McAfee Chief Scientist: Cybersecurity War ‘Exhausting and Relentless’
MCAFEE MPOWER — McAfee has discovered a new cyber-espionage campaign targeting South Korea, the United States and Canada reusing code from implants last seen in 2010 by the Comment Crew, a Chinese military-affiliated group accused of launching cyberattacks on more than 141 US. companies from 2006-2010.
McAfee announced the campaign Wednesday during its MPower Security Summit in Las Vegas. Raj Samani, McAfee’s chief scientist, presented the research and has assisted multiple law enforcement agencies in cybercrime cases.
The actors of this new campaign haven’t been identified. The Comment Crew operations were dubbed Operation Seasalt, and McAfee has named the new campaign Operation Oceansalt.
Oceansalt was launched in five attacks waves adapted to its targets. In the United States, the campaign targeted the finance and agriculture sectors. It gives the attackers full control of any system they manage to compromise and the network to which it was connected, according to McAfee.
The impact is difficult to assess and the true purpose of the campaign remains a mystery, Samani said. It does prompt the question of whether this represents a code-sharing arrangement between two nation states as the actors displayed a strong command of the Korean language, he said.
“This research represents how threat actors are continuously learning from each other and building upon their peers’ greatest innovations,” he said. “Whoever is ultimately responsible for the Oceansalt attack is not marketing their initiatives, but now taking action and bringing attacks to life.”
In a Q&A with Channel Futures, Samani talks about his work fighting cybercriminals and gives his take on the rapidly changing threat landscape.
Channel Futures: What is your focus here at MPower?
Raj Samani: What I do and what the team does, I think, is the kind of ethos of what the company is, why we do what we do. We lead the threat research team both across major malware as well as vulnerabilities, and really our objective is to highlight and showcase how the adversary is evolving. In other words, who are our competitors? So we discuss some recent campaigns that we’ve just analyzed, major nation-state attacks, and we really demonstrate how they are evolving and how they are innovating, which is at a frightening pace.
CF: You were a co-founder of No More Ransom. How is that being used?
RS: Successfully, actually. We’ve been quite fortunate in that we’ve gotten huge press attention across the globe and we’ve prevented tens of millions of dollars [and] euros going into the hands of criminals. So I’m delighted that people are getting the message. It’s still quite concerning when I’ll speak to people in the industry and say, “Have you heard of this?” and they haven’t. So our work isn’t done yet. There’s still work to be done in terms of getting people to understand if you’ve ever been hit by these types of attacks, the first thing you do is go to No More Ransom, and there is a possibility that we may have a decryption tool that you can get your data back without having to pay criminals.
CF: So it’s being widely used, but it should be more?
RS: I’ll give you an example. When we launched, we had seven decryption tools, and we’re now at 84. We had 12,000 hits that we forecast for day one and we had 2.8 million in the first day. So it’s been a roaring success. My only concern is we need to have more of these types of initiatives. The term “public-private partnership” is not a marketing term; you either are committed toward partnering with public sector and trying to do the right thing, or you’re not. But you can’t say that you are not and not do anything. So No More Ransom is a great example of … our peers in the industry, global law enforcement, the Security Intelligence Review Committee (SIRC) and an enormous number of organizations looking to join. We have about 140 partners now.
CF: We’re seeing increasing regulation, such as the GDPR, and more discussion of regulation. Is that helping?
RS: The General Data Protection Regulation (GDPR) [and] the EU directive on the security of Networks and Information Systems (NIS directive) kind of place the burden of responsibility onto the organization; in other words, you need to demonstrate the level of due diligence that you’re doing. And to be fair, we’ve had that level of burden for some time now. What I think is beginning to happen is people are becoming more attuned to their expectations of how their data is managed and how their data is processed. There [are] still really enormous examples that things still are really not directly working. The Facebook example with the “View As” feature — it was 50 million accounts, and then Facebook came up with a blog saying, “Don’t worry; it’s only 30 million.” Oh, that’s a relief. So there’s still work to be done. You’ve got these enormous repositories of data, and every single day these repositories are being compromised. Patient records, credit cards, all of this is happening, and it’s having an impact on us as data subjects. And so I think slowly – but surely there is – maybe anger would be a strong word, but a growing sense of concern about how organizations look after our data. And I think you’re seeing people, not the whole society, but people beginning to say “No, I don’t wish to give you this data,” and it’s having a financial impact on organizations. TalkTalk is a great example. They lost tens of millions of dollars and thousands of customers because they were breached and they didn’t look after the data correctly.
CF: Are businesses, enterprises, corporations and other organizations of all kinds making cybersecurity enough of a priority?
RS: I definitely think it’s gotten board attention. I was talking to the chief information security officer (CISO) of a large bank and he said to me that he sees the board more than any other executive, and that’s understandable because a major breach of some description could well have repercussions in terms of somebody’s ability to be able to remain in a job. The challenge that I think we face, though, isn’t does it have the attention that it deserves — but there are some fundamental issues that we have within the industry. First of all, we’ve got this challenge of asymmetry of information. If a criminal wants to know what we are doing against ransomware, they can attend one of my talks, they can listen to a webcast, they can download a white paper, they can read our blogs, and they can even follow us on Twitter. If we want to know what they’re doing, we only can find out once the attack has happened and once we’ve managed to get samples, and we have to reverse-engineer and then we can try to piece together what we think is happening. That’s completely unfair. In terms of the asymmetry of information, we are completely open and transparent, and they are the complete opposite.
