The CyberWire Daily Podcast 3.10.23
Ep 1777 | 3.10.23

Cybercrime and cyberespionage: IceFire, DUCKTAIL, LIGHTSHOW, Remcos, and a tarot card reader. US cyber budgets, strategy, and a DoD cyber workforce approach. Five new ICS advisories.


Tre Hester: A new IceFire version is out. A DUCKTAIL tale. Social engineering by Tehran. DPRK's LIGHTSHOW cyber-espionage. The president's budget and cybersecurity. U.S. Department of Defense issues its cyber workforce strategy. Remcos surfaces in attacks against Ukrainian government agencies. DDoS at a Ukrainian radio station. Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. Caleb Barlow from Cylete on the security implications of gigapixel images, and CISA releases five ICS advisories.

Tre Hester: From the CyberWire studios at DataTribe, I'm Tre Hester, filling in for Dave Bittner, with your CyberWire summary for Friday, March 10, 2023.

New IceFire version is out.

Tre Hester: A new version of the IceFire ransomware is targeting Linux systems within enterprise networks, according to researchers at SentinelOne. The ransomware was previously limited to Windows systems. The threat actors behind IceFire launch double extortion attacks against large enterprises in the technology, media and entertainment sectors. The ransomware has been deployed against entities in Turkey, Iran, Pakistan and the United Arab Emirates, which researchers note are not typically the focus of organized ransomware actors. The Linux version of IceFire is deployed via CVE-2022-47986, a recently disclosed vulnerability in IBM’s Aspera Faspex file-sharing software. The Record notes that IBM issued a patch for the flaw on January 18. 


Tre Hester: Deep Instinct says the malware operation tracked as DUCKTAIL resurfaced at the beginning of February of 2023 with an updated set of malware. The goal of the operation is to install malware that will steal browser cookies, with a particular focus on session cookies for Facebook Business accounts. The researchers note that it's not entirely clear what the threat actor does after they gain access to the Facebook accounts. Quote, "While it might be possible to get the credit card information that is used for paying for ads in the compromised accounts, this doesn't seem plausible. There are far better, cheaper and easier ways to gain credit card information," end quote. Deep Instinct found one Facebook page tied to DUCKTAIL that appeared to be imitating a legitimate brand that sells kitchen appliances. Deep Instinct theorizes that this page was used to scam users with fraudulent sales and to distribute malware, though the researchers add, quote, "Since we have only identified one such instance, we can't assess exactly whether this is a one-time event or whether this is the usual operational method for DUCKTAIL," end quote. In any case, DUCKTAIL will bear watching.

Social engineering by Tehran.

Tre Hester: Researchers at Secureworks discovered a campaign from the Iranian Cobalt Illusion threat group that leverages the death of Mahsa Amini as bait, Dark Reading reports. Cobalt Illusion is also known as Charming Kitten, APT42, Phosphorus, TA453 and Yellow Garuda. The threat group uses a bogus Twitter handle and represents itself as working with the Atlantic Council, Cybernews reports. The account has also been seen engaging with posts surrounding the protests following the death of Mahsa Amini, which Secureworks researchers say will help them appear sympathetic to protesters' interests and demands and create an illusion of shared interests. Secureworks CTU's Rafe Pilling said in a statement, quote, "The threat actors create a fake persona and use it to build rapport with targets before attempting to phish credentials or deploy malware on the target's device. Having a convincing persona is an important part of this tactic," end quote.

LIGHTSHOW: a probable North Korean cyberespionage effort.

Tre Hester: Mandiant researchers have been tracking a campaign from suspected North Korean espionage group UNC2970, seen to be targeting media and tech companies in the Western world. The suspected North Korean threat actor is linked with high confidence to UNC577, a group also known as TEMP.Hermit, in action since 2013. UNC577 was seen targeting primarily South Korean companies, with some attacks by the group on a global scale, whereas the probably related UNC2970 has been primarily targeting entities in the West. These attacks begin on LinkedIn with the threat actor posing as recruiters and reaching out to targets. Mandiant researchers have identified files and suspicious drivers within compromised hosts. A dropper, LIGHTSHIFT, delivers the LIGHTSHOW payload, which then performs arbitrary read and write operations to kernel memory that aid in obfuscation from endpoint detection and response software. It's a case of bring your own vulnerable devices, since LIGHTSHOW relies on trusted yet vulnerable drivers to function. 

