The CyberWire Daily Podcast 5.9.23
Ep 1819 | 5.9.23

State-sponsored and state-promoted cyber campaigns. A look at Royal ransomware. A new wave of BEC. Man-in-the-middle attacks rising.

Transcript

Dave Bittner: An analysis of Royal ransomware. PaperCut vulnerability detection methods can be bypassed. Man-in-the-middle phishing attacks are on the rise. A new wave of BEC attacks from an unexpected source. Thomas Etheridge from CrowdStrike has the latest threat landscape trends. Our guest is Dan Amiga of Island with insights on the enterprise browser category. And a look into recent Russian cyberattacks against Ukraine.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Tuesday, May 9th, 2023.

Royal ransomware described.

Dave Bittner: Palo Alto Networks' Unit 42 has analyzed the Royal ransomware group and published their findings this morning. The gang responsible has been in operation since at least September of last year, and it's got a lot of Conti Group alumni.

Dave Bittner: They've been actively targeting infrastructure and paying a lot of attention, unfortunately, to healthcare organizations. They've also been seen targeting the city of Dallas, Texas, the most prominent victim in a recent wave of attacks against local governments in the United States and Europe.

Dave Bittner: Since Royal was discovered last year, the gang has claimed responsibility for leaking data of 157 organizations on their dump site. They've also been observed hitting 14 organizations within the education sector, some as recently as this month. The Unit 42 researchers say that Royal malware enters through a BATLOADER infection, which threat actors usually spread through search engine optimization poisoning, and it proceeds by dropping a Cobalt Strike beacon as a precursor to the ransomware execution.

PaperCut vulnerability detection methods can be bypassed and Iranian threat actors have joined the fray.

Dave Bittner: Researchers at VulnCheck have described a new attack method bad actors can use to exploit the PaperCut vulnerability discovered back in March. The exploit bypasses detection methods like Sysmon-based indicators, log file analysis, and network signatures.

Dave Bittner: Exploitation of the original vulnerability imitates a normal administrator's login, which is ignored by file log analysis detections. BleepingComputer explains, "As for network signature detection methods, these can be trivially bypassed if the attacker modifies the malicious HTTP request by adding an extra slash or an arbitrary parameter into it." Microsoft has also described developments in PaperCut exploitation and state espionage services are involved. Redmond tweeted that the PaperCut flaws are currently being exploited by Iranian state-backed threat actors, including Mint Sandstorm and Mango Sandstorm. Experts recommend that users update their PaperCut NG/MF versions, as it seems detections are not a feasible option for this exploit. Mitigations are available from PaperCut.

Man-in-the-middle phishing attacks are on the rise.

Dave Bittner: In a report released this morning, researchers at Cofense Intelligence explained that man-in-the-middle attacks - MtM for short, and more recently called person-in-the-middle by many - have increased by 35% between the first quarter of 2022 and the first quarter of 2023. The threat actors are combining MtM attacks with credential phishing. The goal is to steal usernames, passwords, and session cookies to bypass multi-factor authentication. Ninety-five percent of the observed attacks target Microsoft Office 365 authentication. They also tend to use URL redirection, with a notable 89% of campaigns using at least one URL redirect, and 55% using two or more. These MtM phishing attacks evade standard secure connection processes used in most websites by setting up two secure connections: one between the attacker and the victim, and one between the attacker and the desired website. The attackers then use a proxy login page to harvest credentials from the victim.

A new wave of BEC attacks.

Dave Bittner: Do you associate business email compromise attacks with Nigerian gangs? Well, okay. But there are plenty of other places these crooks work from. Like, for example, Israel, of all places. Abnormal Security reports a rise in Israel-based business email compromise attacks. While many BEC attacks are traceable to West Africa, where their bumpkin cousin, the well-known Nigerian Prince scam, flourishes, this threat actor, believed to have been active since at least 2021, has no direct Nigerian ties.

Dave Bittner: The gang targets employees within an organization by telling them that their organization is working through an acquisition and needs their help with the required payment. The threat actor assumes two false personae, one typically of the chief executive, the other of an attorney working on mergers and acquisitions. At least 250 campaigns have been traced to this Israeli gang since February of 2021. They've been observed to target large enterprises with high revenues. Victims have been found in more than 61 countries. Recent Russian cyber ops against Ukraine seem to be either hacktivist or, frankly, criminal.

Recent Russian cyberattacks against Ukraine.

Dave Bittner: Ukrainska Pravda reports that Russian operators, apparently hacktivist auxiliaries, conducted an unsuccessful cyberattack against E-Queue, Ukraine's system for managing border crossings by commercial trucks. The system is said to be functioning normally. In other cyberattack news from the hybrid war, CERT-UA warns that the "financially motivated" Russian criminal group UAC-0006 is pushing SmokeLoader malware in a phishing campaign. CERT-UA describes UAC-0006's track record and its customary aims, saying that they aim to compromise accountants' PCs, steal authentication data, and create unauthorized payments. The phishing emails are staged from compromised accounts, and they often misrepresent themselves as billing documents. The payload is carried in an attached zip file. So shields up and be careful where you click.

