State of Cybercrime

Live at Black Hat

Episode Summary

Join Matt Radolec and David Gibson for this episode of the State of Cybercrime, recording from Black Hat 2023, as they cover the latest threats you need to know about. Also be sure to check out our webinar, New SEC Cyber Rules: Action Plan for CISOs and CFOs on Tuesday, August 22 | 12 p.m. ET. Link here: https://info.varonis.com/en/webinar/what-the-new-sec-requirements-mean-for-your-org-2023-08-22

Episode Transcription

[00:00:00]

Matt Radolec: Hi everybody. My name's Matt Radolec. I'm joined today by David Gibson and we are here live in Las Vegas, Nevada for today's episode of State of Cybercrime. Are you excited? What's it like to be here at a conference and have the show live at the booth? 

David Gibson: This is pretty nuts. We usually are from thousands of miles away. Now we're in thousands of, like, micrometers.

Matt Radolec: and I wanna, I feel like, I just want to ask where's everybody watching the show from today? And I think everybody's answer would be the Mandalay Bay convention center in Las [00:01:00] Vegas, Nevada. But with that, let's crack right into it, right? Let's jump, we're gonna go over some of our usual segments today.

We'll start out with is there any good news? 

David Gibson: Lots of good news. 

Matt Radolec: We'll jump on a highway to the danger zone and talk about some threat actors and vulnerabilities that you might be concerned about, should be concerns. We'll cover the most vulnerable vulnerabilities that are top of mind for everybody at the conference today. And then, as always, we'll have some time at the end for q and a. How does that sound? 

David Gibson: I think that sounds great, especially since we're not gonna have anybody to come up and ask us any questions. 

Matt Radolec: Oh, that's right. 

David Gibson: We'll make up some questions. We'll imagine. We'll put ourselves, 

Matt Radolec: we'll put ourselves in the audience's shoes and then we'll ask ourselves, and then we'll give them a free State of Cybercrime decal afterwards, right?

That's right. Something like that. 

Okay. Alright, great. So whenever we kick off the show, we always like this cover good news. In cybersecurity there's all this doom and gloom. Everybody's always worried about the next big thing that's gonna end us all.

A fire sale, a big hack, some data breach. But we often, as practitioners never talk about the [00:02:00] good things that happen. So at the start of the show, we always like to talk about some of the good news in cyber and I think, we have a lot to talk about this week. First and foremost, most of the SEC agrees and has committed to policy to extend what we would call the breach notification requirements.

So this dates back to 2011 when the SEC put out some rough guidance revolving that maybe if something happens, maybe, and it impacts your business, you should maybe report it, but it didn't really stick. 

David Gibson: It's hard to believe that was only about 12 years ago that people started to think, Hey, maybe cybersecurity is important for the functioning of a business.

As we get more dependent on technology collaboration, maybe if somebody has a breach, this could be a problem. And in 2011, it really just started it. 

Matt Radolec: It just started, but it really got accelerated in 2018 with the Equifax breach. 

David Gibson: That's right. 

Matt Radolec: 'cause in Equifax there were longstanding circumstances of all the people and the financial impact, which shot the SEC's attention.

But it was also this case of potential [00:03:00] insider risk and insider trading that really tipped the edge here. 

David Gibson: That's right. It's maybe I shouldn't sell stock. If our companies had a breach, 

Matt Radolec: had a data breach, maybe that's insider trading. 

David Gibson: Potentially the stock could go down. 

Matt Radolec: Fast forward to 2023 billions of dollars getting paid in ransom payments, data breaches happening every day, and the SEC comes out and says, not only do you need to disclose a breach, but you need to disclose a significant cyber event with materiality.

I think the exact words were something like, the economy runs on electronic systems. There's been a huge rise in crime. You need to report it. This is essentially what this updated guidance says, right? 

David Gibson: Yeah. And in fact, it, a lot of people are reporting and they are putting things in their public filings, like their 10-Ks and their 8-Ks, but the standard hasn't really been established.

