The CyberWire Daily Podcast 4.4.23
Ep 1794 | 4.4.23

Cyber appeasement? Western Digital discloses cyberattack. Rilide malware is in active use. Mantis has new mandibles. Challenges of threat hunting. Small, medium, and large criminal enterprises.
Dave Bittner: Did "appeasement" embolden Russia's cyber operators? Western Digital discloses a cyberattack. Rilide is a new strain of malware in active use. The Mantis cyberespionage group uses new, robust tools and tactics. The challenges of threat hunting. Joe Carrigan has thoughts on public school systems making cyber security part of the curriculum. Our guest is May Mitchell of Open Systems, addressing closing the talent gap. And when it comes to criminal enterprise, size matters. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Tuesday, April 4, 2023.

Did "appeasement" embolden Russia's cyber operators?

Dave Bittner: The present state of Russia's war against Ukraine, stalled on the ground as it is, has prompted some reflection on the lessons that might be learned from that war's cyber phases.

Dave Bittner: Online publication the Conversation has summarized and placed into context the accounts of the Vulkan Papers. Russian operations have encompassed cyberespionage, disruptive attacks against infrastructure, nuisance-level hacktivism, and, most prominently, influence operations aimed at both domestic and international opinion.

Dave Bittner: The disruptive attempts may have fallen short of pre-war expectations, but defense experts find them alarming nonetheless. The Voice of America quotes a US Defense official who spoke Friday on condition of anonymity, stating, "The Russian operation in Ukraine as it relates to red lines for conflict should be of concern to many people. You're willing to drop a bomb on a power station, or if you're willing to drop a bomb on a rail network, then you're certainly willing to execute a cyberattack against them. As just general commonsense sort of military tactics, I don't believe you would reduce something to rubble if you had the ability to neutralize it otherwise. You don't want to use high-end kinetic tools unless you have to."

Dave Bittner: Retired US Admiral James Stavridis, a former NATO Supreme Allied Commander for Europe, thinks so. He argues, in an op-ed published by both Bloomberg and the Washington Post, that "Insufficient response to its non-kinetic military operations helped equip the Kremlin with an effective virtual complement to the traditional invasion. The West in effect conducted a policy of digital appeasement in response to multiple cyberattacks." There has been, in Admiral Stavridis' view, a failure of deterrence and diplomacy. He concludes, "The US needs to develop a sense of deterrence in cyber, and doing so will require more aggressive responses than it has been willing to employ thus far. Now that the Russians have acted so strongly in the physical domain, we may find them even more emboldened in the cyber domain."

Dave Bittner: So how does one achieve cyber deterrence? Discuss amongst yourselves, and take a look at the Admiral's op-ed for suggestions on how to frame the challenge.

Western Digital discloses cyberattack.

Dave Bittner: California-based data storage provider Western Digital has disclosed a breach in which an unauthorized third party gained access to its systems, the Register reports. Computing reports that the company has shut down its My Cloud consumer cloud and backup service while it investigates the incident. The company hasn't disclosed the nature of the attack, and the investigation is still in its early stages. Western Digital said in a statement that it detected an incident on March 26th, initiated its incident response plans, and began taking steps to remediate the issue.

Rilide, a new strain of malware, is in active use.

Dave Bittner: A new strain of Chromium-based browser malware, "Rilide," has been uncovered by Trustwave SpiderLabs. This morning SpiderLabs wrote, "Rilide malware is disguised as a legitimate Google Drive extension and enables threat actors to carry out a broad spectrum of malicious activities, including monitoring browsing history, taking screenshots, and injecting malicious scripts to withdraw funds from various cryptocurrency exchanges."

Dave Bittner: Rilide has been found by SpiderLabs in at least two malware campaigns since April of 2022. The first was involved with the Epikia RAT, a remote access Trojan, malware that used Microsoft Publisher and relied on the user ignoring a warning pop-up and executing a macro. SpiderLabs notes "Microsoft Publisher was not affected by Microsoft's decision to block macros from executing files downloaded from the Internet." The second seems to be using Google Ads, disguising itself as legitimate Team Viewer installers or an NVIDIA Drivers installer.

Mantis cyberespionage group uses new, robust tools and tactics.

Dave Bittner: Symantec discovered that Mantis -- which you may know as Arid Viper, Desert Falcon, or APT-C-23 -- is now mounting attacks against Palestinian targets with a new set of tools. In its report published today, Symantec explains that although this pattern of targeting isn't new, the tools in Mantis's mandibles certainly appear to be. Mantis operates from the Palestinian territories against Palestinian individuals.

