The CyberWire Daily Podcast 6.22.23
Ep 1849 | 6.22.23

Cyber spies and vulnerability goodbyes. RedLine Stealer and Vidar: the cryptkeepers. Social engineering TTPs.

Transcript

Dave Bittner: North Korea's APT37 deploys FadeStealer to steal information from its targets. Apple patches vulnerabilities under active exploitation. Access to a US satellite is being hawked in a Russophone cybercrime forum. Russian hacktivist auxiliaries say they've disrupted IFC.org. Unmasking pig-butchering scams. Social engineering as a method of account takeover. Fraudsters are seen abusing generative AI. Sergey Medved from Quest Software describes the "Great Cloud Repatriation". Mark Ryland of AWS speaks with Rick Howard about software-defined perimeters. And embedded URLs in malware.

Dave Bittner: I'm Dave Bittner with your CyberWire intel briefing for Thursday, June 22nd, 2023.

DPRK's APT37 deploys FadeStealer to collect against its targets.

Dave Bittner: AhnLab describes a cyberespionage campaign by North Korea's APT37, which deploys a new information-gathering tool, FadeStealer, against its target. The gang's scope seems to cover surveillance of individuals in South Korea whom Pyongyang regards as actually or potentially hostile, North Korean defectors, human rights activists and university professors. The gang, known also by names that include ScarCruft, Reaper, and RedEyes, begins their attack with a spearphishing email baited with a password-protected document. Executing the included CHM file also executes PowerShell malware that installs a backdoor. An autorun registry key enables the malware to maintain persistence. The next stage involves the installation of a second backdoor, "AblyGo backdoor", which as its name suggests, exploits the legitimate Golang-based Ably platform. AblyGo enables subsequent privilege escalation, exfiltration, and malware installation. FadeStealer includes eavesdropping functionality, taking control of the affected device's microphone to collect ambient speech and other sounds.

Apple patches vulnerabilities under active exploitation.

Dave Bittner: Apple has patched two security flaws that were used in hacks against thousands of Russian devices, The Washington Post reports. Russia's Federal Security Service, also known as the FSB, has attributed this campaign to the United States National Security Agency, but there's no evidence of NSA involvement apart from the FSB's accusation. The FSB itself has refrained from explaining how they reached their conclusion. An Apple spokesperson told CyberScoop that the company has never worked with any government to insert a backdoor into any Apple product and never will. In its security update, Apple says the hack allowed for the execution of arbitrary code with kernel privileges. Sophos writes that the two vulnerabilities have been patched in Apple's latest update on all devices, with the possible exception of tvOS, which the cybersecurity firm says may just have yet to receive an update. It is strongly advised that those with Apple devices update as soon as possible.

Access to a US satellite is being hawked in a Russophone cybercrime forum.

Dave Bittner: HackRead reports that a Russian-speaking hacker is offering access to a Maxar Technologies US military satellite for $15,000. The account posting the offer, labs666, offers to receive funds through the trusted third-party payment service Escrow. It's difficult to know what to make of the claim, which seems a little excessive for credibility.

Russian hacktivist auxiliaries say they’ve disrupted IFC.org. 

Dave Bittner: Russian website Dzen.ru reported that the so-called DARKNET Parliament, composed of KillNet, Anonymous Sudan, REvil, claims to have taken down the International Finance Corporation's website ifc.org. The attack started yesterday morning, and the hacktivist auxiliaries called the DDoS attack "just the beginning." The Telegram pages for the associated groups are notably light on the usual updates regarding their cyber activities, with KillNet posting a statement that is unusually modest of the group, saying that, "Unfortunately, IFC is no longer working," says KillNet. The claims await confirmation. It's worth noting that Dzen.ru is clearly editorially on the side of the Russian hacktivist auxiliaries. The outlet refers to the groups as, "our valiant Anonymous Sudan and KillNet," lending more circumstantial credibility to the conclusion that Anonymous Sudan is a Russian front group.

A look at Cryptor[.]biz, a player in the C2C market.

