The CyberWire Daily Podcast 5.12.23
Ep 1822 | 5.12.23

Babuk resurfaces for criminal inspiration. Alert on PaperCut vulnerability exploitation. Too many bad bots. Phishing-as-a-service in the C2C market. KillNet's PMHC regrets.

Transcript

Dave Bittner: Babuk source code provides criminal inspiration. CISA and the FBI release a joint report on PaperCut. There are more bad bots out there than anyone would like. Phishing-as-a-service tools in the C2C market. CISA's Eric Goldstein advocates the adoption of strong controls, defensible networks, and coordination of strategic cyber risks. Our CyberWire producer Liz Irvin speaks with Crystle-Day Villanueva, learning and development specialist for Lumu Technologies. And KillNet's short-lived venture, with a dash of regret.

Dave Bittner: I'm Dave Bittner with your CyberWire "Intel Briefing" for Friday, May 12th, 2023.

Babuk source code as criminal inspiration.

Dave Bittner: The leaked Babuk ransomware source code has become a treasure trove for ransomware operators, Bleeping Computer reports. The Babuk code was leaked on a Russian forum in September of 2021, and SentinelLabs researchers discovered 10 ransomware families throughout the second half of 2022 and the first half of 2023 using VMware ESXi lockers based on the Babuk code. The researchers wrote in their release that there is a noticeable trend that actors increasingly use the Babuk Builder to develop ESXi and Linux ransomware. The malware compromises VMware ESXi servers on Linux machines. The researchers noted that the talent pool for Linux malware developers is surely much smaller in ransomware development circles, which have historically held demonstrable expertise in crafting elegant Windows malware. Use of Babuk code is expected to increase and may do so in tandem with the anticipated growth of the Go-based locker version that targets network-attached storage devices.

CISA and FBI release a joint report on PaperCut NG/MF vulnerability exploitation.

Dave Bittner: CISA and the FBI have released a joint report detailing the PaperCut vulnerability CVE-2023-27350. The FBI has observed the Bloody ransomware gang attempting to exploit the vulnerability on PaperCut servers belonging to education sector targets. If an organization finds it's been compromised, CISA and the FBI urge it to create a backup of its PaperCut servers, wipe the application server, and restore the database from a safe backup point before April 2023. Organizations can also mitigate the risk by updating their applications to the latest version, in which the vulnerability has been fixed.

More bad bots out there than anyone would like.

Dave Bittner: Imperva's 10th edition of the Bad Bot report, regarding autonomous bot traffic on the internet, found that in 2022 almost 50% of all internet traffic was from automated bots, marking a 5% increase in automated traffic. The report also showed that good bots are increasing in prevalence, with 17% of all traffic, and bad bots, or those used by bad actors to troll for vulnerabilities, increased to 30%.

Phishing-as-a-service tools in the C2C market.

Dave Bittner: A new phishing-as-a-service offering called Greatness places advanced capabilities in the hands of even relatively raw rookie hackers, Talos Intelligence reports. The Greatness tool allows for more advanced capabilities within the phishing-as-a-service realm, including multifactor authentication bypass, IP filtering, and integration with Telegram bots. The tool is focused specifically on Microsoft 365 phishing pages and provides users with a builder to create convincing faux login pages. Users have to deploy and configure a phishing kit that they are given an API key for. According to the researchers, the phishing kit and API work as a proxy to the Microsoft 365 authentication system, forming a man-in-the-middle attack and stealing the victim's authentication credentials or cookies.

Dave Bittner: Companies have been most often targeted by Greatness, The Record reports. Manufacturing, healthcare, and technology are the three most commonly targeted sectors in these attacks, Talos researchers report, with the United States, United Kingdom, Australia, South Africa, and Canada making up almost the entirety of the targeted base. And finally, we've been watching KillNet's social media chatter for the hacktivist auxiliary's latest self-presentation.

KillNet's short-lived PMHC venture: new services amidst the reorganization regret.

Dave Bittner: KillNet's impresario Killmilk expressed doubt about the Russian hacking auxiliary's organizational change to a private military hacking company on Tuesday during a heart-to-heart with the group's followers. Killmilk explained that he had made a terrible mistake in making the group a PMHC and took full responsibility for what he now regrets as a misstep. He explained that while attempting to acquire more servers for their botnet, he had drawn the attention of the FBI, and as a result, the organization's botnet was seized. He then added that he would not be going to the government for support, and requested donations from his fanbase. He ended his heart-to-heart by saying, give us all we ask for and within 30 days there will only be Native Americans left in the USA. Presumably he meant that with the correct material supply, he and his no-longer merry band of renegades could and would send the U.S. back to the Stone Age. Since this airing of grievances, the organization has changed its Telegram handle back to the original We Are KillNet. On Thursday, May 11th, the group announced that thanks to the donations they had received, they would be able to purchase more resources and continue their patriotic labor of love. It remains unconfirmed whether KillNet's botnet infrastructure was swept up by the FBI's Operation Medusa, but if KillNet's botnet were indeed tightly coupled to the FSB's network that Operation Medusa expunged from its U.S. computers, then this would be a key indicator of KillNet's ties to the Russian agents.

