Risky Business #772 -- Salt Typhoon is truly a national security disaster
Nov 27, 2024
auto_awesome
Matt Muller from Tines, a security automation expert, dives into the provocative assertion by Gartner that SOAR is dead. The chat reveals the complexities of ransomware attacks, focusing on Blue Yonder and the tough choices companies must make when traditional recovery fails. They also discuss how the evolving tactics of state-backed hackers, particularly Salt Typhoon's telecom assaults, have raised national security alarms. The conversation wraps up with insights on the integration of AI in security and the necessity for adaptive approaches in ever-changing cyber landscapes.
The ransomware attack on Blue Yonder has severely disrupted operations for many clients, highlighting vulnerabilities in the supply chain software sector.
Russian espionage tactics using Wi-Fi to transition between networks demonstrate existing vulnerabilities in cybersecurity techniques rather than introducing entirely new threats.
China's internal security weaknesses are exposed as surveillance state workers sell access to sensitive data, potentially providing leverage for Western intelligence.
Deep dives
Significant Ransomware Attack on Blue Yonder
A notable ransomware attack has severely impacted Blue Yonder, a company specializing in supply chain and HR management solutions. The attack has disrupted their service offerings, leaving customers scrambling to revert to manual processes for operations like timesheet management, as seen with Starbucks. Details about the ransom or the attackers remain scarce, leading to speculation about the potential loss of data and the state of ongoing negotiations with the attackers. The ambiguity surrounding restoration timelines and the vague updates from Blue Yonder suggest that their predicament is quite dire, potentially impacting a wide range of customers reliant on their services.
APT28's Wi-Fi Exploit
A fascinating development reported by Vilexity revealed that Russian espionage group APT28 utilized Wi-Fi to transition between networks during cyberattacks, a technique not frequently highlighted in public forums. While this could appear groundbreaking, experts noted that methods akin to this have been employed in red team exercises and are not entirely novel. The exploitation involved accessing a device within close proximity to the actual target, subsequently using its Wi-Fi connection for the attack, showcasing an innovative approach to compromising networks. Despite the significant implications of this tactic, it reflects existing vulnerabilities rather than present entirely new methods of attack.
Concerns Over Source Leakage from Salt Typhoon
New reports indicate that a recent cyber breach known as Salt Typhoon may have compromised sensitive communications detailed by the FBI, raising alarms over the security of their informants. The breach reportedly allowed unauthorized access to monitoring systems, potentially exposing sources and valuable intelligence to adversaries. The involvement of older networking equipment in the breach underscores the vulnerability of legacy systems, raising questions about the security practices of U.S. telecom networks. With the growing recognition of these risks, policymakers are being urged to address these systemic weaknesses before further damage occurs.
Chinese Espionage and Data Breaching Insights
A report highlighted the troubling trend of Chinese surveillance personnel selling access to sensitive data, exposing a significant vulnerability in their internal security structures. Workers within these government surveillance apparatuses, disillusioned by low salaries, have reportedly been providing direct access to various databases to underground data brokers for cash. This notable disparity in economic conditions raises concerns about potential exploitation, providing opportunities for Western intelligence agencies to leverage this weakness. The emerging underground market, combined with data breaches, has further complicated security and operational capabilities for China, indicating a potential strategic advantage for opposing forces.
Response to SOAR Being Declared 'Dead'
Gartner's claim that Security Orchestration, Automation, and Response (SOAR) is 'dead' has stirred controversy in the cybersecurity sector, leading to discussions on the evolution of automation in security. Advocates argue that the category of SOAR may not have reached its expected potential due to a focus on legacy solutions and the limited scope of automation beyond Security Operations Centers (SOCs). The introduction of advanced AI technologies, such as large language models, offers new opportunities for automation and efficiency, suggesting that the concept of security orchestration is far from extinct. Rather than dismissing SOAR, the industry is shifting towards an integrated approach that harnesses both AI and traditional automation methodologies to address complex security challenges.
On this week’s show, Patrick Gray and Adam Boileau discuss the week’s cybersecurity news, including:
A ransomware attack has crippled US supply chain software provider Blue Yonder
Russian spies hack nearby wifi to get to their targets, but that doesn’t seem surprising?
Salt Typhoon’s attacks on telcos are hard to solve and big on impact
China’s surveillance state workers sell their access at home
Palo Alto is bad and should feel bad
And much, much more.
In this week’s sponsor interview Patrick Gray chats with Matt Muller from Tines about Gartner’s “spicy take” that the SOAR category is dead. SOAR is dead! Long live SOAR!
