The CyberWire Daily Podcast 4.26.23
Ep 1810 | 4.26.23

BellaCiao from Tehran; PingPull from Beijing: two cyberespionage tools. SLP exploitation. Ransomware as an international threat. The state of hacktivism. Digital evidence or war crimes.


David Bittner: BellaCiao is malware from Iran's IRCG, while PingPull is malware used by the Chinese government affiliated Tarus Group. Ransomware continues to be a pervasive international threat. An overview of hacktivism. Our guest is CyberMindz founder Peter Coroneos, discussing the importance of mental health in cybersecurity. Johannes Ullrich shares insights from his RSAC panel discussions and Ukraine continues to collect evidence of Russian war crimes.

Dave Bittner: From the RSA conference in San Francisco I'm Dave Bittner with your CyberWire summary for Wednesday, April 26th, 2023.

BellaCiao malware, from Iran's IRGC.

Dave Bittner: Iran's APT Charming Kitten, sponsored by Tehran's Islamic Revolutionary Guard Corps, has been seen using a new strain of malware known as BellaCiao, Bitdefender reported this morning. The group, known also by many names including Mint Sandstorm, Phosphors, APT35 and APT42, uses this individually-tailored dropper to deliver payloads from their command-and-control server. Bitdefender said that "Each sample collected was tied up to a specific victim and included hardcoded information such as company name, specially crafted subdomains or associated public IP address. The malware has been seen in use against victims in US and Europe but also against targets in Turkey and India. The exact point if infection is unknown, but researchers conjecture a Microsoft Exchange exploit chain software vulnerability or something similar. The researchers suspect the Italian moniker for this Iranian-native malware, BellaCiao, may be a reference to a folk song of the same name about resistance fighters.

PingPull, malware used by the Chinese government affiliated Tarus Group.

Dave Bittner: Researchers at Palo Alto's Unit 42 discovered a new malware strain they're calling "PingPull". It's used by Tarus, a cyberespionage group attributed to China. PingPull targets Linux machines and has been used in conjunction with these Sword2033 backdoor. Unit 42 explained that alto Tarus has been historically active against telecommunications companies in Asia, Europe and Africa, recently researchers have noticed increase activity spreading to financial institutions and government entities.

CVE-2023-29552 a critical level Service Location Protocol exploit.

Dave Bittner: BitSight reported today that they discovered a new high-severity exploit for the Service Location Protocol stating, "SLP is a protocol that was created in 1997 through RFC 2165 to provide a dynamic configuration mechanism for applications in local area networks." The exploit dubbed, CVE-2023-29552 allows attackers to launch DDoS attacks against open SLP instances. CISA explains, "The Service Location Protocol allows an unauthenticated remote attacker to register arbitrary services. This knows allow an attacker to use spoofed UDP traffic to conduct a denial-of-service attack with a significant amplification factor." BitSight explains, "Attackers exploiting this vulnerability could leverage vulnerable instances to lunch massive Denial-of-Service amplification attacks with a factor as high as 2200 times, potentially making it one of the largest amplification attacks ever reported." BitSight urges businesses to disable SLB on devices connected to the open internet and if that's now piece, "then firewall should be configured to filter traffic on UDP and TCP port 427. This will prevent external attackers from accessing the SLP service."

Ransomware continues to be a pervasive international threat.

Dave Bittner: he Five Eyes alliance is seeing a rising threat from ransomware, Infosecurity Magazine reports. Felicity Oswald, the United Kingdom's National Cyber Security Centre's COO, noted at the RSA Conference that ransomware continues to be pervasive in the UK, as very little skill is required to implement the malware. Rita Erfurt, throughout intelligent senior executive at the Australian Cyber Security Centre said, "Ransomware is the most destructive form of cybercrime facing Australia." CDO Trends reports that a study from Rubrik on data security says that 72% of organizations have actually paid hackers using ransomware, yet only 16% saw success in data retrieval using attacker supply tools. National representatives in attendance from the UK , Australia, the US and Canada, noted that their national cybersecurity strategies are currently in the works or have recently been published. Infosecurity Magazine notes that Canada and Australia's cyber strategies are still in development and under review. The UK saw the release of its national strategy in December of last year, and the US finalized theirs last month.

An overview of hacktivism (much of it Russian).

