Enter Sandman. A look at an initial access broker. Iran’s OilRig hits Israeli targets. Cyber ops and soft power. Update on casino ransomware attacks. Bermuda’s government sustains cyberattacks.

Dave Bittner: A new APT is found: enter Sandman. Tracking an initial access broker called Gold Melody. Iran’s OilRig group is active against Israeli targets. Cyber ops as an instrument of soft power. Recovery and investigation in the casino ransomware attacks. In our Solutions Spotlight, Simone Petrella speaks with MK Palmore from Google Cloud about talent retention and the cybersecurity skills gap. Our guest is Kristen Marquardt of Hakluyt with advice for cyber startups. And Bermuda points to Russian threat actors.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Friday, September 22nd, 2023.

Enter the Sandman.

<https://youtu.be/XZuM4zFg-60> That’s right: enter Sandman. Only in this case it’s not Metallica and it’s not walk-up music, and it’s not sleepytime. It’s an APT.

Dave Bittner: SentinelOne is tracking a new threat group it’s calling “Sandman,” and Sandman is  targeting telecommunication providers in the Middle East, Western Europe, and South Asia. The threat actor is using a backdoor called “LuaDream,” which SentinelOne says “indicates a well-executed, maintained, and actively developed project of a considerable scale.” Dreamy, right?

Dave Bittner: The researchers note, “At this time, we don’t have a consistent sense of attribution. LuaDream does not appear to be related to any known threat actors. While the development style is historically associated with a specific type of advanced threat actor, inconsistencies between the high-end development of the malware and poor segmentation practices lead us towards the possibility of a private contractor or mercenary group similar to Metador.”

Dave Bittner: But it is being called an APT, which suggests that, contractor or mercenary, some government is probably paying the bills.

Gold Melody: an initial access broker.

Dave Bittner: Secureworks has published a report on the financially motivated threat actor “Gold Melody,” which acts as an initial access broker for other cybercriminal groups. The threat actor “relies on web shells, built-in operating system utilities, and proprietary remote access trojans (RATs) and tunneling tools to facilitate its activity once inside a compromised environment.” 

Dave Bittner: The researchers add, “GOLD MELODY conducts a considerable amount of scanning to understand a victim's environment. Scanning begins shortly after gaining access but is repeated and continued throughout the intrusion. The group normally conducts this activity from the initially compromised server. GOLD MELODY sometimes uses the initially exploited vulnerability to conduct reconnaissance.”

OilRig active against Israeli targets.

Dave Bittner: ESET describes two campaigns the Iranian threat actor OilRig (also known as “APT34”) launched against Israeli organizations. The first campaign, “Outer Space,” occurred in 2021, and used a compromised Israeli human resources site as a command-and-control server for a “previously undocumented C#/.NET backdoor, Solar.”

Dave Bittner: The second campaign, “Juicy Mix,” was launched in 2022 and used a compromised Israeli job portal website as a command-and-control server for a new backdoor called “Mango.” Mango, which is a successor to the Solar backdoor, was used to target an Israeli healthcare organization.

Cyber ops in support of soft power.

Dave Bittner: SentinelOne yesterday announced the formation of the Undermonitored Regions Working Group, in an effort to “better manage the challenge of tracking state-aligned cyber activities in less monitored areas like Africa and Latin America.” The company stated, “[T]his effort calls upon established security researchers to join analytic capabilities, combine telemetry, resources, and local expertise, and promote a unified approach to analyzing cyber operations used to support soft power agendas in Africa and Latin America.”

Dave Bittner: In a blog post, SentinelOne outlined China’s cyber operations in Africa, which “conspicuously align with China’s broader soft power and technological agenda in the region, focusing on critical areas such as the telecommunication sector, financial institutions, and governmental bodies.”

Dave Bittner: Cyber operations have recently been thought of to a considerable extent in terms of combat support for kinetic war. It’s worth remembering that they can play a supporting role in soft power, too, supporting diplomacy through intelligence collection and influence operations.

Casino ransomware attacks: recovery and investigation.

