The CyberWire Daily Podcast 2.6.23
Ep 1754 | 2.6.23

Unpatched VMware ESXi instances attacked. 0ktapus is back. Update on LockBit’s ransomware attack on ION. Charlie Hebdo hack attributed to Iran.


Dave Bittner: New ransomware exploits a VMware ESXi vulnerability. Roasted 0ktapus squads up. LockBit says ION paid the ransom. Russian cyber auxiliaries continue attacks against health care organizations. Attribution on the Charlie Hebdo attack. Deepen Desai from Zscaler describes recent activity by Ducktail malware. Rick Howard looks at cyberthreat intelligence. And the top U.S. cyber diplomat says his Twitter account was hacked.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, February 6, 2023. 

New ransomware exploits VMware ESXi vulnerability.

Dave Bittner: France's Computer Emergency Response Team - that's CERT-FR - and Italy's National Cybersecurity Agency have both warned of a widespread ransomware campaign that is exploiting a vulnerability in VMware ESXi servers. The ransomware is exploiting CVE-2021-21974, which VMware patched in February 2021. BleepingComputer says at least 3,200 servers around the world have been infected. CERT-FR recommends that organizations apply all patches for ESXi hypervisors and also verify that their systems haven't already been compromised. The ransomware appears to be based on Babuk source code. 

Roasted 0ktapus squads up.

Dave Bittner: TechCrunch reports that the threat actor known as 0ktapus is now targeting the technology and video game sectors. The threat actor compromised more than 130 organizations last year using simple phishing kits. According to a report obtained by TechCrunch, 0ktapus is launching phishing attacks against video game companies, as well as business process outsourcing companies and cellular providers. Some of the targeted companies are said to include Roblox, Zynga, Mailchimp, Intuit, Salesforce, Comcast and GrubHub. Group-IB published an extensive report on 0ktapus last August. Indeed, they're the ones who declared it roasted. The researchers say the criminal group combined simplicity with sophistication, and its tentacles were groping at credentials. TechCrunch reports a consensus among researchers that 0ktapus is the same group known elsewhere as Scattered Spider. 

LockBit says ION paid ransom.

Dave Bittner: The U.K.-based ION Trading Group, hit by a LockBit-claimed ransomware attack that began on Tuesday, has reportedly paid the ransom asked of them by the threat group, Bloomberg reported Friday. Bloomberg News cites a LockBit group representative, who told them “that the ransom was paid and that the gang provided a decryption key to unlock the compromised computers.” The person or entity behind the ransom payment, as well as the monetary amount, was not disclosed to the outlet. Reuters said last week that the attack could take days to fix, though if the group representative is reliable, the decryption key provided may expedite the process. The United States FBI has begun their own search for information on the attack, in addition to U.K. regulators conducting individual investigations, Bloomberg wrote Friday. 

Russian cyber auxiliaries continue attacks against healthcare organizations.

Dave Bittner: Med City News last week put the total number of U.S. health care facilities affected by KillNet DDoS attacks at at least 17. While much of the activity has remained at nuisance level, that hasn't been the case with all of it. Tallahassee Memorial HealthCare in the U.S. state of Florida took its IT systems offline Friday and suspended emergency medical services, diverting most such patients to other hospitals. It announced that for the time being, it would only accept Level 1 traumas from its immediate service area. The hospital said in its updates on the incident, we are safely caring for all patients currently in our hospital, and we are not moving patients to other facilities. However, we have rescheduled nonemergency patient appointments. Patients will be contacted directly by their provider and-or care facility if their appointment is affected. 

Dave Bittner: The Record observes that attribution to Russian auxiliaries is still circumstantial, but it seems nonetheless fairly clear. The attack on Tallahassee Memorial HealthCare comes just one day after a group of pro-Russian hackers announced DDoS attacks on hospitals in at least 25 U.S. states, knocking several offline for hours. The Russian cyber auxiliaries appear to have ready access to commodity criminal DDoS tools, notably the Passion botnet described last week by Radware, who stated, Passion group, affiliated with KillNet and Anonymous Russia, recently began offering DDoS-as-a-service to pro-Russian hacktivists. The Passion botnet was leveraged during the attacks on January 27, targeting medical institutions in the USA, Portugal, Spain, Germany, Poland, Finland, Norway, Netherlands and the United Kingdom as retaliation for sending tanks in support of Ukraine. 

Attack on Charlie Hebdo attributed to Iranian threat actor.

Dave Bittner: Charlie Hebdo, the well-known French weekly satirical magazine, was hit with a cyberattack that saw customer data stolen and leaked, Reuters reported Friday. Microsoft researchers are attributing the activity to the Iranian threat group NEPTUNIUM (which appears as Emennet Pasargad in the U.S. State Department's Rewards for Justice program). Security Affairs wrote yesterday that the group claimed in early January to have stolen the personal data of over 200,000 Charlie Hebdo customers, sharing a data sample that included the full names, telephone numbers and home and email addresses of people who'd either subscribed to or purchased something from the magazine. Microsoft says that the data was offered for sale at the price of 20 bitcoin, or approximately $340,000 at Friday's exchange rates. 

