In today's conversation, Craig Rowland joins us to talk about the often overlooked significance of Linux as a key part of global communications and computing infrastructure, and discuss various types threats targeting Linux systems.

Malware, attackers, and techniques are often very distinct from those seen on Windows; Craig shares insights all of these from his extensive experience both writing and reverse-engineering Linux malware.

Craig is CEO of Sandfly Security, a New Zealand-based provider of Linux threat behavior scanning tools. Full disclosure: John Salomon is a paid consultant to Sandfly Security.

Notes from the video:

03:48 I can't find a source for the 95% figure, but a 2023 ZDNet article says 90%, which seems to be the most common figure: https://www.zdnet.com/article/linux-has-over-3-of-the-desktop-market-its-more-complicated-than-that/
03:55 Percentage of top million websites running Linux is another interesting statistic, which seems to be well above 90%. For example: https://gitnux.org/linux-statistics/
04:08 https://www.linuxinsider.com/story/the-flying-penguin-linux-in-flight-entertainment-systems-65541.html etc. etc.
05:54 France's Gendarmerie Nationale: https://en.wikipedia.org/wiki/GendBuntu
06:40 https://www.zdnet.com/article/linux-not-windows-why-munich-is-shifting-back-from-microsoft-to-open-source-again/
14:10 A propos, F5 has some interesting ways of using web shells as an attack vector: https://www.f5.com/labs/learning-center/web-shells-understanding-attackers-tools-and-techniques
14:40 "attacks on kubernetes" is a fun web search string. Same for "attacks on S3 buckets". Enjoy.
14:56 https://redis.io/solutions/messaging/
15:42 https://en.wikipedia.org/wiki/Patch_Tuesday
17:40 To be fair, Bob in Accounting is a pretty powerful entry point to the organization for various types of cyberattackers.
19:35 Mirai botnet: https://www.cloudflare.com/learning/ddos/glossary/mirai-botnet/
19:37 NoaBot: https://www.akamai.com/blog/security-research/mirai-based-noabot-crypto-mining
20:35 Chroot (change root directory): https://wiki.archlinux.org/title/chroot
27:42 PuTTY: https://www.putty.org/
29:45 There are several cryptojackers that try to neutralize competing malware, e.g. ChaosRAT https://www.trendmicro.com/en_th/research/22/l/linux-cryptomining-enhanced-via-chaos-rat-.html or Jenkins https://www.f5.com/labs/articles/threat-intelligence/new-jenkins-campaign-hides-malware--kills-competing-crypto-miner
35:30 For example LockBit: https://www.akamai.com/blog/security/learning-from-the-lockbit-takedown
35:37 My mistake - AvosLocker is also a Linux port of Windows malware: https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-avoslocker - HiddenWasp may be a better example: https://www.trendmicro.com/vinfo/us/security/news/cyber-attacks/hiddenwasp-malware-targets-linux-systems-borrows-code-from-mirai-winnti
35:42 Diamorphine LKM rootkit: https://github.com/m0nad/Diamorphine
36:44 https://core.vmware.com/esxi - an example is ESXiArgs ransomware: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
38:42 Abuse.ch MalwareBazaar: https://bazaar.abuse.ch/
38:49 Fraunhofer FKIE Malpedia: https://malpedia.caad.fkie.fraunhofer.de
39:35 You could just run a Linux version of the virus aquarium: https://xkcd.com/350/
39:52 A few examples of VM detection: https://www.cynet.com/attack-techniques-hands-on/malware-anti-vm-techniques/
41:15 Joe Sandbox: https://www.joesandbox.com/
42:10 No I won't, because I can't find it. Bit of Baader-Meinhof going on there...
42:59 https://www.youtube.com/@SandflySecurity

Craig on LinkedIn: https://www.linkedin.com/in/craighrowland/
Sandfly Security: https://sandflysecurity.com

Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network

Intro/outro music courtesy of Studio Kolomna via Pixabay: https://pixabay.com/users/studiokolomna-2073170/

Original video available at https://youtu.be/W-7edx7Le6Y?si=NOoOy1kF3KiVOPUe

In today's episode of State of (Cyber)War, Hugo Tarrida and John Salomon talk about the background and current state of cyber conflict in the Middle East.

We give an overview of some of the major state actors involved, and zero in on the structures, groups, and motivations of the two main regional adversaries - Iran and Israel.

