
When malware goes bump in the night.
Speaker 1: Copyright strike. Approved royalty free music. [ Video playing ]
Selena Larson: Okay. This building is seriously giving me goosebumps. Why are we recording here again?
Dave Bittner: Yeah. It's like the air itself is trying to spook us.
Keith Mularski: Relax. It's probably just the wind or faulty wiring or --
Selena Larson: Or a ghost.
Dave Bittner: Wait. Did you see that curtain move over there?
Selena Larson: I definitely saw it move. Is that a ghost wearing a mask? Someone do something!
Keith Mularski: I'm on it. Almost got it.
Selena Larson: Go, Keith!
Liz Irvin: Get off me.
Keith Mularski: Now let's see who you really are.
Dave Bittner: It's Liz, the producer.
Selena Larson: Liz, what are you doing here?
Liz Irvin: Producing, obviously. I thought scaring you a little would make this Halloween recording interesting. And I would have got away with it, too, if it weren't for you meddling hosts.
Keith Mularski: Classic producer move.
Liz Irvin: Yeah, yeah, yeah. Fine. Scooby-Doo gang-style reveal complete. Can we please just start the show?
Selena Larson: Ruh-roh. Guess we caught the villain. Good job, gang.
Dave Bittner: Zoiks!
Selena Larson: Today, we're going to share our favorite, or least favorite, scary stories from cyberspace. We've already made multiple ghost jokes, so I think it's only fair that we start with GhostRAT. Keith, you also had GhostRAT on your list, right?
Keith Mularski: I do have GhostRAT on my list, so I'll let you kind of kick it off on that. And then we can kind of dive into GhostRAT. It's a fun one.
Selena Larson: It is a fun one. So GhostRAT has been around for execute the -- it's been 84 years meme.
Keith Mularski: Many unbearable hours later.
Selena Larson: It was initially on the scene, what, like a decade ago. And it was initially used by Chinese state threat actors. But now it's broadly available, regularly used by threat actors, including Chinese speaking cybercrime threat actors. And oftentimes we'll see new variants of GhostRAT in threat data. And I'll be like, oh, this is a new malware. This is fun. This is interesting. And then it just ends up being GhostRAT in a hat.
Keith Mularski: Back in the day, GhostRAT was just everywhere when I was at the FBI working Chinese matters. I mean, it was just like -- seemed like every time we would go out and do some kind of an IR at a victim company, it was always GhostRAT. And it was just -- then it became so prevalent that, if you saw GhostRAT, everybody just naturally just thought, wow. It's China. But then naturally it just became very prevalent where, you know, everybody was using GhostRAT.
Selena Larson: Yeah. It was definitely one of those things where sometimes you have malware that starts off as belonging to a certain threat actor, or you can use malware for attribution of a particular state or adversary or group. But now I feel like that's not really the case anymore. I feel like a lot of that old school malware is used by a lot of different threat actors. And there also really isn't any -- there's not a whole lot of malware, at least, let's say, that is only used by one threat group.
Keith Mularski: Yeah. And I think, you know, they've kind of pivoted to that to make attribution a lot harder, whereas back in the day with some of those first cyberespionage campaigns, you know, they would develop unique, you know, malware packages. And then that became, so, hey. That -- well, that's China, or that's Russia. But they've kind of learned to kind of blend in with the other noise. The other neat thing about Ghost, you know, RAT was because it was one of those first RATs used for cyberespionage. You know, if our listeners don't know kind of what it did it, you know, it would log the keystrokes. It would capture screenshots and activate webcams, you know, to really be able to steal any of that intellectual property on the computers; be able to, you know, videotape conferences. Really, anything like that. So the victims really had no idea that their systems were haunted back in those days.
Dave Bittner: Now, what -- how did -- now -- yes. I use words for a living. How does it come to pass that a tool like GhostRAT becomes so widely used? Are people who are not the original users, does it somehow get shared? Or do they reverse engineer it? Like, what do we think is going on there?
Keith Mularski: I think it was just really developed as a -- you know, a remote admin tool in China, and it became predominantly used by nation state actors. But it really wasn't a nation state so, you know, designed by the PLA or the MSS. It was just one that was adopted by actors. So it was out there in the wild that we -- at that time, we really weren't seeing Chinese e-crime actors attacking the United States. So, really, anything coming out of China back in those days was predominantly nation states. So that's kind of how GhostRAT became associated with -- with PLA actors at the time.
