Risky Business Podcast #772: Salt Typhoon is Truly a National Security Disaster
Release Date: November 27, 2024
Host: Patrick Gray
Guest: Adam Boileau
Introduction & News Overview
In the latest episode of Risky Business, host Patrick Gray and guest Adam Boileau delve into a week’s worth of critical information security news. They kick off the discussion by addressing a correction regarding Jen Easterly's departure from CISA, highlighting the complexities of U.S. political appointments and resignations.
Ransomware Attack on Blue Yonder
The episode quickly shifts focus to a significant ransomware attack targeting Blue Yonder, a multinational company providing supply chain and HR management services. Patrick opens with, “...what do we have here? A major, significant ransomware attack which is affecting a company called Blue Yonder” (02:48). Adam elaborates on the severity, noting the lack of detailed information but emphasizing the widespread impact: “It sounds like, yeah, they have been wrecked... it’s probably bad, we don’t know much” (03:43).
Patrick highlights the operational disruptions faced by Blue Yonder’s clients, such as Starbucks reverting to manual processes for timesheets. The vague updates from Blue Yonder, including phrases like “steady progress” and the absence of a restoration timeline, suggest ongoing negotiations with attackers.
Advanced Persistent Threats: APT28's Wireless Attack Techniques
Adam introduces a report from Andy Greenberg at Wired about APT28's innovative use of Wi-Fi to transition between networks, targeting U.S. entities. Patrick finds the incident intriguing, noting its resemblance to known Red Team engagement strategies: “...it’s not something that you see often in public sort of incident reports” (09:11). Adam concurs, pointing out the sophisticated nature of such attacks and their implications for national security.
Salt Typhoon: A National Security Crisis
The core of the episode centers on the Salt Typhoon incident, described as a national security disaster. Multiple reports from credible sources like The New York Times and The Washington Post indicate that Chinese attackers targeted FBI surveillance data, risking the exposure of sensitive sources. Patrick raises concerns about the antiquated and insecure networking equipment used by telcos, which facilitated the breach: “...these networks are just ancient and they’re not properly secured” (11:38).
Adam shares his extensive experience with telco networks, emphasizing their vulnerability due to outdated infrastructure: “Telco networks are a wonderland for attackers because there is so much super old gear” (13:50). The discussion underscores the urgent need for policymakers to address the security shortcomings of critical infrastructure.
Chinese Espionage and Data Brokering
Patrick discusses a Wired story about Chinese surveillance employees selling access to sensitive data brokers. He reflects on the implications for Western intelligence agencies: “It’s a huge national security issue for China and it’s a vulnerability that the west would do well to take advantage of” (22:31). Adam adds that economic disparities within Chinese intelligence operations make such insider threats particularly exploitable: “...economic disparity of the Chinese surveillance apparatus is a thing that the west could probably take advantage of” (24:03).
Insider Threats: Verizon Employee Sentenced
The podcast touches on the sentencing of Ping Li, a former Verizon employee, for sharing cyber secrets with the Chinese government. Patrick critiques the relatively light sentence: “...four years. Gee, you got off pretty light there, guy” (25:24). The conversation highlights the broader issue of insider threats in intelligence and corporate sectors.
Operation Ironside: Australian Legal Controversies
Patrick narrates Operation Ironside, an investigation involving the FBI and Australian Federal Police distributing fake crime phones. Legal battles ensue over the methods used to intercept communications, leading to the Australian Parliament passing the Surveillance Legislation Confirmation of Application Bill 2024. Adam remarks on Australia’s swift legislative response, “It’s, it seems strange to have a government that is so nimble and responsive” (28:30), showcasing a unique aspect of Australian law enforcement.
Money Laundering via Tether and Cryptocurrency
Joe Cox from 404 Media discusses how Mexican drug cartels utilize Tether, a stablecoin, for money laundering. Patrick explains the process: “...they can have a store of it and then move it along into some launderer who might pay... some of these Mexican money changers will buy tether at a discount” (31:36). Adam is critical of cryptocurrency exchanges' responses, sarcastically noting their claims of blockchain transparency: “...your customers are voting with their illicit dollars right there, buddy” (32:21).
