DISCARDED: Tales From the Threat Research Trenches
DISCARDED: Tales from the Threat Research Trenches is a podcast for security practitioners, intelligence analysts, and threat hunters looking to learn more about the threat behaviors and attack patterns. Each episode you’ll hear real world insights from our researchers about the latest trends in malware, threat actors, TTPs, and more.
Welcome to DISCARDED
DISCARDED: Tales From the Threat Research Trenches
OMITB: Trusting the wrong package.
Use Left/Right to seek, Home/End to jump to start or end. Hold shift to jump forward or backward.
Hello to all our Cyber Pals! This week, we present a special replay of "Only Malware in the Building," the podcast that our host, Selena Larson, also co-hosts! Enjoy!
Welcome in! You’ve entered, Only Malware in the Building. Join us each month to sip tea and solve mysteries about today’s most interesting threats. Your host is Selena Larson, Proofpoint intelligence analyst and host of their podcast DISCARDED. Inspired by the residents of a building in New York’s exclusive upper west side, Selena is joined by her co-hosts N2K Networks Dave Bittner and Keith Mularski, former FBI cybercrime investigator and now Chief Global Ambassador at Qintel.
Being a security researcher is a bit like being a detective: you gather clues, analyze the evidence, and consult the experts to solve the cyber puzzle. This week, our hosts dive into the evolving threat of software supply chain attacks and the growing risks facing the open-source ecosystem. As developers increasingly rely on third-party packages and AI-powered coding tools, attackers are finding new ways to abuse trusted software to reach a wider range of targets. The discussion explores why these attacks are becoming more common, what recent incidents reveal about the state of software security, and what organizations can do to better protect themselves.
Sources:
Shai-Hulud worm returns stronger and more automated than ever before
‘Mini Shai-Hulud’ malware compromises hundreds of open-source packages in sprawling supply-chain attack
What We Learned: Axios NPM Supply Chain Compromise Emergency Briefing
Your AI Gateway Was a Backdoor: Inside the LiteLLM Supply Chain Compromise
Hi, today's your host, Selena Larson, principal threat researcher here at ProofPoint and host of the Discarded Podcast. Did you know I'm also a co-host of the Only Malware in the Building? This is a monthly segment crafted through a collaboration between N2K Cyberwire and the Proof Point Discarded Podcast. Our segment focuses on the most impactful and intriguing malware stories. We aim to distill complex cybersecurity information into digestible and insightful segments for tech professionals, providing security executives a clear and engaging silhouette that is actionable. I am joined every month by my co-host NTUNDK Network's data editor and Keith Wilarski, a former FBI cybercrime investigator and now chief global ambassador at Q Intel. This week, I wanted to bring you a sample of Only Malware in the Building, trusting the wrong package. In this episode, we dive into the evolving threat of software supply chain attacks and the growing risks facing the open source ecosystem. If you like what you hear, be sure to check out Only Malware in the Building and subscribe wherever you get your podcasts. Thanks for tuning in. As always, until next time, happy hunting.
SPEAKER_00Look, I don't want to have to get HR involved in it.
SPEAKER_03Last week I gave a malware training session, and the guys didn't pay any attention.
SPEAKER_01No pickles, please. I don't want any cheese.
SPEAKER_03It was my own fault for using PowerPoint. PowerPoint is boring. People learn in a lot of different ways, but experience is the best teacher. Today, malware is going to save lives. You got roof anyone hear that noise?
SPEAKER_00Oh my god.
SPEAKER_03Oh my god! Malware! Oh malware? What's the procedure, everyone? What do we do?
SPEAKER_01Oh my god. Okay, it's it's it's happening.
SPEAKER_03Everybody stay calm. What's the procedure, everyone? What's the procedure?
SPEAKER_01Calm! I'll email it! It's on the old computer!
SPEAKER_03No, no, Keith. Check the computer screen first. What's it look like? It could be infected too.
SPEAKER_01What's a blue screen mean?
SPEAKER_03Hmm. Not a viable option. Check other laptops. What's next? Back to Venom like Data! Data can be saved, Keith. Bank account, however.
