The CyberWire Daily Podcast 5.1.23
Ep 1813 | 5.1.23

FDA warns of biomed device vulnerability. Ransomware's effects continue at US Marshals Service fugitive tracking. US DoJ shifts to disruption of cybercrime. GRU phishing. KillNet’s ask-me-anything.

Transcript

Dave Bittner: The FDA warns of a vulnerability affecting biomedical devices. Ransomware's effects continue to trouble the U.S. Marshals Service. The U.S. Justice Department shifts how it deals with large-scale cybercrime. Fresh phish from the GRU. Caleb Barlow looks at unicorns and zombiecorns. Our guest is Manoj Sharma from Symantec, explaining the difference between Zero Trust and SASE. And KillNet runs an ask-me-anything session.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel briefing for Monday, May 1, 2023.

FDA warns of vulnerability affecting biomedical devices.

Dave Bittner: The U.S. Food and Drug Administration is warning healthcare providers of a vulnerability affecting the universal copy service software in a multitude of Illumina devices. The vulnerability impacts a range of devices and instruments used primarily in sequencing DNA for diagnosing potential genetic medical conditions as well as research.

Dave Bittner: The vulnerability allows for an unauthorized user to remotely control, alter settings, configuration, software, or data, and can alter genomic data outcomes to show no results at all, or an incorrect or altered version of the results. The FDA says that on April 5th of this year, Illumina notified affected parties of the vulnerability and advised checking the relevant devices for signs of exploitation. No exploitations have so far been reported. Illumina's Chief Technology Officer, Alex Aravanis, wrote in a LinkedIn post that the company has developed a software update for the vulnerability, which he says will be free and require little to no downtime for most.

Ransomware's effects continue to trouble US Marshals Service fugitive tracking.

Dave Bittner: A ransomware attack against the U.S. Marshals Service computer network is still causing the agency to experience an outage. As the Washington Post reports, "A key law enforcement computer network has been down for 10 weeks, the victim of a ransomware attack that has frustrated efforts by senior officials to get the system back up and running, raising concerns about how to secure critical crime-fighting operations." The effects of ransomware can be protracted and difficult to remediate fully. The U.S. Marshals Service, by no means an inept or poorly resourced organization, affords a case in point. They didn't, it's worth noting, knuckle under to the extortionists. The U.S. Marshal refused to pay the ransom and decided to wipe all devices that could have been used to facilitate the breach. This has caused some frustration among agents. According to the Post, "In the case of the TOG system, the network has existed outside regular Justice Department computer systems for years, unnoticed in the open, crowded internet." Many agents had their work phones wiped, which resulted in the loss of text conversations and contact information, which is inconvenient but not crippling. The service is working to rebuild its systems and reevaluating its network architecture.

U.S. Justice Department shifts to disruption and prevention of large scale cybercrime.

Dave Bittner: PCMag reported from the RSA Conference that the U.S. Department of Justice has shifted focus away from arrest and toward disruption and prevention of cyberattacks. U.S. Deputy Attorney General Lisa Monaco explained that the goal is now to minimize harm. "We're not measuring our success only with courtroom actions and courtroom victories," she said.

Dave Bittner: Monaco used the Colonial Pipeline attack as an example of how to protect victims. For context, the DOJ was able to seize approximately $2.3 million in bitcoin Colonial Pipeline had paid the criminals to recover its files. Monaco attributes the success to Colonial Pipeline's willingness to work with the DOJ. This approach is not centered on prosecution. Monaco says, "The direction we've given to our prosecutors and investigators is you've got to have a bias towards action to disrupt and prevent, to minimize that harm if it is ongoing, to disrupt it and take that action to protect the next victim, and doing so will not always yield a prosecution."

Dave Bittner: The DOJ's CyclopsBlink operation, in which the DOJ worked with Microsoft and other private companies to discover and disrupt a botnet operated by Russia's GRU, is another example of this approach. The botnet hadn't yet been activated, and its disruption amounted to proactive mitigation, and that's what Justice is interested in.

