WEBVTT

1
00:00:00.450 --> 00:00:05.010
Mathew Schwartz: What are some of the latest cybercrime threats? Hi, I'm Mathew Schwartz with

2
00:00:05.040 --> 00:00:10.740
Information Security Media Group. And to help me answer that question, I am joined by Raj Samani,

3
00:00:10.830 --> 00:00:16.770
the Chief Scientist at McAfee. Raj, great to see you. Thanks for joining us.

4
00:00:17.280 --> 00:00:19.140
Raj Samani: Hey, no problem. Nice to see you.

5
00:00:20.040 --> 00:00:24.240
Mathew Schwartz: Thank you. So you have a new threat report out, give me some of the highlights,

6
00:00:24.240 --> 00:00:24.960
please.

7
00:00:26.130 --> 00:00:29.700
Raj Samani: Well, so I think one of the big things that we did from the threat report is, you know,

8
00:00:29.700 --> 00:00:35.790
ordinarily, we publish a static document. And, you know, what we realized was, as soon as that's

9
00:00:35.790 --> 00:00:41.550
published, actually, it's quickly out of date. And so I think why this is particularly different this

10
00:00:41.550 --> 00:00:46.230
time around is we've actually released the dashboard. And of course, this threat report looks

11
00:00:46.230 --> 00:00:55.350
at Q1, and particularly the kind of use of COVID as a potential lure. And so, whilst we've seen a

12
00:00:55.350 --> 00:01:00.450
high degree of prevalence, what we wanted to do is provide an interactive map that people kind of

13
00:01:00.450 --> 00:01:04.470
track, looking at these are the most targeted sectors, or these are the most targeted

14
00:01:04.470 --> 00:01:10.860
geographies. And so the report looks at the volume of threats. But not only that, we also do a deeper

15
00:01:10.860 --> 00:01:16.560
dive into some of the emerging trends. And so for example, you know, the use of PowerShell within

16
00:01:16.560 --> 00:01:22.050
malware and I think, like, if you look at the use of PowerShell within living off the land

17
00:01:22.050 --> 00:01:27.870
techniques used by malicious actors, that's understandable. I mean, it's a 689% increase from

18
00:01:28.260 --> 00:01:38.010
Q4 2019. And so it's been a really busy couple of months, not only in terms of prevalence, but I

19
00:01:38.010 --> 00:01:42.720
think predominantly also because you've seen these more capable threat actors as well.

20
00:01:43.920 --> 00:01:48.210
Mathew Schwartz: We keep seeing more advanced threat actors, especially for example, with

21
00:01:48.210 --> 00:01:53.940
ransomware attacks, things like - probably mispronouncing but - LOLBins, for example, these

22
00:01:53.940 --> 00:02:01.050
living off the land malicious binaries that look legit, lateral movement techniques that look legit,

23
00:02:01.290 --> 00:02:07.470
it seems like the state of the art in terms of hacker and, you know, attacker aptitude keeps

24
00:02:07.470 --> 00:02:12.150
improving, it makes it much more difficult for these organizations that get hit to spot that

25
00:02:12.150 --> 00:02:13.380
they've been attacked, I think.

26
00:02:14.200 --> 00:02:19.450
Raj Samani: Well, they've had to get better. Because, I mean, actually, just recently,

27
00:02:19.450 --> 00:02:25.780
we had the four year anniversary of No More Ransom. And, of course, this joined up collective

28
00:02:25.780 --> 00:02:31.540
group of, you know, private sector and public sector organizations can point to the fact that we

29
00:02:31.540 --> 00:02:39.130
prevented $632 million from going into the hands of criminals. And so I actually wouldn't say I'm

30
00:02:39.130 --> 00:02:43.390
happy that they've got better, that's probably the wrong term. But they've had to get better because

31
00:02:43.570 --> 00:02:51.640
we have also improved the way that we have developed free tools, but not only that, like

32
00:02:51.760 --> 00:02:56.770
helped organizations to kind of get around the fact that actually they shouldn't pay ransomware

33
00:02:56.770 --> 00:03:01.930
demands because that only just drives the issue even further, and so, you know, while we celebrate

34
00:03:01.930 --> 00:03:07.510
our successes, we know that there's a lot more work to be done in terms of No More Ransom, but

35
00:03:07.510 --> 00:03:13.870
also making sure that organizations look at the new tools, techniques and procedures being used by

36
00:03:14.170 --> 00:03:19.450
some of these criminal gangs who, by the way, are improving, are getting better, and, you know, no

37
00:03:19.450 --> 00:03:25.240
better kind of cases with, for example, with NetWalker, you know, and we've seen them actually

38
00:03:25.240 --> 00:03:26.200
improve as well.

