Only Malware in the Building 7.2.24
Ep 2 | 7.2.24

Operation Endgame: The ultimate troll patrol.

Transcript

Announcer: This week on "Only Malware in the Building."

Rick Howard: You make it sound like you're narrating a Ken Burns documentary. It's not that serious, my friend.

Dave Bittner: I don't know, it's sporx dealer with an "X."

Selena Larson: Perhaps encouraging threat actors to sleep with pajamas on in the future.

Rick Howard: Really take stock and think whether or not this is worth the effort.

Selena Larson: I like to think the request is submitted in emoji.

Rick Howard: That was an Apple IIc, for that matter, for those of you wanting to know that, okay?

Dave Bittner: Yes, there's the distinction without a difference.

Selena Larson: Dave, what are your dips today?

Dave Bittner: I'm not sharing my dips with my podcast cohost Rick. He has already taken my airtime, he is not taking my dips, too.

>> In a world where the cyber good guys have finally had enough. This summer, Only Malware in the Building. It's going to be money well spent, trust me. [ Music ]

Selena Larson: You guys might remember last time when we talked about "the curious case of the missing IcedID." Well, we got a little bit of an answer with "Operation Endgame." This was a major law enforcement activity called "Operation Endgame," and it was a widespread effort to disrupt malware and botnet infrastructure and identify the alleged individuals associated with the activity. Europol called it "the largest operation ever against botnets." And IcedID was one of the malware, including SystemBC, Pikabot, Smokeloader, Bumblebee, and Trickbot that were also announced as part of this takedown.

Rick Howard: Can I just say, I think we mentioned this in the last show, okay, I love that we have all those stupid names. If it wasn't for that, I don't think I would be a cybersecurity person.

Dave Bittner: Speak for yourself. I'm the one who has to say all those stupid names. Oh, I don't know, it's "sporx dealer" with an 'X.' Great.

Selena Larson: No, don't give him any ideas, Dave. I don't want to write that one down.

Rick Howard: I've already written it down. "Sporx dealer" with an 'X,' that's my new favorite adversary campaign.

Dave Bittner: Right, yeah. Somebody needs to make a T-shirt that says that, "sporx dealer," with an 'X.' I have to apologize to both of you. I'm a little behind the game here. The producers told me that this was going to be on camera, so I'm actually wearing two layers of Spanx.

Selena Larson: Spanx Loader, that's where you're getting that from.

Rick Howard: Spanx Loader, yeah. I can barely breathe here, so. All right, well, Selena, take us through this. I mean, did we see this coming? Was there any scuttlebutt that something like this was underway?

Selena Larson: So I think it was kept pretty closely under wraps. Obviously, this was a large private-public partnership success. So there were of course some private organizations involved as well as a lot of various global law enforcement. And so it was really cool to see this coordinated effort. And you know, you mentioned all these silly malware names? Well, I have to say, part of "Operation Endgame" was releasing Hollywood-style videos on all of the malware and the suspected usernames of folks behind it. It's almost as if Ryan Reynolds directed a malware disruption. It's fantastic. They're really leaning into the trolling of threat actors.

Rick Howard: I have a whole image of Ryan Reynolds trolling a bunch of malware-producing criminals. That is right up my alley.

Selena Larson: Oh, it's fantastic! They have these great videos. Some are in 8-bit. Others are cartoons. It's just very, very fun.

Dave Bittner: I want to know how the people who got those made went to their bosses and got the budgets approved, like in the federal government. No, seriously, this is going to be money well spent, trust me.

Rick Howard: No, no, hear me out.

Selena Larson: I like to think the request was submitted in emoji.

Dave Bittner: Oh, I like that, I like that, yes. I mean, it's interesting to think about how law enforcement was able to get the drop on these folks, to listen in on their things. Selena, did you know that Rick is actually an old signals intelligence officer?

Rick Howard: Damn straight, I am.

Selena Larson: I didn't know that.

Dave Bittner: And by "old" I mean his first job was tapping out Morse code for the transcontinental railroad.

Rick Howard: And I am still waiting for an answer back on that first message.