LockBit's affiliates should have read the terms and conditions?

Dave Bittner: A LockBit affiliate has fallen out of the ransomware gang's good graces after using LockBit's ransomware-as-a-service tool against a school district in Illinois in February, Bitdefender reports. Olympia Community Unit School District 16 discovered that it was victimized on February 26th of this year, and LockBit's leak site began counting down to April 12th as the date on which all the district's stolen data would be released. The LockBit administrator, however, updated the leak site with an apology for the attack against small innocent children, and that administrator even seems to have offered the decryptor for free, with apologies, saying, "Please forgive me for allowing the attack on small innocent children. The stolen data has been deleted. To get the decryptor, please give me the decryption ID. I am very ashamed, but I cannot control all partners. Anyone can join my affiliate program as well as break the rules. I have blocked this partner." So there may be some small honor among thieves, or in this case, ransomware-as-a-service operators, but they remain thieves nonetheless.

Fresh phish from the GRU.

Dave Bittner: On Friday, April 28th, 2023, CERT-UA, Ukraine's Computer Emergency Response Team, reported that Russian operators were sending phishing emails that misrepresent themselves as sending instructions on installing a Windows security update.

Dave Bittner: Bleeping Computer writes that "The Computer Emergency Response Team of Ukraine, CERT-UA, says Russian hackers are targeting various government bodies in the country with malicious emails supposedly containing instructions on how to update Windows as a defense against cyberattacks. CERT-UA believes that the Russian state-sponsored hacking group APT28, also known as Fancy Bear, sent these emails and impersonated system administrators of the targeted government entities to make it easier to trick their targets." APT28 is associated with Russia's military intelligence service, the GRU, and CERT-UA is both certain of and unambiguous with respect to that attribution. CERT-UA describes the attack process as follows, stating, "During April 2023, the government Computer Emergency Response Team of Ukraine, CERT-UA, recorded cases of the distribution of emails with the subject 'Windows Update' among government bodies of Ukraine, sent apparently on behalf of system administrators of departments. At the same time, email addresses of senders created on the public service '@outlook.com' can be formed using the employee's real surname and initials." The warning adds, "The sample letter contains instructions in Ukrainian for updates to protect against hacker attacks, as well as graphical images of the process of launching a command line and executing a PowerShell command." Should the victims follow the instructions in the email, they'll find themselves installing a PowerShell script that simulates a Windows update while it in fact downloads a second malicious PowerShell payload in the background. That payload deploys information-harvesting malware that abuses the legitimate Mocky tool. CERT-UA concludes, "We recommend restricting the ability of users to launch PowerShell and monitor network connections to the Mocky service API." The attack is interesting in a self-referential way. It exploits fear of Russian cyberattacks in order to accomplish exactly that, Russian cyberattacks.

KillNet’s ask-me-anything.

