Malware metamorphosis: 2024 reflections and 2025 predictions. [Only Malware in the building] — Hacking Humans
Dave Bittner
You're listening to the Cyberwire network, powered by N2K, N2K FM, Maryland radio.
Rick Howard
Home.
Dave Bittner
Of Only Malware in the Building. Well, hello there and welcome back to American Top 40. I'm Casey Kasem, counting down the hits and sharing the stories that bring them to life. Now it's time for one of my favorite parts of the show, our long distance dedication. This week's letter comes to us from Emily in Tulsa, Oklahoma. Emily writes, dear Casey, my boyfriend Jake is the sweetest guy I've ever met. He's thoughtful, kind, and always willing to help out a friend or a stranger for that matter. But, Casey, there's one little problem. Jake can't resist clicking on those links in emails that promise things like free vacations or secret stock tips. I keep telling him, Jake, those emails are trouble. But he says, what's the worst thing that could happen? Well, last month his credit card got maxed out after he clicked on something about a free giveaway. Then last week, his work computer got locked up with something called ransomware. I love Jake, Casey, but his curiosity is putting him and his passwords at risk. Could you play a song to remind him to think before he clicks? It would mean the world to me. Well, Emily, you're not alone. Plenty of folks out there have fallen for the sneaky tricks of cyber scammers. And it sounds like Jake could use a little reminder to pause and ask, is this link legit? So for Jake in Tulsa, here's your long distance dedication. The 1961 hit by the King himself, Elvis Presley. Suspicious Minds. Jake, remember, when it comes to sketchy emails, if it seems too good to be true, it probably is. That was for you, Jake, and everyone else out there clicking without thinking. Stay safe online, folks, and keep your firewalls high and your guard higher. We'll be back with more of the countdown right after this.
Selena Larson
And we're back. Dave, you might be stuck in the 80s every day, but on the threat landscape, we are a little bit more up to date. In modern times, things are changing very quickly, and it's very important to stay on top of our game. So in this episode, we want to look back at some of the sort of things that made us go huh or really surprised us or piqued our interest and showed.
Rick Howard
I think we can say that we went huh when Dave did Casey Kasem as the intro to our thing. And Dave, a wave of nostalgia rolled over me. Okay, as you started that promo, man, that was awesome.
Dave Bittner
We probably don't have time to do the top 40 bits of malware from the past year, but we could certainly hit on some of our favorites. And yes, I spent entirely too much time sitting in my bedroom with an FM transistor radio on, listening to Casey count down the hits.
Rick Howard
Absolutely. Spent too much of my time trying to figure that out. So you and me, and Selena says, what's a radio?
Dave Bittner
Okay, so I know, I was gonna.
Selena Larson
Say, I think I've only heard Casey Kasem on YouTube, so.
Dave Bittner
Okay, well, you know, he's the original voice of Shaggy on Scooby-Doo as well. Absolutely. Maybe you know him better.
Selena Larson
That is a fun fact.
Rick Howard
I didn't know that. Robin on one of the Batman cartoons, right?
Dave Bittner
That's right.
Rick Howard
Okay.
Dave Bittner
That's right.
Rick Howard
There you go.
Dave Bittner
All right, Selena, so lead us in here. How shall we begin?
Selena Larson
Well, you mentioned the reader writing in to talk about ransomware, so that might be a good place to start. It's still a thing. And I think what's really interesting is the expansion of techniques that ransomware threat actors are doing and that they continue to be so profitable. So it's expected to pass 1 billion in ransomware payments this year. It's still a very, very successful enterprise.
Rick Howard
What was it last year? What's the, what's the number threshold for payments?
Selena Larson
I believe actually, according to Chainalysis, last year it also passed 1 billion. So unclear if it's going to be more or less than last year. But I believe we're seeing, we're going to see higher payments. I mean, we've seen quite a lot of money paid in ransomware, big time dollar sign. So it's definitely still a successful enterprise. Although I was talking to Allan Liska and he says he hates calling it an enterprise. Of course, Allan Liska is the ransomware sommelier. He says we give them too much cred when we say it's an enterprise. So the ecosystem, the chaos and criminal underground. But I do think it's interesting too that we're seeing a lot of sort of expansion in techniques. So this is kind of, you know, we want to look back over the last year, but also look forward to what's to come. An interesting story popped up towards the end of the fall where ransomware threat actors were posing as IT support on Microsoft Teams. So this expansion, this use of multi-channel attacks to target organizations, whether it's through social engineering or whether it's to actually deliver various payloads. It's this expansion and growth of the multi-channel attacks that we're going to have to kind of be on guard for.
Dave Bittner
Yeah, you know, I saw a story back in mid-December, I think it was, where one of the security companies was looking back at the numbers of ransomware claims over the year and they were saying that the number of claims in November of 24 was double the average for the rest of the year. So it was something like 600 ransomware claims and the average was, I think, in the 350s or something like that. So you're absolutely right. It's not slowing down. I think one of the things that I think of when I think about ransomware is kind of how normalized it's become. Like it's a standard part of the playbook. And you know, I know Rick, you and I have talked about having a playbook and having, you know, your risk scenario and your appetite for risk and all that kind of thing. And I mean, it's just on the list now. I guess what I'm saying is it's funny to me how normalized ransomware has become as a standard part of the things that every organization has to worry about.
