The CyberWire Daily Podcast 3.7.23
Ep 1774 | 3.7.23

A new threat to routers. DoppelPaymer hoods collared. Ransomware hits a Barcelona hospital. Phishing in productivity suites. Espionage, hacktivism, and prank phone calls.


Tre Hester: HiatusRAT exploits business-grade routers. International law enforcement action against the DoppelPaymer gang. Ransomware hits a Barcelona hospital. Productivity suites are increasingly attractive as phishing grounds. Transparent Tribe's romance scams. Cyberattacks briefly disrupt Russian websites and media outlets. Ashley Leonard, CEO of Syxsense, sits down with Dave Bittner to discuss their "Advancing Zero Trust Priorities" report. Joe Carrigan on a warning from Microsoft about a surge in token theft. And trolling for disinformation raw material. From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Tuesday, March 7, 2023.

HiatusRAT exploits business-grade routers.

Tre Hester: Lumen's Black Lotus Labs report identifies a campaign they're calling Hiatus, which they characterize as a complex, never-before-seen campaign which has been targeting business-grade routers since June of 2022. The malware converts compromised devices into covert proxies. Black Lotus says, quote, "The packet capture binary enables the actor to monitor router traffic on ports associated with email and file transfer communications," end quote. Most of the victims so far have been identified in Europe and Latin America, and the researchers, seeing no significant overlap with other threat activities, see HiatusRAT as a unique cluster. It constitutes both a staging mechanism for subsequent attacks and a threat to information transiting affected routers.

International law enforcement action against DoppelPaymer gang.

Tre Hester: Bleeping Computer reports that two alleged members of the DoppelPaymer group were targeted in a joint effort between German and Ukrainian law enforcement. Europol, the FBI and Dutch police also saw involvement. Europol said in a press release that officers in Germany on February 28 raided the house of a German national who is believed to have played a major role in the DoppelPaymer ransomware group. Ukrainian police, despite the ongoing war with Russia, were able to interrogate an alleged member of the gang apprehended in Ukraine. Law enforcement is actively seeking out three more actors that they believe were the core members of the gang. Eleven suspects altogether have been identified.

Ransomware hits Barcelona hospital.

Tre Hester: A ransomware attack against the Hospital Clinic of Barcelona on Sunday has severely disrupted the clinic's computer operations, as well as forcing cancellations of 150 non-urgent operations and as many as 3,000 patient checkups, the AP reported yesterday. The attack has been attributed to the RansomHouse gang, a group working from the outskirts of Spain. Security Week wrote that Sunday's attack on the center crippled computer systems at the facilities, laboratories, emergency room and pharmacy at three main centers and several external clinics. Thus, its effects weren't confined to a single location. Approximately 150 elective surgeries, 500 extractions and around 300 consultations were unscheduled, according to EuroWeekly News. Urgent cases are being redirected to other locations. Hospital director Antoni Castells said in a Monday news conference, quote, "We can't make any predictions as to when the system will be back up to normal. Recovery is in process," end quote.

Productivity suites increasingly attractive as phishing grounds.

Tre Hester: Vade has published its annual Phishers' Favorites report for 2022, finding that Facebook, Microsoft and Google were the most impersonated brands last year. Notably, Google, which placed 28th in 2021, jumped to the third most impersonated brand last year, following a 1,560% increase in Google-themed phishing pages. The researchers attributed this increase to the growing popularity of Google Workspace, and Vade predicts that Microsoft and Google will be the two most widely impersonated brands in 2023 due to the prevalence of their productivity suites. Vade also observed significant increases in phishing attacks across nearly every industry sector. 

Transparent Tribe's romance scams: only the lonely can play.

Tre Hester: Virtual swallows and digital ravens are seeking to enmesh targets using bogus romantic come-ons. ESET reported this morning that Transparent Tribe, a group believed to operate from Pakistan, is active and apparently targeting, for the most part, Indian and Pakistani military and government officials with romance scams. The victims are convinced to download compromised versions of secure messaging apps to their Android phones. These apps will install the CapraRAT backdoor, which is designed to exfiltrate information. ESET believes the attackers began by contacting their victims via an email address or phone number and then luring them into a romance scam. After the victims have downloaded the Trojanized messaging app, the attackers continue communications with them over the messaging app while stealing information in the background. The malicious apps used poor operational security, and the researchers were able to locate over 150 victims. Most of Transparent Tribe's efforts may have gone into India and Pakistan, but infestations were also found in Egypt, Russia and Oman. 

Cyberattacks briefly disrupt Russian websites and media outlets.