Dave Bittner: MGM Resorts reported that customer-facing operations had returned to normal ten days after the casino operator sustained a ransomware attack. Cybernews reports, however, that employees complain of having to rely on manual backups as familiar automated systems remain imperfectly available. The employees themselves are also said to have expressed concern about the possible exposure of their own personal data in the incident.

Dave Bittner: Reuters describes Scattered Spider, the gang at the center of the recent ransomware attacks against casino operators, as careful in its research into potential victims, fluent in English, and relentless in its pursuit of its chosen targets. Its members are believed to be young, for the most part 17 to 22 years old, Okta thinks their activities show they've studied its product (perhaps even taken OKta online training). Mandiant says they've engaged in swatting (making bogus 911 calls reporting phony active threats designed to send police SWAT teams to innocent homes). 

Dave Bittner: And their motivation is complex, apparently at least as interested in cachet as they’re interested in cash. Mandiant founder Kevin Mandia said, "I don’t even think these intrusions are about money. I think they’re about power, influence and notoriety. That makes it harder to respond to." The frenzy of renown, the taste for influence, the desire to count coup motivates some youths to pick up a can of spray paint. Others sit down in front of a keyboard.

Apple patches three flaws.

Dave Bittner: Yesterday Apple issued patches for macOS Ventura 13.6, iOS 17.0.1 and iPadOS 17.0.1. Three vulnerabilities in all (CVE-2023-41993, CVE-2023-41991, and CVE-2023-41992) were patched, and there are reports that they've been exploited in the wild. The vulnerabilities could permit privilege escalation and signature validation bypass incidents.

Bermuda points to Russian threat actors in cyber incident.

Dave Bittner: And, finally, Bermuda's government judges that widespread disruption of official networks and services in the island at week’s end  is the work of Russian threat actors. Premier David Burt said, the Royal Gazette reports, “Our initial indication is it’s come from an external source, most likely from Russia, and we are working with agencies to make sure that we can identify any particular challenges and make sure that services are restored as quickly as possible.” 

Dave Bittner: Whether the attack is simply criminal or has a political purpose is unclear. Authorities in Bermuda believe that some Caribbean countries have been similarly affected. According to Bernews, the government says that service disruptions are expected to continue into today. 

Dave Bittner: So Bermuda dodges the tropical storm headed up the Carolina Banks toward Maryland (that’s where we are, of course) only to be clobbered by Russian crooks. Hacktivists, spies, or just old-fashioned crooks, the Russian hackers have a long arm. Forget it, Jake: it’s the Internet.

Dave Bittner: Coming up after the break, in our Solutions Spotlight, Simone Petrella speaks with MK Palmore from Google Cloud about the talent retention and the cybersecurity skill gap. Our guest is Kristen Marquardt from Hakluyt with advice for cyber startups. Stick around. In this edition of our Solutions Spotlight, N2K's Simone Petrella speaks with MK Palmore from Google Cloud about talent retention and the cybersecurity skills gap. Here's their conversation.

Simone Petrella: I am honored to be here today with MK Palmore, director in the Office of the CISO at Google Cloud. MK, thank you so much for joining me.

MK Palmore: Thanks, Simone. I appreciate the offer and looking forward to the conversation.

Simone Petrella: Sure. We'll get right into it. So I know one of the reasons that we connected in the first place, and this is true both in your professional capacity at Google as well as some of the work you do outside, is around, you know, just the coordination and the work that organizations are focused on in increasing the pipeline of not only talent in cybersecurity but specifically diverse talent. How do you think about retaining talent within Google Cloud?

MK Palmore: So great question. Talent retention is I think the same across any organization. And that is if you can provide good leadership, if you can provide your employees with a pathway towards their own professional development, and you can engage them in interesting work, then likely you have the elements necessary to keep employees on board. Now, as quickly as I said that, though, you should recognize that I think any organization really has challenges with retention, especially in today's environment, with things like remote work, the variabilities involved in where you work, what regions you're actually allowed to work out of, and of course, all things pay. But at the end of the day, I do believe that the subject of leadership -- people oftentimes leave employers because of bad leadership, not because of bad situations at work or anything like that. And so if you can provide good leadership, you can provide them a mission where they're effectively engaged, and a pathway for their own success, people will likely stay where they are. But that's, you know, easier said than done. Those challenges I think are felt across every enterprise on the planet.

