[ EDITOR’S NOTE: Security Conversations thanks the following sponsors who generously support the creation and production of our high-signal, low-noise coverage of the cybersecurity industry: Uptycs, Eclypsium and SecurityWeek ]
Was this newsletter forwarded to you? Sign up here! Say hello on Twitter (DMs are open).
Monday blues.
I don’t have much this week. My calendar has been active with a ton of new podcast recordings (see below), new projects to decipher the future of data security (more on that later), and background work preparing for appearances at two upcoming virtual events — SecurityWeek’s threat-intel summit and the RSA Conference.
However, I can’t push out this newsletter without a quick word on this Colonial Pipeline ransomware infection dominating mainstream news headlines and bringing the ransomware epidemic to the front burner for everyone.
I’m not sure what took so long. We’ve seen these cybercriminals target hospitals (hospitals!), universities, city governments and companies big and small. This DarkSide group (see links below) isn’t your run-of-the-mill crimeware operation. This is the work of professionals, most certainly protected by a nation-state, that have wreaked havoc on corporate networks, encrypting all data and extorting victims for massive crypto-currency payments.
They are brazen and ruthless and operate with startling precision, even rummaging through an infected network for documents related to ransomware insurance to determine how much to extort from victims.
An unfortunate side effect of this particular incident is something I tried to flag on Twitter back in March. There are a handful of security news publications that do PR/advertising for the DarkSide ransomware gangs, participating openly in the naming-and-shaming of victims. It may be good for clicks and headlines but I’m not sure it qualifies as journalism to do advertising for dangerous criminal gangs.
While I’m on this track, we need to figure out the nuance of describing ransomware infections as anything from “attacks” and “cybersecurity attacks” to “cyber-destructive” operations. Sure, the real-world collateral damage may reach the threshold for an “attack,” but words matter when government regulators with only a rudimentary understanding of the threat landscape get involved.
Plus, “cyber-cyber-cyber” feeds into the ugly hype and FUD that feeds the security marketing narratives. We could do with less of that.
On to the newsletter.
- The most clicked link from last week’s issue was Ralf-Philipp Weinmann’s slide deck documenting a zero-click hack of a Tesla car from a drone.
🎧 The podcast studio has been humming with new recordings. Check the site for new thought-provoking, long-form conversations with these cybersecurity leaders:
- Collin Greene, engineering director and head of product security, Facebook.
- Retired Googler Justin Schuh, who pioneered some of the earliest security work on the Chrome browser.
- Offensive hardware researcher and embedded security expert Alex Matrosov.
- Charles Nwatu, Security Technology and Risk, Netflix.
Full conversations are available on the SecurityConversations.com home page, and on all major platforms — Apple, Google, Spotify and Amazon.
[ Uptycs sponsor message: Going on the ATT&CK versus FIN7 and Carbanak ]
The most recent MITRE ATT&CK evaluation round focused on the FIN7 and Carbanak threat groups. In this 40-minute on-demand discussion, Security Conversations editor Ryan Naraine finds out how the Uptycs platform not only detects the activity of these groups but also provides the context that analysts need to quickly understand how signals are tied together. Catch the discussion here.
- Dragos CEO Rob Lee on the Colonial Pipeline ransomware attack: “These gangs figure out, here’s a bunch of internet-facing devices, here are vulnerabilities that give us access to them, and here are the IP ranges of a bunch of big industrial companies. Cool, let’s go big game hunting.”
- The U.S. declares emergency after ransomware shuts down oil pipeline that pumps 100 million gallons a day.
- The FBI is officially blaming notorious ransomware-as-a-service criminals DarkSide for the Colonial pipeline hack.
- The DarkSide data-extortion criminals have issued a press release (!) claiming the goal is to make money, and not create problems for society.
- The folks at Digital Shadows have a good primer from last September on the DarkSide operation.
- Kim Zetter’s coverage of the incident is, as usual, top-notch.
- New from the NSA: Potential threat vectors to 5G infrastructure [PDF]
- NIST/CISA has a lengthy document on defending against software supply chain attacks.
- The U.K.’s GCHQ says the APT group responsible for the SolarWinds mega-hack is now using an open-source tool from Bishop Fox to maintain access to certain select victims. The tool is called Sliver and is a legitimate adversary emulation framework used by defenders and red teams.
- A thought-provoking Twitter thread on the forming of a new data privacy stack.
- The Below the Surface report provides a detailed recap of firmware security threats, advisories, research, tools, and education resources.
- Cosign, from Google/Sigstore, simplifies signing and verifying container images, aiming to make signatures invisible infrastructure. There are plans to establish a consumable, introspectable, and secure supply chain for the project.
- eBPF for Windows is a work-in-progress project that allows existing eBPF toolchains and APIs from the Linux ecosystem to be used on top of Windows.
- Shuffle is a general-purpose security automation platform that looks promising.
- DazedAndConfused is a nifty tool to help determine dependency confusion exposure.
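To make the “exposure” in that last item concrete, here is an added Python example (mine, not code from DazedAndConfused or any other project) of the offline half of a dependency-confusion check. It reads a constructed package.json dependency map and a constructed requirements.txt, takes a constructed snapshot of which names exist on the public npm and PyPI registries, and classifies each private dependency: an unscoped private name nobody has claimed publicly is squattable, one that already exists publicly is already resolvable from the wrong source, and an npm scoped name is only safe if the organisation owns the scope. It also flags the pip `--extra-index-url` setting, which merges the public and private indexes and is what lets the higher public version win. The registry snapshot, package names and `acme` organisation are all assumptions for the example; a real check would replace the snapshot with live registry lookups.

```python
"""Offline dependency-confusion exposure check (illustrative example, not a real tool)."""
import re

# --- constructed sample inputs (not real project files or registry data) ---
PACKAGE_JSON_DEPS = {            # the "dependencies" map of a package.json
    "@acme/ui-kit": "^2.1.0",    # scoped, scope owned by the org
    "acme-billing-core": "1.4.2",# unscoped private name
    "lodash": "^4.17.21",        # genuinely public dependency
}
REQUIREMENTS_TXT = """\
# pip resolver consults BOTH indexes when --extra-index-url is used
--extra-index-url https://pypi.internal.acme.example/simple
acme-telemetry==0.9.1
requests==2.25.1
acme-auth-shim
"""
PUBLIC_NPM = {"lodash", "acme-billing-core"}      # snapshot of names existing publicly
PUBLIC_PYPI = {"requests", "acme-auth-shim"}
INTERNAL_NPM = {"@acme/ui-kit", "acme-billing-core"}   # what the org publishes privately
INTERNAL_PYPI = {"acme-telemetry", "acme-auth-shim"}
OWNED_NPM_SCOPES = {"@acme"}

_PEP503 = re.compile(r"[-_.]+")


def normalize(name: str) -> str:
    """PEP 503 normalisation: 'Acme_Auth.Shim' and 'acme-auth-shim' are the same project."""
    return _PEP503.sub("-", name).lower()


def parse_requirements(text: str):
    """Split a requirements.txt into option lines and normalised package names."""
    options, names = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        if line.startswith("-"):                 # --index-url, --extra-index-url, -r, ...
            options.append(line)
            continue
        match = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if match:                                # name before any ==, >=, [extras], ;
            names.append(normalize(match.group(0)))
    return options, names


def classify_unscoped(name, internal_names, public_names):
    """Exposure of an unscoped name that is supposed to resolve to the private registry.

    Returns None for dependencies that are genuinely public (nothing to confuse).
    """
    if name not in internal_names:
        return None
    if name in public_names:
        return "claimed_by_third_party"   # public copy exists; a merged index can pick it
    return "squattable"                   # unclaimed; an attacker can register it


def assess_pypi(requirements_text, internal_names, public_names):
    """Return (uses_extra_index_url, {private name: exposure}) for a requirements file."""
    options, names = parse_requirements(requirements_text)
    internal = {normalize(n) for n in internal_names}
    public = {normalize(n) for n in public_names}
    uses_extra_index = any(o.startswith("--extra-index-url") for o in options)
    exposure = {}
    for name in names:
        status = classify_unscoped(name, internal, public)
        if status:
            exposure[name] = status
    return uses_extra_index, exposure


def assess_npm(deps, internal_names, public_names, owned_scopes):
    """Return {private name: exposure} for a package.json dependency map."""
    exposure = {}
    for name in deps:
        if name.startswith("@"):                 # scoped package: @scope/name
            scope = name.split("/", 1)[0]
            if name in internal_names:
                exposure[name] = "scoped" if scope in owned_scopes else "unowned_scope"
            continue
        status = classify_unscoped(name, internal_names, public_names)
        if status:
            exposure[name] = status
    return exposure


if __name__ == "__main__":
    print("npm:", assess_npm(PACKAGE_JSON_DEPS, INTERNAL_NPM, PUBLIC_NPM, OWNED_NPM_SCOPES))
    flag, pypi_exposure = assess_pypi(REQUIREMENTS_TXT, INTERNAL_PYPI, PUBLIC_PYPI)
    print("pip uses --extra-index-url:", flag)
    print("pypi:", pypi_exposure)
```

The two statuses for unscoped names are deliberately separate: “claimed_by_third_party” is exploitable today if the client merges indexes, while “squattable” is one registration away from the same outcome. Either way the fix is the same: pin to a single private index (`--index-url`, a scoped npm registry mapping) or reserve the public names yourself.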
_ryan
PS: The podcast is available on all platforms (Apple, Google, Spotify and Amazon). As the kids say, like and subscribe, like and subscribe.