ISMG Editors: The Rise of Info-Stealing Malware
Also: Holiday Cybercrime Defense; Palo Alto's New Acquisition
Anna Delaney (annamadeline) • November 25, 2022
In the latest weekly update, four editors at Information Security Media Group discuss important cybersecurity and privacy issues, including advice for security leaders and their teams on strengthening off-hours defenses during the holiday season, emerging cybercrime trends in 2022, and Palo Alto's first big M&A since early 2021.
The panelists - Anna Delaney, director, productions; Mathew Schwartz, executive editor of DataBreachToday and Europe; Michael Novinson, managing editor of business; and Tom Field, senior vice president, editorial - discuss:
- Highlights from an interview with Sam Curry of Cybereason who shares recommendations to security leaders to bolster off-hours defenses as we enter the holiday season;
- Two emerging cybercrime trends of 2022: a surge in data-stealing malware and cryptocurrency-targeting attacks;
- How Palo Alto Networks will make its first major acquisition in nearly two years, scooping up application security startup Cider Security for $250 million.
The ISMG Editors' Panel runs weekly. Don't miss our previous installments, including the Nov. 4 edition discussing how the ransomware ecosystem is fracturing and the Nov. 11 edition discussing how a $3B crypto seizure shows blockchain's security.
Anna Delaney: Hi, welcome to the ISMG Editors' Panel. I'm Anna Delaney, and here's our roundup of the most gripping and important cybersecurity news stories of the week. I'm very pleased to be joined by colleagues Tom Field, senior vice president of editorial; Mathew Schwartz, executive editor for DataBreachToday and Europe; and Michael Novinson, managing editor for ISMG business. Good to see you all. Tom, 'tis the season for cybercrime, is it not?
Tom Field: It is. In fact, I spoke recently with Sam Curry, old friend of ours. He's the chief security officer for Cybereason. And of course, Cybereason did its third annual study of ransomware attack trends around holidays. And we all know that when it comes to weekends and holidays, the adversaries up the games, they don't take time off. They know companies are at reduced staff, they know that people are hoping for a break and maybe looking the other way. And SolarWinds was two years ago. We got Log4j last year. Hence we got lots of security leaders and PTSD this year waiting to see what happens next. So I spoke with Sam, a week or so ago, about this latest study and the findings. And I said to him that it's not news that the adversaries attack on weekends and holidays. What is news? I will share his response with you.
Sam Curry: What we found is the preparedness. And I think people can do a lot more ahead of time. Now I'm not condoning perhaps paying. In fact, I think you can't pay to get out of the mess, to be perfectly clear. But I think that people aren't doing enough to prepare ahead of time. I mentioned antivirus. I mentioned EDR. We found that in the crisis, a quarter of those who decided to pay were in fact scrambling to set up crypto wallets. How do they in fact get the money out? A quarter of them were engaged in advanced negotiations, which means three quarters weren't. They weren't able to buy time to validate the data was stolen. That means this is stuff that could have been done peacetime and there are strategies that people can engage in ahead of time and say how do we get ready in case of emergency break glass? Yes, but how do we do the tabletop to have it done? How do we make sure that this feels like a reflex when the time comes as opposed to a completely unused policy and then blowing the dust off of unused document? That sort of thing. That shouldn't be news. People should be preparing now for it. And if they aren't, we're about to go into the Thanksgiving season in the United States, Christmas all around the world and other holidays. Now's the time to be doing it. Because even if you don't celebrate those holidays, the bad guys know that most companies do. And that's when they'll be at their weakest.
Field: Here we are. U.S. Thanksgiving is tomorrow.
Mathew Schwartz: You're trying to jinx us, Tom. I'm sure everything will be fine. But hopefully, organizations will be prepared. Although, as a cybersecurity journalist with an increasing amount of cynicism, I think it's unlikely that a lot of the victims will be seeing half prepared, because experts like Sam have been saying this for so long. Preparation pays. Take a little bit of time now, think about what you do. Print out the phone numbers of who you need to call in case your systems get cryptolocked. And we keep seeing organizations apparently getting surprised even though there shouldn't be any surprises left about this.
Field: Matt, you're exactly right. After Log4j, after SolarWinds, it should be no surprise about the timing of the year and what we should expect. But to me, it's similar to the background I have behind here. When that snowstorm hit in Calgary, I drove to the airport the next day. I saw cars on the side of the road. I saw trucks doing circles in front of me. I saw accidents all over the place. And it's the same thing I've encountered all my life growing up in the northeast of the U.S. Every winter, people are driving in the snow like it's the first time, like they haven't done it before. And they go out, have accidents much like these. I think the cybersecurity community is not much different. We know the snowstorm is coming but we forgot how to drive in the offseason.
