The CyberWire Daily Podcast 9.6.23
Ep 1900 | 9.6.23

Agent Tesla still hits unpatched systems. Hot wallet hacks. AI and DevSecOps. Notes on Fancy Bear and NoName057(16). And some curious trends in the cyber labor market.

Transcript

Dave Bittner: There's a new Agent Tesla variant. Lost credentials and crypto wallet hacks. Tension between DevSecOps and AI. Fancy Bear makes an attempt on Ukrainian energy infrastructure. A look at NoName057(16). Tim Starks from the Washington Post's Cybersecurity 202. Simone Petrella and Helen Patton discuss people as a security first principle. And cybersecurity jobs seem to be getting tougher.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel Briefing for Wednesday, September 6, 2023.

A new Agent Tesla variant is out.

Dave Bittner: Fortinet describes a new variant of the Agent Tesla remote access Trojan that’s being distributed via malicious Excel documents. The attackers exploit a pair of long-patched CVE vulnerabilities in Excel to execute the malware.

Dave Bittner: It’s another case in which failure to patch leaves the door wide open to attackers. As Fortinet notes, “Despite fixes for CVE-2017-11882/CVE-2018-0802 being released by Microsoft in November 2017 and January 2018, this vulnerability remains popular amongst threat actors, suggesting there are still unpatched devices in the wild, even after over five years. We are observing and mitigating 3000 attacks per day, at the IPS level. The number of observed vulnerable devices is around 1300 per day.”

Lost credentials and crypto wallet hacks.

Dave Bittner: Cryptocurrency casino Stake.com has disclosed that hackers have stolen $41 million from its Ethereum, Binance Smart Chain (BSC), and Polygon hot wallets. BleepingComputer quotes the casino’s statement about the incident: “We are investigating and will get the wallets up as soon as they’re completely re-secured. User funds are safe. BTC, LTC, XRP, EOS, TRX + all other wallets remain fully operational.”

Dave Bittner: While Stake didn’t explain how the intrusion and theft occurred, it’s not the only cryptocurrency operation to sustain a loss, and some of the other cases may be instructive. KrebsOnSecurity reports that another set of cryptocurrency thefts may be tied to the November 2022 breach of LastPass. Krebs cites Taylor Monahan, founder and CEO of MetaMask, who’s found that a total of $35 million worth of cryptocurrency has been stolen from more than 150 individuals since December 2022. According to Monahan, the victims aren’t newbies or naifs. He said, “The victim profile remains the most striking thing. They truly all are reasonably secure. They are also deeply integrated into this ecosystem, [including] employees of reputable crypto orgs, VCs [venture capitalists], people who built DeFi protocols, deploy contracts, run full nodes.” Monahan and other researchers suspect that the hacks are due to attackers gradually cracking the leaked LastPass vaults.

Tension between DevSecOps and AI.

Dave Bittner: GitLab has published a report looking at the state of AI in software development, finding that “83% of those surveyed said that implementing AI in their software development processes is essential to avoid falling behind, however 79% noted they are concerned about AI tools having access to private information or intellectual property.” Additionally, 90% of respondents said they’re already using or plan to use AI for software development, though 81% said they need more training with AI tools.

Fancy Bear makes an attempt on Ukrainian energy infrastructure.

Dave Bittner: Turning to developments in Russia’s hybrid war against Ukraine, CERT-UA reported Monday that the GRU's APT28, Fancy Bear, has attempted to compromise an unspecified energy facility with a phishing campaign that carries a malicious payload in a zip file (said to contain links to photos) attached to an email. If the attachment is opened, the victim is open to remote code execution.

Dave Bittner: The phishing email is unusual, the Record points out, in that the phishbait it dangles is gaudier than the stodgy and sober come-ons that have characterized much Russian phishing of Ukrainian targets. The text of the email often reads like this: “Hi! I talked to three girls, and they agreed. Their photos are in the archive; I suggest checking them out on the website.” Should the recipients incautiously do so, they'll be taken to some apparently innocent websites where the malware will be served up piping hot. CERT-UA says an alert user tipped them off to the phishing before any substantial damage was (apparently) done.

A look at NoName057(16).