Notes and links:

Due to the volume of supporting links and text, we've listed them on the CyAN blog, available here: https://cybersecurityadvisors.network/2024/04/10/state-of-cyberwar-episode-5-notes/

Original video episode avaialable at https://youtu.be/X3wkTszRlck

Hugo Tarrida on LinkedIn: https://www.linkedin.com/in/hugo-tarrida-32915a204/

John Salomon on LinkedIn: https://www.linkedin.com/in/johnsalomon/

Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network

Intro music courtesy of AlexiAction via Pixabay: https://pixabay.com/users/alexiaction-26977400

Outro music courtesy of Studio Kolomna via Pixabay: https://pixabay.com/users/studiokolomna-2073170

In today's episode of State of (Cyber)War, Hugo Tarrida and John Salomon talk about China's approach to cyberwar. What is the history behind Chinese cyber capabilities? What are Chinese geopolitical, economic, and social objectives that drive their international cyber activities? What are some of the biases that we should be aware of when evaluating the trajectory of China and its cyberwar abilities?

Also don't forget to check out our previous video about Chinese disinformation activities here: https://youtu.be/xBAJ2rBKrMc

Notes and links:

Hugo Tarrida on LinkedIn: https://www.linkedin.com/in/hugo-tarrida-32915a204/
John Salomon on LinkedIn: https://www.linkedin.com/in/johnsalomon/

Wikipedia article worth reading about Chinese cyber warfare: https://en.wikipedia.org/wiki/Cyberwarfare_by_China

05:42 Granted, Stuxnet was a joint US-Israeli venture - https://en.wikipedia.org/wiki/Stuxnet
07:06 https://www.reuters.com/world/russia-says-its-working-major-new-agreement-with-iran-2023-12-12/
14:05 Titan Rain - https://en.wikipedia.org/wiki/Titan_Rain
Related: Operation Aurora (2009) - https://en.wikipedia.org/wiki/Operation_Aurora
15:20 https://www.npr.org/2022/05/11/1098368201/a-spying-scandal-and-the-fate-of-western-sahara
17:07 The case of Wen Ho Lee, one of several perpetrators of military espionage: https://sgp.fas.org/crs/nuke/RL30143.pdf
20:30 https://nattothoughts.substack.com - Nellie Ohr and her team do excellent analysis work
20:50 "An Analysis of China's Great Cannon" - https://www.usenix.org/system/files/conference/foci15/foci15-paper-marczak.pdf
Shoutout to fellow UC Berkeley CSUA member Nick Weaver for co-authoring this paper)
27:48 E.g. "The 'Century of Humiliation' and China's National Narratives" - https://www.uscc.gov/sites/default/files/3.10.11Kaufman.pdf
29:42 Belt and Road Initiative - https://www.cfr.org/backgrounder/chinas-massive-belt-and-road-initiative
32:38 Referenced here: https://en.wikipedia.org/wiki/Chinese_information_operations_and_information_warfare ("Definitions" section)
32:45 The Three Warfares: https://apps.dtic.mil/sti/tr/pdf/ADB372300.pdf
34:04 The Nine-Dash Line: https://chinaus-icas.org/research/map-spotlight-nine-dash-line/
34:52 In fact, ruled to be explicitly illegal by the Permanent Court of Arbitration in 2016:
https://pca-cpa.org/en/news/pca-press-release-the-south-china-sea-arbitration-the-republic-of-the-philippines-v-the-peoples-republic-of-china/
36:19 US FBI director Christopher Wray recently warned about this: https://www.npr.org/2024/01/31/1228153857/wray-chinese-hackers-national-security

The State of (Cyber)War is a project by members of the Cybersecurity Advisors Network (CyAN), with an interest in information security topics relevant to geopolitics, military cyberdefence, diplomacy, and other international topics. We discuss various aspects of both current and past issues from the point of view of interested amateurs with varying degrees of experience in the field, in a not-always-entirely-serious format.

Visit the Cybersecurity Advisors Network at https://cybersecurityadvisors.network

Intro music courtesy of AlexiAction via Pixabay: https://pixabay.com/users/alexiaction-26977400/

Outro music courtesy of Studio Kolomna via Pixabay: https://pixabay.com/users/studiokolomna-2073170/

Original YouTube video at https://youtu.be/HLVPDojARh0

Welcome to episode 2 of CyAN's State of (Cyber) War series.