The President's Budget and cybersecurity.

Tre Hester: The President's Budget for Fiscal Year 2024 has been published and addresses cybersecurity across the spectrum of the federal government's operations. The budget will now go to Congress for the usual review, debate, modification and passage. Throughout, the budget ties its spending requests to the National Cybersecurity Strategy. Much of that funding will go not only to countering the work of adversaries like China and Russia in cyberspace but also to more enforcement actions against cybercrime, to the countering of malign influence and to bolstering federal cybersecurity. The U.S. Cybersecurity and Infrastructure Security Agency would receive under the plan a budget of $3.1 billion, an increase of $145 million over current funding.

The US Department of Defense issues its cyber workforce strategy.

Tre Hester: The DOD released its 2023-2027 Cyber Workforce Strategy Thursday, the agency wrote in a press release. The strategy contains four “human capital pillars” centered around identifying, recruiting, developing, and retaining cyber talent, Breaking Defense writes. The foundational strategy is intended to make cybersecurity roles in the government more attractive to potential employees, as it has struggled to compete with private sector roles and their offerings, Axios reports. Mark Gorak, DOD principal director for resources and analysis, said in a briefing, quote, "So we have to compete on mission and other tangibles to the department. Leadership, organizational culture and mission is the key there," end quote.

Remcos surfaces in attacks against Ukrainian government agencies.

Tre Hester: Check Point reports seeing the Remcos remote access Trojan as the payload in phishing messages being sent to Ukrainian government organizations. Quote, "Remcos distributes itself through malicious Microsoft Office documents which are attached to spam emails and is designed to bypass Microsoft Windows' UAC security and execute malware with high-level privileges," end quote.

DDoS at a Ukrainian radio station.

Tre Hester: Halychyna FM, a radio station in western Ukraine, was inaccessible briefly on March 2 due to a distributed denial-of-service attack by the hacktivists of Russia's Narodnaya Cyber-Armiya, the International Press Institute reports. The attack is typical of the nuisance-level hacktivism cyber auxiliaries have established during the present war.

CISA releases five ICS advisories.

Tre Hester: And finally, CISA yesterday released five Industrial Control System advisories. Check your systems and apply updates per vendor instructions. 

Tre Hester: Coming up after the break, Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. And Caleb Barlow from Cylete discusses the security implications of gigapixel images. Stick around. 

Dave Bittner: New Year's resolutions have come and gone, but it's never too late to resolve to do better. To that end, offensive security company Bishop Fox recently released a report titled "2023 Offensive Security Resolutions," highlighting ways offensive security teams can keep pace with the evolution of attacks in 2023. Beth Robinson is senior content writer at Bishop Fox.

Beth Robinson: Threat actors exploit those same technologies that we use, and every new technology adds to an existing or a completely new attack surface. And attackers take advantage of our errors in creating and developing and deploying emerging technologies. So cloud and AI, for example, are examples of this right now. And those technologies are attack surfaces that are completely woven into many things you rely on each and every day, whether you know it or not. 

Dave Bittner: Well, let's go through the report together here. What are some of the highlights that caught your attention? 

Beth Robinson: Absolutely. So we've highlighted several technologies and skills that we plan to keep our eyes on in 2023. But cloud security is the biggest priority for our consultants and Cosmos operators. So while cloud is very ubiquitous technology and it's changed many aspects of modern life as we know it, it is still very much an emerging technology in its own right. Things like human error and misconfigurations are very prevalent in cloud environments, giving threat actors a whole new world of opportunities to take advantage of. And then, with COVID-19, without a doubt, it significantly accelerated the adoption of cloud technology with the sudden shift to remote work that, really, all of us have experienced. And then, you couple that with things like the increase in e-commerce and shipping of goods instead of in-person shopping due to COVID. And this just really further complicates cloud - the security of cloud environments for everyone. And those are just two examples out of many that we can give for cloud computing and the complexity of it. 