Dave Bittner: And finally, we turn again to KillNet, that prominent Russian hacktivist auxiliary that now says it's reinventing itself as a for-profit operation. KillNet held an Ask Me Anything session on their Telegram page this past Saturday to answer questions about their new self-designation as a Private Military Hacking Company. The questions raised were mostly about how they'll operate. KillNet responded, "We created four sub-detachments consisting of former cybercriminals and former members of special services, not only from Russia. At the current time, we are ready to not only defend the motherland, but also conduct computer network attacks and destruction of intruders of different levels throughout the world." They also explained that the price per mission is going to depend on the complexity involved. When asked what kind of file sharing system they'll be using, the response was "Skype." KillNet also explained that they have very tight and trusting relationships with international specialists that provide them with 24/7 support in accomplishing their goals. Regarding their pricing, they explained that they could destroy the electrical infrastructure of Ukraine and Poland for a sum of $30 million, adding that every destructive operation against electrical infrastructure costs money. We mention that destroying the electrical infrastructure of Ukraine, Poland, or indeed anywhere else, is a lot easier said than done, and were it that easy, why hasn't it already been done? It could have saved the Kremlin the expense of all those cruise missiles that failed to get the job done in Ukraine. A side note, interestingly enough, KillNet seems to be pricing its missions in dollars, not rubles. We hope that's not a bad sign about the strength of Russia's currency. Anyhoo, most of the remaining questions were about KillNeteers' personal lives and education, and about how they're offering opportunities to learn more about being a hacker. KillNet ended their Ask Me Anything by explaining that their days of altruism are over. They're done destroying civilian infrastructure or conducting nuisance-level DDoS for free. From now on, it's all about the Benjamins. Their activity won't continue at its formerly high tempo, but they will continue to support Russia and its interests. They say they came to this line of work because they hate the Polish people and Ukrainians, but now they need to monetize their hate. And alas, sadly, there's always been a market for that.

Dave Bittner: Coming up after the break, Caleb Barlow looks at unicorns and zombiecorns. Our guest is Manoj Sharma from Symantec to explain the difference between Zero Trust and SASE. Stick around.

Dave Bittner: One of my favorite games to play at RSA Conference is buzzword bingo. This year, the center free square was ChatGPT. But maintaining a solid presence on the playfield are SASE and Zero Trust, and for better clarity on the distinction between those two things, I spoke with Manoj Sharma, Global Head of Security Strategy at Symantec.

Manoj Sharma: I look at the Zero Trust and SASE as two sides of the same coin for a very large purpose and explain that, what the exceptions are.

Dave Bittner: Okay.

Manoj Sharma: But they're very different, too. So one is a product and an architecture that you buy. That's SASE.

Dave Bittner: Yeah.

Manoj Sharma: Zero Trust, on the other hand, is a cybersecurity framework. You cannot sell Zero Trust. You cannot buy Zero Trust. Zero Trust is an -- is a framework that you adopt and build for yourself. So to build something, SASE is the responsibility of the vendor itself, and you are the consumer of that technology and all you are responsible for, the actual customer, is identifying the best way to get the traffic into that cloud and then the policies that will govern how you secure yourself. Zero Trust, on the other hand, you need a set of tools that integrate with each other and is driven by the intelligence that you derive out of your environment and buy or acquire from a third party, and then you build that framework for yourself and you operate it by yourself. So when you think about how these -- these things are two very different things, how are they even related to each other?

Dave Bittner: Right.

Manoj Sharma: What? And when you read the official definition of SASE as Gartner defines it, it is impossible to build a SASE product, if you will, or an architecture, without the Zero Trust elements already built into it. So that's where these two things get very, very, really, really similar, if you will.

Dave Bittner: Yeah.

Manoj Sharma: And SASE has to deliver Zero Trust outcomes when it is deployed.

Dave Bittner: It does, but just for clarification, is -- would you consider one a subset of the other, or are they two things that overlap in some places?

Manoj Sharma: They are, look, like I said, one is the framework that you're responsible for as a customer. The other one is a product the vendor is responsible for.

Dave Bittner: I see.

Manoj Sharma: But the product you're buying has to deliver, so we build upon Zero Trust principles. That's what I'm trying to say. Give an example. So Zero Trust network access is a product that is part of the SASE portfolio which really delivers Zero Trust way of establishing the connect between the user and the entity they're connecting to. Why? It is part of SASE. If it is not based on Zero Trust principles, that -- principles of least privilege, assume breach, know the user before they're going to enumerate the application, all of these things are built into that architecture. So Zero Trust is way bigger, by the way, than SASE itself. SASE is very well defined, very well contained with the list of functionalities, and there are a lot of things that you could do in your DMZs on-prem but not yet part of SASE, if you will. So ability to do full packet capture for forensics, well, that's critical capability. It's not part of SASE yet. Or when you think about Zero Trust, it actually extends to accessing the databases, how databases will talk to the applications, how applications talk to applications, and so those use cases are not served by SASE. So Zero Trust being a framework is much larger than the product that SASE is.

