The CyberWire Daily Podcast 5.5.23
Ep 1817 | 5.5.23

DPRK's Kimsuky spearphishes. A standards strategy for AI. Ransomware Task Force retrospective. KillNet's new menu. Ex-Uber CSO sentenced for data breach cover-up.

Transcript

Dave Bittner: Kimsuky has a new reconnaissance tool. The Biden administration shares plans for AI. Reports on the Ransomware Task Force Report. KillNet recommits to turning a profit. Deepen Desai from Zscaler has the latest stats on phishing. Our guest is Karen Worstell from VMware with a conversation about inclusivity. And the former CSO at Uber is sentenced.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Friday, May 5, 2023.

ReconShark, a new reconnaissance tool deployed in DPRK spearphishing attacks.

Dave Bittner: SentinelLabs reports that Kimsuky, a North Korean state-sponsored cyber espionage activity, has incorporated a new reconnaissance tool into its repertoire. ReconShark accompanies specially crafted emails in spear-phishing attacks. The group crafts spear-phishing emails tailored to the individual target by using real names and, especially, information directly pertinent to the target's work to lure the prospect into downloading a malicious file. Recently, the group has been favoring password-protected Microsoft OneDrive documents.

White House releases National Standards Strategy for Critical and Emerging Technology.

Dave Bittner: The U.S. administration yesterday released a summary of measures it intends to take to regulate the development of artificial intelligence technology, fostering the benefits it brings while at the same time mitigating the technology's risks. A White House fact sheet stressed the evolutionary nature of the strategy and took care to point out earlier policies and actions that prepared the way for the present approach to AI. Three aspects of the strategy were described at moderate length: new investments to power responsible American AI research and development; public assessment of existing generative AI systems; and policies to ensure the U.S. government is leading by example on mitigating AI risks and harnessing AI opportunities.

US Ransomware Task Force releases a two-year retrospective.

Dave Bittner: Members of the Ransomware Task Force, created by the U.S. Government Accountability Office to track ransomware trends and establish protocols to fight the threat, released a progress report and spoke with reporters from The Washington Post about the distance covered since the office's creation two years ago. When asked what their view was on the progress made in two years, the answers took a familiar GAO form. As a task force member himself notes, we are making progress, but there is always work to be done. Some 92% of the task force's suggestions have been put in place, and they have, at the very least, led to a lull in ransomware's effectiveness in some ways.

KillNet's reorganization continues.

Dave Bittner: The Russian hacktivist auxiliary KillNet continues its ongoing visioning exercise. Flashpoint reports that the group has remained committed to turning a profit. Flashpoint also argues that this isn't really new. Flashpoint highlights the fact that Killnet has remained a financially-motivated gang, despite its Russian government affiliation. The researchers write that the group “has used the media exposure provided by an eager Russian pro-Kremlin media ecosystem to promote its DDoS-for-hire services. Killnet has partnered with several botnet providers as well as the Deanon Club, a partner threat group, to target narcotics-focused dark net markets.” KillNet hasn't shown any particular growth in terms of sophistication or effectiveness, and this reliance on ho-hum commodity tools has attracted the ridicule of other players in the cyber underworld. Killmilk, the gang's leader, continues to see mockery on what the researchers describe as top-tier Russian forums.

Ex-Uber CSO sentenced for data breach cover-up.