39
00:03:27.370 --> 00:03:30.850
Mathew Schwartz: Well, though, I think one of the statistics in the report that really speaks to

40
00:03:30.850 --> 00:03:38.560
that is comparing Q4 2019 with Q1 2020. It's the sheer number of publicly disclosed security

41
00:03:38.560 --> 00:03:41.890
incidents, I mean, there's a huge increase there.

42
00:03:43.940 --> 00:03:48.380
Raj Samani: It is, and well, and of course, look, you know, there are the unknown unknowns. And so

43
00:03:48.500 --> 00:03:53.660
that's only what we know. And, like, I don't want to quote Donald Rumsfeld. But like, you know, when

44
00:03:53.660 --> 00:03:57.470
he said there are known knowns, well, these are known knowns. But then of course, we've got known

45
00:03:57.470 --> 00:04:02.150
unknowns and unknown unknowns. All your listeners are going, "What the hell is he talking about

46
00:04:02.150 --> 00:04:07.490
now?" But like that's the world that we live in, in terms of cybersecurity, is we really

47
00:04:07.490 --> 00:04:13.550
don't have the level of transparency to be able to draw kind of overarching conclusions about what's

48
00:04:13.550 --> 00:04:19.550
happening. But what we do know based upon the information that's out there is during lockdown,

49
00:04:19.640 --> 00:04:26.390
cybercrime didn't shut down. It's probably one of the few sectors that actually thrived, as

50
00:04:26.390 --> 00:04:28.430
opposed to say, for example, traditional crime.

51
00:04:31.800 --> 00:04:34.980
Mathew Schwartz: What do you think we're going to be seeing? I don't mean to make you get out a

52
00:04:34.980 --> 00:04:42.600
crystal ball. But as we come through the pandemic, and hopefully get back to more normal, we see more

53
00:04:42.600 --> 00:04:48.180
people in the office, we see less remote administration, for example, do you think there is

54
00:04:48.240 --> 00:04:54.990
a surge of data breaches that organizations have yet to detect potentially, or is it too early to

55
00:04:54.990 --> 00:04:57.930
begin making those sorts of observations?

56
00:04:58.980 --> 00:05:03.420
Raj Samani: Well, you know, one good example to see what's going to happen is, and I kind of

57
00:05:03.420 --> 00:05:10.620
alluded to this earlier, we published the research paper on the NetWalker ransomware. And,

58
00:05:10.650 --> 00:05:14.760
you know, the NetWalker ransomware, it's particularly interesting, because you saw in

59
00:05:14.760 --> 00:05:21.660
March, for example, a real change, you know, it's a sea change in terms of the affiliate schemes,

60
00:05:21.660 --> 00:05:28.140
the hiring, the kind of criminal ecosystem, which basically improved to the point that

61
00:05:28.140 --> 00:05:34.620
actually, you know, at least our assessment, we can determine that they've made millions, certainly

62
00:05:34.620 --> 00:05:41.040
over the last couple of months. And that's very telling, because, you know, hey, you have a group

63
00:05:41.040 --> 00:05:48.300
who would have an email address, and now actually, they've got a TorChat capability, a TorChat window so

64
00:05:48.360 --> 00:05:54.450
criminals can talk to victims and so forth. And so you're seeing investment going in to criminal

65
00:05:54.450 --> 00:06:00.780
enterprises, you're seeing a recruitment capability being increased, so they're going out

66
00:06:00.780 --> 00:06:05.850
and hiring, vetting more capable affiliates. And I think like, in part, you know, you look at

