Principal Threat Researcher at SentinelLabs, Juan Andres Guerrero-Saade (aka JAG-S) talks to Rachel Lyon and Eric Trexler in the first of a two-part To the Point – Cybersecurity podcast.
JAG-S recounts the fascinating case of Moonlight Maze, one of the first ever cyber espionage campaigns, tells how he came to be featured in the International Spy Museum in Washington, D.C., and talks us through his recent research into Meteor Express, a wiper attack and “epic trolling endeavor” on an Iranian railway.
JAG-S also reveals some of his personal history including how he went from Philosophy graduate to cybersecurity researcher and APT hunter and much more.
Click ‘play’ and enjoy the ride!
“Roided-out Sitting Duck” – Part One : Audio automatically transcribed by Sonix
“Roided-out Sitting Duck” – Part One : this mp3 audio file was automatically transcribed by Sonix with the best speech-to-text algorithms. This transcript may contain errors.
Intro:
Welcome to the Point Cybersecurity podcast. Each week, join Eric Trexler and Rachel Lyon to explore the latest in global cybersecurity news, trending topics and industry transformation initiatives impacting governments, enterprises and our way of life. Now let’s get to the point.
Rachael Lyon:
Hello, everyone, welcome to to the Point podcast. I’m Rachel Lyon here as ever with co-host Eric Trexler. Eric, how are you doing?
Eric Trexler:
I am great, Rachel. It’s a great day. We’re recording on a Friday for the first time in a long Typekit. I like it a lot. I do so, so I have to tell something. I have to announce something to our audience. Aside from our Fed Fed Top 30 Federal Influencers Award three years in a row, by the way. Subscribe, tell your friends and please leave us some feedback. We get so little feedback through the podcast platform and the mechanisms provided. So leave us some feedback. Only good feedback. If you have bad feedback, put it on a cooking show or something. But Rachel, you’re an actress. Rachel, if we go to Rachel Lyon, no Lyon, Lyon, Rachel Lyon on IMDb, we can look up your profile. Yes, you are a SAG card carrying actress
Rachael Lyon:
Card carrying SAG. Yes, yes. I couldn’t have done the show with you. Had I known that a long time ago, I would have been too nervous. It would have been awesome. No, no. Well, I mean, it’s you know, you could probably get your SAG card, too. I mean, this mini-podcast, surely you qualify?
Eric Trexler:
Yeah, I don’t think it’s video, though. So what were you on?
Rachael Lyon:
Well, I did some soaps, so days of our lives. As the world turns, I met Susan Lucci. She was fantastic. It was an episode where she went off to Las Vegas and she was pretending to be this person called Desiree. It was a lot of fun. It was Las Vegas casino.
Eric Trexler:
Fabulous. Now you’re on to the point cybersecurity.
Rachael Lyon:
Right now, I’m on to the Point Security podcast, Baby.
Eric Trexler:
Ok, so I’m you don’t have to call me baby. It’s OK. This is a professional show, so I’m going to lead us into our excellent, amazing guest who’s been doing this longer than all of us today by saying, You know, we have a guest from SentinelOne one. My wife works at SentinelOne, as some people may know, and she was nominated, which you shared with me for this cyber scoop 50, recently. So she’s a nomination. And she was put in as most inspiring up and comer. And my wife, you know, I’m looking for some credit here, I’m like, Hey, this is amazing, Patty, she goes, I’m fifty-three. I’ve been doing this. I’m not a young leader anymore. I’m like, Look, you look young. It’s everybody’s going to love it. You look great. So I thought that was very funny since we were on the topic of SentinelOne one today. But who do we have today from SentinelOne?
Speaker2:
Well, we have Juan Andres…last name.
Juan Andres Guerrero-Saade :
You can do it almost there.
Juan Andres Guerrero-Saade :
Guerrero Saad.
Juan Andres Guerrero-Saade :
All right. Well close enough.
Eric Trexler:
Juan, can you. Can you help us there Juan? Yeah. And then we’ll finish the.
