Cybersecurity Shorts: Western Digital Storage Drive Hack, DOE Cybersecurity Budget Request, Bill Requiring Cyber Breach Reporting
by Shelly Kramer | June 30, 2021

In this episode of the Futurum Tech Webcast, Cybersecurity Shorts series, I’m joined by my colleague and fellow analyst Fred McClimans, for a conversation about the goings on in the world of cybersecurity. Our conversation covered:

  • Storage drive maker Western Digital tells owners of its WD My Book Live and My Book Live Duo to disconnect from the internet immediately. What’s the responsibility of a brand that stops supporting equipment still in use when that equipment is hacked? What are the ramifications for users, and what kind of loss are we talking about?
  • Antivirus software maker John McAfee, a pioneer in many ways and a rebel in many others, took his life while awaiting extradition in a Spanish prison. Our conversation touched on some of McAfee’s accomplishments and how he ended up in jail.
  • The DOE has requested some $201 million earmarked for cybersecurity in its 2022 budget request. This joins requests by the Biden administration for $9.8 billion for federal civilian cybersecurity and $10.4 billion requested by the Pentagon.
  • Senators draft a bill that would require vendors of the Federal government to report cyber breaches within 24 hours.

And we wrapped up our show talking about some new malware to be on the lookout for and a ransomware note:

  • VMware bug in the Carbon Black App Control (AppC) management server, and another high-risk bug in VMware Tools, VMware Remote Console for Windows, and VMware App Volumes products.
  • LV ransomware appears to have the same code structure as REvil, which could indicate the code was either sold or shared by another threat actor group.

You can watch this episode here:

Or grab the podcast via Apple, Spotify, or your podcast service of choice here:

Last but not least, if you’ve not yet subscribed to the Futurum YouTube and Futurum Tech Podcast in those channels, take a moment and do that. You won’t be disappointed.

Disclaimer: The Futurum Tech Webcast is for information and entertainment purposes only. Over the course of this podcast, we may talk about companies that are publicly traded and we may even reference that fact and their equity share price, but please do not take anything that we say as a recommendation about what you should do with your investment dollars. We are not investment advisors and we do not ask that you treat us as such.

Transcript:

Shelly Kramer: Hello and welcome to this episode of the Futurum Tech Webcast Cybersecurity Shorts Edition. I’m joined today by my colleague, Fred McClimans. And today we’re going to dive in and talk about some cybersecurity things. So welcome, we’re glad to have you, and hey Fred.

Fred McClimans: Hey Shelly. How are you today?

Shelly Kramer: I’m great.

Fred McClimans: I hear it’s really good to be Friday today.

Shelly Kramer: It is good to be Friday today, and it’s good to have clean clothes, Fred. So what we’re going to talk about first, we’re going to talk about storage drive maker Western Digital, and an alert that the company has sent to customers using its WD My Book Live and WD My Book Live Duo storage drives. And the problem is that some malicious software has been discovered that is erasing customers’ data. And in some cases, the compromises led to the device just being instantly factory reset, which means everything that you thought you had is gone. And the important thing here is that it appears to be only applicable to the My Book Live and the My Book Live Duo devices, in which the Live part of the product names indicates that those devices are connected to the internet, which of course then allows them to be accessed remotely.

The first clue that owners had, or will have, that there’s a problem is when they try to log in, they’ll see an invalid password message. And then what’s happening is that work, photos, documents, years’ worth of work, in some instances, are just disappearing. What I thought was interesting about this is that it does not appear to be a couple of things. One is, it doesn’t appear to be a ransomware situation because the hackers aren’t asking for anything. It kind of looks like somebody just was playing around and wanted to show what they can do, and maybe set things on fire. I think a really important thing to note here is that Western Digital stopped supporting My Book Live in 2015, 6 years ago. That was the date of the last firmware update for both of these devices. And so, of course the company, and this was discovered and talked about in forums of device users, and people are just totally freaking out, understandably, right?

Fred McClimans: As you’d expect, yes.