Dave Bittner: Do you understand, do you have a certain amount of empathy for those who find this a bit fuzzy, a bit confusing to suss out the differences?

Manoj Sharma: I tell you what, I've been in front of customers, and that's what my role is, to work with the largest companies in the world.

Dave Bittner: Yeah.

Manoj Sharma: And with some of the IBITF services providers and say, "Manoj, help me understand the Zero Trust." So I explain to them, you know, like the principles, the building blocks of Zero Trust.

Dave Bittner: Right.

Manoj Sharma: And most customers come back with, like, "We're doing this already."

Dave Bittner: Oh, interesting.

Manoj Sharma: Right?

Dave Bittner: Yeah, yeah.

Manoj Sharma: I mean, there's no default access to any of my applications. I have to know who the user is. Yeah, they can enumerate stuff when I'm not there, but when you think about, Zero Trust is a journey that you may never finish.

Dave Bittner: I see.

Manoj Sharma: Right?

Dave Bittner: Yeah.

Manoj Sharma: And I'm working with the financials in this -- the bigger financial companies in the world that actually have dedicated teams to build a Zero Trust strategy and implement that architecture, and SASE plays an important role there because the use cases that they are trying to build are already served by SASE. So it is, yes, it can be confusing, so that's where the distinction between a framework and a product is. You have to understand that. Product has limitations in terms of capabilities. Zero Trust is a framework [inaudible] many more things.

Dave Bittner: Is there a pathway to success that you see -- for the folks who are doing this and finding success, are there common elements there?

Manoj Sharma: There are, absolutely, yes, right? So one of the lowest-hanging fruit, if you will, where these two things meet together is ZTNA, which is Zero Trust Network Access. That's a building block, the very first thing you could do to take some of the most critical applications that you have inside your data centers and publish those applications to your known users, not for the world, known users, in a very well-defined way, in the matter of the principles of least privilege. So a lot of people confuse this thing with replacing the VPNs. It's a lot more than that. So for example, at Symantec, we have two levels of ZTNA, for example. One is like we're going to place a VPN for you, for the user, in touch with the right application, but then, how do you implement the principle of least privilege? So that's the Layer 3, Layer 4 kind of a tunneling, kind of an application publishing. We have a Layer 7 one, which means the user will only have access to the actual application interface, not the host, not the IP address, not the ports, and so on and so forth. So there are ways to continue to build your policy in a way that you continue to restrict what user absolutely will be able to do and achieve that bizarre [phonetic] state. So ZTNA is one place where we find that Zero Trust and SASE are coming together, solving that problem. Now, there are two ways to get there, too. When you say, "I want to establish Zero Trust," people ask question, "Well, where do we start?" That's always the very first, "Where do we start?" And usually the industry will say, "Let's go with the access part." Who can access what? The application. Well, with Symantec, we're a little bit different, if you will. You have a way to do the access piece. You can also start with the data, because at the end of the day, why do we build the security ecosystems around us is because we have something worth protecting, and what is something that protecting is the reputation of the company, which among a lot of other things in today's world relies on how secure your intellectual property is, or the data that you became custodian of because you're in that business, how secure is that data? So we understand both the access and the data part, so you can start from either the access part or securing the data itself.

Dave Bittner: That's Manoj Sharma, Global Head of Security Strategy at Symantec.

Dave Bittner: It is always my pleasure to welcome back to the show Caleb Barlow. He is the CEO at Cylete. Caleb, great to see you here at RSA Conference.

Caleb Barlow: Hey, Dave. It's, first of all, incredible to be doing this finally face to face.

Dave Bittner: I know.

Caleb Barlow: We've been doing this for years, and this is the first time we've ever met face to face, let alone in a sea of thousands here.