Dave Bittner: The Record has published a report on the Russian hacktivist auxiliary, NoName057(16). Like other such auxiliaries, they've specialized in distributed denial-of-service (DDoS) attacks, most recently against financial institutions in Poland and Czechia. 

Dave Bittner: Compared to its peers, however, the Record finds NoName057(16) more disciplined, selecting targets and studying their vulnerabilities before initiating the attack. The group also doesn't rely on widely traded commodity malware, preferring to rely on its own bespoke tool, DDoSia. 

Dave Bittner: The group lacks a public face analogous to KillNet's noisy (yet still mysterious) figurehead KillMilk. Who funds NoName057(16) remains unclear. It obviously acts in the Russian interest, with a preference for NATO targets, but there haven't been, according to the Record, any obvious signs of money flowing to the group from the Russian government.

Cybersecurity jobs seem to be getting tougher (say the people who are doing them).

Dave Bittner: And, finally, there are some curious cross-currents in the cybersecurity labor market.

Dave Bittner: The first of these has been much talked about: a general shortage of cybersecurity workers. TechTarget’s Enterprise Strategy Group (ESG) and the Information Systems Security Association (ISSA) have published research looking at the cybersecurity workforce, finding that the majority of cybersecurity workers said their jobs have grown more difficult over the past two years. The problems about two-thirds of those surveyed report are both internal and external to their organizations. Externally, a more challenging set of threats and more onerous regulatory regimes have made the job tougher. Internally, workers say staffing shortages, tight budgets, and workload complexity have combined to increase the burdens at work and have made their careers more difficult.

Dave Bittner: 71% of organizations say they've been affected by a shortage of workers with cybersecurity skills, and that, the report says, represents "a dramatic increase from 57% in the last study." The labor shortage has increased cybersecurity team workloads and contributed to a high rate of staff burnout. Organizations say that they have the most difficulty finding people qualified to work in application security, cloud security, and security analysis and investigations.

Dave Bittner: Industry has long deplored cybersecurity labor shortages, so this study amplifies a familiar complaint. It's interesting, however, to see the tension between such reports of a tight labor market and a more recent trend toward layoffs by cybersecurity firms. This second trend is less often remarked.

Dave Bittner: Cybersecuritynews reports that data from Layoffs.fyi show that "at least 46 cybersecurity companies have laid off 4738 employees since the start of 2023." And those numbers are probably low, since not all companies are required to report layoffs and therefore many do not. Many of the layoffs followed mergers or acquisitions, and therefore are unlikely to be composed entirely of cybersecurity specialists (staff teams like marketing and HR, for example, are notoriously vulnerable to cuts after M&A as the combined organizations eliminate redundancies and look for economies of scale). But a significant fraction do affect cybersecurity workers proper.

Dave Bittner: That these two trends seem to be in simultaneous progress is curious. It suggests that there are inefficiencies and irrationalities in a labor market that has yet to fully mature.

Dave Bittner: Coming up after the break, Tim Starks from the Washington Post Cybersecurity 202. Simone Petrella and Helen Patton discuss people as a security first principle. Stay with us. There's a generally accepted principle in business that your organization is only as good as your people. Hiring the right people, training them, keeping them up to date and investing in them are all critical to establishing and maintaining an effective and fulfilling workplace culture. Helen Patton is Chief Information Security Officer for Cisco's security business group, and author of the book Navigating the Cybersecurity Career Path. As part of a series of segments we call Solution Spotlight, our own N2K President, Simone Petrella, sat down with Helen Patton. Here's their conversation.

Simone Petrella: Helen, we've had some great conversations in the past and one of the things that I think we connected on immediately is our mutual belief that successful business outcomes are not possible without good people and a strategy to have good people. What in your own career path solidified this notion for you?

Helen Patton: Well, I think we've all had experiences where you join an organization and you join to do a specific role. You're very excited about the job that you're, you know, that you're joining for. And then you realize that you actually have to do this work in a community of people. And sometimes you luck out and the community of people think like you do and share your values and work the way that you want them to. And sometimes they don't. And sometimes you're part of a team where your immediate team thinks like you do. And this happens in security a lot. We have this sort of little bubble of people and they all think the same way and everyone feels great. But we're completely alienated from the rest of the organization who cares about different things and prioritizes things differently. And so, in my own career, I've experienced all of these kinds of variations on this theme. And I really got to the point of saying, if you're going to be a leader of security, you have to control that. Now, you can't control people. And I get that. But you can have very intentional strategies around it. And, of course, I remember the lessons that were the difficult lessons most easily, unfortunately. But I've also been really fortunate to network with people who've got really great ideas. And so I am all about liberally stealing somebody else's good idea and applying it if I can do that.