SPEAKER_00Okay, this is it.
SPEAKER_03Everyone for the settlers. Have you ever seen a random? What's the procedure? What do we do? What do we do? Use the surge of fear and adrenaline to sharpen your decision making. Look at the kidney fear. Attention, everyone. This has been a test of our emergency preparedness. There is no malware. It was only a simulation. The malware is not real. Just merely a training exercise. So, what have we learned?
SPEAKER_00That Keith really should have backed up his data. I stand by smashing the computer.
SPEAKER_02Same time next week, we'll cover fishing.
SPEAKER_00I'm calling in sick.
SPEAKER_03After that chaotic opener, we have all calmed down and have addressed the pretend malware issue. But what isn't a pretend malware issue is soft goalish, Steel C, Comedy Stealer, and Operation Endgame in general. Today we're going to talk about how global law enforcement and private sector partners work to disrupt activity related to some major cybercrime threat actors and what this means for the threat landscape going forward. One of the most interesting things about this to me is TA569 or the SOC Golish disruption. This is one of the most prominent threat actors associated with web injects. They've been around since at least 2018. And now they have sort of become the grandfather of a lot of this activity. But before we get into SOC Golish as well as the information stealers, Steel C in Amity, Keith, I wanted to throw it over to you. As someone who has been actually involved in law enforcement disruptions to major malware, what goes into this? What, like, what when you heard about this or saw this, what did you think?
SPEAKER_01First, I think it was awesome. You know, what I thought was, you know, we we've seen a lot of disruptions before in the past, and I've been involved in a lot of disruptions. But this is kind of the first like stage two of the same operation, stage three of the same operation. Because we talked about Operation Endgame in the spring. Uh, and usually these uh, you know, these operations are one and done. It's like, bam, we're gonna go in there, just zap the guys, and then kind of move on to the next thing. What was really cool about this is the good guys just basically said, hey, we're not done yet. You know, we're we we still want to just kind of go after these bad guys and uh continue to impact them because you know, everybody always talks about, well, you know, the name and shame or these disruptions, they don't have long-lasting impact. But I think what we've seen in this is that law enforcement is really serious about this and you know, to continue with that, you know, which we talked about in the past, like a lot of things go into you know these operations, you know. So it was just great to see everybody involved in that. And um, and I just talked a whole lot there. So I'm just gonna let you guys say a little bit more before I go into you know some of the other things.
SPEAKER_00So well, why don't we just back up a half step and uh I'd love to know, since you two are the practitioners, uh, what are the things, what is the range of things that you would include under the umbrella of an info stealer? What are the capabilities who generally is uh doing these sorts of things? You know, what what do listeners who may not be familiar with it need to know?
SPEAKER_03So Socolish is a dropper or a loader that's associated with um a threat activity cluster called Evil Corp. And those types of infections can lead to ransomware. So that's one piece of malware. But Steel C uh is an information stealer. It also has a dropper function, but basically, threat actors are targeting any information they could possibly get their hands on. So logs, cryptocurrency, usernames and passwords, banking information, any type of details that they could siphon from your computer, potentially use it to move flaterally within an infected network. And we've talked about this on the podcast before, how identity is kind of the gold standard now for threat actors. And there's this increase in information stealer activity as threat actors are trying to do more information gathering type focused activity to then do things like potentially ransomware or ATO jumping or trying to, you know, facilitate compromises of additional users. And so info stealers are really growing. They can also be used as precursors to ransomware. And that's kind of the important part of Operation Endgame, right? They're kind of targeting all of the ecosystem, the different components of the malware universe. I like to call it like the malware cinematic universe because it's like all of these things that are like involved and ultimately like ransomware, right? These things can basically enable that type of activity. And then of course Amity is also this sort of like dropper loader, which is also does a lot of the same things as um a DLC. So these are were two separate actions, but kind of coordinated all under one umbrella.