Dave Bittner: KrebsOnSecurity has described in detail Cryptor.biz, one of the more popular crypting services available to the criminal underworld. Crypting, KrebsOnSecurity explains, is disguising or crypting your malware so that it appears benign to antivirus and security products. Cryptor.biz is a tried and true crypting service recommended by RedLine Stealer and Vidar as one of the more reliable places a criminal can go to get malware crypted. KrebsOnSecurity tracks email addresses involved with Cryptor.biz and links these in turn to usernames and websites associated with a particular individual. As KrebsOnSecurity puts it, "It makes a lot of sense for cybersecurity researchers and law enforcement alike to focus attention on the top players in the crypting space for several reasons. The most critical reason," Krebs writes, "is that the threat actors recommending the use of the crypter tend to be among the most experienced and connected malicious coders on the planet."

Pig-butchering unmasked.

Dave Bittner: Trend Micro has published a report with their latest take on pig-butchering, a type of cryptocurrency scam in which victims are tricked into investing in fraudulent cryptocurrencies. The flow of a pig-butchering scam begins with the addition of potential victims to a fake chat group on investing. The firm writes that if a victim shows interest in investing, the conversation evolves into a one-on-one chat. From there, the victim is introduced to a fake brokerage service and prompted to transfer funds to its website. This cycle repeats itself as new victims find their place in the grasp of the malicious actor. The researchers determined that one group of pig-butchering scammers made nearly $4 million between January and March of 2023.

Social engineering for account takeover.

Dave Bittner: Avanan outlines a social engineering attack in which threat actors compromise a victim's work email account and use the account to request a payroll information change. This specific attack sees threat actors posing as company employees reaching out to their respective HR departments requesting a change in the bank account associated with their direct deposit. Avanan notes that people change banks all the time. Sometimes people want the money split into multiple accounts. Whatever it is, it's not unusual to receive this sort of request.

Fraudsters abuse generative AI. 

Dave Bittner: Sift has released its Q2 2023 Digital Trust and Safety Index focused on "Fighting fraud in the age of AI automation" and discussing the use of generative AI in social engineering schemes and the fears from consumers surrounding the new technology. The fears aren't entirely groundless. Sift writes that within the last six months, 68% of consumers noticed an increase in the frequency of spam and scams, likely driven by the surge in AI-generated content. The company's data also shows a 40% jump in blocked fraudulent content from 2022 to the first quarter of 2023. This increase is anticipated to continue into the future. The threat associated with AI is that it lowers the barrier to entry for fraud and social engineering scams. There's an easy plausibility to the language it generates that outdoes the text non-native (or even less gifted native) speakers produce.

Embedded URLs found in malware.

Dave Bittner: And finally, cybersecurity firm Cofense has found that compromised domains make up over half of embedded URLs used to deliver malware. "Compromised domains," the firm says, "are accessible by actors of varying skill levels, are effective at bypassing secure email gateways, and are somewhat effective at fooling potential victims." Abused domains, such as those using Google Docs or Microsoft OneDrive, made up 37% of embedded URLs. These domains are highly effective, but short-lived due to quick detection by the hosting services. Domains that were created by the threat actors themselves accounted for just 11% of embedded URLs. The researchers note that created domains are typically used by more advanced threat actors, are not highly effective at bypassing secure email gateways, and are highly effective at tricking victims. So make sure that the website you're using to buy your newest swimsuit for the summer will only take your money and not any of your sensitive data. Actually receiving the swimsuit would be nice too.

Dave Bittner: Coming up after the break, Sergey Medved from Quest Software describes the Great Cloud Repatriation. Mark Ryland from AWS speaks with Rick Howard about software-defined perimeters. Stay with us.

Dave Bittner: Sergey Medved is VP of Product Management at Quest Software, a provider of cloud management services, among other offerings. I spoke with him about a trend he and his colleagues are tracking of clients moving some critical assets back on-prem, what some are calling The Great Cloud Repatriation.

Sergey Medved: A lot of companies are evaluating costs, a lot of companies are evaluating their security posture, and this IT environment is a living organism in a sense that things are changing every year, and so that naturally is putting some CISOs and CIOs into a spot where they're starting to look at their cloud strategies and reevaluate them.

Dave Bittner: Can you give us some specific examples of some of the things that are making CISOs take a closer look at this?

