The CyberWire Daily Podcast 5.17.23
Ep 1825 | 5.17.23

A joint warning on BianLian ransomware. Fleeceware offers AI as bait for the gullible. Cyberespionage updates. And Ukraine formally joins NATO's CCDCOE.

Dave Bittner: Cyber agencies warn of BianLian ransomware. There's a new gang using leaked Babuk-based ransomware. Chinese-government-linked threat actors target TP-Link routers with custom malware. ChatGPT-themed fleeceware is showing up in online stores. Ukraine is now a member of NATO's Cyber Center. Tim Starks from the Washington Post shares insights on Section 702 renewal. Our guest is Ismael Valenzuela from BlackBerry sharing findings from their Global Threat Intelligence Report, and the CIA's offer to Russian officials may have had some takers.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel Briefing for Wednesday, May 17, 2023.

Cyber agencies warn of BianLian ransomware.

Dave Bittner: We begin today's news with an alert about a currently active ransomware operation. The Australian Cyber Security Centre, the US FBI and CISA have issued a joint warning about BianLian ransomware. The criminal group behind it has been especially active against targets in Australia, but it represents a general threat. The advisory says the group gains access to victim systems through valid Remote Desktop Protocol credentials. It uses open-source tools and command-line scripting for discovery and credential harvesting, and exfiltrates victim data via File Transfer Protocol, Rclone, or Mega. BianLian had formerly used a double-extortion approach but has recently shifted toward a model that relies solely on threats to release the victim's data, as opposed to encrypting or destroying it. BianLian Group engages in additional techniques to pressure the victim into paying the ransom, for example printing the ransom note to printers on the compromised network. Employees of victim companies also reported receiving threatening phone calls from individuals associated with the group.

RA Group, a new ransomware gang using leaked Babuk-based ransomware.

Dave Bittner: Researchers at Cisco Talos published a report Tuesday detailing a new criminal group which is using custom ransomware based on leaked Babuk code in double-extortion attacks against US and South Korean business sectors. Talos explained that this is just the most recent group to use Babuk-based ransomware. A member of Babuk reportedly leaked the group's source code on the dark web in September of 2021. The adversaries go by the name RA Group and target insurance, pharmaceutical, wealth management, and manufacturing companies in the US and South Korea, encrypting their data and threatening to sell it to the highest bidder on the dark web unless the company pays a ransom. Unlike some other approaches to extortion, this method puts a time restriction on the victim, which increases the pressure to pay.

Chinese government-linked threat actors target TP-Link routers with custom malware.

Dave Bittner: A Chinese state-sponsored threat actor researchers are calling "Camaro Dragon" is using a custom backdoor named "Horse Shell" to infect TP-Link routers. In a report released May 16th, Check Point Research found that this advanced persistent threat is using tailored access tools to infect TP-Link routers, specifically targeting European foreign affairs entities. Check Point states, "The discovery is yet another example of a longstanding trend of Chinese threat actors to exploit Internet-facing network devices and modify their underlying software or firmware. The APT's 'Horse Shell' backdoor is a custom implant that allows the organization to maintain persistence on the infected machine." Check Point writes, "The implant provides the attacker with three main functionalities: remote shell, file transfer, and tunneling." The implant is not specific to TP-Link routers. It can be configured to affect other firmware as well. The attack vector used to gain infiltration and infection is so far undetermined. There are significant code overlaps between "Camaro Dragon's" tools and those used by "Mustang Panda," enough to suggest that the two APTs with pony/car-inspired names are related, but Check Point stopped short of identifying them. More research remains to be done, and in the meantime, they're tracking the groups separately.

ChatGPT-themed fleeceware.

Dave Bittner: Interest in AI is prompting scammers to turn to AI-themed fleeceware, which they're posting in both the Apple and Google stores. Fleeceware, which enrolls the victim in a free trial that subsequently converts quietly into an unwanted continuing subscription, tends to fly under the online store's security radar, as it occupies a gray area between direct fraud and an offer that's nothing more than a bad deal. They typically don't, for example, collect personal data; nor do they make an overt attempt to subvert the platform's security measures. Sophos researchers detail the ways in which the scam is playing out. They follow five distinct fleeceware operations, all of which promise ChatGPT-like AI functionality. One of them even trades on ChatGPT's name, calling itself ChatGBT, hoping thereby to gull careless readers eager to get in on the AI. One of the marks of fleeceware is that it charges for products or services that are legitimately offered for free. The current scams are no different. OpenAI offers basic ChatGPT functionality for free on its website.

