State of Cybercrime

China's Silent Cyber Campaigns

Episode Summary

Recent cyberattacks, zero-days, and APTs have positioned China as a cybersecurity adversary. Join Matt Radolec and David Gibson for a special State of Cybercrime episode, during which the two will discuss the recent wave of stealth Chinese cyberattacks against U.S. private networks and what this means for U.S.-Chinese relations in 2023. Matt and David also cover:

- The congressional TikTok hearing surrounding data privacy concerns as a byproduct of Chinese ownership
- The recent Facebook accounts hacked by the ChatGPT Chrome extension
- Our "good news" segment: the shutdown of the notorious Breached hacking forum
- The 55 zero-days that were weaponized in 2022

Episode Transcription

[00:00:00]

David Gibson: Hey Matt. How you doing?

Matt Radolec: I'm doing well, David. How's it going? 

David Gibson: I'm doing all right. Matt, I see you're in a different location today than normal.

Matt Radolec: Yeah, I'm not in my home studio. I'm actually in Atlanta, Georgia, specifically in Buckhead. Are you at home in Connecticut, I think? 

David Gibson: I am. I am at home in cyberspace, Connecticut? Yes. 

Matt Radolec: Or in the cloud, I should say. 

David Gibson: Cloud, yeah. No, I'm not a reluctant traveler today. Are you more Eugene Levy or more outgoing in your [00:01:00] travels? 

Matt Radolec: I think I'm a little more outgoing than a Eugene Levy in my travels, at least this week. 

David Gibson: Excellent. Excellent. That's good to hear. 

Thanks for joining everybody today. Matt, what do you say? We get started. 

Matt Radolec: Yeah, I think we should crack straight into it. Yeah. 

David Gibson: We always try to talk a little bit about what's happening in security from a good news perspective so we'll share a little bit that we have there, go into some of the not so good news, Danger Zone, what's been happening from a threat perspective and then some vulnerabilities that folks should watch out for. And then we'll open it up to some Q&A. We'll also have a couple of polls along the way, but first let's get into the good news. 

Is there any good news? Actually, one interesting piece of news was that the Breached hacking forum, which according to Bleeping Computer was the largest leak forum of its kind, has been shut down.

This was kind of an interesting thing. Apparently there were two kind of admins and one owner. And the owner, Pompompurin, was arrested, apparently from New York, [00:02:00] and he was a former member of another breach site called Raid Forums. 

But the other admin was named Baphomet, and he had left a CDN server as part of the infrastructure that wasn't used for very much, but he noticed somebody logging into it, and I guess he thought that only he and Pompompurin would be able to log into it. So he concluded that somebody had Pompompurin's computer or credentials and that the entire outfit was compromised, so he decided to shut it all down, which, I guess, score one for the good news. 

Baphomet said that he'd be back, essentially, and he left it open. He said he knows that they'll be replaced, but he's challenging future breach sites, saying that what he'll offer is gonna be as good, and to stay patient, or so.

It seems like pretty good news to me though, man. What do you think? 

Matt Radolec: Yeah. This isn't the first time that we've seen not even just law enforcement take something down, but the fear of [00:03:00] retribution from law enforcement being the reason why an attacker shuts down their infrastructure. 

I think back to a lot of the ransomware gangs that we track, who might preemptively, as we think, rebrand themselves in an effort to avoid arrest or being doxed and having people find out who they are.

But that's not the only good news that we've got. In the UK, a crime agency set up a fake distributed denial of service for hire website, meaning that if you actually went to try to transact it would never be successful, but the idea being, I think, the operation was part of something called Power Off, which is a global collective of law enforcement agencies attempting to take down the ease with which an attacker could rent infrastructure to carry out an attack.

So to use something like a DDoS for hire site, you don't even need to know how to carry out a denial of service attack. You can just pay money like a monthly subscription and then click the name of the domain you want to go after and really hit go. So a lot of the sophistication was removed, and that's what the target here from law enforcement is. [00:04:00] They stood up a fake site to gather information about attackers, and I wanna say a couple thousand attackers were able to do this. 

Now, this isn't the first time this has been in the news. This is just the recent news. The FBI is actually known for this. They set up, I think it was called ANOM, which was an encrypted chat messaging service, a number of years ago in order to identify different hackers that wanted to use this encrypted messaging service, and they were able to collect, I think somewhere around 30 million of what the attackers thought were encrypted chat messages as it related to their hacking operations. 