Simone Petrella: You actually wrote a book on this topic. And it was released in late 2021, just as we were all just kind of sitting at home, really learning a brave new world. But tell us a little bit about the book, and what inspired you to write about it in the first place?

Helen Patton: Well, so I had always thought that in my own career, I would either end up doing a Ph.D., or I would end up writing a book. And I hit this point where I had a fork in the road, which one am I going to do? And I couldn't work out how to do a Ph.D. and stay a full time working adult. And so I decided to write the book. So that was that. And then the question was, what do you write a book about? Well, at the time, I was the CISO at The Ohio State University. And when you are there, you're always getting asked for career advice. You get asked for career advice from people, from the students who are trying to hack into cyber for the very first time. But I also would be asked to talk to people who are already in security. But they were dealing with some issue. How do I deal with being a woman in security? And I found myself being invited for coffee, to talk about these things. And what I was finding was, one, I didn't have enough tolerance for caffeine that I could meet with as many people as I wanted to. And two, the answers were mostly the same, right? Like you, certainly everyone's an individual. I get it. But from an advice perspective, you tend to start from the same point. So when I was thinking about what I want to write a book about, I was thinking, maybe if I wrote this down, and my answers down, I could mentor at scale.

Simone Petrella: One of the sections that has stood out most to me in our conversations as well, though, is the final section. You have it divided into three parts. And there's a lot that's geared towards the individual, but there's also a whole section on leading, for those who are starting to lead in cybersecurity. And a lot of the elements that you discuss are what goes into building and communicating a strong business case for a security program. It includes things like having a security strategy and building a diverse team, how to fund that strategy, how do you talk security to a non-security audience? I'm actually curious, before we even get into kind of what should people do: what are some of the things you see today that security leaders make as mistakes, that stand in their way and prevent them from having these principles widely adopted in their organizations?

Helen Patton: That question is, like, a whole thesis all on its own. There's lots. I think the first thing I would say to answer that question is that security, as a professional discipline, tends to be everywhere in our business. You know, we tend to sit in technology. And we might originate from technology, but we find ourselves working with legal or finance or HR or sales or development, whatever. We tend to be everywhere. And the tendency of a cybersecurity leader who isn't as mature is to try and be all things to all people. And it's really easy in the security space to find a reason where you should be involved in everybody's business, and at some point you burn out. So being able to be clear on what kind of security person are you? Are you more of a risk management kind of person? Are you a technologist who runs cybersecurity technology? Are you somewhere in the middle? Do you come from a privacy background? Like, understanding the kind of security person you are. I think the second thing is then knowing where your boundaries are, which I know is related. But there are some things you can control. And there are some things you can't. And I think, being intentional about what you can do about the things you can control. Great, that goes into your strategy. That's where you spend your time. But being able to say, you know, this thing over here, the way this leader thinks, or the fact that I haven't got money right now, these things I can't control. So being able to then let that go gracefully, or being able to then have a reactive strategy to that, is really important as well. So those would be the first two places I would start.

Simone Petrella: Well, and you know, the old adage goes, you're only -- you only are as successful as the people that are around you. And that includes the team you built underneath you. But if we don't have the right team, it's going to actually contribute to that burnout.

Helen Patton: Yeah, for sure. This usually first comes up when people are thinking, do I stay an individual contributor? Or do I become a people manager? And so they're learning on the job. If they have any accountability, they realize that their failures as a manager have direct implications for the success and happiness of the people who are on their team. And some people go, yay, I love this responsibility, and they rise to the challenge. And other people go, hell no. I didn't sign up for this. So, you know, understanding what it takes in terms of coaching and mentoring, there's a lot of parenting overlap, actually, that goes into people managers, right? Often, as a manager, you don't feel like you've got a lot of time. So it's a big balance. It's a challenge.

