[00:00:00] This episode is brought to you by CrowdStrike. Protect your health system with CrowdStrike, a global security leader. CrowdStrike has redefined modern security with the world's most advanced cloud-native platform for protecting critical areas of enterprise risk: endpoints and cloud workloads, identity, and data.

Powered by the CrowdStrike Security Cloud and world-class AI, the CrowdStrike Falcon platform leverages real-time indicators of attack, threat intelligence, insights on evolving adversary tradecraft, and enriched telemetry from across the enterprise to deliver hyper-accurate detections, automated protection, and remediation.

All this, and elite threat hunting and prioritized awareness of vulnerabilities. CrowdStrike. Unified platform, one agent, complete protection.

[00:00:55] Drex DeFord: Hi, I'm Drex DeFord, a recovering healthcare CIO and long-time cyber advisor and [00:01:00] strategist for some of the world's most innovative cybersecurity companies. Now I'm president of This Week Health's 229 Cyber and Risk Community, and this is Unhack the News, a mostly plain-English, mostly non-technical show covering the latest and most important security news stories.

And now, this episode of Unhack the News.

Cristian Rodriguez is with me.

Hey Cristian. How's it going?

[00:01:24] Cristian Rodriguez: I'm doing great, Drex. How you doing?

[00:01:26] Drex DeFord: I'm good. You're at CrowdStrike. I'm positive that you've been promoted since the last time I've talked to you. What's your job title now?

[00:01:32] Cristian Rodriguez: I don't even look anymore.

[00:01:35] Drex DeFord: It's like, I don't know, I just show up and people introduce me and then I just roll with it.

[00:01:40] Cristian Rodriguez: I just show up and I talk about the fun stuff. I talk about the threats, how we're innovating, rather. And yeah, I mean, I have conversations with great people like yourself, so thanks for having me.

[00:01:50] Drex DeFord: Ah, I love it. I love it. And you've got your own podcast.

[00:01:53] Cristian Rodriguez: Yeah, the Adversary Universe Podcast. Smash that subscribe button, and we'll cover some of this stuff that we'll probably cover today as well.

[00:01:59] Drex DeFord: It's really [00:02:00] one of my favorite things, and it's because you and Adam, almost like when I watch the podcast, you are doing your best to, in a very subtle way, try to figure out how to aggravate Adam a little bit. And it's especially around things. We're gonna talk about one of these today. Voice phishing. Yes. So I notice that he has a thing about vishing as a word.

[00:02:23] Cristian Rodriguez: Yeah, he can't say it. He just, I feel like if he says it three times, he'll like, explode or something. Right. He's very angry with the culmination of these two words of voice and phishing.

But yeah, that's an interesting topic. It's coming up at every event that I've been to, every conversation I've had has kind of circled around this topic, right, of a

[00:02:42] Drex DeFord: massive increase. I mean, I talked about it on the two minute drill today. Yeah. This show will air probably a week after that, but

[00:02:48] Cristian Rodriguez: Cool.

[00:02:49] Drex DeFord: Just the reality of like, you look at the list of companies who have been busted in the voice phish, getting in, getting into the CRM, taking all the data. You guys [00:03:00] talk about a global threat report too. Like, tell me more about what's going on there.

[00:03:03] Cristian Rodriguez: It's funny, we actually just recorded an episode this week on this topic, specifically Scattered Spider.

But more importantly, kind of the evolution of how attackers went from this very aggressive slew of campaigns that were very much focused on like malware and like exploits. And I think the exploits are still very much relevant, but malware use as an entry point, as an initial access vector, if you will, has been significantly reduced.

And the identities have been kind of just this ocean, if you will, of availability. Right. Right. That these attackers are kind of fishing for.

[00:03:36] Drex DeFord: I just got my Ian's life letter. Oh, did you? A notice of data security.

So more credit monitoring for me.

