The CyberWire Daily Podcast 1.25.23
Ep 1746 | 1.25.23

TA444 and crypto theft on behalf of the Dear Successor. CryptoAPI spoofing vulnerability described. New Python-based malware campaign. User headspace. Tanks vs. hacktivists.


How do the North Koreans get away with it? They do run their cyber ops like a creepy start-up business. A spoofing vulnerability is discovered in Windows CryptoAPI. Python-based malware is distributed via phishing. macOS may have a reputation for threat-resistance, but users shouldn't get cocky. DevSecOps survey results show tension between innovation and security. Russian hacktivist auxiliaries hit German targets. Tim Starks from the Washington Post Cyber 202 shares insights from his interview with Senator Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility. And private-sector support for Ukraine's cyber defense. 

From the CyberWire studios at DataTribe, I’m Dave Bittner with your CyberWire summary for Wednesday, January 25th, 2023. 

Spoofing vulnerability discovered in Windows CryptoAPI.

Akamai this morning released research detailing their analysis of a critical spoofing vulnerability, CVE-2022-34689, affecting Windows CryptoAPI. The vulnerability allows malicious actors to feign a genuine entity’s identity and perform certain actions. According to Microsoft, this vulnerability allows attackers to “spoof their identity and perform actions such as authentication or code signing as the targeted certificate.” CryptoAPI is the primary Windows API handling cryptography, particularly certificates. Akamai says exploitation has two primary steps: in the first, malicious actors take a “legitimate certificate, modify it, and serve the modified version to the victim,” researchers explain. “The second phase involves creating a new certificate whose MD5 collides with the modified legitimate certificate, and using the new certificate to spoof the identity of the original certificate’s subject.” The vulnerability, although rated critical, was only given a CVSS score of 7.5. Researchers attribute that rating to “the limited scope of vulnerable applications and Windows components in which the vulnerability prerequisites are met.” 

Python-based malware distributed via phishing.

Securonix describes an attack campaign that’s using a Python-based remote access Trojan dubbed “PY#RATION.” Securonix observed the first version of PY#RATION in August 2022, and the malware has been updated several times since. The RAT is distributed via phishing emails written in English containing malicious ZIP files. The ZIP files contain LNK files disguised as JPG images showing a UK driver’s license. The researchers believe the campaign is targeting users in the UK or other English-speaking countries. After installation, the malware can carry out a wide variety of malicious activities associated with other RATs, such as keylogging and data theft. 
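As an added defender-side example (not code from the Securonix advisory or this episode), here is a small Python triage routine that inspects a ZIP attachment for Windows shell-link (LNK) payloads dressed up as images, the lure shape described above. The archive it checks is constructed inline; the file names in it are invented for the demonstration.

```python
import io
import zipfile

# A Windows shell link (.lnk) starts with HeaderSize 0x4C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 (little-endian fields).
LNK_SIGNATURE = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
IMAGE_EXTS = (".jpg", ".jpeg", ".png", ".gif")

def triage_zip(zip_bytes: bytes) -> list[dict]:
    """Return one finding per suspicious entry in the archive.

    Flags (a) any entry whose content carries the LNK header, whatever its
    name says, and (b) any .lnk entry whose name is padded with an image
    extension so it reads like a picture (e.g. "licence.jpg.lnk").
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.lower()
            with zf.open(info) as fh:
                head = fh.read(len(LNK_SIGNATURE))
            reasons = []
            if head == LNK_SIGNATURE:
                reasons.append("lnk-header")
            if name.endswith(".lnk") and name[:-4].endswith(IMAGE_EXTS):
                reasons.append("image-disguise")
            if reasons:
                findings.append({"name": info.filename, "reasons": reasons})
    return findings

def build_sample_zip() -> bytes:
    """Constructed sample archive (not a real lure): a benign JPEG, an LNK
    with a double extension, and an LNK hiding behind a plain image name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("photo.jpg", b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # JPEG SOI marker
        zf.writestr("UK_driving_licence.jpg.lnk", LNK_SIGNATURE + b"\x00" * 60)
        zf.writestr("scan.jpg", LNK_SIGNATURE + b"\x00" * 60)
    return buf.getvalue()

if __name__ == "__main__":
    for finding in triage_zip(build_sample_zip()):
        print(finding)
```

The content check matters more than the name check: Explorer hides the .lnk extension by default, so the header bytes are the reliable signal.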

macOS may have a reputation for threat-resistance, but users shouldn't get cocky.

BlackBerry has released its Quarterly Threat Intelligence Report for Q4 2022, looking at various threats facing desktop and mobile devices. The researchers note that while macOS is often viewed as being more secure than other operating systems, users frequently install malicious or unwanted software on their Apple devices: “During the 90-day reporting period, the malicious application Dock2Master was the most-seen threat on macOS: BlackBerry researchers noted that a whopping 34 percent of client organizations using macOS had Dock2Master on their network, where it was found on 26 percent of their devices.” 

BlackBerry hasn’t forgotten Windows, in case you were wondering, and their study is by no means a hit piece on macOS. Windows systems have their characteristic threats, too: BlackBerry found that RedLine was the most active infostealer targeting Windows systems. 

The point is, perhaps, that no operating system or the applications built for it can be proof against incautious users. Caveat clicker, as the Romans would’ve said if Nero had the Internet.

DevSecOps survey results show tension between innovation and security.

Dynatrace has published a study looking at the challenges of maintaining security during DevOps processes. The survey of 1,300 CIOs and senior DevOps managers found that over a third (34%) of respondents are forced to sacrifice code security to keep up with the demand for faster innovation. Here are some of the findings the report lists:

  • “90% of organizations say digital transformation has accelerated in the past 12 months.

  • “78% of organizations deploy software updates into production every 12 hours or less, and 54% say they do so at least once every two hours.

  • “DevOps teams spend nearly a third (31%) of their time on manual tasks involving detecting code quality issues and vulnerabilities, reducing the time spent on innovation.

  • “55% of organizations make tradeoffs between quality, security, and user experience to meet the need for rapid transformation.

  • “88% of CIOs say the convergence of observability and security practices will be critical to building a DevSecOps culture, and 90% say increasing the use of AIOps will be key to scaling up these practices.”

The tension between competing goals is familiar. All managers want it faster, cheaper, and better. Maybe start the process by picking two.

Russian hacktivist auxiliaries hit German targets.

Reuters reports this morning that Killnet responded to the German government's decision to supply Leopard [LAY-oh-PAHRD] tanks to Ukraine by hitting a range of German sites with distributed denial-of-service (DDoS) attacks. They were generally of brief duration and amounted to little more than a minor nuisance. Germany's BSI cybersecurity agency said, "Currently, some websites are not accessible. There are currently no indications of direct effects on the respective service and, according to the BSI's assessment, these are not to be expected if the usual protective measures are taken."

So Killnet’s got script kiddies. The Leopard has a 120mm smoothbore. Our hybrid warfare desk thinks the latter is likely to prove more disruptive than the former. 

Private sector support for Ukraine's cyber defense.

Kyiv has often acknowledged the contribution private-sector corporations have made to its cyber defense and IT resiliency over the course of Russia's war. Computerworld has an account of how one company in particular, Microsoft, has helped. The assistance rendered has been, the piece argues, both principled and the working of enlightened self-interest. "Microsoft isn’t just trying to help defend a country under siege from an aggressive, more-powerful neighbor," Computerworld argues. "Russian cyberattacks against Ukraine can also get loose in the wild and do damage to enterprises and organizations that rely on Microsoft technology. (Russia could also deliberately target private companies with those attacks.) By helping Ukraine, Microsoft also helps its customers — and it happens to be good PR, as well." Russian cyberattacks against Ukraine had gotten loose in the wild even before last year's invasion, with NotPetya being the most prominent example.

Microsoft has provided both threat intelligence and the sort of hardening and resiliency that have helped Ukraine keep its networks up and running. Computerworld summarizes the effects: "Ukraine has so far defeated Russia in the cyberwar. Russia’s once-feared hackers threw everything they had against Ukraine, including trying to shut down the power grid, disable government networks, and kill satellite communications. They failed every time."

In full disclosure, Microsoft is a CyberWire partner.

CISA issues two ICS advisories.

The US Cybersecurity and Infrastructure Security Agency (CISA) yesterday issued two industrial control system (ICS) advisories, one for XINJE XD and the other for SOCOMEC MODULYS GP. As always, users are counseled to apply updates per vendor instructions.

“Devotion to the dollar and the grind.”

And finally, whether you’re in San Jose or Sinanju, it’s the same jading story–as Proofpoint puts it in the study they released this morning about a North Korean APT, TA444, a start-up is a start-up, whether you’re a cool disrupter or an uncool grifter.

North Korean state-run threat actors are distinctive in that they’re at least as focused on stealing money as they are on stealing information. Proofpoint explains, “TA444, which overlaps with public activity called APT38, Bluenoroff, BlackAlicanto, Stardust Chollima, and COPERNICIUM, is likely tasked with generating revenue for the North Korean regime.” Pyongyang’s chronic financial hardship is a function of a failed economy, one kept down by global odium and international sanctions. So the regime turns to cybercrime to help keep itself together, able to buy the expensive stuff that, for example, a nuclear weapons program needs. 

Recently TA444 has turned its attention to cryptocurrencies, selecting its victims and shaping its phishbait to suit the victims’ probable susceptibilities. In doing so, the threat actor has been quick and opportunistic–and opportunistic in a way that, while morally objectionable, is operationally a good thing, from TA444’s point of view. They’re acting like a start-up in their focus on success and their devotion to trying whatever seems likely to work. 

Proofpoint sourly observes, “While we do not know if the group has ping pong tables or kegs of some overrated IPA in its workspace, TA444 does mirror the startup culture in its devotion to the dollar and to the grind.” 

Who knows? All of that stolen alt-coin can’t be going to ballistic missile R&D. Your hackers need some R&R, don’t they?

Proofpoint’s got a point here that they don’t need to prove: ping pong and IPAs don’t necessarily make for a healthy organizational culture. We’ve always preferred shuffleboard and a nice gose, like those at Full Tilt, down the block in Baltimore, where our editorial staff hangs out. Ping pong and IPAs? C’mon, Pyongyang–you’re not competing in Barmageddon. Show some self-respect, Mr. Kim. I mean, you’re supposed to be the Banner of all Victory and Glory, and not some tacky crypto bro. Or so we hear.

We note that in this report Proofpoint is clearly having a lot of fun, and it’s worth a look.


And that's the CyberWire. 

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for CyberWire Pro. It will save you time and keep you informed. Listen for us on your Alexa smart speaker, too. 

Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. And check out the "Recorded Future" podcast, which I also host. The subject there is threat intelligence. And every week, we talk to interesting people about timely cybersecurity topics. That's at 


The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. 

This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening. 


Selected reading.

TA444: The APT Startup Aimed at Acquisition (of Your Funds) (Proofpoint)

Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI (Akamai) 

Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection (Securonix)

BlackBerry's Inaugural Quarterly Threat Intelligence Report Reveals Threat Actors Launch One Malicious Threat Every Minute (BlackBerry)

Global CIO Report Reveals Growing Urgency for Observability and Security to Converge (Dynatrace)

Russian 'hacktivists' briefly knock German websites offline (Reuters)

How Microsoft is helping Ukraine’s cyberwar against Russia (Computerworld)

CISA Releases Two Industrial Control Systems Advisories (CISA)