Dave Bittner: Coming up after the break, Thomas Etheridge from CrowdStrike has the latest threat landscape trends. Our guest is Dan Amiga of Island with insights on the enterprise browser category. Stay with us.

Dave Bittner: So much of what we do online these days happens through our web browser, and it's not surprising that browsers themselves make an attractive target for adversaries. In the past few years, we've seen the emergence of a category of enterprise browsers, which promise to be customizable and more secure. Dan Amiga is co-founder and CTO of Island, a provider of enterprise browsers, and I caught up with him at the RSA conference for some details.

Dan Amiga: What I think the modality of the browser everybody knows about, and I have this saying, which is my mother and somebody that works at JP Morgan, they use the same browser. It doesn't make any sense. It's two different sets of requirements. And what we've done is we've built a browser that plays really well with the enterprise. So it interconnects to your networking layer. It connects to your SaaS applications, your identity provider, your device posture controls. So think about it as a platform where we packed the security world, the IT world, but those are the productivity world into - that operating system that is called a browser. And when you do that, a lot of the things IT and security has been doing for years become somewhat obsolete. Like, why would you need to have a man-in-the-middle proxy to filter out traffic if you can have it done in the browser, there. Right? Why would you need to install another VPN tool if you already have that VPN connectivity in the browser? Why would you have to buy a [inaudible] manager if you have it built into the browser? So we saw that by building it, it brings out a lot of simplicity, but also new use cases, like BYOD, which is a big problem with organizations today, like folks, they don't like having lots of tools installed on their own computer. Right? So we see a lot of interesting use cases there when you build up also that it's targeted for the enterprise, and I think the last piece - and we call this the length of the [inaudible]. It's that folks don't like to work on remote environments, on video environments, etcetera. So we had this enterprise browser idea, I'd say, a long, long, long time, and what I saw is I saw a lot of folks that used to work for me in my previous companies, they were in their 20s, and I was like, in 10 years, those are the guys that are going to run the banks, they're going to run healthcare, they're going to run a lot of companies. They're going to be the major workforce. These guys don't like a lot of things that are stopping them in the way of doing their work. They don't like VDIs and VPNs, and all of that stuff. So when you build all of that stack into something that's as easy to install as Zoom, it looks like Chrome, it just brings a lot of simplicity, but also good user experience. Like, the work becomes faster, etcetera.

Dave Bittner: So help me understand, here. When we're talking about, for example, someone working from home, is the enterprise browser an opportunity to separate the work life from the personal life? In other words, use your personal browser for your personal stuff and your enterprise browser for your work life?

Dan Amiga: Absolutely. So you go on Facebook or Instagram, or what have you, your personal life goes on whatever browser you like. Right? But once you need to access Salesforce or [inaudible] resources, any business-related applications, you're being enforced to use Island. Now, think about the alternative. The alternative is you're being blocked from doing work on your BYOD, or the alternative is you have to install a VPN, VDI into an environment. It's not an experience they like, and it costs thousands of dollars for the organization, like the VDI session. It's about $1,000 to $2,000 a session. So really, those two modalities, you can have your own, whatever browser you want for your personal life, and then the enterprise browser for your work life.

Dave Bittner: And coming kind of from the other side, can the security team and the organization say you may only access this corporate stuff through your enterprise browser?

Dan Amiga: Correct. So we would - usually, it's being done in several ways, but you can integrate, let's say, with the organization's identity provider. Right? Or with tools the organization has today and enforce that. So think about, again, I like to use the Zoom metaphor. Let's say you don't have Zoom on your computer. I send you a Zoom invite, you click on that invite, and if you don't have Zoom, you'll be prompted to download it, and then the Zoom session launches.

Dave Bittner: Right.

Dan Amiga: Enterprise browser is the same. Right? So you're trying to log in to a business application from a consumer browser, from Chrome, or Edge, Firefox, Safari, etcetera, and you're being prompted to download Island, or it automatically launches if it was pre-installed. And then you get all of the security and IT tools built in.

Dave Bittner: I would imagine, too, that there's a privacy component here for the - you know, for the users to have that separation between my personal browser and my work browser. If I'm the enterprise, I'm not interested in what the person's doing in their free time, and I don't want to log that. I don't want to know. So there's kind of a win there for both sides to keep those two things separate, but still to cohabitate on a single device.

Dan Amiga: Privacy is a huge thing in this space, so we have hundreds of customers to date in Island, and they range from a hospital or the healthcare industry, to the hospitality industry, financial, even tech companies here in the Valley, some pretty big names, and each one has different privacy requirements. They're geographically distributed, some would want to audit more than the others, etcetera. And by having these two modalities of your personal browser and your enterprise browser, you can really deliver that, and the organization - a lot of organizations should not see into your personal stuff. Today, they're forced to. They have to decrypt SSL, the DLP tools are injecting themselves into every app, etcetera. We make it possible, so the organization doesn't see the data. We even - for the end user, we even added some controls to reflect the privacy level. So let's say you go to a website and it's not being monitored. It's a personal website, but you happen to use the enterprise browser for it. You get a privacy indication that says that data is not being sent anywhere.