[00:03:43] Cristian Rodriguez: Yeah. Yeah. I have some very controversial opinions on this, by the way. I don't know if they would necessarily be CrowdStrike sanctioned, but I have an idea of like where the consumer space, anyway, is going to end up one day when it comes to your PII being out there exposed, right?

I mean, again, this is very against the grain, [00:04:00] but I think at some point, based upon all of the breaches and all of our personal information being out there, I think at one point it won't even matter as a consumer, right? I think what's gonna happen is there's gonna be a major shift in the responsibility being brought onto the banks, right, whoever's basically authorizing the opening of credit or authorizing certain transactions. I think we'll get to the point where banks and financial institutions and credit companies are going to have multi-layer authentication and approval processes built into the way that you buy and the way that you transact online, to the point where

if your information was stolen, the act of creating new credit is gonna be very difficult. Right. So I think long term, that's where we're gonna go. Where, I don't wanna say you shouldn't care that personal information is out there, but at some point, I think in the grand scheme of things it's probably out there.

Like all of our information is out there in some capacity. Right. So, I mean, I don't know where it's gonna go, but I think that's what's gonna have to happen right. At some point.

[00:04:52] Drex DeFord: This voice phishing phenomenon, what can organizations do to try to keep, yeah, I mean, their folks from being sucked into that?

[00:04:59] Cristian Rodriguez: [00:05:00] Yeah. For those not familiar with it, right. So, imagine someone calling up your help desk under the guise of an employee under duress, and they're asking you to reset passwords, and your traditional help desk analyst is trying to help, as their title implies, and they want to close out that ticket as quickly as possible. So they're gonna try to walk through some basic questions to verify your identity, right? Like who's your supervisor and your department and like your phone number. And these are very antiquated business practices, right? Where putting that employee or that person on the other line through a series of harder questions or validations is something that I think most organizations need to improve on. So for example, getting that person on video, right? Or asking that person to show some authentication in the form of IDs or passports, like on the camera.

[00:05:44] Drex DeFord: Hold their

[00:05:44] Cristian Rodriguez: yeah, exactly.

Exactly. Like get on camera. Right. And I know we can talk about AI and deepfakes, but I think there's other ways to make sure that the person is who they say they are, and then maybe even adding like a third party, like a tertiary validation process, like a coworker or like a supervisor, right?

[00:06:00] Someone that can also co-validate and then say, yes, this is a real request and you can move on to the next stage of resetting that password. Or resetting MFA, because it's very easy, right? It's very easy for these adversaries. They've been extremely successful, and their success,

which they brag about in their various forums and comms, is proliferating through other e-crime groups that are scratching their head saying, oh, I don't have to try that hard. I can just pick up the phone and dial for dollars, if you will. Right. There's a lot of copycat in

[00:06:28] Drex DeFord: this when somebody, one of the groups is successful.

Then the next group and the next group, they're like yeah, we can do that.

[00:06:33] Cristian Rodriguez: Exactly. Correct. Exactly. Correct. Right. So it's easy for them, based upon what we've seen historically and as a result. Other groups are copying that and they're picking up the phones, right.

And they're calling in.

[00:06:42] Drex DeFord: Yeah. Wow. I want to talk about another story too. All this stuff that's going on with North Korean fake employees who are now working for US-based companies, and I've heard the stories from chief information security officers in healthcare organizations and healthcare partners too, [00:07:00] where they've had this same stuff happen to them. You talk about that in the Global Threat Report, but it's in the news all over the place. It is. Tell me more about that story.

[00:07:09] Cristian Rodriguez: Yeah, so basically a group that we've given the moniker of Famous Chollima, right? Which is basically an extension of North Korean intelligence.

They have been embedding agents in Western enterprises for a few years now, where they have these agents go through a variety of job applications. They go through interview processes and they actually get hired by companies like software companies, very big reputable names that hire these folks. Yeah.