Selena Larson: Well, I do think that this was an awesome and fantastic effort by a lot of the folks that were involved. I know that we've seen takedowns before, where it's like, oh, we're taking down chat, we're taking down QBot. But they don't have necessarily multiple legs in this chair. So with "Operation Endgame," you had people that were also arrested as part of it and identified as part of these disruptions. So when you have the infrastructure taken down, as well as the people behind it potentially impacted, you have a little bit more sort of reach and success. And what is absolutely fantastic is this "Operation Endgame" really cuts off ransomware operators at the knees. This is the entire ecosystem supporting the ransomware, not just the ransomware actors themselves.

Rick Howard: Well, talk to me about that. Because usually bad actors in the cyber space, they're hiding in countries that we can't get access to. Why did some of these expose themselves to law enforcement so they could get arrested?

Selena Larson: Well, I have to say, Ukraine police, the Ukraine cyber police, tweeted some photos of the arrest that they had made in Ukraine as well as some recording coming up out of other places. But that's part of it, right? So Ukraine was very much involved in and part of this disruption. And I have to say, some of the images might not be safe for work.

Rick Howard: Wait, what's that URL again? Let me go write it down.

Selena Larson: They fully exposed.

Dave Bittner: Oh, my.

Rick Howard: Oh, wow.

Selena Larson: A potential person that was allegedly involved in the "Operation Endgame."

Dave Bittner: Yeah.

Rick Howard: In their trolling expedition, okay, I love it.

Dave Bittner: I mean, a lot of times, these Eastern European Russian gangsters, like part of the crime is their choice in outfits, the fashion. They just love their animal prints, don't they?

Selena Larson: Oh, my gosh, yes, the cheetah print.

Dave Bittner: Right.

Selena Larson: Yeah, there was that famous photo by one notable Russian cyber criminal threat actor that was in his cheetah print, holding his cat, also. And it was like a very unique cat, and they matched, yes.

Dave Bittner: Right, it was like a lynx or something, like he borrowed from the zoo.

Rick Howard: Yeah, but the one you're talking about, Selena, no cheetah print here. This was in his birthday suit. If that's what I understand you were saying?

Selena Larson: Yeah, yeah. Perhaps encouraging threat actors to sleep with pajamas on in the future.

Dave Bittner: That is adding insult to injury, right?

Selena Larson: Definitely. Well, we've seen this idea of trolling cyber criminals. We saw it certainly with "Operation Endgame." But there's a fantastic writeup in Wired that hopefully we can link to in the Show Notes about how Western law enforcement have just kind of turned to these psychological measures, just messing with the threat actors, right? It's not just enough to knock down their infrastructure and have a press conference. But a good example of this is the LockBit disruption with the UK's NCA really leading the campaign to sort of troll them and write on their own link site, like, ha-ha, we got you. And then there was a lot of sort of back-and-forth and a lot of talk on social media that had all this like trolling, joking, kind of poking fun behavior, which is I feel like a good -- we're moving in the right direction here. You'll have to see it, you know?

Rick Howard: Well, I had an old Army boss of mine that used to say, you know, just because you take a swing at a guy doesn't mean he's going to give up. And you worry that trolling as a, I don't know, influence operation or a counterintelligence kind of a thing, what do you think the reaction's going to be to the criminal underground once they get reorganized?

Selena Larson: Well, so that's a good question, right? I think part of this is not just psychological operations against the people themselves, the specific malware, but also the ecosystem, sowing distrust and uncertainty and trying to think of who can I trust now, right? Like, oh, law enforcement could potentially be on this person's trail. Is this a good person to even have a business interaction with? Is this something that I can trust them in the future? So it's really interesting to see not only the impact to the individuals involved but also the ecosystem and this mistrust and confusion and like, oh, maybe I don't want to work with them in the future.

Rick Howard: So this is an uptick, right? This is a change in direction for law enforcement. It wasn't too long ago that law enforcement, I mean, official law enforcement, like the FBI, only thought they could get after these folks by arresting them and putting them on trial. But it seems like in the last couple of years, they've decided that it's okay to unleash the hounds, as they say, right, and do all kinds of vectors of disrupting this kind of activity. Trolling is one of them, but offensive operations and other kinds of things, right? And it seems to be a lot of that going on in the last year or so.