SPEAKER_01Yeah. And the thing too, Dave, is that you know, both both of these are kind of like, you know, malware as a service, you know, and um, you know, so the their their whole uh criminal ecosystem on the back end, like, you know, for for example, you know, uh Steel IC, they have like their uh channel with the give support, uh, you know, so pretty much, you know, they're they have support updates, new feature rollouts, and new releases, you know. So, you know, when we look at these guys, you know, we always think of like this hacker in the basement or or something like that. But these are guys that are running, and you know, they're running enterprises.
SPEAKER_03It's very much a malware as a service enterprise model, right? So you have the creators of this malware that then sell to affiliates, and then those affiliates are the ones that are running the campaigns. So the creator, the manager of the actual malware is taking a cut of that and then is working with their own customers. And so I think, you know, Keita, it is really funny that you mentioned it is like an enterprise, it's like a business model, because I think what we've seen from a lot of these different groups is it is like kind of a well-run enterprise. Although I have to say that there were some sort of errors in some of the code that allowed investigators or researchers to be able to get a little bit more information, I think, than they probably would have wanted. Um, some of those flaws in the in the different panels. And there was even some potential maliciousness within the affiliates themselves that were kind of going back and forth. And yeah, so you have like these there's no honor among thieves, right? They're running a business, but also like it's possible that you know other crimes are being committed.
SPEAKER_00I'm curious. So to what degree is the info stealing the end game itself for these folks? In other words, I'm I've stolen your information, I've bundled it up, and now I'm gonna sell that to someone else, versus uh the info stealer being the first step into me being able to then install ransomware or a crypto miner or something like that.
SPEAKER_01Yeah, I I mean, I think there's a little bit of uh the tail wagging a dog on some of that. You know, it kind of goes circular depending on what you're trying to do. Uh, like for example, on the Soc Ghoulish stuff, you know, they were looking for in order to spread their their infostiller, they were actually looking to get like um cPanel access, WordPress, Joomla access. So they they were trying to buy these compromised websites or access to these websites so then they could have their phishing pages on the website. So like you're you're you're visiting a legitimate website, but you're getting infected now with the malware. So so you have compromised credentials on both ends of getting access to the website to then throw malware down to get more credentials. And the the really interesting thing is well, how cheap! Like, so the one actor for Sock Goulish, we saw him on the underground wanting to buy access to like the c panels and you know, the Joomla and WordPress. And like some of the prices, uh the he would pay a dollar for c panel access, he would pay 30 cents for WordPress access, and uh 40 cents, a big whopping 40 cents for Joomla. Uh, you know, so uh you know, so so it's really not like uh, you know, it's not like advanced malware to get access to these sites. It's you know, basically cents on the dollar to then set up your operation. Uh so it's kind of like a whole ecosystem, but it depends on really what you're looking for because there's different aspects that fuel the next part of the of the scheme, if that makes sense.
SPEAKER_03Mm-hmm.
SPEAKER_01Mm-hmm.
SPEAKER_03Well, and also too, one of the interesting things about Web Injects in particular, um, Soc Golish is, you know, that threat actor is one of them, is the traffic distribution systems as well, that they're partnering with basically the facilitators of crime. So for like Steel C and Amity, these are um phishing-based or maladvertising-based types of activities. So they'll send malicious emails or they'll, you know, have some malvertising, but with like the web inject activities that are trying to insert that malicious job script on the WordPress or related websites, those partner with like additional threat actors. And in the case of Sat Golish, they also kind of ran their own traffic distribution service. So the actual targeted targeted activity targeted like that part of that whole service, right? So it wasn't just like trying to clean up the injects themselves. It was also trying to see, okay, what can we do with this like traffic distribution service that they're running themselves? It was like this this interesting thing to kind of see the impacts beyond just the websites getting cleaned. It's like, okay, what else is happening? And for all of the disruptions during the entire action, according to Europol, it has a pretty big impact. So 326 servers and 142 domains were actioned by law enforcement and private sector partners that crippled the malware's distribution network. And crypto assets of criminal origin, currently valued at over 41 million euros or 47 million dollars, were identified, flagged, and thereby restricted from use. And as many as 27 million stolen loggering credentials have been recovered as part of the operation. So it's quite costly for from the threat actor perspective, um, as well as the sort of overall disruption to the services.