Shelly Kramer: And the company, of course, is aware of this, and has issued a statement that, customer data is very important to us and we are investigating. And also said that they don’t have any indications of a breach or a compromise of the Western Digital cloud or systems. So, in one sense, it’ll be interesting to see if anything comes of this. I guess probably my most important thing in talking about this today is one, if in some way you live in a world where you’re using these two devices, My Book Live, My Book Live Duo for storage, and you have not heard about this, get that device disconnected from the internet. That’s the advice that Western Digital is giving. And secondly, I mean, we talk about this all the time, but if you’ve got critical information, you have got to have more than one backup. Don’t put all your trust in one basket. And this is a perfect example of some people who are learning about that in a very rough way.

Fred McClimans: Yes. Well, I’m going to sum this up, Shelly, in two letters. XP. Reminds me a lot of the cutoff date for support for Windows XP, and the significant number of users out there, not just individuals, but enterprises-

Shelly Kramer: Absolutely.

Fred McClimans: … that were still running Windows XP in an unpatched mode for years. It is an issue. It is kind of interesting, though. I’m not using one of these devices now, but I did until recently. What’s interesting is, that was one of those devices that was sort of the first hybrid type model. It’s your own private data center in a small form factor.

Shelly Kramer: Right.

Fred McClimans: But it’s accessible across the web. So there were things that you could do with it that you couldn’t do if you would just have a hard drive plugged into your local laptop device there. But it is a huge issue here. I mean, the fact that we allow these devices to kind of lapse from support is an issue for many people, especially people who may have purchased that device when they were very active and now perhaps are a little bit less active with those devices.

Shelly Kramer: Right.

Fred McClimans: It’s a lot of things to keep up with. Now add on top of that, all of the smart devices that we’re bringing into our home. How many of those are going to run into a similar situation-

Shelly Kramer: Right.

Fred McClimans: … where a garage door opener you bought from what looked like a really good company on Amazon may not be around in four or five years. The support, security updates may lapse for that. And at that point, I think a lot of people are just going to have an absolute field day going in and, literally, attacking, turning on and off, spying, whatever you want to do with these devices into people’s lives. And that’s an issue. Significant issue.

Shelly Kramer: You know, and I think, as a final point here, what’s important to recognize is that the lifespan of devices is not what it once was, or at least perhaps it shouldn’t be. You know what I’m saying? And so we all like to buy something and have, even if it’s… Especially if it’s expensive, right? And have it work for a number of years and everything else. But the reality of it is, I don’t know how, if you’re a Western Digital My Book Live customer, I’m assuming they sent plenty of notifications that we’re going to stop supporting this after this update, or something like that.

But I feel like staying on top of things like that. To have a device for six years, it’s kind of a long time today. And just, I think, the importance of staying on top of and saying, “When did I get that router? And when was the last time I did this? And when did I check the security on this?” And as you say, with smart homes, and smart devices filling our homes in an exponential way, I think it is, not only support of those, but just what’s the lifespan here, and when do I need to think about replacing this?

Fred McClimans: Yeah. Technology accumulation, Shelly. And think about all the people who are senior citizens that have been using these devices for years.

Shelly Kramer: Yeah.

Fred McClimans: They’re not keeping up with email necessarily, or even the families. In our case, we installed a device and we stopped using it a while ago, we migrated to something else, but the device sat there.

Shelly Kramer: Yeah.

Fred McClimans: My kids were still doing a little bit of data storage on it. Not everybody’s going to catch that.

Shelly Kramer: Yeah, well, we need to try harder.

Fred McClimans: We do.

Shelly Kramer: So if you are using a Western Digital My Book Live, or My Book Live Duo device, immediately disconnect it from the web, and also get another backup in place. So with that, we’re going to move on. And so next, we’re going to talk about one of the OG rebels out there. Fred, take it away.

Fred McClimans: I suppose you could term John McAfee an OG Rebel. John McAfee, the founder of McAfee software, all the software tools that people used for years back in the ’90s to protect their PCs, the antivirus tools, malware, and so forth, after a very long, 75-year-long, and somewhat controversial life, apparently has taken his own life in a Spanish prison where he was awaiting extradition to the United States for some charges involving taxes and cryptocurrency manipulation. It’s sort of a sad and tragic end to a life that had a lot of tragedy in it. And I think it’s important to just kind of, first, you mentioned him as sort of the OG guy, we owe a debt to John McAfee and McAfee software for what it did for cybersecurity back in the ’90s.