Palo Alto Networks Compromise and Industry Critique
A concerning development involves customer devices from Palo Alto Networks, a leading cybersecurity firm, being compromised. Shadowserver identified thousands of affected devices, though Palo Alto disputes these findings. Patrick expresses frustration: “They’re laughing all the way to the bank. When will the wicked be punished?” (34:35). Adam echoes the sentiment, criticizing Palo Alto’s handling of the breach and its public relations stance: “...Shadow Server is absolutely working in the best interests of the Internet” (35:43).
Qualys Linux Security Research Shoutout
Patrick and Adam take a moment to commend the security researchers at Qualys for their exemplary Linux security research. Adam appreciates the acknowledgment: “Well, I’m glad that they have heard the nice things we’ve had to say...” (38:41), highlighting the importance of collaborative efforts in cybersecurity.
Reuters and Appin Legal Controversy
The podcast addresses a situation where Reporters Without Borders cited Risky Business for an alleged content takedown related to a Reuters article on an Indian spyware firm. Patrick clarifies the circumstances, explaining that legal pressures from a court order led to the removal of their analysis: “...we thought we’d take it down... we just thought we’d take it down” (28:30). The discussion underscores challenges faced by media outlets in reporting under legal constraints.
Social Media Platforms: BlueSky vs. Mastodon
Patrick shares his experience transitioning to BlueSky, praising it for a more positive community compared to X (formerly Twitter). Adam provides his perspective, having moved to Mastodon but cautiously optimistic about BlueSky's environment: “It’s just like old Twitter and, you know, old Twitter had its moments” (44:01). Both hosts express relief at escaping the toxicity prevalent on mainstream platforms.
Sponsor Interview: Tines and Gartner's "SOAR is Dead" Statement
Concluding the episode, Patrick interviews Matt Muller from Tines about Gartner’s provocative statement declaring that SOAR (Security Orchestration, Automation, and Response) is dead. Matt refutes this, arguing that automation is evolving rather than becoming obsolete: “AI isn’t necessarily displacing traditional automation, it’s supplementing it” (47:04). They discuss how Tines integrates AI and Large Language Models (LLMs) to enhance automation capabilities, emphasizing the synergy between deterministic processes and probabilistic AI decision-making.
Matt highlights innovative use cases such as automatic data transformation and intent understanding for routing security requests, demonstrating the practical advancements in security automation: “We actually recently added the capability of turning a workbench conversation into an actual deterministic workflow” (59:24).
Patrick appreciates Tines' approach, envisioning a future where AI-driven automation handles mundane tasks, allowing security professionals to focus on more critical issues: “...the awesome part is seeing the ability to go from like, hey, I have an automation idea to I actually have something that is like validated, tested and in production” (60:05).
Conclusion
Patrick Gray wraps up the episode by reiterating the importance of embracing evolving automation technologies in cybersecurity, while critiquing Gartner's misinterpretation of SOAR's relevance. The discussion offers valuable insights into contemporary security challenges, ranging from ransomware and espionage to the ethical implications of automation in the industry.
Notable Quotes:
- Patrick Gray: “We're talking about a major, significant ransomware attack which is affecting a company called Blue Yonder” (02:48).
- Adam Boileau: “Telco networks are a wonderland for attackers because there is so much super old gear” (13:50).
- Patrick Gray: “They’re laughing all the way to the bank. When will the wicked be punished?” (34:35).
- Matt Muller (Tines): “AI isn’t necessarily displacing traditional automation, it’s supplementing it” (47:04).
- Matt Muller (Tines): “We actually recently added the capability of turning a workbench conversation into an actual deterministic workflow” (59:24).
This comprehensive summary captures the essence of Risky Business episode #772, providing listeners with an in-depth overview of critical security issues discussed by Patrick Gray and Adam Boileau.