SPEAKER_01And not bad for like uh, you know, it's uh you're just talking about the scale of the bad guys. It's a it's a pretty nice-sized business, if I can think, you know. Uh and and and basically the bad the the good guys here, we hit their supply chain. Uh, you know, we kind of do this kind of reverse things where they're hitting our supply chain. We decided to uh kind of disrupt their supply chain.
SPEAKER_00So Keith, can you take us behind the scenes of of the planning of a disruption like this? I mean, you know, keeping it in general terms, how does law enforcement come at something like this that that is at this scale?
SPEAKER_01Yeah, so I I think first it's gonna start with like companies like Proof Point that Selena works for and having that intelligence and kind of going to law enforcement and saying, hey, you know, we're seeing a lot of visibility right now into sock ghoulish or this threat that's out there. It would be great if uh you guys did something about this, uh, you know, and so then uh, you know, law enforcement goes, okay, well, you know, this is impacting. What what what type of impact can we do? You know, is this as big as you want? And then, you know, in this case, they were at Europol, and Europol was is just a really awesome place to kind of bring together all the law enforcement, especially in the EU, uh, and you know, in the the US is over there, and the other Five Eye partners like Canada and Australia. So they all they all sit and they all have their representatives right there in The Hague. Uh, and they're able to then pull that data from any of their member states or their other law enforcements. So now, even though the infrastructure is all around the world, now this kind of is a good central pulling point to kind of coordinate everything. So, so now, hey, maybe we need something from uh the United States, a Gmail or as a server. So the FBI or Secret Service could go out and issue uh, you know, legal process to get that data, or maybe something is at Hettner in Germany and the BKA could go out and get that. And then it will all kind of come back into that uh basically that coordination center or command post. And then at that point, once they get the legal processes in place, then that's when they kind of get with private industry. Are there gaps that we can't, you know, do as law enforcement? Can't private industry help us out? You know, if you're gonna seize like domains or things, you need to have like uh, you know, ICANN or the other registrars involved. And then really at the end of the day, how are we gonna kind of pull this off all coordinated at one time uh and make it go off without a hit? So so that's kind of like uh there's there's a lot of long nights and a lot of uh beers and other drinks at bars afterwards to play and everything.
SPEAKER_00So more more often than not, it goes right rather than horribly wrong. Yeah.
SPEAKER_02I feel like that's the most important part, Keith. The late nights and the beers.
SPEAKER_01Well, we're all working for something. Yeah. Well, well, I think you know, a lot of times, you know, when when you get into some of these big um meetings when you have all these different lawyers and other law enforcement and industry people there, sometimes people don't want to speak up all the time. Uh, you know, so but when you get people out with beers, they they tend to pretty much tell you what they think. Uh so uh so then you know, then you can kind of plan things. Um but it it is really neat. And I think I told the story before, before we were doing the core flood uh takedown. You know, once you get ready to do that and you got to get that legal sign-off, when we were gonna do core flood, we had to go to the attorney general uh and you know, he had to sign off on it and he looked at it and he goes, It looks good, uh, but just remember if you break it, you bought it.
SPEAKER_00So is that like the in the movies when they say the State Department will deny all knowledge of your operation if it doesn't go well? Yes, exactly.
SPEAKER_03Well, actually, I'm so glad that you mentioned lawyers because they play a really interesting role in all of this too. I think a lot of times people think about disruptions and takedowns as, you know, cyber operators and hackers and, you know, kind of the pew-pew maps of things and maybe, you know, seizing servers and busting down doors and stuff. But um, there is a lot of uh sort of like legal process that can be used against this stuff. And lawyers, cybercrime lawyers, I have so much respect for, actually chatted with um Sean Farrell, who is an assistant general counsel of Microsoft's digital crimes unit. And they have really sort of innovated when it comes to doing takedowns via lawsuits. And I've never like left a conversation wanting to go to law school until this moment. And I was like, wow, do I need a career change? Because this sounds so fun. I mean, it's really cool because you can use these civil actions to disrupt criminal criminal infrastructure. And basically they use Rico, which is a Racketeer Influenced and Corrupt Organization Act that targets organized crime to actually go after some of these cyber criminals. And in the case of Steel C and Amity, they were able to identify shared infrastructure between these two groups and kind of do an all-in-one civil suit against this whole ecosystem, these info stealers and the malware together. And so it was really kind of cool to see um some of their publications on it. Like, here's how we were able to sort of sort of like innovate, and here's how lawyers play a role in this, right? Like I'm just over here, like beep boop, I'm on the computer, and they're like filing important documents and things.