Dave Bittner: I think you're right. I wanted to touch base on something that I think isn't getting the attention that it deserves, and you actually pointed this out to me. As we're walking around on the show floor here at RSA, and indeed here in San Francisco, there's this perception of success, of wealth, and a lot of that is well placed, but it's not the whole story.

Caleb Barlow: No, you know, it's not, Dave, and I think, you know, particularly at RSA, right, I mean, this is where we come to show off the innovations, the new technology in the security space, and this year, like any year, there's some amazing things to look at, but I think one of the things that, you know, there's a little bit of an undercurrent here that we have to acknowledge this year, I mean, how many times have we talked on this show about the skills gap and the difficulty in finding people? This is the first time that there's large masses of people walking around in the cybersecurity industry that have been laid off and are looking for jobs.

Dave Bittner: Right.

Caleb Barlow: And, you know, I think we have to acknowledge that. I think we've got to recognize that, okay, we're still an industry that's going to hire a lot of people. These people are going to find new roles, but, you know, a little bit of that skills gap we talk about, we're taking a big chunk out of it over the last couple of months. You know, the other thing we should probably talk about here, too, and this is important whether you're a buyer of cybersecurity solutions or maybe you're an employee to vendor is that, you know, the pressure is now on in new ways for these cybersecurity companies.

Dave Bittner: How so?

Caleb Barlow: Well, if you think about it, if you were sitting in the CEO seat of most of these companies over the last 5 to 10 years, you're in what we call a "growth-oriented mindset."

Dave Bittner: Right.

Caleb Barlow: And we've talked on this show about the Rule of 40, as an example. You can look up what that means.

Dave Bittner: Yeah.

Caleb Barlow: But, you know, the idea was that it was okay if you had a company that was burning cash as long as you were growing that business, as long as, you know, your, you know, average annual return was growing year over year, that was actually looked as a good thing, and investors rally behind that, and you'd be able to get access to capital. Well, Dave, the world has changed.

Dave Bittner: Yes.

Caleb Barlow: It's now -- it's now all about cash flow, and I think there's a couple of concepts that are really important for people to recognize. So the first thing to really recognize in this is that in any of these venture-funded cybersecurity startups, which is most of them on the show floor, you know, it's not just the stock of employees and investors. You have to realize that not all stock is equal. There's this thing called the "preference stack," and what this means is that, you know, when a company gets sold, certain people get paid first. So if the company has been successful and it's grown to everyone's aspirations, then everybody makes out great and we're all good, but let's take a different scenario. Let's say that maybe that company has been revalued. Maybe it comes time for it to get sold to, you know, a strategic buyer and it hasn't quite garnered, you know, the aspirations that everyone had after it and what was kind of putting that preference stack when people made the investment. Well, the people that lose on that are typically the employees and the management because they don't usually get paid first. So one of the things that people want to be paying attention to is this preference stack, but the other thing it can mean is -- and there are companies here today that have this issue, you know, their employees may be underwater. So even though the company is successful, even though the company is moving forward, you know, what motivates people to be entrepreneurs and what motivates this audience is, you know, that opportunity to work hard for a few years and maybe get a bite of that apple of success, and, you know, you might be in a position where you're not going to get that big bite of the apple.

Dave Bittner: What about the companies themselves? You know, for years, we've been tracking and crowing about the unicorns in the space. Are we still generating unicorns?

Caleb Barlow: Well, there is a new term that I learned this week that I've never heard before, and, you know, I don't want to be all gloom and doom, but it's called the "zombiecorn," and, you know, what you have is, especially last year, there were a whole series of companies that raised, you know, 100, 200, 300, $400 million in a year. I mean, these are incredible amounts of money. Well, the problem with that is that creates a valuation of what's the company worth. So, you know, you take down $400 million, the company is easily going to be worth probably more than a billion in its valuation of what people anticipate that it should become, so that then creates the unicorn.

