State of Cybercrime

Inside China's APT Network

Episode Summary

A new data leak of more than 500 documents published to GitHub reveals the big business behind China’s state-sponsored hacking groups — from top-secret surveillance tools to details of offensive cyber ops carried out on behalf of the Chinese government.

Episode Notes

Join Matt and David for a special State of Cybercrime, which dives into China's espionage campaigns and complex network of resources.  

We’ll also discuss:

- The massive cyberattack on Change Healthcare

- Zyndicate’s successful hack of the Danish government

- Apple Vision Pro’s launch day woes

- Multiple developments in AI risk/regulation

- How LockBit remains active after their servers and domains were seized

- And more! 

Episode Transcription

[00:00:00]

Matt Radolec: Hello everyone. 

Thanks everybody for joining us today. I'm here from my home in Maryland as well. What about you, David? You in Connecticut today?

David Gibson: I sure am. 

Matt Radolec: Looks like we got some people from North Carolina, Parsippany, Colorado Springs. Somebody from Blighty. From Baton Rouge, from Lisbon. Alright, some people from across the ocean. It's awesome to see the audience that we draw for the show.

We're really excited to talk with you today. We have a whole lot to pack into our show today, so we're gonna get right into it. 

We'll [00:01:00] go through our usual segments. We'll cover whether or not there's some good news, which I think that there is. We'll talk about AI and all the happenings related to AI.

We'll jump on the highway to the danger zone and talk to you about a couple of breaches that you should know about. And we'll end with a vulnerability that was actually found by Varonis security researchers, Varonis Threat Labs. As always, we try to make these sessions interactive, hang out with you, our audience, whether it's via the chat and the Q&A.

I even think our producers have some polls in store for you today, so we'll be looking forward to your participation.

Oftentimes in cybersecurity, everything is doom and gloom. Everybody wants to talk about the end is near or the next vulnerability is going to be the one that gets us all, but there are some good things going on. Sometimes the good people get it right, and today is definitely one of those days. I am super, super excited to talk to you about the literal last-minute addition to the show.

We were just putting this in only an hour ago for the good news section, and I'd actually call this the mighty good news [00:02:00] section, if you were asking me, as an executive order from President Biden to protect Americans' sensitive personal information, like their genomic, biometric, personal health, geolocation, financial, or other forms of personally identifiable information, needs all the protections that it can get.

And so what exactly does this represent? President Biden has issued commands to various departments of the government, including the Department of Justice, to issue regulations to protect information, establish greater protections on government data, and set very high security standards to prevent access to American data by countries of concern. 

Now David, I've made it pretty clear, I am pumped up about this, but what does this got you? How do you feel about this? 

David Gibson: I think especially with some of the other stuff that we'll talk about later on in the show about kind of information asymmetry and asymmetrical sharing, this is an interesting take on this and needed. We [00:03:00] need to be very conscious of where the data's going and the direction that it's going in.

And if you share data with an organization or a country that doesn't take care of it, it's like posting it pretty much freely on the internet. So taking some steps to put some consciousness and deliberation on where the data should be going I think is an important step.

Matt Radolec: And they're not the only ones doing some good things in cyberspace, OpenAI is taking some actions to prevent unauthorized use of information as well, but more on the generative information side. They're actively policing those who make queries and try to abuse ChatGPT. And so far, they've actually come out and said that they've removed threat actors from Iran, North Korea, China, and Russia from the platform, while simultaneously making a commitment to continue to police these abusive queriers. I hope that's the right thing that we would call them.

I gotta say, David, for me, it smells a lot like the whack-a-mole game that we play with ransomware actors, [00:04:00] and I wonder how effective removing actors from the platform is going to be. At the same time, though, I'm sure that OpenAI is probably leveraging AI to find people that are abusing their AI, and attempted abuse might only make their detectors even better.

David Gibson: Yeah I think when there's something clearly going on in terms of, and we've talked about this, threat actors are going to get better with AI, right? There's no reason that they won't be able to leverage AI to write better phishing emails, to write better, potentially malware. I think there's already been some proof of concept malware written by AI.

You know, if we can spot them and eliminate that activity, it certainly seems like a good idea. I agree with what you said, though. I think it's going to be hard to stay ahead of people creating new accounts, and using VPNs to masquerade where they're coming in from. It just doesn't seem like it's that hard to get a new account to take advantage of these AIs, and as more of them become available, it's going to get even harder.

Matt Radolec: Yeah, and talking about whack-a-mole: domains go down, bounties [00:05:00] go up. 