SPEAKER_00Yeah, so yeah, I mean, that's a really fascinating point. I'm glad you brought it up, Selena. So what's the reality on the ground, Keith? Like when you have trusted partners, you know, it's like a behemoth organization, like a Microsoft or a Google or an Amazon, um, and they say to you all, hey, we've got this. You know, how how long a leash do you give a private organization like that to take corrective action?
SPEAKER_01Yeah, that's a good question. So, I mean, Microsoft has been kind of on the forefront of doing this for uh well over 15 years now, which is really good. And I I love Sean. Sean's a former FBI colleague of mine, just a great guy. And Dave, if you haven't had him on your show, you should have him gone to kind of talk about what they're doing in the space because it it is really fascinating and cutting edge. When they first started doing it, you know, they were trying to make an impact, you know, 15 years ago. You know, maybe there wasn't that coordination. They they were trying to protect their area of you know, of Windows computers. And, you know, the the first one or two times they acted uh without, you know, not thinking about how it may impact like an FBI case. Uh, but really over these last 15 years, that coordination has gotten so much better now because I think what everybody's realized is that it really takes a village. And everybody plays an important role, you know, in this to make that collective win. And the great thing is, is that Microsoft being this big behemoth, you know, very forward thought thinking. Now, other companies will go, hey, well, if Microsoft could do it and they're a big bureaucracy and they have a lot of potential liability, we can kind of do this too. So I love what they're doing because it really is setting the trend uh, you know, for that. And I think just much more coordination has been involved because they've done so many of these now. It's getting to be second nature. And that's what we want. We want to be able to kind of do this off the shelf and not reinvent the wheel every time stick around after the break.
SPEAKER_00How do we measure success? You know, obviously we have these takedowns, uh, but it seems like groups pop up not long afterwards or they reform, or you know, it is part of this monitoring the criminal forums to see that you know these folks are getting a little more. Tentative about getting into this business at all?
SPEAKER_01I don't think that it's going to stop people from getting into the business. Because if you're a criminal, you're a criminal. It doesn't matter. You know, there's always been the threat of getting arrested, whether, you know, you're running, uh, you're running a gambling ring or you're running cybercrime, you know, the everybody that gets into criminal activity. But it does make them a little leery and it does impact their operations. And, you know, if you impact somebody and they're down for six months, that's six months of uh, you know, of an impact. And if you could put them in jail, even better. As long as there's ever crime, which will be forever, there's always going to be somebody that's going to step up into the place, next place. But the big thing is you need to disrupt the operations. You just can't let it go on.