Juan Andres Guerrero-Saade :
So it’s Juan Andres Guerrero-Saade, and it’s so complicated that most of the people I know in the industry have just decided to go by Jags because somehow that’s initials are better, at this point.
Eric Trexler:
Jags, it is. So tell us about Jags, Rachel.
Rachael Lyon:
Well, Jags, which is like the coolest name ever, by the way, is principal threat researcher at SentinelOne. He’s also an adjunct professor of strategic studies at Johns Hopkins School of Advanced International Studies. He’s worked as senior cybersecurity and National Security Advisor to the Government of Ecuador, and his joint work on Moonlight Maze is now featured in the International Spy Museum’s permanent exhibit in Washington, D.C..
Eric Trexler:
Wow. So Jags, you’re in the Spy Museum.
Juan Andres Guerrero-Saade :
Uh, yeah, and Thomas Rid, a couple of other folks, we’re actually holograms in the Spy Museum, somehow just trying to explain like code similarity and all this attribution stuff. It’s they did a great job. It’s very cool, Rachel.
Eric Trexler:
I was working with a co-worker years ago and there’s a cyber infosec guy out there called Jester. Why are you with me? Jags? Yeah. So he had to transport jester’s laptop to the Spy Museum because it was so like, nobody knows who he is. It’s fascinating. Wow. Yeah. So he is there. So it’s a big thing.
Rachael Lyon:
I follow him on Twitter. It’s hilarious that you just said that.
Eric Trexler:
Yeah. Yes, TR. But it’s a big thing to be in the Spy Museum, and they just redid it in D.C. It is awesome.
Juan Andres Guerrero-Saade :
Yeah. If you haven’t visit the new building is fantastic. Yeah.
Rachael Lyon:
You know, I admittedly, I had to look up Moonlight Maze. I’m embarrassed to say, but I thought it was like 1996, first widely known cyber espionage campaign in world history. The value of the information stolen. I guess, according to congressional testimony, was in the tens or hundreds of millions of dollars. And if you were to print out and stack all of the information that had been taken, that paper stack would be three times the height of the Washington Monument. So this is a big
Eric Trexler:
Deal and nowhere close to OPM or Sunburst or the like. But go on.
Juan Andres Guerrero-Saade :
Right, right? I mean, well, it’s a different era, right? The internet of the nineties is a very different landscape, right?
Eric Trexler:
But let’s go back to the Cold War of the eighties. I mean, what would it take a let’s just pick on an American spy to carry that type of content out of Russia. Like how many? How many? What was it, Rachel? Oh, you mean the height of the stack of paper?
Rachael Lyon:
Oh, sorry, it’s three times the height of the Washington Monument, and the Washington Monument is five hundred and fifty-five feet tall.
Eric Trexler:
Ok, so we’re talking almost eighteen hundred feet of paper, eight and a half and eleven, I’m assuming stacked up. I mean, think about how long it would take a spy organization to walk that out of a building. That’s a lot of content
Juan Andres Guerrero-Saade :
In a similar example, I think the closest thing would have been the Mitre att&ck archive, which one of it’s an interesting story totally unrelated to this, but one of the guys that worked at the KGB archives was taking notes of everything that he was transcribing and saved it all for 20 years until they finally got him out of Russia. Really? Wow. Very interesting. But yeah, there’s no corollary. As far as cyber goes, you know, the amount of information that you can steal in one go is just a click of a button. Yeah. And well, in the nineties, it was a little more involved. It was really interesting to go kind of anachronistic early in the research, right? Like, we work on all these APT’s all these cyber espionage campaigns, all this recent stuff, and you get used to a certain level of automation. You get used to all the facility that comes with the modern internet and then you’re looking at an operation that’s, you know, evolving from its infancy in the late nineties. And it looked very different. You’re talking about a hands-on keyboard. There’s no command and control servers sort of orchestrating the whole thing. They’re trying to code their way through this. You see broken tools, getting deployed all the time, then sort of trying to grow as they go along. So it was like watching the birth of a threat actor, right?