So people are a little inconsistent in the way that they report their breaches. There was one recent breach where somebody said, we had a cyber security event. I think we're at a [00:04:00] cybersecurity event. What does that mean? 

Matt Radolec: To be clear, when we report this, I don't think this is reportable.

I don't think our CFO, 'cause he actually had a lot to say about this. I imagine that CFOs all over the world at publicly traded companies are scrambling to say, did we, when should we have done this in the past? And what is the threshold for us to meet to do this in the future? 

David Gibson: And not only do you have to have consistency in the way you report a breach, but you also have to show, alright, what is our expertise in cybersecurity? What are the controls we have in place? A little bit more consistency in the annual filings, your 10-K to begin with. 

Matt Radolec: And maybe this is wishful thinking, but I hope this gives CISOs a voice in the board. I hope this is a way for CISOs to connect with CFOs on something other than asking for a bigger budget, but to really focus on the risk to the business and the risk that we might have to report an event.

Now, that's not the only good news though, right? It's not the only news. I feel like we could talk about this all day, almost as much as if we're gonna host a webinar on this very topic with our CFO and our CTO, Brian Vecci.

David Gibson: That's a great idea. Maybe [00:05:00] we should, oh wait, we're already happening. 

Matt Radolec: We are doing that. But enough on the SEC breach notification and all the changes that happened there, talk to me about, LetMeSpy. 

David Gibson: So I wasn't really sure whether this was good news or bad news. It feels like it's in between news, but I think there's some good news from it.

But LetMeSpy was some Android software that let people spy on other people's, on their phones, right? So it was marketed for parents that wanted to make sure their kids weren't doing things that they shouldn't do or organizations maybe keeping tabs on employees, but in reality, a lot of people were putting spyware on people's phones that probably shouldn't have been. So now the people that were installing the malware have been exposed in a breach. But then I also think all of the victims

Matt Radolec: yeah, the people that were victims have since also been MAL and their data so potentially location information, voice information, passcodes, logins, certificates.

I [00:06:00] would say it's good news in the sense that sort of this service is gonna be interrupted and people are finding out a bit, but bad news that there were victims to yet another data breach. 

David Gibson: Yeah. From a privacy perspective, I think we're probably in a better place without this malware. 

Matt Radolec: Another debatable good news versus bad news doesn't really fit in this segment is this OSINT tool, "Illicit Services", incredibly cleverly named, I just gotta say hats off to the creator. The reason that they're shutting their doors is because criminals were using illicit services for, wait for it, wait for it, illicit activity, or illicit services. Oh I missed the opportunity there, David.

Thanks for correcting me on that. What was designed as an open source intelligence tool has mainly been used by criminals to gather intelligence on potential victims and even search through records of data breaches. 

David Gibson: I feel like it, maybe it's a little late to shut the doors on a list of services, but the creator is now shutting it down.

Matt Radolec: I guess it could, it does fit in the good news segment, in the [00:07:00] essence of now that the illicit services are shut down that's good news.

David Gibson: I think so. Although sad for open source in practitioners I guess a little bit, but 

Matt Radolec: I guess that means we gotta jump on the highway to the danger zone, though.

David Gibson: We should 

Matt Radolec: Because there's some stuff we gotta talk about. We've talked about BlackCat/ALPHV for 12 months. 18 months, 16 months.

David Gibson: is that black cat wearing a black hat? 

Matt Radolec: This black cat is wearing a black hat and a monocle, which I noticed you didn't mention, but they now offer to get the data that they're leaking via an API.

David Gibson: Much more convenient. 

Matt Radolec: Yeah. So I guess if you're looking to do mass downloads of data that was stolen by BlackCat, why not use an API versus downloading it over the web? Now it, it brings up questions though. Is it a secure API? 

David Gibson: Can you exploit the API? 

Matt Radolec: Can you exploit the API? Is it exposed via a guest site in the Salesforce community? These are the questions that I'm asking. 

David Gibson: Do they have good configuration management, right? 