Dave Bittner: Joe Sullivan, former security chief at ride-sharing company Uber, has been sentenced to three years of probation for his involvement in the cover-up of a 2016 data breach. As SecurityWeek explains, Sullivan was accused of obstructing the US Federal Trade Commission’s investigation into a data breach Uber experienced in 2014. It was while that incident was being investigated in 2016 that Sullivan decided not to disclose a newer breach that was even larger than the first. In this second incident, the data of over 50 million Uber users and drivers were stolen, and the hackers extorted the company, receiving $100,000 through Uber’s bug bounty program. Sullivan allegedly instructed the attackers to sign non-disclosure agreements to keep silent about the stolen data. It wasn’t until a year later, when the company brought on a new CEO, that Sullivan’s actions were discovered. As the Washington Post reports, Sullivan became the first corporate executive to be convicted of crimes related to a data breach carried out by external hackers when he was found guilty of obstruction of justice and hiding a felony. While prosecutors pushed for Sullivan to be sent to prison for 15 months, U.S. District Judge William Orrick decided on just probation and community service, noting Sullivan's past record for protecting individuals from previous breaches and the actions he took to prevent the stolen data from being released. The landmark case drew attention from industry experts, and the Cybersecurity and Infrastructure Security Agency's former chief of staff, Kiersten Todt, warned the judge that his verdict could make it impossible to recruit smart people into the roles of CISOs and CSOs if imprisonment is on the table and will set the industry back. However, Orrick responded that Sullivan's attempts to deceive the federal government could not go unpunished. Before sentencing, Sullivan spoke before the judge stating, "I was a bad role model. We're there to be the champion of the customer, and I failed in this case."

Dave Bittner: And finally, our CyberWire associate producer Liz Irvin was with us for the first time at the RSA Conference this year. And she shared her mic with conference-goers walking the show floor. She files this report.

Liz Irvin: We're here in beautiful San Francisco at the RSA Conference for 2023. My name is Liz Irvin, and this is my woman-on-the-street walk-and-talk with cyber professionals around the world. So do you feel like RSA is fully back since you've been here before -- since COVID has happened? Do you feel like it's fully back in the swing of everything?

Kyla Guru: I would say, I think, after the pandemic people have come back stronger. And it's a big community of individuals who now, like, recognize the risks of, like, being online and, like, the, I guess, the risks that the pandemic brings. So I feel like now it's a more energized, empowered community, and everybody feels, like, a little bit more, like, loving the fact that we're being together. I feel like the recognition that this is so special is definitely here now that we've been through COVID.

Crystle-Day Villanueva: So I think, like, especially for the main floor, before COVID there was a lot of people on microphones and very loud sessions. And it was very disruptive. Like, it was very hard to concentrate. People were fighting for attention. Now it's a lot more like everyone's in the same mindset. Everyone's respectful for -- to each other's space, and everyone's messaging because we're all here for, like, a good time as well as cybersecurity.

Liz Irvin: So what does it feel like to be walking on the showroom floor? I mean, typically this is a male-dominated field, and you see a lot of men on the showroom floor. How does it feel to be here kind of representing women as a whole, and seeing more women in general, just on the floor this year?

Regina Menezes: I feel like it is a good thing. I feel very honored to be a woman and working in IT and doing networking because you don't really see that. So I feel like representing women and being able to do that is empowering.

Kyla Guru: Yeah. No, it feels super-powerful to -- I think, especially walking with a group of super-cyber girls and just walk in and, you know, take over the floor and have that confidence and energy that you're bringing to the table. And I think people recognize that too, and they're kind of vibing off of that. And people are inviting us to the table, asking us questions about our experience. And it's so lovely. I think, again, just stronger together.

Ameesha Patel: I think it's also just great inspiration. Like, no matter what your background is, like, what your position is in the company. I think it's just inspiring overall. And I think if I knew a lot more about cybersecurity and about computer science when I was younger, I definitely would have maybe pursued a career in that. Like, seeing it, how fun it is, and how, like -- like, you know, people have so much knowledge, like, and these are such important things. Like, it builds communities.

Divya Ganesan: Seeing so many women is inspiring, and the turnout here is, like -- to put it simply, better than I thought. Having competed on a team with only girls but in a really male, military-dominated space for the last year, it's been inspiring, surprising pleasantly, and exciting to see that we're joining a larger community of women. We went to a Women in Cyber event two nights ago in the city. It's great to see that that's getting more of a stronghold. And now we're able to kind of build networks and mentorships and see ourselves in this space in a way that we haven't ever been before.

Dave Bittner: That's Liz Irvin, our N2K Networks associate producer, reporting from the show floor of last week's RSA Conference in San Francisco.