Rick Howard
Well, I want to push back on the numbers a little bit. Right. Because like you said, 600 in a month. And so what is that total for the year, you know, is it 6,000 or whatever? So we did some research about the number of organizations just in the United States last year and it's like 6 million. Okay. So the chances that any organization is going to get hit with ransomware is just small. Right. But when it hits you, okay, it's a black swan event. Right. It could be a company killer. Right. So that goes to how you might think about how to protect yourselves from those kinds of things. Does that jibe with what you're saying, Selena?
Selena Larson
Absolutely. And I think it's important to note too that it's to your point, it could be a business killer. So if you are a small or medium sized business, we've seen it with healthcare organizations having shutdowns linked directly to ransomware attacks or at least played a major factor in organizations having to shut their doors.
Rick Howard
And I keep going to the numbers, right? How many is it tens? Is it hundreds even? That's a small number. Right. So what do you think it is?
Selena Larson
So in terms of the actual impacts, we also rely on open source information in terms of what we're seeing, but certainly based off of information posted to leak sites, what we see in SEC filings here in the United States, it's a lot, unfortunately. I'm interested to see how that number shakes out. Like what Dave was saying, the 600 claims in a month versus 350 overall, what the geographic spread on that is. And oftentimes it's really hard to collect data from a researcher perspective because so many organizations want to keep ransomware quiet. If you're a publicly traded organization, you'll probably submit a filing. It says, you know, we had a security, a cybersecurity incident. Many of those that we see end up being ransomware. They're definitely worded very squirrely sometimes to try and hide.
Dave Bittner
Here's your free year of protection insurance. You know, here's your free year of.
Selena Larson
Yes, yeah, exactly. So unless something comes out via media reporting, sometimes things aren't even posted to leak sites because organizations will pay. Right? So the double extortion tactic only shares publicly if an organization doesn't pay or if the threat actor is particularly mean and just, you know, they paid already, but we're still going to extort them type of thing. So it's hard to get from open source data information about what it looks like overall. So I think there's quite a bit. A few hundred a month, I would say, is probably solid, like you're talking about, Dave, but of course that also. What is the geographic spread of that? Where are we looking at? Is that based on open source reporting or, you know, incident data, things like that? So it's tough to gauge, but just looking at the actual money that these organizations.
Rick Howard
Money's big.
Selena Larson
Are making so much money.
Rick Howard
Well, Dave knows that I am a Malcolm Gladwell fan, right? And over the holidays I read his latest book, Revenge of the Tipping Point. And one of the things he mentions in there is the rule of the few, right? Where we see these problems emerge in the world like ransomware, and we see the headlines and it appears that it's this gigantic problem that there's thousands of attacks every day and we should all just be sticking our heads in the sand and, you know, and running away from the problem. And what, what we were talking about here is that the number of attacks are really small, okay. But they have a large effect on the culture and how we try to, you know, what we do as we devise strategies to try to protect ourselves from those things. So he calls it radically asymmetric distributions. Okay. Of problems. Right. And it's a really interesting idea and I think that's the way it, the way that it is in the cybersecurity community.
Selena Larson
I would say attempts are a lot though, because if you're talking about successful ransomware, the number is probably drastically lower than the attempts to get, you know, ransomware on an organization. Right. So you have like initial access brokers that are conducting super widespread attacks on a daily basis that could impact, you know, tens of thousands of organizations or target tens of thousands of organizations. But if organizations have the right security in place, have defense in depth, are using the right tools and resources to protect themselves, it makes the ransomware or the initial access broker, the ransomware delivery, a lot more difficult. So that kind of ties into these multi-channel attacks. Okay. So it's like, okay, well, you know, if this one delivery method isn't super effective, then let's pivot or expand to see if we can use things like chat apps or Teams or other enterprise software that organizations are using every day to see if we can maybe have more luck.
Rick Howard
So absolutely, whatever that dog's name is, I agree wholeheartedly. Well, this whole discussion though, goes to the point we were talking about before, is what strategies do you use to protect yourselves from this? Because if the chances that you're going to get hit by a ransomware is really small, but if you do get hit by it, it could be a company killer.
Dave Bittner
Right. Okay, but let me jump in there, because does that mean in your planning you think about it in the same way you think about something like a hurricane or a fire or a tornado or a flood? Right. Like natural disasters that are highly unlikely, but if they do happen, as a friend of mine who is in the insurance business said, imagine a Wile E. Coyote smoking hole in the ground. Right? Like that's where it could leave you.
Rick Howard
Well, I mean, that's exactly right. So instead of, especially, and I would say that for most organizations, you know, I'm talking about small to medium to maybe getting close to the Fortune, you know, 5,000 or whatever, the strategy to do in this kind of environment. We're talking about black swan events here. Okay. Things that don't happen very often. Right. So you might not spend a lot of money in prevention because, you know, here at N2K, we're just a little startup. We don't have resources to do all that. Our probably best strategy is resilience. We want to survive the attack, not prevent it. Right. And keep on delivering whatever we're delivering to our customers. And so they don't even notice, even though it's complete chaos on the inside. That might be the strategy that most of us should be pursuing for this kind of thing.
