Proof of Concept: Crypto - A New National Security ThreatAlso: First Anniversary of Colonial Pipeline Attack; CISA's Vulnerability Alert
In the latest "Proof of Concept," Ari Redbord, head of legal and government affairs at TRM Labs, and former CISO David Pollino of PNC Bank join editors at Information Security Media Group to discuss the U.S Treasury's decision to sanction cryptocurrency mixer Blender.io. They also assess software supply chain security.
Anna Delaney, director, productions; Tom Field, vice president, editorial; Ari Redbord, head of legal and government affairs at TRM Labs; and David Pollino, former CISO, PNC Bank, discuss:
- The significance of the first-ever U.S. sanctions on a cryptocurrency mixer;
- Reflections on the Colonial Pipeline incident, one year later;
- Whether rewards offered by law enforcement agencies for information on cybercriminals actually work.
Prior to joining TRM, Redbord was senior adviser to the deputy secretary and the undersecretary for terrorism and financial intelligence at the U.S. Department of the Treasury.
Pollino has over 25 years of experience in information security, fraud prevention and risk management. He has focused on financial services for 20 years and was the chief information security officer of Bank of the West and a divisional CISO at PNC. He has held multiple leadership positions in security and fraud, including Wells Fargo, Washington Mutual and Charles Schwab. Pollino has authored multiple books and white papers focused on cybersecurity and fraud.
"Proof of Concept" runs semimonthly. Don't miss our previous installments, including the March 11 edition discussing the reality of passwordless authentication today and the April 7 edition on dealing with the regulation "tsunami."
Anna Delaney: Hello, and welcome to Proof of Concept, the ISMG talk show, where we discuss today's and tomorrow's cybersecurity challenges and quiz experts in the field on how we can potentially solve them. I'm Anna Delaney, director of productions at ISMG. And I'm very pleased to introduce my co-host, Tom Field, senior vice president of Editorial. Hello, Tom.
Tom Field: Hello! Pleasure to see you.
Delaney:Pleasure always. Before introducing our guests, Tom, what is the most interesting thing in cybersecurity today?
Field: You know, I was prepared to come in here and talk about the one-year anniversary of the Colonial Pipeline ransomware attack because it was on everybody's minds. But, you read the news today and the headline that's got my attention is the government of Costa Rica, an entire country, declaring a state of emergency because of the Conti ransomware attack — a state of emergency, Anna. This is what happens when you have hurricanes. This is what happens when there is a coup. This is what happens when your nation is attacked by physical forces. Now, we have a state of emergency because of ransomware. That, to me, is the biggest news today.
Delaney: Incredible! But also, as you say, it's a year since the Colonial attack. So the question is, what have we learned this past year? And the news today, as you say, is alarming. I was going to say that certainly, I think, the conversations have improved. There's more talk about cyber preparedness, cyber resilience, and cyber readiness. But, is critical infrastructure more secure than before? Now, have we strengthened our security postures? Are we more prepared? How do we prepare? I don't know. These are questions perhaps our guests will have some thoughts on.
Field: Anna, I will say we've refined our conversations. But, what we've learned is that whatever today's big headline is going to be, there's going to be a bigger one tomorrow. And so far, nothing's proven that wrong.
Delaney: And Tom, in less than three weeks' time, where will we be?
Field: Less than three weeks' time, in two weeks' time, Anna, we are going to be together in London, preparing for our Live London summit. Very much looking forward to it; my first trip back to London since the fall of 2019.
Delaney: Yes, I was going to say also after that, though, we’ll then be in San Francisco.
Field: Of course, RSA Conference is live events. I can't keep them straight anymore. Yes, we will be at RSA Conference in three weeks, and the first time that we have been there since 2020.
Delaney: This will be a new experience for me, of course, being with the ISMG team at RSA. So looking forward to it. Any hints and tips are welcome.
Field: So I think that's the question.
Delaney: Yeah. Well, perhaps it's time to introduce our first guest, Ari Redbord, head of Legal and Government Affairs at TRM Labs. Ari, so good to see you again.
Ari Redbord: Anna, great to see you as well. Tom, nice to see you.
Field: Ari, always.
Delaney: So, starting with a big story. The U.S. Treasury announced last week the ffirst-everU.S. sanctions on cryptocurrency mixer Blender.io. And according to U.S. officials, the service was used by North Korean state hackers, Lazarus Group, to launder some of the funds stolen during the Ronin network hack at the end of March. So Ari, what are your thoughts? What's the significance of this move?