Ukraine is now a member of NATO's Cyber Centre.

Dave Bittner: Ukraine is not a NATO member, but it's now a contributing participant, along with Ireland, Iceland, and Japan in NATO's Cooperative Cyber Defense Center of Excellence, the CCDCOE. Computing reports that progress toward that status began shortly after Russia's invasion last year. It's now a formal reality. The CCDCOE is headquartered in Tallinn, Estonia, and Ukraine's ambassador to Estonia, Mariana Betsa, said the session was "an important event that serves an important step on Ukraine's path to NATO." She added, "In the light of Russia's continuous military aggression and hybrid war, Ukraine joining CCDCOE further strengthens our state's cyber capability. I want to thank the CCDCOE sponsor states for inviting Ukraine to join. I also extend my special gratitude to the Republic of Estonia as the hosting state for their support and assistance on our path to NATO CCDCOE."

The CIA's offer to Russian officials may have had some takers.

Dave Bittner: And finally, the CIA recently published a video invitation offering disaffected Russians, especially officials, a secure way of contacting them, and it may be attracting some takers. The Wall Street Journal reports that an official has told them it is resulting in contact. The official declined to say how many Russians had made contact or what information they were offering, but the tone of the remarks is broadly optimistic. The message that went out through a range of social media channels was a digital expression of the goals the CIA's Deputy Director of Operations, David Marlowe, said back in November. He said, "We're looking around the world for Russians who are as disgusted with that as we are because we're open for business."

Dave Bittner: Coming up after the break, Tim Starks from the Washington Post shares insights on Section 702 renewal. Our guest is Ismael Valenzuela from BlackBerry sharing the findings from their Global Threat Intelligence Report. Stay with us.

Dave Bittner: Ismael Valenzuela is VP of Threat Research and Intelligence at Blackberry. I spoke with him about the findings from their most recent Global Threat Intelligence Report.

Ismael Valenzuela: Some of the things that we saw is an increasing trend in use of info stealers. This is everything around malware also related to the macroeconomic situation. A lot of people after the pandemic, or during the pandemic, working from home. Still, you know, we have a lot of remote work, hybrid work. So, attackers are taking, you know, advantage of these new remote access capabilities to use these info stealers to steal corporate credentials, sell them on the black market. And this has been leveraged both by cybercrime and also nation states, right, the so-called APTs. And in this report, we talk about the most prevalent one, which is called RedLine, that steals a lot of credentials out of systems, browsers, FTP details, VPN details, and much more. Something else that we also saw that we haven't seen for some time is that attackers are trying to maximize their investment by targeting different platforms, not just desktop, but if I can, from the mindset of the attacker or the business mindset, if with the same effort I can create a piece of malware that works on a desktop, on a server, on a mobile platform, on Windows, or macOS, or Linux, that's a much better investment, right, or use of my time. So that's what we're seeing, and we're seeing that there are more instances of malware written in languages like Rust or Golang that can be used across platforms.

Dave Bittner: Based on the information that you all have gathered here, what are your recommendations? How should organizations best go about protecting themselves?

Ismael Valenzuela: Well, we always go to the default answers with this, right? We say, "Oh, we just ensure that we keep everything patched," and we often call these best practices. I don't know what you think about it, but it sounds boring, right? Best practices, sounds boring. It's important, right? We need to do that, but that's not enough. I think that's like the bare minimum, because attackers know that a lot of people that are, you know, they do implement these best practices, but for example, patching. This is something we have to have. But if there is a supply-chain attack, patching is not going to -- the best defense against that -- it's not going to prevent that from happening. So I think that at the same time, there will be organizations out there saying, well, you know, will I be a victim of a supply-chain attack? So it all comes down to building a proper threat model, and that starts with -- that's a strategy really. Before going and implementing defenses, we need to think about who has something, who has an interest out there, right, in my organization? What do we have that could be interesting for anybody out there? And it could be cyber criminals, and we know that nobody is outside of the scope of those, or it could be a nation state, something a little bit more targeted, and we see this constantly, especially in this world where the geopolitics are so complex right now. We see a lot of those motivated attacks. But in general, you know, having a zero-trust mindset philosophy to approach any defensive strategy where physical attacks are part of that, and a proper threat model, according to your industry, to your profile, to your geolocation, where you conduct business, that's important.