Simone Petrella: And, you know, specific to that -- because obviously we want to retain the talent that's so difficult to get in the first place. But we also want to increase the diversity that we see in the field writ large. So how do you think about that as it comes to identifying and bringing in new talent and then trying to retain the talent as they move through their careers?

MK Palmore: Yeah. So anyone that's listened to me, seen my musings in terms of writings, knows that this issue of increasing diversity in the cybersecurity workforce and pipeline is a real passion topic for me. I honestly believe that this is one of the core components of solving, if you will, the cybersecurity challenge. Diversity helps us in every aspect of life. And in the cybersecurity realm, the need to diversify the cyber workforce answers the mail on a couple of different issues. One: our ability to actually create and invent solutions that apply across the board. You know, here at Google, we're always trying to solve for global problems, and cybersecurity happens to be one of them. When we think about solving problems, we think how can we solve this for the planet, not how can we solve it for some individual instance. Although we do a pretty good job at that as well. How do we solve for globally for a particular challenge? And when we think about issues like the cybersecurity workforce, we absolutely believe that diversity is a way for us to close down this gap, this ongoing gap, of here in the US, 750,000 plus open cybersecurity positions annually. If you include the numbers globally, that number ekes up I think to probably 1.5 million annually open positions. And in addition to widening sort of the lens that we use to identify cyber talent, as an industry, all of us have to do a much better job at getting diverse talent to the table. And that happens in a couple of different ways. We know for a fact that training helps get individuals to the table, if you can provide them with training. Some of which, especially some of the best training in the world, can be truly expensive. If you're not already on board with one of the global providers like the Googles of the world, where, you know, things like training may be covered by your employer, it can be extremely challenging for someone to actually get the certifications or academic training that they need in order to break into the cybersecurity field. But the second piece of that in terms of answering a challenge in the workforce is, of course, the piece of actually getting people experience. And hopefully we can dive a little bit deeper into that challenge, because I actually think that that's really the critical piece that we're all challenged with, with trying to identify how we close that gap now. Because, you know, Google has put training certifications on the table. We, this year, released a Grow With Google cybersecurity cert. There are a number of certifications by other organizations and agencies out there that folks can get access to. Grow With Google is certainly, you know, one that we would promote that prepares people for entry-level jobs. But there's lots of opportunities to train. And I think as an industry, where we're really challenged is this area of actually getting work experience for these folks. Because the truth of it is is that cybersecurity companies -- big vendors like Google and others -- are challenged with hiring brand new talent. It's really difficult for organizations that have as much on the line as they do, you know, to open up the employment door for folks with little to no experience. And that's really the area, I think as we move forward, that's the area where all organizations are going to have to start thinking about, how do we solve that problem? Because that's the critical piece that we're missing now.

Simone Petrella: Yeah. Really great point. One thing that I would be curious if you could share your perspectives as a leader in, you know, a large organization is, what are your recommendations when you think about that necessity to train and to invest in people? How do you think about or what are the recommendations you have to evaluate and measure not only the team skills that are required for the business to achieve its security strategy, but then what are the pathways or what are the recommendations and how you prioritize those investments, if you're already going to make them, in order to align the need with the actual training you're going to send someone to? If you're going to make that investment, you want it to be related back to the business in some way.

