open source and cybersecurity news

November 1, 2023

It's 5:05, November 1, 2023. Time for your cybersecurity and open source headlines.

In this Episode:

Marcel Brown: November 1st, 1963. The largest radio telescope ever constructed, the Arecibo Observatory, opened in Puerto Rico. It would be used for many major discoveries, including the first direct imaging of an asteroid.

Edwin Kwan: A malware that was initially thought to be a crypto miner has been discovered to be a sophisticated spy platform. The malware has infected over a million Windows and Linux systems.

Hillary Coover:  The cybersecurity landscape is experiencing a paradoxical challenge as cyberattacks continue to rise while budgets decrease and companies implement layoffs. A recent survey reveals that nearly half of cybersecurity professionals have seen their teams face spending cuts and personnel reductions in the past year, intensifying the pressure on these teams.

Mark Miller: On Monday, the Securities and Exchange Commission filed suit against SolarWinds and their CISO, Tim Brown, for fraud and internal controls failure. You remember the old Gomer Pyle episodes, right? “Surprise, surprise!” That’s kind of what I feel like right now. SolarWinds lied. Imagine that.


The Stories Behind the Cybersecurity Headlines


Edwin Kwan
APT Malware Disguised as Crypto Miner Infects One Million Systems

Edwin Kwan, Contributing Journalist, It's 5:05 Podcast

A malware that was initially thought to be a crypto miner has been discovered to be a sophisticated spy platform.

This is Edwin Kwan from Sydney, Australia.

The malware framework platform is named StripedFly, and it has flown under the radar of security researchers for over five years.

First detected in 2017, it was incorrectly classified and widely dismissed as a largely ineffective malware for mining crypto. Turns out, crypto mining was only one of the many capabilities of this malware. The malware comes equipped with a built-in TOR network tunnel for communications with its command servers. It also uses trusted services such as GitHub, GitLab, and Bitbucket for its update and delivery functionality.

Security researchers described the malware as nothing short of impressive and said that while it is unclear if the malware framework is used for revenue generation or cyber espionage, its level of sophistication indicates that this is an APT, an Advanced Persistent Threat malware. The malware has infected over a million Windows and Linux systems.

Resources
– Secure List: https://securelist.com/stripedfly-perennially-flying-under-the-radar/110903/
– Bleeping Computer: https://www.bleepingcomputer.com/news/security/stripedfly-malware-framework-infects-1-million-windows-linux-hosts/
– Dark Reading: https://www.darkreading.com/threat-intelligence/complex-spy-platform-stripedfly-bites-1m-victims-disguised-as-a-cryptominer


Mark Miller
Surprise, Surprise! SolarWinds Lied. Imagine that.

Mark Miller, Executive Producer, It's 5:05

You remember the old Gomer Pyle episodes, right? “Surprise, surprise!” That’s kind of what I feel like right now. SolarWinds lied. Imagine that.

On Monday, the Securities and Exchange Commission filed suit against SolarWinds and their CISO, Tim Brown, for fraud and internal controls failure. You remember SolarWinds. They provide system management tools for network and infrastructure monitoring. In a reported massive data breach from 2018 through 2020, a hack compromised the data, networks, and systems of 18,000 of the 30,000 public and private organizations using SolarWinds. Those affected included local, state, and federal agencies.

Okay, let’s get to what’s up now. The SEC is raising their hand high and saying, “Wait a minute! You lied to us, your investors, and your clients.” The statement from the SEC alleges that “from at least its October 2018 initial public offering through at least its December 2020 announcement that it was the target of a massive, nearly two-year long cyber attack, SolarWinds and Brown defrauded investors by overstating SolarWinds’ cybersecurity practices and understating or failing to disclose known risks.”

Internal memos show that Brown and company admitted internally that their systems were not secure and an adversary could pretty much do whatever they wanted without being noticed. Brown pretty much said so, internally. Brown knew, according to his own internal memos to the team, that “the volume of security issues being identified over the last month have outstripped the capacity of engineering teams to resolve.”

The public statements and coverup from SolarWinds were so blatant, the SEC quotes one of the employees as saying, “Every time I hear about our head geeks talking about security, I want to throw up.”