Matt Radolec: Someone should talk to them about the security of [00:08:00] the web app hosting the API that's got sensitive data inside of it. 

David Gibson: That's right. And do the BlackCat users install third-party apps that can access the API? 

Matt Radolec: That's right. And that's not the only news that came out. I also think that some security researchers found the loader that was used by BlackCat, and that's one of the ways they've been able to learn a little bit more about how the operation works. So a little bit of good news tied in with the fact that BlackCat/ALPHV is still one of the most prominent ransomware actors, taking out, stealing data, exfiltrating, extorting organizations today. 

David Gibson: And I think might qualify as an additional tool that the ransomware actors are utilizing, which is really shaming their victims. Making it easy for people to, Hey, you got breached. 

Matt Radolec: It's moved much more from ransomware to extortion. Yeah. Like, how can I get you to pay no matter what? You got great backups. Doesn't matter. I already got the data out. 'cause I think, wise words were once said that you can't unbreach data. 

David Gibson: I love those words. 

Matt Radolec: I love those words too. So talk to us about NPO Mash. 

David Gibson: NPO Mash. So this outfit is a Russian outfit that makes [00:09:00] hypersonic missiles. Okay. Like the King's Isles. And they got breached by North Korean actors it looks like. Which may not be that surprising. North Korea wants its missiles too. I know. And so of course there's there's some activity going on that's always gonna happen.

But what's interesting about this breach is the way it was discovered. Apparently the people at NPO Mash that were investigating the breach accidentally posted a bunch of emails on a public site or a site about other breaches unintentionally, that then security researchers found that said, oh my God what happened here?

This company got breached. And how did they, they breached themselves by looking at how this breach happened. So totally unintentionally security researchers discovered that NPO Mash was breached by North Korean actors. But the breach was a mistake.

Matt Radolec: Yeah, and I think when we often think about breaches in general, everybody rushes to threat actors [00:10:00] and insiders, but forgets that I think the DBIR said something like 17% and 20%. We'll have to check the numbers on that, were by mistakes, by IT administrators. Yeah. Not even just mistakes by end users, but specifically misconfigurations created by administrators without understanding the consequences of those actions.

So it just underlines something we always talk about, which is like the basics, right? The basic hygienes, misconfigurations, you gotta be able to tackle that stuff and look for that. 

Now, three episodes running, we've covered MOVEit. 

The story here is MOVEit continues to have long-term impacts.

The zero day was disclosed. A remediation slash mitigation has been available for some months now, but it seems every couple of weeks we add another hundred or 200 victims to the list of people who have been taken advantage of due to this DMZ file transfer zero day vulnerability.

David Gibson: It's 600 victims and counting. And the worst thing about this is the victim that hosts the MOVEit really hosts MOVEit to share data with so many other folks that the victims just expand exponentially. 

Matt Radolec: So the message here stays the same every [00:11:00] single time we've talked to our audience, it's been, if a zero day comes out, fix it.

If a zero day comes out, fix it. 

So talk about what is this ClassWallet permission setting switch. Why is this dangerous? 

David Gibson: So this has been a story I've been following for a couple of weeks now, I think, and new stuff has come out. I think we have a conclusion to the story now, which is the Arizona Department of Homeland Security concluded that an employee was really behind this data leak of student information. So basically there's this application called ClassWallet. Okay. And when somebody wants to get funding or a scholarship or a financial assistance they apply on this system that you know where you can get some financial aid. Now what happened is, due to a misconfiguration, people were able to see other people's applications.

Now these applications can have and 

Matt Radolec: financial records. 

David Gibson: Financial records

Matt Radolec: also sources of income, assets, hardship. 

David Gibson: What kind of, what kind? 

Matt Radolec: Yeah. Why do you deserve [00:12:00] it? 

David Gibson: Yeah, exactly. And so a lot of sensitive information here, and it seems like there's been a lot of politics going back and forth, and there was actually an email to the governor from the superintendent saying, because the governor had said, you need to tell me what you're doing about this breach and what's happening.