Shortly after the recent takedown of LockBit's servers, the State Department is offering a 15 million dollar reward for taking down the LockBit leaders or 5 million for one of their affiliates. Now, when you look at a takedown, they are effective at disruption, but I think it's important that you realize that these established ransomware rings, like a LockBit, ALPHV, and BlackCat, they're about as resilient as cloud service providers.

You knock down their infrastructure, they're up again the next day. And so while it's important for law enforcement to take steps like disruption, because you might be able to interrupt like an important breach that's in progress or even disrupt the actors, disrupt the flow of Bitcoin payments to actors, I'm sitting here and wondering like how much of an effect is this really going to have? And David, maybe you'll be able to tell us. 

David Gibson: Yeah, I think it's clear that they have a pretty good business continuity plan, or disaster recovery. 

There's a report here out of [00:06:00] Sophos that they've spotted the ransomware builder, LockBit's ransomware builder in 30 some new ransomware attacks. Though they do believe it's being used by a different threat actor, if I read that correctly.

These new ransomware attacks, by the way, are exploiting a vulnerability in ScreenConnect, which is a product by ConnectWise. This has been patched. By the way, this is another trend that I think we're seeing, is a day after the security update was released by ConnectWise the exploit was in the wild, right? And it was being used. 

It seems threat actors are reverse engineering the security updates to create a vulnerability, to create, I guess,

Matt Radolec: an exploit 

David Gibson: way to exploit that. Thank you. 

Matt Radolec: Yeah. 

David Gibson: Thank you. An exploit to use that vulnerability very quickly. So if you haven't been patched it's hey, here's an open door.

And by the way, federal agencies have to secure ConnectWise by February 29th because of this authentication bypass flaw. But the other thing I think that's interesting is that Sophos [00:07:00] recognized the ransomware builder because a disgruntled malware developer released it in 2022, and that kind of leads into our next story, I think, right?

Matt Radolec: Yeah, now when we talk about LockBit, the fact that even after this takedown, they're already back, they're apparently working on an upgrade to their ransomware-as-a-service platform. And this makes me wonder things like, what is LockBit NG or LockBit 4.0 going to look like? What extra features will it have?

Will it be disrupted by law enforcement? And something tells me, based on how things are going, we might get a chance to cover that on our next show during the good news segment. But it just brings me back, and we talked a lot about this on the show last year, where we look at these cybercrime operations, and they're becoming more and more enterprise grade.

Versioning is a pretty enterprise thing to do, right? Software platforms having versions, releasing new features, having support, having the resilience that if they get taken down, they can be stood up again really quickly. It's time that people realize that we're not just up against [00:08:00] your kind of backyard cybercriminal.

These are well funded and sophisticated groups, much like we'll talk about at the end of the show today around a particular APT group that had a data leak from China. 

Now so much is happening in AI. I always find myself saying AI Vey, and I know nobody is tired of hearing about it, and we'll cover the good, the bad and the ugly as it's related to AI and our eventual demise to the robot overlords during this segment. 

But first, if you thought that ChatGPT was cool, wait till you start working with Sora. Sora is a generative AI model that creates realistic and imaginative videos from text. They call it text to video.

At release, Sora can create up to one minute videos based on your text prompts. And from what I've seen, the visual quality is absolutely stunning. And for me, it's getting really hard to spot real from fake. And more so than ChatGPT, I'm really worried about how [00:09:00] Sora is going to take us into the depths of this real-or-fake paradigm even farther.

I looked to a testimony that was recently done in Singapore from a senator in Singapore talking about how there were 30 videos that they watched. And 29 of them were made by AI and one was real and they were all featuring the same people. And it was impossible to tell the difference. No one that they showed those videos to could actually spot the real one.

And so this makes me worry: is deepfaking going to become the next layer of cybercrime? 

David Gibson: I'll bet you 25 million that it might. This story blew me away.

Matt Radolec: So what happened in France? 

David Gibson: It was actually a finance worker. Oh, finance worker, sorry. And sorry, it actually was in Hong Kong. But this is why I said 25 million. Apparently this threat actor orchestrated a deepfaked video conference call.

And it was with the CFO and some colleagues, [00:10:00] and it was convincing enough. So that even though he had some initial skepticism when the email inviting him to the conference call came in, he was convinced, okay, my CFO needs me to wire 25 million dollars for this secret project, and I just, I was pretty blown away that we're at that point, right?

And if you take into consideration Sora and the ease with which somebody might be able to create these videos at this point, It's just, what does that mean for authentication? What does that mean for spotting something 

Matt Radolec: that's real? 

Yeah, it's almost like we're going to have to come up with a form of multi-factor authentication, not for logging onto computers, but for validating the content that gets presented to you.

