BlackCat follows Cl0p to GoAnywhere. Mirai gets an upgrade. Deterring cyber war. Homeland Secrity’s cyber priorities. Action against DPRK cryptocrooks. What KillNet’s up to.

Dave Bittner: BlackCat follows Cl0p, exploiting the GoAnywhere MFA vulnerability. The Mirai botnet exploits a vulnerability disclosed at Pwn2Own. An RSAC presentation describes the U.S. response to Russian prewar and wartime cyber operations. The U.S. Department of Homeland Security outlines cyber priorities. Andrea Little Limbago from Interos shares insights from her RSA panels. The U.S. indicts and sanctions DPRK operators in a crypto-laundering campaign. My guest is Marc van Zadelhoff, CEO of Devo, with insights from the conference. And the latest on KillNet.

Dave Bittner: From the RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire security briefing for Thursday, April 20th, 2023.

BlackCat (ALPHV) follows Cl0p, exploiting GoAnywhere MFA vulnerability.

Dave Bittner: At Bay reported this morning that Cl0p is now seconded by BlackCat (a.k.a. ALPHV) in using the GoAnywhere MFT exploit CVE-2023-0669. The researchers write “The vulnerability is a good example of how cyber criminals don’t just go after the most prevalent or publicly-known CVE disclosures. The most important indicator of risk isn’t just the score that’s given to the vulnerability, but how easily it can be exploited by cyber criminals in-the-wild, at scale, to achieve a desired outcome.” Forta released a patch to remedy this vulnerability in February of this year and all users are recommended to install the patch. As well, At-Bay urges organizations using the affected GoAnywhere MFT versions to “immediately follow the mitigation methods recommended by Fortra.

Dave Bittner: BlackCat seems increasingly active as At Bay reports. According to At Bay's claims data, which includes any confirmed attacks against its 30,000 plus policyholders, the BlackCat group was responsible for 9.8% of ransomware claims in 2022, making it the third most successful ransomware group last year. This year is trending similarly with 13.5% of ransomware claims in the first three months of 2023 coming from BlackCat. Despite being a relative newcomer, BlackCat is also the third most active ransomware group so far this year, following Royal and LockBit.

Mirai botnet exploits vulnerability disclosed at Pwn2Own.

Dave Bittner: The Zero Day Initiative announced discovery of new activity using a zero day exploit that surfaced during last month's Pwn2Own event. The report says this bug in the TP-Link Archer AX21 wifi router was originally disclosed to ZDI during the Pwn2Own Toronto event where it was used by Team Viettel in their LAN-side entry against the TP-Link devices and by Qrious Security in their WAN-side entry. The report continues -- TP-Link released a firmware update in March that fixed some security issues including this and other CVEs. It was after this fix was made public that exploit attempts using this CVE were detected in the wild.

Dave Bittner: The Zero Day is now being used by the Marai Botnet. Zero Day Initiative began seeing the exploit in the wild on April 11th. Marai Botnet was using the exploit to make an http request to the Marai C2 servers to download and execute a series of binary payloads. Seeing the CVE being exploited so quickly after the patch being released is a clear demonstration of the decreasing time-to-exploit speed that we continue to see across the industry. The researchers recommend that users apply TP-Link's patch which is the only effective defense against the exploit.

RSAC presentation describes US response to Russian prewar and wartime cyber operations.

Dave Bittner: A joint presentation by CISA and Cyber Command's Cyber National Mission Force described interagency, international, and public/private cooperation as vital to the blunting of Russian cyber operations. The case study they presented at RSAC yesterday focused on the response to the SVR's [inaudible] intrusion into SolarWinds and the threat that posed to government networks. That incident occurred in 2021 and so predates Russia's invasion of Ukraine, but it arguably represented battlespace preparation and, in any case, the allied response has continued to blunt the effectiveness of Russian cyber operations in the present war as well. Washington Post summarizes some of the presentation's lessons and also describes the ways in which a deeply compromised Russian intelligence establishment has been unable to operate effectively against Western targets. Apply the usual cautions with respect to overconfidence. As Captain Solo once said, "Don't get cocky, kids."