Simone Petrella: The last question I have for you is, once you apply all those principles, or if you do apply all those principles, how do you measure whether the things that you're putting in place, or those strategies are having the impact on the business or they're successful the way that you want them to be?

Helen Patton: There is no magic metric. I know there's mean time to detect and mean time to repair, and there's all those things. But I think whether or not you're successful is very contextual to the organization you're in. I think, sometimes the measurement of success isn't a security metric. It should be. There's got to be something in that balanced scorecard that is a security metric. But it might be something, like, the turnover rate of your employees. What's your voluntary turnover rate in your team? If it's super high, you're probably getting something wrong, right? Maybe if you're trying to do cultural change in the organization, you're going to measure the engagement of the non-security employees at your company with your security team. So there isn't one metric, but for me internally within my own team, I am looking for engagement. You can spend your whole life trying to get the right metric and never find it.

Simone Petrella: Well, just goes to prove that it's a, you know, a hard problem and one that can't be solved overnight. As you said, there's no magic wand. Well, Helen, thank you so much for joining me today. And for those who are looking for an opportunity to read more on the topic, but Helen will still potentially get a cup of coffee with you, the name of the book is Navigating the Cybersecurity Career Path by Helen Patton. Helen, thank you so much.

Helen Patton: Thank you for having me.

Dave Bittner: That's Helen Patton, Chief Information Security Officer for Cisco Security Business Group, and author of the book Navigating the Cybersecurity Career Path. She spoke with our own N2K President, Simone Petrella. And it is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 with the Washington Post. Tim, great to have you back.

Tim Starks: Dave, Dave, Dave.

Dave Bittner: A couple of interesting stories that you have shared on the 202 in the past couple of days. First of all, a bit of a scoop here. You had the story of Mudge coming back to public service. What's going on here, Tim?

Tim Starks: Yes, the famed hacker known as Mudge, Peiter Zatko. Either name seems suitable to me. He has decided to join CISA as a technical adviser. His real job will be to be a part-time person focusing on their Secure by Design Initiative. That's the thing they've been working on, to try to get software makers to put cybersecurity into the product as they're developing it. Not just tacking it on at the end or making it a constant source of updates. So pretty big scoop for them. You know, in terms of the hire, a scoop for me, a scoop for them. The hire is a high-profile one. He is a person who has significant credibility in our community, and is coming off of being an employee who may be, you know, people would be scared to hire, given the fallout that he had with Twitter as the big whistleblower of their security problems. Then when he was their security chief, he left. Felt it was a valid complaint with a number of federal agencies. And so a bold hire a little bit too, you know, in terms of, you know, he's gonna be a truth teller. You know, he's going to be a truth teller, perhaps at your expense. So, interesting development.

Dave Bittner: Right. Yeah. I raised my eyebrows a little bit at the fact that he's part time. Just, is there such a thing in that position, right? Other than in name only. I can imagine that he'll be short on hours.

Tim Starks: Yeah. You know, CISA's done this kind of thing before. I think they might have been with Josh Corman, where they've had people come in as these kinds of outside advisors, help them in these roles, and then move on not long after. So I don't know how long he's gonna be sticking around. He obviously had been showing some interest in staying in industry, you know, working with Rapid7 after Twitter. So it might be a sort of thing where they had an opportunity to snag him for a bit and they're taking advantage of the moment.

Dave Bittner: Yeah. You recently spent time at the Billington Cybersecurity Summit. And you wrote about some comments from General Paul Nakasone. Share with us that story.

Tim Starks: Yeah. So those of us who have covered General Nakasone for a long time are probably well aware of how cautious he can seem when he's speaking publicly. He definitely wants to stay on track on what he's trying to say. This one felt a little bit more reflective for him. He's been running Cyber Command. He's been running NSA since 2018. And he was due to leave this year, but has been stuck in a Senate kerfuffle. That is not of his making, that is of a general dispute over the military and abortion. So he's a little bit stuck in the role waiting to leave the role. And maybe that's -- that made him feel more reflective, the fact that he was revisiting a speech that he'd given five years ago at Billington itself. But he talked a good deal about how different things are now compared to where they were in 2018. And talking about not just the threat picture from 2018 to now, but also the way the government has changed. And also talked a bit about where he thinks things are going, the things he has been working on as he's departing, and where he's looking at the future of those two agencies.