The other issue we face today is, it’s difficult to articulate the value of security. A good CISO, for example, it will be quiet, there will be no issues, the board will never hear from them, everything is good. A CISO who’s unfortunate or may not be very good at their job actually will end up being on the front page of newspapers. But there’s no middle ground. The good CISO has the challenge whereby if they ask for more budget, like marketing, marketing will bring revenue to the company. A good CISO may run an awareness campaign and all of a sudden … they’ve got more events because more people are aware of what to look for. So you end up creating more work by investing in security, whereas in marketing and HR, and other areas, you actually enable the business to do more. And I think this is probably one of the challenges that we as an industry need to begin to address, which is addressing that value proposition, making sure the business is aware and really actually becoming an enabler, not just talking about enabling.
CF: Is the way partners deliver security in the UK and EU different than how it’s delivered in the United States?
RS: I think globally you’re seeing a change in the way that partners are seen. The threat is a lot more evolved than it used to be. When I got into this industry, being secure simply meant switching off modems on desks. It really was as simple as that. Today, the number of devices that you have connected in your own home is dizzying, let alone in an organization. So I think what you’re seeing more of – and I hate the term trusted adviser because it’s just overused – but the reality is the definition of a partner is somebody that’s there for you. If an organization suffers from a ransomware attack, you’re going to call the partner, and can the partner respond, can the partner provide the necessary information, can they have people on site halfway across the world within a few hours, can they get you back up and online. And we get phone calls on a very recurring basis from organizations that have suffered a major breach and we’ve got to find out [if we can] fly somebody halfway around the world, to Asia, to Eastern Europe. Those are the challenges that I think partners are being asked more of, and I think we can sully the term trusted adviser — but it is just that. When I was a CISO, my trusted advisers were big technology players and the database vendors, whereas now I think the security companies themselves and their partners need to be those trusted advisers, the people you can call on and can have that relationship with. So I think there’s work to be done for us as an industry.
CF: We’re seeing IoT exploding globally. How is all of that going to be secured?
RS: It won’t — and that’s the reality. The majority of it won’t be and isn’t today.
CF: So where do you go? It’s wide open.
RS: That’s exactly why we have the likes of the Mirai botnet, because these devices are coming out that are basically sh***y; they have default passwords, they have weak authentication, they are open as anything and they are effectively an open window to your home and your business. There are beginning to be some changes. California, for example, is the first territory that has dictated that by 2020, you’re not going to be allowed to use weak passwords. The U.K., through the Department for Digital, Culture, Media and Sport, just issued guidance, which is a voluntary code of practice. So I anticipate what you’ll begin to see [are] regulatory controls on organizations that don’t put the right level of control in to begin to address that. But it’s very difficult because this is a global industry and a global issue. If California has secure devices and the rest of the world doesn’t, then Mirai will just use devices from all across the world. We live in a society in which security is never the first thing ever discussed. You look at the functionality, you look at the cool factor, and unless the market begins to demand those particular requirements, that’s the way that things are going to be. These devices are coming out and people are just rushing headlong first into giving away insights into their home, how they eat, what they do, what they listen to, what they watch — and we’re paying for the privilege of giving our data away.
CF: What’s your prediction as far as the next big threat?
RS: In November we’ll be presenting our 2019 threat predictions. We’ve got a number of these predictions coming out. I think this year has been the year of major nation-state attacks, more so than anything we’ve seen before. I think these major identity platforms – you look at the Facebooks of this world – there is an emerging trend of these particular environments being utilized, compromised and manipulated by adversaries across the world. And not just threat actors, but large corporations looking to manipulate them. I anticipate identity – and certainly identity on these type of platforms – to be a major cause of concern for us as a society. You use these identity platforms to not only log into a social network, but you use them for nearly every asset you use online. When you log in, you use all of these different types of identities to authenticate you across multiple platforms.
CF: Is there real progress being made in the war on cybercrime?
RS: There are people who are being arrested and there are people who are being indicted. There is the disruption and takedown of criminal infrastructure. It is happening today. So it is positive, but it’s like swimming upstream. Every single person across the planet today has the ability to become a cybercriminal with access to a browser and about 10 minutes of reading — if that. They’re recruiting what we would call ransomware affiliates. It’s accessible and available for anybody to become a criminal. You wouldn’t anticipate people to walk out and try to rob a bank, but [when] a couple of mouse clicks gives you maybe $5,000-$10,000 a month, it’s different. The psychological barriers to become a cybercriminal compared to a physical criminal I think are way, way lower. We’re dealing with this world in which nation-states are moving away from traditional warfare to electronic warfare because it’s cheaper. You’ve got non-repudiation, you don’t have to leave your borders, all of these things. So that’s the challenge that we’re facing. We’ve literally just opened these floodgates and there’s so much of it. It is exhausting and relentless, but we do have wins.