Selena Larson
Yeah, I think on one hand, yes, but on the other hand there are a lot of techniques that are used by ransomware threat actors or initial access brokers enabling ransomware that are used by a number of different threat actors. Right. So it's not just ransomware that you have to think about. Certainly business email compromise is actually more costly than ransomware. If we're talking about, you know, just in scope, I think the IC3 report last year said 3 billion dollars in business email compromise fraud impacting organizations. And you know, they use similar techniques. So you have, you know, if we're talking about the multi-channel attacks, you have them targeting again, potentially Teams, LinkedIn or Messages, things like that. SMS of course, you know, you see a lot of SMS text-based like hey, can you do me a quick favor? And so similar to some of the techniques that they're using there, also you see impersonations or, you know, the registering of various lookalike domains or, you know, sending malicious URLs and attachments. So you have very similar techniques that are used across the landscape. It's just what is the ultimate objective? And I think, yes, obviously being prepared for a when, not if, ransomware attack is certainly a very, very top priority. But also thinking about the tools and resources that you can equip yourself with, whether that is a security product or whether that's just user training. I know a lot of people kind of think about, oh well, maybe user training is, you know, clicking a button and making sure that I know what I'm looking at, but it is very important to equip people with like what do the threats really look like? I mean, what are the social engineering techniques that threat actors are using? 
And this kind of brings up another point too, right, where we have a lot of things like telephone-oriented attack delivery or callback phishing, right, where it's actually talking to someone, a real person pretending to be somebody, to ask them, hey, like call this number, we're gonna invoice you this. And then it starts off a whole different social engineering technique. Or we mentioned before the ClickFix technique where a little pop-up comes up on your computer, it says, hey, this is broken, but here's how you can fix it. So it's trying to also equip people with the knowledge and understanding of the modern threat landscape. I think to be able to play that role if, you know, Rick, to your point, maybe we don't have the availability and resources to invest in a full defense in depth infrastructure from top to bottom. Like many small businesses, we have to think about where do we prioritize, where do we focus our energies and how can we use, you know, potentially even free resources.
Rick Howard
Because, you know, instead of spending money on a really expensive, let's say, firewall. Right. And trying to train, you know, your two guys and a dog in the back room about how to manage that thing, the money might be well, more well spent if you just got good at backups and restores. Right. For a ransomware attack. Right. So. And not, you know, not like most of us, Selena, you know, when we practice, we may do a restore once in a year for a little small segment of our network just to make sure. Right. We're talking about practicing restores every day so that you're so good at it that you don't even hesitate. Okay. You just flip the switch and it happens. All right? And it's my experience. Dave's laughing. Sure, Rick, that's what we're gonna do.
Dave Bittner
No, I'm laughing because actually, earlier this or last year, I wrote a joke that I posted on Mastodon, and it was a made-up conversation between two people and someone said, so have you tested your backups by doing full restores? And the person responded, oh, we don't have time for that. And the first person said, say that again. Say that again. You don't have time for that. But you're gonna, you know, it's that old thing. There's never time to do it right, but there's always time to do it again.
Rick Howard
Mm, that's exactly right.
Dave Bittner
Yeah.
Selena Larson
This is an interesting point too. Right. So in addition to many organizations having their IT be their security team, oftentimes it's the same person wearing multiple hats or the same, you know, team of people wearing multiple hats. Is there going to be a divestment in security teams moving forward? You know, I've seen some, you know, open source reporting about various organizations who have cut back on security or outsourced it or, you know, tried to streamline operations or something. But does that kind of then result in having to figure out how do we reallocate these resources in a way that might not be the best for the organization?
Rick Howard
So the bottom line here for going into 2025 is ransomware payments are up, and the number of attacks is going up too, but it may not be significant enough that everybody has to worry about. Is that the bottom line here?
Selena Larson
I think every organization needs to worry about ransomware still.
Dave Bittner
Unfortunately, you don't want to be the low hanging fruit. Right. I mean that's the thing.
Selena Larson
Yes, absolutely.
Dave Bittner
You don't want to make it easy. You know, it's like you don't want to be living in an oceanfront home in Miami right now with the hurricane on the way.
Selena Larson
Right, that's a good point. Yes. I like being. I have the high ground. Right, right. But you talk about low hanging fruit. This is another topic that we can discuss from 2024 and into 2025: MFA phish kits and MFA phishing and attacker in the middle becoming essentially the standard for a lot of this phishing. Right, where so it used to be if you don't have MFA, that's still obviously, you know, number one go-to, and we've seen unfortunately as a result from data leaks that, you know, non-MFA accounts can be very effectively popped. But certainly again with some phish kits now that we see pretty standard attacker in the middle, like they have adapted to the MFA. So you know, this is kind of like the new reality and that's definitely not changing in 2025.
Rick Howard
When we did our Christmas episode, I walked us through the various kinds of MFA. Right. And so which ones on that list, Selena, are not protecting as much as we thought and which ones are still good?
Selena Larson
So fundamentally, like, MFA is good to have. Like you should have MFA everywhere. Number one, regardless of what MFA it is, it should be everywhere. But you know, things like SMS MFA for example, both for the possibility of interception via mobile devices or MFA phish kits. Certainly even the apps too. Right. Like these attacker in the middle phish kits are going to suck up the tokens as well as the session cookies. So really the best is U2F keys. Right. You know, you mentioned like the YubiKey.
Dave Bittner
A hardware key. An actual hardware key.
Selena Larson
Yes, an actual hardware key. Or. Or just sacrificing blood on your computer so they know it's you. They can run your DNA code.
Dave Bittner
Rick just gets that from slamming his head down on the keyboard in frustration. Every time he tries to write something, he just bam, bam, bam. And there's blood all over the keyboard.
Rick Howard
Or when I don't get upstairs in time to take my nap, my head hits the keyboard pretty hard too.
Selena Larson
That's how he knows it's you. That's your identifier. Yes, yes.