Dave Bittner: Oh, interesting.

Dan Amiga: Yeah. So and also, the enterprise can set controls on anonymization, anonymization of IPs, anonymization of data. So you can definitely create some interesting privacy improvements.

Dave Bittner: That's Dan Amiga from Island.

Dave Bittner: And it is my pleasure to welcome back to the show Tom Etheridge. He is the Chief Global Services Officer at CrowdStrike. Great to have you here and to be face-to-face here at the RSA conference.

Tom Etheridge: Nice to be here, Dave. Thanks for having me.

Dave Bittner: Yeah. So before we dig too deep into things, I just - I'm interested in your general feeling for this year's show, here.

Tom Etheridge: First of all, I think the population is much bigger than I was anticipating. Really great turnout, a lot of great activities in the demo and booth areas, and really good client interactions. A lot of discussion about some of the topics I'm sure we're going to touch on in this session.

Dave Bittner: Yeah. Are you sensing anything from some of the economic headwinds that we've been seeing, here? I'm thinking both on the industry side, but then clients, it's on the top of their minds, as well.

Tom Etheridge: Certainly, we see a lot of activity around consolidation of agents running on endpoints. It's certainly a topic we talked to customers and prospects about. How do I achieve some economies of scale in savings by reducing the number of agents that are running on my endpoint yet provide the same kind of capabilities in detection and prevention, and monitoring, you know, enhancements that I'm looking for from a product or a platform. We've seen a lot of folks shift from point solutions to suites, to now platform play. So a lot of folks looking to consolidate and save money by moving towards platforms that deliver more extensible capabilities.

Dave Bittner: Can we touch on some of the threats that you and your colleagues at CrowdStrike are tracking these days? What are the big ones that you have your eye on?

Tom Etheridge: So Dave, in our global threat report, we talk about the increase that we've seen year over year with e-crime, about a 20% increase. Breakout time, which is a measurement that we use to assess from the time a threat actor gains initial access in an environment to the time they move laterally. We're seeing that still under two hours, so about 84 minutes. The speed at which threat actors are moving is quite aggressive, and on the e-crime side, we've seen a shift towards not so much removing or not deploying ransomware, we're seeing threat actors gain access to an environment, seek to exfil data that's sensitive or important to the victim, and then instead of deploying ransomware, come back with an extortion payment, you know, for leaking that data on an open forum. So moving from pure ransomware deployment to data extortion as a means to, you know, monetize their operations.

Dave Bittner: Can we talk about the global big picture? Obviously, we have the invasion of Ukraine by Russia and the cyber aspects of that. As one of the global operators, you know, you all have a hand in the defense of the western world. What's your take on where we stand with that? I think most people feel as though Russia has really underperformed, here. What are you all tracking?

Tom Etheridge: Well, what we saw was during the initial campaigns, we saw the combination of both cyber-related activities and threat actors from, you know, the Russian organizations targeting Ukraine primarily with, you know, destructive attacks and misinformation types of attacks to kind of change, you know, change what the strategy and perceptions were about the initial campaign. Things have obviously slowed a little bit in terms of most of the kinetic warfare continues, but we think that in the springtime when the, you know, the rainy season, muddy season ends, we do expect that there might be some resurgence of both cyber-related attack activity as well as the continued kinetic activity.

Dave Bittner: How do you think this informs the rest of the players around the world, in terms of potential future conflicts and the role that cyber plays?

Tom Etheridge: I think this is not a secret. I think most organizations and countries are very concerned about the impact that cyber plays in providing a low-cost means to do destructive harm to organizations that they might be targeting from a military perspective. It's certainly proven to be effective, here, with Russia and what they've been doing with Ukraine.

Dave Bittner: Yeah. You know, looking forward towards the rest of this year and beyond, where do you suppose we're headed, and what are the trends that you all are tracking? Is there any sense that we're gaining ground, here?

Tom Etheridge: There are a few things that I think are important to bring up, and there are certainly themes, here, from the RSA event. We've heard a lot of talk about artificial intelligence, and technologies like ChatGPT. Very important, really great engineering effort to pull together technologies like that to help improve automation, improve the scale at which hunting and response-related activities can be performed. Make no mistake, it's not a [inaudible] for good, old-fashioned human, you know, hunting and human response-related activities. We're monitoring the good use cases that we see with tools like ChatGPT, but equally, we're concerned about the use cases for doing evil with those types of toolings.

Dave Bittner: Yeah. All right, well, Thomas Etheridge, thanks so much for joining us.

Tom Etheridge: Thank you, David.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliot Peltsman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here, tomorrow.