Dave Bittner: One of the things that you all highlighted here was the use of artificial intelligence and automation. What caught your eye there? 

Beth Robinson: AI and automation are hugely prevalent technologies these days and the attack surfaces that are - that accompany them. And that's - you know, it's a new technology, emerging technology. And emerging technologies create expanded and brand-new attack surfaces. So as offensive security professionals at Bishop Fox, we have to be on both sides of the fence to understand how the technology, like AI automation, machine learning - how it's adopted and used by our customers and clients, but also how attackers see it from an exploitation perspective. So with technologies like that, we really have to be on the cutting edge of understanding artificial intelligence, for example, as an emerging technology to see the exploitation and intrusion opportunities that attackers will use so that we can find vulnerabilities in our client's environments before attackers have a chance to. 

Dave Bittner: But when you all were putting together this report, was there anything that was unexpected or anything that surprised you? 

Beth Robinson: Sure. Yeah. I think the metaverse attack surface management was a bit of a surprise, but it's something - a very emerging technology with, you know, a brand-new attack surface that's something that we have to keep our eyes on as, you know, big, heavy hitters, like Disney and JPMorgan, are taking the plunge into this type of digital universe. So we have to see how attackers view the metaverse in order to, you know, protect our customers in that attack surface environment. 

Dave Bittner: Yeah, it's a really interesting point how, you know, something like that that is emerging - even though it's not a part of our day to day so far, it's something that folks still need to keep an eye on. 

Beth Robinson: Absolutely. Yeah. And, you know, any new emerging technology really - you know, it ties in to this, like, endless cycle of software and products that largely focus on innovation and openness and speed first, right? But security is often a secondary concern. So, you know, security issues tend to only surface when a technology has achieved widespread deployment. And this - you know, things like this can be examples of this. 

Dave Bittner: So based on the information that you all have gathered here, what are your recommendations? 

Beth Robinson: Recommendations would be to mix and match your security posture and your security controls. You know, use a mix of defensive and offensive security, and be focused on your attack surface and the ways that attackers view your attack surface. And use offensive security to help map out your attack surface. 

Dave Bittner: Do you find that there's a little bit of a blind spot when it comes to offensive security? Do - are there folks out there who overlook it or feel as though they don't necessarily need to engage with it? 

Beth Robinson: Sure, of course. But I think it's coming into its own right. And I think it's really seen - we're seeing a surge in the need for offensive security especially with the surge in emerging technologies and our reliance on cloud, artificial intelligence, blockchain technology and, you know, perhaps even metaverse - the metaverse world. And the best way to protect yourself is, you know, like we do. We look at it from an attacker's perspective to understand where the vulnerabilities are in those environments before attackers have a chance to find them themselves. 

Dave Bittner: That's Beth Robinson from Bishop Fox. The report is titled 2023 Offensive Security Resolutions. 

Dave Bittner: If you want to hear more of this interview, head on over to, and sign up for Interview Selects, where you can have access to this and many more extended interviews. 

Dave Bittner: And I'm pleased to be joined once again by Caleb Barlow. He is the founder and CEO at Cylete. Caleb, it is always great to welcome you back. You know, I was recently thinking about that every time I upgrade my phone, one of the main motivators for me there is to get an improved camera. And part of that is the number of pixels that I'm able to gather, allowing me to zoom in and crop and do all that kind of stuff that I want to do. The imaging capabilities of our devices are pretty extensive, and you point out that there are some potential security implications here. 

Caleb Barlow: Well, there's a thing out there - and they're not that new. They're called gigapixel images. And, you know, in the classic cliche, if a picture's worth a thousand words, if you haven't seen a gigapixel image, Google it. It... 

Dave Bittner: Yeah. 