Sergey Medved: Yeah, the biggest trend, I think, several years ago was obviously security, so a lot of public cloud providers either did not have the capabilities to support the latest regulatory requirements, for example, HIPAA, or country-specific data storage rules. That has changed, right? And so I think we're now seeing a shift towards cost where, again, the CIOs and very often it's a board conversation as well, are realizing that a lot of the applications that they migrated into the cloud in the past, maybe some of them don't really necessarily have to be there, and that's taking a toll on both the cost side of things, but also on the user experience, because we're seeing more and more of those hybrid environments where your data perhaps is on-premise, and some of the applications are running in the cloud, and so there is obviously this data latency issue, but also, as I said, cost. The cloud provider cost has been fairly flat relatively in the last several years, but the cost of, you know, buying servers or real estate in data centers or power supplies has been trending down steadily in the last decade or so, and so again, if you're in the CIO position, if you look at it, you start reevaluating and realizing that in many cases, it may be more cost efficient for you to run your workloads, some of the workloads on-premise.

Dave Bittner: What are some of the specific types of data that folks are finding they want to pull back to be on-prem?

Sergey Medved: Well, it comes- when it comes to regulation, right, it's anything that's HIPAA-compliant, for example, data or PCI or payments-related data. That's pretty clear. For a lot of nonregulated industries, so outside maybe of finance and healthcare, we're seeing a lot of intellectual property data or sensitive data that customers are starting to look to move into the private clouds or on-prem, right? If you are, for example, BMW or another, you know, big major company where 20 or 50 years ago, your competitive position was how quickly you could produce cars and, you know, put them in the hands of the customers, now it's more about the innovation that you're doing at your company, right? So every manufacturing company these days is a technology company, and so technology is all about data, so you need to be looking at what- which data is truly, you know, the core of your business, and which data you want to protect, and so that can be anything around the intellectual property, the designs maybe if you're, again, a car manufacturer, or if you're a services provider, it can be your customer data as well.

Dave Bittner: Is there a concern about added complexity here when you're running a hybrid operation?

Sergey Medved: Absolutely, absolutely. So at the end of the day, you're balancing between cost and customer experience, because if you just go and you try to reduce cost, and that's your primary goal and objective, then you probably would end up with an on-prem, you know, data center somewhere. But at the end of the day, your customer experience is also equally important whether it's your external customer or your- you're serving your internal customers, your employees. Say it's an HR system or whatnot. And so we're doing software development. And so, for the CIOs, it's a balancing act. It's making sure that the applications that- whether you put them into the cloud or they're on-premise, the latency of those applications is acceptable. The data is flowing, you know, quickly between them. You're not suffering from outages because, you know, if you put data in- or your applications between the cloud, the hybrid environment cloud and on-prem, you're just expanding both the attack surface from a cybersecurity standpoint, but you're also expanding your sort of the weak spots of your architecture or the points of failure.

Dave Bittner: Do you suppose that we'll see some ebb and flow with this between the cloud providers and the on-prem providers? You know, I can imagine waves back and forth of- you know, as cloud got more popular, then the on-prem got less expensive because it wasn't as much in demand. But now if we're swinging back to on-prem, maybe the demand makes that a little more expensive and cloud prices go down? Do you think there's anything to that line of thinking?

Sergey Medved: Oh, absolutely. As I said, it's ebbs and flows. Again, with hyperscalers, in the past, they've taken steps to meet government and industry requirements, so specific cloud services are now available from major players available for classified data, HIPAA-compliance, government data, country-specific requirements, especially in some Asian countries and Europe, and this allows for many of the businesses to, again, reconsider moving data back into the cloud, in some cases, right? Storing your backups, for example, is a good example, very often, in the past, the companies are going to flock to the cloud, then they realize that there is the risk of misconfiguration in the cloud, right, something that would place your data, your backups in the cloud, at risk. They moved it to, you know, on-premise to their private clouds and private environments. Now, again, they're starting to look back at the cloud offerings, because Azure, Microsoft and AWS, Amazon and Google have- Google has stepped up their game in offering new capabilities that allow customers to store their data in sort of an immutable way.

Dave Bittner: What are your recommendations for people to come at this, to be able to properly set their priorities and balance their approach here?