Selena Larson: And now you have the builder available online, which I believe it has been around for quite some time. And so it is openly available. It's like one of those tools that you see various criminals use, adopt, add their own little flavors to it, clone existing repositories or existing samples of it. And then sometimes they'll add additional features that might make it seem like it's something else. But then, when you kind of do, like, code analysis, it's like, okay. This is -- this is -- this is GhostRAT or like an evolution of GhostRAT. Yeah. So a lot of -- I feel like a lot of times these things just kind of end up online, and then threat actors can use however they want. But, interestingly enough, at least when we see it, it is so predominantly used by Chinese speaking threat actors. We mostly see it in those types of campaigns.
Dave Bittner: I've also seen variants. Like, there's one called Sugar GhostRAT. Are you familiar with that? I think -- actually, wasn't it Proofpoint that originally spotted that one?
Selena Larson: Yes. It added a little sweetness to the spookiness.
Dave Bittner: Like a delicious Halloween candy.
Keith Mularski: I thought you were going to go there, for sure.
Selena Larson: Yeah. And this one was actually suspected to be an espionage threat actor. So it was, again, a customized variant of GhostRAT so, you know, building on the existing tooling. And we actually named the -- because we, you know, clustering, unattributed threat clusters before they're graduated to a full TA, we did call it Sweet Specter, so fully leaning in to the naming conventions of -- of this. So, yeah. So it was kind of interesting. So you do see even -- even espionage threat actors using the variants that are available out there, adding their own spice or sweetness, if you will. But, yeah. It's one of those things that it's still spooky. It's still out there. And even -- even old malware can come back to haunt us.
Keith Mularski: Speaking of old malware, that's a perfect segue because, if we're talking about spooky malware, we really kind of have to go way back to the beginning. And you know how I like history. So we got to go back to 1972 to the very first-ever computer worm called the Creeper. Which actually, if you're a Scooby-Doo fan, since we did our Scooby-Doo entrance, as well, one of the Scooby-Doo gang did go up against the Creeper in one of their episodes. [ Yelling ] But if you're not familiar with the Creeper malware, it was the first-ever computer worm. And it was used as an experiment, but it wasn't designed to do any actual harm or anything like that. All the Creeper did was write, I'm the Creeper. Catch Me If You Can. But all the data was left untouched. So it was a -- it was a worm that would go through the ARPANET back in those days. And the Creeper actually inspired an early computer game called Core War way back in the days. So going way back to, you know, the beginning with the Halloween themes.
Dave Bittner: It's hard to imagine. You're talking about 1972. I mean, there basically wasn't any cybersecurity. It was all just the gentleman's and gentlewoman's agreements of, you know, that we are simply not going to do things. And so something like Creeper could spread with abandon.
Keith Mularski: So -- which actually is -- led to the very first antivirus, so to speak, which was called Reaper, which was specifically designed to combat Creeper back in the day. So how one thing led to another way back in the day.
Dave Bittner: Creeper without the R -- without the C, I guess, right. Creeper, Reaper.
Selena Larson: It also reminds me of The Cuckoo's Egg by Cliff Stoll, which talks about the first-ever basically identified espionage hack at a university campus in California.
Keith Mularski: I think it was Stanford. Was it Berkeley? Yeah. Berkeley.
Selena Larson: One of the Northern California infiltration and basically talking about how a discrepancy in the phone costs of, like, the phone line because, you know, internet, phone was still connected way back then. It's like, wait a second. There is some discrepancies in these calls or these telephone connections. And he fell down the rabbit hole.
Dave Bittner: See. The thing is, Selena, back in the day, we used to use wires to connect our telephone calls together. It didn't use radio. It used wires.
Selena Larson: I mean, look. This is all before my time. I'm just walking down memory lane with you guys.
Dave Bittner: Ah. Right. Like -- like in a -- like in a retirement home. Go on, Grandpa. Tell us about the -- tell us about Creeper. No, no. No, please. Go on. This is fascinating.
