The CyberWire Daily Podcast 5.24.23
Ep 1830 | 5.24.23

Cybercriminals favor cyberespionage in North Korea, Russia, and parts unknown. Movements and activity in the cyber underworld.


Dave Bittner: Kimsuky has tailored reconnaissance tools. GoldenJackal is an APT quietly active since 2019. Criminals target YouTube viewers with free cracked software. Rheinmetall's data was posted to BlackBasta's extortion site. The "Cuba" gang claims credit for the attack on the Philadelphia Inquirer. CERT-UA identifies a probable Russian cyberespionage campaign. Ireland views cyber assistance to Ukraine as a contribution to collective security. Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black Tech. Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy, and KillNet's underperforming hacktivists.

Dave Bittner: I'm Dave Bittner with your CyberWire Intel Briefing for Wednesday, May 24, 2023.

Kimsuky's tailored reconnaissance tools.

Dave Bittner: SentinelOne has observed North Korea's Kimsuky using advanced reconnaissance malware. A new piece of custom malware in use by the hackers' random query has the single objective of file enumeration and information exfiltration. Other observed, random query variants in the wild are much different, having a broader array of capabilities that usually includes keylogging and further malware execution features. The tool is prominent in Kimsuky's arsenal and is commonly distributed through phishing attacks. In the present wave of attacks, the hackers claimed to be the chief executive of Daily NK, a well-known news organization based out of Seoul that reports on North Korean affairs. The Hacker News writes that the gang sends a Microsoft-compiled HTML Help file, which if opened, executes a Visual Basic script that eventually retrieves a second stage payload, a VB script flavor of random query. The malware goes on to harvest system data and transmits them back to the threat actor's C2 server. The outlet reports that the lifted data include system metadata, running processes, installed applications, and files from different folders. Kimsuky is a North Korean advanced persistent threat that's operated since 2012 and is based in North Korea. The gang has been seen targeting human rights activists, defector support organizations, and news services.

GoldenJackal, an APT quietly active since 2019. 

Dave Bittner: The GoldenJackal APT is a newly described threat actor that's been in operation since 2019. Kaspersky explains that the group specializes in long-term infection and information collection against targets in South Asia and the Middle East. The hackers were seen using fake Skype installers and malicious Word documents and 2020. The other known infection vector, the researchers explain, was a malicious document that uses the remote template injection technique to download a malicious HTML page, which exploits the Follina vulnerability. The group sports accustomed toolkit designed for collection, pivoting, and persistence. Kaspersky, as usual, offers no attribution. They do, however, note inconclusive circumstantial similarities between GoldenJackal and Turla, a generally Russian intelligence-service-associated threat actor. Kaspersky attributes the group's low profile to its low victim count and discriminating targeting.

Criminals target YouTube viewers and advertise free cracked software.

Dave Bittner: FortiGuard Labs reports on a continuing campaign against YouTube viewers that exploits hijacked YouTube channels with high subscriber counts. The attackers upload videos that show how to acquire free cracked programs like Adobe Acrobat. Viewers who click links in the video to the cracked software are prompted to download a password-protected archive which is bloated with over one gigabyte of useless files. FortiGuard explains that this is a technique commonly used to bypass antivirus and sandboxes that do not scan files beyond a specific size due to limited CPU and RAM resources. The archive contains an info stealer, a crypto wallet clipper, a crypto minor installer with various minor controllers, and a fake cracked software downloader. In general, users take a significant risk when attempting to download free software from nonvendor sources. In this case, a user who had a crypto wallet could lose more money than if they purchased the software legitimately. Experts recommend not clicking suspicious links advertising free products.

Rheinmetall data posted to BlackBasta's extortion site.

Dave Bittner: BlackBasta, recently seen in action against Swiss-based technology company ABB, continues to show a predilection for attacks against industrial firms. The double extortion ransomware gang published data stolen from German steel defense system and automotive manufacturer, Rheinmetall, on BlackBasta's extortion site this past Saturday. According to BleepingComputer, samples on the site included nondisclosure agreements, technical schematics, passport scans and purchase orders. Rheinmetall confirmed that it had, indeed, come under attack by the Russian criminal organization, which was detected in mid-April. The company notes that the attack only affects the group's civilian business. Due to the strictly separated IT infrastructure within the group, Rheinmetall's military business is not affected by the attack.