Shelly Kramer: Absolutely.

Fred McClimans: It was one of those tools that, it was the security shield that people used to protect themselves in a very new digital world, but over the subsequent decades, and by the way, he left McAfee in, I think it was ’94. He left McAfee. The company stayed around obviously, but John was involved in a number of different ventures. He faced some allegations of murder, either himself, or perhaps somebody on his behalf, of a neighbor in Belize. He was on the run there for a while. He’s faced charges in a number of different locations. At one point, he even went on a rant a couple of years back and filmed a video instructing people how they could de-install all of the software tools that his former company McAfee had installed onto their systems. Of late, he was really a very strong advocate for cryptocurrencies, digital currencies. But again, even there, very unpredictable and accused of manipulating prices up and down, as well as making millions of dollars and never reporting that for purposes. So, I don’t want his legacy to be just a footnote, but at this point, I think he’s kind of just a footnote, unfortunately.

Shelly Kramer: Yeah. It was interesting news. And anybody who’s certainly been, I mean, as you said, people have been touched by McAfee and his products in ways they didn’t even know it.

Fred McClimans: Right.

Shelly Kramer: But, it was kind of the gold standard, certainly back in the day of security protection and that sort of thing. You know, one thing is I was reading about that, that was really sad, is that McAfee’s father took his own life when he was 15. And it’s a tough road. Tough road, so.

Fred McClimans: It is. It is.

Shelly Kramer: Well, all right, moving along.

Fred McClimans: Yeah.

Shelly Kramer: We’re going to talk now about the DOE asking Congress for 200 million for its cybersecurity budget, following the Colonial Pipeline attack that we’ve weathered in recent weeks. It’s no surprise that the DOE and others are really taking cybersecurity much more seriously, especially as it relates to infrastructure. And we’ve been talking about cybersecurity threats to infrastructure for a very long time, and warning that, and not just us, any experts in this space, warning that this is a reality, this is going to happen. This is happening. But I think that Colonial Pipeline was really kind of a wake-up call, as was the attack on the beef processing plant, I think.

Fred McClimans: Yeah.

Shelly Kramer: So in any event, the DOE has asked Congress for 201 million in its 2022 budget, specifically to address vulnerabilities in the wake of what is easily described as a relentless increase in cyber attacks. This request is up from 157 million in 2021, and it’s intended to help fill gaps in tech infrastructure and the supply chain. Beef processing plant, Colonial Pipeline.

Fred McClimans: Yeah.

Shelly Kramer: And the DOE also needs to upgrade software, hire additional cybersecurity staffers, and update policies and standards. In her testimony about the request, Secretary of Energy, Jennifer Granholm, told the Senate Arms Committee on Thursday, that part of the problem that they’re dealing with is the inability of the government to have insight into what’s happening in the private sector. And that really does make perfect sense, because the reality of it is, private sector, again, Colonial Pipeline, for example, or there was a wastewater treatment plant in Florida, I think, that suffered a cybersecurity attack recently. So these private organizations exist and have problems, but there’s no collaboration, there’s no communication.

The government has no insight into what’s happening, what practices and procedures are happening, or anything else. And so that’s really part of, I think, the focus on updating policies and standards and just taking a look at, this is how we’ve been doing it, but this is not working. And this doesn’t necessarily mean, to my interpretation, this doesn’t mean that the government’s looking to oversee public companies. But there has to be some way to connect and collaborate what’s going on in the private sector to what’s going on in the government sector and make sure that we’re all working together.

Fred McClimans: Right.

Shelly Kramer: And one final note here is that the Biden administration is asking Congress for 9.8 billion for federal cybersecurity in 2022. That’s about a 15% increase over last year. And not to be outdone, the Pentagon is requesting 10.4 billion in 2022 for its cybersecurity budget. So I think it’s safe to say that cybersecurity is on everybody’s minds.

Fred McClimans: Yeah, it is. And it should be. What I think is interesting about this is not everybody recognizes that the Department of Energy, as you’ve mentioned, where was the testimony? Armed services. That’s because the Department of Energy controls the nuclear stockpile of weapons in the United States.

Shelly Kramer: Right.

Fred McClimans: A very important thing that we would like to keep secure and something that does rely on a massive extended supply chain.