Rick Howard
So we talk about the hard token key, and then the latest development in multi-factor is passkeys, which not everybody's using. So those two are still pretty good, I guess.
Selena Larson
Yeah, yeah. And I think too, like, you know, like a Touch ID or something, you know, where you have, like you said, something that you physically have that can, you know, sign you in is pretty cool. And what I do actually like about things like Face ID or Touch ID or something, it doesn't, like, sort of disrupt you as much as other sorts of logins. So I was a little bit skeptical of Face ID when Apple first launched it, of course, like many people, because I was like, I don't want it storing my facial recognition, and there's times when you definitely want to turn it off, certainly.
Rick Howard
Yeah. 'Cause I'm going to draw the line there on my face, because they have every other piece of information on me, but I'm drawing the line there. Okay.
Selena Larson
I post too many selfies really to complain about that.
Rick Howard
That's a really good point.
Selena Larson
Stay tuned. There's more to come after the break.
Dave Bittner
And now a few thoughts from our sponsors at ThreatLocker. The tactics used by cybercriminals are becoming more and more advanced every day. The shift from a default allow approach to a default deny is more critical than ever. This is where ThreatLocker comes in. Stay tuned for how ThreatLocker allowlisting and Ring Fencing has your back. So let's return to our sponsor, ThreatLocker. ThreatLocker is a zero trust endpoint protection platform that strengthens your infrastructure from the ground up. Where traditional cybersecurity tools require you to create a list of things you don't want to run, ThreatLocker enables you to easily curate an allow list of everything you need in your environment and network and block everything else by default. With ThreatLocker allowlisting and Ring Fencing, you gain a more secure approach to blocking exploits of known and unknown vulnerabilities. ThreatLocker provides zero trust control at the kernel level that enables you to allow everything you need and block everything else, including ransomware. The ThreatLocker Zero Trust endpoint protection platform deploys in a learning mode that analyzes the operations of your company, using machine learning to assist you in developing your allow list for approved applications, what they can do on the endpoint, what can interact with your data, and even east and west network traffic. We thank ThreatLocker for sponsoring our show. And of course we want to thank this week's sponsor, ThreatLocker. Go to ThreatLocker.com/HH and check out their Zero Trust Endpoint Protection platform. That's the words threat and locker with no space, dot com slash HH, where you can request a demo and neutralize the threat of malware running on your devices. Well, let's move on to some other categories then. I mean, we've got passwords, we got ransomware. I mean, what are some of the other sort of top things? 
If you're a business organization and you're looking to minimize your exposure for this coming year, Selena, in your mind, what are some of the best bang for your buck areas that you should focus on?
Selena Larson
So certainly what we've mentioned is, I think, you know, MFA. Really focusing on multi-channel attacks too, I think, is really important. A lot of that though does come down to user training and user education and identification. One thing that I thought was really interesting, actually I'm referencing him again because we literally just talked about this. But when I was talking to Allan Liska, I thought it was really interesting because he talked about, you know, when he goes to, he has his comic books that he creates and sells when he goes to Comic-Con, and he's like, you know, talking about his book that's based on a ransomware insurance investigator. They're like, what's ransomware? And so I think, you know, we have this conception as people that work in security that everyone obviously knows everything and oh gosh, you know, we're so sick of talking about ransomware. It's everywhere. Everyone knows. I mean, my sister has been a victim of ransomware four times. So impacted by it that many times and she still is just like, well, it's a cybersecurity issue that I just have to deal with in my life, you know. And so it's really interesting, and I think a lot of people kind of oftentimes, I think, you know, either scoff at or kind of, you know, oh, does user training actually work? But so much of that is education and it's so important to raise awareness about these new techniques and educate people about this is how it's actually working and why. I love this podcast because we do it in a very fun way. You know, it's not like, oh gosh, this is like boring security training. But we really want to talk about these things and make it understandable from, you know, a sort of general user experience. And so, you know, I think mobile threats are really big. We've seen a very, very big increase in things like crypto job scamming. 
So like pig butchers, they're kind of pivoting to these sort of, oh, can I offer you a job to conduct crypto fraud? We see them targeting mobile and apps across the space. Another really big one I think that's important to be mindful of is the North Korean IT workers infiltrating various businesses. So that's huge. And I actually believe that the U.S. Department of Justice just released information on charging some of the individuals involved with that.
Dave Bittner
14 folks got indicted in a federal court, not that long ago. The odds of them ever seeing justice are low. But it is, you know, the symbolism, I think, is important.
Selena Larson
But that just speaks to, you know, another threat angle that companies really need to be mindful of. And it's not super technical, right? Like, it's not a very super technical, sophisticated attack vector. It's someone getting a job and unfortunately being a spy.
Rick Howard
Well, I'm glad you brought up nation state activity, Selena, because I'm pretty concerned with what the Chinese have been doing the last couple of years. We've been talking about various hacker campaigns like Salt Typhoon, Volt Typhoon, and Flax Typhoon. This is the Chinese government infiltrating critical infrastructure in the US and all over the world. For Salt Typhoon, they've infiltrated the telecommunications infrastructure. Right. Which means they could listen in on everything. It's probably one of the greatest cyber espionage coups we've seen since the OPM hacks a number of years ago. And I'm wondering what you guys are seeing about all that, and can we protect ourselves from that?
Dave Bittner
I wonder if the rate of takedowns has been accelerating. My sense is that it has. Just the amount that I've been reporting on them the past year, talking.
Rick Howard
About law enforcement takedowns, is that law enforcement?
