The CyberWire Daily Podcast 4.27.23
Ep 1811 | 4.27.23

Waging lawfare against criminal infrastructure. Notes from the cyber underworld. Hybrid war, and cyber ops across the spectrum of conflict. And what do the bots want? (Hint: kicks.)

Dave Bittner: Google targets CryptBot malware infrastructure. FIN7 attacked Veeam servers to steal credentials. Ransomware-as-a-service offering threatens Linux systems. Evasive Panda targets NGOs in China. Anonymous Sudan is active against targets in Israel. Russian ransomware operations aim at disrupting supply chains into Ukraine. Our guest is Stuart McClure, CEO of Qwiet AI. Microsoft's Ann Johnson stops by with her take on the RSA conference. And bots want new kicks.

Dave Bittner: From the RSA Conference in San Francisco, I'm Dave Bittner with your CyberWire Intel briefing for Thursday, April 27th, 2023.

Google targets CryptBot malware infrastructure.

Dave Bittner: Google blogged yesterday explaining steps they're taking to disrupt the CryptBot malware gang's infrastructure after securing a court order against the malware's operators. The tech giant has filed litigation against the CryptBot distributors, who they believe operate out of Pakistan and run what they call a "worldwide criminal enterprise." The legal complaint Google filed is based on multiple claims, which include "computer fraud and abuse and trademark infringement." The company has been granted a temporary restraining order, Bleeping Computer reports, that allows for them to take down domains both now, and in the future that are linked to the malware. Google says that this will hinder CryptBot's growth and decelerate the infection rate (which Google estimated at about 670,000 last year). Google says, "Lawsuits have the effect of establishing both legal precedent and putting those profiting, and others who are in the same criminal ecosystem, under scrutiny." Bravo, and good hunting, Google.

FIN7 used CVE-2023-27532 to attack Veeam servers and steal credentials.

Dave Bittner: WithSecure Intelligence reported yesterday that the FIN7 Russian cybercrime group was likely behind the attack on Veeam Backup and Replication servers. The gang was able to steal credentials using a custom PowerShell script not previously associated with FIN7. They state, "Our research indicates with high confidence that the intrusion set used in these attacks is consistent with activities attributed to the FIN7 activity group. It is likely that initial access & execution was achieved through a recently patched Veeam Backup & Replication vulnerability, CVE-2023-27532." WithSecure Intelligence advises affected companies to follow their recommendations and guidelines to patch and configure their backup servers appropriately.

Ransomware-as-a-service offering threatens Linux systems.

Dave Bittner: The Uptycs threat research team released a blog this morning detailing a ransomware-as-a-service offering impacting Linux systems. This malware is attributed to RTM Group, and researchers say it "appears to be inspired by Babuk ransomware's leaked source code." The team reports that they found the hacker group through dark web hunting, and that the malware is focused on ESXi hosts. The initial point of access remains unknown.

Chinese APT group Evasive Panda targets NGOs in China.

Dave Bittner: ESET reported yesterday that Evasive Panda, a Chinese APT group also known as BRONZE HIGHLAND and Daggerfly, had conducted a campaign to install its custom message bot backdoor malware on Chinese users by using malicious software updates for legitimate applications. BleepingComputer writes, "Evasive Panda is a cyberespionage group active since at least 2012 that has previously targeted organizations and individuals in mainland China, Hong Kong, Macao, Nigeria, and various countries in Southeast and East Asia."

Dave Bittner: ESET explains that, "The majority of the Chinese victims are members of an international NGO that operates in two of the previously mentioned provinces. One additional victim was also discovered to be located in the country of Nigeria." ESET assesses that Evasive Panda may have compromised the messaging software Tencent QQ and its update servers in order to tailor their targeting list and distribute corrupted updates to targets of interest while providing legitimate updates to non-targets. This campaign would then be classified as a supply chain attack (much like the attack on SolarWinds, or the more recent 3CX attacks) since it uses upstream infiltration of third parties to infect downstream users with malware through updates or software downloads. Evasive Panda's goal in this campaign seems to be credential theft.

Russian ransomware operations aim at disrupting supply chains into Ukraine.

Dave Bittner: The US Intelligence Community sees Russian cyber operators devoting more effort toward disruption of supply chains supporting Ukraine. CyberScoop quotes NSA's Rob Joyce, the agency's director of cybersecurity, as saying that NSA is observing "a significant amount of intelligence gathering into the Western countries, to include the U.S., in that logistics supply chain." A significant fraction of that supply chain carries humanitarian aid.