Redbord: Sure. Yeah, it's a great question. And it's just an interesting moment. We've seen a flurry of activity in the cryptocurrency space by Treasury over the last six or eight months. And, Tom, at the beginning of the show talked about the one-year anniversary of Colonial Pipeline, which, quite frankly, is a shock to me that we're almost at that point already. But, it really did harken in many respects; it was a watershed and move to this digital battlefield. And the Ronin hack is a great example. Essentially a few weeks ago, a hacker attacked the Ronin Bridge, which is a bridge between blockchains associated with the Axie Infinity — the play-to-earn game that is wildly popular. Those attackers stole about $600 million, $625 million in that attack, making it the largest or one of the largest hacks of any cryptocurrency business. And a couple of weeks later, OFAC, the Department of Treasury of the sanctions regulator, put an address on the sanctions list associated with Lazarus Group, which is the North Korea hacking unit, the state-sponsored professionalized hacking team — essentially what they did there was, associate Lazarus Group and North Korea with that hack. And it was an extraordinary moment. We've seen North Korea for years attack cryptocurrency businesses because in the age of crypto, a hack means you can essentially steal money at the speed of the internet. And for North Korea, a country with really pretty much absolutely no economy to speak of, they realized very quickly that stealing funds can result in destabilizing activity and fund weapons proliferation. So they've engaged in a series of escalating attacks. Finally, culminating in a $600+ million hack of Ronin. So to get back to your question about this designation, what we've seen over the last few weeks is North Korea really launder those funds, because the goal is to move them to obfuscate the transactions from law enforcement and blockchain analytics tools like TRM, in order to ultimately off-ramp them. We've seen them use a number of mixing services, and what mixing services, mixers, or blenders, they are on chain. They're essentially exchanges where users put in their cryptocurrency, it mixes it together, and then sends it out the other side, not associated necessarily with the illicit activity. It is an obfuscation technique. There's one of these called Tornado Cash, which we've seen millions and millions of dollars flow through associated with this hack; another called Blender.io, where we saw about $20 billion of funds flow through as that were the proceeds of the Ronin hack. Treasury finally took action against Blender.io, basically saying you did not have the necessary compliance controls in place. And what you are doing is facilitating North Korea’s money laundering. So, it is literally a direct response to this Ronin hack and North Korea's attempt to launder these funds.
Delaney: Really helpful background there, Ari. But of course, the press release was quite interesting. It used the words national security threat. It's not just about this hack, is it? There's a wider issue here.
Redbord: Now, it's a great question. And I think the most important one. Look, I mean, in any financial system, you're going to have fraud, and you're going to have financial crime. But when North Korea, when state actors are involved, things inevitably escalate. Because look, you see the Bitfinex hack, for example, where you see these individuals attempt to launder funds over years and across blockchains and obfuscation techniques. And it's about greed, essentially. It's important to stop those because a hack of cryptocurrency exchanges, potentially the loss of people's life savings, it is serious always. But it is escalated when those funds, the $600 million, which is a significant portion of North Korea's GDP, right? Like this is not inconsequential. It is a national security issue when North Korea has now funds to fund weapons proliferation. And I think we see the reaction here. Look, OFAC does not designate addresses associated with a hack. They designate, they sanction addresses associated with the hack when there's a national security threat. And here's clear the U.S. Treasury Department, the White House, and foreign partners are involved with this investigation and with the sanctions.
Delaney: And it's interesting to read that Russia-linked ransomware groups are also using Blender.io. I think Ryuk, Conti, and TrickBot as well. So, how bad is this cryptocurrency mixing problem?
Redbord: Yeah, it's interesting, look, as we move to a more open financial system where more transactions occur on open blockchains, on open ledgers where everyone can see transactions in real-time, there's going to be legitimate reasons to want to keep your transactions private. And potentially, legitimate mixing services are an answer to that question, right? But what's really important is that even these mixing services have compliance controls in place that they are screening for sanction addresses, right? That they are essentially able to block funds or file suspicious activity reports or engage with law enforcement if bad actors are going to use those platforms. So it's interesting that mixers are not illegal. And there are legitimate reasons to use them. What is illegal is to advertise a mixer on a darknet market within literally an attempt to launder funds or to provide a way to launder funds. There are two pending cases from the Department of Justice. One called Helix, and the other called Bitcoin Fog, where these were mixing services that were advertising on AlphaBay to be used to obfuscate transactions involving narcotics and other types of illicit activity. So, mixing services, per se, are not as much the problem as not having the compliance controls in place to stop them. But look, I know this show is about cyber. And I think one thing that's always really important to remember is that cryptocurrency essentially is the thing that's being stolen, the thing that's being attacked, or the reason for the hack. But really, what has to happen here is, Ronin, Axie Infinity, and cryptocurrency businesses really need to work to harden their cyber defenses. I know that's such a focus of what you guys do. What you talk about is trying to ensure that we're really thinking about cyber; we're really thinking about cybersecurity as we're growing our businesses.