Selena Larson: Well, speaking of because you mentioned -- so Creeper was a computer program, and it was an -- it was a research project, right? You were saying it was like they were trying to figure out how -- how it works. But we still see that today because you guys I'm sure are aware of PromptLock, the AI generated ransomware -- I'm using air quotes -- AI powered ransomware that ESET reported on that turned out to be New York University's Tandon School of Engineering. They confirmed that they created the code as part of a project to illustrate the potential harms of AI-powered malware. So we still have scary research projects that creep up and confuse people. And then they're like, oh, wait. We are -- we are continuing to investigate these spooky strains of malware. And it just so happened that some NYU researchers stumbled across something that blew up.
Keith Mularski: Yeah. I just read that article in Wired about the AI -- Anthropic was also talking about how actors were -- whether that was the same researchers or not, you know, abusing Claude code to develop ransomware. And I think, you know, that's -- if we're talking about scary things, I think that's one of our big fears going forward with AI. You know, are threat actors going to abuse AI for malicious purposes to write code, to develop new exploits and ransomware variants or whatever going to be the next, you know, big thing on the cybercrime horizon. But that's definitely one of the scary things on the -- on the horizon, for sure.
Dave Bittner: Well, since we're talking about worms, can I point out two that I think are noteworthy? First, there's the Morris worm, which was 1988, I'm guessing still before your time, Selena.
Selena Larson: Yes.
Dave Bittner: So, in 1990 -- or 1988, I was indeed using a computer. But Morris was the first worm to spread across the internet, and evidently it crashed about 10% of all internet-connected systems at the time. In fact, its creator, who was a gentleman named Robert Morris, that -- which is why he's called the Morris worm -- he was the first person convicted under the Computer Fraud and Abuse Act. Now, Keith, did you have anything to do with that?
Keith Mularski: No. Not that one. That one's a little bit before my time too.
Dave Bittner: Well, let me move on to I love you. And I do love both of you, but that's not what I'm talking about right now. This is the I Love You worm, which was in 2000. And this one masqueraded as a love letter in an email attachment.
David: New dangers tonight from the love bug computer virus, this time disguised as a friendlier email. Copycats have now spread around the world. Bill Graffin joins us live. Bill.
Bill Graffin: David, this is far from a childhood prank anymore. Experts say that the I Love You virus could end up costing the world economy $10 billion in lost work time.
Dave Bittner: It was really, I'd say, one of the first big email malware campaigns. Any recollection of this one from either of you?
Keith Mularski: Oh, I do. I do remember getting that on my Gateway computer.
Selena Larson: Really.
Keith Mularski: This is pre-cyber days for me. And --
Dave Bittner: Yeah.
Keith Mularski: -- it definitely infected my Gateway computer back in the day.
Dave Bittner: Okay. See, those of us on Planet Macintosh were smugly smiling and pointing our fingers at you poor Windows users back then. The pre ubiquity of malware days.
Keith Mularski: Yeah. It got through my 28-bit modem back in the day.
Dave Bittner: Right, right. You had to wait 10 minutes to download malware while it's --
Selena Larson: Well, if you're waiting for that long to actually download and install the malware, does that provide a better window of opportunity for defenders? Is it bad that computers have gotten so much faster, Dave? Should we go back to dial up?
Dave Bittner: Yeah. Well, look. I will make the case that computers were much more fun when they were simpler and not ubiquitous and more hobby related where you had -- not everybody had a computer on their desk. And so it was a much more experimental period of time. It just, you know, everybody's got a computer. Everybody's got a smartphone. But back then, I guess the pioneering days is what I'm pining away for is when it seemed like every day there was new discovery. And people were impressing each other with the things they could do, like new things they figured out to do with a computer that someone hadn't done before with these very, very slow, very, very incapable machines so.
Selena Larson: It's like the age of exploration but for in the digital world. Yeah.
Dave Bittner: Right, right. Do you want to go back to crossing the Atlantic on, you know, one of Christopher Columbus's ships? No.
Keith Mularski: No.
Dave Bittner: But I'm glad they did it.
Keith Mularski: I will take my tech now over those tech days.
Dave Bittner: Oh, absolutely. Yeah. I think -- what was it? Let's say you definitely want to be born at a time after the invention of antibiotics. I think Woody Allen said that.
Selena Larson: And antivirus.