67
00:06:05.850 --> 00:06:11.730
something like Sodinokibi, where that's a great example of how much money you can make by having a

68
00:06:11.730 --> 00:06:17.250
strong ecosystem. And so, you know, if you were to ask me, probably more depressingly, I

69
00:06:17.250 --> 00:06:24.240
would see more criminal groups beginning to improve operations. And actually, you know, like,

70
00:06:24.240 --> 00:06:29.580
like you saw this, like, it was end of 2019 that you saw the advent of leak sites. Now, of course,

71
00:06:29.880 --> 00:06:35.130
that was just one crew. I think there was DoppelPaymer in 2019. And now, everybody else is

72
00:06:35.130 --> 00:06:38.640
jumping on that. And in fact, in some cases, they're even collaborating and working together.

73
00:06:38.640 --> 00:06:45.780
So unfortunately, you know, cybercrime is going to be here. And you know, as organizations begin to

74
00:06:45.780 --> 00:06:50.700
push towards being more digitized, you're going to see adversaries looking to leverage and utilize

75
00:06:50.700 --> 00:06:51.000
that.

76
00:06:53.070 --> 00:06:57.210
Mathew Schwartz: Fantastic. I mean, NetWalker, as you mentioned, is just one of multiple

77
00:06:57.210 --> 00:07:02.640
organizations. Are they leaking data, are they actually training data as well? I think we saw

78
00:07:02.730 --> 00:07:08.790
some attacks where maybe it wasn't clear. But had they joined that sea change, if you will, toward

79
00:07:08.790 --> 00:07:09.690
exfiltration?

80
00:07:10.890 --> 00:07:16.590
Raj Samani: So many groups have, I think my DoppelPaymer were fairly early. But actually, if

81
00:07:16.590 --> 00:07:22.860
you look at the likes of like the riot gang, when you look at the likes of Sodinokibi, or even, like

82
00:07:22.860 --> 00:07:29.070
more recently, like Nemty, you know, you're seeing active investment, active development in

83
00:07:29.340 --> 00:07:35.070
what I would call kind of post-intrusion ransomware cases, and actually, I don't even think

84
00:07:35.070 --> 00:07:41.490
they're called ransomware anymore, because the whole modus operandi of them is getting into the

85
00:07:41.490 --> 00:07:45.270
environment. I mean, that's infiltration and, you know, then there's

86
00:07:45.270 --> 00:07:51.390
exfiltration components and so, is it ransomware anymore, you know, we probably need to change our

87
00:07:51.390 --> 00:07:58.410
categories because this kind of hybrid approach of attacks is, you know, they're a lot broader and

88
00:07:58.410 --> 00:08:01.140
bigger than we've ever kind of imagined in the past, I suspect.

89
00:08:03.360 --> 00:08:08.070
Mathew Schwartz: So don't forget to see the big picture, basically. Now I also wanted to make sure

90
00:08:08.070 --> 00:08:12.780
that we touched on Operation Northstar. Walk me through that, please.

91
00:08:14.160 --> 00:08:18.090
Raj Samani: Yeah, absolutely. So Operation Northstar is, and again, I think like this is a

92
00:08:18.090 --> 00:08:23.310
really key point, which is, you know, often we talk about prevalence, often we say, you know,

93
00:08:23.310 --> 00:08:32.400
689% increase in PowerShell, or, you know, 375 new threats a minute. But Operation Northstar is one

94
00:08:32.400 --> 00:08:38.700
of those more surreptitious techniques that are being used by adversaries to go out and target

95
00:08:38.700 --> 00:08:43.800
specific individuals associated with defense and aerospace. Now, as you know, we don't do

96
00:08:43.800 --> 00:08:50.160
attribution, but certainly the indicators of compromise that are being used would overlap with

97
00:08:50.160 --> 00:08:54.630
previous campaigns that have previously been attributed to Hidden Cobra. Now, in this

98
00:08:54.630 --> 00:08:59.100
particular case, what we're seeing is, you know, specific targeting of

99
00:08:59.100 --> 00:09:05.250
individuals with job offers. And actually, the initial entry vector appears to be, you know,