Dave Bittner: Coming up after the break, Deepen Desai from Zscaler has the latest stats on phishing. Our guest is Karen Worstell from VMware with a conversation about inclusivity. Stay with us.

Dave Bittner: Not long ago, I had the pleasure of interviewing Karen Worstell for our "Career Notes" podcast, and when I discovered she'd be at the RSA conference, I jumped at the chance to speak with her in person. Karen Worstell is a senior cybersecurity strategist at VMware, and our conversation centers on the notion of inclusiveness in cybersecurity.

Karen Worstell: Well, I was just at an event with WSIS last night, so it was fantastic to see. I mean, it was a packed-out crowd, and there were a lot of women and allies in the room. So that's a new thing over the years at RSA. So I think there's progress -- definitely there's progress. It's a conversation now, that's happening -- that people I think expect to see happening. So that's a shift. Something that hasn't shifted so much, if I look at who is running the companies and who's on the top level, at the executive level in the organization, that's not changed that much. You know, it's for sure male-dominated. Not so much always white-male-dominated. But still, when I say that, it's not -- I'm not trying to say that that's necessarily a bad thing. [multiple speakers] We have very good people leading organizations.

Dave Bittner: Right.

Karen Worstell: It's an indicator that, in the world of inclusion, there are still barriers to women showing up at that top level. So I think there's work to be done. Not to say that it's a bad thing that we see men leading these organizations at all.

Dave Bittner: What do you think some of the specific barriers are right now?

Karen Worstell: Wow. I wish I knew the answer to that -- you know, totally. But I think there are -- there are still -- as human beings, it's a human-being thing. [multiple speakers] We like to hang out with people that are like us. Things are easier to get done quickly when everyone in the room thinks the same, talks the same, has the same background, uses the same jargon. So there's a huge human tendency to kind of stay there. That's the fast thinking.

Dave Bittner: Right.

Karen Worstell: That's the -- that's our fast-thinking brain.

Dave Bittner: It's like a comfort zone thing, too. [multiple speakers] Right?

Karen Worstell: It's a comfort zone, and I think we value speed. You know, we really value speed. And speed sometimes comes at the expense of inclusion. Trying to slow down enough to truly understand another person who doesn't necessarily have the same background as you or talk like you, think like you, it takes more time. We're not always really willing to do that. And I think the culture -- and I'll just say, in general, you know, the startup culture, the Silicon Valley culture, it values speed. It values profit -- well, at least it values innovation, hopefully leading to profit. And so -- and so that, I think, tends to foster an environment where, if you're not one of us, if you're not able to fit in, if you're not able to kind of like get up to speed and be a member of this team and included in this group without a lot of effort, then you're going to be passed over in favor of somebody who will. And I think that's part of the challenge that we're all facing. It's like, can we slow down enough to hear everybody. And I think inclusion is not just a gendered thing. Right? And it's not just a race thing. For example, the place where this would really be helpful is for all of the really quiet, introvert people who are very thoughtful about what they say and want to think everything through before they raise their hand to speak up. But by then, the meeting is over, and they've never been heard. Because unless we recognize that we have that kind of difference in the room, and we can stop and say, I haven't heard much from you yet, and I'd really like to -- you know, are you ready to have something that -- or do you want to share what you've got on your mind. And help to pull that out and help to make the rest of the room recognize that we need to make that happen. So inclusion is a lot of things. You know, neurodiversity. You know, people's preferences for speaking up. I had a -- I interviewed somebody on my podcast a while back who was very much an introvert. And she expressed how horrifying it is to have an extrovert in the room who just talks out loud while they're thinking, you know, to literally be thinking out loud.

Dave Bittner: Yes. Yes.

Karen Worstell: Right?

Dave Bittner: Yes.

Karen Worstell: [multiple speakers] It's, like, the most horrifying [laughter] thing to them. And they're, like, how can you be doing that? And I'm, like, oh, that's me. [laughter] That's so -- I --

Dave Bittner: That's interesting.

Karen Worstell: So I try to -- I try to think about that. You know, like, who else is in the room and is going to feel like they can't say anything because I can't stop talking.

