The CyberWire Daily Podcast 8.17.23
Ep 1887 | 8.17.23

A seemingly legitimate but actually bogus host for a proxy botnet. PowerShell Gallery vulnerabilities. Cyber incident at Clorox. Scamming would-be beta-testers. Cyber updates from Russia’s hybrid war.

Transcript

Dave Bittner: Building a proxy botnet. Active flaws in PowerShell Gallery. A cyber incident disrupts Clorox. Scams lure would-be mobile beta-testers. Lessons learned from the Russian cyberattack on Viasat. An update on cyber threats to Starlink. Robert M. Lee from Dragos shares his thoughts on the waves of layoffs that have gone through the industry. Steve Leeper of Datadobi explains mitigating risks associated with illegal data on your network. And hey, world leader: it’s never too late to stop manifesting a chronic cranio-urological condition, as they more-or-less say in the Quantum Realm.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, August 17th, 2023.

Building a proxy botnet.

Dave Bittner: AT&T Alien Labs has discovered a botnet comprising more than 400,000 proxy exit nodes. The attackers are using a seemingly legitimate company to host the proxies: “Alien Labs identified a company that offers proxy services, wherein proxy requests are rerouted through compromised systems that have been transformed into residential exit nodes due to malware infiltration. Although the proxy website claims that its exit nodes come only from users who have been informed and agreed to the use of their device, Alien Labs has evidence that malware writers are installing the proxy silently in infected systems. In addition, as the proxy application is signed, it has no anti-virus detection, going under the radar of security companies.”

Dave Bittner: The malware is distributed via social engineering, often posing as cracked software or games. BleepingComputer wisely notes that users should “avoid downloading pirated software and running executables sourced from dubious locations like peer-to-peer networks or sites offering premium software free of charge.”

Active flaws in PowerShell Gallery.

Dave Bittner: Aqua Security warns that threat actors can spoof package names in the PowerShell Gallery package repository: “PowerShell Gallery modules are commonly used as part of the cloud deployment process, especially popular around AWS and Azure, to interact with and manage cloud resources. Therefore, the installation of a malicious module could be fatal to organizations. Moreover, attackers can exploit another flaw, allowing them to discover unlisted packages and uncover deleted secrets within the registry, which users attempt to hide by unlisting their packages.”

Dave Bittner: The researchers reported the flaws to the Microsoft Security Response Center, and Microsoft says it’s working on fixes. As of August 2023, however, the flaws remain exploitable.

Cyber incident disrupts Clorox.

Dave Bittner: Cleaning product company Clorox disclosed that it sustained a cyber incident that forced it to take certain systems offline, the Record reports. The company stated in an 8-K filing, “To the extent possible, and in line with its business continuity plans, Clorox has implemented workarounds for certain offline operations in order to continue servicing its customers.” The company is coordinating with law enforcement, and has hired a cybersecurity firm to assist with the recovery.

Dave Bittner: While the company didn’t specify the nature of the incident, Infosecurity Magazine quotes Jordan Schroeder, managing CISO at Barrier Networks, as saying the incident response suggests that it may have been a ransomware attack.

Scams lure would-be mobile beta-testers.

Dave Bittner: The US Federal Bureau of Investigation (FBI) warns that cybercriminals are spreading malicious mobile beta-testing apps. The apps purport to belong to popular cryptocurrency exchanges, and offer users large payouts if they invest in the currency. The funds are instead sent directly to the attackers. The criminals are distributing the malicious apps via messages on dating and networking sites.

Dave Bittner: The FBI says users should “not send payment to someone you have only spoken to online, even if you believe you have established a relationship with the individual.”

Lessons learned from the Russian cyberattack on Viasat.

Dave Bittner: CSO Online has an account of the lessons in incident response learned when Russian cyber operators disrupted Viasat service in Ukraine during the opening hours of Russia's invasion in February of 2022. Viasat and NSA offered their analyses of the incident at Black Hat and Defcon. Early on February 24th, 2022, as Russian forces were preparing to cross their lines of departure, a well-timed wiper attack disrupted Viasat's KA-band satellite communications, shutting down thousands of ground-based modems.