The US Department of Homeland Security outlines cyber priorities.

Dave Bittner: The Department of Homeland Security is assessing its cyber priorities in the Department's recently released Quadrennial Homeland Security Review. Nextgov reports that the review warns of more complex threats that may target many industries and sectors. The review emphasizes deterrence of cyber attacks against critical infrastructure and does so in the context of public/private collaboration and the development of a pool of highly-skilled cyber workers. The review discusses mitigation of active cyber threats with focus on the work of the Cybersecurity and Infrastructure Security Agency. The review also outlines steps that governmental agencies have taken to strengthen the nation's cyber resilience. It also highlighted ongoing international collaboration to secure critical infrastructure and fight adversarial cyber attacks.

US indicts, sanctions DPRK operators in crypto-laundering campaign.

Dave Bittner: The U.S. Justice Department has announced the indictment of Sim Hyon Sop, a representative of North Korea's Foreign Trade Bank on two conspiracy counts. Mr. Sim allegedly conspired to launder cryptocurrency as part of an effort to evade sanctions on Pyongyang. The sanctions in question are intended to impede the development of North Korea's ballistic missiles, weapons production, and research and development programs. In a separate but related action, the U.S. Department of the Treasury has sanctioned Mr. Sim and the two over-the-counter currency traders he worked with for their illegal support of North Korea's weapons programs. Undersecretary of the Treasury for Terrorism and Financial Intelligence, Brian Nelson said, "The DPRK's use of illicit facilitation networks to access the international financial system and generate revenue using virtual currency for the regime's unlawful weapons of mass destruction and ballistic missile programs directly threatens international security. The United States and our partners are committed to safeguarding the international financial system and preventing its use in the DPRK's destabilizing activities, especially in light of the DPRK's three launches of intercontinental ballistic missiles this year alone." Treasury emphasizes that it acted in close cooperation with South Korean authorities.

An update on KillNet.

Dave Bittner: And, finally, to return to Russia's war against Ukraine and the rest of the civilized world, what are the cyber auxiliaries of KillNet up to lately? In addition to creating its own virtual community college, KillNet has been advertising various malign tools, specifically the hacktivist auxiliary announced on the 16th of April that it had partnered with operators of Titan Stealer, an accomplice in the nuisance attack against NATO School Oberammergau. Titan Stealer is billed as “a universal instrument for those who possess professional knowledge in their field as well as amateurs.” Uptycs reported in January that the Stealer is capable of stealing a variety of information from infected Windows machines, including credential data from browsers and crypto wallets, FTP client details, screen shots, system information, and grabbed files. KillNet has also announced on Anonymous Russia's telegram page that they are creating a new DDoS service called Teslabot. Teslabot is a distributed denial of service toolkit offered in three different flavors and prices. For twenty-five dollars, you get Basic, which includes ten bots. Pro at seventy-five dollars comes with thirty bots. And the pricier Rare offers fifty bots. Teslabot is presently in presale and will be available for general purpose on April 28th. Get the bots while they're hot, we guess -- or not.

Dave Bittner: Coming up after the break, Andrea Little Limbago from Interos tears insights from her RSAC 2023 panels. My guest is Mark van Zadelhoff, CEO of Devo, with insights from the show. Stick around.

Dave Bittner: Marc van Zadelhoff is CEO of Devo and he stopped by for a conversation on insights from the conference, what he's looking forward to, and where he thinks we're going. Here's Marc van Zadelhoff. So here we are. We find ourselves at the RSA Conference 2023, back again.

Marc van Zadelhoff: Amazing.

Dave Bittner: Yeah. And I'm really interested in your insights as we come into this year's show. Where do you think we find ourselves as an industry? What -- what's the lay of the land as you describe it at this point in time?

Marc van Zadelhoff: Well, geez. I -- I've been coming here since 2008, probably not every year but most of them and, in a way, maybe I'm a little cynical in that I think a lot of things have changed and then a lot of things are the same. You know, I no longer get enthralled by, oh, there was another hacker or a security company missed their earnings reports. Someone just mentioned that [inaudible] announced their earnings and stock went down to whatever. So some of this stuff, yeah, that's been happening forever, but it's happening on different surfaces. You know, when I first got here, I was shipping CD-ROMs with a C++ code.