Shelly Kramer: Yeah.

Fred McClimans: But I think, if you look at that budget, I kind of saw that and I said, “I’m not sure that’s even enough.”

Shelly Kramer: Right.

Fred McClimans: Which is a sad testimony on where we are today. But I do think that they’re going in the right direction. And I’m hoping that there’s at least part of this that gets carved out into some behavioral management, because right now we’re still just throwing technology at the system. They’re talking about what can we do to improve the tech cyber defenses that we have? But in reality, there’s a lot of behaviors that we’ve been doing for years, because why? In the early days digital tech wasn’t networked, it wasn’t accessible. It was still air gapped off from everything else. Today, it’s not. Everything is connected.

And we need to rethink, not just the way we’re securing our systems, but the way we implement our systems in general, asking a very big question at times, if there is a risk of this being compromised, do we even want to do it this way? And it may be that the alternatives are a little bit more painful, a little bit more costly, perhaps, but if they prevent or add an element of risk mitigation and protection to a system that’s otherwise easily attacked, we need to start thinking about that now, before it’s much too late.

Shelly Kramer: I agree. No argument from me on that front. Well, speaking of the government-

Fred McClimans: Yes.

Shelly Kramer: I think we’re going to move on.

Fred McClimans: Yeah. So the federal government is actually doing some things. Well, let me qualify that. Senators Warner, Rubio and Collins have joined forces here, and they are circulating a draft bill that would mandate some 24-hour disclosures about cyber attacks within organizations that are either within the federal government, or directly supporting the federal government through federal contracts. Now, this is something that has been proposed in the past at various times, but I don’t think there’s ever been quite the sense of urgency that there is today about actually putting something in the law that says, if you are attacked, you need to disclose that to the federal government if it involves something related to the federal government.

Now there are exceptions carved into this, and there’s also some liability waivers that are in the draft version of the bill that would serve as sort of an inducement for organizations to actually admit very rapidly, we have an issue, we’ve been attacked. And that has been sort of an issue in the past with cyber breaches. We’ve seen a very familiar pattern in the private sector, and even in the government sector to a bit, where a breach occurs, damage control is initiated internally, and then the breach is disclosed, but usually after somebody else figures it out first. And that’s just the wrong way to do it, because in that interim period, data is compromised. Individuals’ lives are compromised and at risk. So hopefully this resolves some of this here. I will say that it’s probably not going to be as aggressive as I would like it to be, or as expansive. Again, it only deals with organizations that are dealing directly with the federal government.

Shelly Kramer: Right.

Fred McClimans: I think there’s probably a larger set of regulations that we need to discuss that apply to the true private sector serving direct consumers in there, but at least we’re moving down that road. And I think that’s a good positive here.

Shelly Kramer: Yeah, I do as well. I think that there’s a couple of different thoughts that I have. One is that, in many instances, it’s not the organization itself who discovers the problem.

Fred McClimans: Right.

Shelly Kramer: The breach. And in more instances than I can count it’s been cybersecurity, threat, researchers, experts who-

Fred McClimans: The bug hunters.

Shelly Kramer: Absolutely. Who, thank goodness they exist. Right? Who discover the breach, who report it. I know for sure, top of mind, this happened in the Peloton breach, which certainly wasn’t related to the federal government, except for, as you and I have talked in another webcast…

Fred McClimans: Yes. President Biden.

Shelly Kramer: Our president is a Peloton user. But anyway, the breach discovered, reported to the organization, the organization says, “Oh, gee, thanks.” Doesn’t do anything. And usually what the cybersecurity experts do, I think there’s a window of time that they provide, “Here’s notice that we found this, and you have this amount of time to fix it before we report it.” And I can’t remember what that timeframe is. I want to… Six weeks stays in my head, but that’s totally a reach. I mean, it’s just a guess. And I know we talked about it in our prior webcast, I just can’t remember the detail. But that’s a long time.

Fred McClimans: No, it is. Absolutely. But even there, there’s an issue of, once a company becomes aware that somebody has notified them, “Hey, here’s something that I’ve discovered.” Them even acknowledging that this is legitimate, you’ve found something that needs to be addressed. I mean, look at the case of Microsoft, and how long it took them to just initially acknowledge that, “Yes, somebody has discovered a vulnerability in our system.”