MK Palmore: So there's a lot to unpack there. And I think that certainly in the curriculum realm, the cybersecurity curriculum realm, they're starting to understand this. I think that the certifications realm maybe has a better handle on this than, say, the traditional academic environments and, say, four-year colleges and that kind of thing. Because they're still kind of training towards, I won't call it an outdated model, but one that doesn't necessarily keep pace with all of the changes that are in the industry. And there are certainly shorter return on investment, time and effort, that you can make in terms of investing in certifications, because the turnaround on those types of things are quicker. You mentioned the term "skills." And I think as an industry, we absolutely have to start thinking about what skills are needed in order to do the job and get better at the job. And that is where the concentration of investment and training needs to happen. As opposed to thinking about domain-specific over-riding strategic knowledge, we need to start thinking about, what does this person need in order to be excellent at this job, so that they get what they need to get out of the experience and the organization gets the kind of productivity that they're expecting. You know, security operations, case in point, is a fantastic example of that. There is no way that you can be an absolute expert on all of those products. There are a handful of individuals who even could probably run down the list and provide you at least level one, level two on what those products do and what they're capable of. And so as an organization, the office of a CISO, we spend some of our cycles taking time aside and making sure that we get, you know, deep dives on products that we think will come up in conversations with our customers as it relates to cybersecurity. And so we don't need to learn the entirety of the landscape, but we do need to be able to do deep dives on the products that are relevant to our portion within the Google Cloud story. And oftentimes that revolves around the subject of security. So that's just one example of, you know, very targeted training that organizations can undertake to make sure that their workforce is prepared for their role.

Simone Petrella: Amazing. Well, MK, thank you so much for joining. Really appreciate you taking the time this afternoon.

Dave Bittner: That's our own Simone Petrella speaking with MK Palmore from Google Cloud. There's a lot more to this conversation. If you want to hear more, head on over to the CyberWire Pro and sign up for Interview Selects, where you'll get access to this and many more extended interviews. [ Music ] Kristen Marquardt is head of Digital and Cyber Practice at Hakluyt and Company. She's also one of the judges of this year's DataTribe Challenge, where hopeful startups will pitch their ideas to a panel of industry luminaries. I asked Kristen Marquardt about some of the challenges startup CEOs face when considering the business side of starting a cyber business.

Kristen Marquardt: Oftentimes, there's a misalignment of expectation, either in terms of funding, timing of funding, control. I think there's oftentimes also a misalignment of how you talk about things. And when I oftentimes think about the business of cyber, what I really am focused on -- and this comes from the various places I've worked professionally -- is that there's oftentimes a disconnect around the fundamentals and the framing of conversations. So it's the business of cyber or really it's the cyber from a business perspective. It's understanding, particularly for startups or companies who want to work and who are dedicated to solving problems in this space, the way that they speak to the solving of those problems is oftentimes at a disconnect with the business or with the business corner. Because they're so focused on the technical piece of it, the problem as they see it, the really cool thing that they're going to solve for you. And what they're failing to really frame it as is, this is how it enables your business to make money, to be successful, to endure, to grow. And it is that disconnected framing and a fundamental understanding of what the other person needs and wants that oftentimes I see really stymies people. I think of it sometimes as a bit of a marriage between business and cybersecurity. Businesses exist to make money. That is enabled by having secure operations. And cyber exists to make that all happen. But the business and cyber functionalities, particularly in-house but also when you're bringing in an outside vendor to solve a particular problem for you, is can you talk about what this is going to do for you in the context of your business and why it's going to matter and why the adoption of it is going to matter, not just from a technology piece but from a culture piece, from a planning and process piece. And that oftentimes is a disconnect. So I think of it as a marriage, like I said, but it's one that can either be unholy and uncomfortable, filled with all sorts of miscommunications and misread assumptions, or it can be a pretty happy one that's got good communication, shared expectation, a willingness to work through things. I'm really kind of framing it from that perspective. And that is not a tech thing. That's not an innovation piece. That is straight up linguistics and culture and a little bit of patience and grace.

Dave Bittner: One thing I think about with a lot of the VCs that I've spoken to as they're evaluating some of these startups who are looking to get funding, they'll say, quite often someone has an interesting feature but it's not a product.

