Breaking Badness Cybersecurity Podcast - 178. Volt Typhoon Lagoon | DomainTools
Coming up this week on Breaking Badness: A Tangled Botnet, Certificate of Participation, and Gold, Guidance, and Grievances.
Here are a few highlights from each article we discussed:
A Tangled Botnet
- The US disabled a Chinese hacking network targeting critical infrastructure
- Who is Volt Typhoon?
- Volt Typhoon is a state-sponsored actor based in China and their focus has typically been espionage and information gathering
- The real worry is that they are interested in developing capabilities that could disrupt critical communications or possibly other infrastructure, especially in Asia, leading up to potential Chinese military action in Taiwan (Tim speculates)
- The article opens stating that the Justice Department and FBI sought and received legal authorization to remotely disable aspects of Volt Typhoon. What does the process of authorization look like?
- Lots of paperwork involved – you may have to wait in a long line at some government agency
- Of course, we kid
- Certainly court orders are involved. Tim’s seen a five-part test that the White House should look at whenever they’re authorizing a takedown of criminal malware
- Tim doesn’t know if Cyber Command, which would have been the relevant part of the military in this case, was actually involved. Some of the details about the takedown itself have not been divulged in a lot of detail, and that’s likely on purpose – you don’t want to show your hand
- Legal authorization is important because every one of these major takedowns that happens is a precedent and something that’s closely watched on the world stage as we come to grips with how cyber warfare or cyber campaigns are going to play out over the near term
- Why would you need authorization?
- Tim believes that when you are seizing resources or carrying out enforcement actions against servers and whatnot, there’s a due process aspect
- It can be complicated and the potential for unintended consequences could be high
- If you want to be able to move swiftly, especially if there might be an imminent event, you want to do that within the parameters of the law
- How has the Chinese Foreign Ministry and the Chinese Embassy responded to this?
- According to the official Chinese government line, China doesn’t take part in any of these kinds of nefarious activities – they’re just trying to be the marketplace for the world
- This article also notes that the Biden administration has been focusing on ransomware because of the havoc it wreaked on Corporate America in 2023. With this being an election year, will this initiative continue into 2025 regardless of the outcome of the election and the administration in charge?
- The folks at CISA are dedicated to dealing with this problem and there’s the larger ransomware task force that we’ve talked about on this podcast that is also doing some really good work
- To the extent that CISA is given some latitude to fulfill its charter, Tim thinks we’ll continue to see a lot of fighting against ransomware
- But who knows whether they’ll be given all of that latitude. If an administration were overly friendly toward nations that take part in a lot of ransomware campaigns, you could see a lessening of the emphasis on this. We sure hope we don’t, but it remains to be seen
- But we have a ton of faith in CISA itself
Certificate of Participation
- AnyDesk confirms that it suffered a recent cyberattack allowing hackers to gain access to the company’s production systems
- The name of this organization might give away what they do, but for those who don’t know, what is AnyDesk?
- AnyDesk is a remote desktop software company – it’s something that you could have someone install on a machine that would give you the ability to view their remote desktop
- Remote access software is kind of a goldmine for threat actors
- You could use it to help an elderly family member with doing something on the Internet or it could be used by scammers to do the exact opposite of that with the same person, which is shockingly common, unfortunately
- AnyDesk has been around for a while and they’re based out of Germany
- AnyDesk first learned of the attack after detecting indications of an incident on their production servers – do we know what those indications were?
- It’s protected information, but from what we understand, they shut down their signing servers for a few days and announced a breach
- They also said they had new signing certificates and asked users to get the latest version
- They also engaged with the Incident Response team at CrowdStrike, which you may recognize from their recent Super Bowl commercial
- Were end users impacted?
- AnyDesk is saying no end users were impacted, but we’ll probably continue to see information dropped on this story – we hope no end users were affected and it would be great if that was the case
This Week’s Hoodie/Goodie Scale
A Tangled Botnet
[Taylor]: 5/10 Hoodies
[Tim]: 8/10 Hoodies
Certificate of Participation
[Taylor]: 10/10 Hoodies
[Tim]: 5/10 Hoodies
That’s about all we have for this week. You can find us on Twitter @domaintools, and all of the articles mentioned in our podcast will always be included in our podcast recap. Catch us Wednesdays at 9 AM Pacific time when we publish our next podcast and blog.
*A special thanks to John Roderick for our incredible podcast music!