100
00:09:06.180 --> 00:09:12.780
using bona fide companies with job offers where individuals will potentially open up these

101
00:09:12.780 --> 00:09:18.270
particular messages. But what's really fascinating is that the techniques that they're using in order

102
00:09:18.270 --> 00:09:23.130
to be able to get, you know, the first stage of malware onto an environment is they're leveraging

103
00:09:23.130 --> 00:09:29.880
a new technique called template injection attack. And basically, what the template injection attack

104
00:09:29.880 --> 00:09:35.610
refers to is, you know, as you go out to open up a particular document, as it goes to download this

105
00:09:35.610 --> 00:09:40.680
particular template, then that particular template has macros which are malicious.

106
00:09:40.680 --> 00:09:46.590
And so, you know, this is quite clearly, or I say quite clearly, this appears to be an

107
00:09:46.590 --> 00:09:52.950
espionage campaign. And it appears to be very, very highly targeted. Equally it appears to be

108
00:09:52.950 --> 00:09:58.920
potentially leveraging social networks as a vehicle to be able to trick people, and what's

109
00:09:58.920 --> 00:10:04.830
particularly telling about this is that it kind of goes against everything we discussed early

110
00:10:04.830 --> 00:10:11.460
on, which is, you know, prevalence is the issue, whereby actually hidden amongst all of this noise

111
00:10:11.460 --> 00:10:17.190
of, you know, fake PPE, and so forth, you've got very, very capable threat actors kind of operating

112
00:10:17.190 --> 00:10:23.130
underneath the surface with very low levels of prevalence, but very, very highly targeted.

113
00:10:24.929 --> 00:10:30.299
Mathew Schwartz: One thing I hear from incident responders is if you are a nation state, not that

114
00:10:30.299 --> 00:10:36.719
we're saying that this particular one is, but if you want to stay off the map, use these

115
00:10:36.749 --> 00:10:41.579
common techniques now, things like PowerShell and other tools that are being used by gangs with a

116
00:10:41.579 --> 00:10:46.679
financial impetus to their attacks, it makes it much more difficult to attribute.

117
00:10:48.280 --> 00:10:51.760
Raj Samani: Well, so actually in this case, there's a new technique that, you know, that has

118
00:10:51.760 --> 00:10:56.860
been documented before, but it's not particularly common. And, you know, and again, I think, you

119
00:10:56.860 --> 00:11:01.840
know, like we talked about NetWalker innovating, you know, we've talked about the likes of

120
00:11:01.870 --> 00:11:07.810
DoppelPaymer, you know, innovating with the introduction of a leak site. Now we're

121
00:11:07.810 --> 00:11:13.510
talking about, you know, groups that have indicators that potentially could be nation-state

122
00:11:14.020 --> 00:11:19.900
related, also introducing new techniques to go out and target. And I think, like, the one overriding

123
00:11:19.900 --> 00:11:24.850
thing that we can take from all of this is that the bad guys are innovating, the bad guys are

124
00:11:24.850 --> 00:11:30.520
getting better. And it's important for organizations to, first of all, understand the

125
00:11:30.520 --> 00:11:35.890
campaigns, and so you know, we publish blogs, we publish white papers, we do webinars, but also to

126
00:11:35.890 --> 00:11:40.540
start to hunt in their own environment. And, you know, we've made available on our GitHub

127
00:11:40.540 --> 00:11:47.620
repository YARA rules, we provided free IOCs, but now also we give you a dashboard to be able to

128
00:11:47.620 --> 00:11:52.480
track this, and this is not something that you need to be a McAfee customer for. It is free for you to

129
00:11:52.480 --> 00:11:57.370
be able to access and use, and I think that's, you know, you need to get better at protecting your

130
00:11:57.370 --> 00:12:03.070
environment because the adversaries are getting better. And if you don't keep up with them, then,

131
00:12:03.310 --> 00:12:08.680
you know, we all know what's going to happen, right? You're going to be a statistic on the Q2

132
00:12:08.680 --> 00:12:13.900
threat report in which we say publicly disclosed incidents have gone up again. So that's the kind

133
00:12:13.900 --> 00:12:17.950
of, I guess, the background to what's happening out there in the real world.