Dave Bittner: In 2022, Mantis began using "updated versions of its custom Micropsia and Arid Gopher backdoors to compromise targets before engaging in extensive credential theft and exfiltration of stolen data." Mantis seems to compartmentalize its attacks by using "three distinct versions of the same toolset on three groups of computers." This affords redundancy: if one group of tools is discovered and neutralized, then the other two may remain unaffected. Symantec reports, "The attackers also used a custom exfiltration tool to exfiltrate data stolen from targeted organizations." The researchers describe Mantis as a determined adversary with the demonstrated ability to compartmentalize attacks against one organization and rewrite malware to maintain an edge against its targets.

Challenges of threat hunting.
Dave Bittner: Team Cymru this morning published a report looking at the challenges faced by cyber security analysts in hunting threats. 59% of the respondents said their organizations' threat hunting program was only somewhat effective, and 38% said their biggest challenge was a lack of appropriate threat hunting tools. Nearly half said their main goal is to identify threats before an intruder is able to cause damage. One of the top concerns among threat hunters is the inability to measure the success of their efforts.

Small, medium, and large criminal enterprises.

Dave Bittner: Are crooks more successful when they run their crime like a business? So it seems. Trend Micro yesterday released a report discussing the variances in criminal group behavior based on their sizes. The researchers share that knowledge of the size of a criminal organization can aid in the discovery of cybercrime.

Dave Bittner: Small criminal businesses -- and these make up the majority of cyber criminal enterprises -- are typically comprised of one to five staff members, a single layer of management personnel, and a turnover of under $500,000. Smaller criminal businesses tend to be staffed by moonlighters who also have a day job. Doing what, you ask? Who knows? We imagine it varies: dental hygienist, convenience store staff, paralegal, roofer, pretty much anything. One of our writers knew a guy in LA who eked out a living by being the tenth caller to radio stations.

Dave Bittner: Mid-sized businesses tend to have between six and 49 employees, two layers of management, and upwards of $50 million in turnover annually. These businesses tend to be structured as pyramids, with one boss at the top.

Dave Bittner: The big criminal enterprises usually have three layers of management, 50 or more employees, and over $50 million in annual revenue. Lower management and supervisory management are kings in these businesses, with the overarching leadership well-versed in cybercrime. The larger cybercriminal businesses, such as Conti, tend to be run like corporations, containing familiar departments, like IT and HR, with benefits and the other impedimenta of legitimate business.

Dave Bittner: Notice anything about these org charts? As it does everywhere else, the old law of seven plus or minus three prevails. That's about the number of direct reports you can have before you start losing track of what the snitches are up to. Look that one up.

[ Music ]

Dave Bittner: Coming up after the break, Joe Carrigan has thoughts on public school systems making cyber security part of the curriculum. Our guest is May Mitchell from Open Systems, addressing closing the talent gap. Stay with us.

[ Music ]

Dave Bittner: Yesterday here, we discussed training trends and how investing in your employees' continuing education can be an important part of retention. May Mitchell is CMO at Ontinue, the recently-formed MDR division of Open Systems. I spoke with her about the challenges of attracting and retaining top talent.

May Mitchell: It's definitely very challenging. If you are a manager, a hiring manager, looking for top talent, you know, regardless of location, it's so very tough. Lots of areas where you can find top talent, but finding the specific skill set to fit the needs, it's still challenging. And then the other challenging thing is that once you do find them, you have to retain them. So getting them trained, the enablement piece, and then keeping them engaged throughout is definitely challenging these days, especially for a hybrid workforce. Reason being is, once you spend all that time and money getting your top talent on board, it's this ongoing career development, making sure that they are getting what they need, they have the right tools in place. You know, they can easily get tapped by your competitors or someone else that's calling for them. So it's this constant push and pull in the marketplace today. And then the second thing is regarding the diversity. You know, we all know that diversity drives innovation. And I understand that a lot of companies have put emphasis starting from the top-down in terms of diversity being, you know, the top initiative, and there's goals and stats and all that. But that is something that has to be bought in, and it's an ongoing effort. It is really tough. You've got the balance of, you know, meeting those diverse numbers, but also you want the top talent if you're a hiring manager. So it's hard to find that. And then the number of women that's currently in cyber security, it's a numbers game. There's just not enough of that, you know.

Dave Bittner: I'm curious, you know, in your experience, what are some of the successful strategies that organizations can use to both attract good talent but then also is, as you say, retain them?