Tre Hester: Anonymous claims to have resumed hacktivist actions against Russia, saying last Thursday that they were, quote, "currently involved in operations against the Russian Federation," end quote. The Daily Beast reports that the Russian government site,, and five other government sites were down briefly on Monday. is back up now. The action appears to have been the now customary nuance-level hacktivist work of distributed denial of service and website defacements. Meanwhile, TASS is authorized to disclose that a member of Russia's delegation to the United Nations has denounced what she characterizes as the West's use of Ukraine as a testing ground for cyber warfare. 

Disinformation, how may we help you?

Tre Hester: Proofpoint, this morning, described an ongoing campaign by a Russian-aligned threat actor, TA499, also known as Vovan or Lexus, to engage Western political and business leaders in voice or video calls. The calls are recorded, and they appear designed to gather raw material that can be used to produce content that would tend to discredit those who have publicly supported Ukraine. Proofpoint summarizes, quote, "the calls are almost always, certainly, a pro-Russia propaganda effort designed to create negative political content about those who have spoken out against Russian President Vladimir Putin and, in the last year, opposed Russia's invasion of Ukraine," end quote. 

Tre Hester: Proofpoint goes on to add that if you rashly decide to take one of these calls, quote, "TA499 is not a threat to take lightly due to the damage such propaganda could have on the brand and public perception of those targeted, as well as the perpetuation of disinformation," end quote. Engagement begins with emails inviting a target to join a call. The emails commonly impersonate a Ukrainian ambassador. Should the target agree to the call, TA499 will use a video deepfake to impersonate a trusted interlocutor. Once the target is induced to make a statement in the Ukrainian interest, the threat actor engages in what Proofpoint calls antics designed to fluster the target into doing or saying something embarrassing. That embarrassment will then display elsewhere in the interest of the Kremlin. 

Tre Hester: Coming up after the break, Dave Bittner sits down with Ashley Leonard of Syxsense to discuss their Advancing Zero Trust Priorities report, and Joe Carrigan on a warning from Microsoft about a surge in token theft. Stick around. 

Dave Bittner: Ashley Leonard is CEO and co-founder of endpoint security firm Syxsense. They recently shared a report titled Advancing Zero Trust Priorities. For details on what they found, I spoke with Ashley Leonard. 

Ashley Leonard: First of all, the fact that the amount of organizations that are currently evaluating zero trust is pretty interesting. Our results showed that 62% of organizations are currently evaluating or have implemented a zero-trust solution. The amount that actually have implemented it so far, though, is pretty small. It's only 4.8% of organizations that have actually currently implemented some form of zero-trust implementation. 

Dave Bittner: And why do you suppose that's lagging in that way? I mean, you know, as you say, this is certainly a hot topic these days. That's a smaller number than I would have expected. 

Ashley Leonard: Yeah. It surprised me because you do see it so prevalent in the industry news and at trade shows. And I think a lot of it is that there's a lot of complexity around zero trust and a lot of problems actually understanding really what zero trust is. Many organizations think that you can just buy a product, and you install the zero-trust product, and that will allow you to then have zero trust. And zero trust is really a lot more than that. It's more of a mindset. Certainly, products help, and obviously, we're a product vendor. We're a software vendor. So we can help you along that path. But it's a lot more than just buying a product to implement a true zero-trust methodology. 

Dave Bittner: What are your recommendations, then? I mean, for folks who have their eye on going down this path, any words of wisdom? 

Ashley Leonard: Yeah. You know, if you kind of look at traditional security, traditional security worked with more of kind of - I like to call it the castle mentality, where you're going to have very high walls and a moat and very limited gates that you can enter the building through. And that kind of protected your organization in the old days. Now, nowadays, of course, those walls have come down. A great example is what recently happened with COVID and employees at home. And now, you know, those laptops and devices that were once at home are now walking in through the gates of the castle, get plugged into the corporate network, and now you have a problem. So you kind of have to, first of all, I think, change the mentality of the way that you look at cybersecurity in your organization from being kind of that castle mentality to being a zero-trust mentality, which is that you kind of have to have the mindset that everything is already breached and that you want - what your job is, is to limit the damage that could happen from a device that is already potentially breached in the organization. 

Ashley Leonard: So you kind of start there with that mindset change. What you then do is go ahead - you then go ahead and need to perform an audit. And you kind of want to audit a lot of different things. You want to think about the tools that you're currently using. And that's an important point 'cause many organizations today are not actually at Step 1 when it comes to implementing zero trust. They've often got tools that can already be used to help them along their zero-trust route. Think about the assets that you have. Think about the data, the networks, how they're accessed, how they're secured. So you kind of want to do this audit of your IT infrastructure and then determine your risks. And that's also a different approach, I think, when it comes to zero trust, where traditional security - you typically look at an outside-in approach to security. You're kind of looking at how an attacker might get into your organization. With zero trust, you start on the inside looking outwards. So you kind of have to change the way you look at your entire infrastructure. 