Selena Larson: I do think it's exciting to see more activity like that. You mentioned "unleash the hounds," I like to think it's unleashing the millennials and GenZ.

Rick Howard: That's a scary thought.

Dave Bittner: Oh, no. Well, so much for us, Rick.

Rick Howard: They're coming for us next, Dave, is what they're doing.

Dave Bittner: Yeah.

Selena Larson: Malware and Rick both have one thing in common: they love to come back just when you think you've gotten rid of them for good.

Dave Bittner: I made the mistake of driving Rick to the Apple Store last week.

Rick Howard: Oh, no.

Dave Bittner: And we were asked to leave after he kept badgering the poor woman at the Genius Bar to sell him headphones for his Walkman.

Rick Howard: I don't know why they don't have those. Why don't they have those?

Dave Bittner: No, sir, we do not have floppy disks for your Apple II Plus.

Selena Larson: Okay, grandpa, that's down at RadioShack.

Rick Howard: That was an Apple IIc, for that matter, for those of you who want to know that. Geez.

Dave Bittner: Yes, there is the distinction without a difference. So, Selena, where do you think we're headed here then? I mean, we're seeing all of this swagger from law enforcement. Does it feel like it's making a dent? We used to talk about Whac-A-Mole and how these organizations would just pop up. But are there lasting aftereffects here?

Selena Larson: Definitely. So I like using swagger to describe this hashtag swag, you love to see it. It's really great because the loaders and the botnets that they went after were responsible for really high-volume activity and stuff that can lead to ransomware. So all of these malware -- we mentioned IcedID and its sort of evolution into Latrodectus, also we haven't seen in a bit. IcedID was the one that was mentioned in terms of the takedown, but SystemBC is another one that is used in a lot of different ransomware attacks. Pikabot, Smokeloader, Bumblebee, these are all malware that initial access brokers rely on for the distribution of malware. And if that's cut off, that access is cut off, they are going to have to spend time retooling, figuring out what's next, figuring out, okay, what's a more reliable malware distribution; is this even something that I want to keep doing? Because it seems like it's so frustrating when this infrastructure gets taken down. So I do think it's going to have these sort of follow-on impacts to the various threat actors that we're tracking, and it's exciting. Because this just happened at the end of May, and we are all waiting to see, okay, what's next? So what is the next big thing? And I think that even if it's just a prolonged disruption, and we will see the threat actors rear their ugly heads again with something new and different, this time helps defenders, it helps us as threat researchers, it will give us a lot of intelligence to better understand the threat actors and where they're coming next. So overall, this is a win. I do think the fight never ends, though. I mean, you talk about playing Whac-A-Mole, it is a little bit, because they will always come back with something new, and we'll just have to be ready for them.

Rick Howard: Well, that's kind of the point. The cynics in the room -- and, Dave, I'm looking right at you when I'm saying this -- ask, why would we do this? They're just going to come back anyway. What's the point? But I agree with you, Selena, that any kind of friction we can throw into the system causes bad guys to spend resources on things that they don't want to spend resources on, right? And that slows the whole thing down. So I'm totally on board with letting the hounds loose and letting them go forward and do their thing.

Selena Larson: It's imposing costs.

Rick Howard: Costs.

Selena Larson: Yeah.

Dave Bittner: I just wonder, it seems to me like one of the fuels to all of this is cryptocurrency. Before cryptocurrency, if the bad guys had to try to transact using traditional credit cards, think about how much easier this would be to shut down. Or even if they had to have people here in your neighborhood to collect cash. Like it's a force multiplier for them to be able to use cryptocurrency globally. It seems to me like no one's come at that particular part of it yet.