Delaney: And just emphasizing that point. According to Cybereason's study, I think they surveyed 1,200 cybersecurity professionals, and 88% of them said they had missed a holiday or weekend event due to a ransomware attack. So we've even experienced it.
Field: There you go. I don't mean to be the Grinch of the season, but we know what's coming. Keep your eyes on the skies.
Delaney: Yeah, great advice. Matt, rolling into ransomware then. What are the dominant cybercrime trends of 2022?
Schwartz: Well, Anna, four weeks is a long time, and I wouldn't want to get ahead of what could be something that we didn't see coming, not a snowstorm, because we know that those are coming, but some other calamitous events. I know I sound like a doomsday merchant here. But there's been a few interesting trends so far. Just in no particular order to hit some of them. There's a new report out by cybersecurity firm Group-IB. And it looks at what's been a real surge in information-stealing malware, sometimes known as info stealers. I find this sort of thing fascinating. So if you look at malware, we've had a lot of changes over the years. Banking Trojans used to be big. Now we're bothered, as we should be, by ransomware. But we shouldn't over-obsess about ransomware because criminals are trying to make a buck. And they'll do whatever they need to do with the least amount of effort, typically, in order to get that done. And so as wielding ransomware has become a little more difficult because of law enforcement disruptions, there's been a rise in info stealers. And so Group-IB looked at what's going on. And one of the big ways of obtaining info stealers is as-a-service. So ransomware-as-a-service, kind of well known. A lot of attackers work with groups that maintain the malware, and in return the developers that maintain it get a cut. The same goes with info-stealing malware. So if you want to go out and make a criminal profit, illicit proceeds, you can sign up to be an affiliate, or user, of one of these information-stealing malware, stealer-as-a-service sort of businesses, and they will give you info stealers such as Raccoon, which is the most popular. Second most popular is RedLine. And these are designed as malware, designed to infect the system. And they'll look for all sorts of things. Credentials for Amazon, credentials for PayPal, your financial records, crypto wallet information, maybe your accounts on Steam, or Roblox or even Discord.
And then this gets ingested and sometimes the person who's using the malware gets to keep some of it. Typically, though, the stealer-as-a-service operators will keep the most lucrative stuff. So we see them, for example, peeling off anything to do with cryptocurrency or cryptocurrency wallets, because they can sometimes use that themselves to go after people's cryptocurrency wallets to try to drain them. And so these attacks, if they're successful, is model. If it's successful, can be extremely lucrative. I think it's fascinating that you have this service model as well. Like I was saying, RedLine is popular. Group-IB said that 23 out of the 34 gangs that it's tracking that provide this service use RedLine. Eight of the groups use Raccoon, and then three use something custom. So you see, again, this model where you don't need to have a lot of technical expertise to get involved. You can work with a service that provides it to you. You go out and infect the systems. Everybody reaps the rewards. Info stealers as a service. As a side note, there's been an interesting new piece of ransomware called AxLocker, which is based on some ransomware that's been seen before. But one interesting thing to me about this is it doesn't just cryptolock systems, it also looks for people's Discord credentials. So Discord, if you don't know, it's loved by the kids, all the gamers, they like to stream what they're doing. It's got Voice over IP, it's got instant messaging. So why are attackers looking for Discord credentials? Well, there are about 150 million active users every month on Discord and a fair number of those are into NFTs and cryptocurrency. So it turns out that Discord - if you're a scammer or a fraudster - is a great place to try to target them, especially if you can steal the access to a legitimate Discord service, maybe on a Discord server devoted to crypto, and then try to scam the people who are on it.