SPEAKER_03So I think there's also a few things to consider when you're thinking about the impact to this stuff. So it's one of my favorite parts of my job is actually measuring success of takedowns and disruptions. Because you can look at data and say, okay, here's how long this service was down. Here are the number of websites that were cleaned up. So actually, it's important. I think I wanted to highlight that too. So in the case of Sockolish, the law enforcement was able to clean almost 15,000 websites, basically deinfect them, right? So that plays a huge role in disrupting the botnum because that means that that actor has to go reinfect all of these websites again if they, if they really want to. So that's part of it, right? So it's like, okay, how effective was this? Putting out awareness and general like information about this threat always plays a huge role as well, because you can kind of time it with the disruption. You can further education for the end user. You can really encourage organizations to say, hey, this is what you have to pay attention to. Um, but from our data, for example, we see significant disruptions pretty much every single time there is a law enforcement, either full takedown or disruptions to activity. So it'll be a reduced number of emails that we'll see through our telemetry, a reduced number of uh C2s or panels or servers that are actually active and associated with the particular malware or threat actor. You see, I'm sure Keith sees this too and can probably speak to it, some chatter on the underground that is a lot more like, oh, okay, well, they're on to us, or we're gonna have to change something, or they might actually even close purchases for a prolonged period of time, potentially even altogether, just completely take their, oh, there's too much heat on me. I'm gonna go elsewhere. But there's also this idea of sort of causing mistrust among the criminal ecosystem and the affiliates. And one really interesting thing that Operation Endgame is doing that they're really pioneering is these videos that they post with every takedown. And they'll have these little Easter eggs in the video that are explicitly targeting the threat actor or the affiliates that are part of this targeted effort. And so you can see, oh, maybe there's like a username that's included in there that they're like clearly going after them, or maybe there's some sort of indication that the affiliates are turning on each other, or maybe the malware creator is actually like stealing some of the information that they are, you know, siphoning off of their own affiliates, and you know, depending on what the actual video is. They've done it for pretty much all of their takedowns and or disruptions. And I think that, you know, that's kind of fun too. So you have this also sort of like social engineering happening at the same time as the sort of like actual technical targeted efforts. Um, and at the end of these videos, there's always like reach out, like think about your next move, or like come talk to us. And there's that sort of attempt to get people to turn themselves in or engage with them. So I think, you know, I'll oftentimes I hear a lot of scorn in the industry. Oh, well, you know, they're just gonna come back. So why bother doing these takedowns? But I think this idea of imposing cost is from a financial perspective, there's tons, you know, asset seizures is huge. From an actual infrastructure perspective, you know, imposing that cost is huge because it, you know, removes their current capabilities and forces them to spend more money to retool more time. There's a time stack, a time cost, there's a reputational cost, and there's a psychological cost too. So when all of these are factored in, it can have a huge disruption. So maybe we're not like maybe, yeah, we'll see a blip in traffic, or maybe they'll come back after a couple of months to be at the same level of activity. But all of those factors and variables played a role in terms of their decision making and the potential that they have lost business, which is ultimately what we want. We want them to make less money and do less crime.
SPEAKER_01Yeah, really at the end of the day, it's not just bringing down servers, it's attacking that trust in that criminal ecosystem. Uh, you know, you wanna, you want to have customers distrust their operations, you want to break that trust. Uh, and just you were just talking about those little Easter eggs. I'll share a little story. When I was uh when I came out from undercover, you know, everybody kind of knew that I was there was there was this one criminal that that hit me up online and you know, he hit me up and he's like, you effing fed and you know, and and and all that type of stuff. You know, and I responded back to him because he was on our target list. He just wasn't home when we raided him. I was like, dude, we know who you are. Uh you could spend the rest of your life on the run uh and constantly looking over your shoulder of when you're gonna get arrested in you know, this cafe in Paris or when you're at the beach in Nice or somewhere else, or you could just go turn yourself in and just get it over with. Uh and two days later he turned himself in. So it does work.
SPEAKER_00But that that was my next question, Keith, was whether do because I find it hard to believe that these people actually turn themselves in. But you laid out the case for why that could be in their best interest.
SPEAKER_01Yeah, I mean, especially, I mean, if law enforcement knows who you are, I mean, the only way that you're gonna not get caught is if you stay in Russia or China. Uh, you know, and even in those, some, you know, even in those places, if you're not paying people off, you may end up falling down the steps or something like that. Uh, you know, so uh, you know, so sometimes it's in your best interest to just um go and uh turn yourself in and let the legal process go through it. So uh and because a lot of times the people, you know, they'll be on the run for a couple years, they'll get caught, and then you know, then they have to go through the process, you might just get it over with. So that's that that's my suggestion to all the criminals. Just turn yourself in, get it over with.
SPEAKER_00Going to get caught. You might as well get it over with. Serve your time. Straighten up and fly right. Well, what do we feel in terms of like the overall arc of this? Are our you know, this this didn't always exist. It's here now. Is this here to stay?