Dave Bittner: The attack began with reconnaissance, and then, around midnight, successful access to Viasat’s FTP server, "a part of the infrastructure that delivers new software or updates to the modems." The attackers "dropped a wiper binary along with scripts to enumerate the network, interrogate it, and report back the status after the scripts completed execution." Over roughly three hours, the Russian operators installed the wiper on the targeted terminals and wiped the flash memory of the modems. When rebooted, the modems "became inoperable." Viasat lost between 40,000 and 45,000 modems. The initial wiper attack was followed by a distributed denial-of-service attack, which complicated recovery.

Dave Bittner: Viasat identified several lessons it drew from the experience. First, incident response is a vital security capability. Second, information sharing is both complicated and vital. And, third, it's important to have a sound baseline understanding of what normal operations look like, the better to recognize anomalies. One mystery endures: how did the Russians obtain the credentials they used to gain access to Viasat's FTP server? Investigation seems to have ruled out both brute-forcing and a zero-day exploit. An insider threat has not been ruled out.

Dave Bittner: The initial wiper attack stands out as a Russian success in a record of offensive cyber action that, for the most part, has been mediocre, falling far short of prewar expectations. The cyberattack against Viasat was well-planned and effectively executed. It was timed to maximize its combat support effect. And it served a traditional electronic warfare role, jamming the enemy's communications at a crucial phase of the operation.

Update on cyber threats to Starlink.

Dave Bittner: The Viasat incident is by now of course history, but other satellite communication services remain potential targets of cyberattack.

Dave Bittner: The Telegraph reported Saturday that Ukraine's State Security Service (SBU) has claimed that Russia's GRU is attempting to deploy malware against the Starlink satellite communications system with a view to collecting data on Ukrainian troop movements. The Debrief provided an update on Wednesday, quoting an SBU report to the effect that the GRU operation represented “large-scale cyber attacks to obtain unauthorized access to Android devices possessed by Ukrainian military personnel for planning and performing combat missions.” The SBU has found ten malware strains in the campaign, including one infostealer whose "functional purpose is to gather data from the Starlink satellite system.” This campaign, it’s important to note, represents collection, and not an attempt at disruption. It's espionage, not sabotage.

Disgruntled currency speculator? Unhappy importer-exporter?

Dave Bittner: And, finally, the ruble's recent sanctions-induced slide against the dollar, the euro, and other foreign currencies is a matter of some dissatisfaction in Russia. The government is working to stabilize its money, and has for now decided against imposing a freeze on currency trading or related speculation, Radio Free Europe | Radio Liberty reports.

Dave Bittner: One disgruntled citizen (apparently a citizen, although other hackers can't necessarily be ruled out) hacked a big outdoor news ticker in the Siberian oil town of Surgut [sir-GOOT] to display the message, "Putin is a d*ckh*ad and a thief. 100 rubles to the dollar – you've lost your f*cking mind." Video of the crawler is provided by the Financial Times Moscow Bureau Chief in a tweet.

Dave Bittner: "D*ckh*ad," which we won’t actually say, because we’re a family show, and it’s not the sort of word one wants the children to pick up, “D*ckh*ad,” we say, isn't a literal translation of the demotic argot that appears in the message, but it's close enough in perlocutionary force for government work. We’ll just gloss “D*ckh*ad” as “allegedly manifesting a chronic cranio-urological condition,” and let it go at that. There, Surgut: fixed it for you.

Dave Bittner: Coming up after the break, Robert M. Lee from Dragos shares his thoughts on the waves of layoffs that have gone through the industry. Steve Leeper of Datadobi explains mitigating risks associated with illegal data on your network. Stay with us.

Dave Bittner: We talk a lot about the importance of taking inventory of the devices on your network, but what about the data itself? In these days of abundant, inexpensive online storage, it's easy for employees to adopt a pack rat behavior with their data, hanging on to stuff just because they can. Not to mention stuff that probably shouldn't be on your network to begin with. Steve Leeper is VP and Product Marketing Manager at Datadobi. And I checked in with him for insights on managing unstructured data and avoiding trouble.

