The CyberWire Daily Podcast 6.20.23
Ep 1847 | 6.20.23

Reddit sees bad luck as a BlackCat attack crosses their path. The C2C market is more mystical nowadays. Hacktivist auxiliaries and false flags in the hybrid war.

Transcript

Dave Bittner: The BlackCat gang crosses Reddit's path, threatening to leak stolen data. Mystic Stealer malware evades and creates a feedback loop in the C2C market. RDStealer is a new cyberespionage tool, seen in the wild. The United States offers a reward for information on the Cl0p ransomware gang. KillNet, REvil, and Anonymous Sudan form a "DARKNET Parliament" and "sanction" the European banking system. The British Government commits £25 million in cybersecurity aid to Ukraine. Ben Yelin explains cyber disclosure rules proposed by the SEC. Rick Howard speaks with Nancy Wong of AWS about the importance of backups and restores. And what researchers are turning up in cloud honeypots.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Tuesday, June 20th, 2023.

ALPHV threatens to leak stolen Reddit data.

Dave Bittner: The ALPHV ransomware gang, also known as BlackCat, is threatening to release 80 gigabytes of stolen data unless Reddit repeals its unpopular API rate hikes and pays the attackers $4.5 million. Computing reports that the data was taken in February and that ALPHV gained access to the sensitive information by successfully phishing for employee credentials.

Mystic Stealer malware: evasive, and with a feedback loop in the C2C market.

Dave Bittner: A new infostealer has added some mysticism to the C2C market. Mystic Stealer is a new infostealer gaining traction in the cyberthreat landscape. As researchers at CYFIRMA explain, the infostealer saw recommendations from forum veterans who tested it and provided feedback, which the threat actors incorporated into the stealer. Mystic Stealer's unknown developers assist with the installation process on the customer's Linux server, then hand over complete control of the command-and-control panel. One of the more dangerous aspects of Mystic Stealer is the community feedback from customers. This allows the developers to make the tool more efficient and effective. Researchers at Zscaler report that the stealer is capable of lifting capture history and autofill data, bookmarks, cookies and stored credentials from nearly 40 different web browsers, amidst lifted credentials and stolen data from crypto wallets.

RDStealer cyberespionage tool in the wild.

Dave Bittner: Bitdefender this morning shared their discovery of a new custom malware strain known as RDStealer, which uses DLL sideloading for the purpose of cyber espionage. The researchers say that sideloading, or the practice of downloading an application or program via unofficial software distribution channels, allows the threat actor to monitor incoming Remote Desktop Protocol connections with client drive mapping enabled. The Logutil backdoor then infects the victim's device and lifts sensitive data. Both RDStealer and Logutil are written in the Go programming language, which has the capability of infecting multiple operating systems. Researchers have identified cases impacting both Linux and ESXi. The threat actor, active since at least 2020, is believed to be based in China, although that has yet to be confirmed. The use of custom malware by the hackers has been observed since late 2021 or early 2022. Credential theft and data exfiltration are believed to be this campaign's primary goals.

US offers reward for information on Cl0p ransomware gang.

Dave Bittner: Progress Software has disclosed and patched a third vulnerability in its MOVEit file transfer application. The flaw, an SQL injection vulnerability, CVE-2023-35708, could allow an attacker to submit a crafted payload to a MOVEit Transfer application endpoint, which could result in modification and disclosure of MOVEit database content. A proof of concept for the vulnerability was published on June 15th. Cl0p continues its exploitation of MOVEit vulnerabilities to distribute ransomware. Ransom demands have begun to arrive at US government agencies and other victims. According to Reuters, the US Department of Energy has received two such notices. BleepingComputer reports that the US State Department's Rewards for Justice program is offering up to $10 million for information tying the Cl0p ransomware gang to a foreign government. Cl0p has used MOVEit vulnerabilities to compromise at least two dozen entities, including some US government agencies, SecurityWeek reports.

Anonymous Sudan looks like a Russian front group.

Dave Bittner: Researchers are moved to conclude that Anonymous Sudan is a Russian-run operation, and not the Islamist Patriot hacktivist collective it claims to be. Researchers at CyberCX have released an intelligence update on Anonymous Sudan after that threat group attacked Australian government organizations. The researchers point out that they assess with high confidence that Anonymous Sudan is unlikely to be the simple religious hacktivist group it purports to be, and that Anonymous Sudan is unlikely to be geographically linked to Sudan. CyberCX assesses that the threat group uses a substantial paid-proxy infrastructure across various countries to conduct its attacks. This supposed backwater organization has suspiciously significant funding and a complex operational style. Researchers at Trustwave write that there are clues leading them to believe the gang may be associated with KillNet in some way. The use of DDoS attacks as their attack vector, alongside observed use of Russian, as well as primary targeting of nations in support of Ukraine, are all shared attributes between Anonymous Sudan and KillNet.