Selena Larson: Yeah. So part of "Operation Endgame," there was a disruption or seizing of crypto assets. So that was part of it. But to your point, crypto has made it easier for threat actors, right? So in the mid-'00s, we had the rise of banking trojans. That was heavily focused on banking information, financial information, like legitimate banking credentials. And with the rise of cryptocurrency, once Bitcoin came along, the threat actors were like, oh, wait a second, I can get rid of the money mules, I can get rid of the fiat currency, I can get rid of these tracked transactions and the short-lived bank accounts and all that stuff, in exchange to use crypto. And of course Bitcoin's not the only one, you have a lot of others, Ethereum, and what-have-you. But it does make it a little bit easier for threat actors to operate with less sort of financial oversight or friction, financial friction. But at the same time, as those threat actors have gotten a lot better at using digital currencies and fake money, there are a lot of researchers and a lot of focus on, okay, can we track -- because it's on the blockchain, right? Even if it's anonymized, you're able to see the different wallets or who's receiving what, what's going where. And what's kind of cool is Chainalysis did a fantastic writeup on the ransomware ecosystem looking at the cryptocurrency perspective. You can see relationships and you can see where the money is going. And if you have a wallet that you know is identified as X threat actor sending money to this threat actor, you can kind of see those relationships. So in a way it's given us a little more intelligence, but at the same time it's made it easier to make money. [ Music ]

Rick Howard: You mentioned the Wired story. One of their journalists, Andy Greenberg, published a book last year called "Tracers in the Dark," that talks about the researchers' breakthrough of being able to track down Bitcoin, who's behind the Bitcoin transactions. And if you had any illusions that somehow Bitcoin was anonymous, you should wipe those out right now. The good guys can track you down now. And Chainalysis is the company, one of the companies that are providing those tools in the cyber criminal space now. So yeah, it's really amazing that we've figured that out at this point.

Dave Bittner: Especially, they call them tumblers, right, where they would try to take a bunch of different cryptocurrency and I imagine it either going into like a blender or a washing machine, it all just getting spun and mixed together. But to Rick's point, I mean, even that, it seems as though law enforcement has a window into that and they're clever enough to be able to follow those breadcrumbs.

Selena Larson: I think I realized that cryptocurrency was mainstream, like super mainstream enough, when I was watching one of my favorite British murder mysteries.

Rick Howard: Go on.

Selena Larson: It was "Death in Paradise." And there was a plot line about a guy who was stealing electricity to mine cryptocurrency getting murdered.

>> Here's an exclusive sneak peek of an all-new motion picture event. What's this? It's a crypto mining rig. Beautiful, isn't she? What does it do? Well, it says on the tin, it mines cryptocurrency, or in this case, it's Ethereum.

Selena Larson: We have fully achieved widespread awareness about crypto when this is a plot point on this British mystery show.

Dave Bittner: I will know it has reached critical mass when I can use Bitcoin at the place where I purchase my delicious dips.

Selena Larson: Dave, what are your dips today?

Dave Bittner: I'm not sharing my dips with my podcast cohost Rick. He has already taken my airtime, he is not taking my dips, too. Rick can have some of my snacks when he starts bringing jokes that are as fresh as my dips. Until then, no dips for you.

Selena Larson: Only Dave's dips.

Rick Howard: Okay, only Dave gets those dips.

Dave Bittner: So what's next, Selena? What are we expecting here? Is this the first of many more to come? We often use these metaphors like cyber Pearl Harbors and the cyber 9/11s and those sorts of things. So if we turn those metaphors on, the good guys coming after the bad guys, what's the big one look like? Is it possible to have such a big hit that it makes all of the bad guys really take stock and think whether or not this is worth the effort?

Rick Howard: Geez, Dave, listen to you. You make it sound like you're narrating a Ken Burns documentary. It's not that serious, my friend.

Selena Larson: Yeah, we should get Ken Burns on this podcast to narrate the CyberWire. Yes, coming to PBS in 2025. So if we're talking about metaphors, "Operation Endgame," that was like the Avengers endgame. That was the final big finale, Thanos and Snap. Everyone comes together to defeat the baddies.

Dave Bittner: Oh, that's the movie with all the superheroes, right?

Rick Howard: Yes, it absolutely is.

Dave Bittner: I think my kids told me about that. [ Music ]

Selena Larson: All right, well, you may not be familiar with the Avengers, Dave.

Dave Bittner: When you said "endgame," I thought you were talking about chess.

Selena Larson: That, too. I mean, it could be a lot of different metaphors.

Rick Howard: I guarantee you that somebody in the FBI is totally a fan of the Avengers movies, right? And that is the reason it's called "endgame."

Selena Larson: Well, there is a chess favicon on the "Operation Endgame" website.