Delaney: So how do you think this is going to rattle or even shift the cybercrime ecosystem?
Redbord: Yeah, look, I mean, Treasury has had a lot of effect with these sanctions designations on cryptocurrency businesses. What now I'm thinking of as like the trifecta of the illicit underbelly of the overall growing crypto economy. I mean, at first, you saw Treasury go after SUEX, which was a non-compliant exchange based in Russia, for essentially allowing ransomware payments to flow through it. A couple of weeks later, they sanction Chatex, another Russia-based exchange for very similar reasons. It doesn't matter if it's ransomware, sanctions or terrorist financing. It's really for not having the compliance controls necessary to stop illicit activity. And essentially without those controls, you're facilitating it. Then next we saw Treasury go after darknet markets. We saw them take down the largest darknet market Hydra, with coordination from German law enforcement. And now we're seeing them go after a mixing service that, quite frankly, is facilitating money laundering by not having compliance controls in place. And I think what we're going to see is this steady drumbeat from Treasury and from foreign partners of going after entities that formed that illicit underbelly, while to the extent possible, staying away from the overall growing crypto economy exchanges with compliance controls in place, for example.
Delaney: Always fascinating, Ari, speaking to you. Thank you very much. Over to you, Tom.
Redbord: Thank you so much for having me.
Field: Don't you think Anna, this has got to be like Ari's greatest professional year ever. Since what you have seen is just the beginning of the year.
Redbord: Well, a lot is going on for sure.
Field: We're not even halfway through it yet. And I'm thrilled to bring our next guest on to the screen here. He and I go back many years to when he was a deputy CISO with Bank of the West out in San Francisco. He's most recently the CISO of PNC Bank, and he's out there today, climbing new mounts. David Pollino, thanks so much for being here with us today. Hey Tom, great to see you. Thanks for having me. David, Anna mentioned this, Ari mentioned it, we talked about at the top of the hour here, this past weekend was the one-year anniversary of the Colonial Pipeline ransomware attack that impacted the entire East Coast economy of the United States. And then we wake up to news that the Costa Rica government has declared a state of emergency. How are we doing with this ransomware thing?
David Pollino: It appears we're not very effective with the whole response to the ransomware attack. I think it should be a wake-up call for everybody — individuals, businesses, big and small government agencies — that we probably need to reevaluate the investment that we're making in our cyber defenses, and hopefully, make 2022 a year that we start to see things getting better as opposed to getting worse.
Field: Maybe we need to go back 40 years now to former First Lady, Nancy Reagan, and just start saying No. As long as we're continuing to pay these ransoms, there is going to continue to be ransomware to pay dividends too. I know it's not as simple as just don't pay, but maybe it is just as simple as just don't pay.
Pollino: Yeah, it's definitely an interesting question. I've had a number of conversations with businesses around their incident response plans, and many of them now are actually adding that paying the ransom to their incident response plans, which is not a good thing to hear as a cybersecurity professional, but it's the business trying to explore every option that they could potentially have. Insurance companies I've heard are not paying or reimbursing the ransom payments like they were in the past. So, I think there's definitely a readiness conversation to be had to make sure that if you are hit with ransomware, could you start from scratch? Could you back up from the last-known-good? Could you get the business back up and running in a timely manner and not even consider paying the ransom?
Field: A good point! I know the insurance companies are hoping that at least in the U.S. that Congress declares ransomware attacks on nation-state-funded adversaries as an act of war because then it becomes moot, the ransom wouldn't be paid. I guess, at that point, ransomware becomes a hack of God. But, in any event, David, this past week, CISA released a list of the top 15 most routinely exploited vulnerabilities of 2021. Maybe not as surprised, Log4Shell was at the top of that list. Did you get a chance to review this?