Dave Bittner: Can you make the case here for organizations engaging with someone who provides threat intelligence? You know, at an organization like yourselves, and certainly there are other providers out there. For folks who aren't doing that, how do you describe the value proposition there?

Ismael Valenzuela: I'm glad you asked this, because when I talk about threat intelligence, it's one of these words that can mean a lot of things, right, to different people. So, how do we package this or how do we make it actionable? One of the ways in which we do this is with the reports that you see. We try to make an effort to make this understandable to a lot of different audiences, not just the technical people, which of course, they want to know the analysis, right? They need to get into the details of the malware, how it works, but also to somebody like a CISO. I talk to a lot of CISOs of organizations that have maybe one or two security people, and that's it. That's what I call the all-around defender, right? The guy that has to wear a lot of hats and secure the endpoint, the servers, the cloud, the network, everything and more. They do not have the ability to have a lot of people maybe doing threat hunting or things like that. You know, it sounds fascinating but the reality is that these guys are just trying to put out fires, trying to patch machines, trying to do incident response. They don't have time for this, but they all need to make decisions and prioritize where am I going to invest the little time I have, or the little money I have, and how do I do this in a way that it's going to be meaningful to my organization? And that's where the threat intelligence can help. Threat intelligence has like different tiers. It could be operational or tactical at the bottom of that, you know, pyramid, or it could be strategic. And this type of strategic information could be in the form of maybe a PowerPoint presentation. For example, if this organization that we're discussing here, fictitious organization, conducts business in Asia, there's so much interesting activity right now in Southeast Asia. 
We're seeing a lot of attacks against countries like Singapore, a lot of activity in Taiwan with actors that are very -- you know, nations in the area that are very interested in seeing what's happening in some of these countries, not only with government agencies, but also with mining companies, telecommunications, anybody that could be -- that could have interesting information, right, that a government might be interested in? What could happen if there is, you know, maybe an invasion of Taiwan in the near future? How can that change the whole business outlook for these organizations? What's the activity that's happening right now? How do we detect this? This could be a presentation that could be for a CISO that could translate this information or present it to the board on, look. Based on our profile, this is what we should invest in more. This is what we shouldn't be doing or stop doing.

Dave Bittner: That's Ismael Valenzuela from BlackBerry.

Dave Bittner: Joining me once again is Tim Starks. He is the author of the "Cybersecurity 202" at the Washington Post. Tim, it's always great to welcome you back.

Tim Starks: Hello, hello.

Dave Bittner: So very interesting report you put out in a recent "Cybersecurity 202" here. You're really looking at Section 702 surveillance and reaching out to your network for insights on that. Can we start off with some explanatory stuff here for folks who may not be familiar with it? How do you describe Section 702?

Tim Starks: Yeah, so it is a part of the 1978 Foreign Intelligence Surveillance Act. It's always interesting how many of these laws that govern our -- some of our modern digital rules are dated back that far, although the Section 702 didn't get created until well after 9/11. This is a part of the law that says that the US intelligence community can conduct bulk, widespread surveillance on foreign targets, ostensibly, originally for counterterrorism purposes, without an explicit warrant for each of those pieces of surveillance. The reason it's controversial from the start was that you can target those foreign targets, but they might be communicating with people in the United States, and then after, there are ways for people to, in any security community, security government community, to access or query those communications based on American identifiers. So you get into some real privacy concerns there but what you also hear from the Biden administration, especially with the Section 702 powers about to expire at the end of this year, that it is a very, very powerful tool. It is, perhaps, their most powerful tool in certain ways, and that it is increasingly mostly being used to counter cybercrime.

Dave Bittner: So, you reached out to your Network folks who subscribe to the "202" for insights here, and you got some interesting responses.