"Cuba" gang claims credit for the attack on the Philadelphia Inquirer.

Dave Bittner: The cyberattack The Philadelphia Inquirer sustained at mid-month may now be attributed to a specific criminal group, the "Cuba" ransomware gang has claimed responsibility. The Inquirer closely held the information behind the attack it sustained, disclosing few details. The paper's operations were significantly disrupted, and outsiders speculated that the paper was being extorted by cybercriminals.

Yesterday BleepingComputer reports those suspicions received some confirmation. The "Cuba" ransomware group on May 23rd posted data stolen from the Inquirer on Cuba's extortion portal. The files, which Cuba says it obtained on May 12th, are said to include financial documents, correspondence with bank employees, account movements, balance sheets, tax documents, compensation, and source code. The gang is unaffiliated with the government or nation of Cuba. Rather, it's a Russian government-directed criminal and espionage organization.

CERT-UA identifies probable Russian cyberespionage campaign.

Dave Bittner: Ukraine's CERT reports that an apparent Russian cyber espionage campaign has succeeded in compromising accounts belonging to the Embassy of Tajikistan. The threat actors, whom Ukraine tracks as UAC-0063 have used those accounts in a phishing campaign designed to install a keylogger, a backdoor, and a file stealer in targeted devices. In addition to Ukraine, the campaign has affected organizations in Mongolia, Kazakhstan, Kyrgyzstan, Israel, and India. Bank Info Security writes that the campaign bears some similarities to past operations by FancyBear, Russia's GRU.

Ireland views cyber assistance to Ukraine as a contribution to collective security.

Dave Bittner: The Irish Times says that Ireland has been rendering significant cybersecurity support to Ukraine during Russia's war, and that Dublin regards that assistance as a contribution to collective security.

Slackers, bro.

Dave Bittner: And finally, KillNet founder Killmilk announced today that he's dismissing the core roster of the gang because it's 50 constituent groups with their 1,250 members aren't participating in hacktivism, or at least not enough. So they're all fired. He added that when KillNet returns, if it does, it will be with a whole new roster. Killmilk will be working alone until he rebuilds the group. He says he'll begin drafting a new roster tomorrow. So spare a thought for your local hacktivist auxiliary. It's so hard to find good help nowadays.

Dave Bittner: Coming up after the break, Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black tech. Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy. Stay with us.

Dave Bittner: Oz Alashe is CEO and founder of CybSafe, a British software as a service company and provider of a platform that helps businesses reduce cyber risk. Among the many awards and accolades Oz Alashe has received is the MBE, member of the Most Excellent Order of the British Empire. Our conversation centers on the state of VC funding for cybersecurity in uncertain financial times, and specifically, how that might affect Black entrepreneurs.

Oz Alashe: Most VCs out there want great ideas that are likely to deliver real value into the market, and of course, real value back to shareholders and investors. And so, any Black founder who's looking for VC money we'll need to be able to demonstrate that they have that. And the reason that I guess we're talking about it is because there is no shortage of information that suggests that, you know, quite often, many of the people that they will be pitching to, many of the organizations that they will be attempting to present their ideas, and their teams to won't necessarily look like them. They maybe won't necessarily even understand the same context, circumstance, and experience that they've had, and therefore -- and they will be less likely to raise money. The stats tell that story. My experience has been wholly positive. You know, I've never really had a conversation with a VC that wasn't unpleasant, or at least wasn't any more pleasant than I think it's supposed to be sometimes, is the truth. But what is very, very true is that Black founders will need to be really clear about how their opportunity is going to deliver return and value, and they can't take for granted that people will necessarily understand where they're coming from, especially if they don't necessarily come from the same places and backgrounds that many of the other founders that the VCs look at -- will have come from.

Dave Bittner: That's a really interesting point, and I think, you know, over the past couple of years, we've seen, certainly, an emphasis on the importance of diversity in cybersecurity, the importance of diversity in thought. That, you know, people from different backgrounds bring different approaches to problem solving. How does that play into where we find ourselves today, to the reality of that situation? Is it -- can it be a help? Is it a hindrance? Is it neutral? What's your insight there?