Dave Bittner: Well, there you go. See? There you go, Selena.
Selena Larson: Inoculating against malware.
Dave Bittner: You just always bring it home. Nicely done. Nicely done.
Selena Larson: I like to go wrap things up in a little bow, like packages of malware, for example. And I think actually, so since we're talking about the before times and the happy times and how now everything is dark and dreary and we all have to be on watch for everything. But I actually think that, no matter the era, whether it was in the time of the Egyptian water clock or the time of dial up internet or, Dave, phone phreaking, there has always been a threat of social engineering. And I think that that is baked into human nature. And regardless of the tools and resources that are available to us or where we're going, where we're shopping, what we're selling, hawking, snake -- literal snake oil, that, to me, is something that's very, very spooky is social engineering and the cleverness of social engineering, especially that has emerged recently. And my number one, the thing that I hate the most, talk a lot about espionage. I know that there's -- and we can, even, you know, talk about this too. It's like malware, the target safety instrumented systems and industrial control systems that can lead to physical disruptions, that is also very scary. But one thing that really makes me angry and it is a little spooky, is pig butchering.
Keith Mularski: Pig butchering.
Selena Larson: It's called a pig butchering scam.
Speaker 2: FBI says this scam is known as pig butchering or crypto confidence fraud.
Speaker 3: Pig butchering cost Americans nearly $4 billion last year alone.
Selena Larson: And like romance scam and crypto investment fraud scamming, and it has blown up in the last few years. And it's a fundamentally social engineering based thing where threat actors are using the phones and our computers and the tools in our hands because we're online all the time to manipulate people, hack your brain, hack your emotions into spending money, into making you feel a certain way, making you feel loved, making you feel wanted and using that to steal your money. And, to me, that's the worst. I think that that's the scariest. I talked to a lot of folks lately about this type of threat, just in my community, I've been trying to do a lot more training, especially with older folks. And I have heard many stories lately about older folks getting romance scammed, and it just breaks my heart. And it's just I hate it.
Keith Mularski: I think that's the worst level of criminality. You know, when -- when I worked undercover and, you know, working with all the e-fraud guys and the Russians, and there was kind of this unspoken code with the groups that I was in was that you were attacking corporations because the corporations made the people whole. So it was kind of going after corporate greed, of stealing credit cards or taking money out of bank accounts because the corporations wouldn't -- would make the people whole. And it was kind of an unspoken thing where it was like you were like the low of the low if you were targeting individuals, you know. So it was at least -- at least the groups that I work with, you know, undercover, it was like you wanted to go after the corporations and not -- not the people. And so, when you're talking about the pig butchering, those are just, you know, the worst of the worst, in my opinion.
Dave Bittner: We talked about this over on the Hacking Humans podcast a lot. And it's just heartbreaking because you'll have cases where someone gets caught up in a romance scam, and their family cannot convince them otherwise. They -- I mean, it sounds crazy, but they really believe that Keanu Reeves is getting ready to marry them. And they will lose touch with their family. They'll push their family aside in pursuit of this fake romance that has swept them off their feet and can cost them their life savings. And it really is heartbreaking.
Keith Mularski: I actually talked to a friend of mine who had a friend that was getting romance scammed. And they were talking to that person, and the person basically said, Yeah. I know that that's probably not the case, that they're not going to marry me. But, when I talk to that person, I feel good. And I don't have anything else. So, if I'm paying the money to feel good and feel wanted, they continue to do that, even though they're confronted that this is -- this is all fake. And that's just really -- that's heartbreaking.
Dave Bittner: It is. And I guess, on the one hand, if you are self-aware and know what's going on and you can afford it, you know, the same way as someone going to a casino to play slot machines just for fun, knowing that they're going to lose money but be entertained in exchange for it, then there -- I guess there's nothing wrong with that. But it's really these cases where people lose everything and get their hearts broken, and just these -- it's just despicable.
Keith Mularski: Which actually kind of pivots into my next malware, which is TrickBot. So you can't have Halloween without Trick or Treat. TrickBot is one of my favorites because one of the guys behind it is just, I guess, one of my all time favorite cybercriminals, Vitaly -- Vitaly Kovalev who is, in my opinion, one of the original OGs of the cyber underground.