Eric Trexler:
Yeah, yeah. And I bet most of our listeners have no idea what Moonlight Maze was. They weren’t. They weren’t in infosec at the time, and I’m betting a good percentage of our listeners may not have even been alive at the time. I mean, it’s like nine eleven or how long we’ve been in Afghanistan. I mean, you go back and it’s a generation, at least at this point, right? Wow.
Juan Andres Guerrero-Saade :
Right. I mean, with your set award, I think you might actually have a good amount of the people that dealt with moonlight maize from the Air Force and NSA and whatnot. But for the most part, it is. It is sort of a forgotten phase of cyberwar. The beginning? Yeah. Right.
Eric Trexler:
So if anybody wants to understand the time period and Jags, I don’t know if you’ve ever read the book, but there’s a book The Cuckoo’s Egg by
Juan Andres Guerrero-Saade :
Absolutely
Eric Trexler:
Clifford Stoll, DOE IT person. Essentially, I think I’ve talked about it on the show, but it just takes you back to, I think the Cuckoo’s Egg was the late 80s, early 90s, like when Clifford wrote the book, I don’t even know what he’s doing. He might be retired at this point, but yes. Yeah. So I mean, but it’ll give you some framework for the time, which is very different than now. These types of attacks were, I mean, massive and not expected like they’re almost expected every month. At this point, we’re recording the week that I mean, I don’t even know what T-Mobile lost. Rachel was like 50 million personnel records or something around that. Yeah, yeah, whatever. Who cares? Nobody even cares anymore. I mean, like, nobody cares machine learning customer.
Rachael Lyon:
And I’m T-Mobile customer, Yeah, yeah, whatever.
Eric Trexler:
What are you going to do? Right, so. So can you put us in that time frame? Like most of our listeners, I don’t think we’ll know what this was, but can you like put us in the time frame? Obviously, you were a little younger back then. The world was different. The, you know, infosec I.T, you name it. I mean, there wasn’t really much of cybersecurity out of NSA and in a couple of companies, right?
Juan Andres Guerrero-Saade :
Yeah, it’s a really interesting landscape. So there are two ways to approach this that are kind of foreign to most of us. One of them is the state of the internet at the time, right? You’re talking about mostly university research centers, military computers, that kind of stuff, and then some early adopters trying to get into the scene. But it’s not at all like what the internet looks like now in its proliferation and its number of users nor and its uses right. For the most part, you’re storing research and databases and government stuff. So in itself, it’s a very different target environment and from the espionage side, from the cyber espionage side, it is entirely undeveloped. I mean, we have rumors of maybe early Israeli operations. We believe the NSA was already operating at that time. I like to call it the League of Titans, right? Like we’ve got the folks that were doing Moonlight Maze, which has a connection to a modern threat actor called Tirla. Yeah. And then you’ve got the folks from the Equation Group, which we’ve come to know us as some function within NSA that we’re also around in nineteen ninety-five around there. So you basically have a drastically underpopulated threat actor menagerie, right? You don’t have your. When did this
Eric Trexler:
Start? Like what year, really? I mean, I know ninety-eight’s like the big ninety eight and ninety-nine is the big year, right?
Rachael Lyon:
Wikipedia said Ninety six, but I don’t know if that’s accurate.
Juan Andres Guerrero-Saade :
Yeah, so moonlight maze starts somewhere in ninety-six. As far as we can tell, so
Eric Trexler:
Windows 95 is out. Most people are still on Windows three one, maybe. Maybe we’re talking like ninety-four and three, three, five, I mean, most of our users haven’t heard of this stuff or listeners,
Juan Andres Guerrero-Saade :
So that was our initial assumption. It gets more obscure, right? So our ability to do this research, I kind of have to tell a bit of a back story comes mostly from the doggedness of Thomas Rid, who is another he is a full time professor over it at Sice and a brilliant researcher, a fantastic author. And he and I talked years back and he was very much focused on this idea of, you know, what the hell happened with like Maze? Why have we never seen anything technical come out about Moonlight Maze? And he started filing FOIA requests and trying to follow up with everybody involved and just kept pressing and pressing and pressing until he found a bit of a redaction error. One of the documents basically, I believe, redacted the name of a company that had been compromised but didn’t redact the name of the person managing it. It’s one of those two. It’s either the company or the person or is his name. And Thomas was able to contact this man. Older gentleman called David Hedges super nice guy who had been managing this system for a UK company that got compromised and was being used to root part of the attack to the United States. And as luck would have it, he had the machine. He still had the machine under his desk. So it was basically his his his willingness to kind of hold on to all this stuff allowed us to do all this research. He had been asked by the FBI at the time whether he would be willing to kind of let the hack continue and essentially watch everything that went through there. And he did, but he also didn’t get rid of any of it afterwards. So once we nobody thought
Eric Trexler:
To ask him.