Dave Bittner: KillNet's de-rebranding came after the group launched its own Telegram-based cryptocurrency exchange. They've boasted that they can deliver cash to anyone in the Russian Federation and that they're looking to expand to other countries. The group is charging a 6% processing fee for amounts under $5000, dropping as amounts grow larger, with the fee for transferring more than $100,000 coming in at a low, low 3%. Last but not least, KillNet announced its Telegram-based OSINT tool, which they claim to be the best in the world in the right hands. The Telegram bot reportedly allows for name searches, social media account research, IP address tracing, license plate lookups, and various other phone number and email address queries, many of which only apply to Russia. Why anyone would use KillNet's OSINT tool instead of an off-the-shelf tool with multi-country querying capabilities is not immediately clear. An interesting puzzle is that the tool seems to only query Russian-owned social media and public databases, which seems to go against KillNet's promise not to operate against or inside of Russia proper. Perhaps the OSINT is for domestic surveillance. In any case, there's been some barking in Russian state-controlled media that Russians insufficiently enthusiastic about the special military operation are not really worthy of the name Russian at all.

Dave Bittner: Coming up after the break, CISA's Eric Goldstein advocates the adoption of strong controls, defensible networks, and coordination of strategic cyber risks. Our CyberWire producer Liz Irvin speaks with Crystle-Day Villanueva, learning and development specialist for Lumu Technologies. Stay with us.

Dave Bittner: And I am pleased to be joined by Eric Goldstein. He is executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency. Eric, welcome back to the show.

Eric Goldstein: Thanks so much, Dave. Good to be here.

Dave Bittner: You know, you and I have spoken about CISA's mission of stopping the threat, and I want to touch today on hardening the terrain, of increa - making it harder for those bad folks to - to come at us. What can you share with us about that part of our mission?

Eric Goldstein: Thanks Dave. You know, one of the most challenging aspects of cybersecurity for any organization is quite simply the breadth of guidance, best practices, standards that they may have to adopt. And what we, what we have seen is perhaps a lack of understanding of which controls, which mitigations, which investments are most effective in actually protecting an organization against the threats that we in the community see in the wild. If an organization, as almost all do, has a limited security budget for the next quarter or the - the next fiscal year, how do they allocate those security dollars to the most effect? And so we are really focused at CISA, working with the broader community, both experts in cybersecurity companies as well as operators of critical infrastructure, to really identify those most important controls and mitigations, and then being laser-focused on both encouraging and measuring adoption so we can actually step back and say, the country is getting more secure year-on-year, and we think our adversaries are going to have a harder time getting after their goals and achieving objectives on American networks.

Dave Bittner: How do you all do that? I mean, how do you measure success?

Eric Goldstein: You know, we were really excited last year to release the first iteration of what we call our cybersecurity performance goals, and this is a really succinct list of now 39 security outcomes and actions all aligned around the NIST Cybersecurity Framework and prioritized by cost, complexity, and impact. And the goal of the performance goals is for any organization, but - but particularly small and medium ones, to be able to step back and say, you know, I really cannot build a fully mature, fully modern security program this quarter, this fiscal year, maybe even next. What can I do to most increase my odds of preventing, detecting, responding to, and recovering from a cybersecurity incident? And that's what the performance goals gives you, is that really prioritized list of specific actions and outcomes to take, again, aligned around those variables that enable prioritization. So the entities can say, you know, I'm going to do those lowest-cost, highest-impact actions first and then build from there. What we're doing now is figuring out, how can we in an aggregate - aggregate and automized way, measure progress? And so some of the performance goals, for example those focused around remediating known exploited vulnerabilities, or as we call them, KEVs, we can measure ourselves, right? We can see the prevalence of KEVs in internet-facing hosts across the country. Some of these will be working with, with partners in the tech community to say, well, at an aggregate level, how are we doing on multifactor authentication adoption nationally and across sectors, and some of them are really going to be our regional cybersecurity team members going out, knocking on doors, doing assessments using a self-service tool that we now have online, and really figuring out how we're doing. But we feel this is the most effective way to drive adoption of the most important risk reduction measures and then measure progress so we can actually see how we're doing and drive further investment where needed.