Dave Bittner
And I realize that's not the same thing as espionage. But I guess what I'm saying is the coordinated international effort to take down these folks, to take down infrastructure and to actually arrest people and to extradite them and that sort of thing. It seems to me like those efforts are accelerating and we're seeing more and more of it. It's not an avalanche yet, but I just have a sense that it's getting faster. The espionage thing. I guess I always wonder, because, look, everybody does espionage, right? And we don't hear stateside, we don't hear the reports about what our own government is getting into and what access we have. So while, yeah, I think it's justified for us to be upset about them getting in, and it certainly is, you know, a problem. But what's the real balance? Like, is this tit for tat, are they way behind us or are they way, way ahead of us? I don't have a sense for that.
Selena Larson
I actually saw a very interesting Bluesky post from Ciaran Martin, and he says, you know, who's Ciaran Martin? So Ciaran Martin was the first head of the UK National Cyber Security Centre and now he is a professor at the Blavatnik School at Oxford.
Rick Howard
Easy for you to say.
Selena Larson
I hope I pronounced that correctly. Actually, sorry Ciaran, if I didn't. Side note, I went and visited him recently and got a lovely tour of Oxford and where he works and a very cool bridge. So I have to say 10 out of 10 for Oxford. But he posted a really interesting thing on Bluesky and he said the Volt and Salt Typhoon naming is a disaster, in terms of naming like the typhoons, and it's really hard for non-specialists to tell them apart. And you know, Dave, you mentioned the sort of, oh well, the US is hacking. Well, the way that he described Salt Typhoon is Snowden-style espionage by China against the United States. So I thought that was kind of funny, like putting it in reference to a campaign or capabilities that many of us here in the United States learned about with the Snowden leaks that the US government was conducting. And then he described Volt Typhoon as a direct Chinese military threat to degrade Western infrastructure. So I think, you know, having these two distinct ways of explaining it at a very basic level, like very basic level, but from the telco infrastructure, you know, I think that's, it was really interesting and it hoovered up, I'm sure, a lot of data. People were, you know, notified, certainly politicians were involved and, you know, people working with them. But what I really think is Volt Typhoon in terms of pre-positioning and getting into critical infrastructure. Because there was no indication really of, like, what the objective could be. There was like it could be pre-positioning for a disruptive attack, it could be espionage. But certainly having the ability to potentially do that is a lot. Those are two, like, different types of threats, right? Like I think it's really interesting to see that both in the same year, I feel like, came out and it's like, oh whoa, China be messing with US infrastructure. Like whoa.
Rick Howard
I was listening to David Sanger talk about this. He's a New York Times journalist, covers the cyber beat for the paper, and he's also, by the way, written a Cybersecurity Canon Hall of Fame book called The Perfect Weapon where he outlines nation state cyber activity from about 2010 to 2018. We're talking about the big five, you know, China, Russia, Iran, North Korea and Iran, and even a little bit of the US. Right. Anyway, he was saying we forget, but this is remarkable because here we have the US government telling everybody you should be using encrypted comms in order to protect yourselves from Volt Typhoon. Remember, not 15 years ago they were trying to make sure you couldn't use encrypted comms. Right. So this is a milestone that we should, you know, just stand around and talk to each other about.
Dave Bittner
Yeah, well, and I mean, it's the. Everyone. How many people were saying I told you so when the back door into our telecommunications infrastructure got hit, right? How many people were saying, there's no such thing as an absolutely secure backdoor. If we can get in, they can get in. There you go.
Rick Howard
Well, go ahead, Selena.
Selena Larson
I was gonna say I had a very funny experience that my brother-in-law texted our family group chat being like, should I use Signal? Like, what Signal? After all, like this was a few days ago, you know, so even. And he, yeah, you know, he is pretty technically savvy. But I think it's getting, you know, trickling down to the average user. You know, just people being like, oh, what's Signal? In a way, I think that hasn't happened before. It's really interesting.
Rick Howard
I got that same question from my 85-year-old mother-in-law. You know the. I, I've talked about her on the show before. You know, she slings her iPad around like she's a ninja warrior. Right. And so she asked me, she asked me if she should download Signal and I said sure grandma, go ahead.
Selena Larson
I mean it's good advice. No matter your age, no matter who you're texting. Like that's right. Yeah, yeah, use Signal.
Rick Howard
I think your point is right though, Selena. The more dangerous one is the critical infrastructure one. Is that Volt Typhoon? Is that the name of it? Because that is pre-positioning an ability or a capability that you could actually take down some critical infrastructure stuff if we ever get into a hot mess fight with China. Right. So yeah, that's the one that's probably more scary.
Dave Buettner
Yeah.
Selena Larson
But it has less of an impact on the regular person, I think. So it might just not have perpetuated.
Rick Howard
Unless you turn my power off. Yeah.
Selena Larson
Oh yeah. But the, yeah, but we haven't seen like, you know, there's nothing for the average user to do to prevent this.
Rick Howard
Right, Right.
Selena Larson
There's no Signal for.
Rick Howard
Yeah, wait, I'm gonna stand. I'm gonna stand and look. Ready to the right. Wait, that's what I'm gonna do, though, Right?
Dave Buettner
Well, you know, what's the. What's the cyber equivalent of a duck and cover drill?
Rick Howard
Yeah, no, that's true.
Dave Buettner
All right, well, I tell you what, let's bring it home here. As we're looking towards the new year, to what degree are we optimistic? To what degree are we pessimistic? What do we think are going to be some good things that could happen? What are the things that have us losing sleep?