Steve Leeper: Effectively what - you know, when we say "illegal data," what we're describing is fundamentally data that you do not want on your corporate system. And that falls into a number of different categories. So, you have governance risk and compliance groups, so the GRC groups that are providing the guidelines for how data is collected, how it's stored, how it's used, how long it's retained, you know, things of that nature. And those guidelines are going to stipulate certain types of data that you want to keep, and then certain types of data that you do not want on your systems. Right? And that's going to vary from organization to organization. When it gets into, you know, truly illegal data, that can happen. And we've discovered this at some of our customer sites, you know, where copyrighted material has shown up embedded on corporate file systems, you know, in the form of BitTorrents, so music, motion pictures, you know, with - that are in torrent files. You know, those are things that really have no reason to be on corporate file systems. There's, also, data that has what we call "alternate data streams." And think of that as just being a - embedding a file within another file. But it can be very sneaky because you could have a text file that has an executable embedded in it and, on the surface, you would never know that. Right? And, so, those kinds of things you may want to know about because that's data that you don't necessarily want. There's valid uses for that, but there's also nefarious uses as well with those data streams. And then some other things about orphan data, which is data that doesn't have any valid business owner. That may be data that you don't necessarily want on your systems anymore, especially if you've divested of a cor - of another entity or a subsidiary, you may not want that data on your systems anymore. You may be obligated to remove it. 
And then, finally, there's aging data as well, which is - a couple categories of that is just data that gets old over time because people don't access it. It's, you know, used a lot in the beginning and then it cools off. But then you also have worm data, so "write once, read many" datasets. And those you find in regulated environments for - you know, for example, in financial services, you know, they're required to keep - maintain records according to SEC 17a-4(f) guidelines. And, so, they have to maintain compliance with that. But sometimes they keep the data longer than they need to and that can generate some exposure. So, when we say "illegal data," there's a lot of little components that build that up and can introduce risk into an organization.

Dave Bittner: You know, it strikes me that in today's era where storage is basically free that it's easy to become a pack rat. You know, there's - there isn't a whole lot of pressure either from corporate or the providers to go through and be cleaning things out. Your data buckets tend not to fill up.

Steve Leeper: Yeah. And it's interesting that we're starting to see a change with that, because the cost to maintain this, it's not necessarily free, there's definitely a spectrum. Right? And, so, the - you can park some data in some storage classes, which are very, very inexpensive. But, yet, most of the data doesn't make its way into those. So, what organizations find is that they're just consuming more and more and more storage. Right? And it's getting untenable. So, they're actually starting to look at data minimization strategies. Right? And I don't really like that term that much because it sounds like - you know, with the tsunami of unstructured data that keeps collecting, it sounds like we're reversing the trend with data minimization. But that's really not the case. All you're doing is just kind of slowing the tide a little bit there. But minimizing the data has value in terms of there's operational efficiency aspects of that. You know, if you store less, then you're going to spend less, you know. But when you're talking about risk management, you know, data that's been removed, it can't be included in a breach, right, of your systems. It doesn't come into litigation discovery. It's data that doesn't have to be searched for Data Subject Access Requests, so DSARs. Like with GDPR, you can make a request to an organization to say, "I want to know what kind of data you have about me." Right? If data's been removed, you don't have to worry about that. It's kind of a similar thing with, like, the California Consumer Privacy Act, which, even outside of California, you have other states in the U.S. that are starting to look at some form of that. Right? This type of data and the minimization really impacts more of the risk management category versus - I mean, it has impact on cost efficiency, but risk management is where - is kind of the long pole in the tent.

Dave Bittner: What about when an individual leaves a company? You know, I think about, in the physical world, it's someone's responsibility to clean out their office or empty out their cubicle. Are we doing that on the data side as well?

Steve Leeper: You know, no, not really, not really. What usually ends up happening is, historically, the mantra for the storage teams at all of these organizations has been, "You keep all data forever." Right? And that included people that left the company. So, as an individual left an organization, their login would be disabled, but they would have their own private home directory where they could keep files and content that they had created. And that would never get cleaned up. Right? Not much would be done with that. In some cases, it would be held because, "Well, this person left our company, we're going to keep it for six months. If they come back, then we'll res - we'll just connect them right back up to it." Right? They'll just continue to use it with the thought being that after six months or nine months or some period, they would go ahead and remove that content. But the removing the content part never really happens. And, so, over time, you have more and more content that's been created by effectively no one as far as the organization goes because there's no one there anymore that owns that data. And you don't know what's in there.