Into like their development program. And now these agents that are working in this development program, through basically a middleman who sets up like a laptop farm and allows that agent in North Korea to install like remote management tools on that system. And these laptop farm operators have dozens of machines, if not hundreds of machines, in a room in their house. And they're all connected to this specific KVM with [00:08:00] these remote management tools, allowing these adversaries to come in and actually do development for these companies. And they're kind of broken out into two categories.

One category of, someone just developing. So a North Korean, like literally just doing

[00:08:10] Drex DeFord: the work.

[00:08:11] Cristian Rodriguez: They're doing their work and then their salaries are going into the weapons program, right. For example. Yeah. Right. And there's other groups that are embedding malware and they're looking for sensitive data, right.

Based upon what their access ultimately entails. And there are over 300 organizations that we've identified that had this issue. And I was at an event a couple months ago on stage with a CISO and he mentioned, he's like, hey, we were impacted by this. We had an actual agent in our DevOps team that was attributed to this North Korean actor in this nexus, and it's kind of wild, right? To see that it's proliferated for quite some time and there's a lot of money that went into the weapons program, right. And yeah. By Mr. Kim Jong Un. So it's definitely not slowing down.

They've been using AI for like deepfake interviews. They've been using AI to build up these fake personas online, on websites like LinkedIn or any type of professional hiring sites. They've used AI to build [00:09:00] resumes. They use AI to get through interview processes. We have tons of video that actually shows what that interview process is and how they respond to questions when it comes to even asking that person to come in in person, right, to maybe grab their laptop in there. Just some of the excuses are, oh, I'm visiting a family member. Or, someone's out sick or someone's in the hospital, I can't make it. Can you ship my laptop to somewhere else? And it's effective and it's worked in the past.

[00:09:22] Drex DeFord: Yeah. And people are, I think sometimes too, HR folks or hiring managers feel super lucky to find this person at a great price who mostly wants to talk about salary and doesn't want to talk a lot about benefits.

[00:09:35] Cristian Rodriguez: Sure, yeah. And they're

[00:09:36] Drex DeFord: ready to go. It seems like you got a sweet deal. We gotta hire this person before they get an offer from somebody else.

And so that sense of urgency's all part of it.

[00:09:44] Cristian Rodriguez: Absolutely. Absolutely. And they'll answer questions and they'll answer pretty effectively on programming or skills. And to your point, yeah, sometimes the HR manager or hiring manager sees that person and says, oh, we have a winner, right?

Let's get this role filled quickly. They wanna move on to the next one, right?

[00:09:59] Drex DeFord: Yeah. [00:10:00] And because a lot of times too, these roles are open for a long time too.

[00:10:04] Cristian Rodriguez: Yeah,

[00:10:04] Drex DeFord: They're in a hurry to not, it's

[00:10:05] Cristian Rodriguez: interesting, now that I'm saying this out loud. There's an interesting correlation between the help desk objective and the hiring manager's objective, right.

To say like, hey, I just want to get this through the process and onto the next thing. Yeah. Right. And I think there's an urgency issue that I think we need to address in the grand scheme of like security enablement for HR and help desk, to say, listen, these are things you need to be cognizant of.

On both sides of

[00:10:28] Drex DeFord: it. Right? There's the applicants creating a sense of urgency.

[00:10:31] Cristian Rodriguez: Yeah. The,

[00:10:32] Drex DeFord: in HR, it's actually maybe the hiring manager who's creating a sense of urgency, so Exactly. They may be overlooking a couple of things to hurry up and get this done. Done. Exactly. The help desk is doing the same thing, right?

[00:10:41] Cristian Rodriguez: Yeah.

[00:10:42] Drex DeFord: They're like, look at my queue. There's 60 calls in the queue. Exactly. And you just get past this person. That's great insight. Actually, hadn't really thought about that. Two sides of the same coin.

[00:10:52] Cristian Rodriguez: I know. I just thought about that and I'm like, oh, that's interesting. They're both playing on urgency, so you can put

[00:10:57] Drex DeFord: that in your next presentation.