Dave Bittner: Do you have trading cards?
Keith Mularski: I do not have trading cards. I need trading cards, Dave.
Selena Larson: That's a great idea, actually. Yes. Keith's malware trading cards.
Dave Bittner: Yeah.
Keith Mularski: Yeah. So TrickBot has been around since 2016. And it really was initially designed to steal financial information like banking credentials. And it was the successor to a previous banking Trojan called Dyre. But what made TrickBot was, like, special, it was kind of like a Swiss Army knife for cybercriminals. It had plugins and modules that could be loaded to perform different types of attacks, such as credential theft, key logging, stealing emails and -- you know, and spreading through -- throughout the network. So it would worm its way, like we were talking about, worms across networks and move laterally and maintain that persistence. So that's what made it so scary for that. And there was a big botnet built for that, and it compromised millions of computers worldwide. And it was kind of one of those first malware-as-a-service type platforms that's out there. And that was taken down in 2020 but with a big operation by Microsoft to dismantle TrickBot's infrastructure. They went after the scenes -- the C2s or CNCs. It didn't actually kill it completely. But my favorite thing is with Vitaly Kovalev, though, he -- during the TrickBot operation, they actually ran a film distribution company called 25th Floor Films in the heart of Moscow. And they would hire people for their coders. And they were legitimately distributing Russian films as a way to launder their money. So it's just a fascinating case study of organized crime in the 21st century, and he wanted to write -- make a movie about himself.
Dave Bittner: Well, who wouldn't.
Keith Mularski: Yes.
Dave Bittner: We'll be right back. I have one. I am not exaggerating that this one disturbs me more than any that I've seen in a while. And this one came from you and your colleagues, Selena. This is Stealerium. So many of us have seen the common scam that you'll get via email. And it says, Hey. I've hacked into your machine. And I've been watching you through your webcam, and you've been visiting some naughty websites. And you should be ashamed of yourself. And, unless you send me some money, I'm going to send pictures of your naughtiness to all of your friends and family. But, of course, it's an empty threat. It's just trying to scare you into sending the money. Well, Stealerium takes it to the next level. Am I saying that right, Selena? Is it Stealerium or Stealerium?
Selena Larson: That's a great question.
Keith Mularski: She's like, I didn't name it.
Selena Larson: I -- I think we were saying Stealerium.
Dave Bittner: Stealerium like delirium. Okay.
Selena Larson: That's just how I was saying it. But it's, again, one of those words that you just read and don't say out loud until this moment when you're asked how you pronounce it.
Dave Bittner: Until you're me, and you have to. Yeah. I have to say all these out loud. So -- so what these folks have done -- and please, Selena, feel free to jump in here if I missed anything or get something wrong. This is an info stealer that can -- it gets installed on your machine, and it can detect when you're viewing adult content. It'll take webcam photos. So it'll take a screen grab of the adult content you're viewing. It'll take a snapshot from your webcam, pair those things up, and then send you the blackmail letter as leverage. So it's taking that thing that was an empty threat and making it real.
Selena Larson: I would point out Stealerium has -- is a typical information stealer, but it does have the addition of not-safe-for-work content searching. The default configuration has a bunch of strings that could be configurable by the operator of the malware. But, basically, there's a function in the malware that will query a victim's open browser windows to see if any of the following words are in the titles of open web pages. So it's actually literally called porn services. But there's words -- and apologies for saying porn and sex on the podcast. There are a couple others that I'm not going to say on the podcast that we did black out in the research because they are not safe for work. And, yeah. So, essentially, they will have -- you can configure adult content words. And so it looks like the operators of this malware could potentially use it for sextortion activities. And we did actually see a couple of adult-themed words that were related to the distribution of Stealerium. Not, hey, I'm going to expose you but check out my adult content that was actually distributing this particular malware. We didn't actually see follow-on activity from this malware. But, based off of the functionality of the malware and some of the configurable components of it, it could be used for sextortion, which is very gross because, yeah. I've actually had friends who've emailed me or sent me emails and be like, Oh, my gosh. Some guy just emailed me. Said he's going to expose me if I don't pay him in bitcoin. I'm freaking out. He says my computer's hacked. And -- and, you know, I go over to my friend's house; look at their -- it's not hacked. It's just, you know, empty threats, basically. Like, yeah. With this type of malware, they could have this automated capability. 