When I think about this CFO example, even, I'm sure, in our dealings at Varonis, we have the infrequent interaction with our CFO, but if the CFO called me and said I needed to do something right now, and it was a video, and it looks like the CFO, and it came in on Zoom, I don't know, I'm probably doing it.

I'm probably trying to [00:11:00] make it happen, because this is something that's pretty important, and so I can't imagine that cybercriminals aren't going to pick up on that and start to use that more and more for abuse. Now, I wonder though, is regulation going to keep up with this, David? 

David Gibson: Yeah and this could probably be in the good news category as well.

With so much AI and so much capability, we need some new laws. And luckily, the EU was able to use ChatGPT to write a whole lot of legislation. No, not really. They actually worked very hard and mainly created a piece of legislation, a comprehensive AI act, to make sure that they took a risk-based approach that considered privacy and other concerns. There are exceptions for military and research models, but looking model by model, trying to figure out whether there's some harm here.

And thank you, Shane, for pointing out "created by AI" in a video, right? That's created by AI, or an image, right? Making sure that we can start to see what's real and what's not more quickly. But some progress [00:12:00] here. I think we talked about it a couple shows ago where AI is powerful.

You look at some of the past powerful things, past powerful technologies, like with space and the moon landing and nuclear weapons, regulation follows because these things need to be thought about a little bit, need to be regulated.

Matt Radolec: Now, AI happenings, good news, not the only things we were going to talk about on the show today. There are a couple of breaches that happened that really make me step back and wonder, are we keeping up with the bad guys? One of those was this nation state hacking GitHub leak. 

We've always known Russia, China, other state actors, they were doing this APT-for-hire thing, but we've never had our hands on a treasure trove of a leak to go through and actually affirm that hypothesis, and this leak from I-Soon, a private Chinese APT-for-hire group, provides really strong insights into how state-sponsored hacking groups work, who their targets are, the tactics, the tools, and the techniques that they use.

And particularly what we saw with I-Soon was they [00:13:00] targeted foreign intelligence officials across the UK and various Asian nations in collaboration with China's Ministry of Public Security and the military, largely by targeting the mobile devices and network access points used by those officials. 

And I got to ask, David, are you that surprised by this? Because I'm not that surprised by this, but when I get into the details, seeing that a foreign government intelligence service has so much going on that they're willing to outsource the surveillance of foreign officials to private security contractors to hack into their phones and their wireless networks, this seems like a big jump from the government doing it to using third parties.

David Gibson: Yeah, I can't say I'm surprised about this. What we've seen, with some of the links and blends with government and private, and some of the other, I think we've seen some signs of that with Russia and it seems to be a trend that the government would be farming out and enlisting the help.

I think the leak was by a disgruntled hacker, essentially, 

Matt Radolec: right? 

Yeah. [00:14:00] It's suspected. Yeah. It's suspected that it was maybe from someone on the inside or that had insider information, just based on how much information was leaked and how much juicy stuff was in there.

David Gibson: Yeah. Well, and also it sounds like the organizations are poaching each other's hackers, and they're working long hours, they're getting disgruntled. It's an interesting ecosystem. What surprised me, I think, was this concept of information asymmetry. And I hadn't really looked at this model: what if the whole game is just to be the black hole for information, for data?

There's no data escaping our country, but everybody's data is coming in. And if you just look at it, it's like the country with the most data wins, right? It's an interesting lens that I hadn't really looked at the whole equation for, but I certainly, and maybe I'm late to that party.

But it's a simple way to look at the problem and all the efforts of just sucking information out wherever there's intellectual property, records [00:15:00] about agents or any kind of intelligence gathering, and I think all the way back to the OPM breach, right?

Where we lost all of that, all the personal records for all the classic, yeah, exactly. 

Matt Radolec: SF-86, very personal for those on this phone call that filled one out around that time, likely. Yeah. Still heard about that one a little bit, David. Now, that's not the only breach, though, that has real world consequences.

Every year, I'm asked by the Varonis public relations team and members of the media to participate in these "What are your predictions for cybercrime in the next year?" pieces, whether it's 2022 or 2023, or this year it was 2024. And every year, time after time, I've said the same thing. Cybercrime and cyberwarfare will increasingly have real world kinetic consequences.

And this is exactly what happened last week with Change Healthcare. Optum, which is a subsidiary of UnitedHealth Group, was targeted by BlackCat. They used these kind of expertly crafted phishing emails that were claimed to be documents that were shared with someone else. They were targeting mid-level senior executives in the company, and their goal was really to deploy ransomware and wreak havoc, and that's exactly what happened.

They even [00:16:00] interrupted the delivery of patient care services with things like prescriptions, the ability to order care, and bill for care, and so here we saw that patients, people, were impacted by a ransomware attack on a healthcare group. And we still don't know what; full recovery hasn't necessarily been established yet.