Rick Howard: Are you saying I'm wrong, Selena, is that what you're saying? I don't know.

Dave Bittner: Is there a picture of Thanos on the website, or is it just the chess metaphor?

Selena Larson: The videos look like there are superheroes involved, okay?

Dave Bittner: Okay, fair enough. Well, let's all agree that it's ambiguous.

Selena Larson: Well, I mean, either way, either way, it was a big win, and I do think that hopefully this is kind of the gold standard moving forward, right? Like if we're going to combat these guys, it needs to be a concerted effort, with global law enforcement, public-private partnerships, making fun of them. That's my favorite part. We'll see what happens. I think it'll take a few months for the threat landscape to kind of really return or fluctuate a little bit as we kind of get the heartbeat of consistent activity back for some of the actors whose botnets or operations may have been disrupted. But I think this is exciting. I don't really think there is going to be a true Thanos/Snap for all crime everywhere. If so, that would be amazing. But then I also wouldn't have a job.

Rick Howard: That's a good point. We all get jobs.

Dave Bittner: Right.

Rick Howard: If we did the Thanos/Snap.

Dave Bittner: Another thing that strikes me about this is that for the folks who are in law enforcement, coming at something like this in this way, in this public way, like we said, with a lot of swagger, to me this really opens up avenues for them in terms of recruiting, right? Because the folks who are coming out of school or coming out of trade school or boot camp or whatever, they can look at this and say, maybe I'm not going to have to be operating behind the scenes in some nondescript government building and no one will ever know what I do and I won't get credit for anything, right? So in the recruiting side of things, it seems to me like law enforcement being able to take credit this way, in such a flashy kind of way, that must help them in the side of it as well.

Selena Larson: I think so. I don't know if it's necessarily the people that are going to get a lot more attention, it's just going to be the work that they're doing. I think might be a little bit more fun. There was SLEUTHCON in Washington, DC, a couple weeks ago, and a couple of folks from the UK's National Crime Agency, again talking about LockBit and the NCA, and they were able to sort of stand there and be like, look at this great stuff we did. Like look at these tweets that people made about the work that we were doing. And it was really fun. And I do think that showing your work and making it fun and not having it necessarily be closed off, you can't talk about it. Like this is a way for people to explain to people outside of the cyber bubble, this is what happens, this is what I do for work, these are cool projects that I'm working on, this is why it matters, this is why it's important. And I think not only for recruiting purposes but I also think for general cyber education purposes and understanding the overall threat landscape, telling a story via video and making hackers and their hoodies as cartoons or 8-bit characters is a really cool way of showing the actor, hey, we see, we know what you're doing. But also, people like, this is cool, like this is fun, cool stuff. And it's not necessarily like spy versus spy, espionage type of thing where we think about cyber in a lot of ways. But having a real impact on the cyber criminal ecosystem is just plain cool.

Rick Howard: Well, aside from the cool codenames that I particularly like, right, one of the things that makes the cybersecurity profession unique I think is that you're not just protecting your enterprise from bad things happening, but you're actually stopping criminals and spies and things from being successful. And you don't get to do that if you're the clerk at the 7-Eleven, right? So it's an added benefit, motivation factor, for infosec professionals.

Selena Larson: Yeah, it's fun and it's cool. I love making bad people sad.

Rick Howard: I love that. That's a new motto.

Selena Larson: I definitely stole that from someone. That's not a Selena original, but it exists somewhere.

Rick Howard: It is now.

Dave Bittner: All right, well, I think that's a great place for us to wrap things up for this time around. Thank you all for joining us here this time. Rick, I know we're running over into your naptime, so I apologize for that.

Rick Howard: Yeah, I appreciate that, my friend, I appreciate that so much.

Dave Bittner: Selena, it is always a pleasure and I look forward to catching up with you next time.

Selena Larson: Yeah, this was fantastic. Dave, I've got to get on, I've got to try some of your dips. If I ever see you in person, bring.

Rick Howard: He's not going to let you have his dips, even in person, that's not happening.

Dave Bittner: No. We can negotiate.

Selena Larson: Thanks to you, all our listeners, for tuning in to "Only Malware in the Building." [ Music ]