SPEAKER_01I I know from the industry standpoint, industry freaking loves it. You know, they're like, hey, let's let's do it, can we do it again tomorrow? Uh you know, and you know, and all of that. And, you know, in the law enforcement, they they love it because they're making impact. And really at the end of the day, that's what they want to do. And and if they have impact from their partners as well, uh they want to continue. And everybody, every politician or every uh, you know, elected official or like in the government, they love to see their name on TV. Uh, you know, and they love to be part of something special. Uh, and and so success breeds success. Stand in front of the big seal.
SPEAKER_00What were you saying, Selena?
SPEAKER_03Oh, yeah, no, I so I think so. First of all, it's here to stay for sure. Um, but I also think that the it's become initially, I I feel like takedowns or disruptions were, oh my gosh, they did a takedown. Like, this is crazy, this is unbelievable. I can't believe they did it. This is so interesting. We have to talk about it. But now it's just kind of like, okay, yeah, this is yet another takedown. And I think it's really cool that we've gotten to that point where, you know, okay, maybe it's just not as newsworthy as it used to be, or maybe it's just not as cool because it's just expected that this is what happens. I think that there's a lot of interest from all sides right now to be able to contribute to this. Because at least from my perspective, as someone who works in the industry, I often feel like I'm just sort of banging my head against the wall because, like, okay, crime is happening, more crime is happening, I see crime happening. I can write detections to stop it. But like, how else? Like, what else can I do? You know, how can I have like a real world impact? And so I think it's really awesome to be able to see the real world impact of this. And whether or not you get handcuffs, right? Like, that's really, that's really when it stops, right? Is when you're able to handcuff someone, put them in jail. You know, all right, you're you're done. That malware guy is gone. But I mean, I think it's an ongoing process, it never stops. And I think that, you know, it's important to note here too. So, first of all, this wasn't necessarily a full takedown, right? Like Sakolish is not, it is, I I I refer to it in our blog as literally like the grandfather of web injects or like the OG of the like threat landscape because they've been around forever. They're a very prominent cyber criminal group that was they're associated to Evil Corp, which is a Russian uh cyber criminal outfit, a bunch of different ransomware families they've been, you know, had links to. So it's a big group, but saying, hey, we're we're coming after you is great. And what we're gonna see, I think, too, is like the the echo through the rest of the ecosystem. Because if if sockolish was sort of the innovator of the web inject landscape, I think all the rest of these threat actors that are doing, because it's a really popular technique now. And sometimes you'll find infected websites that are infected with multiple different web injects, because it's such a common technique used by a variety of threat actors. It went from being only Sokolish TA569 to I think we track like a dozen web inject-related threat clusters right now, at least at my team at ProofPoint. So maybe there's some reverberation that we're gonna feel across the ecosystem. Maybe they're gonna feel, oh, wait a second, if this group is being targeted, maybe I should rethink my strategy. Like clearly, there's being a lot of attention paid on this particular technique, a lot of these compromises. There was, you know, information about how to patch and advice for website owners and defenders to like pay attention to this. So maybe we'll kind of see this reverberation across the ecosystem. And then maybe we'll just continue to see some of these like targeted takedowns or targeted disruptions of some of these other types of activity. And I think that to me, that's really important is that one, end users are aware that Sock Goalish is not the only web inject threat cluster that is doing this type of activity. And it's important to be able to protect yourself against the threat overall. And two, hopefully we can kind of see this reverberation through the ecosystem where even SAG Goalish is coming under scrutiny, right? They've been around forever and they're still going under scrutiny. So yeah, I'm hopeful that we'll kind of continue to see some of that echo throughout the throughout all of the criminal underground. And I don't know, maybe you'll start seeing some more gossip on the forums about stuff like this.