KillNet, REvil, and Anonymous Sudan form a "DARKNET Parliament" and "sanction" the European banking system.

Dave Bittner: Speaking of KillNet, in partnership with REvil and Anonymous Sudan, they announced Wednesday that they would be attacking European banking systems. They seem at least in part to have kept their promise. This isn't the general attack on the SWIFT interbank funds transfer system the operators had been threatening, and it's always difficult to determine the effectiveness of these attacks, but it seems the hacktivist auxiliary successfully carried out a DDoS attack against the European Investment Bank. EIB has confirmed that they are experiencing a cyberattack which is affecting the status of their website. The hacktivist triumvirate also claims to have created a DARKNET Parliament. A communique announced that they are going to impose sanctions on European banking transfer systems SEPA, IBAN, WIRE, SWIFT, and WISE. Although the groups may have successfully disrupted the EIB's website, the damage done is probably transitory. The incident represents another politically motivated nuisance-level attack of the sort that's become commonplace during the current phase of Russia's hybrid war.

British Government commits £25 million in cybersecurity aid to Ukraine.

Dave Bittner: His Majesty's government on Sunday announced that it would allocate £25 million to aid Ukraine's cybersecurity efforts. Prime Minister Rishi Sunak describes the funding as critical to harden the nation's cyber defense. The new grant builds on and significantly expands last year's £6.35 million tranche of cybersecurity assistance.

What's turning up in cloud honeypots.

Dave Bittner: And finally, Orca Security researchers channeled their inner Winnie the Pooh, deploying honeypots on a variety of environments to measure the movements of bad actors. This morning, Orca released a report detailing insights into attacker tactics, techniques and procedures, as well as the things that attract attackers. In the 2023 Honeypotting in the Cloud Report, the researchers placed honeypots, which are faux traps intended to lure cyber criminals away from actual threats, on a variety of environments, including AWS S3 buckets, GitHub and DockerHub, among others. Each of the nine deployed honeypots was said to contain a secret, which in this case was an AWS secret access key. Key insights from the report include the rapid discovery by threat actors of vulnerabilities, as these honeypots were discovered within minutes of their deployment. The usage of the key, however, varies between different environments. The researchers saw GitHub keys used within two minutes, whereas with S3 buckets, exploitation took upwards of eight hours. Certain resources and environments are more attractive to malicious actors. More popular resources can be easy to access and contain a treasure trove of sensitive information. Orca researchers don't advise automated protection solutions, recommending instead tailored strategies for defending each resource against threats.

Dave Bittner: Coming up after the break, Ben Yelin explains cyber disclosure rules proposed by the SEC. Rick Howard speaks with Nancy Wong from AWS about the importance of backups and restores. Stay with us.

Dave Bittner: My CyberWire colleague Rick Howard was recently at the AWS Reinforce Conference in Anaheim, California, where he caught up with Nancy Wong, Director of Engineering and General Manager at Amazon Web Services. They spoke about the importance of backups and restores.

Rick Howard: The CyberWire is an Amazon Web Services media partner, and in June 2023, Jen Eiben, the CyberWire Senior Producer, and I traveled to the magical world at Disneyland in Anaheim, California, to attend their AWS Reinforce Conference and talk with senior leaders about the latest developments in securing the Amazon cloud. I got to sit down with Nancy Wong, the General Manager of Data Protection at AWS. I asked her if there was a single thread from her perspective that explained the theme of this year's conference.

Nancy Wong: Data resiliency, so as data is the new oil or how it powers businesses, that means as a digital business today, right, you're going to have tons of sensitive customer data, sensitive business information data or critical data that is important to how your business functions, and you need to make sure that's protected, starting by knowing where it is in your persistent data platforms, and also what measures and policies you're taking to protect and secure that data.