And this quote from that letter back to the governor's, Hey, the Homeland Security people are in my office, and you sent them, I, or I thought you would've checked about it. We've had some issues with that and we've also had some resignations based on potentially these employees. So a lot's going on with this.

I think the moral of the story though is we need consistency on breach reporting. The SEC, it's mandating because people are spinning their tails and it does, it's not a good look. 

Matt Radolec: We need, we also need like a cultural shift as practitioners that breaches happen.

Like you're gonna have security events, you're gonna have incidents, you're gonna have breaches. We need a culture around sharing [00:13:00] what happened, how the threat actors made it possible, the zero days or the tools that they used. It's the only way that we as defenders are gonna keep up, right? We could only do so much research and find so much out on our own or in, in the private intel sphere as a community, if we make more noise about that these incidents are happening. Number one, it's gonna drive awareness at board level down that this is something every company faces, but two, it's gonna allow us to potentially try to keep up with attackers. 

David Gibson: Yeah. And hopefully it'll stop some of the noise that happens around these attacks.

Yeah. And we're gonna have more. 

Matt Radolec: Yeah. Let's talk about some vulnerable vulnerabilities. 

David Gibson: Yeah. So there's PaperCut print management software that has a vulnerability in it. And now the Bl00dy ransomware group seems to be taking advantage of that vulnerability, right?

So it, it looks like yet another vulnerability to patch, I'm always worried about, 

Matt Radolec: but also a supply chain vulnerability, right? We're always worried about the inception here. If, this company has hundreds or thousands of customers and they all use this software, and this software has an exploitable [00:14:00] vulnerability, maybe it's sitting in the DMZ, we're just looking at another MOVEit.

David Gibson: It really could be. I think the good news on these is not so much internet facing devices. Okay. But printers are always, I always worry about printers and how often do they get updated? What are they doing, how can you connect on them? And this is a host stinger network that somebody can take over.

Matt Radolec: I wonder, do you think that the ransomware groups are like sitting and waiting for a juicy target like this, like that the Bl00dy group is like, we gotta do this PaperCut thing. This has gotta be us. Do you think that there's like a, do they do stuff like this and talk about it?

David Gibson: I just think there's so much synergy between the ransomware group name and the software name.

Matt Radolec: So now that's not the only vulnerability that you should worry about, especially if you have kids and your kids do stuff like use Discord or Steam or Minecraft. And all these other games. Earlier this month there, there's this large scale remote code execution vulnerability that was found with this BleedingPipe inside of Minecraft that would actually expose a user's token and their API token for Discord, which would then allow you to retrieve [00:15:00] information, pictures, chat messages, and even potentially snoop in on voice conversations that often, I mean that the people that play Minecraft are usually young people, right? These are usually kids. So in a way, this vulnerability is a little bit more dangerous because it could lead to, child exploitation. 

David Gibson: That's right. That's right. And I think you've been known to 

Matt Radolec: I've definitely done a little diamond mining in Minecraft. A little bit of Redstone, a little bit of this, a little bit of that. I wouldn't want to get too much into it on the show today, but I, I know a little bit about Minecraft and Redstone. 

David Gibson: Maybe they were trying to listen in on your, 

Matt Radolec: maybe they were trying to get, yeah, not to totally shift gears, but since the Teixeira leaks where we found out Discord's not so private, not so secure, I've really stopped using it completely.

Switched to other voice over IP known, end-to-end encryption, not all this open API stuff because, Discord's a little dangerous. Could probably have a whole episode just talking about the dangers of using Discord. 

David Gibson: I think this one I'm hoping gets patched if it hasn't already been, just so people's communications can [00:16:00] get safely.

Matt Radolec: And I think that pretty much wraps it up live from the Varonis booth in Las Vegas, Nevada at the Mandalay Bay. Thanks for tuning in to State of Cybercrime. I'm Matt Radolec. This is David Gibson, the man, the myth, the legend behind All Things Varonis. We super appreciate you tuning in today and we hope to see you at the booth here in Vegas.

David Gibson: Thanks so much everybody.