Tim Starks: Yeah, so we have a subset of our subscribers that we call, with a capital N, the Network, and they are people who are experts that we've decided to, when we do a poll, ask them a question and report on their results statistically, but then also for those who are willing to offer an explicit on-the-record comment, why they voted the way they did or why they took the answer they did. In this case, there were three choices. One was just reauthorize it as is, another was reauthorize it with changes, and another was don't reauthorize it. And in this case, the pretty significant majority, 64%, said reauthorize it but make some changes, and then another 20% said reauthorize it. So that's, you know, that's a pretty significant percentage. They're saying, "We need this power." And, you know, another complicator in getting this thing reauthorized is that Republicans have taken issue with FISA overall (not this particular section), due to some negative reports about how this was used to spy on the Trump campaign or a Trump campaign official. And, you know, actual audits were saying, yeah, the way they did this was very faulty. So, you know, the gripes about FISA usage in this case seem quite legitimate. So, you have a combination of folk on the left and the right who don't like this Section 702, but the people who are in the cyber field that are our readers and parts of our Network are saying we need to keep this, for the most part.

Dave Bittner: Can we go through the arguments here? I mean, for those who are saying that we want to reauthorize and perhaps do so with changes, versus those who are saying, no. We need to scrap this and start over.

Tim Starks: Yeah, which is interesting, because if you look at the percentage of people who are the majority saying we need to reauthorize this with changes, they don't have one answer, which is another indicator of how difficult this is going to be, right? We already mentioned the conflict on the left and right, but people don't have a unified idea about the specific way in which we need to make changes. So that's one of the sort of stealth aspects of the survey result, is that we see, yeah, how much more complicated this is going to be. So one example of a change that people have talked about is, we mentioned that issue of people being able to query Americans' data or access it indirectly through the sort of incidentally collected communications that were targeting foreigners. There is some suggestion that we need a warrant requirement for that -- for the American part of it. Then there are issues related to the EU and the data privacy situation we've got going with them. They have had objections to the way 702 has been used in a bulk way to collect information on people there. That's another issue to consider. There's also the fact that apparently, you know, for that -- we mentioned that American warrant requirement, there's some concern from some of our folk in the Network poll who said, actually, if you do that, that's going to make the EU even more mad, because they're already mad that we're treating them as a sort of second-class target. So, that targeting part is a complicator. On the side of people who are in favor of renewing it, they do cite the Biden administration arguments, which are, this is an extremely, extremely powerful tool. It has saved lives on the counterterrorism side. It's one of the reasons why we don't have sort of terror attacks all these days. On the negative side, there are people who are saying it's just too much privacy violation. It's unconstitutional fundamentally. The range of opinions was really fascinating.

Dave Bittner: Yeah. How do you suppose this is going to play out? I mean, as you mentioned, we've got till the end of the year to make something happen here.

Tim Starks: Oh, God. Why are you doing this to me, Dave? You know, I've covered Congress for so long and it's always hard to predict what they're going to do. And my default mode is always to say -- if there's something that they might do, they probably will not. In this case, I think there's a chance, you know, there have been times where they've sort of punted this kind of thing. Oh, that deadline is coming up. We weren't ready. We'll just renew it for six more months, and then they fight about it for a longer time. And then, oh, we're not ready yet. Let's do six months. And then, eventually, they'll come around to something, you know, permanently. I think that there's room for compromise here. The issue is how much of it the administration will accept. You know, I mentioned that American warrant requirement. The administration says that's not workable; it won't work. At some point, maybe they might come to a compromise in Congress, but will the administration buy it? And if they don't, obviously, there's veto authority. So it's a tough one. You know, there are times where I feel confident that I think I know how things are going to go. I don't feel good about this one. I have no clue, honestly.

Dave Bittner: Fair enough. Fair enough. What do you think? Where's it going to go? What do you think? Well, we're out of time, Tim. Tim Starks is the author of the "Cybersecurity 202" at the Washington Post. Tim, always a pleasure.

Tim Starks: It was a pleasure until the end, Dave.

Dave Bittner: I'll talk to you next time.

Tim Starks: Later.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Trey Hester, with original music by Elliot Peltzman. The show was written by John Petrik. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.