Ashley Leonard: And then you implement the controls and requirements that will tighten the security to limit access, assuming that everything is untrusted until it's proved to be trusted. Finally, you repeat because it's constantly changing. That's the other key learning is that this is an iterative process, and you need to just run through the process and get to the end and start again because new software is coming in, new ways of accessing data, new data itself, new forms of storing data. So it's a constantly iterative process as you implement zero-trust policies. 

Dave Bittner: You know, there's that old saying that you shouldn't let the perfect be the enemy of the good. I'm curious - do you think that applies to people who are in the midst of their zero-trust journey? 

Ashley Leonard: Yeah. And I don't think there is going to be a perfect. And, you know, typically, the smartest way to implement zero trust is to start with kind of the easy wins, and then you get to the end and then start again, and you move up to the next challenge. So it's - I wouldn't wait. There's not going to be a perfect plan for implementing zero trust. The best thing to do is to get going and just keep iterating. 

Dave Bittner: What's your message to the folks who are putting off this transition or kicking that can down the road, you know, maybe intimidated by the notion of the change itself or for other reasons? What do you have to say to them? 

Ashley Leonard: Well, so we - that's an interesting one as well. So as part of the survey, we actually asked that question. So we asked the question, why - if you're not looking at implementing zero trust, why? And the kind of top three answers that came back were lack of budget was No. 1. Forty-one percent of the respondents that are not implementing zero trust at the moment came back and said the primary reason was lack of budget and funding for a zero-trust implementation. So they wanted to do it, but they couldn't. So I would say to that group, hey, this is not something you can put off. And again, the old security approach of the castle walls doesn't work anymore. Behind that was technical challenges. And yes, there are challenges, but there's also an opportunity to learn new skills and improve your skills as an individual if you're implementing zero trust and help improve the business's overall security posture. And I would say that your level of security compliance and posture actually is a business benefit for your organization. We're in the security business, and we have to prove compliance for many of the customers that we do business with. So it's an advantage the more highly secure we are, and it ends up being a differentiator for us versus some of our competitors. 

Ashley Leonard: And then finally, I would say the kind of the third item that came back from our survey regarding why customers don't implement zero-trust was just a lack of direction from the top. So it's important, depending on the size of your organization, whether it's your CIO, CISO or CEO that you're aware of these types of initiatives like zero-trust, and you're making it a priority for your organization to implement. 

Dave Bittner: That's Ashley Leonard from Syxsense. The report is titled "Advancing Zero Trust Priorities." And joining me once again is Joe Carrigan. He is from Harbor Labs and the Johns Hopkins University Information Security Institute and also my co-host over on the "Hacking Humans" podcast. Hello, Joe. 

Joe Carrigan: Hi, Dave. 

Dave Bittner: So interesting story here from the folks over at eSecurity Planet. This is an article written by Jeff Goldman, and it's titled "Microsoft Warns of Surge in Token Theft Bypassing MFA." Can you unpack what's going on here, Joe? 

Joe Carrigan: Yeah, so I'm not sure what's going on with the surge. That's - I guess that Microsoft has a team called Detection and Response Team... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Or - they like to call it DART because they also have a cool acronyms department over at Microsoft. 

Dave Bittner: Right. 

Joe Carrigan: But they are noticing that there is an increase in these token - what's called token theft. They're describing two different kinds of token theft in here. One is called the adversary in the middle and the other is called pass the cookie. 

Dave Bittner: OK. 

Joe Carrigan: So before we get into that, we should understand what a token is. 

Dave Bittner: Yeah. 

Joe Carrigan: When you log in to a website or a service or something, whatever it is - it's easier to understand with the web. So the web is stateless in that it doesn't - the state doesn't survive from one connection to the next. So in that connection, your web browser will maintain something called - "in that connection," I say with quotes, because it's actually mimicking a connection. Your web browser will maintain, in a set of cookies - and that's why we have cookies - a - something called a session token that verifies to the server that you are logged in correctly, and you are who you say they are... 

Dave Bittner: I see. 

Joe Carrigan: ...You say you are. So basically what that means is every time you go to request something, if you have one of these tokens, you don't have to provide your username and password. So imagine life without the tokens. And I want to submit this form, and a thing says log in. So I go - I have to log in. And then it says, OK. And then I want to click to the next page. I have to log in again. That would be miserable, right? 

Dave Bittner: Right. Right. 

Joe Carrigan: You wouldn't - it would be unusable. But not only that, but how would you even - there's a whole bunch of different questions that arise. So we just use these tokens as a representation of our session that really doesn't exist between one request and the next one. 

Dave Bittner: OK. 