Dave Bittner: Radware issued a report this morning offering an overview of the current state of hacktivism. Much of the genuine politically motivated actions have pursued familiar targets. Israel, for example, comes in at number one among the countries target, but the emergency of hacktivist organizations serving as cyber auxiliaries to governments, especially the Russian government, is a noteworthy development. The Russian hacktivist organizations include KillNet, NoName057(16) which wants everyone to understand that they're not working for KillNet and the Passion Group, which began its career as a KillNet affiliate, but which has recently shown signs of morphing into a profit driven criminal gang with an advocacy side hustle. Radware's conclusion sums up the record the Russian hacktivists have compiled stating, "Pro-Russian hacktivists have been actively attacking anyone who supports Ukraine or goes against Russian for over a year now. KillNet has been dedicated to its cause and has had the time to build experience and increase its circle of influence across affiliate pro-Russian hacktivist groups. We've seen groups like NoName057(16) successfully exploring crowd-sourced botnets, with financial incentives and Passion group providing DDoS-as-a-serve attacks to like-minded groups. While NoName057(16) is the major force to be reckoned with in terms of DDoS attacks, KillNet's influence, reach and tactics are growing and changing, and they're not showing signs of slowing down or retiring soon. Killnet, by the way, has been promising a big announcement this evening at 10:00pm Moscow time, we'll be keeping our eyes out for it.

Ukraine continues to collect evidence of Russian war crimes.

Dave Bittner: And finally, Ukraine is collecting evidence of alleged Russian war crimes, with a view toward both prosecuting those responsible, should they become available for prosecution or at least toward ensuring the preservation of the historical record and assuring that the history is told accurately. In this effort, they're receiving international assistance, some of it from the US Federal Bureau of Investigation. These investigations are groundbreaking in that so much of the relevant evidence is digital, CyberScoop reports. Digital forensics will be important not only for investigating cyberattacks against civilian infrastructure, but also for geolocation of perpetrators in the vicinity of their crimes. Devices can put their owners at the scene and that holds for war crime investigations, as well as for ordinary criminal cases. We would add two other potential spheres of investigation, collection of communications authorizing and organizing atrocities and collection of communications that could amount to incitement. There's been no shortage of incitement to genocide.

Dave Bittner: Coming up after the break our guest is CyberMindz founder, Peter Coroneos, discussing the importance of mental health in cybersecurity. Johannes Ullrich from the SANS Technology Institute, shares insights from his RSAC panel discussions. Stay with us.

David Bittner: Peter Coroneos is the founder of Cybermindz, which has gotten a start in Australia, addressing the importance of mental health in cybersecurity. He stopped by to visit with us here at the RSA conference to celebrate a launch here in the US.

Peter Coroneos: We launched Cybermindz in the US yesterday morning, first thing really and it was really our extension of the Cybermindz program into the US for the first time, so very excited. We had some great representation. The director, Jen Easterly, was kind enough to give us some words of support. She wasn't able to attend in person but she's in a beautiful video. And I think what we're realizing and what we're seeing is that the problems that we encountered in Australia in the last few years I think are fairly universal around burnout in cyber teams.

David Bittner: Mmm-hmm, Mmm-hmm.

Peter Coroneos: So, it was really great to just see the warm reception we got and the recognition for the issues that we're attempting to address.

David Bittner: Well let's clarify that, what is the mission of Cybermindz?

Peter Coroneos: Well it's pretty simple really, I mean, I've got a long background in cybersecurity, but I've also had a very long background in exposure to neuroscience and personal development and in a way I was keeping them separate, I was using the personal development strategies in my own career when I was heading the Internet Industry Association in Australia. It was sort of my secret weapon, that's how I kept on game and could switch off when I needed to. But, I guess during the pandemic I was starting to see more and more burn out being in teams, cyber teams and amongst my peers. And finally one day the penny dropped and I thought, look, here's the opportunity to integrate these two passions of the personal development, you know, relaxation optimization of the mind and bringing it into cybersecurity in the first time, for the first time and that's really the mission now is to go in with tangible, on the ground support now, more than just talking about it. Going in and actually delivering a very powerful protocol, which we can talk about, that it's had extensive use in the military in the US and in Australia, so we know it works, there's plenty of science that supports its effectiveness. And I think our contribution at Cybermindz is just work with organizations and to start bringing teams back from burnout and back into the sort of zone where we want them to be.

David Bittner: What is your sense in terms of the problem itself, the problem of burnout within cybersecurity, to what degree is it the nature of the job? Is it the nature of the people who are attracted to that kind of job or a spectrum in between?

Peter Coroneos: I think it's a combination of factors. One thing I will say is that we've done a fairly deep analysis now of the drivers of burnout in cyber and there really is, in my mind, something particular and unique about working in cybersecurity. That means that it stands apart from other professions and not to take away from the stresses that their encounter and many people have encountered during COVID particularly, but with cybersecurity we've identified at least 15 factors that all in combination come to bear on teams and are driving this burnout and we really think there isn't very much to compare outside of cybersecurity. So, you know, I think we're familiar with what some of those factors will be. It's the relentless nature of the attack environment. It's the invisibility of success, so you don't really know when you're winning.