Shelly Kramer: Right.

Fred McClimans: And it wasn’t until it was made public that action really started to take place on that. But maybe one answer here, Shelly, is to actually start to have a coordinated system for vetting bugs that have been discovered, or breaches that have been discovered, so in a centralized way, and rewarding those that discover and disclose those to the companies.

Shelly Kramer: Yeah.

Fred McClimans: There are bug hunting programs out there, but they’re inconsistent. And I think, if perhaps that was a little bit better organized and maybe a little bit better funded, you might have more people vetting these things faster rather than later.

Shelly Kramer: Yeah, absolutely. I think there is something, something needs to happen in this space. And I think even, again, I think that the folks who discovered the SolarWinds attack, it wasn’t SolarWinds, it was cybersecurity experts. So, I do think, and by the way, SolarWinds, definite government contractor, right?

Fred McClimans: Absolutely.

Shelly Kramer: So perfect example.

Fred McClimans: A global government contract.

Shelly Kramer: A global government contract. So perfect example of how important this is. And I’ve heard feedback about this proposal in the past in terms of mandatory reporting, and people pushing back about that, and there’s security implications, and blah, blah, blah. But the reality of it is, especially as it relates to anyone doing business with the federal government, or any federal government, there really does need to be some mandates in place there, I think.

Fred McClimans: Yeah.

Shelly Kramer: I mean, I feel like this is a game of whack-a-mole, right? Here’s one over here. No, wait, here’s one over here. And it keeps getting worse, and it’s going to keep getting worse. And it’s kind of like going back to how we started our conversation, talking about the Western Digital storage drives. It’s like what’s happening out there in terms of threat actors is it’s, in some instances, it’s just because I can. I’m going to mess with you just because I can. And in many instances, of course, we also know that this is a very, very lucrative, hacking is a very, very lucrative, and ransomware, are very, very lucrative professions, so.

Fred McClimans: It is, indeed.

Shelly Kramer: Let’s not guess that, that one is going to stop.

Fred McClimans: There’s one thing that would be interesting here, kind of combining a couple of the different stories that we’re talking about here today, take this legislation and then take DOE’s request for funding.

Shelly Kramer: Yeah.

Fred McClimans: Wouldn’t it be interesting if we combine that with the administration’s overall infrastructure plan and said, “Here you go. We’re going to give every private business out here X number of dollars. And what we want you to do is discover all the shadow ware and shadow data that you have in your system that you don’t know about.”

Shelly Kramer: Right.

Fred McClimans: I mean, that would be a phenomenal initiative right there. Very focused, here’s your target, here’s what we want to do. But think about over the past-

Shelly Kramer: And here’s the money to do it.

Fred McClimans: Here’s the money to do it. But over the past decades, how many devices have been brought into a system, replaced by something else, usually gradually over a period of time, and then just left sitting in the system. And certainly today, as we go into this work from home digital hybrid mode of business operations, there’s even more of that that’s sitting out there now that, in many cases, has been connected into the network that people don’t even know was ever there into the network. So that would be an interesting thing if we could kind of find a way to make that particular type of initiative happen.

Shelly Kramer: Yeah. That would be very cool. Although we have a difficult time, it seems, agreeing on what infrastructure really is. And the reality of it is, is that, technology, and the internet, and all of the things connected to it, that is the infrastructure of this century. And really understanding what is involved in protecting it is tremendously important.

Fred McClimans: Yep.

Shelly Kramer: All right. Well, we’ve talked about lots of different things and we’re going to wrap up this show talking about some malware we think you ought to be concerned about. So, there’s a VMware bug in the Carbon Black App Control management server. VMware has fixed this bug. The service’s job, just to give you a little backstory. The service’s job is to lock down critical systems and servers so they can’t be changed. And it also helps companies ensure that they’re in compliance with regulatory mandates. So kind of an important system, right?

Fred McClimans: Kind of important. Yes.

Shelly Kramer: Kind of important. This bug gives attackers admin rights with no authentication required, which would let them, of course, attack anything from point of sale systems to industrial control systems. So, yikes. The bug is an authentication bypass that could enable an attacker with network access to the server to get admin privileges without needing to authenticate. And depending on the situations, threat actors could potentially exploit this vulnerability to attack, as I said, lots of different systems. Now patches have been issued by VMware.