Juan Andres Guerrero-Saade :
Well, yeah, I guess, you know, the FBI didn’t do their homework on that one because one of the tragic things of this is the there’s a notice that Thomas uncovered first that says, you know, as part of standard procedures we have destroyed after a certain amount of time, we have destroyed all of the evidence that we had collected. So we kind of it was a gut punch for us in the early days of our research because we were like, OK, we’re just, you know, unless you’re in the NSA or GCHQ, we’re not going to get anything. And then, you know, Thomas stumbles upon David, who was just sitting on this treasure trove of fossils that we could essentially reconstruct a good portion of the attack from.
Eric Trexler:
And when were you doing this reconstruction piece?
Juan Andres Guerrero-Saade :
So I’m going to have to think back. I’m like, all of time has sort of blended into one giant ever day. But I believe we were doing the research around twenty sixteen, twenty seventeen. I might actually have to google it myself.
Eric Trexler:
Yeah, no worries. But this is I mean, this is all happening after the wall fell five years after the Cold War ended. Right? It’s still underway. And I I suspect Jags that most people in government weren’t weren’t thinking about cybersecurity back then. We’ve got to protect this. People can walk through our our walls and just get in here from keyboard strokes.
Juan Andres Guerrero-Saade :
Yeah, it was. It was a rude awakening on a variety of levels, but for one, it essentially kicks off. Establishing things like JTF and other functions within the U.S. government to respond to this like this is kind of the big wake up, call it also because someone eventually decides to brief Congress. Of course it leaks and it becomes the, you know, the first rally cry, including, I believe, a Newsweek article that said, you know, we are in a cyberwar. It was like the beginning of that, that kind of Cyber Pearl Harbor hyperbole style of taking on these things. But it’s also a really interesting time. I mean, you mentioned Cliff Stoll and what Cliff was onto, and he’s kind of like the patron saint of threat hunters because he was, you know, it’s the late eighties, I believe, or early nineties. And more than anything, he doesn’t have any of the tools available that were used. You don’t you’re not talking about firewall logs or sims or a V or EDR.
Eric Trexler:
And if you read the book, he’s got like CIA involved, but they really don’t care or aren’t doing anything, they’re not sharing with them. He’s a government employee. He’s a Department of Energy. Was he had Lawrence Livermore, I think, in Berkeley. He was in that area and he had nowhere to go. But he’s watching this behavior. It’s never explained. It’s I mean, that was a pretty good pull, I have to admit, but it’s a decent read. It’s a little detailed, but yeah, it’s a different time.
Juan Andres Guerrero-Saade :
It’s really interesting. I mean, for folks who have not been exposed to it or even for big fans of the music, I would actually point you to a more recent talk sans CTI in 2015-2016. Sorry, my cat is waking up, 2015-2016. Cliff Stoll came back and he did a keynote talk for this conference, and I had the pleasure of being in the crowd. He’s an incredibly animated speaker to the point where he was jumping around. He basically disconnected the projector, but he shows
Eric Trexler:
That he’s back then when he can’t get anybody to listen to the fact that there’s people inside energy,
Juan Andres Guerrero-Saade :
The amount of energy this man has, you know, at his age, which is fantastic. And he literally showed up with the same slides like the old timey projector slides that he used to explain to NSA what was happening, and he just looked at the projector slides. Yeah, it was like it was. I don’t even know what you call them, but yeah, it was fantastic.