Selena Larson
I have a good thing. So maybe I'll start with a good thing, and then Rick can bring us down.
Rick Howard
Thanks.
Dave Buettner
It's what he does best. You know, Rick's password is so old, it's hieroglyphic.
Rick Howard
I have it etched right here on my laptop.
Dave Buettner
That's right.
Selena Larson
The second factor is the weighing of your soul. Yes.
Rick Howard
So, yeah, good news. Let's hear it.
Selena Larson
So the good news, I think, Dave, you touched on it, is law enforcement disruption and collaboration between public and private industry. And just seeing globally how many organizations have been participating from a law enforcement perspective in this work. And I think Operation Endgame, which we've talked about previously on the podcast, is the coolest thing to happen in 2024. I am, of course, extremely biased because I track cybercriminal activity and have seen directly the results of that operation have. That the operation had on threat actor activity in the overall landscape. And it's been big. It's been big. You know, cutting off the access to a lot of very important and impactful malware, as well as, you know, arresting people involved in. In. In. It has been huge. And I would say my positive prediction is we are going to see more of this. We've seen it, you know, with the LockBit disruption, Operation Endgame, the multiple botnets disrupted this year, RedLine, you know, another RedLine disruption. And I think that's not going anywhere. If anything, we're going to see more of it.
Rick Howard
I really like that, this whole idea. And yeah, that gives me some optimism, too, because it seems like it was like 2023 when law enforcement and governments decided to take the gloves off. We've always, always been able to do those kinds of things, but we've been afraid to do it for, I don't know, reasons. Okay. But sometime about two years ago, law enforcement said, okay, we're enough with this. We're going to do other things to mitigate these things. So I'm very forward. Yeah, there you go, that's the name.
Dave Buettner
Yeah. I want to be optimistic, and I think that's good news. I think we all sit here day to day and, you know, especially, like, you just wonder, like, what's today's news going to be? What's right? And I guess my position is unusual in that, you know, the first thing I do every day when I come into work is gather up all the bad news to share with the world. Right? It's kind of my thing. And so that can lead you down a path, I think, of a pessimism, and I really try not to be pessimistic or, you know, to let that guide me, but.
Rick Howard
Well, let me help you out with this, because I can bring you down, Dave. I know.
Dave Buettner
Oh, good.
Rick Howard
I know how to do this.
Dave Buettner
Terrific. Excellent.
Rick Howard
Here's a story that happened recently, and it just makes me take a deep breath, okay? And it's about how a company called Character.AI, they offer a service where you can use their chatbots to, you know, have conversations, just like you normally do with ChatGPT or any of you. But human actors or even synthetic actors can be used for them. And they have generic things like CEO or marketing person or whatever. But they also offer a service where they mimic well-known pop culture characters like Game of Thrones or anime and things like that. And the story I read was. And you know, Dave, you. You know, I've talked about Alan Turing over and over again, right? He is my all-time favorite computer science hero. He is famous for lots of things, all right? But one of them is the Turing Test, okay? He's one of the first people to define what it might be to discover an artificial intelligence. And the test is if you put a human behind a screen and a computer behind a screen and a judge in front, and the judge asks them questions. If they. If the judge can't tell the difference, then, for all intents and purposes, the machine is intelligent, okay? And we have passed that threshold in some of these ChatGPT LLM models, right? And that's a long beginning of a story of this, really, downside to the Turing test, which is a teenager last year committed suicide partly because of a relationship he developed with an artificial character from Game of Thrones that talked, at least partially talked him into committing suicide, right? And when they looked at the text transcripts, not only was that conversation going on, but this is, again, a teenage boy. He thought the character was his girlfriend, okay? And they were having sexual conversations, okay? In those chatbots. Now, if you're an adult, you know, who cares? But a teenage boy, teenage girl, maybe that's not appropriate. And that is the dark side. Okay, to passing the Turing test.
Dave Buettner
I saw a similar one where another teenager had been talking to one of these chatbots and was trying to puzzle through what to do with some challenges they were having with their parents. And the chatbot suggested that. That he kill them, as you do. Okay, Right, right, right. Like that was the most logical solution. So, you know, look, it's horrible. It's also, I think it's fair to say, fairly early days with our societies becoming accustomed to this new genie we've let out of the bottle. And we're gonna have to put more guardrails on it. I don't know what that's gonna look like, but it has to happen. We just look at, you know, people's mental health. Not just teenagers, but people's mental health. And there's. I mean, look, there's. There can be good sides too. There are plenty of stories of folks who have had really good outcomes from being able to talk to these, these devices, you know, that they're, they are. They never get tired of listening to you. Right. So they can be good companions. But I don't know. How do you keep track of it?
Selena Larson
I remember. When was this? 2015, maybe. Do you guys remember Tay?
Dave Buettner
Sure. From Microsoft. Tay was epic. Tay, the short-lived era of Tay. We made good fun of Tay on the CyberWire. Tay was just phenomenal.
Selena Larson
I mean, it was an early edition of what we're seeing now. And Tay very quickly became racist, sexist, bad, unfortunately. And I think that that was kind of like a, like a harbinger of what can come if we aren't building in safety and security and process and ethics and mind, mindfully developing a lot of these things. I think my favorite story so far that's not super dark, but is that mushroom foragers were given instructions created by AI to cook poisonous mushrooms, and they reported it to their fellow foragers being like, can you believe this? And then, of course, it went viral and, you know, it was, hopefully nobody died because they cooked poisonous mushrooms. But it's a very good example of not just, you know, the harm to people's, you know, understanding of concepts.