Pollino: Yeah, it was an interesting report. I can't say it was very enlightening. Anyone who's been paying attention to some of the vulnerabilities over the past year said, yep, that those are on the list, those are on the list. Like Ari said, some of them feel like it’s been so much longer than just a year. The Log4Shell, I think that's a good wake-up call for everybody to understand their software supply chain. Whether they're developing their own software or buying off-the-shelf software, it commonly comes with open source components. And when these vulnerabilities are published, is it easy to sit back and say, do I have this deployed on my network? Yes or no. So I think many companies are starting to take it a little bit more seriously. Having that the bill of materials for their software components, and also having an additional focus on open-source components, when they're deploying their own software. So seeing Log4j in there wasn't surprised. It was at the end of the year, and we all have kind of our scars from having to respond to that, because it was so widely exploited and so easy to exploit. The other one that was on there or a handful of them were related to the Microsoft Exchange vulnerabilities. And it seemed like I had to look up the date of it. But last year, the Department of Justice had their court authorized effort to remove web shells. It was just about a year ago, just over a year ago. But it felt so long ago, that was a huge change in the industry that actually saw the Department of Justice take proactive action to remove these shells. But that also goes to show that who is still running their own email servers anymore. I mean, it's proven that probably Microsoft is the only company on earth that's qualified to be able to run Microsoft Exchange Server. And with the cost of cloud services now, I think it makes sense for just about every business to outsource that to whether it's like the Google Suite or Office 365. Make managing email and those document sharing services somebody else's problem, so you can focus on your business. So, businesses should also be reconsidering exactly what technology they're trying to support themselves. Because these have been routinely compromised that many of these are the ProxyShell vulnerabilities as well, hitting these Microsoft products that are commonly used. You have Log4Shell; you have all these exchange ones. And then a couple of the other ones that were interesting and very important are around VPN gateways. Sometimes network infrastructure is not at the top of our list for patching. But VPN gateways are absolutely a great way into a business. And having a good routine to be able to make sure that those VPN gateways are up to date. And also, as the recommendations from that report point out, using MFA to help kind of give one additional layer of security there. So, taking a look at your networking infrastructure and having a good routine for quickly patching those, because that's really what we see in that report is that when these vulnerabilities are published, sometimes proof of concept code is published shortly thereafter. But whether the proof of concept code is published or not, people are hard at work, reverse engineering the patches to find exactly what the vulnerability is. So when those patches come out, you need to be applying those patches on your infrastructure quickly. But perhaps probably the most discouraging thing in the report was that three of the vulnerabilities in the 2021 report were the same as 2020. So, it seems like we're not learning our lessons quick enough and being able to patch the or secure vulnerabilities that are well known. So, it was definitely an interesting report there. But like I said, not a lot of surprises for cybersecurity professionals.
Field: David, beyond that if it doesn't appear in the CISA report, certainly, but I've got it on authority from those who follow such things that within the past two weeks, and as recently as the past two weeks, as organizations have downloaded Log4j, up to 40% of new downloads have been infected versions. No, we aren't learning lessons. So my question to you, when you see lists like this come out, how do you advise organizations that you consult with to review these?
Pollino: It’s important for any large enterprise to have a threat intelligence program. The threat intelligence program would look at not just incidents that happened, Colonial Pipeline, and ask themselves a question, could we be hit by this particular attack? But also, when reports like this are published, these should be socialized with the executives and the board members. The question that comes when you socialize a report like this is, are we vulnerable to any of these? Do we have these vulnerabilities in our infrastructure? So probably the proactive scans, we'll be looking at if we do have the vulnerabilities in the environment and being able to take appropriate action. Utilizing the items that hit the mainstream media like this, to help educate the board and executive committee, is important.
Field: Good. Anna, we bring you back to the conversation here.
Delaney: Very good. That was a brilliant discussion. Thanks, David. So I'd love to bring you all back to the party. This question is around reward schemes. We heard last week that the U.S. State Department announced it is offering a reward of up to $10 million for information on leaders of the Conti ransomware gang. And we've seen a few bounties advertised for information on particular criminal groups recently, how effective are these rewards in the fight against cybercrime? What are your thoughts? Ari?
Redbord: Yeah, I think traditionally, from the early days of the most wanted list, there was a huge emphasis on this during the post-9/11 world — bounties or rewards, they do work. I do think that a lot of the same groups are already looking for these people and will continue to look for these people. I think there's some motivation around it, but I don't know if it is a solution. But I do, I will say that they do tend to work.
Pollino: Yeah, if we see the success of bug bounty programs, when you put a monetary reward behind something, people get interested in it. So, I don't think it's a bad thing. But as Ari mentioned, it's probably not the most effective way of chasing any type of criminal activity. So we brought out brown vulnerabilities, we need to make sure that we're reexamining our efforts. And if we continue to have the same problems over and over again, then maybe we need to reevaluate how we're addressing them. The reward might be good, but it might be a good opportunity to say, do we have the right approach to policing cybercrime in general? Or is there something else needed?