Dave Bittner: Some interesting comments about Russia and China and our relationship with those two in the cyber realm. What did he say there?

Tim Starks: Yeah. So one of the things we've heard a lot from top cyber officials these days is that China is this generation, you know, this era-defining cyber threat. Where I think he took it a little further than what we've heard from some other officials is that I think he referred to it as a pacing threat, and also talked about it being something that we're going to be having, I think he said, our children, our children's children are going to be dealing with as the main competitive threat. Not just talking about it in the cyber context, but certainly including that cyber context. That was taking it a little further and saying that this is going to be a really long-term problem for the United States and cyber, and then talking about Russia as an acute threat. One that they're dealing with, you know, on a more piecemeal basis, probably perhaps a more urgent basis, in certain ways. A little chance for him to brag a little bit about the way they feel as though they've been able to counter Russia's information operations in Ukraine just by speaking them aloud, just by talking about them, talking about the existence of them, and making it so that Russia feels like they're on the back foot.

Dave Bittner: And then quickly, you covered the story here about Verizon agreeing to a $4 million settlement with some allegations of coming up short in some government contracting?

Tim Starks: Yeah, kind of a late breaking story. The other night, when I first read it, I thought it said $4,000, and I was, like, that's not much of a fight for Verizon. I think that'd be just fine.

Dave Bittner: That's the money they find in the couch cushions.

Tim Starks: Right. Yeah. So, yeah, $4 million fine for not following some required cybersecurity standards. And we'll see. We'll see how much of a dent that puts into the mix though. I don't know if -- I actually don't know how much of a difference four million is for Verizon compared to 4,000. But, you know, it's interesting. I'm making a joke, but it's interesting to see a company of that size being held to account. I think it's a reflection of this administration's desire to put people on notice that not following these subsequent standards is going to cost you.

Dave Bittner: Yeah. And I found it interesting that, you know, both sides of this sort of threading the needle of Verizon saying that we're not really acknowledging we did anything wrong and the government saying we're not acknowledging that you didn't not do anything wrong.

Tim Starks: There's a weird sort of dance that happens with these kinds of settlements and agreements. You know, we see them more often with the FTC saying, we think you did this. But here's the settlement, and then, you know, a sort of vaguely worded non apology that says we did. Maybe we did it, maybe we didn't.

Dave Bittner: Yeah.

Tim Starks: It's fairly standard in that regard.

Dave Bittner: Yeah. Interesting. Sort of regulatory shot across the bow, I suppose.

Tim Starks: Yeah. A little bit, maybe a little bit rare to see it on the Justice Department site though.

Dave Bittner: All right. Well, Tim Starks is the author of the Cybersecurity 202 at the Washington Post. Tim, thanks so much for joining us.

Tim Starks: Yeah. Thank you.

Dave Bittner: And that's the "CyberWire." For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Erman [assumed spelling] and Senior Producer Jennifer Eiben. Our mixer is Trey Hester with Original Music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Selected reading.

New Agent Tesla Variant Being Spread by Crafted Excel Document (Fortinet Blog) 

World's Largest Cryptocurrency Casino Stake Hacked for $41 Million (Hackread) 

Crypto casino Stake.com loses $41 million to hot wallet hackers (BleepingComputer) 

Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (KrebsOnSecurity) 

Global DevSecOps Report on AI Shows Cybersecurity and Privacy Concerns Create an Adoption Dilemma (GitLab)

APT28 cyberattack: msedge as a bootloader, TOR and mockbin.org/website.hook services as a control center (CERT-UA#7469) (CERT-UA)

Ukraine's CERT Thwarts APT28's Cyberattack on Critical Energy Infrastructure (The Hacker News)

Ukraine says an energy facility disrupted a Fancy Bear intrusion (Record)

What's in a NoName? Researchers see a lone-wolf DDoS group (Record) 

New Research from TechTarget’s Enterprise Strategy Group and the ISSA Reveals Continuous Struggles within Cybersecurity Professional Workforce - ISSA International (ISSA International) 

Life and Times 2023 Download Landing Page (ISSA International) 

E-book: The Life and Times of Cybersecurity Professionals Volume VI (ESG Global) 

Layoffs list extended by Malwarebytes, Fortinet, Veriff, SecureWorks (Cybernews)