And KillNet declares itself a Russian “Private Military Hacker Company.”

Dave Bittner: Looking, apparently, for a bigger payday, the Russian cyber auxiliary KillNet yesterday announced that they would become Russia's "Private Military Hacker Company." What this means for their operational tempo is unclear, but they promised they would continue distributed denial-of-service attacks against NATO sites as they pursue their current objective of "destroying NATO infrastructure." The group says it will now also accept jobs from private individuals and from governments. They will still work to defend Russian interests. They explained in their post that they will no longer be making money from donations and promised sponsorships (and they included an emoji that indicated the sponsorships fell short of expectations).

Dave Bittner: Earlier this month KillMilk, the group's nominal leader, explained that he was tired of waiting for government personnel and businessmen to fund his group's cyber escapades. Shortly after their announcement they changed their channel name to PMHC KillNet. This could be just a publicity stunt, as the ramifications of a cybercriminal group sanctioned by Moscow attacking NATO websites are unknown but probably severe. KillNet has yet to release any information on pending contracts (either governmental or private) to conduct cyber warfare.

Prosecutors ask that accused Discord Papers leaker remain in custody.

Dave Bittner: According to the AP, US Federal prosecutors have asked that Jack Teixeira, charged with violations of the Espionage Act, be held in custody and not, as Airman Teixeira's defense is expected to request, be released to his parents. The prosecution wrote in their petition: "There simply is no condition or combination of conditions that can ensure the defendant will not further disclose additional information still in his knowledge or possession. The damage the Defendant has already caused to the U.S. national security is immense. The damage the Defendant is still capable of causing is extraordinary."

Dave Bittner: The AP reports that investigators are still working to determine whether Airman Teixeira retained any other classified information that has so far remained unreleased. Investigators and prosecutors have also not discussed Airman Teixeira's possible motives for the alleged leaks, but the consensus among Discord users who had been in touch with him is that he was simply showing off, without any serious political purpose.

Bots want new kicks.

Dave Bittner: And, finally, we ask you, what are the scalper bots after nowadays? Sneakers, lots of sneakers, Netacea reports, and scalper bots are especially partial to the Black and White Nike Dunk Low Panda. And while they certainly love them some sneakers, the bots don't work via sneakernet.

Dave Bittner: Coming up after the break, our guest is Stuart McClure, CEO at Qwiet AI. Microsoft's Ann Johnson stops by with her take on the RSA Conference. Stay with us.

Dave Bittner: So, I am pleased to be joined by Stuart McClure. He is the CEO of Qwiet AI and certainly well-known within the industry for some of your previous efforts, former Head of Cylance, a company we're very familiar with, of course, that was sold to Blackberry and is still continuing on under their umbrella. Here we are at RSA 2023. Before we dig into some of the details of the new company, I'd love to get your insights on where you think we stand as an industry facing the challenges that are in front of us?

Stuart McClure: Oh, I was just talking to a good friend last night about this. I mean, I think we're all sort of in agreement that the fog of more is just not working, you know, we keep adding more and more layers and more and more people and more and more technologies and tools and we just seem to get more and more problems. And they're not the kind of problems that are preventative. They're really more detect and respond problems, and I think all of us have to think about how can we pivot into a preventative world? You know, is prevention possible? You know, let's talk about it. Let's talk about where all the threats come from and go to the root cause and see if we can effect some change there, because I think it's probably the only way we're going to get ahead of this in any substantive way. So, I think we all as an industry have to stop sort of pandering to the "Hey we need to see more," and think about well we need to prevent more.

Dave Bittner: It's interesting, I mean that--I--there are folks who would say assume breach. Let's leapfrog right over prevention and get to what we do once they're in.

Stuart McClure: Yah. That's right. You're saying not so fast? I'm saying, try to think different. I think that's the common vernacular and the common thread and it's self-perpetuating, because if you believe that prevention is not possible and you have to assume breach, you then create an industry and a machine that you can't stop anymore. It's now self-perpetuating, because the more people you hire and the more tools you deploy, the more sensors and the more dashboards you employ, the more you have to manage it and the more budget you need to do so. And, you know, we are in a time of real concern about the economy and where budgets are going, and our timeline is extending on acquiring solutions and getting real help and having it sanctimonious mindset just simply doesn't work. I mean, now you get a place where you have a company and folks that run it that are invested in adding more and more and more, and therefore, you can't ever get to a place of true prevention. But if you understand how every attack works, I mean every single cyber-attack, they all go down to some fundamental elements that if you were to inject yourself with the right viewpoint and the way of managing those elements of those core of the attacks, you can actually prevent and you can prevent to 99.9% level even if you don't believe a 100%. You can prevent to 99, and if you prevent to 99, well then now you've shrunk your world of what you have to go chase and assume breached down to the 1 or .1%. Now, you can really reallocate resources to go after the .1 which is a much harder challenge to go find and identify than it is to prevent the 99.9; which is pretty obvious, pretty well-known, not a lot of secrets there. You just need to think ahead and you need to put your resources and attention to the places that matter.