Dave Buettner
Right.
Selena Larson
If we're like, yeah, a lot of these chatbots get facts wrong, and so it sort of can have a misinformation component, but also for mental health and well-being of people. And, you know, maybe on something of a lighter, more hopeful note is maybe 2025 will bring us more of these guardrails and help prevent incidents like that from happening.
Rick Howard
Right, Okay, I will keep my fingers crossed.
Selena Larson
Okay, I. I know, I know.
Dave Buettner
Look, my. My take on it is that you load all of humanity into these machines and you. You hit press the high button on the blender, and what you're going to get out of it is a reflection of who we actually are, not who we aspire to be. Right? So we have this, like, look, I grew up in the 80s, which was, I think, was an era of techno optimism. We thought that the future was going to be amazing, you know, and computers were going to mean that we'd have shorter work weeks, more vacation time. Everything was going to be great, and here we are. Didn't happen. So I think we have to be realistic that these systems reflect who we are. The cold, hard truth of who the we with a capital W. By that, I mean humanity. Global humanity. Who we are, and that we can be mean to each other and we can be racist and we can be sexist and all of those things. So I think it's great. You know, hats off to the people who are building those guardrails, because it can't be easy. And. And nothing is foolproof to a talented fool. There are people out there who are doing their darndest to jailbreak these things, and they're demonstrating success, so.
Rick Howard
Well, I was telling you guys before we started recording, you don't even have to be that smart. I. I went over to Character.AI and. And grabbed one of the Game of Thrones characters, and within three sentences, the conversation got sexual. And it wasn't. I wasn't pushing it. The character was pushing it. So I guess that's that blender function that you were talking about, Dave. That's what they. That character thought I wanted.
Dave Buettner
Well, to be fair, Rick, you are an exceptionally handsome man. So, I think. I mean, who could resist?
Rick Howard
I will keep those checks coming, my friend.
Selena Larson
We'll be right back.
Dave Buettner
All right, with that, why don't we wrap it up for this episode of Only Malware in the Building? Selena, you want to take us out?
Selena Larson
Yes. This was a very fun conversation. I think 2024 really had a lot of big, big, big events that can help us predict what's coming next and hopefully guard ourselves against new threats and the human soup of artificial intelligence. Human soup.
Rick Howard
Wow.
Dave Buettner
Yeah. We call my hot tub.
Selena Larson
That will not be one of your dips, Dave.
Rick Howard
I was going to say, don't be eating dips in the hot tub. Don't be doing that.
Selena Larson
Do not put that in a blender. But yeah. So we'd also love to hear from our listeners. You know, what are you thinking? Coming up next in this. This coming year, both good news and bad news. And hope. Hope and optimism, as well as deep sadness.
Rick Howard
That weighs on my soul. Like you said, Selena.
Selena Larson
Yeah, exactly. Exactly.
Dave Buettner
We laugh so we don't cry.
Rick Howard
Yeah, that's it.
Selena Larson
And that's only malware in the building. Brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital sleuths, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever evolving world of cybersecurity. If you like the show, please share a rating and review in your podcast app. This episode was produced by Liz Stokes. Mixing and sound design by Trey Hester with original music by Elliot Peltzman. Our executive producer is Jennifer Ibin. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilby is our publisher.
Dave Buettner
I'm Dave Buettner.
Rick Howard
And I'm Rick Howard.
Selena Larson
And I'm Selena Larson. Thanks for listening.
Podcast Summary: Hacking Humans – "Malware Metamorphosis: 2024 Reflections and 2025 Predictions"
Release Date: January 7, 2025
Host/Author: N2K Networks
Description: Deception, influence, and social engineering in the world of cybercrime.
In the episode titled "Malware Metamorphosis: 2024 Reflections and 2025 Predictions," hosts Selena Larson, Dave Buettner, and Rick Howard delve deep into the evolving landscape of malware and ransomware. They analyze past trends, current threats, and future predictions, providing listeners with comprehensive insights into cybersecurity challenges and strategies.
The conversation kicks off with an examination of ransomware's persistent prevalence and profitability. Selena highlights the significant financial impact ransomware continues to have on enterprises.
"It's expected to pass 1 billion in ransomware payments this year. It's still very, very successful enterprise."
— Selena Larson [04:44]
Normalization of Ransomware:
Dave notes the troubling normalization of ransomware attacks within organizational risk assessments.
"It's funny to me how normalized ransomware has become as a standard part of the things that every organization has to worry about."
— Dave Buettner [06:23]
Expansion of Techniques:
Selena discusses the diversification of ransomware tactics, including multi-channel attacks and social engineering.
"Ransomware threat actors were posing as IT support on Microsoft Teams... expansion and growth of the multi-channel attacks."
— Selena Larson [05:09]
The hosts delve into the statistics surrounding ransomware payments, debating the reliability and interpretation of available data.
"One security company was looking back at the numbers of ransomware claims over the year... 600 ransomware claims in November compared to an average of 350."
— Dave Buettner [06:23]
Rick counters by contextualizing these numbers against the total number of organizations.
"We did some research... 6 million organizations in the United States last year. The chances that any organization is going to get hit with ransomware is just small."
— Rick Howard [07:31]
Selena emphasizes the shift towards multi-channel attacks, making ransomware delivery more sophisticated and harder to defend against.