Dave Bittner: And how do you recommend organizations get started here? I mean, I would imagine it - it's easy to feel overwhelmed.

Steve Leeper: Yeah. Well, the first thing an organization needs to do is just scan their entire environment. And that gives us a big inventory of everything that they have in the environment. And then what we do as part of that inventory process is we start to look for - or we do look for those pockets of orphan data. And we present that in the form of analytics to, you know, whoever's using the software so they can see, well, you've got x amount of data and you have y amount of orphan data as it turns out. Right? And we can break that down into either who the user was that's left the company or some of these unresolvable IDAs that there's no way to determine who actually owned that data in the first place. So, we can present that all to them. So it's a bit of a peel the onion exercise. But you first start off at the macro level with give me everything in the environment and then you start to look at that orphan data and drill down through there.

Dave Bittner: That's Steve Leeper from Datadobi.

Dave Bittner: And joining me once again is Robert M. Lee. He is the CEO at Dragos. Rob, as a CEO of a successful company, surely you have been tracking what we've been seeing across the industry here, which is waves of layoffs. And, indeed, Dragos itself has not been immune to this. I want to get your perspective as a leader as how do you approach this? What goes into the decision making to decide when it's time to consider something like layoffs?

Robert M. Lee: A bunch of companies do it in a bunch of different ways. And I would be remiss to try to speak for any of them. But how I view it, and kind of from my personal experience with it, number one, there's got to be a requirement. So, I remember stepping into the boardroom when COVID first started being obvious it was happening, and I was getting outside advice. And some board members and some are, "Oh, you've got to do a 40 percent layoff." And I was like, "Why?" "Well, everybody else is doing it. And you've got to prepare for the worst," blah, blah, blah. Like, no, that's - no. What's the requirement? "Well, we want the cash to be able to last until here because this is when we think the window's going to come back open for, like, venture capital or investment." I was like, "Okay, let me go validate that." And we ran the numbers and everything. And they were like, "Okay, we think it's a little different, but yeah, we need elastic here. So, we all agree as a board that this is the target." And we're like, "Yep, that's the target." And I was like, "Cool. Then I'm going to go figure out the answer." And I think too many CEOs are just like take the board and go, poof, let's do that. And it's like, "Nope. You are the one running the company, the management team is. The oversight is the board, but the management team is the one that's responsible in running it. So, I'm not just going to take a requirement of 'go cut 40 percent of your staff.' That's an outcome. I'm looking for the requirement." Well, their requirement was to make the money last till x. And, so, when COVID hit, we found that we actually needed to cut, like, five people I think it was, not 40 percent. And we could do cost saving measures in other ways. In this latest one, what we found was essentially everything changed and pretty quickly. Like, people - I think there's a lot of, like, easy - there's a lot of companies that do it poorly. 
And, so, then you throw all these companies in it together. And, like, the social media commentary that I've seen, even from people I very much respect, it just shows how very little they understand about running a business. And I don't mean to be, you know, snippy with that. But the commentary of, "Well, why couldn't they just do this? Or why couldn't they just do that? Or I can't" - well, it's because they were chasing growth at all cost. And it's like, "Dude, you listen to, like, one 'All-In' podcast and now you think you want it in every company out there."

Dave Bittner: It's easy to throw stones from the cheap seats. Right?