As we talked about in our last episode, I predict we're going to see more collaboration from law enforcement and from government agencies doing a little more of what we might consider to be the offense, right?

Like setting up, this is a bit of an entrapment ring to try to identify information about hackers. I think we're gonna see more of this versus less of this moving forward. 

David Gibson: Yeah, this is a sting operation, right? It's a kind of click here to do something illegal, right? It doesn't seem like [00:05:00] you should, if you're a cyber criminal, trust some of these sites.

Matt Radolec: And if you're trying to do a pen test of your own environment, probably best not to use an advertised hacking tool, and maybe hire an outfit to do some DoS testing for you versus going out online. I know some of you in the chat might be thinking someone could have good intentions here.

Usually if you're seeking out this type of a website, it's to carry out a nefarious act as opposed to a, maybe a gray hat or a white hat hacker one. 

David Gibson: It makes sense. And speaking of hackers, maybe we should get into the Danger Zone. What do you say? 

I thought this story about the BianLian, I dunno if I'm saying that right, ransomware group was interesting because it seems like an evolution of ransomware. You know, initially ransomware gangs would just go after the availability of data and they would just basically encrypt everything and say, "you can't get it back unless you pay us". And then we started to see a double extortion technique where not only would they compromise the availability, but they [00:06:00] would threaten to leak the information in kind of a double extortion, right? So threatening the confidentiality as well as the availability of the data. 

But this group really just focused on the confidentiality. They would say, "listen, we've stolen a bunch of regulated data," and they'd wield the threat of being fined for having that data breach over their victims. So, "pay us money or you're gonna have to pay the regulators money". 

I thought that was an interesting evolution in the monetary direction of this ransomware group. Pretty standard operation from how they do it technically: Go-based backdoor, remotely compromising the device, then doing their thing from a ransomware perspective.

Matt Radolec: And I wonder, do I even call this ransomware anymore? Is this extortware? 

I commonly associate ransomware with the encryption part. I'm okay with this broadened definition, but the shift in technique to: why bother going for the encryption? Let's just go straight to "we're gonna post it online and you're gonna face fines if you don't pay us." [00:07:00] Is this a breed of ransomware that we could call extortware, or is it still the classic ransomware? 

I'd be curious to see what our audience says in the chat about that. 

David Gibson: There is software and there is ransom.

Matt Radolec: Yeah, one plus one can equal two. I could see it, I could see it. 

David Gibson: Maybe we could have a hybrid there.

So this is one piece of Danger Zone. I think we have to include TikTok in our Danger Zone as well, right? A lot of talk about TikTok, and the CEO of TikTok has been testifying in front of Congress.

And it seems like a lot of questions over a lot of aspects, from children's mental health to "what power does this application have over the people looking at the feed". There's some privacy concerns. And then also, like, some of the responses I think elicit some of the sovereignty stuff. One of the things is like, hey, this is a US company and the US data is kept on US soil. 

Matt Radolec: In terms of the question around data sovereignty, right? I'm not sure how much that matters other than, which law enforcement agencies I could willingly cooperate with versus which law [00:08:00] enforcement agencies do I have no choice but to cooperate with.

Like, when we think about the powers of the Patriot Act when it comes to digital evidence and things like that, the angle I'm always trying to get people to think about is: you in your company might be permitting or not permitting corporate devices to have TikTok on them and then the risk and dangers associated with that. 

And then we all have to make the personal choices with our families and even with our children around the content that they see online. 

I think TikTok just brings it all together. It brings it all to a head, right? They're clearly taking a ton of data in order to deliver the functionality in their app, maybe more than they need.

And whether or not we are okay with this trend in big tech to take all the data and share all the data really without a net benefit other than the usage of the app. 

I think that's where consumers are now starting to face these decisions and Congress is trying to bring these decisions to a head. Should this be okay or not?

The other angle that I'm always looking for and trying to encourage people to talk about is, really, the danger of the data being shared is one thing, but I think we learned from Facebook and Cambridge Analytica [00:09:00] and all of the fallout from that, that's happening. 

I think the other thing is that content could be presented to you that could incite a response from you, and is that content governed by a foreign state actor or not? That's the core question, and I think where the core risk comes from. 

Imagine if everybody got displayed the same content that might incite certain behaviors from people, maybe like some sort of economic like a fire sale or some sort of revolution type of an event, if that started as a misinformation or what we would call a PSYOPs campaign, a psychological warfare campaign, I think TikTok would be a tool that could be used by a bad actor to execute psychological warfare. 