Yeah, I'll

[00:10:58] Cristian Rodriguez: put it in your next episode. [00:11:00]

[00:11:01] Drex DeFord: I'll do that. Totally. I wanna ask you too, one of the stories or one of the things we talk about regularly, but I just think we can't talk enough about it. Yeah. There was a story in the nightly from Australia and it was about Conti and all of the messages that got leaked, but more and more insight on how bad guys really operate, like startup companies who have a lot of money.

Yeah. I mean, they just, they have CEOs and CFOs and I mean, you see this kind of stuff all the time. How do they look and how do they operate?

[00:11:32] Cristian Rodriguez: Yeah. It's interesting. There's an organizational structure behind a lot of these groups. They operate like a full business, to your point, and naturally, depending on whether they're kind of standalone e-crime groups versus nation-state sponsored. A lot of times what we're seeing on the nation-state side is that they're almost like defense contractors that are working with, for example, like the Chinese government, right?

And they're building counterintelligence tools. And with some of the leaks that took place not long ago with a couple of those organizations, the chat logs were [00:12:00] leaked. You saw them communicating sentiment around like salary issues, right. Not getting paid enough or not having equity in a stake of these smaller defense contractors.

Yeah. Which I thought was interesting. Right. They're building these offensive tools, if you will, and they are trying to make money. Right. So that's on the nation-state side. On the e-crime side, you have this ecosystem of, I don't wanna call it like a pyramid, but you think of groups that are designing ransomware and they're selling the ransomware as a service versus groups that are more focused on selling identities.

Right? And then there are like these lower-tier groups that don't necessarily have the technical aptitude to build these tools from scratch, but they'll subscribe to these services because it's a lot easier to just use what's out there and use what is being innovated on.

Right. So, if you subscribe to a service, subcontract, subcontractors, somebody who's actually

[00:12:49] Drex DeFord: Really good and they're focused on this little niche. Exactly. Correct. Yeah,

[00:12:52] Cristian Rodriguez: exactly. Correct. And your goal once you spend the money is to just find your targets. Right. And then, hopefully, infiltrate them.

Run your double extortion [00:13:00] programs or run your ransomware and then use AI, right, to profile your victims and use AI to do things like even spam bombing. Right. We've seen that with a group called Curly Spider where they, we're talking about vishing or attacks that are a little more on the social engineering side.

We've seen groups that will find victims and just spam them, right? Sign 'em up for all these newsletters or things that would interest them, but they're just getting spam and their inbox is being flooded, and then they're calling up that victim under the guise of someone from the help desk. So that's kind of the inverse of what we mentioned earlier, right?

Saying, hey, are you getting a bunch of spam? And that person is saying, yes, I am. Like, can you fix this? And they go, yeah, you know what I can do? You mind just downloading this remote management tool? Lemme get on your system and start to fix things and rectify it. Oh, and that is ultimately their path into that system, and then they wreak their havoc and jump credentials and move laterally.

And so, it's interesting again that a lot of these adversaries have reverted to like the Kevin Mitnick style of an intrusion, right? By targeting the human side of the house in a much more personal way. And it's been very successful for them.

[00:13:58] Drex DeFord: I was talking to somebody [00:14:00] yesterday about how sometimes this personalized medicine approach to hacking, right? Like, because I know so much about you now, I can find so much out about you online.

[00:14:13] Cristian Rodriguez: Oh yeah. Okay. And it makes it

[00:14:14] Drex DeFord: really easy for me to create the story that's gonna get you to keep your alarm bells silent.

Absolutely. Yeah, totally. No, man, my machine is totally messed up and yeah. I would love your help.

[00:14:25] Cristian Rodriguez: Yeah, exactly. Looks like

[00:14:27] Drex DeFord: the right phone number from the help desk. Yeah.

[00:14:30] Cristian Rodriguez: Yeah. I think it's fascinating that the psychology behind these attacks is a major focal point for these adversaries now.

[00:14:37] Drex DeFord: They're almost like magicians in some ways.