And so this leads to the other big trend I want to talk about, which is cryptocurrency targeting, and we think about hacking of exchanges, North Korea, here's looking at you. But with a lot of these cryptocurrency-targeting attacks, it's much more likely to see things that are a lot less technically sophisticated - scam schemes, things like rug pulls, where I create a token called squid coin. And I get a bunch of people to invest in it, but I don't let them sell it. And then once it hits what I think is a critical mass, maybe $3.4 million worth, I turn it all off and I walk away with all the funds. I take that liquidity and use it against investors. So if you can think of a scheme and it can be executed by fraudsters, expect it to happen. And so I think with the crash and burn that we're seeing of cryptocurrency exchange FTX, it seems to be a crash and burn whatever they say. That's had a knock-on effect. Bitcoin's down from $21,000 at a high to, earlier this week, about $15,500 per bitcoin. That's still a lot of cash. If you're an investor, it doesn't look good. But if you're a criminal, and you can convert those bitcoins into dollars, that is an amazing attack or amazing scenario still. And so, anybody with any interest in cryptocurrency or NFTs, or who gets an email promising a bonanza of free bitcoin, all you have to do is just deposit a little bit to show us your good intentions, that kind of thing that we've seen so many times before now in a crypto guise, just beware all of that. Keep an eye out as well for cryptojacking malware that turns the CPUs in your infrastructure against you. Apparently, there's been a real rise in critical infrastructure, or any organization that has a lot of servers, for example, getting hit with this stuff so that criminals can mine more cryptocurrency. So those are just a few of the themes. Check back with me in four or five, six weeks, and then again in six months, because some of these attacks take forever to come to light.
And we'll see what went down in 2022.
Delaney: Exciting. Can't wait now. But in terms of info-stealing malware, how's the industry currently tackling that? Do we have the right defenses?
Schwartz: Well, it's the same defenses as you would use against any kind of malware. The trouble is, like ransomware, it has a habit of worming into organizations. So phishing attacks, RDP, we focus on this a lot. For ransomware, saying if you want to get ahead of ransomware, you need to be aware of those two things. AxLocker, for example, and other groups are oftentimes targeting known vulnerabilities. So SonicWall vulnerabilities that the likes of CISA have been urging organizations to patch forever. Attackers know all this. So, many times attackers will get in and do more than one thing. Maybe they will ultimately deploy ransomware. But before that, maybe they'll deploy info-stealing malware. Or they'll do that and then hand off to a ransomware gang. So anything goes when you're an attacker; they're just trying to monetize these in the best, most direct, quickest, easiest way possible. So do we have the right defenses? No, because the likes of ransomware is still getting in. And info-stealing malware is just as easy to deploy.
Delaney: Thanks, Matt, as ever. Well, Michael, more acquisitions this week. Palo Alto Networks has acquired Cider Security. Tell us about it.
Michael Novinson: Absolutely. And I thank you for the opportunity. So Palo Alto Networks is an interesting company in that so much of their capability has been built up through mergers and acquisitions from 2018 to 2021. Nobody was more active than they were on the M&A circuit; they bought a dozen companies, built out their cloud security practice from scratch, bought some stuff in the security operations world, some SOAR capabilities and multiple endpoint security companies. And then, almost quickly, it started to come to a halt. The last big acquisition they had done was in February of 2021, a company named Bridgecrew. And then the customer or their CEO got on earnings calls and said, we're done with M&A, we bought everything we need to buy, we have capabilities in three areas - security operations, cloud security, network security. We're not looking to get into other parts of security, we're not looking to be an identity security company, an email security company, and we have the capabilities we need in each of these areas. And we don't want to start buying companies that do a lot of the same things that we already do. We don't want overlapping capabilities that do not add new capabilities. So they're kind of at a 20-month pause. But as you alluded to, last week they went back to M&A and purchased Cider Security for $250 million in terms of both the cash and the equity piece. So why did they do that? And I think that comes down to what Cider Security does, that they're focused on securing engineering processes and engineering systems from code to deployment. And if you think about when Palo Alto Networks was building out their practices through M&A, that supply chain security, code security, shift-left, CI/CD, this stuff wasn't as top of mind. So most of their M&A took place pre-SolarWinds. And all of that took place pre-Log4j. So this wasn't as central to them.
So I think they realized that if they do want to be that broad platform that can be all things to all people, they need to play into the code security market. Now, Cider Security takes a bit of a different approach than some of the other players here. A lot of the companies have been focused on the source code and trying to figure out where does that source code come from? And is that secure? Cider focuses a little bit differently; they are focused on that development pipeline. But it's more about the dozens or hundreds of applications, or the dozens or hundreds of pieces of software that companies use as they're developing technology, and figuring out where do sourcing all of those applications, sourcing all that software and figuring out, where does that come from? Is that secure? Are there any vulnerabilities in that, and in particular, looking at open-source type software, things like Log4j, and looking at vulnerabilities there? So this will fit into what Palo Alto Networks does with their Prisma Cloud practice, which does do a lot of that CNAPP cloud security type capability. But Palo's been focused on trying to bridge that divide between cloud security and application security. And their feeling is that in terms of what Cider is able to do around securing engineering processes and systems, that will be integral to that.
Delaney: And Michael, do you think we'll be seeing more acquisitions from Palo Alto, perhaps next year?