Joe Carrigan: And we kind of build, like, a human understanding of a session. I'm logged in, and then I'm logged out. 

Dave Bittner: OK. 

Joe Carrigan: And there's also other services where you log in - like, let's say, for example, remote desktop protocol... 

Dave Bittner: Yeah. 

Joe Carrigan: ...Where I might - I don't know if that one has a token or not, but I would imagine it does, that there's some token in there that lets me authenticate over time. So what's happening here is they're talking about two different attacks. One is a pretty simple attack to understand. It's called pass the cookie. 

Dave Bittner: OK. 

Joe Carrigan: So it involves compromising a user's browser somehow. You see this happening a lot with plugins or with HTML. If it can break out - there's a vulnerability that nobody knows about or you're using an unpatched version of your web browser, somebody might be able to get access to the cookies that are stored for a site. And if they can get access to them, then it's really simple then just to export them to somebody else. And then they can put that cookie into their web browser just by using some of the development tools that are included with these web browsers to then represent that they are you. And the server - if the server is not configured to look for things like, hey, this IP address has changed significantly - this person is now looking like they're coming out of New York City, when just two minutes ago they looked like they were coming out of California... 

Dave Bittner: OK. 

Joe Carrigan: Right? Now, that actually may be a valid use case, but I think it's reasonable to - when you see that, to say, OK, you're just going to have to authenticate again... 

Dave Bittner: Right. 

Joe Carrigan: ...And log back in. 

Dave Bittner: Yeah. 

Joe Carrigan: So those kind of attacks are out there. The other one is called the attacker in the middle or adversary in the middle attack, which is kind of like a man in the middle. But it's - basically what they do is they build malicious infrastructure that then lets you connect and log in and shows you what you should be connecting to and logging into. But when they receive the tokens, they make a copy of them, and then they steal them, and they can log in with whatever service it was. This will bypass a lot of the multifactor authentication protocols out there, like the SMS code or any of the codes that you have to enter because you'll be looking at the actual web page when this thing loads. 

Joe Carrigan: And when you have to enter a code that's either texted to you or generated by a program or a little piece of hardware that you have, there's nothing in that process that says you're not on the right web page, right? You don't - you're not looking at who you think you're looking at, or you're not using the correct service, or there's somebody in the middle that's being malicious. One of the things that Microsoft recommends here is using a FIDO Alliance authentication method because that will protect against this because the people - the FIDO device will only respond using the connection information for the people asking - or for the service asking for the authentication, which will not be the legitimate service behind the attacker in the middle, the malicious infrastructure. 

Dave Bittner: I see. 

Joe Carrigan: So when it goes to - what it does - and my reading is old on this, and I haven't read this up. I'm doing this all from memory. But what it does is it uses that server name, that URL or whatever it is, as a part of a private key along with a secret that it generates on the fly. 

Dave Bittner: OK. 

Joe Carrigan: And then it does a challenge response using that private key. Well, if Microsoft is saying, hey, I'm Microsoft, take Microsoft and your secret and add them together and give me the challenge response for this number, and then Bob's Evil Infrastructure says, hey, I'm Bob's Evil Infrastructure, give me the challenge response, your challenge response is not going to be correct for Microsoft. It's going to be correct for Bob's Evil Infrastructure. 

Dave Bittner: I see. 

Joe Carrigan: And Microsoft will go, no, you didn't authenticate. So that's how - and that's a terrible way to explain FIDO.

Joe Carrigan: FIDO protects you against that. But suffice it to say, a FIDO key, like a YubiKey or a Google Titan will protect you against this kind of attack.

Dave Bittner: All right. 

Joe Carrigan: But it will not protect you against logging in and having somebody exfiltrate your keys from your web browser. 

Dave Bittner: Yeah. 

Joe Carrigan: So if you log into Google, put your Google Titan in there, push the button and get the session key and somebody steals that, if Google's not checking for that kind of thing, which they might be - I don't know - then they have stolen your session, and they can do whatever they want as you. 

Dave Bittner: All right. 

Joe Carrigan: Now, fortunately, Google, whenever you need to do anything significant, they do ask for your password again. 

Dave Bittner: Yeah. 

Joe Carrigan: But these guys don't even need to know your password - username, password or your multifactor authentication stuff. They just need to get the session. 

Dave Bittner: All right. Well, once again, this is over on eSecurity Planet, article by Jeff Goldman - "Microsoft Warns of Surge in Token Theft Bypassing MFA." Joe Carrigan, thanks for joining us. 

Joe Carrigan: It's my pleasure, Dave. 

Tre Hester: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is a production of N2K Networks proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is me, with original music by Elliott Peltzman. The show is written by John Petrik. Our executive editor is Peter Kilpe. And I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. And we'll see you back here tomorrow.