According to VMware this is kind of the money line here. According to VMware… Let me say this again. According to VMware, the authentication bypass bug affects AppC versions 8.0, 8.1, 8.5 before 8.5.8 and 8.6 before 8.6.2. Again, patches have been issued by VMware. So if you’re running this, you need to get those patches applied.

Also, as if that’s not enough, VMware also published a security advisory for another high-risk bug. This one is in VMware Tools, VMware Remote Console for Windows, and VMware App Volumes products. This bug hasn’t yet been rated, but VMware says it’s a pretty high severity, around 7.8. There is no workaround for this bug either, and admins should patch it as quickly as possible. And the one thing that I didn’t mention about the first bug that I talked about, this bug was identified by VMware in the security range of a measly 9.4 out of a possible 10. So do not delay.

Fred McClimans: No, no. I think the message here is, if your organization uses VMware-

Shelly Kramer: Period.

Fred McClimans: … or even if you’re not sure your organization uses VMware-

Shelly Kramer: Right.

Fred McClimans: … go ahead and ask these questions now, because most organizations, they have a process to get the updates and so forth, but they don’t always work the way we’d like them to work.

Shelly Kramer: Right.

Fred McClimans: We’ve just seen that in practical applications. So yeah, ask these questions. If you’re a CSO, if you’re a CEO, a senior executive in an organization, if you’re not suggesting, “Hey, part of our risk management strategy for our entire business needs to be a process to ensure that all of these tools are updated on a regular basis, that we’re aware of what’s going on.” I mean, you’ve got to do that, otherwise, you’re just kind of setting yourself up for a failure at some point.

Shelly Kramer: Yeah. And I think that the big challenge is that our tech stacks have become so, so big, and so spread out. And so it’s impossible for a lot of people to really understand that volume of tools, and platforms, and everything else that we’re using at any given time. So I think the important thing is, when you hear VMware and you think, “Wait a minute, I know that’s one of our vendors. Is this something we need to be worried about?” That’s really, you need to be really paying attention to conversations like this. And there’s my dog saying hi, but yeah, I think that this is a hard job.

Fred McClimans: It is. It is. So think about this for a moment. We were talking about the issues of shadow ware, and the legacy devices sitting in here. Maybe there’s some opportunity here to do something similar to the recycling DOC effort, plastic cans and bottles. Here’s a product that you’re purchasing and we’ll give you a rebate of X number of dollars that, when you’re done using it, you let us know and we’ll help you uninstall it and remove it and clean everything up.

Shelly Kramer: I think that sounds like a great product.

Fred McClimans: Just a thought there. So Shelly, I would like to talk with one final issue here about ransomware, and something that we’ve seen that I think is going to be somewhat of a game changing event that we’ve talked about in the past. And that’s the repurposing of REvil’s ransomware by third parties out there. So as we know, there’ve been a number of attacks. REvil has built, literally, a ransomware as a service offering out there in the dark web where organizations can literally pay to use ransomware’s resources. Their software, their payment systems, even help targeting and accessing potential threats or potential organizations out there.

That was the same thing that we saw with the most recent attack on the Colonial Pipeline that was an offshoot of that particular group. But now we’ve seen something that is probably even more disconcerting here. It’s not just another ransomware as a service program out there. And before I get into that, let me just say that REvil and the more recent Dark Shadow. Dark Shadow?

Shelly Kramer: DarkSide?

Fred McClimans: No. I think it was Dark… I’m drawing a blank on that for whatever reason. The Colonial Pipeline hackers who disbanded after the government seized some of their assets and recovered some of the money, that particular organization liked to think of themselves as ethical ransomware hackers, only trying to target organizations that didn’t put people’s lives at risk. Okay. So where-

Shelly Kramer: It is DarkSide, by the way.

Fred McClimans: It is DarkSide. Okay. I keep confusing that with Far Side. Every time I hear DarkSide I want to think Far Side and the comic strip. So in any event, one of the concerns that we’ve spoken about in the past is, what happens when somebody uses ransomware software, for lack of a better phrase, unethically, or uses it to not actually extract ransom money, but simply to disrupt? That’s a very dangerous thing. And we’re starting to see the beginning of that with a new group called LV, that apparently has repurposed REvil’s ransomware software.