Rachael Lyon:
What was it called Rachel? The overhead projectors. Remember, you would put the the film-based slides on them with the right markers.
Juan Andres Guerrero-Saade :
He still has them. We I don’t know where they source this projector for him, but so I would point to that as a must see. It’s probably like the best keynote talk I’ve ever seen. And where is it again?
Eric Trexler:
It was SANS?
Juan Andres Guerrero-Saade :
SANS CTI in D.C. I can’t remember the year, but if you look for sand and Cliff Stoll, you Stoll.
Eric Trexler:
Your boom. Ok, we’ll link to that if we can find it. So back to Moonlight Mays, you’re doing all this work. You hit the mother lode.
Juan Andres Guerrero-Saade :
Yeah, so some something to feel.
Eric Trexler:
Where do you go from there?
Juan Andres Guerrero-Saade :
Yeah. Well, so to close off the thing with Cliff, right, the reason I brought it up is what we didn’t understand at the time is he was seeing these German hackers who were stealing American documents to sell them to the KGB for some combination of, you know, drugs and money. And at the time, we just were not really cognizant that this could happen with Moonlight Maze. I think it comes at a time when the U.S. is already in a very covert fashion, taking on that same activity and someone in the U.S. in Russia figures out, you know, why not go for this ourselves? So what we see and you asked, you know, what do we feel at the time? The idea of getting our hands on this material was if there is such a thing as a miracle and threat intel, I think this is it, right? We found more detailed information for that incident than we usually get for most modern investigations. I mean, you had on keyboard logs, all kinds of tools, you could see how they were deploying things, their different victims. Danny Moore, who worked with us on this, he’s over at Facebook now. He he actually was able to reconstruct this whole cloud of all the IPS connecting to each other and figuring out sort of how they were routing themselves through these different systems and coasts. And Ryu and I spent our time reversing the reverse engineering the different samples. I told you that it was a little more obscure than Windows, NT and whatnot because these were actually SPARC stations, Solaris systems, iris systems from back in the day.
Eric Trexler:
So it was I can hang Rachel. See?
Juan Andres Guerrero-Saade :
Well, I’ll tell you what, when I was seven years old, when this stuff was being coded, it was entirely new assembly seven using
Eric Trexler:
Be in this one. So how do you take Solaris? Like what is that? Back then, it’s probably Solaris 7 or Solaris 8. How do you take Iris and actually even do anything with it?
Juan Andres Guerrero-Saade :
Well, I mean, thanksfully.AIDAPRO will battle anything you throw at it, but I think the bigger issue was that’s a
Eric Trexler:
That’s a tool you’re using for reverse engineering,
Juan Andres Guerrero-Saade :
Right? I mean, that’s sort of the tool, you know, until Ghidorah came out, it was the tool, and I think that it still is. But essentially the harder issue was not disassembling these things, but rather that I mean, I was entirely foreign to this type of assembly. Like I had to sit down and basically learn a whole new right form of assembly to understand these different binaries and try to figure out what the hell it is that they’re doing. And thankfully, I had Caussin Rai, who’s always been a mentor, and he’s he’s much more experienced in that in these sorts of things. To help guide me, but we had a ton of stuff to reverse. So it took us at least six months just to deal with the samples and figure out how that toolkit was being iteratively developed, what it was that they were trying to do, what was going on. And I think the greatest finding of the whole moonlight mais parallel construction that we got to do was realizing that these guys who for all intents and purposes, were skittish. They were script kiddies at the time and they were just, you know, kind of testing out different tools and what they could get their hands on. They eventually start to kind of catch their stride and develop, you know, one set of tools that really work for them and, you know, develop it better and get closer to what we now would think of as a malware family. And the interesting thing was they they built on top of a publicly available backdoor called Loki, too. And we saw them start to iterate on that strip aspects of it, improve on certain aspects of it, build, build, build, build and then our visibility ends. There’s you know, there’s a period when when this leaks out of Congress and the Newsweek story comes out, they freak out and burn all of their infrastructure, including the server that we’d gotten access to. So at that point, we kind of.