May Mitchell: You have to have the right culture. And it's the people business, it's the culture. People enjoy working with people that, you know, they connect with, and that they want to work for environments where they are inspired -- they're inspired by the leadership team; they're inspired by what the leader is saying, you know. And they're bought into that strategy or that mission. And culture's only built from the top-down. It starts at the top, there's no question about it, and then it cascades. And then every single person within that company -- whether you are a senior leader or individual contributor -- you are part of that culture. Your belief in it, your strength in it throughout. So that's number one. Number two is, you know, setting goals, having a common set of goals and up at the top, you know, three to five goals, and those goals are cascaded throughout the organization. And some of those goals could be, you know, building a great culture; having a set number for diversity. And again, that has to be bought in throughout everyone. And then having -- putting that as a top priority, finding the right individuals, having a coordinated effort to hit those numbers. Your candidate pool should include X number of individuals that's part of the, you know, women. The other thing is maybe your panel -- your panel should have some women leaders in there as well. And then also once you do hire that individual, when they do come on board, make sure there's a new hire buddy, you know, that they're assigned to. And you want to pair up. If you're bringing in a top talent female leader or individual contributor, maybe you should pair them up with someone like-to-like. You know, the first 30 days, you know, the first two weeks actually, first 30 days, it's really, really important to keep in touch, the next 90 days. And they'll get a good feel for whether or not this is the right place for them.

Dave Bittner: You know, we're seeing layoffs across the industry right now. And I think for many people, particularly those who maybe not have been in cybersecurity for a while, this is the first rounds of layoffs that they've experienced. Do you think that changes the equation here any?

May Mitchell: You know, everyone is going through this right now, every single company -- large, small, VC-funded and all that. Everyone's watching what's happening. It's kind of interesting. I'd say, you know, everyone's really, really mindful on priorities. Everyone's mindful on budget spend, and that includes a program budget and hiring even. Everyone wants stability, you know. You need to stabilize your business. Certainly everyone wants to grow. And also it's like -- when I think about being a hiring manager, I also feel times like this it's about resource allocation. So there might have been some things that we did in the past, certainly with the economic climate that's changed. You have to put a different hat on, think about, okay, what are the things that we need to do that we can go deep in? Let's do a few things and go really, really deep. There's some things that we're not going to do, and you want to make sure that the other departments are okay with it. Again, it's about getting alignment. Number two is -- when I say "resource allocation," this is really where we have to ask our employees to stretch themselves, you know, and try new things. You know, maybe we didn't hire them for something but we do need everyone's help and wear a different hat, and we may have to move some individuals around to pick up those areas that we really want to do. But in terms of diversity and all that, yeah, I've been reading a lot of stories about whether or not that has been impacted with these recent layoffs. Because, at the end of the day, there's so much that goes into having layoffs and all that, the reasonings. I'm sure it's a very, very thoughtful process. And again, it goes back to the priorities of the organization. I am hearing some things that, you know, diversity is still a top priority, but then also other organizations are like, look, we're going to be looking for what have we got to do? It's bootstrapping right now, stabilizing the business. But I still think that there's a lot of companies out there that are still hiring. But again, they're very, very mindful of the specific skill set that they're looking for. So I still think the job market, you know, is still pretty good out there as far as high-tech and as far as cybersecurity as well.

Dave Bittner: That's May Mitchell from Ontinue. 

Dave Bittner: And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute, and also my cohost over on the Hacking Humans Podcast. Hello, Joe.

Joe Carrigan: Hi, Dave.

Dave Bittner: This article caught my eye. This particular reporting on it comes from a website called "K-12 Dive," which is a news website for folks who are in education. Joe, you have dipped your toes in education with your profession over at Hopkins.

Joe Carrigan: My toes have been in the education pool for about 10 years now.

Dave Bittner: There we go. So you're at least ankle-deep.

Joe Carrigan: Right.

Dave Bittner: So this article is titled "North Dakota becomes first state to require K-12 cybersecurity education."

Joe Carrigan: That is excellent.

Dave Bittner: Yeah. What's going on here, Joe?

Joe Carrigan: Well, first off, I'd like to know why North Dakota is the first state to do this and not Maryland.

Dave Bittner: Okay, fair enough. Our home state.

Joe Carrigan: Yeah, our home state. But also, kind of like the Silicon Valley of cybersecurity companies, right? A lot of cybersecurity companies around here. And we've done a lot over the last two decades to try to attract them, but we haven't made this as part of the education requirement for students graduating from high school.