The SEC has a little twist in the filing if you read it closely. They’re filing because SolarWinds and Tim Brown defrauded investors. Check out this statement by the SEC: “SolarWinds made an incomplete disclosure about the SUNBURST attack in its December 14, 2020, Form 8-K filing, following which its stock price dropped approximately 25% over the next two days and approximately 35% by the end of the month.”

Ah, there’s the rub. People lost money and now they want their pound of flesh.

So, who is the SEC protecting here? Investors or clients who had their data compromised? It will be interesting to follow this thread over the next year to see who actually is the victim, according to the SEC, and who deserves compensation. I’ll be keeping an eye on it.

This is Mark Miller. I’ve put links to the SEC original filing, their description of the filing, and other resources at the bottom of the transcription for this episode on 505updates.com. I’d appreciate you sending this update to your CISO. It’s definitely a story worth following.

Resources
– SEC: https://www.sec.gov/news/press-release/2023-227
– SEC Complaint: https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-227.pdf
– TechTarget: https://www.techtarget.com/whatis/feature/SolarWinds-hack-explained-Everything-you-need-to-know


Hillary Coover
The Paradox of Cybersecurity: Increasing Threats, Decreasing Budgets, and Talent Shortages

Hillary Coover, Contributing Journalist, It's 5:05 Podcast

The cybersecurity landscape is experiencing a paradoxical challenge as cyberattacks continue to rise while budgets decrease and companies implement layoffs. A recent survey reveals that nearly half of cybersecurity professionals have seen their teams face spending cuts and personnel reductions in the past year, intensifying the pressure on these teams.

Hi, this is Hillary Coover in Washington, DC.

A survey conducted by trade group ISC2 in collaboration with Forrester Research reveals that out of 14,865 cybersecurity professionals surveyed, 47% reported some form of cutbacks in cybersecurity within the past 12 months. And this was not done as a result of a decrease in cybercriminal activity.

So these cutbacks included layoffs, budget reductions, hiring freezes, and promotion delays. 22% of respondents experienced layoffs, while 53% saw delays in acquiring and implementing new technology.

As a consequence of these cutbacks, 71% of cybersecurity professionals reported an increase in their workloads. Industries that reported the highest number of cybersecurity layoffs in the past year included entertainment and media, construction, security software and hardware development, and automotive.

In addition to layoffs and budget cuts, cybersecurity professionals are facing the constraint of keeping expenses at the same levels as the previous year, despite rising costs. As salaries and the cost of living increase, companies are forced to limit their cybersecurity spending.

While cybersecurity is traditionally seen as resilient to economic downturns, even this sector has witnessed layoffs this year. This is a reflection of the broader economic pressures influencing the cybersecurity landscape.

Simply deploying an AI solution isn’t going to get you out of this one, folks. Don’t fall for the clickbait.

Resources
– Wall Street Journal: https://www.wsj.com/articles/budget-cuts-layoffs-add-to-pressure-on-cyber-teams-adbf6f85?mod=cybersecurity_news_article_pos1


Marcel Brown
This Day, November 1, in Tech History

Marcel Brown, Contributing Journalist, It's 5:05 Podcast

This is Marcel Brown bringing you some technology history for November 1st.

November 1st, 1954. The Industrial Development Engineering Associates Company, otherwise known as IDEA, begins selling the Regency TR-1, the world’s first commercial transistor radio. Texas Instruments, which designed and developed the transistor technology, then partnered with IDEA to design and manufacture the completed radio. The TR-1 sold over 100,000 units, ushering in the commercial transistor industry.

November 1st, 1963. The largest radio telescope ever constructed, the Arecibo Observatory, opened in Puerto Rico. It would be used for many major discoveries, including the first direct imaging of an asteroid.

November 1st, 1968. The MPAA and two other industry organizations introduced the Voluntary Rating System. G meant good for all ages, M meant mature audiences, R was restricted, and X, well, you know what X means. It would serve as a model for future voluntary systems like the one used by the video game industry.

That’s your tech history for today. For more, tune in tomorrow and visit my website, thisdayintechhistory.com.

Resources
– This Day in Tech History: https://thisdayintechhistory.com/11/01