David Gibson: Yeah I think, we've definitely seen that. 

I'm reminded of Littlefinger from Game of Thrones: I like to play a little game. What is the worst possible motivation that somebody has for doing something? And I think it's fair to ask that of all sides. What is the worst case scenario that we could have with [00:10:00] having this massive content machine by a government, and what could happen there?

So anyway, big issues here. 

Matt Radolec: I think we should see where the viewers are around, what your organization thinks about TikTok, where you think the danger or the risk is and really, if you guys have even taken any steps around that. 

David Gibson: It's interesting kind of the undercurrent of fear. Fear of the unknown as we answer this, and that's gonna come back. I think there's another big topic here that we're gonna talk about where there's a lot of unknown and a lot of fear happening. 

So I'm curious to see what people think is the most dangerous aspect of TikTok.

Matt Radolec: It seems like everybody thinks that it's a combination, but there seems to be some competing priorities around either just like data privacy and violating data privacy laws as well as the, as I talked about, really where I personally see the most danger is in around like state sponsored misinformation campaigns.

David Gibson: Yeah, this is interesting. Are we talking about the symptoms or the underlying problem and chasing the [00:11:00] threats here. 

Matt Radolec: And it seems not a whole lot of our audience uses TikTok, and more of our audience than not doesn't have some sort of policy to restrict the use of TikTok on work devices. I'm pretty surprised that about 60% of our audience has some sort of policy in place to limit the use of TikTok on corporate devices. 

David Gibson: Maybe we should add another poll question for where do you get your funny cat videos, if not TikTok. 

Matt Radolec: I would say Reddit personally, but are we just trading one social media app for another at that point?

David Gibson: Yeah, definitely. Definitely. 

Alright, so there's another story in the Danger Zone, which is as dangerous as it gets, I think. And this is from a report from Mandiant, which is tracking some of the zero days that were used. 

Apparently last year there were 55 zero days that were tracked, which was a little bit down from the year before but significantly higher. It really does seem like either there are fewer zero days this past year, but more likely people are getting better at hiding [00:12:00] them because cyber is the new battleground, right? And these zero day vulnerabilities are pretty heavy weapons, right?

So it looks like there's some kind of no surprises here. Some financially motivated threat actors, some state actors, China, and then going after products that people use, right? From Microsoft, from Google, from Apple. I guess any surprises here for you, Matt? 

Matt Radolec: In some ways this is business as usual. It's a cat and mouse game. We've got security researchers trying to find these zero days, but those researchers might not be as well funded as nation state adversaries that are also trying to identify zero days. 

The main difference being that the ethical security researcher is gonna share it with the community. That's where their incentive lies. Or maybe even through like a bug bounty, Bugcrowd or a bug bounty from a particular organization. 

And then on the other end of the spectrum, a state sponsored actor, it's in their best interest not to tell anyone, to sit on that zero day as long as possible and use it to gain access to information or manipulate information [00:13:00] for state goals, and I think that's business as usual. I mean, when we talk about state-sponsored cyber attacks from China, the playbook of Chinese state-sponsored actors is: get in, even potentially at the hardware level, with zero-day vulnerabilities, or even embedding bad code from the factory as a means to carry on an intrusion.

David Gibson: It definitely seems like part of our lives now. And I guess that leads us into our next segment which is Vulnerable Vulnerabilities. 

Speaking of China and zero days and vulnerabilities, there was an interesting story here in the Wall Street Journal about these zero days on Edge devices, firewalls, remote access servers as well as virtual machine concentrators. 

You know, I was reminded of kind of the playbook that we saw with ProxyShell, which is a vulnerable Edge connected device. I guess this story, what I think was a little bit spooky, but we should unpack a little bit, is just the stealth, some of the [00:14:00] careful use of these zero days that are gonna make it hard for folks to detect when they're being exploited, and then hard to react, hard to get ahead of these things.

Matt Radolec: And I think we could draw a parallel here to how different that is from SolarWinds. 

We all remember December 2020. If you guys don't remember, David and I were talking about it with everybody. The Varonis system actually detected that novel zero day attack, not the focus of today's session, but that was a very widespread attack. It was clear that thousands and thousands of organizations were having that actions on objectives phase of the attack all at the same time. The attackers unleashed the power that they had established from that zero day attack. 