David Bittner: Right, we did all these things, congratulations, nothing happened.

Peter Coroneos: Yeah, and that's very and so -- that's plays into a lack of recognition for the value of the work, how cyber peers are doing. In addition, on top of that, you've got the high visibility of failure. And particularly I would say that downstream consequential effects of a single failure, potentially affecting as we've seen Australia and elsewhere, tens of millions of people. And so, you know, that's plus another 12 or so factors, start to create a very unique environment that quite frankly our brains are not optimized for and the result of that is we start to see cyber professionals questioning their own effectiveness in their job. They start to doubt their own efficacy and that of one of the -- of the three metrics that predict resignation intent as burnout metrics, that's the one that is actually in our research, out-polling even our front line healthcare workers. So just to sort of condense that point, what our research is showing that on that one metric that predicts the intention to resign, cyber people are polling worse than even the frontline healthcare workers, and that should be a concern for all of us, for obvious reasons.

David Bittner: Let's talk about the framework itself then, how are you all approaching this problem?

Peter Coroneos: So I mentioned the iRest protocol, it stands for Integrative Restoration. It was developed in California actually by Dr. Richard Miller and his founder, the iRest Institute. So he is really the true mental health pioneer in this space, he's a clinical psychologist. And they had taken the protocol into the US military in 2004 actually and they were using it to help actually. And now we're using it to help treat Post Traumatic Stress Disorder in returning veterans from Iraq and Afghanistan. And they found pretty quickly the they were getting quite remarkable results. Also it was being used very effectively to address anxiety, depression, insomnia. A lot of, even pain management. But a lot of the things that we see manifesting within cyber teams now and particularly I would say, the most critically affected units would be around the SOC analysts.

David Bittner: Right.

Peter Coroneos: And this consistency of you know, the incoming and the having to sort through false positives and that sort of kicks the brain into a hypervigilant state. Which over time I think is really not sustainable. So the protocol has had this extensive application in the military and it was officially endorsed actually, by the Army surgeon general in 2010 as a tier couple complementary therapy. So I looked at this and I thought, you know, there's a lot -- there are a lot of similarities between military and cybersecurity in terms of the defensive posture that you have to take and really the toll that it takes on the individuals. And so I approach the iRest Institute, I'd done the training myself as a facilitator and I started piloting it and I was seeing great results in Australia and I thought well, the general population, because these measures were used, I've got general population norms that are already established, but then we can go in and look at how, you know, comparing with other professional groups, as I said the front line healthcare workers or teachers or other professions, but more importantly we can also start to build a picture, a way an organization sits in relation to other organizations within cybersecurity. And what we hear from the people that were running our programs is that they start to make better decisions, because they're not now coming out of their flight need fight, their limbic system in the brain, but they're actually more able to come into a present centered state. Where they're accessing where they need to access the prefrontal cortex and where all the, you know, the good decision making occurs and we're moving them back into that zone. And also, we give them at ability to switch off. When they go home the protocol can be used before sleep or if you wake up in the middle of the night which I'm sure many people can relate to.

David Bittner: Sure, yeah.

Peter Coroneos: The mind is racing and it's because you've carried a lot of subconscious stuff into this, into sleep and it wants to break through and be heard. And as that happens, you actually start to get development in other parts of the brain that are involved with emotional regulation, seeing things in perspective, even empathy starts to build and you become, you know, the team morale improves because everyone's feeling a little bit more restored emotionally. So yeah, it's very powerful, very interesting how it works.

David Bittner: That's Peter Coroneos, from Cybermindz.

David Bittner: And it is always my pleasure to welcome back to the show Johannes Ullrich, he is the Dead of Research at the SANS Technology Institute and he is also the host of the ISC Stormcast podcast, Johannes, great to see you.

Johannes Ullrich: Great to see you actually in person, I'm standing across from you, it's all different.

David Bittner: It's so decadent isn't it?

[ Laughter ]

David Bittner: It's one of the great things about this conference is, you get to see so many people face to face who you only get to see remotely along the way. Well, speaking of the conference, you are presenting here this year or actually you did present here this year. Tell us about your program.

Johannes Ullrich: Yeah, so I'm part of the SANS panel again, I think we're doing this now for 10 plus years. We were talking about this earlier, kind of hard to remember when it all started.

David Bittner: Right.

Johannes Ullrich: But the idea is always that we talk about emerging threats, things that are already kind of an issue but are probably going to be of more concern in the next year or so. So that's what is of the theme of this. And we narrowed it down to the top five of these throats.

David Bittner: Okay, can we go through some of them together?