Dave Bittner: Right.

Marc van Zadelhoff: Years later, appliances with -- with Java code, and now we're in the Cloud. And so I think attacks are following that same pattern. Right? I'm serving as a service and attacks are happening as a service. Attacks are happening from the Cloud, to the Cloud, leveraging AI. So I think it's more similar themes but on different surfaces as the world is modernized.

Dave Bittner: Do you think as an industry we've been on the path of -- of increased professionalization over the past decade or so?

Marc van Zadelhoff: I think so. I mean, I definitely think that when I first started coming here the CSO was a -- pretty much an ornery person stuck in the basement of the building dreaming of having some time with the Board of Directors. And now, you know, we -- I'm not a CSO -- but we as an industry, we're in front of the board. We have our moment. We have headlines and attention and -- and slots at board meetings. And I sometimes wonder, are we doing the right things with them? We also have public attention from governments. Right? So I would say our moment has arrived, versus 2008 when I started in this business. We would say lots of things and it felt like you were yelling into the wind.

Dave Bittner: Mm-hmm. As the CEO of a company, what is the value proposition for you to be at a show like this? How do you choose how you're going to divvy up your time?

Marc van Zadelhoff: I think as a CEO you try and leverage the title insofar as it's worth something to give your company exposure. So I just did a nice panel at a -- at one of the banking conferences where I think, you know, that just gives us good -- good visibility to an audience that's important to us that I don't spend a lot of time on because I'm not public.

Dave Bittner: Mm-hmm.

Marc van Zadelhoff: The banking community is an important one to kind of start to warm up. And then I spend a lot of time with customers and partners and, ideally towards the end of the evening, with my team members in a bar having a beer.

Dave Bittner: [laughing] Fair enough. There's nothing like being face to face. Right?

Marc van Zadelhoff: Exactly. Well, you said it -- in this current climate, you know, that's a luxury that we cannot take for granted is actually seeing each other.

Dave Bittner: Do you sense that there are any specific themes this year?

Marc van Zadelhoff: Yeah, I think certainly AI is -- obviously, chatGBT and AI is -- is a big theme.

Dave Bittner: Yeah.

Marc van Zadelhoff: And I think one that you're going to see on the show floor is leveraging that in product announcements. You know, we now -- in fact, my -- my friend, Christopher Ahlberg at Recorded Future did a really nice announcement pre the show on how they're leveraging chatGBT-like technology. I don't know exactly what he's using to -- to offer a very neat experience within their -- their suite of solutions. So I think you'll see more of that happening here. And what I also find interesting is discussion yesterday in a couple meetings I was in on how do we secure AI?

Dave Bittner: Mm-hmm.

Marc van Zadelhoff: How do we make sure that corpus of data doesn't get hacked and abused because, you know, if you can hack and abuse someone's corpus of data that's being leveraged to make these decisions that we just take for granted -- ask the computer a question, now you get a brilliant answer. But what if that's polluted data?

Dave Bittner: Right.

Marc van Zadelhoff: What if that data is designed to make you think there isn't an attack coming from a certain set of IP addresses and you base your decision on that check? And suddenly you realize that corpus was polluted.

Dave Bittner: Yeah.

Marc van Zadelhoff: So this discussion of -- of how do you secure AI as well.

Dave Bittner: I was chatting with our Chief Security Officer, Rick Howard, earlier and we were -- we were talking about the possibility of chatGBT being a hot topic here. And we were wondering -- you know, are there going to be companies who say we're now chatGBT-enabled and then other ones who say we protect you from things that are chatGBT-enabled. Right? It's rare you see something that has that spectrum of -- thought about it.

Marc van Zadelhoff: Yeah!

Dave Bittner: You know?

Marc van Zadelhoff: But -- but -- but, in a way, and -- and it's different, but back to my opening answer to your question, it's just another surface. Right? So --

Dave Bittner: Yeah.