It's not just looking for your banking credentials or your passwords and, you know, clipboard information, crypto wallets; but it's also, with the addition of the sensitive adult content personal information that adds an additional layer of absolute disgusting capabilities that's really just horrible. I mean, it's bad enough stealing your banking details. But when you add -- sprinkle on just gross behavior, it's just so much worse.
Dave Bittner: Well, I want to apologize to Keith for all of the tasteful nudes that I've sent him just to say, Keith, do you think this image was stolen or not? And Keith sends it back. And he says --
Keith Mularski: And you sent it over as, like, cat videos to me. Come on, Dave.
Dave Bittner: Yeah. That's right. That's right. And he says, I can only block you so much. So bleach out his eyeballs.
Selena Larson: Yes. That is important. It's also worth noting here, too, actually, that, since we published that research, it is no longer available on GitHub. The URL that you had published is no longer there. So that's good.
Dave Bittner: Good for you.
Selena Larson: Yeah. Much -- much appreciated, even though it said for educational purposes only.
Dave Bittner: Oh, yeah. Doesn't -- that was another thing that -- that grinds my gears, right? Like, you know, I'm just putting it out there. I'm just asking questions. I'm just putting this out there for people to experiment with. Do what -- be sure not to do anything illegal.
Keith Mularski: It was always so funny on the -- a lot of the cyber underground forums, the criminals would have this big disclaimer at the beginning. In order to enter into the forum, it would say, you know, this is just -- everything being discussed here is for research purpose only. There's no criminal activity. And you're like, okay. Yeah. You know, like -- like that was going to indemnify them.
Dave Bittner: Keith, how many times did someone ask you if you were a cop?
Keith Mularski: Oh, so many times. Like -- like, people would think that I had to tell them the truth.
Dave Bittner: Right.
Keith Mularski: I'm lying about my identity. I'm giving them a false name. But all of a sudden I have to tell the truth when I'm -- if they ask me whether I'm a cop or not. That would always crack me up.
Dave Bittner: That doesn't seem very sporting of me. It doesn't seem very sporting, Keith, that the FBI is allowed to lie to you; but lying to the FBI is a crime.
Keith Mularski: I guess it's a little one-sided there, isn't it?
Dave Bittner: Yes, it is.
Keith Mularski: It worked for me, though.
Dave Bittner: I'll bet it did.
Selena Larson: You were trick or treating, basically.
Keith Mularski: I was.
Selena Larson: Is trick or treating social engineering? Is that -- are we -- are we teaching our youth of the world early to social engineer their neighbors into giving them candy?
Keith Mularski: Well, I want the big chocolate bars. That's what I want. I don't want the fun size. I want the full size.
Dave Bittner: Well, that's our strategy in our neighborhood is we give away full-size candy bars as insurance against anything bad happening to our home, right, like any of the tricks. And I think trick or treating is -- I mean, there is the threat of mischief. If you don't give me a treat, then there will be a trick. But, you know, straightforward deal. It's a transaction. We all know what's up with that.
Selena Larson: I guess, yeah. It's a little bit -- it's too transparent to be real social engineering. But it is introduction, entry level, entry level social engineering.
Dave Bittner: Yeah. Right. I get -- the thing that gets me is when you see, like, the same spider man come around five times, you know.
Selena Larson: Honestly.
Keith Mularski: Any 17, Dave. Any 17.
Dave Bittner: Or even worse, like high school kids who don't even bother with a costume. They're just like, Give me candy.
Selena Larson: I will -- I will give those kids candy. They can come to my house. I love it. I'm, like, you're out here trick or treating. That means you're not getting into any other trouble. I'll give you my fun-size candy bars. But, also, I never get trick or treaters at my house. So I -- I love it when they come back because I have to get rid of the candy.
Dave Bittner: Okay.
Selena Larson: Otherwise, I will end up eating it all.
Keith Mularski: We always have -- at our place, we have -- we have -- for the kids, we have the candy. And then we have a little cooler on the side for trick or treat for mom or dad, too. So, yes. Yes.
Selena Larson: That's always important. Extra layer.
Dave Bittner: We have box wine along with plastic cups.
