Risky Business #767 – SEC Fines Check Point, Mimecast, Avaya, and Unisys Over Hacks
Release Date: October 23, 2024
Host: Patrick Gray
Guest: Adam Boileau
Sponsor Interview: Ryan Kalember, Chief Strategy Officer at Proofpoint
1. SEC Fines Over SolarWinds Hack Cover-Up
Overview:
The episode opens with Patrick Gray and Adam Boileau discussing the Securities and Exchange Commission's (SEC) settled charges against Check Point, Mimecast, Avaya, and Unisys over how each company described its exposure to the SolarWinds (SUNBURST) intrusion to investors.
Key Points:
- SEC's Criticism: The SEC charged the four companies with negligence-based disclosure violations for describing the SolarWinds intrusion in generic or hypothetical terms when they knew the specifics. Penalties were modest (Unisys $4 million, Avaya $1 million, Check Point $995,000, Mimecast $990,000); Unisys was additionally charged with failures in its disclosure controls.
- Downplayed Breaches: Public statements framed the impact as minimal, while the companies' own investigations had found substantial unauthorized access and, in some cases, data exfiltration. The SEC's order cites Avaya referring to a "limited number" of email messages when it already knew the attacker had also accessed files in its cloud file-sharing environment.
Notable Quotes:
- Patrick Gray [01:09]: "The SEC has fined a bunch of companies for essentially covering up the extent of the SolarWinds campaign on them."
- Adam Boileau [01:52]: "The SEC does not take kindly to... making it seem smaller and less than it was."
Insights:
- Transparency in Security Disclosures: The cases were brought under existing anti-fraud and disclosure rules (the conduct predates the SEC's 2023 cyber-incident disclosure rule), so the lesson is that what a disclosure says must match what the incident response team already knows, not merely that a disclosure is filed.
- Implications for Security Vendors: Understating a breach is doubly damaging for companies that sell security products, since the credibility of their own incident handling is part of what customers are buying.
2. Arrests of Anonymous Sudan Leaders Amid Russian Involvement Suspicion
Overview:
Patrick and Adam discuss the DOJ indictment of two Sudanese brothers as the operators of "Anonymous Sudan," and whether it settles the long-running question of the group's Russian connections.
Key Points:
- DOJ Statements: The Department of Justice (DOJ) said it found no Russian nexus, a conclusion questioned by Risky Business newsletter writer Catalin Cimpanu.
- Evidence of Russian Ties: Cimpanu's analysis points to communication patterns, shared infrastructure, and a target selection that consistently aligned with Russian interests.
- Continuing Threats: Following the arrests, a new pro-Kremlin hacktivist group emerged, suggesting the DDoS-for-hire and hacktivist ecosystem around the group is not finished.
Notable Quotes:
- Patrick Gray [02:47]: "Catalin writes... these guys have been rounded up... but there's still a lot pointing to Russia."
- Adam Boileau [06:10]: "Catalin is probably onto something here that... if it quacks enough like a duck, it probably is."
Insights:
- Attribution Challenges: Highlighting the complexities in attributing cyber activities to specific state actors.
- Operational Resilience: The emergence of new groups after arrests underscores the resilience of state-backed cyber operations.
3. Microsoft’s Purview Logging Glitch
Overview:
The hosts discuss a bug in Microsoft's internal log-collection pipeline that caused security logs surfaced through Purview, Sentinel and other products to go missing for about two and a half weeks.
Key Points:
- Bug Introduction: A change to an internal monitoring agent introduced a deadlock in its log-upload path; the agent's upload cache filled up and incoming records were silently dropped rather than queued.
- Impact Duration: Logs from roughly 2 to 19 September 2024 are incomplete, including Entra sign-in and audit events that investigators depend on for identity incidents.
- Technical Challenges: The hosts note how hard it is to change a large distributed logging system without side effects, and that the failure mode (silent loss rather than a visible outage) is the worst one for defenders.
Notable Quotes:
- Adam Boileau [07:50]: "They ended up losing a bunch of logs, including probably most importantly, logs from Entra."
- Patrick Gray [09:23]: "Random, random. A little bit over here, a little bit over there..."
Insights:
- System Complexity: Even the cloud provider's own telemetry pipeline can fail quietly; a fix to one component produced data loss in another.
- Importance of Logging: Teams should not treat provider-side log retention as infallible. Export Entra sign-in and audit logs to a second store you control (for example via diagnostic settings into your SIEM) and alert on unexpected drops in log volume, which is the only way a gap like this is noticed before an incident needs the missing data.
4. Apple’s Ambitious TLS Certificate Renewal Plans
Overview:
Patrick and Adam explore Apple's CA/Browser Forum proposal to cut the maximum lifetime of public TLS certificates from today's 398 days (about 13 months) to 45 days by 2027, with the reuse period for domain-validation evidence shrinking to 10 days.
Key Points:
- Automation Requirement: At 45-day lifetimes a certificate must be reissued roughly every month, which is only workable with automated issuance and renewal (ACME clients, as already used for Let's Encrypt's 90-day certificates) rather than manual CSRs and installs.
- Revocation Infrastructure Issues: Short lifetimes bound how long a mis-issued or compromised certificate stays usable, reducing dependence on CRLs and OCSP, which many clients either do not check or treat as soft-fail.
- Industry Impact: Organizations with long tails of manually managed certificates (appliances, internal load balancers, vendor gear) will have to inventory them and automate or accept outages; renewal becomes a routine operational process rather than an annual event.
Notable Quotes:
- Patrick Gray [10:39]: "You just have to do it programmatically because manually swapping out certs isn't feasible."
- Adam Boileau [11:51]: "Reducing the lifetime of certificates... solves the revocation problem."
Insights:
- Security vs. Practicality: The security gain is real, but so is the cost of every device and workflow that still expects a human to swap certificates.
- Future of Certificate Management: If the CA/B Forum adopts the proposal, automated renewal becomes mandatory in practice across the public web, the same way Google's earlier 90-day proposal signalled the direction.
5. Session Moves Operations to Switzerland Amid Australian Federal Police Visits
Overview:
The encrypted messaging app Session has announced that it is moving its operations to a Swiss entity after the Australian Federal Police (AFP) visited a Session employee at home.
Key Points:
- Privacy Commitment: Session is designed to be metadata-resistant (accounts are identified by a public key rather than a phone number or email) and says it will not build collection of identifying information into the service.
- Operational Relocation: Moving the corporate entity to Switzerland is meant to put it under a friendlier legal regime, though the hosts note it is unclear how much that helps if the people doing the work remain physically in Australia.
- Technical Innovation: Session routes messages through the Oxen Service Node network, its own onion-routing overlay run by community node operators rather than the Tor network, which lets it offer onion routing on mobile without a Tor dependency.
Notable Quotes:
- Patrick Gray [07:50]: "The idea is it's a metadata resistant mobile messaging platform."
- Adam Boileau [19:03]: "They are true believer types. They don't strike me as the sort of crime phone types."
Insights:
- Jurisdictional Challenges: Illustrates the limits of corporate relocation as a defence: jurisdiction attaches to people and infrastructure, not only to the registered company.
- Security Infrastructure: A reminder that "no metadata" only holds if the architecture never had it; a service that collects nothing cannot be compelled to hand it over.
6. Radiant Capital Crypto Platform Theft
Overview:
A theft of roughly US$50 million from the DeFi lending platform Radiant Capital is analyzed, with the focus on how the attackers got past a multi-signature, hardware-wallet-backed signing process that followed accepted best practice.
Key Points:
- Attack Method: Attackers compromised the devices of at least three Radiant core contributors. Malware on those machines altered what the Safe multisig front end displayed, so signers believed they were approving routine operations while their hardware wallets were asked to sign different transactions.
- Bypassing Hardware Wallets: The hardware wallet screen only shows what it always shows for a contract interaction (target address, value, raw calldata), which signers routinely approve without decoding. The malicious requests were made to look like failed transactions needing a retry, which let the attackers quietly collect enough valid signatures to take control of the contracts.
- Security Implications: Multisig and hardware wallets protect the private key, not the signer's understanding of what is being signed; if the workstation lies about the transaction, the key is used correctly for the wrong purpose.
Notable Quotes:
- Adam Boileau [23:41]: "They made a fake user interface that convinced them that they were dealing with their real piece of software."
- Patrick Gray [25:08]: "I thought the point of a hardware wallet is they have a display which will actually tell you what you're doing with the transaction."
Insights:
- Human Factor in Security: The weak point was the trusted workstation and the habit of approving opaque calldata, not the key storage.
- Need for Comprehensive Security: Practical mitigations include decoding calldata on an independent device before signing, treating repeated "failed" signature requests as an incident rather than a glitch, and keeping signing workstations dedicated and isolated from day-to-day development and browsing.
7. North Korean Malware Targets ATM Networks
Overview:
A Linux variant of the North Korean FASTCash malware has been found running on payment switches, where it rewrites transaction responses so that declined ATM withdrawals are returned to the ATM as approved.
Key Points:
- Malware Deployment: The malware injects into the switch's payment process and intercepts ISO 8583 messages in flight; when the issuer declines a withdrawal, the response is rewritten to an approval before it is forwarded back toward the ATM, so the cash is dispensed even though the issuer said no.
- Target Specificity: Only declined transactions in Turkish lira within a fixed amount range were altered, which points to a specific target environment rather than a generic tool.
- Technical Sophistication: FASTCash has been documented since 2018 on AIX and later Windows switches; the Linux port shows continued investment in, and detailed understanding of, the legacy payment-switch software that sits between ATM networks and issuers.
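The check a switch operator would most want from this story is a reconciliation of the issuer's authoritative decision against what the switch actually sent back. The following is an added example (not code from the podcast, from CISA, or from any vendor report). It uses a constructed, deliberately simplified record format (message type followed by '|'-separated DE=value pairs) instead of real ISO 8583 bitmap encoding; the data element numbers follow ISO 8583: DE 4 amount in minor units, DE 37 retrieval reference number, DE 39 response code, DE 49 currency (ISO 4217 numeric). The two sample logs are constructed for the example and are not real transaction data.

```python
"""Reconciliation check for FASTCash-style response tampering on a payment switch.

Added example with a constructed, simplified record format (not real ISO 8583
bitmap encoding). The idea generalises: join the issuer's authoritative
decision to what the switch forwarded, and flag any record whose outcome
changed in transit or that never reached the issuer at all.
"""
from dataclasses import dataclass

APPROVED = "00"
TRY = "949"  # Turkish lira; the reported Linux variant only touched TRY transactions


@dataclass(frozen=True)
class Response:
    mti: str        # message type indicator, "0210" = authorisation response
    rrn: str        # DE 37, retrieval reference number (join key)
    amount: int     # DE 4, minor units
    currency: str   # DE 49, ISO 4217 numeric code
    code: str       # DE 39, response code ("00" approved, "51" insufficient funds)


def parse_record(line: str) -> Response:
    """Parse one simplified record: MTI|DE=value|DE=value|..."""
    mti, *pairs = line.strip().split("|")
    de = dict(p.split("=", 1) for p in pairs)
    return Response(mti, de["37"], int(de["4"]), de["49"], de["39"])


def find_tampered(issuer_lines, switch_lines):
    """Return (rrn, currency, reason) for each forwarded response that disagrees
    with, or has no counterpart in, the issuer's own decision log."""
    issuer = {r.rrn: r for r in map(parse_record, issuer_lines)}
    findings = []
    for fwd in map(parse_record, switch_lines):
        orig = issuer.get(fwd.rrn)
        if orig is None:
            # An approval the issuer never saw: the switch answered on its own.
            if fwd.code == APPROVED:
                findings.append((fwd.rrn, fwd.currency, "approval with no issuer decision"))
        elif orig.code != fwd.code:
            findings.append((fwd.rrn, fwd.currency, f"DE39 rewritten {orig.code}->{fwd.code}"))
        elif (orig.amount, orig.currency) != (fwd.amount, fwd.currency):
            findings.append((fwd.rrn, fwd.currency, "amount or currency altered in transit"))
    return findings


# Constructed sample. Issuer host: what it actually decided.
ISSUER_LOG = [
    "0210|37=000000000001|4=000001500000|49=949|39=00",
    "0210|37=000000000002|4=000002000000|49=949|39=51",
    "0210|37=000000000003|4=000000050000|49=840|39=51",
]
# Switch egress: what went back toward the ATM. RRN ...0002 was declined (51)
# by the issuer but forwarded as approved; ...0004 never reached the issuer.
SWITCH_LOG = [
    "0210|37=000000000001|4=000001500000|49=949|39=00",
    "0210|37=000000000002|4=000002000000|49=949|39=00",
    "0210|37=000000000003|4=000000050000|49=840|39=51",
    "0210|37=000000000004|4=000001800000|49=949|39=00",
]

if __name__ == "__main__":
    for rrn, ccy, why in find_tampered(ISSUER_LOG, SWITCH_LOG):
        print(f"{rrn} ({ccy}): {why}")
```

In production the issuer-side log has to come from a host the switch cannot write to (the issuer or an HSM-backed authorisation log), otherwise malware on the switch can rewrite both sides; the join on DE 37 is the same.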
Notable Quotes:
- Adam Boileau [26:35]: "I gotta hand it to the North Koreans for actually going through the process of doing."
- Patrick Gray [28:13]: "I mean, you read this and you're like, wow, you actually really did the R and D here."
Insights:
- Legacy System Vulnerabilities: Payment switches are long-lived, rarely patched systems that sit in a privileged position in the transaction path; monitoring them for process injection and reconciling issuer decisions against switch output are the practical controls.
- State-Sponsored Cybercrime: Demonstrates the lengths to which North Korean operators will go to fund the regime, including multi-year engineering effort against niche financial infrastructure.
8. Arrest of Brazilian Cybercriminal 'usdod'
Overview:
A 33-year-old Brazilian man suspected of being the cybercriminal 'usdod' was arrested by Brazil's Federal Police over a string of breaches, including the FBI's InfraGard partnership portal.
Key Points:
- Known Breaches: usdod claimed the 2022 InfraGard breach, in which contact details of more than 80,000 members were offered for sale, and the 2024 National Public Data breach.
- Doxxing Admission: After being doxxed earlier in the year, the suspect publicly admitted to being usdod and said he was ready to accept the consequences.
- Legal Consequences: The hosts note that youth is sometimes offered as mitigation in these cases, but at 33 that argument does not apply; the consensus is that he should face punishment.
Notable Quotes:
- usdod, as quoted by Brian Krebs [30:52]: "I'm a human like everyone else. It's time to take responsibility."
- Patrick Gray [31:34]: "I would have a little bit more sympathy if he was like, you know, 18 now."
Insights:
- Psychology of Cybercriminals: Offers a glimpse into the mindset of high-profile cybercriminals and the personal repercussions of their actions.
- Law Enforcement Impact: Underlines the efforts and challenges law enforcement faces in tracking and apprehending sophisticated cybercriminals.
9. SEC Twitter Account Takeover via SIM Swap
Overview:
A SIM-swap attack in January 2024 gave attackers control of the phone number tied to the SEC's official X (Twitter) account, which was then used to post a false announcement that spot Bitcoin ETFs had been approved.
Key Points:
- Attack Execution: Eric Council Jr. used a fake ID at a carrier store to have the victim's number moved to a SIM he controlled, then bought an iPhone at an Apple Store to activate it; his co-conspirators used the number to receive the account-reset codes.
- False Announcement: The hijacked account posted a credible-looking approval notice, moving the Bitcoin price until the SEC disavowed it.
- Intelligence Gathering: The conspirators had the victim's personal details in advance and paid Council in Bitcoin for the swap; his later searches, cited in the charging documents, included asking whether he was under FBI investigation.
Notable Quotes:
- Adam Boileau [33:13]: "He walked into the phone store and did the SIM swap... got caught on the cameras yet again."
- Patrick Gray [34:18]: "Google doesn't always have the answers, folks."
Insights:
- Vulnerability of High-Value Targets: Accounts that fall back to SMS for recovery are only as strong as the carrier's retail staff; the SEC's account had also had multi-factor authentication switched off months earlier at staff request, leaving the phone number as the gate.
- Need for Enhanced Security Measures: Use phishing-resistant MFA on high-profile accounts, and audit the recovery paths (phone number, email) so they cannot downgrade the account to something a SIM swap defeats.
10. Veeam Backup Software Vulnerabilities Exploited by Ransomware
Overview:
Veeam Backup & Replication, a widely deployed enterprise backup product, has a critical vulnerability (CVE-2024-40711, CVSS 9.8) that ransomware groups are actively exploiting.
Key Points:
- Nature of the Vulnerability: Unauthenticated remote code execution via unsafe deserialization in the Veeam Backup & Replication server (not the endpoint agents); fixed in version 12.2.
- Ransomware Exploitation: Sophos has observed Akira and Fog affiliates using it, typically after initial access through VPNs without MFA, to create local administrator accounts on the backup server and then reach the backups themselves.
- Strategic Implications: The product that exists to make ransomware survivable becomes the entry point that destroys the backups, and a backup server naturally holds credentials for everything it protects.
Notable Quotes:
- Adam Boileau [35:24]: "You can't win. One of the reasons you want comprehensive backups... and now ransomware crews are using it."
- Patrick Gray [37:12]: "It's like you can't win."
Insights:
- Security of Backup Systems: Treat the backup server as tier-0: patch it promptly, keep it off the general domain, expose it only to administrative networks, and keep at least one immutable or offline copy that the server's own credentials cannot delete.
- Defense in Depth: Reinforces the necessity for layered security strategies to protect critical systems against multifaceted cyber threats.
11. Fortinet Vulnerabilities and Exploits
Overview:
A critical FortiManager vulnerability (CVE-2024-47575, a missing-authentication flaw in the fgfmd device-management daemon) is being exploited in the wild, and Fortinet's handling of the disclosure has drawn criticism.
Key Points:
- Vulnerability Details: The FGFM management protocol authenticates devices with a certificate that every FortiGate carries. An attacker who extracts one from any FortiGate can register a rogue device with an exposed FortiManager and then run commands on it, typically to pull the configurations of every managed device.
- Exploitation Mechanics: Mandiant reported rogue registrations using misleading hostnames such as "localhost", followed by bulk exfiltration of managed-device configs. Fortinet's interim workarounds include `set fgfm-deny-unknown enable` under `config system global`, which refuses devices with unknown serial numbers, and local-in policies restricting which source addresses may reach the FGFM service.
- Vendor Response: Fortinet notified some customers privately and published its advisory only after reports of exploitation circulated; the hosts read its public messaging as minimising its own responsibility.
Notable Quotes:
- Adam Boileau [40:36]: "Fortinet are just kind of weaselly about their communication... shoddy engineering."
- Patrick Gray [41:34]: "It's just more Fortinet drama. Just an interesting one here."
Insights:
- Vendor Accountability: Highlights the critical role of timely and transparent communication from vendors when vulnerabilities are discovered.
- Security of Network Infrastructure: A management plane that holds the configs and credentials of every firewall should never be reachable from the internet, and the device-enrolment path deserves the same scrutiny as the admin interface.
12. ESET Brand Abuse Targeting Israeli Organizations
Overview:
Attackers used ESET's Israeli partner's branding and mail domain to target Israeli organizations, tricking recipients into installing malicious software presented as a legitimate ESET security tool.
Key Points:
- Attack Method: Emails sent from the partner's eset.co.il domain warned recipients that government-backed attackers were targeting them and offered an "advanced threat defense" download; the attached password-protected ZIP contained an installer that was reportedly a wiper.
- ESET's Response: ESET stated that its own systems were not compromised, attributed the mailing to an incident at its Israeli partner, and said the campaign was blocked within minutes.
- Detection Challenges: Because the mail came from a genuine vendor domain and the archive was encrypted, neither reputation checks nor gateway scanning had much to work with; the user was handed the password and told to click through the warnings.
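The one property of this lure that a mail gateway can still act on without the password is that the archive is encrypted: the encryption bit lives in the ZIP central directory in cleartext. The following is an added example (not code from the podcast, ESET, or Proofpoint) of a policy check that reads only the central directory and flags encrypted entries and executables. The sample archive is constructed in the block; the list of "executable" extensions is an assumption for the example, and the encryption flag is set on the metadata only, to mimic what a password-protected archive looks like to such a check.

```python
"""Flag mail attachments that are password-protected ZIPs or carry executables.

Added example using only the standard library. The gateway cannot inspect
encrypted entries, which is why lures ship the password in the email body;
the encryption bit is nevertheless visible in the central directory, so the
archive can be quarantined on that basis alone.
"""
import io
import os
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end-of-central-directory record signature
CDH_SIG = b"PK\x01\x02"    # central-directory file header signature
FLAG_ENCRYPTED = 0x0001    # general-purpose bit 0: entry is encrypted
# Extensions treated as directly executable (assumption for this example).
EXEC_EXT = {".exe", ".scr", ".dll", ".msi", ".js", ".jse", ".vbs", ".wsf",
            ".hta", ".bat", ".cmd", ".ps1", ".lnk"}


def central_directory(data: bytes):
    """Yield (name, flags) for each entry, reading only the central directory."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD layout: sig(4) disk(2) cd_disk(2) entries_here(2) entries_total(2)
    #              cd_size(4) cd_offset(4) comment_len(2)
    n_entries, _cd_size, cd_offset = struct.unpack_from("<HII", data, eocd + 10)
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError("corrupt central directory")
        (flags,) = struct.unpack_from("<H", data, pos + 8)          # general-purpose bit flag
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", data, pos + 28)
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        yield name, flags
        pos += 46 + name_len + extra_len + comment_len


def assess_attachment(data: bytes) -> list:
    """Return the reasons to quarantine this archive; an empty list means none."""
    reasons = []
    for name, flags in central_directory(data):
        if flags & FLAG_ENCRYPTED:
            reasons.append(f"{name}: encrypted entry, content not scannable")
        if os.path.splitext(name)[1].lower() in EXEC_EXT:
            reasons.append(f"{name}: executable inside archive")
    return reasons


def build_sample_zip(with_payload: bool) -> bytes:
    """Constructed sample archive. The encryption bit is set on the
    central-directory entry after writing, so the metadata looks like a
    password-protected archive without needing an encrypting zip library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("readme.txt", "Run the installer to enable Advanced Threat Defense.")
        if with_payload:
            zf.writestr("Setup.exe", b"MZ" + b"\0" * 62)
            zf.getinfo("Setup.exe").flag_bits |= FLAG_ENCRYPTED
    return buf.getvalue()


if __name__ == "__main__":
    for verdict in assess_attachment(build_sample_zip(True)):
        print("quarantine:", verdict)
```

Reading the central directory rather than the local file headers matters: the central directory is what extractors trust for the entry list, and it is where a mismatched or padded local header cannot hide an entry from the check.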
Notable Quotes:
- Adam Boileau [42:40]: "We’ve seen government-backed attackers trying to compromise your stuff... Attach a ZIP file with a password."
- Patrick Gray [43:14]: "Here's the password and just click through the warnings."
Insights:
- Trust Exploitation: Attackers borrowed a security vendor's own brand and mail infrastructure, so the usual advice to "check the sender" would have passed the lure.
- Importance of Verification: Treat any unsolicited "install this to protect yourself" message as suspect regardless of sender, and block or quarantine password-protected archives at the gateway rather than trusting the user to decline them.
13. North Korean IT Workers Threaten Data Release for Ransom
Overview:
Secureworks reports that some North Korean IT workers, after being fired once their identities were discovered, have exfiltrated proprietary data and demanded ransom payments not to release it, adding extortion to what had been a salary-fraud scheme.
Key Points:
- Insider Threats: The workers already had legitimate developer access, so the data was in hand before termination; the ransom demand simply monetises access that was never revoked in time.
- Technical and Organizational Implications: The scheme relies on weak hiring verification and on contractors being given broad repository and cloud access on day one.
- Criminal Innovation: North Korean groups keep finding new ways to monetise the same placement, moving from collecting salaries to extorting the employer with its own source code.
Notable Quotes:
- Adam Boileau [44:46]: "The North Koreans are pretty good at innovating crime."
- Patrick Gray [45:36]: "Game is game, right?"
Insights:
- Monetization of Insider Access: Highlights the risk from contractors who combine access with motive, and the value of scoping remote developers' access to what the job needs.
- Adaptability of Threat Actors: Emphasizes the need for identity verification at hiring, least-privilege access for remote contractors, and an insider-threat process that pulls access before, not after, an awkward conversation.
14. Sponsor Interview: Ryan Kalember on the SocGholish Malware Campaign
Overview:
The episode concludes with an in-depth discussion with Ryan Kalember from Proofpoint about SocGholish (the fake-browser-update operation Proofpoint tracks as TA569), currently the top threat by volume in Proofpoint's data.
Key Points:
- Campaign Characteristics: Injects JavaScript into compromised legitimate websites and, through a traffic-distribution layer, serves fake browser-update prompts to selected visitors, with malvertising as a further source of traffic.
- Evasion Techniques: The injected code inspects browser cookies and system details and delivers the payload only to visitors that look like real, first-time targets, so sandboxes and repeat visits see nothing and detection rates stay low.
- Proofpoint's Response: A browser extension that instruments the page as the user sees it, aiming to detect and block the malicious prompt at the point where it is rendered rather than relying on the network or mail gateway.
Notable Quotes:
- Ryan Kalember [48:08]: "They can look at cookies that are there in the browser and be extremely selective."
- Patrick Gray [51:13]: "What if it comes in via LinkedIn or Teams?"
Insights:
- Advanced Evasion Strategies: Demonstrates how web-delivered malware uses client-side fingerprinting to show analysts and sandboxes a clean page while delivering the payload only to chosen victims.
- Defense in Depth: Reinforces the need for multiple layers, including network-based detection, browser instrumentation, and host-level defences, since delivery through LinkedIn, Teams or a compromised site bypasses the mail gateway entirely.
Conclusion
In this episode of Risky Business, Patrick Gray and Adam Boileau covered a wide range of pressing information security topics, from regulatory fines and sophisticated cyberattacks to actively exploited vulnerabilities in widely deployed software. The discussions underscored the ever-evolving landscape of cybersecurity threats and the imperative for organizations to adopt robust, multi-layered defence strategies. The sponsor segment with Ryan Kalember emphasized the importance of detection at the browser itself in combating web-delivered malware campaigns like SocGholish.
Key Takeaways:
- Transparency and Compliance: Companies must maintain honesty in breach disclosures to comply with regulatory standards and preserve trust.
- State-Sponsored Threats: Ongoing state-backed cybercriminal activities necessitate enhanced vigilance and adaptive security measures.
- Security Infrastructure Resilience: Protecting critical infrastructure, such as backup systems and network management tools, is paramount.
- Evolving Attack Techniques: As attackers refine their methods, organizations must continuously update and diversify their defense mechanisms.
Big thanks to Adam Boileau for his insightful analysis of the week's security news and to Ryan Kalember from Proofpoint for shedding light on the SocGholish malware campaign.
Stay tuned for next week's episode of Risky Business, where we continue to dissect and discuss the latest in information security.