Rick Howard: Well, that feeds right into one of my first principle cybersecurity strategies. I call it resilience. Before you can make sure you can survive a catastrophic event, you have to know where your material data and workloads are located so that you can properly back them up and restore them if needed. AWS has made it pretty easy to back all that stuff up, and that's phenomenal, but what's still really hard, especially for smaller businesses, is restoring the material data in the central workloads in a timely manner so that my customers never even noticed that there was an outage. I don't really want to be good at backups. What I really want to be good at is restores. So full disclosure here, Nancy, you know, the CyberWire is an Amazon customer, and we have a rigorous backup plan, but what I really need is an easy button that allows me to restore everything quickly and efficiently if there was ever some kind of trouble, you know, like some kind of outage or a ransomware attack, or you know me, Rick Howard, fat fingering the configuration and causing the cloud instance to go up in flames.

Nancy Wong: That happens. I have made many a mistake deleting resources by mistake.

Rick Howard: I've never, ever done that. So is that somewhere in the future where I can just hit an Amazon button and the entire CyberWire instance is recovered and fully functional somewhere? Is that -- it's on the roadmap somewhere?

Nancy Wong: It is, so actually today, using AWS Backup, which actually I think a better name for it could probably be AWS Backup and Restore --

Rick Howard: Yeah.

Nancy Wong: -- since, you know, the point of backing things up is to restore them, is today you can restore at the single-resource level, so you mentioned EC2 instance. We also back up EBS volumes. We also support RDS, and so on, so forth, all the file and object platforms as well, and also the ability as I said to back up the entire CloudFormation stack, but also restore it as a stack. Now, without, you know, sharing what's in the kitchen right now under works, is also, you know, a focus on, for example, game day testing, right? So you can have the best intentions, but when, let's say, an event actually occurs, how do you know that you're compliant? And then more importantly, how can you be sure that you can bring your business back online within an allowable framework or timeframe? And so that really happens with regular testing, right? So placing emphasis on not just testing whether something can be restored, but actually testing the entire drill as a runbook. And it's really that runbook and that automation, making sure that you have the steps documented, because look, everything may not be just captured in IT systems. Some of it might be personnel related as well, so how can you essentially write that down as a recipe so that later when you're doing, let's say, regular drills for compliance reasons, or let's say an actual event actually happens, right, you're not doing it ad hoc and just hoping that everything works. You have a foolproof and tested and validated plan that it actually works.

Rick Howard: In the keynotes this week, there was a lot of discussion about zero trust, and I could sense the ghost of John Kindervag, the man who penned the original zero trust white paper over a decade now, in all of those discussions. Do you want to wrap up our conversation with any last thoughts about zero trust?

Nancy Wong: Specifically, from a data protection perspective, I want to, you know, work with more customers to define protect surfaces, right, which John, you know, Kindervag writes a lot about, which is knowing what you have in your environment, and what's important to protect, and making sure that you are intentional about the way that you're protecting and securing those resources, and inherently your customer data.

Rick Howard: Excellent. That's a good wrap up for it. Thank you very much for coming on the show.

Nancy Wong: Of course. Thanks for having me.

Rick Howard: All right.

Dave Bittner: That's Rick Howard speaking with Nancy Wong from AWS.

And joining me once again is Ben Yelin. He's from the University of Maryland Center for Health and Homeland Security, and also my co-host over on the Caveat podcast. Ben, welcome back.

Ben Yelin: Good to be with you, Dave.

Dave Bittner: So, recently, the US Securities and Exchange Commission, the SEC, has proposed some rules that would require publicly traded companies to disclose cybersecurity incidents in public filings within days of their discovery. This has drawn some attention and criticism and support. Can you unpack this for us? What's going on here, Ben?

Ben Yelin: Sure. So the SEC, just in its authorization as a commission, has the authority to require public companies to make routine disclosures of facts that are materially relevant to investors. So this is a way of regulating financial markets. Investors should be aware of potential risks for their investments, and in that spirit, the SEC has finalized a proposed rule that would require these companies to disclose cybersecurity incidents in public filings within days after their discovery. So industry was relatively up in arms. This has been a fight that's been going on for a couple of years now.

Dave Bittner: Right.

Ben Yelin: There are really several concerns here. One is compliance is very difficult. When we're talking about particularly smaller, publicly traded companies, being able to disclose these incidents within days of their discovery is often extremely burdensome for the companies themselves, for their staffs, and just might be an inhibition on their ability to conduct business. Particularly if they're not aware of the attack, if it takes a while for the attack to penetrate their networks --

Dave Bittner: Right.

Ben Yelin: -- that's something that could be problematic. There are also national security concerns about identifying these vulnerabilities. If the SEC has records that XYZ Company was a victim of a cyberattack, that could be inviting further attacks by- and kind of making people aware or potentially bad actors aware of our weaknesses in the private sector.