Dave Bittner: How much of - of this is influence, of - of, you know, stateside diplomacy of being able to communicate both with the private sector but then also among your - your fellow government agencies to - to try to - to drive this forward?

Eric Goldstein: Thanks Dave. Influence is a huge part of it, and as you note, there's really a few elements. First of all, there is just ensuring broad awareness among the security community, making sure that CISOs, IT teams, practitioners, understand first of all the importance of prioritizing those controls and mitigations that are actually tied back to the threats we are seeing and reduce the most real-world risk, and then also making sure that we're communicating with business leaders to help them have that conversation, and we are doing a tremendous amount of work talking to board directors. For example, we've recently supported the National Association of Corporate Directors on their Cyber Risk Handbook to really drive the understanding of cybersecurity as a business risk, and the utilization of prioritized controls and mitigations therein, and then of course there's influence across the government community, so that when our peer organizations who have different levers of authority, maybe incentives, maybe grants, maybe regulation, are looking to - to drive some behavior that we could all lock around the same kernel of best practice so we're all moving in the same direction, in an organized cohesive way.

Dave Bittner: For our listeners, you know, folks who want to do their part, any words of wisdom here, how they can contribute to CISA's mission?

Eric Goldstein: Absolutely. I - and this - and this topic, I'll offer a few things. The first is go to our website, cisa.gov, navigate over to Cybersecurity Performance Goals. You can put it in the search bar or just do a backslash CPGs, and take the self-assessment. See how you're doing in adopting the performance goals. Maybe consider reaching out to one of our regional team members for a conversation about where to go next. Give us feedback on the performance goals. So we have a GitHub repo that is perpetually open. I'll note we released the second revision of the performance goals only a few months after the first, and we're going to keep doing cycles of these cross-sector goals even as we get development of sector-specific goals this year, but give us feedback. If these goals are useful to your enterprise, let us know how. If there are ways they could be more useful, that's even better. And then third and finally, you know, really do focus on some of those most impactful risk reduction measures. One I'll call out is we know that many organizations have a backlog of vulnerabilities a mile and a half long. We also know that most of those vulnerabilities will never be exploited by an adversary or they exist in a condition on the enterprise network that makes them less exploitable. That's what we are really focused at CISA, both on driving mitigation of those known exploited vulnerabilities, those that we know adversaries are already targeting in the wild, as well as getting organizations to adopt what we call stakeholder-specific vulnerability categorization, which is one example, and there are several others out there, of how entities can say, you know, I'm not going to make it through this backlog of vulnerabilities in the products I'm using. How can I invest my resources towards the most useful effect by focusing on those that are exploitable in my environment, that adversaries are focusing on, and that would cause the most impact to my business functions if they were exploited? That's the kind of thing that we think can drive best use of security dollars in what we know is inevitably a limited environment.

Dave Bittner: Eric Goldstein is executive assistant director for cybersecurity at the Cybersecurity and Infrastructure Security Agency. Eric, thanks so much for joining us.

Eric Goldstein: Thanks as always, Dave.

Dave Bittner: Continuing to share some of the content we gathered at the RSA conference, our CyberWire producer Liz Irvin spoke with Crystle-Day Villanueva, learning and development specialist for Lumu Technologies. Liz files this report.

Crystle-Day Villanueva: My name is Crystle-Day Villanueva and I'm the learning and development specialist for Lumu Technologies.

Liz Irvin: Fantastic. Alright, so is this your first time at RSA?

Crystle-Day Villanueva: No, this is my second time.

Liz Irvin: Oh, fantastic.

Crystle-Day Villanueva: But it's been years, so I think my first time was just before the pandemic.

Liz Irvin: Alright, so how has this compared to your last time?

Crystle-Day Villanueva: It's - I think it's - it makes a big difference in the case of, like, where your company is from before. So the first year that I came, we were very much in our first year as a startup. So we - we had a much smaller booth, we really had to fight to get attention, like, you know, the presence. And you're competing with some very amazing companies, right? Very innovative. So in the first - the first year, it was intense. Smaller team doing full eight-hour shifts every day, and today we're a bit more established and we have a lot more integrations and partnerships, so there's - it's nice to have people come and visit us, and be like Lumu and know you. So seeing that growth between the first year and now is spectacular.

Liz Irvin: That's fantastic. So have you seen any differences from that before-COVID era until now, after COVID?

Crystle-Day Villanueva: Yes, I've seen a lot of in - in terms of, like, everyone being more respectful within the booths of other booths. So I think, like, especially for the main floor, before COVID there was a lot of people on microphones and very loud sessions, and it was very disruptive. Like it was very hard to concentrate, people were fighting for attention. Now it's a lot more like everyone's in the same mindset, everyone's respectful for - to each other's space, and everyone's messaging, because we're all for, like, a good time, as well as cybersecurity.