Dave Bittner: Is it a bit of a feedback loop as well? Because I imagine the extroverts attract attention. And so when it's time to do promotions, there's a natural tendency to gravitate towards those people -- move them to the top of the list.

Karen Worstell: Right. Well, we value contribution. Right? We value ideas, and we value that energy. And an introvert in the room is quietly listening to everything everybody is saying and synthesizing what they want to say. And like I said, if the meeting can be over by the time they're ready to speak up. So they don't get the credit for what they can bring to the table, and I think we have to be careful about that. So yeah. There's -- I mean, inclusion is -- I think if we focused on trying to be intentional about inclusion, we would see all of these unintended, unexpected benefits. And the reason I say that is, a while back Intel had a program where they decided that they were going to make the internal demographics of Intel match the demographics of the population that they served. So there was a big -- you know, there was a big program there to try to make this happen over a period of time. They actually got done early. They met their goal. And one of the outcomes of that, which was a big surprise, was that the people who were part of that dominant culture -- I like to use the word dominant culture instead of white men, but, you know [laughter], the people who are the dominant culture --

Dave Bittner: Right.

Karen Worstell: -- had the experience that, for the first time in their career, they were being heard too. So it's not like, I think we -- it's not like we have to just focus on the identity groups. It's not that. It's that we need to slow down and learn to listen to everybody. Right? Am I making assumptions about what you're saying because I have a certain schedule that goes in my brain, and I don't have the time to slow down and listen to you. And that's the thing that I think we would all gain from. And if we could actually do that, wow. The workplace would transform.

Dave Bittner: Is it -- I mean, is that the lesson for leaders to have some intentionality of, I don't know, modeling that kind of behavior?

Karen Worstell: Definitely. I mean, yeah. And I think some leaders are already really good at it. I've certainly had some of them in my career, and I noticed it. I'll never forget one person. He was the head of Research and Technology at the Boeing Company. I was just, like, an analyst. And I was working away in my office, and he stopped. I'll never forget this. He stopped in my room, in my office. And he said, I have a question. Do you have a moment to talk to me? And he -- I could tell in that conversation that he was 100% present, listening to what I said. He was not running through -- he ran seven businesses. Right? He wasn't -- he wasn't doing all the other things in his head while he was in the room with me. He was truly listening to me. That was a transformative experience for me as -- I'm sitting here thinking, he's actually listening to me? Like, what? And I was, like, that's an amazing feeling. And I want to try to do that for other people. And I have to say that I'm not always really successful, but I'm conscious of not being successful at it when I'm not. And to sit down and say, this is a gift, to be 100% fully present with another person and giving them your full attention and hearing what -- and hearing them. There's another exercise that I do. So one of the things that I learned when I was in my chaplaincy training is I became a SoulCollage -- a certified SoulCollage facilitator. And without getting into all the details about it -- you can always look it up at soulcollage.com -- but the experience that people have when they do this, they create an image. It's a very simple process. And it essentially is a reflection of something that they have a difficulty giving voice to. And when they're done with creating this image, they're with another person. And they put the image -- they hold the card, and they say, I am one who. And then they complete the sentence, and it's sort of a stream of consciousness thing. The other person's job is to write down word for word everything they say as they're saying it. And the purpose of that is, when it's done, the person reads back verbatim word for word what was spoken to the person who spoke it. And what I learned in doing that, facilitating that process, was almost no one has the experience in real life of having someone repeat back to them exactly what they said. They get repeated back to them what I think you said, or what I believe you're really trying to say, or, you know [multiple speakers], some paraphrase of that. Right?

Dave Bittner: Right. It's -- what I said was, but what you heard was --

Karen Worstell: Exactly.

Dave Bittner: Right? [laughter]

Karen Worstell: And that's the lost in translation [multiple speakers] piece. And that's where inclusion -- when we talk about inclusion, I think it all boils down to that process that says, actually, I value you in the way that you see the world, in the way that you think about things, in the way that you express them verbally -- or in any other expressive mode. Right? And I value that enough to try to step into that space and hear that. That's the fundamental thing. It's not about how many numbers did we make. You know, how many -- how much did we achieve? And in terms of demographics, that's an easy measurement. But it misses the point, in my opinion. So -- and I think whenever we have those metrics, metrics always drive behavior.