Keith Mularski: You're really going trick or treat, right, Dave?
Dave Bittner: Well, you can get some red, or you could get some white.
Keith Mularski: Yeah.
Dave Bittner: Whatever. The men -- let me tell you. Parents are gracious. They're grateful. It's merciful on -- on Halloween night when you're out there with all the kids.
Keith Mularski: I knew every house in the neighborhood that had adult trick or treat beverages when I took my son around so.
Selena Larson: What I'm hearing is I need to go spooky season at Dave's neighborhood.
Dave Bittner: Yeah, yeah. People come from all around because they know they're going to get full-size candy bars.
Selena Larson: Well, I do think that it's probably worth talking about one -- at least one more spooky malware because I think it's interesting, and I'm curious to hear your guys' thoughts because one of the things that I wrote down was TRISIS, which was a malware that targeted safety instrumented systems at an oil and gas facility in Saudi Arabia back in 2017. There was a handful of ICS-specific malware that could cause disruptions to industrial control systems if deployed correctly. And this particular one specifically targeted the safety equipment, which I thought was extra scary because it could have a very, very bad impact. It didn't. Thankfully, it was detected and disrupted. In 2020, US Treasury actually sanctioned a Russian government research institution connected to developing this malware. What I find so interesting is we just don't see very much of it reported publicly, of course. And I think, you know, targeting safety equipment is particularly heinous. But, also, I think it's so interesting because stuff as basic as ransomware can have widespread disruptions to operations, not necessarily the safety equipment. But you just disrupt some of the actual operations. They have to turn off production. They have to -- you know, things really grind to a halt, but it's not disrupting the pieces of the environment that will -- could potentially cause a catastrophic incident and loss of human life. The flip side of that, though, is you have ransomware that targets hospitals that does actually impact human life. So I think that, you know, I'm curious to see your guys' thoughts of this sort of, I don't know, era of malware that can have real-world physical impacts. Is it getting worse? Is it getting better? Like, what -- what are we kind of expecting?
Keith Mularski: Well, I think just what you said is kind of the segue was the next variation of the BlackEnergy malware that targeted ICS systems back in the mid-2010s, some around there, which then led to NotPetya, you know, so very destructive attacks. And when you're thinking about targeting ICS or control systems, you're talking about some of our most sensitive things, and especially our energy grid of, you know, being in the dark, if we're talking about scary things, you know, shut down dams or release water from dams or just hit the whole -- you know, take control of all those SCADA systems. So that's probably some of our biggest nightmares. And we're just still seeing the evolution of that, of those types of malware to be able to target those types of systems.
Selena Larson: Yeah. I hope we're not going to see a huge one. Obviously, we have seen some pretty significant destructive things but not the sort of blackout level event that I think a lot of people are afraid is coming.
Dave Bittner: I'm surprised there hasn't been more significant accidents where a threat actor releases something that they weren't intending to do damage to ICS systems. But it just got loose and shut something down, and a chemical factory explodes.
Selena Larson: So I think it's important to note that defense in depth really plays a role here. So I think, you know, in cyber land, we're so used to everything being, like, flat networks and not, you know, everyone having admin access and, you know, very easy to sort of go through and expand networks and have these sort of catastrophic digital impacts. A lot of times the physical impacts to a lot of these things are because people just turn them off and not because a hacker successfully disrupted the safety or security of chemical materials or chlorine or oil and gas transportation. But, yeah. I mean, Dave, to your point, I think it's because these systems are so secure. And we have things, for example, like regulations that you have to maintain a certain level of safety and security within your environment. I don't know if you guys have ever watched OSHA YouTube videos that will reconstruct major disasters.
Dave Bittner: Oh, yeah.
Selena Larson: Oh, my gosh.
Dave Bittner: National -- I have a friend who does animations for the -- I think it's the National Chemical Safety Board. And they're the ones who -- they're the ones who reconstruct when a manufacturing plant explodes or a chemical plant explodes. They go in and figure out what the heck happened and why. And they're so scary.
Selena Larson: They are really scary, yeah.
Dave Bittner: Yeah.
Selena Larson: And we haven't had quite like a cyber-enabled thing leading to that type of disruption. I think that's a great testament to the folks who are working on the front lines of OT security, both digital security as well as physical security of a lot of these environments.