Oz Alashe: Yeah, so, in my experience, I think it should absolutely be a help. You know, the cybersecurity industry is extremely problem focused, and we all exist as security professionals to address challenges that really come about because of the intersection between people and technology and the future, the things that we're trying to do as a society with technology and the things that individuals are trying to do -- solving problems. And so, the challenge that we've got as security professionals is really making sure that we can address those problems and address those challenges and face into that future, given everything the adversary wants to do, with the biggest range of minds that we can possibly apply to these challenges. So you can't really do that if you don't have a diverse group of people, and a diverse group of people tend to come from a range of different backgrounds, a range of different places. And so, diversity of mind and thought is important, as is diversity of ethnicity, as is diversity of gender, as is diversity of socioeconomic group. All of these things bring different backgrounds. And so, what we see today, I believe, is an increasingly diverse landscape, but it needs to happen faster, because the problem set isn't going away. The challenges are only increasing, and we need even more brilliant minds applying themselves to these challenges.

Dave Bittner: Do you suppose it's fair to say, or is it overstating it, that a Black entrepreneur coming into a meeting like this may have to be more prepared than someone else?

Oz Alashe: I don't think it's unfair to say that. I, as a Black man myself and a Black founder myself and, indeed, having had a few other, or at least one other career before this, as well, the reality is that, unfortunately, sometimes we face prejudice. We face people who either wittingly or unwittingly expect certain things because of what they see in front of them, rather than actually listening to what is being said, or indeed, actually maybe even seeing past what is in front of them. And so, with that in mind, I do think it's right that Black founders do need to be doubly prepared. That's not to say that everybody they're speaking to is either racist, or indeed doesn't want them to succeed. It's just simply to say that, actually, you can't take that for granted. Unfortunately, prejudice, as its termed and described, affects so many different people, and in the same way that as a man, I couldn't possibly fully understand the prejudice, and indeed, the benefits that I get, as a male, necessarily fully compared to, for example, some of my female founders. The same is true with non-Black founders and Black founders. And so, they do need to turn up more prepared, more prepared to ensure that actually the good idea that hopefully is as good as an idea as anybody else's, is going to be heard, is going to be understood and is going to get the opportunity that it needs to succeed.

Dave Bittner: What's your advice for folks who are in this situation? You know, looking around the room and not seeing very many people who look like them? Do you have any words of wisdom?

Oz Alashe: I don't know that they would be words of wisdom, Dave. I'm not entirely sure that I am the wisest person, but I would happily share my thoughts, and indeed, my experiences as well. I guess my first recommendation is to not be fazed by it. The reality is that if you are an entrepreneur or wanting to be an entrepreneur and a founder of a company that is going to do something really quite spectacular, as far as impacting the world is concerned, then being in a room full of people who don't look like you should not and knock you off your stride. It's not ideal. It's not what we would seek, but it is the reality of the world today, and actually, it doesn't necessarily need to be a bad thing. There are so many good VCs and investors out there who really only care about the problem that's to be solved and the opportunity in the market. So don't be fazed by it would be maybe one bit of advice I would give by people. Go, do your best, be your best, and help these people understand why you truly are going to change something spectacular. The other thing I would say is to maybe speak to other people who are in the same situation as you. That's founders, regardless of backgrounds. Ultimately, the more that you can hear and learn about the experience of raising money, the more it's going to feel less alien to you, and that, in itself, is going to help. But the other thing I would say is bear in mind that, ultimately, what you are doing is selling an idea yourself and your team, and of course, ideally, your business. You know, depending on what stage you're at, you already have a business. You're already generating revenue. And indeed, you already have customers and all of those things need to be presented well. It doesn't matter what color you are. If you present them badly, you're not going to go anywhere. So again, I would just really focus on making the most of the opportunity rather than focusing too much on the disadvantages. Ultimately, the disadvantages are not ideal, but they are absolutely surmountable.

Dave Bittner: That's Oz Alashe, CEO and founder of CybSafe.