And when I say repurposed here, it looks like what they’ve done, according to Secureworks and some really good investigation work they did there, it looks like this group has literally hijacked the REvil software, changed a few pieces of code to allow it to operate independently. And the risk here is that what you see happening is the same technology that we use to protect our networks is now obviously being used to infiltrate networks. The ransomware tools that are being used are now being repurposed and used by others that may lack, I don’t know, ethics, discipline. I’m not sure that’s the right way to put it. But think of it this way, once that software stack is out there and it goes onto the dark web and anybody can access it-

Shelly Kramer: Right.

Fred McClimans: … the number of people that are going to be locking down organizations’ data is scary. So this is something that I think we really need to start thinking a little bit more about, and organizations need to be thinking about what happens when that ransomware attack is really not a ransom attack. It’s more a disrupt or shut down attack for these organizations. That puts situations like the meatpacking company, like Colonial Pipeline, in a very different mode, because there’s no ransom that you can pay to turn things back on very quickly. And again, with this kind of a shift here, it opens up the risk to people who are more thinking of things on a political level to have access to these tools on a broader scale.

Shelly Kramer: Absolutely.

Fred McClimans: So something to think about.

Shelly Kramer: I have so much respect for CSOs, and really anyone involved in the cybersecurity operations of a business of any kind, because it has got to be, absolutely, one of the most stressful jobs that there is. And again, I mentioned it’s like playing whack-a-mole, right? And you think you’ve got everything taken care of and then…

Fred McClimans: Yeah.

Shelly Kramer: Anyway, it’s really interesting. And it’s funny, I think about you talking about ethical hackers. It really is very difficult to think about any of these groups, in any way, behaving in an ethical manner, because that’s not really what they’re in it for. They’re either nation-state threat actors that are trying to get access on behalf of China, or Russia, or North Korea, or there are people who are trying to make money, or there are people who just want to get in and blow things up, like we saw earlier in our conversation. So I just don’t think that this is a profession, as a whole, that is driven in any way by ethics.

Fred McClimans: No. I mean, that’s kind of like calling organized crime ethical, because they have rules.

Shelly Kramer: Right. Or compassion.

Fred McClimans: Yeah, or compassion. Anything [crosstalk]. I mean, they have tried, they have donated substantial amounts of money, from the money they have ransomed and extorted from others, to charitable causes. And those charitable causes are turning it right back, going, “We don’t want your Bitcoin.” Thank you, but no thank you.

Shelly Kramer: It doesn’t make you good.

Fred McClimans: It does not make you good. You’re not Robin Hood, so get over that. But it is interesting to even hear this new group LV. One of the components that Secureworks identified of this was a couple of sites where it looked like what they were intending to do, or doing at this point, is actually posting data to shame their victims into paying. So it’s just ugly. It’s just ugly, no matter how you look at it.

Shelly Kramer: Well, on that ugly note I’m going to think of something uplifting. Fred, it is always my pleasure to share gray matter with you, and to learn along with you, and to learn from you. And I really enjoy this Cybersecurity Shorts series, and thank you for participating with me in it and thank you for-

Fred McClimans: I feel the same, Shelly. I learn everything. Every time I learn from you.

Shelly Kramer: Absolutely. Well, that’s a good thing, right?

Fred McClimans: It is.

Shelly Kramer: We are lucky to have work that is pretty fulfilling. So I count my blessings on a daily basis that I get to spend my time learning, and researching, and writing. And we are. We’re very fortunate. And for that we are grateful, and we are also grateful to you, our audience, for hanging out with us today. We always appreciate that, and make sure to hit that subscribe button, whether you’re watching on YouTube, you can subscribe to our YouTube channel, or if you’re listening on the podcast and you haven’t yet subscribed, just hit the subscribe button because we’d love to have you. And with that, have a great rest of the day.

About the Author

A serial entrepreneur with a technology centric focus, Shelly has worked with some of the world’s largest brands to lead them into the digital space, embrace disruption, understand the reality of the connected customer, and help navigate the process of Digital Transformation.