Eric Trexler:
So they reach into the server, which is in somebody’s house.
Juan Andres Guerrero-Saade :
It was in a company in the UK. It was like a guitar company in the UK.
Eric Trexler:
Right. Ok, so it’s part of their infrastructure, though, and they basically burn
Juan Andres Guerrero-Saade :
It all down. They burned everything they stopped using.
Eric Trexler:
We think the Russians.
Juan Andres Guerrero-Saade :
Yeah. I mean, for all intents and purposes, I mean, we we had these connections going back to like City Line, which was like a Russian ISP at the time. Like everything pointed. You know, they tried using proxies. That’s what this company in the UK was right. They hacked this company and used it to route themselves so that the attacks would look like they were coming from the UK rather than Russia. But eventually, that mask kind of falls apart, right? Where it gets interesting is that that tool that we were watching get developed doesn’t disappear. As a testament to sort of the compatibility of POSTECH systems and Linux and still kind of working on the same elements. It looks like they continue to use that same source code up to now.
Juan Andres Guerrero-Saade :
Why would you recreate it if you don’t need to, right?
Eric Trexler:
Well, yeah, but again, I mean, that was. It. I was in disbelief to consider that you could have a malware family work 20 years later and in Windows, it would be impossible, but in Linux, you know, they took the same source code that they had continued to develop over the years for these Solaris systems and recompiled it for Linux eventually. And we had already seen it. We just didn’t know what it was. We didn’t know how to connect it. It’s something that researchers at Kaspersky had discovered around 20 15 called Penguin Turlock. And you might know Twirla Twirla is a really well-known cyberespionage actor, Russian actor. They’ve been behind a lot of very notable attacks, including, you know, DOD systems, military, a lot of government, a lot of governments. I mean, they are very much an old-school, proper espionage organization. You know, you’ve got sort of the the the bears that, you know, come around like bulls in a China shop like Sophia C APT twenty-eight, fancy bear, whatever you want to call them. And then you’ve got the kind of the pros that are actually just stealthily watching embassies, watching, you know, different ministries of state and so on.
Eric Trexler:
That sense a little respect there.
Juan Andres Guerrero-Saade :
Oh, definitely. I mean, I my blog is named after them like, I love these guys. They do, you know, they just do fascinating work, but they use something called Penguin Tala around twenty fifteen and they continue to use it sparingly over the years. And what we figured out was when they were having a hard time with an intrusion. Whenever somebody was starting to clean them out of a network, they would grab like a Linux server somewhere on that enterprise and hide this little backdoor and they would get cleaned out and they would wait three months or whatever. And then they would just come right back in through that Linux back door that most folks didn’t catch and they would just repopulate. That Linux backdoor was compiled from the same source code that we were seeing develop from Moonlight. So you have this perfect connection of 20 some years, from moonlight, mace to the modern twirla that we continue to deal with, which is just mind blowing.
Eric Trexler:
So JAGS, I’m going to ask you a question because if you look at like MacOS, it comes from next OS, which is, you know, comes from Unix. Hmm. Right. If you look at Windows, what are we up to now? Windows 11, I think? Well, I can still see, right? Ok, so I can still see in Windows 10, which I don’t do a lot of remnants of dos and early Windows 95 and Windows 3.1. And you know, the operating systems that we work with still go back 20, 30 plus years. In the case of Unix, we’re talking. I mean, what are we talking? We’re probably talking close to what, 50, 60 years now? I think Unix was late sixties if I had to take a guess. So it works. The code still works. I don’t know. I mean, you don’t hear about this often, but why wouldn’t you just keep using it if it works? If nobody’s shut you down, why not keep using it? We do it on the operating system.