Dave Bittner: The Rewards for Justice description of Emennet Pasargad explains that the outfit is a contractor, an Iranian company that's done business under a variety of names. It earned its place of dishonor in the Rewards for Justice program through its unsuccessful attempts to influence the 2020 U.S. elections. But the State Department says they are not just ordinary trolls hanging out under some bridge in Saint Petersburg. Emennet Pasargad, State says, poses a broader cybersecurity threat outside of information operations. Since 2018, Emennet has conducted traditional cyber exploitation activity, targeting several sectors, including news, shipping, travel, oil and petrochemical, financial and telecommunications, in the United States, Europe and the Middle East. There is a reward of up to 10 million Yankee dollars for information on the group. If you'd like to drop a dime on them, you can do so on the State Department's special Tor site. 

Top US cyber diplomat says his Twitter account was hacked.

Dave Bittner: And finally, Nate Fick, U.S. ambassador-at-large for cyber and head of the State Department's Bureau of Cyberspace and Digital Policy, tweeted Saturday, my account has been hacked - perils of the job. What he means by hacked isn't further specified. In any case, the hacked account is a personal one the ambassador uses for posts about weather, mountain biking and backcountry skiing, which probably accounts for the refreshing shrug-off. Ambassador Fick communicates officially through an official account, @StateCDP, and that's a good practice. 

Dave Bittner: Coming up after the break, Deepen Desai from Zscaler describes recent activity by Ducktail malware. Rick Howard looks at cyberthreat intelligence. Stay with us. 

Dave Bittner: And joining me once again is Rick Howard. He is the CyberWire's chief security officer and also our chief analyst. Rick, it's always great to welcome you back. 

Rick Howard: Hey, Dave. 

Dave Bittner: So your "CSO Perspectives" show is in the middle of your 12th season, which... 

Rick Howard: Yep (laughter). 

Dave Bittner: ...Is unbelievable to me, especially since the CyberWire's only been around for seven years. So you seem to be running at warp speed over there. 


Rick Howard: Yeah. We talked about this last week. This is dog years. That's how we count these seasons in "CSO Perspectives". 

Dave Bittner: Fair enough. 

Rick Howard: (Laughter). 

Dave Bittner: Fair enough. Well, so far this year - or this season, I should say - you've been talking about some great stuff. And what is on your docket for this week? 

Rick Howard: So back in Season 1, when we first started the show, we did an episode on cyberthreat intelligence operations, or CTI, and it was one of our most-listened-to shows. So I really liked that one. 

Dave Bittner: Yeah, I remember that one. You were talking about the intelligence life cycle, if memory serves me, which is - that's the mechanics of how you collect intelligence. Now... 

Rick Howard: Yeah. 

Dave Bittner: ...Didn't you say that that was invented by the U.S. military during and around World War II? 

Rick Howard: Yeah, that's right. They kind of invented the formal process after the war, you know, when intelligence officers tried to explain what they did during the war. So, you know, kind of - here's what we did. Yeah, that sounds good. But... 

Dave Bittner: (Laughter). 

Rick Howard: ...You know, the whole operation stuck. So - but it's been two years since that episode, and I was just thinking it was time for an update. And I got a call from Landon Winklevoss before the holiday break. He's the co-founder and VP of content at Nisos. They're a commercial intelligence firm. And he thought it would be interesting to explore how the corporate world is systematically using their intelligence teams to help the business. So I grabbed Landon for a deep-dive conversation about the current state of cyberthreat intelligence in the commercial world. 

Dave Bittner: All right. Well, that is the CyberWire Pro side. What are you pulling out of the "CSO Perspectives" archives this week for the public side? 

Rick Howard: So last week, we pulled an episode about single sign-on, and so this week, it made sense that we would couple that episode with a topic in the same general category, identity - kind of a double feature, if you will, right? So this week, we're pulling an episode from May of 2002 about two-factor authentication. 

Dave Bittner: You know, when I listened to that show last year, I really had no idea there were so many different ways to do two-factor authentication. And, you know, with all things security, there's always that trade-off between the ease of use and the degree of security. 

Rick Howard: Yeah, I didn't know all that stuff either until we did a deep dive on it. And we ended up covering several authentication methods in detail. We cover SMS, email - let's see - authenticator software tokens, push tokens and, the latest entry into the field, Universal 2nd Factor, or UTF it's called. 

Dave Bittner: Well, before I let you go, what do you have for us this week on your "Word Notes" podcast? 

Rick Howard: So this week, the word is man-in-the-middle. 

Dave Bittner: Well, that's an old but goodie. 

Rick Howard: I know you're familiar with that, Dave. Yeah. 


Rick Howard: Yeah. Really is. 

Dave Bittner: Yeah. Yeah. Yeah. 