Dave Bittner: Mm-hm, right. So somebody drained the moat, so come on into the castle.

Ben Yelin: Exactly. And then the other concern is there's the separate statute passed by Congress, the Cyber Incident Reporting for Critical Infrastructure Act, which requires reports of incidents of cybersecurity incidents in critical infrastructure sectors to the federal government, and so there's an allegation among critics that that's going to be duplicative of this SEC Rule. In terms of that last problem, I don't think it's really duplicative because many operators of critical infrastructure are not publicly traded companies, and it still makes sense that they should- because of the risks of harm to our critical infrastructure, it still makes sense that they report to the federal government that they've been the victim of a cyberattack, but that's certainly distinct from what the SEC is trying to regulate here where it's a warning to potential investors. So that's, I think, a very important distinction here. It's more of a complement to the critical infrastructure requirements that were passed last year, and less of a direct conflict. I also think, you know, the national security risks, the risks of further undermining cybersecurity in the private sector by showing people that these risks exist, I think that's taking a relatively short view when we should be taking a long view, that we can improve the overall health of our cybersecurity ecosystem by having better information sharing so that regulators can more efficiently employ existing policy, tools, research, etc., and potentially we can catalyze better cybersecurity behavior so that companies have some disincentive to make themselves vulnerable to potential cyber risks. So I think the regulations here are promising and will have a big impact on these private center- private sector entities that are publicly traded, and I'm very curious to see what the rollout of this looks like when it's actually put into practice.

Dave Bittner: Yeah, it's interesting to me. I kind of think of this as being- by putting a time frame on this of being a couple of days, I can imagine an organization being hot and heavy in the midst of incident response, right, and basically--

Ben Yelin: Right.

Dave Bittner: -- saying to the regulators, listen, you're asking us to file a report and the building is still on fire.

Ben Yelin: Right.

Dave Bittner: You know, let us put the fire out. We are happy to comply, but can we put the fire out first? And I wonder if that's a reasonable approach of saying- coming up with whatever the standard would be in your incident response lifecycle, where- of the cybersecurity incident response equivalent of, you know, we got a steaming pile of rubble here, but the fire is out. Now, it's- now we can do the report, because not all fires are the same.

Ben Yelin: Yeah, I mean, I can understand why that would be burdensome, but we do do that in all different types of situations. I mean, the NTSB is on the scene of a major accident in our transportation infrastructure before the rubble is cleaned up.

Dave Bittner: Yeah.

Ben Yelin: And they're certainly taking records of it and, you know, they have people on the ground who might be distracting from the cleanup effort there, so it's not like this is something that's entirely unheard of.

Dave Bittner: Right.

Ben Yelin: I just think that, yes, while it might be burdensome, the advantages of having this ecosystem where there is information sharing just vastly outweigh the disadvantages of compliance on the part of some of these companies. That is obviously in the eye of the beholder. As somebody who is not responsible for cybersecurity at a publicly traded company, I get that it's easy for me to say--

Dave Bittner: Right.

Ben Yelin: -- but, you know, that would be my initial reaction to these regulations.

Dave Bittner: Yeah. So we have a rules proposal here from the SEC. How do these things typically play out from this point of actually going into force?

Ben Yelin: Oh, man, well, I don't want to get into how the Administrative Procedure Act works, and all of that mumbo jumbo.

Dave Bittner: Okay.

Ben Yelin: But generally, rules, there's a 30-day timeline once the rules have been finalized before any rule can actually go into effect, but they have already had their notice and comment period, so people have had the opportunity to weigh in. I suspect that once they finalize the regulation, it goes through proper review from the relevant federal entities like OIRA, which is the Office of Information and Regulatory Affairs. Once it goes through the Office of Management and Budget, then it's published in the Federal Register. I will say Congress has their chance, as they have done many times, to reject this rule if they think it's overstepping its bounds, and if they think the policy is damaging. There's this thing called the Congressional Review Act, where Congress, through a simple majority vote in both the House and the Senate, can reject a recently enacted federal rule, and that would take the rule out of existence. The only problem is that the President has the power to veto any Congressional Review Act resolution. I believe those have been the only vetoes so far in Joe Biden's presidency, because of course, why wouldn't the President veto Congress trying to supersede the rules that his own administration has already made?

Dave Bittner: I see.

Ben Yelin: But that's certainly something that we could see down the line.

Dave Bittner: Yeah. All right. Interesting development to keep an eye on, for sure. Ben Yelin, thank you for joining us.

Ben Yelin: Thank you.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.