[00:14:39] Cristian Rodriguez: Yeah. They're, look over here. Look over here,

[00:14:42] Drex DeFord: and don't feel

[00:14:42] Cristian Rodriguez: sleight of hand. Yeah. Yeah. That's funny. Yeah, you're right. You're right. If you can target, I mean, now AI has even, it's accelerated that experience, right, of targeting someone, getting a profile on them, understanding what their likes are, their interests are, and then from there, creating a campaign that is fairly fluid.

Right? And [00:15:00] then onto the next one.

[00:15:01] Drex DeFord: And the more they do, the more they learn, the more they figure out, well, what'll work on the next victim? Oh, absolutely. And the copycats pile on, so,

[00:15:07] Cristian Rodriguez: yeah. Absolutely. Yeah.

[00:15:08] Drex DeFord: I wanna ask you about one more story, because I thought it was pretty interesting.

There's a ransomware gang that's using an AI chatbot to initiate their deals. Have you guys heard of this and seen it, and how much of it is out there, or should we read about it?

[00:15:25] Cristian Rodriguez: I mean, it's just lazy. But anyway, I mean, everyone's using chatbots now, right? You're not even asking for their money personally anymore.

I think, yeah, so I think it's just part of what we've seen with technical operations being kind of augmented with, right. And that's where a lot of these groups are. There's targeted campaigns where there'll be a very big focus, very aggressive targeting of high-worth individuals, if you will, within an organization.

And then there's groups that will say, look, the more we can automate the better. Right? And if we can set up a bot that communicates on our behalf, then that bot has the ability of, [00:16:00] just blast speaking on behalf of the, yeah, speaking on behalf, think about this. If the bot is chatting on your behalf, then attributing your conversation, right?

If you're on a forum, think of the way that intel collection is done. If you're on a forum and you're monitoring adversaries and the way that they communicate, right? And that same communication style is used in actual negotiations, right? There's so much that goes into this.

I'm really simplifying this now, uh-huh, but I can say, hey, that's this person. We've been tracking them, uh-huh, they may be part of this campaign. Language, you name it. Right? And we have linguists that will analyze this type of activity. Yeah. But when you start to implement a chatbot that just starts communicating on your behalf, right?

Then you're giving the chatbot instructions that say you're gonna ask for this, you know you're gonna negotiate. This is your floor cost, for example. And it can do a lot for you, and it's just up and running. And so now you've basically put another layer in between you as an adversary and your victims, maybe even several layers, to kinda walk through things like payment systems and [00:17:00] negotiations and whatever the case may be.

And it

[00:17:01] Drex DeFord: becomes even harder to do attribution then.

[00:17:04] Cristian Rodriguez: Yeah, at some point it does. Right now there's plenty of ways to go beyond analysis of like, what is the bot? Where is this being spun up? Where is it being hosted? I mean, there's so many other things that you can do, but you know, the days of the negotiations

where there's like a message, for example, that just pops up and says, call this number, right, and make a payment, and you're talking to someone. I think you will see that probably fade away as AI starts to take the role of that persona, if you will.

[00:17:28] Drex DeFord: Right. That's amazing. I love talking to you. It's always, yeah, likewise. Yeah. Good time. I really appreciate you being on Unhack today, Cristian Rodriguez from CrowdStrike. Thanks.

[00:17:37] Cristian Rodriguez: You got it. Thanks so much.

[00:17:39] Drex DeFord: Thanks for tuning in to Unhack the News. And while this show keeps you updated on the biggest stories, we also try to provide some context and even opinions on the latest developments. And now there's another way for you to stay ahead. Subscribe to our Daily Insights email. What you'll get is expertly curated health IT news straight to your inbox, [00:18:00] ensuring you never miss a beat.

Sign up at thisweekhealth.com/news. I'm your host, Drex DeFord. Thanks for spending some time with me today. And that's it for Unhack the News.

As always, stay a little paranoid, and I'll see you around campus.