Marc van Zadelhoff: -- you know, we used to have the same conversations when mobile devices are -- were introduced. Right? Can we enhance security with mobile devices? An app that allows you to -- to access data and information about your environment, or will the mobile devices get hacked. Right? Will the Cloud make you more secure, or will the Cloud get hacked? Right? So it's just a different -- it's just a different surface. And -- and -- and this AI generation will just be another surface of leverage and attack.

Dave Bittner: I think that's a really powerful insight. Before I let you go, I would be remiss if I did not mention your podcast which is "Cyber CEOs Decoded." Rumor has it that you are gearing up for your second season there. Any -- anything we can look forward to? Any -- any previews for us?

Marc van Zadelhoff: Well, it was a rough negotiation, but we did sign up for a second season, and I'm super delighted. Yeah. We've had so much fun on that podcast, and I want to thank the CyberWire for your support. You know, the whole premise of that is that being a CEO, they say, is a lonely job. And I would say at times that's for sure true. So why not get some pals on a -- on a podcast and demystify and decode what it's like to be a CEO. So I've had a really fun opportunity. I think we did eight episodes with a myriad of different CEOs talking about pivotal points in their company's development and decisions they made. And I learned from it and I think the audience hopefully took a bunch of things away, too. Yeah. Season two and I -- I was able to secure at RSA the first two speakers already.

Dave Bittner: Oh, good!

Marc van Zadelhoff: Been a good use of my time.

Dave Bittner: The thing I particularly enjoy about your show is how intimate it is. That these are trusted relationships that you have with the people you're talking with. So I think as a listener, the value we get out of it is that, I think, your guests are much more open and candid than they might be with someone they're a stranger with.

Marc van Zadelhoff: Yeah. No, it's -- you know, it's designed to be a bit of a confessional setting, and -- but -- but safe in terms of, you know, CEOs can't talk about everything, but I think we should talk about more than we think we can. And so I try and set the -- the tone so that we try and open up about things that really are -- are difficult because if we're not talking about that then we're not going to solve them.

Dave Bittner: Yeah. All right. Well, thank you so much for taking the time today. And hope you have a good rest of the week.

Marc van Zadelhoff: Awesome to see you.

Dave Bittner: Our thanks to Marc van Zadelhoff from Devo for joining us.

Dave Bittner: And it is always a pleasure to welcome back to the show Andrea Little Limbago. She is a Senior Vice President in Charge of Research at Interos. Andrea, it's great to see you.

Andreas Little Limbago: Great to see you again. Love being in person.

Dave Bittner: I know! It's so -- it's such a treat, isn't it?

Andreas Little Limbago: It is a very -- like, all too rare treat.

Dave Bittner: Yes. Yeah, I think we appreciate it much more than we did in years past.

Andreas Little Limbago: Absolutely.

Dave Bittner: So you are quite busy here at the RSA Conference this year. You -- there's a couple -- well, you just wrapped up a panel as we record this, and you have another one later in the week. Let's go through those. What -- what are the conversations that you're part of?

Andreas Little Limbago: Yeah. No, thanks. And there's even one, a different one yesterday, a pre-RSA event, because that's to really optimize the entire week. You --

Dave Bittner: Right.

Andreas Little Limbago: -- so I can hand tie all of those in -- in together.

Dave Bittner: Okay.

Andreas Little Limbago: What we just discussed a couple minutes ago was with Edna Conway and Erin Joe from Mandiant. So --

Dave Bittner: Oh, yeah!

Andreas Little Limbago: -- brought together luminaries in the industry --

Dave Bittner: Sure!

Andreas Little Limbago: -- talk about what this new normal is and how to prepare for operational resilience in the new normal.

Dave Bittner: Okay.

Andreas Little Limbago: And so setting the stage -- you know, I have a political science/international relations background, so I always look at things as far as international systems and how they're shifting. And I look at 2020 as a really big inflection point where the world before and the world after are very, very different.

Dave Bittner: Okay.