You have to compare that to if the playbook instead was: use a zero day to get in, but do as much as humanly possible to avoid second stage detection, so that someone would truly have to identify the zero day in order to identify the [00:15:00] presence of attackers.

It's a different playbook. Think about like ProxyShell, that was something that was extremely widespread but started from identifying the postmortem of a nation state, the state sponsored attack. Even the researchers that revealed that attack suspected it to have started months and months ago. 

So who knows how long that zero day was sitting on the shelf for the attackers before a security research firm got an incident that was able to get them to identify that was the original source of the attack, and then shared it with the rest of the world for us, even still to this day, to find attacks that used ProxyShell as the initial access vector.

David Gibson: Yeah, and I think you know, we're gonna talk a little bit about whether folks should despair or whether this is the way we've been thinking about it already. 

Matt Radolec: And the thing that I'm really curious about, for all of our listeners, is when you think about APTs and state-sponsored attacks, like China, and what your risk assessment reveals, like where you think the risk is, is this the top threat for your org? Is it in the top five? Is it in the top 10 or, and I think this is an okay [00:16:00] answer depending on your risk posture, are you not worried about, state-sponsored actors or APT at all? 

David Gibson: Yeah. I'm curious where this falls in people's thinking, in their policies. 

Matt Radolec: I think back to like past experiences, even before I got to Varonis. I think for me it was definitely a top five threat whether I was working government or in the private sector. The idea that a state-sponsored actor would have the motivation to attack my organization, it was absolutely up there.

But I actually would probably concur, with our audience here: the top threat for most organizations, just blanket statement, is probably cybercrime or insiders. Likely the state sponsored attacks, at least as far as we know today, aren't as common as a ransomware or a phishing cycle of an attack. A fiscally motivated low sophistication attack there seems to be the much more prevalent attack. 

And it does seem like our audience agrees, though. Most people are feeling like it's a pretty top concern. 

David Gibson: Yeah I definitely feel like this is elevated over the past few years. And I think it's also interesting how the state sponsored [00:17:00] techniques quickly spill out into the cyber world, right? That there's just not as much lead time as I think there used to be. 

Matt Radolec: And to shout out just a comment I just read in the chat where someone was saying that for a utility company, state sponsored might be number one. And I would tend to agree with you. Critical infrastructure providers, and I mean, the US government certainly agrees with this, should be concerned about state sponsored attacks because of the impact it could have on the economy, on the general use of electricity, water, cell phones.

I realize even though Mandiant was the one that released this 55 zero days report, I think back to the APT1 report. Was that like 2010, 2011? I don't even remember, 2008? Where they came out and said China and state sponsored attacks from China were aligned to the five year plan, and nation state attacks from China are something that everyone should be concerned about.

I don't know that anything's changed since the APT1 report. If anything, state sponsored actors are more well funded or better staffed, [00:18:00] and it's more of a focus of states, including the United States, where David and I sit, to have state sponsored hackers on payroll. To have offensive and defensive cyber capabilities is even bigger than it was a long time ago. 

But I still think that not much has changed. That China's still one of the looming threats and one of the most powerful state sponsored hacker groups that's out there.

David Gibson: Matt, you may ask yourself, how do I stop this? Or what should I do differently? 

Matt Radolec: Yeah. Do we have some kind of practical advice for our audience around dealing with APTs?

I think the first thing that comes to mind for me, to just jump on the bandwagon of Zero Trust, is the reason that Zero Trust is so popular. It's actually because that is one of the lines of defense against a state sponsored zero day. 

Let's say one of your Edge devices, like the ones we're talking about, a firewall, a remote access gateway gets compromised.

If you've implemented zero trust on that, there's a really, really high likelihood that you're going to be able to detect that before it gets [00:19:00] to what likely is that really juicy center, which is your data. 

That same concept, if you think about security from like an inside out or a data first approach, and you put those protections in around the critical assets that you're trying to protect the most, you put the highest level of monitoring and the most control there, you're again, gonna have a really high likelihood of being able to detect that.

But if most of your security controls exist away from the assets that you're trying to protect, you're not as well instrumented for an APT as you might think that you are. 

I would really challenge everyone to first of all go through that risk assessment, figure out what it is that, again for utility providers, which our audience seems to be really excited about, focus on keeping the utilities running and implement your risk control measures there.

And for a lot of organizations, a lot of that could be buried in your data, and make sure that the stuff that the state actor would want or they would want to do to you is where you spend the most of your time and apply the most of your protections. 