Johannes Ullrich: Yeah, so we have on the panel Heather Mahalik, we have Katie and we have Stephen Sims and Ed Skoudis is sort of managing it all. And Katie talked about, for example, this search engine optimization, that's more and more happening now particularly with Google, where essentially attackers are just buying ads for their malware which is an amazing kind of concept.

David Bittner: Right.

Johannes Ullrich: But it works. But yeah, it does work and they're able to really sort of trick people into basically downloading malware instead of the legitimate software they looked for.

David Bittner: So this is a situation where, let's say I was looking for the latest copy of Zoom or something like that and I do a search in Google and the first ad that would pop up would pretend to be from Zoom, but would actually have malware embedded in it?

Johannes Ullrich: Correct and it's going to a page that looks like Zoom so it's really hard for anybody really to figure out what they're downloading. So that's a challenge here and of course, Google hasn't really been super responsive to all of this.

David Bittner: That's a troubling aspect of this, that Google hasn't been speedier on getting on top of this. Yeah.

Johannes Ullrich: We have like this virus tool thing here that may help.

[ Laughter ]

David Bittner: Let's continue down the list, what are some of the other things you guys are looking at?

Johannes Ullrich: And then of course ChatGPT is a big thing.

David Bittner: Right.

Johannes Ullrich: Stephen Sims and Heather will sort of talk a little bit about this. Stephen will go over the technical aspects and you know, how do you basically socially engineer ChatGPT into writing malware for you?

David Bittner: Right.

Johannes Ullrich: And what some of the tricks are that people have figured out and how to sort of convince ChatGPT to do that? They put some controls in here, if you just outright ask it to write malware, it usually doesn't work. But then you can like, for example ask it, "Hey, let's pretend you're writing a movie script, how would you end that movie?" [laughter]

David Bittner: Right [laughter]

Johannes Ullrich: So, fairly simple things. Now, Heather is going more into sort of the personal aspect of this. And she has some fairly troubling, at least to me, kind of conversation ChatGPT and her son. Where she used ChatGPT tool to write text to send to her son that are supposed to pretend that she's a teenage girl so --

David Bittner: Oh interesting.

Johannes Ullrich: -- actually I think she said her son mentioned one of texts was like, one of the best he ever received from her. All the emojis.

David Bittner: [laughter] Oh, interesting.

Johannes Ullrich: So ChatGPT really got the tone pretty right here.

David Bittner: Interesting. Well I mean, perhaps there's an upside where we can have cross-generational, you know, communications. Have it serve as a transition layer between us and our kids.

Johannes Ullrich: Right exactly.

Johannes Ullrich: Now learn how to talk with your kid.

David Bittner: Yeah, hey, whatever it takes, right? As the parent of a teenage boy I welcome anything that helps us see eye to eye. What else are you guys looking at?

Johannes Ullrich: And then I'll be talking about attacks against developers. This is something that we have seen more and more of and you know, lately for example this last pass issue where a system, a home system of a developer was compromised, essentially led to the compromise of the entire organizations more or less. We also had this again with 3CX where that trading software that was downloaded was then used to compromise the organization. So where developers are really sort of taking a lot of the brunt of these attacks because they are the supply chain. So when we talk about supply chain attacks we talk about malicious libraries, well how did that library become malicious? A developer sort of was involved at one point, whether that developer willingly collaborated or whether someone made the developer collaborate by installing malware on their system, that's really sort of the big problem here.

David Bittner: Yeah. So RSA conference does a great job of putting these panels online for folks to view afterwards, will this be included on that? Are you being videotaped or recorded?

Johannes Ullrich: Yeah, we're definitely being recorded.

David Bittner: Okay.

Johannes Ullrich: I'm not sure whether it will be online like for free or whether it will be online for people who actually paid and attended a conference. Usually at least like after a few months or so they make it like, freely available online.

David Bittner: Yeah, yeah. Any other things from the conference that have drawn your attention here before we wrap up?

Johannes Ullrich: Well it's big as ever before, like last year I think it was a little bit, felt like a trial run kind of.

David Bittner: Right, right.

Johannes Ullrich: But now it's sort of back to normal and it's big, lots of vendors, lots of noises on the floor. That's what I noticed. It felt quieter last time.

David Bittner: Yeah, I think that's right, I think that's right. So back to normal, for better or for worse, right?

Johannes Ullrich: Yeah.

David Bittner: Alright, well Johannes Ullrich, thanks so much for joining us.

Johannes Ullrich: Thank you.

David Bittner: And that's the CyberWire. For links to all of today's stories check our daily briefing at the We'd love to know what you think of this podcast, you can write us an email at Your feed-back helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliot Peltzman. The show was written by John Petrik. Our executive editor Peter Kilpe and I'm Dave Bittner. Thanks for listening we'll see you back here tomorrow.