Today, James Briscoe and John Salomon talk about Japan - its national cyberdefence capabilities, the regional and global threat landscape, regulations and laws, and how all of these are evolving in the face of changing geopolitical realities and technologies.

A few notes from our chat:

02:25 US-Japan 1960 joint security treaty:  https://www.mofa.go.jp/region/n-america/us/q&a/ref/1.html
02:37 Article 9 Japanese constitution:  https://en.wikipedia.org/wiki/Article_9_of_the_Japanese_Constitution
02:45 SCAP:  Supreme commander allied powers
02:58 Japan Self Defense Forces:  https://en.wikipedia.org/wiki/Japan_Self-Defense_Forces
05:01 2019 US-Japan security treaty update:  https://www.mofa.go.jp/files/000470738.pdf
06:54 national security strategy end of 2022:  https://www.cas.go.jp/jp/siryou/221216anzenhoshou/nss-e.pdf
08:14 Lazarus Group:  https://www.aljazeera.com/news/2023/12/9/us-japan-south-korea-launch-new-efforts-to-counter-n-korea-cyber-threats
10:35 Lazarus Group's cryptocurrency thefts:  https://www.coindesk.com/markets/2023/12/01/north-korean-hackers-lazarus-group-stolen-3b-in-cryptocurrency/
11:29 https://www.dragonflyintelligence.com/news/japan-shift-to-a-more-offensive-cyber-posture-in-2023/
11:35 https://asia.nikkei.com/Politics/Japan-to-quadruple-cyber-defense-forces-meeting-threats-head-on
12:47 The 2016 revision in question:  https://www.mofa.go.jp/files/000143304.pdf
13:37 The spending increase to 2% request:  https://www.reuters.com/business/aerospace-defense/japan-makes-record-defence-spending-request-amid-tension-with-china-2023-08-31/
13:59 It's actually 2% as well:  https://www.nato.int/docu/review/articles/2023/07/03/defence-spending-sustaining-the-effort-in-the-long-term/index.html
14:39 CCDCOE:  https://ccdcoe.org/
14:46 Locked Shields exercise:  https://ccdcoe.org/exercises/locked-shields/
15:33 The official in question was former US Director of National Intelligence Dennis Blair:  https://japannews.yomiuri.co.jp/politics/political-series/20221122-72394/
16:05 The Japanese National Security Strategy allows for development of a posture for information warfare and introduction of active cyber defence in cybersecurity. It will create a government information warfare department, allowing government to aggregate and analyze the situation on disinformation originated abroad.  The National Center for Incident Readiness and Strategy for Cybersecurity is to be restructured to establish an new organisation to coordinate policies between the police and JSDF. This will allow for active cyber defence against attackers. Training for 4000 cyber ‘warriors’ and 16k cyber-capable JSDF members over 5 years is also foreseen.  The Ministry of Foreign Affairs plans AI to enhance monitoring of information and intelligence analysis. Furthermore, defence industry profit margin will be permitted to increase to a max of 15%.
16:45 The Nagoya port ransomware attack of July 2023:  https://www.bloomberg.com/news/articles/2023-07-06/nagoya-port-delays-restart-following-alleged-ransomware-attack
17:10 The Chinese cyberattack on the Japanese defence network:  
https://www.japantimes.co.jp/news/2023/08/08/japan/japan-china-hack-defense-network/ - WaPo article:  https://www.washingtonpost.com/national-security/2023/08/07/china-japan-hack-pentagon/
17:23 KillNet ceases attacks on Japan:  https://english.kyodonews.net/news/2022/09/9846d4bf7aee-pro-russia-hacker-group-stops-cyberattacks-on-japan-due-to-money-woes.html
20:17 2023 Amendments to Telecommunications Business Act:  https://www.dataguidance.com/news/japan-amendments-telecommunications-business-act-enter
20:20 Unauthorized Computer Access Law (UCAL):  https://iclg.com/practice-areas/cybersecurity-laws-and-regulations/japan

James Briscoe on LinkedIn:  https://www.linkedin.com/in/jimbriscoe/
John Salomon on LinkedIn:  https://www.linkedin.com/in/johnsalomon/

Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network

Original YouTube video version:  https://youtu.be/Fmuno8ohJPs

Intro/outro music courtesy of AlexiAction via Pixabay: https://pixabay.com/users/alexiaction-26977400/

Welcome to episode 1 of CyAN's new State of (Cyber) War series.