Liz Irvin: So since COVID, do you think RSA is back in full swing? Do you think, like, this is, like, going to be the new norm from now on, or do you think it's going to change anymore throughout the years?

Crystle-Day Villanueva: Well, I think it's definitely in full swing. Like, I think it's changed a lot in terms of, like, safety and protocol and how you check in, so I think that's been really good. The only reason I would only consider it, like, changing a bit is if regulations change for standards or if something else were to happen big. Fingers crossed it doesn't, but other than that, I mean, everyone's here. It's always fantastic to come because it's such an international presence as well. So hearing all the different languages, and people being like, hey, I want to reach out, we're in Europe. We're in Asia. We're in Canada. So I - I think we're good to go.

Liz Irvin: How have you liked this RSA so far? Anything that you've seen on the floor that really excites you?

Crystle-Day Villanueva: I know this is going to be cheesy, but like, food. [laughter]

Liz Irvin: Yeah, yeah.

Crystle-Day Villanueva: Food, I mean like, just the diversity of, in terms of, like, food and representation. Like, being a Filipino American, it's nice to see some of, like, the Asian food represented there, as well as, like, different wine labels from California. Like, I'm originally from the Bay, so it's nice to kind of just see that. But also just, I like that there's a lot more partnership this year. So I've noticed, so for example, our organization has different types of partners with, like, Forgepoint, and it'd be a thing where, like, oh, come to our party, spread the word of your brand, they can come up, and then they'll invite them, and they'll come the next day. So there's a lot more of, like, this collab.

Liz Irvin: Yeah, yeah. How does it feel to be here at RSA representing all of the women? I mean, you look around and there's a lot of men here, you know?

Crystle-Day Villanueva: Yes.

Liz Irvin: And - and - and there's a definitely a gender gap in this industry.

Crystle-Day Villanueva: Of course.

Liz Irvin: So - so like, what does it feel like to be here supporting women?

Crystle-Day Villanueva: So I think in the first year it was definitely a lot more intimidating, and that was also my first year at RSA. Like, that is actually a very good point. Compared to my first year, two years ago, and now, I have noticed a lot more of a presence for - for women, especially women of color, which I'm very stoked about. So I - it's - it's really empowering. Like, I remember when it was my first year, it was technically, like, my second and a half year in cyber, but my second company, so you know, you come in here, and it can be really overwhelming. And you can't help but have imposter syndrome, right? And I told them, you know, if you have that feeling, that's a good thing, because that means you actually care about making an impact and you care about this industry. So if you feel that way, that's a good thing. It's - I'd be worried if someone came in as a first-timer and was like, I got this.

Liz Irvin: Oh my gosh, yeah.

Crystle-Day Villanueva: You know, and had no doubt? I was like, okay, I don't know if you really know what it's about.

Liz Irvin: Absolutely.

Crystle-Day Villanueva: Because the learning curve is huge, right?

Liz Irvin: Of course, yeah.

Crystle-Day Villanueva: So what was nice was that there were a few people that came to my booth, and they were like, this is my first time at RSA. Or they'd be like, honestly, it's my first year in cyber, and like. And I'm like, girl, I've been there, as a woman, as a woman of color. It's totally fine. And I was more than happy to reassure them. I'm like, everything you feel, if you feel like this is a lot, it's totally normal, and it's okay, and you're going to do well. Like, I'm here three, four years later, and I'm doing well. You will too.

Liz Irvin: Yeah, yeah. I got to agree. That's - that's perfect. So have you, I'm sure you've heard of the abbreviation for chief information security officer.

Crystle-Day Villanueva: Uh huh.

Liz Irvin: How do you pronounce that abbreviation?

Crystle-Day Villanueva: I would say CISO.

Liz Irvin: CISO? Okay. Awesome.

Crystle-Day Villanueva: Yeah. [laughter].

Liz Irvin: Alright, that's the last question. Thank you so much for taking the time.

Crystle-Day Villanueva: Yeah, of course. Thank you for pulling me aside. This was a really nice conversation.

Liz Irvin: Yeah. It was.

Dave Bittner: That's CyberWire producer Liz Irvin speaking with Crystle-Day Villanueva from Lumu Technologies.

And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. Be sure to check out this weekend's "Research Saturday" and my conversation with Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs. We're discussing Operation Tainted Love, Chinese APTs target telcos in new attacks. That's "Research Saturday", check it out. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by John Petrik. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here next week.