Dave Bittner: Well, and I guess that's a good segue into Qwiet AI, your new venture. When you wrapped up your time with Cylance and with Blackberry you had lots of options available to you. What made you decide that this is the one you wanted to pursue?

Stuart McClure: Well, yah and a little of full disclosure, I mean, I had largely let cybersecurity be a part of my past, you know, once I had left Blackberry and put it in good hands, I had decided I was going to just apply AI into non-cybersecurity endeavors. I really am passionate about machine learning and being able to predict the future by learning from the past. I've always been focused on that predictive AI element versus the generative AI element, although there's plenty of a few cases for that as well. But for me it was the predictive side and I was approached by a good dear friend to consider coming in--back into the space here in AppSec and DevSecOps and I started to look at the tech and I started to realize this is the real deal. This--we might be able to apply machine learning, predictive machine learning into the code science space; to be able to actually prevent the 99.99 inside of code which is where all cyber-attacks start. If you look at the taxonomy of all attacks and you boil it down to the bottom basal elements, you really are talking about one of two things, either it's a vulnerability in the code that was never considered, or it was--there was a missing feature or a design flaw that should have been implemented. I mean, we know how to secure things. We really, really do. We just don't do it early enough and in the beginning development efforts even the design elements of a particular piece of software or hardware. We just don't. I mean, I've spent my whole career exposing that fact with Hacking Exposed and all of the hacks that we've demonstrated on stage right here at RSA, countless years, year after year. And I can tell you, we know how all of these attacks work. It is not rocket science in any way. So, if we know how they all work, why can't you go prevent it? I mean, it's manmade. All of these things are manmade, not alien made. So, we know how to go.

Dave Bittner: Is it a matter of scale?

Stuart McClure: Not--not really. I mean, there certainly are countless hardware endpoints out there and there are countless software endpoints and it is scaling quite a bit, but if you go back and just look down at the bottom of where it all begins, inside of the design of code, no one thinks about it from a secure mindset or a viewpoint. You have developers that really aren't trained in cybersecurity. Yah? You have AppSec that really aren't trained in development. And you need to bridge that gap between these two cultures into a blended, efficient, effective culture of knowing how to solve problems and then being very comfortable with making the changes to get secure. And this would include not just of course vendors proper, you know, Microsoft, Adobe, Apple etcetera, but it includes every single company that ever creates a single line of code. And there are--that number is growing it seems exponentially. But everybody's developing code and no one considers what to do about securing that code before they start writing it.

Dave Bittner: So, what is the take home for you, the recommendation for the coders out there in terms of the mindset? Is this a different approach? What are you suggesting here?

Stuart McClure: I'm sort of suggesting what I've been suggesting for almost 30 years, but it hasn't stuck, which is "think evil, do good." If you're a developer out there, think evil, do good. Try to understand the core of the attacks and how they all work. Your role in that is not intentional, it's unintentional, but you have the power to prevent countless attacks by simply thinking like a bad guy and incorporating the changes that you know very well could prevent that attack going forward. We're doing a talk tomorrow. It's going to be basically we're hacking Sec into demos. So, we're taking the world of code and DevOps and AppSec and we're finding the techniques and we're going to expose a few techniques that the adversary is using today to get into not just open source software, but your software and everything in between and make it look like a feature, but it's not. These are very easily prevented features that if you just understood sort of where all these texts come from and are comfortable with it, literally you could prevent a 100%.

Dave Bittner: Alright, well Stuart McClure is the CEO of Qwiet AI. Thanks so much for taking the time for us today.

Stuart McClure: Thank you so much.

Dave Bittner: It is always my pleasure to welcome back to the show Ann Johnson. She is the Corporate Vice-President for Cybersecurity at Microsoft, but more important than any of that, she is the host of the Afternoon Cyber Tea podcast. Ann it's great to see you again.

Ann Johnson: It's great to be here. Thank you for having me.