Join John Salomon and James Briscoe in a discussion of offensive cyberoperations involving Russian actors, parallels to historical attacks on civilians, expectations and limitations of information operations, and more.

A few notes from our chat:

05:10  James' research paper on Russia/Ukraine:  https://www.linkedin.com/feed/update/urn:li:activity:6899132398601162752/
05:30  Conti ransomware group:  https://flashpoint.io/blog/history-of-conti-ransomware/
08:55  2016 Ukraine power grid attacks:  https://www.wired.com/story/russia-ukraine-cyberattack-power-grid-blackout-destruction/
11:15  Stuxnet:  https://en.wikipedia.org/wiki/Stuxnet
12:47  James' follow-up work: https://www.linkedin.com/feed/update/urn:li:activity:6944843584533581824/
14:35  The Dukes:  https://www.cfr.org/cyber-operations/dukes
 Cozy Bear:  https://www.crowdstrike.com/adversaries/cozy-bear/
 NotPetya:  https://en.wikipedia.org/wiki/2017_Ukraine_ransomware_attacks
18:32  Lazarus Group:  https://www.trendmicro.com/vinfo/pl/security/news/cybercrime-and-digital-threats/a-look-into-the-lazarus-groups-operations
20:11  2022 Yandex Moscow taxi hack:  https://www.euronews.com/my-europe/2022/09/02/gridlock-as-hackers-order-hundreds-of-taxis-to-same-place-in-moscow
20:25  2023 GUR Russian state tax service hack:  https://therecord.media/ukraine-intelligence-claims-attack-on-russia-tax-service
23:22  2022 Belarus railway hack:  https://www.theguardian.com/world/2022/jan/25/cyberpartisans-hack-belarusian-railway-to-disrupt-russian-buildup
24:04  Alexander Lukashenko and the Ukraine invasion map:  https://www.independent.co.uk/news/world/europe/lukashenko-ukraine-russia-belarus-invasion-map-b2026440.html
25:23  Syrian Electronic Army:  https://en.wikipedia.org/wiki/Syrian_Electronic_Army
29:03  Momotarō no Umiwashi came out in 1942:  https://en.wikipedia.org/wiki/Momotar%C5%8D_no_Umiwashi

Original YouTube video is at https://youtu.be/VlP_L3xX2Lo

James Briscoe on LinkedIn:  https://www.linkedin.com/in/jimbriscoe/
John Salomon on LinkedIn:  https://www.linkedin.com/in/johnsalomon/

Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network

Intro/outro music courtesy of AlexiAction via Pixabay: https://pixabay.com/users/alexiaction-26977400/

Juan Ignacio Nicolossi, PRODAFT Team Leader for threat intelligence, joins us today from Chile to discuss the Snatch ransomware group.  Active since mid-2018, Snatch has caused havoc in a variety of companies and government agencies.  

In this episode, we discuss Snatch's techniques, the significance of how they use stolen information, and how their approach to what's important to customers means for the future of extortion.  

CISA #StopRansomware Snatch advisory:  https://www.cisa.gov/sites/default/files/2023-09/joint-cybersecurity-advisory-stopransomware-snatch-ransomware_0.pdf

Ransomlook.io Snatch profile:  https://www.ransomlook.io/group/snatch

ALPHV (BlackCat) regulatory extortion article:  https://www.darkreading.com/risk/alphv-ransomware-group-files-sec-complaint-against-own-victim

PRODAFT is a Netherlands-based cyber-threat intelligence analysis firm - their website is at https://prodaft.com

Full disclosure:  John Salomon is a paid, part-time advisor to PRODAFT.  

Juan Nicolossi's LinkedIn profile is at https://www.linkedin.com/in/juan-ignacio-nicolossi-baeza-286b035a/

Check out the rest of CyAN's media channels on https://cybersecurityadvisors.network/media - and visit us at https://cybersecurityadvisors.network

Intro/outro music courtesy of Studio Kolomna via Pixabay: https://pixabay.com/users/studiokolomna-2073170/

Original video version at https://youtu.be/g5yiScRofxU