We don't know the inner workings of what happened or how it happened. Just the consequences that were faced by patients and people that use Optum. 

David Gibson: And it's interesting to see these names like ALPHV and LockBit, and BlackCat persist. We've been doing this show now for several years, I think, and BlackCat was one of the ones that we talked about, probably in 2021 or so.

So still around even with the attention of the FBI and our government agencies. 

Matt Radolec: Yeah, and I think there was one more breach, David. Something to deal with global data center domination that you wanted to talk about. 

David Gibson: Yeah, looks like there are lots of account takeovers happening in Azure.

It's that these threat [00:17:00] actors are targeting multiple kinds of roles in the organization, from executives on down. Doing the account takeovers with fake shared documents where the folks enter their credentials. Once they have the takeover, they create new authentication factors, right?

You know, an authenticator app that you didn't have before. A couple of signs to identify this sort of activity: they all seem to be using Linux-based user agents when they connect. But I think the thing that's interesting about this is the scale and the size and certainly the target. But also what I thought is interesting is, everybody typically, or most people typically, have MFA enabled.

And also with the number-based MFA, I think it's worth talking about how you can't sleep on this stuff, right? Because you can bypass that just with, I believe, a token, right? 

Matt Radolec: We see this cat and mouse game where when it's easier to do the password reuse, the brute force and the password reuse becomes really popular.

When MFA advances like this number schema, what we see [00:18:00] is a shift back to compromised devices, grab credentials, grab tokens, reuse tokens that have already maybe made it past that MFA or don't get reprompted for MFA for so much time or based on geolocation. And so the actors are going to come at you with whatever works.

And it seems like the kind of classic password reuse, MFA fatigue, still working. 

David Gibson: It's cat and mouse. 

Matt Radolec: Yes, and to kind of end out that cat and mouse game, let's talk about a couple of vulnerabilities that Varonis Threat Labs found in Salesforce, specifically in their Apex. So just about every episode, whether it's Dvir or other means, we're always talking about some new finding from Varonis Threat Labs.

This latest one is a series of vulnerabilities in Salesforce's Apex that could lead to Salesforce data leakage or data poisoning or even denial of service. For those of you that are completely foreign to security and Salesforce, think of Apex for Salesforce akin to JavaScript for Java. I'm sure a lot of security researchers and our security researchers do the exact same [00:19:00] thing.

They try various forms of code injection, poisoning, and obviously it's in our efforts to help Salesforce improve their security. So we always share these findings and practice responsible disclosure and things like that. But ultimately, what do these vulnerabilities mean to you if you're running Salesforce? That an actor could use them in order to leak data, corrupt data, or even do denial of service of different functions inside of your Salesforce. 

I'm actually going to ask our producers to drop a link to that blog post in our chat in case anyone in the audience wants to dive in a little bit more. 

And David, we've actually gotten quite a few questions so far in the show today, and I want to take a minute or two. If our audience wants to read more, our producers will drop a link to that blog in the chat.

And let's go through some of the Q&A that came in today. So I got one from, and I hope I pronounce it right. If I don't, you can correct us. It's either Yebez, Jebez, Yebez, Abraham said, I'm curious about this executive order. How is it different from HIPAA?

David Gibson: Yeah, that's a great question. [00:20:00] I feel like this, when I read through, and it came out this morning, right? So I did a quick read-through. It seemed to be, first of all, covering not just a specific kind of information, right? It seemed a little broader in terms of not just healthcare or not just so specific.

But it also targeted the mechanisms that companies use and organizations use to decide whether they should share data deliberately with a third party that may or may not be in another country, like a friendly nation. Really, that's the thing that I thought was something I hadn't seen before, is there are countries of concern that you may not share 

Matt Radolec: Information, 

data, and especially these data elements that are being called out as deserving of these extra protections.

Another really sage comment that we got was from John, which was around, what about offering bounty rewards for information leading to the takedown of these networks, and trying to actually [00:21:00] target paying people that operate the APT networks? Maybe we can convince, and maybe pay more to, the APT operators than the APTs themselves are paying those people.

David Gibson: Yeah. I think enlisting some more help, but in the right way, is usually a good idea. And I'm trying to think of ways that might backfire. And I think there's some wisdom in that "don't hack back," but from an information perspective, if done in the right way, that might make a lot of sense.

Matt Radolec: Yeah, and I think that just about wraps it up for today's episode of State of Cybercrime. This show is made possible by you, our audience. So on behalf of myself and Varonis, we super, super appreciate you being here today.

Any last words, David? 

David Gibson: Just thanks everybody and thanks for the lively comments. It's exciting and fun to read.