134
00:12:18.960 --> 00:12:23.460
Mathew Schwartz: Now, taking all of that in its entirety, I don't mean to just drill them

135
00:12:23.460 --> 00:12:30.120
into one small angle. But when it comes to the template injection attack that you mentioned, in

136
00:12:30.120 --> 00:12:33.600
case anyone's worried about that, whether or not they may or may not be an espionage target.

137
00:12:33.900 --> 00:12:39.360
Anybody could be. How does one defend against that? Is there an easy response besides looking

138
00:12:39.360 --> 00:12:43.230
for the indicators of compromise to the use of the templates in that manner?

139
00:12:43.960 --> 00:12:49.180
Raj Samani: Well, you know, it's a great question. And I guess what I would say and like,

140
00:12:49.180 --> 00:12:54.340
look, I'm gonna sound awful here. The first thing you need to do is like,

141
00:12:54.370 --> 00:12:59.680
first of all, you're already one step ahead, because you're listening to this particular

142
00:12:59.710 --> 00:13:07.240
interview. But number two, just read the document. Like we basically break down the attack in

143
00:13:07.300 --> 00:13:13.840
minute detail, as much as we know. And in that we sit down and we show you how the

144
00:13:13.870 --> 00:13:20.560
initial entry vector occurs, we show you, you know, the telemetry map of targeted victims,

145
00:13:20.770 --> 00:13:25.630
and so like, everything is there for you to be able to understand the way that the attackers

146
00:13:25.630 --> 00:13:30.460
work, and more importantly, ensure that you have protection against it. And I think like, that's

147
00:13:30.460 --> 00:13:35.440
the best thing that you can be doing right now is staying up to speed and like, you know, I'll be

148
00:13:35.440 --> 00:13:39.730
honest, man, I still go to conferences, and I'll speak and I'll ask, have you heard of No More

149
00:13:39.730 --> 00:13:46.930
Ransom, and people still don't even know about it, in our industry, by the way. So I always say that,

150
00:13:46.930 --> 00:13:53.020
you know, information is power. And you've got all of this, and it's not just us, it's you know, our

151
00:13:53.020 --> 00:13:58.120
competitors produce great threat content as well. I was tweeting stuff from one of our competitors

152
00:13:58.120 --> 00:14:03.130
just earlier this week. So it's important for you to be able to see what's happening out there

153
00:14:03.130 --> 00:14:08.410
because the bad guys are getting better. And honestly, if you're not keeping up

154
00:14:08.410 --> 00:14:11.530
to speed with it, then you'll be a statistic.

155
00:14:12.779 --> 00:14:17.609
Mathew Schwartz: That's a great note to end on, keep learning, keep watching the attacks, keep

156
00:14:17.609 --> 00:14:20.999
reading the threat research, keep up, basically.

157
00:14:21.300 --> 00:14:25.920
Raj Samani: And follow Mathew Schwartz, right. You know, that's the key thing. Mat's a great,

158
00:14:25.950 --> 00:14:30.990
honestly, like I say this, but like, you know, you've been on top of a lot of the biggest

159
00:14:30.990 --> 00:14:34.890
campaigns that have been going out there, you've been, you know, getting experts to kind of

160
00:14:34.890 --> 00:14:39.090
contribute to that. So like, find the people to follow and make sure that you read what they

161
00:14:39.090 --> 00:14:41.130
produce. And that's the key part.

162
00:14:42.330 --> 00:14:45.900
Mathew Schwartz: Well, thank you very much. And I will put Raj Samani from McAfee in the same camp.

163
00:14:45.900 --> 00:14:46.770
So thank you, Raj.

164
00:14:46.770 --> 00:14:48.390
Raj Samani: You're welcome.

165
00:14:49.350 --> 00:14:53.640
Mathew Schwartz: I've been talking cybercrime with Raj Samani. I'm Mathew Schwartz with Information

166
00:14:53.640 --> 00:14:57.390
Security Media Group. Thank you very much for joining us.