Dave Bittner: Yah. So, we are winding down another year of the RSA Conference. I would love to get your insights on the things that caught your attention or you think deserve our attention.

Ann Johnson: You know, it's been a great show. It's been high-energizing conversation back, you know RSA 2023 was--did you see there were a lot of people here? A lot of enthusiasm and optimism for the industry, I saw, of course, artificial intelligence represented and a lot of different vendor solutions. Microsoft had our Security Copilot that we announced in March that we did a lot of work on here in telling people about how ChatGPT is going to be great for the next generation of cyber defenders and incident response. There were folks, you know, that were on the show floor--I always walk the edges of the show looking for innovation.

Dave Bittner: Yah.

Ann Johnson: Saw innovative solutions related to industry-specific articles like health care, saw folks that were really trying to solve the hard problems of data security. It's been--it was a really interesting week. There's an AI lens on everything. It was the year of AI.

Dave Bittner: I really would love to dig into that with you, because as we were coming into the show this year I was--I was kind of half joking that I expected to see half of the booths saying, "We're ChatGPT enabled" and then the other half saying "We protect you from things that are ChatGPT enabled," right? Like where do you feel as though people are landing with that in the real world here?

Ann Johnson: We could have used a little more of the "We're going to protect you" on the AI side, because there--so, the company can layers while in the innovation sandbox.

Dave Bittner: Yah.

Ann Johnson: And companies like that, and Cranium came out of stealth from KPMG and those are you know robust intelligence in that space and a few others, but I think we still need to invest and have innovation in the actual protection of AI, the protection of data that's going into AI, model poisoning, model theft, model drift data poisoning. There's an opportunity in that space for companies to really differentiate themselves and for a lot of innovation to take place. I saw a ton of our security solutions were enabled by ChatGPT or OpenAI, or you know, natural language models or large language models. I saw a ton of that. I didn't see quite as much of the "we're going to protect that infrastructure."

Dave Bittner: Yah. What about on the personnel side of things? I think, you know, this--I think it's fair to say this is the first year that our industry has been hit with some economic headwinds. Are you sensing the tone of that out there on the show floor or is it mostly positive energy still?

Ann Johnson: No, it's really positive energy. I mean, that show floor was enthusiastic. I think that, you know, I ran into a couple of folks and you know not humorously who had been impacted that I know and they were job shopping.

Dave Bittner: Yah.

Ann Johnson: And they were saying tons of people were hiring. So, I think there's a transition of folks, but I think there were plenty of opportunities for people.

Dave Bittner: What's your outlook for the year ahead now? I mean, the information you've gathered here, how does that inform your thoughts as we ride out the rest of 2023?

Ann Johnson: Yah, because my day job is M and A and Strategic Partnerships for Microsoft Cybersecurity Business, RSA is always a really important event for me, right? Because I get to see all the newest startups, I talk to the investment bankers, I talk to the P's--the PEs, the VC community, you know, what are they seeing? Where's money flowing? What's the next wave of a startup? So, it's going to inform the strategy. As we're thinking about our ecosystem we're building a huge and robust system around Security Copilot. As we're thinking about that, what type of vendors, what categories, and then who's interesting so they can build killer apps on top of, you know, the Copilot.

Dave Bittner: You mentioned Security Copilot, can you describe to us what exactly that is?

Ann Johnson: Yah, absolutely. So, it is our implementation of ChatGPT on GPT4 specifically to enable cyber defenders. That's the first use case, right? It will enable cyber defenders to do better incident response, to do better forensics, to do better investigations, better reporting because it will give that--it will be able to deal--be able to use command prompts, be able to rationalize tools, we will be able to get real data much more quickly and understand what to investigate. But I think the power of it is actually not the use cases, I think the power of it is it extends, it makes cybersecurity much more egalitarian. So, you could spin up like a cyber-reserve, you could train your IT department on how to do command prompts. So, if you suddenly have an incident, you suddenly can spin up these resources, you don't have to be a full-time cyber analyst to help in the event of an incident and I think that's going to be the real power of the solution that we can bring cyber to more people. We can educate more people and won't have this talent charge we have now.

Dave Bittner: No, this is really interesting insight. Time will tell, right?

Ann Johnson: Heads up. Absolutely. The problem-solving is great, but it has to be trustworthy, responsible, and secure.

Dave Bittner: Yah, absolutely. Alright, well Ann Johnson always a pleasure. Thank you so much for joining us.

Ann Johnson: Thank you so much for having me.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at the We'd love to know what you think of this podcast, you can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.