Robert M. Lee: It's super easy. So, what happened this time that made it so complex? There was warning signs of the economy, absolutely. And everybody saw that. And, last year or the year before, you saw Microsoft and Amazon, these, like, platinum-level companies doing layoffs because of what they were seeing. What they were seeing, though, is a lot of business-to-consumer, like, B-to-C, and the buying profile. And the consumers changed, so their business changed. And you can't predict that, no matter how much you want to claim, oh, you see it coming, you can't predict to what it is. You may know that something bad is coming, but you want to be precise when you're talking about people's careers and livelihoods. You don't want to cut 40 percent of your staff when you only need to cut 10 percent of your staff. Like, they're people. You can't treat them that way. So, anyways, what changed here was a lot of the pressures that, like, enterprise companies were facing was getting hit at a different time than what banks were facing. And, so, it seems like there's just been this consistent layoffs for two years. But it's been different sectors and different companies because they're getting hit - that market is getting hit at a different time. And, so, we came in, you know, to the year with our traditional growth projections that were actually pretty conservative based on every bit of data that we had and insights. And we have a certain cost basis or profile or cost profile for employees and everybody else to hit that number. And then when the fed - and, like, I'm not trying to put this off on the government, but, like, if you look at the charts of what's happened in the market, it's insane. And I really don't think most people understand just how crazy it was. Like, prior to - I mean, Guggenheim made a phenomenal slide on this. I - I'll - if you find it, you can always reference it later. 
But, basically, in the history of, like, these federal interest rate hikes, they would happen maybe a point, two points, three points, one time, like, four points over the course of, like, 36, 48, you know, months. What we ended up going through - and I don't - not the exact numbers, but directionally accurate. What we ended up going through was, like, a five-and-a-half-point hike in, like, a 12-month period. It never happened that it was this high of interest rates. And it would never happen that it was this fast. And that's going to have completely untold and unknown impacts in the economy. And what that manifested into was just, like, brakes getting hit on companies. And, so, when you walk in one day and you're projecting - let's - you know, I'm just using random numbers here, let's say you're projecting that you're going to look at 100 million in revenue and you're going to have, you know, 70 million cost basis to do so, and then you find out everything changed. None of the data you were working on for the last decade matters anymore. Everything changed. And it turns out you might get 60 million in revenue. You can't keep the 70 million cost basis. You've got to take cuts. And headcount is almost always the most expensive portion. So, as a leader, how I approached it was transparency. I showed every bit of the data to our employees as I showed to the board. I went through all the decisions that went in through it, talked about all the areas we cut besides headcount to just really make that the last effort, and said, "Look, here's where we're at. And you may not agree with the decision that I make, but you as shareholders, you as employees deserve to understand why I'm making that decision. So, here is all that goes into it. And then you keep it to yourself." And what I mean by that is I've seen, like, these CEOs go on, like, Twitter or, you know, LinkedIn or whatever and, like, "Here's my picture of me crying." 
And it's, like, it is always about the people you're letting go. Always. And, like, I will be the first to admit that, like, I cried like a baby every night after that happened. I mean, these are your teammates. And it was a rough period. But you know who has it rougher? The person that gets let go. So, focus on them, be transparent and everything will be the best it can be in a bad situation. The last thing I would say is I think there are companies who are massively inappropriate that did chase growth at all costs, and "we're going to go for 300 percent growth this year," and their employees paid the price. And I do think that was always inconsistent with the market data. Like, when your historical five-year average of multiples on a software-based company is like 15x, and you're chasing 38x or 50x or 100x, the floor's going to fall out at some point. But then there was a bunch of other companies that did the historical five-year of, "Hey, we got 15x and here's what we're rolling on and this is what we're trying to do," that it still then fell out below that. And I find it really disingenuous when people are coming out and saying, "Oh, these companies, we'll remember you and you did horrible things." I'm like, "Dude, like, the literal - like, we went through a global pandemic that we hadn't had since the Spanish flu on the back end of one of the biggest market crashes with the biggest fed rate hike ever. Have a little empathy that this stuff is hard." But that doesn't mean that the leaders executing it don't have to have as much, if not more, empathy and do everything they can to take care of their employees, even after they're let go.

Dave Bittner: What about this notion that layoffs are contagious?

Robert M. Lee: I do think there's probably some aspect of that, but I would hope not in any good company. But just go back to my COVID example where board members who sit on lots of boards, they go, "These other boards I'm doing are doing layoffs. Why aren't you doing layoffs?"

Dave Bittner: Right.

Robert M. Lee: And, so, it adds a contagion, if you will, of pressure on the management team to do that. But if a management team is doing that based on, like, a board recommendation, that's a very weak management team in my opinion. So, I think there's pressures, but there's no requirement to be like that. But I do know of companies and peers that did layoffs, "Well, it was - the prudent thing to do is cut deep and cut early." I'm like, "You're talking about people's lives." And, so, I take a lot of offense to that. But it does exist.

Dave Bittner: Yeah. All right. Well, Robert M. Lee is CEO at Dragos. Rob, thanks so much for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe. And I am Dave Bittner. Thanks for listening. We'll see you back here tomorrow.