Andreas Little Limbago: There's some trends that, you know, got us to that point that still continue and persist, but they're really accelerated.

Dave Bittner: And 2020 is the marker because of COVID, or --

Andreas Little Limbago: You know, the pandemic really shook things and then accelerated some the other trends, and so --

Dave Bittner: Okay.

Andreas Little Limbago: -- so, for example, on geopolitics and trade sanctions, those had started prior to COVID --

Dave Bittner: Mm-hmm.

Andreas Little Limbago: -- from 2020 on, not directly linked to COVID but some -- some, you know, tangential components. We also saw exacerbation of geopolitical tensions, of geoeconomic statecraft. COVID really drove home the supply chain risk --

Dave Bittner: Mm.

Andreas Little Limbago: -- and so, while that was more in the PPE, if you remember that, and some of the different concentration risks, supply chain really started to elevate across the board and into cybersecurity as well. Then we had SolarWinds --

Dave Bittner: Right.

Andreas Little Limbago: -- we had [inaudible]. We just keep seeing the steady drumbeat of what used to be considered [inaudible] one events occurring much more naturally, or much more frequently. And so we kind of set the stage for that new normal is and you're tying on top of that climate change as well --

Dave Bittner: Mm-hmm.

Andreas Little Limbago: -- which does have a cybersecurity risk component to it, especially if you think about data centers.

Dave Bittner: Mm-hmm.

Andreas Little Limbago: Really bringing in all these range of disruptions that are going on that are going to be part of this new normal on top of the -- the transformation that's underway for globalization, and that's the geopolitical aspect of it where we are, seeing the segmentation of the globe into different kinds of trade flows, technology spheres, all that is -- we're still very nascent in it. But that's really where we're seeing all that accelerating kicking off, really, in 2020. And so how do you, as an organization, prepare operational resilience in this world where we're seeing supply chain shift, where we're seeing technologies that perhaps were, you know, embedded in your supply chain stack that you now have to remove due to sanctions?

Dave Bittner: Hm!

Andreas Little Limbago: How do you deal with concentration risks and potentially adversarial countries?

Dave Bittner: Mm-hmm.

Andreas Little Limbago: And then on top of that, the whole range of supply chain attacks themself which have increased, you know, 600% over the last year. We keep seeing more and more reports coming out of, you know, the newest supply chain attack. It's really, you know, increasingly common attack vector replacing malware and data compromise over the last year. And so how do you build operational resilience? And that -- you know, given that, you know, somewhat bleak overview of what this world that we're in --

Dave Bittner: What -- what did this panel conclude? Were there conclusions made?

Andreas Little Limbago: There were. And, on the one hand, you know -- you know, we don't want to be Pollyannish about it and ignore these disruptions that are going on. But we can build operational resilience by understanding that these ships are underway. And one of the key things that was focused on was looking at it as a -- as a "we" problem, not as a "me" problem. And so looking at -- how can companies both work, you know, internally, transform how they're organized -- organized to make sure there's the proper information sharing going on. And how can they then work with their supply chains, with the government, with all their -- the extended partner ecosystem together and raise all boats to help build operational resilience. So that was I honestly think one of the -- the highest takeaways because I think we still look at it from our own saddle perspective --

Dave Bittner: Yeah.

Andreas Little Limbago: -- and we do need to, you know, branch out and think about how can we work together in innovative ways to prepare for this because the adversaries are. That was a point Erin Joe made -- you know, she works at Mandiant, bought by Google -- just how much adversaries are working together. The [inaudible] working together. On the defensive side, we need to be doing the same thing, working together as much if not more. And so we talked about that a bit. Talked about really shifting our frame -- our mindset and our framework for how we think about information sharing, and that goes on both sides for -- you know, the private sector often views, well, we sure got information to the government and we don't know what happens with it. It's a one-way street.

Dave Bittner: Right.

Andreas Little Limbago: So making sure that's more of a mutual benefit for everyone. And then on the government side, really trying to help incentivize private sector to come forth with information that may uniquely have that no one else has.