David Gibson: Yeah, I think it's a normal practice, right?

You have to assume that there are many vectors, that anybody could get in your [00:20:00] firewall. You can't assume that somebody can't go right through it. And so putting those layers behind what you know, could be breached, it's a way to keep the water flowing. 

I think one sense of unknowns and fear that I mentioned is from all these zero days but, it is, I think very similar to what it's been.

Another big kind of unknown new thing is, we've talked about it on the show, is ChatGPT. There was a security breach, actually a couple of them, that were related to ChatGPT. So I actually asked ChatGPT to summarize the security breach that happened.

And really what it looks like happened is that somebody was able to get a Chrome extension into the Chrome app store that was masquerading as a benign interface into the ChatGPT API, but it not only would allow you a connection, it would actually scrape credentials out of your browser, hijack your Facebook account, [00:21:00] then use access to your Facebook account to set up an ad to promote the Chrome extension to keep the cycle going, right? 

And by the way, for those that don't know, ChatGPT is an AI and you can basically ask it anything. And it's pretty crazy. It will even answer in Klingon if you want. It's pretty nuts in terms of all the things it can do, but so many people are using this, I think it's pretty natural people want a Chrome extension for this. 

Matt Radolec: I also think it's natural they'd want malware for this. 

David Gibson: Yeah. And so anyway I thought this was a pretty crazy story and potentially I think a sign of new stuff to come and a new kind of conversation around ChatGPT.

It was followed with an actual breach of the ChatGPT database, at least the subscriber information. There's a free option for ChatGPT, and there's a paid option for ChatGPT, and apparently [00:22:00] ChatGPT uses Redis, which I think is a NoSQL in-memory database or something. Somebody can correct me if I'm wrong on that.

But apparently it uses a Python library, an open source Python library, that there was a bug in that was able to be exploited. And then attackers were able to siphon off subscriber information, payment information, and email addresses, contact, stuff like that as well.

So as more and more people use this and put data there, of course it becomes a target in and of itself, right? 

Matt Radolec: I think about it, even in more basic sense, it's new tech, right? New tech's gonna bring new risks. New tech's gonna bring new vulnerabilities. New tech's gonna bring new sources to attack. 

It's almost like mobile phones or the cloud, AI and the power and the dangers of AI is something that everyone seems to be talking about, right?

David Gibson: Yep. And actually you remind me, speaking of New Tech, right?

They've released a container, a Docker image, to help folks integrate plugins into the API with different software, right? Different ways to integrate it. And [00:23:00] that had a vulnerability too, right? So with any new tech there's all sorts of new stuff that we're learning, and people looking to exploit the new tech.

And I think, when I mentioned the fear, this story where folks are saying, "Hey, we need to pause. This is getting too scary." We've got some big figures in tech saying let's put the brakes on this. That was interesting too.

Matt Radolec: Isn't there a movie series featuring Arnold Schwarzenegger about the worst possible outcome? 

David Gibson: Let me ask Siri, I mean, Skynet, I mean Siri about that. Yeah, I think there was.

You kind of wonder though. I guess I'm curious what people think in the chat whether this is kind of an overreaction to ChatGPT.

Matt Radolec: Yeah. Are we on the road to Skynet with ChatGPT and GPT-4 and the adoption of AI? Is it time to pause? What do you guys think? And this isn't a poll question, we really just want to read your thoughts in the chat. 

David Gibson: Great point Nancy. It's a little bit like, slowing when Pandora's box is opened, it's really hard to put the genie back in the bottle to mix my metaphors.

What are the buggy whip people gonna do [00:24:00] now that we've got cars? It's really hard to stop that.

Matt Radolec: And I think that to Kent, to your point, I don't know that we can just burn it down. I think we're a little bit past that.

David Gibson: The horse is out of the barn. Yep. It's funny, there's lots of cliches around this same concept, aren't there? 

Yeah we did get one comment that said an arms manufacturer in Norway says that the TikTok cat videos are keeping it from making ammunition. So it's an interesting way to weaponize cat pictures.

Matt Radolec: Oh, meow-ware. That is an angle I haven't thought about yet. Maybe that's malware embedded in cute cat stuff. 

I think we could probably wrap things up. A big shout out to you David, I love doing the show with you and to our audience. I really appreciate your guys' attendance and we hope you tune in for our next episode of State of Cybercrime. 

Thanks so much everybody. Thanks, Matt.