Dave Bittner: Yeah. Well, I'm also thinking about the person who has to report to their Board of Directors, who, I suspect, are probably not so receptive to something that they would -- they might consider touchy-feely-fuzzy --

Karen Worstell: Right.

Dave Bittner: -- kind of stuff.

Karen Worstell: The soft skills.

Dave Bittner: Right. What does this have to do with making money? [laughing]

Karen Worstell: Right.

Dave Bittner: Right?

Karen Worstell: Well, you know, I think that's another -- this is just a, you know, really personal experience for me. But I realized that there is a profit -- you know, Wall Street-driven, Silicon Valley, VC-driven kind of environment -- is very head-oriented. Whenever we're talking about numbers. Right? Figures and numbers and statistics, we are in our heads. When I am needing to hear you, that's a heart-to-heart conversation. And those two things are kind of like oil and water, a little bit. And we haven't done a good job of figuring out -- I mean, there's a lot of people talking about it now. There's an MBA program that is sponsored by LinkedIn and Sounds True and New York University, and it is focused on trying to merge those two things together. So yes, you can be the balance-sheet person. You can be the, you know, the statistics and the metrics person. You can also be heart-centered at the same time.

Dave Bittner: That's Karen Worstell from VMware.

Dave Bittner: It is always my pleasure to welcome back to the show Deepen Desai. He is the Chief Information Security Officer and Head of Research at Zscaler. Deepen, it's great to see you face-to-face here at RSA.

Deepen Desai: It is great to see you as well, Dave. [laughter]

Dave Bittner: Before we dig into our topic at hand here, I just want to get your take on what you've seen so far at the show as you've been walking around. Are there -- have there been any themes or anything that stood out to you?

Deepen Desai: Yeah. The theme of RSA this time is LLM -- or you could say ChatGPT.

Dave Bittner: Yeah.

Deepen Desai: There have been some interesting talks. I've been listening to a few new folks as well. So supply chain security, public cloud security.

Dave Bittner: Right.

Deepen Desai: And then a lot of chatter around LLM and ChatGPT, both from how to harness the power of the innovation, and then also how to stay secure. Right? Use it in a way that you're not ending up on the wrong side.

Dave Bittner: Yeah. Yeah. Well, let's dig into a report that you and your colleagues at Zscaler recently published. This is digging into phishing here. What were some of the highlights from the report?

Deepen Desai: Yeah. So this is ThreatLabz' annual Phishing Report. We published it last week. And the focus was on all the phishing campaigns, attacks that the team discovered, tracked over 2022. And since we do this every year, we also obviously compare it to what we saw a year ago and how things have changed, evolved in terms of pure telemetry, in terms of tools, tactics, procedures that the bad guys are using. So there were a lot of interesting findings in this one as well. But at volumetric level, we saw about 47% growth in number of phishing attacks that were targeting more than enterprises.

Dave Bittner: Wow. It's -- so the growth continues to be kind of relentless.

Deepen Desai: Yes. I mean, look. Majority of the attacks in this threat landscape are multistage attacks. It's not -- you know, you get an email with malware, and it's done. Right? They try to start with phishing, they fool the end-user, use social engineering. At times, they will use a zero-day exploit. They gain persistence. Then they do the stage two, stage three, and the final malware.

Dave Bittner: You know, you mentioned LLMs at the beginning of our conversation, and I think there's been a lot of speculation that we'd see that contribute to the phishing problem. Are we seeing that yet? Did the report dig into that? Or is it still early days?

Deepen Desai: Probably the next one will dig into it a lot more in detail. But there were a couple campaigns that we saw -- not necessarily attributed to LLM, but machine learning and automation in general. The one I'll call out is where they were -- and you could even call out deepfake technology being used. Right? Where it's a business email compromise campaign where they would call the victim with the voice that is exactly -- I mean, it's identical to your CEO or your -- one of your executive staff. Hey, this is Deepen Desai. And then, it just cuts off. And then, they follow it up with SMS messages. So it's a combination of smishing and vishing but they're using your voice, which is generated by automation.