Rick Howard: You know, 'cause some things never go away. And we think that the first documented use of a cyber man-in-the-middle attack was sometime in the early 1980s. So on this show, we explain what it is, and we even demonstrate its use from one of my favorite hacker movies, "WarGames." 

Dave Bittner: All right. Well, we will look forward to that. Once again, Rick Howard is the host of the "CSO Perspectives" podcast on CyberWire Pro. He is also our chief security officer and chief analyst. Rick Howard, thanks for joining us. 

Rick Howard: Thank you, sir. 

Dave Bittner: And joining me once again is Deepen Desai. He is the global CISO and head of security research and operations at Zscaler. Deepen, it's always a pleasure to welcome you back to the show. I want to touch today on the Ducktail Infostealer, which I understand you and your colleagues have been keeping an eye on lately. There's a new variant that you all are tracking? 

Deepen Desai: Yes. Thank you, Dave. So Ducktail - very interesting info-stealing malware. So just to give you guys a background, ThreatLabZ's team tracks dozens of different info-stealer families. So there's a group of researchers under ThreatLabZ that are tracking changes in this threat landscape where - how the threat actors are evolving their tactics, tool tactics and procedures to steal a variety of information. So as part of that tracking activity, we came across a new variant of Ducktail Infostealer, and that is being actively distributed by pretending to be a cracked software. You know, nothing new over there, like we've seen other families leverage that tactic before as well. It includes a variety of applications like, you know, gaming apps or Microsoft Office application. We saw Telegram and some of the other popular apps as well being used by the gang. 

Dave Bittner: So someone's looking to get themselves a cracked version of software, and they get a little more than they were counting on. 

Deepen Desai: Yeah, exactly. 

Dave Bittner: And so what exactly does Ducktail go after? Is it just a pretty broad info stealer? 

Deepen Desai: Yeah. So just some background - I mean, Ducktail is not new. I mean, they've been around since at least 2021. And it's attributed to a Vietnamese threat group. The campaigns that the team has tracked since last year were all focused on taking over Facebook business accounts, right? And intent over there is to either manipulate the page or to access the financial information. And, you know, the goal is to steal data and commit financial fraud over there. The earlier versions that we saw were written using .NET Core, which is, you know, the Microsoft open-source version of .NET. And they were leveraging Telegram with those - with that one group of CNC activity and exfiltrate data - right? - the data that got stolen after the account hijacking. 

Deepen Desai: In August 2022, Zscaler ThreatLabZ team saw a new campaign consisting of the info stealer, which is, you know, in PHP version. And, again, it's still aiming to exfiltrate sensitive data, but it will target a little bit broad. I mean, it will look at things saved in the browser - so save credentials in web browser, especially targeting Facebook account information. But rather than going after just Facebook business accounts now, and they're targeting, you know, a broader consumer base as well. 

Dave Bittner: And how exactly are they going after people on Facebook? Are they going after their credentials? 

Deepen Desai: Yeah. The goal over here is - with the payload that I spoke about, they - so folks who are looking for cracked or free version of the software will download a payload that is basically this malware that will then run on the system, look for saved credentials, which includes Facebook business accounts, right? And the credentials get stolen. The threat actor is able to establish access to the page, make changes. They are able to access even the financial information related to the business account and get access to - basically steal that part as well to perform financial fraud. 

Dave Bittner: You know, Deepen, usually when we talk about these things, I ask you, you know, what folks can do to help protect themselves. I suppose, in this case, we lead off with don't download cracked software. 

Deepen Desai: Absolutely, yes. 


Deepen Desai: Don't look for free versions of, you know, licensed software. 

Dave Bittner: Right, right. But suppose I'm, you know, running an organization here, and one of my users does this. Are there things that I should be on the lookout for? 

Deepen Desai: Yeah. I mean, look; in this case, you need to have a strategy in place that users will make a mistake. They will click on those links, and they will download, you know, at times, suspicious payload. So this is where your cloud sandboxing solution plays a very important role 'cause many of these payloads are packaged near real time, when the user clicks on the link and tries to download them. Now, not downplaying the fact that you're - the inline engines, whether it's the IPS engine, your scanning engines, all of those play a very important role in blocking things that are known bad. But when the payloads are being packaged near real time, you also need to have a sandboxing solution that's able to detonate the payload, monitor the behavior and convict the file based on activity it performs. 

Deepen Desai: The other piece that I would always encourage is to include some of these scenarios in your employee awareness training as well. It's important to make the employees aware that in your quest for downloading that free version of the software, you know, there are so many of these cases where you're inadvertently downloading a malware file that can cause a lot of harm, not just to the - to their individual system but to the business overall. 

Dave Bittner: All right. Well, Deepen Desai, thanks so much for joining us. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out the "Grumpy Old Geeks" podcast, where I contribute to a regular segment called Security Ha. I join Jason and Brian on their show for a lively discussion of the latest security news every week. You can find "Grumpy Old Geeks" where all the fine podcasts are listed. 

Dave Bittner: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.