Dave Bittner: Right.

Caleb Barlow: Well, now the problem is, the company's got to grow into that. There may not be the strategic buyers. There may not be the follow-on investments. It's going to be harder to get money. So now what you have are these companies that have taken down all this money, then they've got to grow into that valuation, and that's, you know, what that does is it pushes their time trajectory out potentially many years, especially if we have a potential recession on the way, you know, that could push it even further. So, you know, these companies will get there. They will likely survive, but it may be a very difficult journey for these CEOs and managers as they kind of have to deal with their, you know, you know, their new status as a zombiecorn.

Dave Bittner: What about the individuals themselves? You know, earlier today, I was talking with my colleague Rick Howard and we were saying how so many of these organizations want to hire the high-level people who have a lot of experience, and they're willing to throw a lot of money at those people to get them, but I still hear stories about, particularly the entry-level folks who are having trouble getting hired. It's like this disconnect there. People don't want to -- my perception is companies don't want to invest in hiring and training those people up. They want the fully baked person.

Caleb Barlow: I think you're absolutely right, and I think we have a new problem. I mean, we've talked about the skills gap and security, we've talked about the diversity challenges and security, but I think we actually have a new problem, which is an accessibility gap, meaning that there are workers that want these jobs. There are people that are capable, over three months, six months, a year's worth of training, to be able to move into these jobs, but what we have to do is make these jobs accessible, and what that means is we have to upskill. You know, so I think part of what this means for your, you know, HR managers at companies is to pivot the spend. Today, if you go recruit a high-caliber individual, you could be spending a lot of money on a recruiter, you know, in many cases, well north of six figures.

Dave Bittner: Right.

Caleb Barlow: To recruit that individual who it becomes difficult to retain, right? So, you know, if you want to spend $100,000, recruiting a top cyberthreat hunter and they leave after two years, you didn't really gain anything out of that. So, you know, the new approach to this that I think a lot of people are going to start looking at is to say, why don't we take that same money and why don't we invest in upskilling individuals. Now, there's a couple of benefits that come out of that. One, it's going to cost a whole lot less. Two, there is a higher likelihood that person is going to be retained. And third, I think the loyalty of that individual, because you help them get there, is inconsequential. Now, the negative of upskilling is it's going to take time. You know, you're going to have to invest the time upfront, rather than in recruiting, you're going to have to invest the time in training. But, you know, at the end of the day, I think that's okay, and I think people are starting to realize that. You know, the other thing I'd leave you with, Dave, is, let's also not forget about interest rates. So, you know, if anyone's looking at buying a home, they might have noticed that interest rates have gone from nearly nothing to, you know, 7%, 8%.

Dave Bittner: Right.

Caleb Barlow: Well, remember, business loans, especially business loans for startups, are going to be much more than what you're going to see in a home loan. So also what we have is a lot of companies here, coming through the pandemic, maybe it wasn't the right time to raise capital, so instead, they, you know, went to a debt service. There are companies here that might have 50 to $100 million in loans. Well, now all of a sudden you're not paying a few percentage points on that. You might be spending millions of dollars a year just servicing the loan.

Dave Bittner: Does that shorten the runway for that?

Caleb Barlow: That absolutely shortens the runway. So this is the other thing that I think a lot of companies are dealing with, and the reason I mention this isn't gloom and doom. You know, remember, we're in an industry that's going to be successful, but what it means is that, as employees at companies and buyers of solutions, we now need to pay attention to, how is that company capitalized? What is their runway? Are they going to be around? And most importantly, are they going to be able to retain their critical staff?

Dave Bittner: Yeah. All right, well, Caleb Barlow, thank you for coming by, and always an interesting conversation. It's great to see you in person.

Caleb Barlow: Likewise, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the Grumpy Old Geeks podcast where I contribute to a regular segment called "Security Ha." I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 in many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.