Dave Bittner: I see.

Deepen Desai: And the victim -- I mean, if you would just receive a text message. Hey, this is Deepen Desai. Can you wire me, or can you do this or do X or Y? You would call me back. You wouldn't believe me. But if I were to call you and leave this message. Right? Or talk to you, and then suddenly the call disconnects. And then I follow it up with a text message. It becomes more believable.

Dave Bittner: Yeah --

Deepen Desai: And then [multiple speakers] --

Dave Bittner: -- absolutely. Hey, I'm having trouble with my phone, but I need you to take care of this for me.

Deepen Desai: Exactly.

Dave Bittner: Oh. [multiple speakers] Fascinating.

Deepen Desai: That's what we saw in business email compromise case. And then the other concerning trend was [inaudible] attacks. In fact, I have a talk tomorrow morning at RSA.

Dave Bittner: Yeah.

Deepen Desai: Right? Where I'll be presenting on all the attacks, different ways in which they are bypassing MFA -- conventional MFA.

Dave Bittner: Okay.

Deepen Desai: So back in the day, we would always say, hey, user password is not enough. You need to have MFA. Last year, or maybe last couple of years, we've been hearing SMS-based MFA is a big no-no. Now what we're seeing is even the app-based MFA, where you have an app like Google Authenticator running on your cell phone -- that's not enough --

Dave Bittner: Really?

Deepen Desai: -- because bad guys are able to evade that as well because they will literally man-in-the-middle you, gain the auth token, and then establish persistence. And we've seen multiple attacks where this was successfully leveraged --

Dave Bittner: Wow.

Deepen Desai: -- by bad guys.

Dave Bittner: Where do you think we're headed there? I mean, based on the information that you've gathered, what are the trending lines that you're tracking?

Deepen Desai: Yeah. So the trend actually started last year itself. In our report, we called out phishing as a service on the rise, and there is a combination of open source. There's something called OpenPhish. There are multiple phishing kits. Some of them are open source, some of them are being modded and managed by the bad guys. In fact, my team actually took one of the open-source kits. We spent just an hour on that, and we were able to bypass all the security mechanisms that majority of these cloud providers have. When I say cloud providers, I'm talking about [inaudible], AWS, where you host those phishing pages. So they're not able to detect it. They're not able to detect the infrastructure that these kits allow cybercriminals to launch these phishing campaigns at scale. So again, coming back to your question. The direction in which this is headed is more and more automation. Right? There will be usage of LLM, whether we like it or not. It's able to write beautiful poems --

Dave Bittner: Right.

Deepen Desai: -- paragraphs. Right? It could -- you could ask it to write in a different language. So now you could have localized phishing campaigns as well where it's written perfectly. There are no mistakes. So that's another thing that we will have to keep an eye out for in terms of defending. And then, finally, the major trend -- why these attacks lead to an org-wide breach, it again comes back to having, you know, the flat network problem. Many of the companies are in their zero-trust transformation journey, but they are at different stages. So the question that I would encourage all of you guys to always ask when you're planning your security strategy is, if my laptop or if one of my end users' laptops were to get compromised, what is my blast radius? What all things can the bad guy get to using that compromised asset? And if the answer is, all the other machines, all the applications, then that's not a zero-trust implementation.

Dave Bittner: Right.

Deepen Desai: You've got some work to do. [laughter]

Dave Bittner: Absolutely.

Deepen Desai: Yeah.

Dave Bittner: All right. Well, always a pleasure, Deepen Desai. Thank you so much for joining us.

Deepen Desai: Thank you.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law-enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Ryan Robinson from Intezer to discuss his team's work on phishing campaigns targeting Chinese nuclear energy industries. That's "Research Saturday." Do check it out. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester with original music by Elliot Peltzman. The show was written by John Petrik. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.