"Threat actors are using multi-channel attacks to target organizations... through social engineering or to deliver various payloads."
— Selena Larson [05:09]
Dave's Observation:
Dave concurs, highlighting the increasing frequency and integration of ransomware into standard attack vectors.
"Ransomware has become a standard part of the playbook."
— Dave Buettner [06:23]
The discussion transitions to effective strategies for combating ransomware, balancing prevention and resilience.
Resilience as a Strategy:
Rick advocates for resilience, especially for small to medium-sized businesses with limited resources.
"Our probably best strategy is resilience. We want to survive the attack, not prevent it."
— Rick Howard [13:00]
Backup Practices:
Selena and Rick highlight the importance of robust backup and restore practices over solely investing in expensive firewall solutions.
"Instead of spending money on an expensive firewall... just got good at backups and restores."
— Rick Howard [17:17]
Dave echoes this sentiment, emphasizing the necessity of regular backup testing.
"There's always time to do it again."
— Dave Buettner [18:33]
The hosts discuss the critical role of Multi-Factor Authentication (MFA) in safeguarding against cyber threats, drawing attention to its evolving challenges.
"MFA is good to have. You should have MFA everywhere."
— Selena Larson [20:58]
Vulnerabilities of Traditional MFA:
Selena points out the limitations of SMS-based MFA and the emergence of MFA phishing techniques.
"SMS MFA... susceptible to interception via mobile devices or MFA phishing."
— Selena Larson [20:58]
Advanced Solutions:
The conversation shifts to more secure MFA methods like U2F hardware keys and passkeys.
"The best is U2F keys... an actual hardware key."
— Selena Larson [21:35]
A significant portion of the episode is dedicated to nation-state cyber activities, particularly focusing on Chinese operations like Volt Typhoon and Salt Typhoon.
Understanding the Threats:
Selena explains the differences between the two operations, underscoring their implications for global cybersecurity.
"Salt Typhoon is a Snowden-style espionage by China against the United States... Volt Typhoon as a direct Chinese military threat to degrade western infrastructure."
— Selena Larson [31:33]
Law Enforcement Efforts:
Dave and Rick discuss the accelerated efforts by law enforcement to tackle these sophisticated threats.
"Coordinated international effort to take down these folks... seems to be accelerating."
— Dave Buettner [30:00]
"Operation Endgame... cutting off access to important malware and arresting involved individuals."
— Selena Larson [37:19]
The hosts explore the dual-edged nature of Artificial Intelligence in cybersecurity, addressing both its potentials and pitfalls.
Risks of AI Chatbots:
Rick and Dave share alarming stories about AI-driven chatbots negatively impacting mental health, illustrating the dark side of advanced AI.
"A teenager committed suicide partly because of a relationship he developed with an artificial character from Game of Thrones."
— Rick Howard [41:28]
"Another teenager was advised by a chatbot to kill his parents."
— Dave Buettner [43:52]
Guardrails and Ethics:
Selena emphasizes the necessity of implementing robust ethical guidelines and safety measures to mitigate these risks.
"Maybe 2025 will bring us more of these guardrails to prevent incidents like that."
— Selena Larson [45:14]
Despite the grim landscape, the hosts express optimism grounded in proactive law enforcement actions against cybercriminals.
"Operation Endgame has had a huge impact... cutting off access to impactful malware."
— Selena Larson [37:19]
"Law enforcement is no longer afraid to take decisive action against cyber threats."
— Rick Howard [38:47]
The episode wraps up with a blend of caution and hope, urging organizations to stay informed and resilient while acknowledging the relentless evolution of cyber threats. The hosts encourage listeners to engage with the podcast and share their thoughts on future cybersecurity challenges and solutions.
"We unravel the mysteries of cybersecurity, always keeping the bad guys one step behind."
— Selena Larson [49:20]
Rick Howard [07:31]: "The chances that any organization is going to get hit with ransomware is just small. But when it hits you, it's a black swan event."
Ransomware Continues to Thrive: Despite increased awareness, ransomware remains a lucrative and evolving threat, with payments surpassing past records.
Multi-Channel Attacks are on the Rise: Cybercriminals are diversifying their attack vectors, making defenses more complex and necessitating multi-faceted security strategies.
Resilience over Sole Prevention: Especially for smaller organizations, building resilience through robust backup systems and recovery plans is as crucial as preventive measures.
Advanced MFA Solutions are Essential: Transitioning to more secure authentication methods like U2F hardware keys can significantly reduce the risk of compromised credentials.
Nation-State Cyber Threats Demand Vigilance: Operations like Volt and Salt Typhoon highlight the sophisticated and targeted nature of state-sponsored cyber espionage and sabotage.
AI's Double-Edged Sword: While AI can bolster cybersecurity efforts, it also poses significant risks, particularly concerning mental health and ethical implications.
Optimism through Action: Proactive law enforcement interventions offer hope in mitigating the impact of cyber threats, emphasizing the importance of collaboration between public and private sectors.
As cybersecurity threats continue to evolve, staying informed and adaptable is paramount. This episode of "Hacking Humans" serves as a crucial resource for understanding the current landscape and preparing for future challenges. Listeners are encouraged to implement the discussed strategies and remain vigilant against the ever-changing tactics of cybercriminals.
Produced by Liz Stokes, with mixing and sound design by Trey Hester and original music by Elliot Peltzman. Executive production by Jennifer Ibin, executive editing by Brandon Karpf. Simone Petrella serves as president, and Peter Kilby is the publisher.