Juan Andres Guerrero-Saade :
Yeah, I mean, it’s kind of fascinating. I say that this is more possible in Linux, where, you know, pop standards are much more important than folks are continuing to maintain. The same open SSL has been around for a billion years, and you just kind of iterate on it, which is why it’s a frigging mess. But you know, it continues to work. You couldn’t do that on Windows. I mean, Windows has a lot of things that continue to look like their old versions. But if I took malware from the early two thousands and tried to run it on like Windows 10, chances are it’s just going to crap out, right? Like the of the DHL’s aren’t going to work the same way. The services don’t work the same way the crowd.
Eric Trexler:
But when I go to edit the registry, it’s like back in the day when I was an I see on Windows NT 3.5, 3.5.1. I mean, it’s it’s still the registry, right? Terminal Command control is still there a lot. I’ve got Mac OS x Unix books downstairs. That still works, surprisingly or not, because I forgot everything. You can still run by. I forgot it all, Rachel. I forgot It all. This is fascinating.
Juan Andres Guerrero-Saade :
Well, another version of that, right? Speaking more to the security industry in the way that it’s evolved over the past 10, 15 years, there’s been a lot more of a cat and mouse game in on Windows. Right? You know, viruses were a thing that became there was a greater consciousness about viruses on windows. And then the antivirus industry started to evolve from the great figures that we’ve known from back in the day, whether it’s Eugene, Kaspersky was there and the folks from McAfee, you know, I won’t say that, John, kind of rest in peace. You know, as a figure, he didn’t sort of withstanding the test of time, but we have these sort of like luminaries that started the AV industry and it was all about kind of, you know, a new viruses come out and all these different folks around the world are doing their best to kind of best it. And that evolves into the industry that we know now where you have hundreds of thousands of unique samples coming in all the time. And we’ve tried to. Develop more automated systems that deal with them. All of that is largely rooted in the Windows Battlefield and Linux and Mac OS have kind of flown under the radar, not because there aren’t threats for either of them, but rather from a lack of visibility, from a lack of adoption. Honestly, some snobbery on the part of Linux administrators who seem to think that these things can’t affect them, even though it’s quite clear that they do so. In a sense, the evolution of security tooling under the hood of Windows is it’s been battle-tested and it’s been sort of this natural evolution that’s happened between predator and prey, whereas I think Linux is really lagging behind. In that sense, they adopt security measures just sort of like, you know,
Eric Trexler:
They want seeing on the defensive side, the white hat side. But really, the bad guys, the adversary, they don’t care. They’ll pick whatever platform works for them, right?
Juan Andres Guerrero-Saade :
I mean, whichever they have to write, like if I if I know that I want to target you and you’ve got an iPhone, then you know, we know what the stakes are now, right? I’m going to go to NSO, I’m going to pay them a million dollars and boom. You know, we’ve got Eric. I’m not going to spend all my time trying to figure out Windows malware if you don’t use it, right? Right?
Eric Trexler:
Yeah. Now I’ve been in the industry 20 years and it’s like, well, Linux doesn’t have a big enough footprint. There’s not enough, you know, the addressable market is too small. We’re not going to have a Linux client capability. It’s like, Well, wait a minute here. Every server that’s like leaving, it’s like leaving two windows in a house open, but everything else is totally bolted down. I mean, come on. Well, I’ve always heard that there’s like an 18 percent number, which is where a lot of the adversaries look for mass attacks, when a platform, whatever it may be great goes above like 18 percent. I’m sure that number changes. It becomes attractive from a monetization perspective. That’s not nation-state. That’s like, you know, hacktivists, people out there for money.
Juan Andres Guerrero-Saade :
So it’s a very outdated way of thinking about things, right? Like every server and cloud system on Earth essentially is built on Linux in some form or another. And the idea of monetization has changed drastically, right? Like what has fueled the ransomware epidemic, but the ability to exchange value through cryptocurrency and you can mine cryptocurrency. The only reason that you shouldn’t mind cryptocurrency at home is that it’s inefficient because you don’t want to pay the light bill. But if I can deploy crypto miners to a bunch of instances, then you know, what do I care? Right? So there’s definitely a whole side of that that we’re ignoring, and that’s the large scale on the smallest scale. It’s like, well, my router runs Linux and there’s these Mirai botnets that at times have taken down entire swaths of the internet because of the lack of security on those things. So yeah, we we treat them like edge cases, but it’s kind of ridiculous because I agree it’s our whole infrastructure.