SPEAKER_01And I just want people to think, well, what's next? You know, say, hey, we just did this, you know, what's the next thing they're gonna hit? You know, or you know, so uh that that we want that distrust and and that that's what I love. And I think the other thing too, Dave, that is that, you know, we all, you know, we're in the corporate space and you know, we're usually in the corporate when you have that opportunity to kind of make a difference in the mission, uh, that's kind of uh it's just a different category of just your normal defense for you know a corporate partner, which is important. Um, but when you actually get a chance to make an impact like that, going after the bad guys, uh that that you know, that just makes you want to just kind of put your hand on your heart and stand up and just you know go go for the missions. And and I think that's what everybody really likes about it as well.
SPEAKER_00I guess it also plays a part in international relations, right? I mean, there's a diplomacy aspect to this.
SPEAKER_01Oh, no, no doubt about it. Uh, and and it just makes that uh, you know, that world a little smaller. You know, when you think about uh you're here in the United States and there's infrastructure overseas, everybody over there, let's say in France and Germany or the UK, they all have their own important priority things as well. So at what point, you know, do you get them to move your requests to the top of their list uh and being part of these things and building those relationships? And like when you go out to Europol, Selena and I were out at Europol last year for a conference, and you just sit around and you're getting a chance to meet a lot of people and you, you know, you meet maybe somebody from Latvia or Lithuania that you know that you just never thought of or you know, meeting, but yet, you know, next week there's a server in Latvia right now, and now now you know you can call Pavel, you know, and he can go help you out. You know, so so it's really important to do that and to build those relationships. Because really at the end of the day, relationships are what makes the world go round.
SPEAKER_00You can all hold hands and sing we are the world.
SPEAKER_03I personally would love to kick myself out of a job. If, you know, if at the end of this there is no not enough work for cybercrime analysts because we've done such a good job with private public partner collaboration that crime has decreased so drastically that I can go, I don't know, be a librarian or like open open a coffee shop, I would be so happy.
SPEAKER_00Here's what needs to happen is we need to take all of the assets that we seize from them, put them into a big pot for the old age retirement home for retired analysts who've been put out of work, right? So you have a so you have a place to live, you get a monthly stipend. You know, it's like the old actors' home in Hollywood where they just take care of you, but based on the ill-gotten gains that uh, you know, Keith's colleagues collected over the years.
SPEAKER_01I love it. It's what we'll call it like the uh the AI fund for the AI displacement fund. There you go.
SPEAKER_03We will be right back after this quick break. Well, I do want to just make sure that before we leave, especially if we're talking about the compromised websites, some recommendations for folks. Um so obviously, like network detections and endpoint protection are huge. But really the things that to kind of look out for, especially with Slack Golish and some of the other web inject stuff, from a defender, actual defender perspective, is restrict Windows users from downloading script files and anything but a text file. You could do that via group policy. Consider disabling PowerShell for general users who don't need it for their workflow. And from the website management side of the house. So for organizations that like own websites, like website administrators, make sure you have MFA on. Um, you know, consider something like YubiKey or additional layers of protection for that, which is direct access to the WordPress admin with allow listing. Just there's a lot of some of these sort of very sort of, I don't know, air quotes basic uh security recommendations that you can implement. The WordPress plugins and themes is a huge one. Make sure that you're getting them from legitimate websites and they're maintained, being up to date as much as possible. Yeah. So just really make sure that you're trying to make the best of your web security that you possibly can because a lot of these web inject threat actors, including Zach Golish, really try and exploit that. So um, yeah, it's it's it's exciting, but it's still a threat. And we have to make sure that we're staying on top of it. And uh, I just hope we continue to have more of these. So we don't have a podcast episode on all of them. It's just so common that we're just like, oh, yep, another disruption.
SPEAKER_00The disruption of the month.
SPEAKER_03Exactly. And that's only malware in the building, brought to you by N2K CyberWire. In a digital world where malware lurks in the shadows, we bring you the stories and strategies to stay one step ahead of the game. As your trusty digital salutes, we're unraveling the mysteries of cybersecurity, always keeping the bad guys one step behind. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you ahead in the ever-evolving world of cybersecurity. If you like the show, please share a rating and review in your favorite podcast app. This episode was produced by Liz Stokes, mixing and sound design by Trey Hester, with original music by Elliot Peltzman. Our executive producer is Jennifer Ivan. Peter Kilpie is our publisher.