Dave Bittner: Right.

Joe Carrigan: So there's a new bill that has been signed into law. To graduate from high school in North Dakota, the law requires that students take at least one course in either computer science or cybersecurity. And they are saying that this underpins everything that we do now. So it's an imperative part of education that students understand cybersecurity and computer science.

Dave Bittner: What do you make of this?

Joe Carrigan: I like it. I think it's a long time overdue. I'm amazed that we don't have other computer science requirements in our education around the country. Everybody should know how to do at least some kind of basic scripting, right, or something. You know, and then there's the argument, well, not everybody is good at that. But you don't need to do super excellent work or -- but I think you should understand how computers work and what's under the covers in these things. When I hand you a cell phone that has all these pretty lights on the front of it, what's actually going on in the back?

Dave Bittner: Yeah.

Joe Carrigan: I think it's important to know. It's not just for computer science, but also it does relate to the cybersecurity stuff, and it also relates to privacy and, you know, human rights in that way.

Dave Bittner: Yeah.

Joe Carrigan: You need to know what's going on and you need to have an idea of how it works. And cybersecurity, I think -- I don't know how I feel about it being either computer science or cybersecurity. I would like to see both of those be some kind of requirement. If I had to pick one that I was going to make mandatory, I'd make security mandatory over computer science.

Dave Bittner: Yeah. Maybe it's a matter of giving some kids choice so that the kids who are more technically-oriented can choose that computer science class. But beyond that, you can take cybersecurity and hopefully that'll be something that will serve you well as you go through life.

Joe Carrigan: And maybe that is exactly what I'm describing here: some kind of technical class that puts you in the right frame of mind for this, for thinking analytically and in terms of computers and how they work.

Dave Bittner: I think it's worth noting here also that this is really part of a push on North Dakota's part to really embrace technology. They've really got a strong vision here.

Joe Carrigan: They have this initiative, they call it the "PK-20W Initiative." I have no idea why they call it 20W. But it's supposed to be prekindergarten through PhD plus.

Dave Bittner: Okay.

Joe Carrigan: So they're saying that they should have cybersecurity education all along this spectrum of people. And I think that's a valid goal, that's a good idea. We should be training people in cybersecurity all the time, even at the end-user level, throughout their education careers. And the reason for that is because this Internet thing isn't really a fad. It's not going away, despite what people thought in the '90s and 2000s. It's demonstrated that it's going to be around forever. As long as we can power it and keep the lights on, it'll stay on.

Dave Bittner: Yeah, again, I'll just point out that I've learned from folks that I've interviewed that North Dakota has really embraced kind of a whole of government approach to cyber.

Joe Carrigan: Yeah, they have.

Dave Bittner: From the top-down.

Joe Carrigan: Yeah, they have one organization or one set of policies that goes across all of their organizations of government. And not just at the state level, but it also protrudes down to the county and local level as well.

Dave Bittner: Right, right. So they're really resourcing everybody and trying to provide that higher-level protection at all levels, starting at the top and then sort of, you know, making its way down to the smaller organizations who are going to have more of a challenge funding this on their own.

Joe Carrigan: That's right.

Dave Bittner: It's a really interesting experiment from North Dakota, and will be interesting to see how it plays out for them. Personally, I think this is good news that they're putting this in the curriculum, and I think it's something to keep an eye on.

Joe Carrigan: I agree. I think it's -- the curriculum part is good news. Now, if you're thinking about the whole of government thing, I don't know how easy that would be to do in Maryland. Because in North Dakota, you're talking about fewer than a million people, three-quarters of a million people.

Dave Bittner: Right.

Joe Carrigan: And about one-third of those people in some way use the Internet or the network or something on that. Which means there's user -- if you think about your Maryland E-ZPass, that makes you a user of the Maryland government systems, right? A quarter million is a lot less than we have in Maryland. And I don't know how that whole of government thing would work in Maryland. I'd like to see it. But something we could certainly do in Maryland is make cybersecurity education a requirement to graduate from high school. That should be easy.

Dave Bittner: Yeah. And it really is the whole notion of, you know, the states being places where these things are tried.

Joe Carrigan: Right.

Dave Bittner: The experiments happen at the states. This is a great example of that. So something to keep an eye on. All right, well, Joe Carrigan, thanks for joining us.

Joe Carrigan: It's my pleasure, Dave. 

Dave Bittner: And that's the CyberWire. The CyberWire Podcast is a production of N2K Networks. Proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester. With original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.