Caleb Barlow: They are simply amazing. In short, it's an image, usually of a landscape or a cityscape or something like that, that's at such high resolution. You know, let's say you can see buildings and mountains at a distance. You can then drill all the way down to see inside of an apartment and, depending on the image, even read writing on the wall. If you see a car, you know, maybe just as a little blip in the image, you can drill right down into that small dot and zoom it all the way down till you can literally read the license plate. So these are essentially, you know, military surveillance images in terms of their quality that would have normally been the thing reserved for government images. But they can now be created with simple, off-the-shelf hardware, a special gimbal, and a regular 20 megapixel camera. 

Dave Bittner: Yeah, I remember seeing one - I believe it was all the way back from Obama's second inauguration. And just remarkable that - how you could - exactly as you say, you start off with this wide shot, but then go pick out faces in the crowd. What are people wearing? You know, who's - who needs - who has a hair out of place, that sort of thing? 

Caleb Barlow: Well, what's even more interesting about that particular image, which is one of them that I'm particularly fascinated by, is you can see the Secret Service positions. You can see them on rooftops, where they're gathered. You can count - literally count how many of them there are. You know, so these things are often used at, like, sporting events to gather pictures of fans in the crowd and, you know, see what everybody's laughing at and doing in detail. But the point is, anybody can create one of these things now, right? In fact, you don't even need to buy the equipment. You can just rent it. And the way it works is this gimbal moves the camera very slowly, incrementally, over the course of maybe an hour, gathering upwards of 1,000 images, and then an AI engine merges them together. 

Dave Bittner: Yeah. 

Caleb Barlow: So the upper left corner of the image might have been taken an hour before the lower right corner of the image. But the AI stitches it together in a way that it's basically a continuous image. You know, these things have some really interesting, you know, security ramifications if, let's say, your business or maybe - you know, we're getting into kind of civil liberties conversations. You're taking a more persistent gigapixel image of, let's say, a cityscape because of the level of detail that you can get access to is literally just mind-boggling. I mean, like I said, you can read what's written inside somebody's apartment. 

Dave Bittner: Well, and we've seen incidences where people have been able to pull fingerprints off of photographs of people who are just waving at the camera, the resolution is so high. I'm curious what is to be done here other than to be aware? What's your message to the security folks out there in terms of having this sort of thing on their radar? 

Caleb Barlow: Well, two things - first of all, we're all nerds. Go play with it. It's crazy cool, right? 

Dave Bittner: (Laughter) Fair enough. Fair enough. 

Caleb Barlow: That's the first image - the first point. The second point, though, is if you happen to have a business that happens to be, you know, maybe in manufacturing or agriculture or something like that where a view of your business, especially a persistent view of your business, could release intellectual property or other things you don't want people to know about, you need to be very aware of this. So, you know, I happen to live in Massachusetts. It's pretty darn flat, other than in the city of Boston. I'm not worried about a gigapixel image. On the other hand, if I live someplace like Phoenix or Colorado City, where you have lots of really high vantage points that can take in the entire cityscape, then gigapixel imaging is a major issue to be worried about, again, if your business has something that you don't want people to see from afar, including inside your conference rooms if you have big windows. So, you know, again, go check it out. This is no joke in terms of how simple and low cost this is to be able to gather images at unbelievable quality. And, you know, I think we're even going to have law enforcement looking at these things saying, hey, why put up a security camera? I'll just grab an image of the whole city every 15 minutes. 

Dave Bittner: Yeah. All right. Well, Caleb Barlow, thanks for joining us. 

Caleb Barlow: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at Don't forget to check out this weekend's episode of "Research Saturday," where Dave Bittner sits down with Ron Masas of Imperva to discuss their work on the Google Chrome SIM stealer vulnerability. That's "Research Saturday." Check it out. 

Tre Hester: The CyberWire podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. Our amazing CyberWire team is Elliott Peltzman, Brandon Karpf, Eliana White, Puru Prakash, Liz Irvin, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Maria Varmazis, Ben Yelin, Nick Veliky, Milly Lardy, Gina Johnson, Bennett Moe, Catherine Murphy, Janene Daly, Jim Hoscheit, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, Simone Petrella. And I'm Tre Hester, filling in for Dave Bittner. Dave will be back next week behind the mic. Thank you all so much for having me. Enjoy your weekend.