Kristen Marquardt: That often is a common thing. And it can be, you got really excited about solving one aspect of one problem, or you found a way to do something really cool and you're in search of a problem that it can solve, and you're trying to engineer from that perspective. Oftentimes, that feature is not enough, right. If you're going to layer into an existing ecosystem or an existing budget, it can't just be one thing anymore, unless that thing is an intrinsic, existential problem that you're going to solve for them. But it's how does that work in conjunction with everything else? How does it complement everything else? Is it just a slight innovation, or is it a sea-change? And can you articulate that not only for yourself but for the business? It's context of, what is this going to do for me? How does it make my life easier? How does it make me more successful, faster, smarter, better, as opposed to, it's just going to solve this problem? But why, why does it matter?

Dave Bittner: You are set to be one of the judges for the upcoming DataTribe 2023 DataTribe Challenge. And I will be there for that as well. As these hopeful organizations are putting together their presentations, do you have any words of wisdom, any advice for someone who's in this situation, effective ways to communicate their message?

Kristen Marquardt: Don't get so excited that you dive straight in to the nitty-gritty before you paint the landscape of what a difference you're going to be able to make. Oftentimes, when you're talking to people who have spent months, weeks, years, hard earned sweat, love, toil, every moment of every day obsessing about something, they start there. And it's a bit like starting in the middle or the end of a conversation for everybody else. You need to make sure that the people you're talking to really understand where you're starting from and that you've taken into account that you need to paint that picture for them. You want to take them with you on a journey. And it is a funny thing that in such a technical space, you still need to have those communication skills to be able to paint the picture, capture the audience, and take them with you.

Dave Bittner: Do you find sometimes that perhaps the founder of a company or the person who has the technical expertise is best perhaps sitting on the sidelines when it comes to these sort of communications types of things? You know, to have someone, a partner, who is the person out there being the face of the company? Or does the founder need to have all those skills?

Kristen Marquardt: That's an answer in the DC area, but I'm going to say it depends, right.

Dave Bittner: Fair enough.

Kristen Marquardt: It's going to depend. Because I do think what you need is to have enough humility to know what you're good at and what you can bring and enough humility to recognize if you need somebody who has that other skill set. You can develop a lot of it. You can learn to do it to a certain degree. But if you just fundamentally cannot think like your target audience, then you need to find somebody who can, and who can communicate it. If, however, you come from that or you think you really understand the mindset, absolutely you can develop the skills to communicate, right. We all can, through practice, through trial, through a lot of failure, right. But I think it requires a certain degree of humility -- what am I really good at? Where am I going to bring the value? Is there someone else who can do this better so that it's better for the company? And also, the flipside of that, is if you recognize that this is a limitation of yours, and you have somebody who can do that, you also can step back and take all of the energy and the focus that you would have dedicated to that and turn it right back around to the place where you really drive value for your company.

Dave Bittner: Yeah, I mean, it strikes me that one of the really interesting insights I think you're making here is that it's really important to be coachable. You know, both from being a good presenter but also this relationship that you're starting down with your investors.

Kristen Marquardt: Absolutely. You've got to be coachable. You have to be willing to offer grace to other people and hear the feedback in the way that it's intended. Not everybody has a lot of emotional intelligence for how they're going to frame feedback, right. They may be in a hurry. They may think they're doing you a favor by being hyper, hyper blunt. And you've got to see it for what it is and take from it the things that you know you can do. That's not to say that all feedback is good feedback. Again, there's a self-reflection period here where you've got to really take a look at yourself and what you're trying to accomplish and who you're trying to accomplish it with and think to yourself, there's context for all of that. Yeah, being coachable really matters everywhere in life, it's not just on, you know, the peewee field, it's for the rest of your life -- are you coachable? Are you adaptable? Do you recognize your strengths for what they are? And are you willing to bring somebody else's strengths into the picture and balance that with yours?

 

Dave Bittner: That's Kristen Marquardt from Hakluyt. She's one of the judges at the upcoming DataTribe Challenge, where startup companies compete for seed funding in a live competition. The submission deadline is Saturday, September 23, and the event itself is November 2. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. Be sure to check out this weekend's Research Saturday and my conversation with Maxim Zavodchik from Akamai. We're discussing "Xurum, a New Magento Campaign" that's been discovered. That's Research Saturday, check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week. [ Music ]