Dave Bittner: Is there any sense for who is best positioned to lead this charge? Is this -- we have the ISAACs. We have -- federal government could do something. Was there any discussion there?

Andreas Little Limbago: That's a challenge.

Dave Bittner: Yeah.

Andreas Little Limbago: They said there's, in some -- in some regards, you know, the government can help set the stage, but the government isn't going to be the one, you know, determining how, you know, private sector works across our supply chain, for instance, and getting some of that information. They can help provide some frameworks for it and that's, I think, exactly where they can do what's best, but one of the core components was really building trust. And I think what -- an interesting component was -- that we ended on -- was we're right at RSA, so there's, you know, RSA buzzword bingo and zero trust.

Dave Bittner: Right.

Andreas Little Limbago: It's certainly at the top of all of them.

Dave Bittner: Sure.

Andreas Little Limbago: So how do you build trust as needed for collective resilience and collaboration when all we're hearing is it should be zero trust and don't trust anyone?

Dave Bittner: Interesting.

Andreas Little Limbago: And so, looking at that, you know, what might seem like a, you know, orthogonal to one another, thinking about zero trust as a technological framework and how to leverage technologies to overview access controls and so forth, it's a technology solution, whereas trust is the human element of it. And so building that trust amongst humans, that often gets forgotten. We -- we've talked about that on this show.

Dave Bittner: Yeah.

Andreas Little Limbago: Really looking at how can you build more trusting relations across your supply chain, across private sector, public sector, especially in an era when that trust is going to be essential to help raise, you know, all boats for higher security.

Dave Bittner: Well, in the time we have left here, can you give us a preview of what you've got going on later in the week?

Andreas Little Limbago: Sure. And then, you know, a fairly big switch on -- on topics. Looking at -- with the liability in who might be accountable for breach liability going forward and --

Dave Bittner: Hm!

Andreas Little Limbago: -- and just looking at, you know, where does the buck stop? Who's accountable for breaches? Is it the CSO? Is it the CEO? Is it the board? And, you know, this sort of stemmed from -- we saw a CSO go to jail for different aspects of data breaches. It's not necessarily as straightforward -- it was moreso the handling of the -- of the data breach. We saw that, you know --

Dave Bittner: Right.

Andreas Little Limbago: -- several months ago.

Dave Bittner: Right.

Andreas Little Limbago: And that really sent a chill throughout the CSO community for what needs to be done to not have that happen. How do -- are there steps that CSOs can take to make sure that they can protect themselves? But then, also, where's the law going? And so we've got a panel of legal experts and CSOs together, kind of provide perspective on what can be done to protect yourself to make sure you're not in that situation? But then also where is the law going and where is it going to be focusing on when a data breach happens? Who's going to be held accountable? Are we going to see more of that, or is it one of those things that was -- you know, are we going to see just a couple cases here and there trying to make an example? And so really talking about where the broader trend is because it was a hot topic a few months ago. Haven't heard a lot about it going forward, but for organizations they're very much so thinking about that. That hasn't -- it's still very much top of mind to make sure the processes are in place so that they can identify the steps they took for data breach accountability. And it's -- it's hard. You know, there are 54 data breach laws in the United States alone.

Dave Bittner: Hm.

Andreas Little Limbago: So it's not an easy task to --

Dave Bittner: Right.

Andreas Little Limbago: -- expect everyone and, you know, obviously, you know, of course they vary. You know, there's not going to be --

Dave Bittner: Sure.

Andreas Little Limbago: -- consistency across it. Some have very short timelines. Some have 72 hours. Some have less hours. You know?

Dave Bittner: Yeah.

Andreas Little Limbago: What you have to -- what you have to provide is -- is different from, you know, state to state. So it's a really hard challenge and there isn't any definitive answer yet. But we'll be discussing the trends that are going on, why is this a growing concern, and then what the security community can do to help safeguard themselves as this legislation starts to shift.

Dave Bittner: Yeah. Well, thank you for taking the time to come by and visit us and share your expertise. Andrea Little Limbago, always a pleasure.

Andreas Little Limbago: Oh, thank you, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of our podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We are privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment -- people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.