Eric Trexler:
Right, right. But from corporate America’s perspective, it’s hard to monetize in many cases because there just aren’t as many nodes out there, if you will. Systems?
Juan Andres Guerrero-Saade :
Yeah, I mean, I think I think some folks are kind of getting ahead of that, I think. I would also expect or hope that customers get a little more savvy in what they ask of their vendors. Like, I try to kind of egg customers on to be like, you know, ask for this, ask for something better. Look at the DNC. I mean, it’s such a contentious issue to talk about what happened in the summer of SOPA. Twenty sixteen. But the DNC, if you read the CrowdStrike report carefully, they realize that APT28 is their fancy bear or whatever SA team, whatever you want to call him, a million names. They realized they put twenty eight is there and they clean all the Windows machines. They don’t realize that there’s an X agent sample on a Linux machine, and they repopulate exactly the same way that we were talking about with Twirla. And you know, it’s not let’s not knock CrowdStrike in particular. I think most folks in the industry just aren’t paying attention to Linux the same way that they should. And it’s it’s situations like that where you see the chink in the armor where it’s like just one machine sitting there is enough to keep that beachhead going, keep that infection going for way longer. And then we see the effects that that has sort of in horrible ways, right?
Eric Trexler:
Yeah, you can be 99% perfect, but that one percent that one machine, I mean, you have to have perfection in many cases. Ok, so you’re doing Moonlight Maze, you’ve done the research. Where does it end up? Well, how do you end the story because we have another amazing story coming?
Juan Andres Guerrero-Saade :
Yeah, well, there are quite a few. I mean, I’ve had a very I’ve had the privilege to work on a lot of interesting cases in my career. And, you know, we can talk about them for as long as you want. Moonlight Maze. I was really happy to see how it ended up. I mean, I got to, first of all, go on stage at SAS, which was one of my favorite conferences with my friends, my co-researchers at the time, Thomas rid that Danny Moore and Coson Ryu. We got on stage there together how to drink together over the machine and got to tell the story. But better yet, the Spy Museum, as they were doing this sort of redesign and they got that brand new building amazing site in D.C. they dedicated a whole section to the cyber espionage and cyberwar, sort of the development of things in the cyber domain. And apart from giving us an opportunity to explain some difficult concepts as wonky holograms. They actually took the server. David Hedges was kind enough to ship them the original command and control server from like Maze. And, you know, it’s up there in the exhibit. So if folks ever get to escape COVID madness, I definitely recommend you go see this machine that field a thousand hacks, right? Awesome. That is amazing.
Rachael Lyon:
So now where do you go from there, I mean, gosh, I
Eric Trexler:
Think we go to trains, trains and planes and automobiles, but let’s go to trains, Rachel.
Eric Trexler:
Wow, what a great story. Eric, I think with that, let’s let’s call it the end of part one and bring people back next week for part two.
Eric Trexler:
But I don’t want to wait a week. And the inside story, Rachel is we don’t get the raw copy, so we have to wait to hear the second part also.
Rachael Lyon:
I know, I know I hate it, but that’s what makes it so much fun. How often do you wait for anything anymore? I just binge-watch like 11 seasons of The X-Files.
Eric Trexler:
I get so angry when they drip them out week by week. I Ted Lasso right now is killing me.
Rachael Lyon:
It’s excruciating. Excruciating.
Eric Trexler:
Ok, so Jags Part two next week.
Rachael Lyon:
Jags Part two next week? Yes. So can’t don’t want to miss it. Yeah, exactly. Tuesday bribe. You get direct in your email box. That’s right. On Tuesday.
Eric Trexler:
Talk to you then. All right.
Intro:
Thanks for joining us on the to the Point cybersecurity podcast brought to you by Force Point. For more information and show notes from today’s episode, please visit W-w-what four gov podcast. And don’t forget to subscribe and leave a review on Apple Podcasts or Google Podcasts.