Microsoft's Ann Johnson is host of the afternoon Cyber Tea Podcast. Right here on the CyberWire Podcast Network, she recently spoke with Tyrance Billingsley about Black Tech. Here's part of their conversation.

Ann Johnson: And today, we're going to talk about the power of community and the rebirth of Tulsa, Oklahoma, as a center for Black leadership and cultivation of Black potential. I'm joined today by Tyrance Billingsley II, a born-and-raised Tulsan entrepreneur, ecosystem builder, and community leader with a background in politics and community organizing. For the past three years, Tyrance has been seeding the narrative of Black Wall Street as the world's premier Black innovation economy through Black Tech Street, an organization where he is the founder and executive director. Welcome to Afternoon Cyber Tea, Tyrance.

Tyrance Billingsley: Thank you so much, Ann. It's a pleasure to be here.

Ann Johnson: So that brings us directly back to Black Tech Street. This is an organization initiative you founded because you had that passion, and you wanted to have that impact for your mission. Tell us more about Black Tech Street. What was the purpose behind the organization, and how actually did it come to be? I'd love to understand the origin story.

Tyrance Billingsley: Absolutely. So being a born and raised Tulsan and relative of Tulsa Race Massacre survivors, I had heard about the excellence of Black Wall Street. It was deeply rooted in my identity. So I eventually ended up asking myself a question where I said what could Black Wall Street have been, had it been supported and not destroyed? And when I thought about the level of tenacity that it took for these entrepreneurs to build these incredible businesses during Jim Crow, the smashing through walls, and the out-of-the-box thinking, it showed a lot of parallels with the attitude you have to have to be successful in the tech industry, and that's essentially led me to this kind of three-pronged epiphany. You know, one tech is one of the only industries in which you can build intergenerational wealth and seven to 10 years via successful company exit. Two, tech is the core medium through which all global innovation is consistently taking place. And three, by the year 2030, there were projected to be as many as 4.3 million high-paying vacant tech jobs due to a tech talent shortage. So when I put all three of these things together, I not only saw an incredible wealth-building opportunity for Black people, I kind of saw the Black Wall Street vision pushed to a new horizon. So this led me to surmise, had Black Wall Street been supported and not destroyed, it would be nothing other than the nation's premier Black tech ecosystem. So that's where the name Black Tech Street comes from, and that's our mission -- working to rebirth Black Wall Street as a tech hub, but also, kind of use Black tech Street is this banner that catalyzes a movement that sees Black people embrace tech as a means to build wealth and impact the world.

Ann Johnson: So community, one of the aspects of Black Tech Street that you emphasize is community, and communities provide us with a sense of connection, a sense of support, and also, we can build communities for learning where people have the ability to have resources that are so critical. Why is community so important to Black Tech Street, and tell us a little about the community that you have and you're building in Tulsa?

Tyrance Billingsley: Absolutely. So community is so critical to Black Tech Street because community was critical to Black Wall Street. What made Black Wall Street successful were so many different actors collaborating in ways that uplifted each other, and they were able to fill in each other's gaps. They were able to make up any lack that the other had by providing key services. So community is critical to Black Tech Street, because it's built on the foundation of Black culture, but also, the Tulsa community and particularly the Black Tulsa community, we have a saying called, you know, "What you do for me without me you do to me." And that essentially emphasizes that even if you're trying to help, even if you want to do something that's good for the community, you have to do it alongside them. You can't sit up in an ivory tower or in some room and say we're going to think of something cool to do for Black people, but we're not going to involve them in the process. We're not going to have their fingerprints all over the plan. That's not how things get done in the Greenwood Community in Tulsa. It's pretty core for us to be able to operate.

Dave Bittner: That's Ann Johnson from Afternoon Cyber Tea speaking with Tyrance Billingsley. You can hear more of that conversation on the Afternoon Cyber Tea Podcast. You can find that wherever you get your podcasts.

Dave Bittner: And that's this CyberWire. For links to all of today's stories, check out our Daily Briefing at We're privileged that N2K podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer, Jennifer Eiban. Our Mixer is Trey Hester with original music by Elliot Peltzman. The show was written by Rachel Gelfand. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.