Novinson: I don't think we're going to see a ton. I think they'll pick and choose their spots carefully. This was supply chain security, something that's percolated in recent months. You could say the same thing. Do they want to make a play into critical infrastructure in a post-Colonial world? They've picked and chosen their spots carefully. I think they've been clear to investors, they're not going back to that pace, and they ended up spending about three and a half billion dollars over the three-year period on acquisitions. Investors weren't happy. It was causing them to lose money. Given where the economy is right now, investors want to see companies making money. So I don't think investors would be happy to see them resume that pace of acquisition, nor do I think Palo feels they have those types of gaps that they would need to. But could they potentially make a play into infrastructure security, looking at IoT or securing medical devices? That might be adjacent to some of what they do with firewalls today. But I think they would pick and choose their spots very carefully. I guess the one final note I would make is that their acquisitions, with the exception of Expanse, which was quite a bit bigger than everything else they've bought - they've spent between 150 and 500 million - that's kind of their sweet spot: they want technology that's been built up, mature, but they don't want to buy sales and marketing; they have that, they have the go-to-market engine themselves. So I know there's been talk about some larger companies needing to exit companies that were unicorns that maybe don't have an exit path with the IPO market closing. That's not a space I see them playing in; they want to take strong technology and strong leadership and plug it into their go-to-market engine. So I'd expect them to stay in that low-nine-figures range when it comes to M&A going forward.
Delaney: Very interesting. Thank you very much, Michael. So finally, it's Thanksgiving week, of course. My final question is, what is the biggest turkey moment of 2022? And I know that Matt said five weeks left to go, so we could still have more turkeys. But Tom, you are ready.
Field: I think we have one - my turkey doesn't gobble, it tweets. I think I've got to go with Elon Musk, and in his initial stewardship of the most influential social media network in the world, Twitter, seeing such an exodus, encouraging such an exodus of security and privacy professionals. Poor timing.
Schwartz: Yeah, my turkey is definitely an own goal. It has less of an impact on me, because Twitter's a wonderful community. And it's a shame. It takes forever to build a community up and it's easy to tear it down. On that front, though, when it comes to ransomware, I love the fact that Conti shot itself in the foot earlier this year by backing the Moscow-ordered invasion of Ukraine, and all of a sudden, nobody was paying Conti anymore. And Conti went oops, and had to burn its brand. It was very stupid. Before that, it spun out a number of other different groups. But what we're hearing is, for affiliates, and maybe this is why info-stealing malware is surging, for affiliates of ransomware groups, working with big-name brands is a liability. They are in the crosshairs of law enforcement. And we have a hard time disrupting ransomware. But it's great news that some of the bigger, more professional, well-polished organizations with the most affiliates, taking down the biggest organizations via big game hunting, are having a harder time making that business model work. So gobble gobble!
Delaney: Great turkey. Michael?
Novinson: I could take my inspiration from the business world. And this would be the special purpose acquisition companies that were so, so hot in 2021. We saw several security players take advantage of that. We saw AppGate, IronNet, ZeroFox all go public through SPAC, and then complex monitor but didn't even make it across the finish line in trying to take that shortcut of avoiding the traditional Esteban IPO path. This had consequences. IronNet lost the co-CEO and laid off half of its staff, involved with lawsuits. Allegations of misleading investors often tend to do pretty sharp layoffs. And then ZeroFox also has seen a very sharp decline in their stock price since going public in August. I think it's just a reminder that there's no shortcut to success, that the IPO metrics that the industry maintains, that you want to have at least 150 million in top-line revenue, that you need a path to profitability, that you have to disclose all of this beforehand in an S-1 filing and do an investor roadshow and then present all of your financials to the investment community. Those are good things; it's good to have that due diligence and that scrutiny. When you start trying to find an end-around to bring a smaller company, a company with only 25 or 30 million in top-line revenue, to the public market, you're going to pay a price for that, and maybe not right away. Maybe the market's hot like it was in 2021. But eventually you will, and I think it's important to remember to grow responsibly, to follow traditional accounting practices, traditional paths to market, and not let yourself grow and get big before you try to take the next leap.
Delaney: It's very turkey. Thank you. I was going to say Elon Musk as well and his plan to charge users for the blue checkmarks, which seems like an attacker's dream. Anyway, we'll see what happens there. I hope you'll get to enjoy some turkeys this week as well.
Field: Thank you very much. Tonight's the night of planes, trains and automobiles. I look forward to it.
Delaney: Happy Thanksgiving! Thank you very much. Thanks so much for watching.