Keith Mularski: And I think, too, that why we haven't seen something major is it really takes a special skill set to be able to penetrate these systems that's usually reserved for nation state actors. So when a nation state would be doing something that -- that's kind of an act of war. And one of the few times that we've seen a criminal do that, which was Colonial Pipeline, you know, they kind of realized very quickly, whoa. We kind of maybe overstepped our bounds here because now the whole US government was looking at going after them. So I think criminals, for the most part, you know, they want their money; and they want to blend a little bit more in the background. And, from a nation state standpoint, if they do something like that, that is an act of war. And you would think that there would be some kind of retaliation. So there is a little bit of that, you know, standoff, cold wars type thing on those things.
Dave Bittner: Yeah. I think about our pal, Allan Liska, from Recorded Future. I don't know if any -- if either of you know Allan.
Selena Larson: Oh, yeah.
Dave Bittner: Everybody knows Allan. But Allan says that some people really do deserve targeted drone strikes. And, to me, it's the people who go after the hospitals. You know, like, what -- the rules of engagement, the -- you know, the laws of armed conflict say that you don't go after hospitals. Those are not targets. And here we are. And I wonder if the people who go after hospitals started receiving targeted drone strikes or some other kinetic response, if that would -- even if we had international treaties that said -- that extended that to the cyber realm and said we all agree. Same thing, you know, like, we're not going to use chemical weapons. Okay. Great. We're not going to attack hospitals with cyber. Why can't we get there? It's frustrating.
Selena Larson: Keith, you mentioned, you know, the groups that you were infiltrating did have some sort of standards of operations where --
Keith Mularski: There was honor among thieves, believes it or -- believe it or not.
Selena Larson: Honor among thieves. We just don't really have that anymore. To be clear, no hacking, please. But -- but, yes. Where are the gentlemen hackers, Dave?
Dave Bittner: Well, it's a funny story. I -- years ago, I was working at a television facility; and we were transmitting our signal to a satellite and back down again. And I was talking to the satellite engineer. And I said, you know, you're in charge of this dish that sends this signal up to the satellite to be received and then bounced back down to Earth. I said, What's to keep you from pointing your dish at another satellite and just jamming them off the air, either intentionally or accidentally? He paused for a moment. And he looked at me incredulously, and he said, David, we're gentlemen. And that was it. Right?
Selena Larson: That's why. Yeah.
Dave Bittner: Yeah. This is probably 20 years ago so simpler times. But you had those agreements that this is a shared space, and so there are things we simply will not do. And I find it really troubling that keeping your hands off of hospitals, they don't respect that. It's despicable.
Keith Mularski: There should be -- if you look at -- back at the old anti-piracy laws back in the 1800s and 1700s where they basically called pirates the scum of the Earth and that they should all be hung if they're caught, and so I think there should be kind of modern-day piracy laws for these scum of the Earth that do attack hospitals or do ransomware types of attacks, to really have that global law like they did for piracy way back in the day because it's really no different, in my opinion.
Dave Bittner: Yeah. Spooky pirates.
Selena Larson: Yeah. We've really hit on maritime adventures in this podcast. Christopher Columbus; 17th century, 18th century pirates. I love it.
Dave Bittner: Want to hear a pirate joke?
Selena Larson: Always.
Keith Mularski: Of course.
Dave Bittner: What is a pirate's favorite letter?
Selena Larson: R?
Dave Bittner: You'd think it'd be R, but it's actually the C.
Selena Larson: Oh!
Keith Mularski: Well played, well played.
Selena Larson: Okay. That was good, that was good.
Dave Bittner: We'll be right back. You want to just take us out, Selena?
Selena Larson: Of course. Thank you, Dave. Thank you, Keith, for this sail down memory lane of very spooky stories of malware. And I think, you know, moving forward, a lot of the stuff that we talked about today is still very much a threat. And we are still seeing the evolution of social engineering, the evolution of open source malware that's being retooled and reused. And we will continue to see potentially hospitals and those things that should be off limits continuing to get targeted, and it's more important than ever for collective defense so we can make those ghost stories a bit of history. Thank you to all our listeners for tuning in. As always, we hope you have a wonderful spooky season; and we'll see you next time.