Field: Anna, if I may?
Field: Attribution is so hard. It really is so difficult to track this back to a single adversary. And the incentive for continuing to exploit ransomware is so high. I'm not sure $10 million is enough.
Delaney: I was going to ask, what's the purpose of these awards? I mean, it's surely not just about the reward. Does it send out a message to these criminal gangs? Is that message even working? Thoughts?
Redbord: Yeah, I think that it does send a message and when you're building out these reward programs, especially when you're talking about the State Department, you are showing a real focus on it. I think a lot of times, these types of programs are designed in many respects to show what the current priorities are. The fact that these types of resources are dedicated in this space, I think just confirms what we've all known for some time. And that is the focus on this digital battlefield is very real. We've moved kind of into a world where you can draw just so many parallels to that post-9/11 world where there's the level of coordination across agencies across governments. These types of programs from the State Department, right? These are all types of techniques that we used post-9/11. And, again, harkening back to the Colonial Pipeline attack, Chris Wray, the director of the FBI, within days of it, essentially compared this to 9/11. And really was a watershed. We're seeing governments build out and respond to these attacks. It's not just ransomware; there's so many other of these hacks and that we were talking about earlier. There's a movement to the digital battlefield, and governments are prioritizing it.
Delaney: So, RSA around the corner, are you both going? David, are you on your way? Are we meeting in San Francisco?
Pollino: No, I will not be there. I lived in the San Francisco Bay area for many years. So it would go by the show plenty of times. It's amazing to see how it grew from, I think, just a few thousands when I first started going there in the late '90s, to tens of thousands today. But, I'm sure you guys will have a good time there. But nope, no plans. I prefer the smaller conferences now.
Redbord: No, it's really exciting. And, look, I mean, the world is back. And it's fun that this group is back as well. And I think, there's going to be tons of great opportunities going forward.
Field: You'll be there?
Redbord: I will not be there.
Field: Anna, you be there please.
Delaney: I'll be there.
Field: I will be as well. Nice to be back.
Delaney: Yeah. At least that. So headed into the second half of the year soon. What are we looking toward?
Redbord: Yeah, I mean, from my perspective, it's 24/7 crypto, and there's crypto never sleeps. So I think we're going to continue to see, until crypto businesses begin to harden cyber defenses, we're still going to see these types of attacks that we've been talking about earlier. But we're also going to see Treasury and foreign partners go after these types of actors. I mean, we're even seeing, a couple of weeks ago, for the first time, Treasury put a crypto designation, related designation in the Russia sanctions context, sanctioning a crypto mining company that had large mining farms — these large server farms in Russia — to really say, crypto mining is like oil or natural gas, we need to cut off your energy supply, your ability to create value with your energy. There's so much going on in the space, whether it's sanctions or whether it's Department of Justice, and we're going to continue to see more and more activity.
Delaney: We'll be lucky to have you on the show going forward. I am surprised, you made time for us, Ari.
Redbord: Always, Anna.
Delaney: Oh, that is good to know.
Delaney: David, what does the year ahead, half year ahead look like for you?
Pollino: Well, we discussed before this Proof of Concept session here that the new law that was passed around requiring the FBI to have a little bit better data collection around cybercrime. I wonder how many people realize that cybercrime is the largest form of crime in the United States. I mean, it's unbelievable how easy it is to click for many criminals to get away with it, and how difficult it is for us to really get down to the root cause. So I think, we're going to see more cybercrime. We're going to continue to see more scams; we're going to continue to see more unauthorized access to data and data being published. I don't think ransomware is going away anytime soon. So, more of the same, but hopefully with this new rule here, we'll understand exactly why it's hurting and maybe even come up with some new ideas on how to protect ourselves against it.
Delaney: Tom, work is not done.
Field: Can I offer my wish list?
Delaney: Go for it.
Field: I want to see the U.S. government pay out $10 million in a bounty. I want to see a ransomware perp walk. I want to see us have holidays that don't coincide with new large-scale supply chain attacks. I don't know that we're going to see any of that. I think it's going to be a half year more of the same.
Delaney: And breathe. I hope you're wrong. But yes. Something tells me, you may be right. Well, thank you, everyone. This has been fantastic. It's been fun and informative. So Ari Redbord, David Pollino, thank you so much for joining us.
Redbord: Thank you so much for having me.
Pollino: Yeah. Thank you for having me.
Delaney: And thank you so much for watching. Until next time.