Sergey Medved: It's all about planning at the end of the day. Large companies like Gartner and Forrester are doing a lot of advising in the space, and I think Gartner has a market guide for it, but at the end of the day, again, without purpose of planning, the cloud can be more expensive, it can be less secure, so that's the result that cloud repatriation is the result of it. So proper roadmapping for the workloads, proper planning for migrations when companies move their data, whether it's on-premise or to the cloud, that's a key component of making sure that the future workloads and the data are both secure and delivering on the promise of the customer experience and cost.

Dave Bittner: That's Sergey Medved from Quest Software.

Dave Bittner: In our continuing series of interviews, my CyberWire colleague Rick Howard gathered at the recent AWS re:Inforce Conference. Rick checks in with Mark Ryland of AWS. The topic of their conversation is software-defined perimeters.

Rick Howard: The CyberWire is an Amazon Web Services media partner, and in June 2023, Jen Eiben, the CyberWire senior producer, and I traveled to the magical world at Disneyland in Anaheim, California, to attend their AWS re:Inforce Conference and talk with senior leaders about the latest developments in securing the Amazon cloud. I got to sit down with Mark Ryland, the Director of the Office of the Chief Information Security Officer at AWS to talk about Amazon's version of a software-defined perimeter, a concept that I've been talking about for a few years now that can greatly enhance any organization's zero-trust journey. Amazon calls their version Verified Access, coupled with a specially designed open-source authorization language that they call Cedar.

Mark Ryland: There's a number of use cases that when we think about zero trust, we kind of break it into sort of three general use cases. One is human access to applications. Another is software-to-software scenarios where again, you want even your software to be validated each time it calls in, say, another microservice. And then there's another kind of broad category that we can think of as either IoT or industrial IoT or, you know, kind of that whole topic. Again, it's a software-to-software scenario, but it's often involving things like, you know, factory floor operations, smart highways, smart buildings, all that kind of part. And that also is considered, you know, broadly speaking, one of the primary use cases. So in that first use case, which is a very common one and one with a lot of focuses, I have human users. They need to access applications typically like enterprise apps. And historically, we would do that with VPN technology. Right? So you log into a VPN. Now I'm inside the corpnet, and now I have the same access as when I was on the physical network, but again, often that access is very broad and very maybe inappropriately broad, and so --

Rick Howard: In hindsight, it's ridiculous that we did it that way. Right?

Mark Ryland: Yes. That's right. Although we do have in our principal engineering community at Amazon, we have a tenet which is respect what went before, so you have to understand there are probably reasons that made sense at the time, but in any case, you're right. And so what Verified Access does is it gives you that- you think of it as a smart proxy capability that you were- you come with your identity, so you use your SAML token or your OIDC token that you got from Okta or Azure AD or some identity provider, and you show up at this edge capability and say, hey, I want to access this enterprise application. And there we run a series of security checks on each and every request, so again, it's this constantly being verified, things like device health, you know, network location, all these different parameters, identity, the claims that come in through the identity provider, augmenting those claims with other kinds of trust signals. And then we run this Cedar policy, and Cedar is a very exciting launch as well this --

Rick Howard: Yeah, goes hand in hand.

Mark Ryland: -- week, which is we're both using it inside our services, but also open sourcing the language and the runtime so that anyone can use it, which is a very optimized authorization language. And the Cedar policy then will tell you, you know, and that's kind of the security team has decided from under what circumstances can users- you know, if you have an MFA, you can do certain things. If you don't, there's other things you could do. You make those initial kind of high-level authorization decisions. Then you pass the identity claims back to the backend application, which then kind of runs this perhaps as it did before, say, as if you'd VPNed in. Now over time, we expect that customers will begin to externalize authorization decisions of their apps also using Cedar --

Rick Howard: Right.

Mark Ryland: -- and another service we launched which we call Verified Permissions. So you can think of Verified Permissions as a service where if I'm writing or rewriting an enterprise app, I will externalize authorization from my business- to get out of my business logic. That's not where it belongs. It should be in a system designed specifically for permissioning. An AVP, [inaudible] Verified Permissions is that service. Again, it's a Cedar language, central control of your policies and management of policies, but the business logic is no longer- you know, the authorization is no longer embedded in business logic, which is a much better way to build enterprise apps.

Rick Howard: So let me try to summarize what Cedar is. It's a programming language designed specifically to handle IAM functions, right, and doesn't do anything else. It's just, you know, Mark is authorized to get to this workforce and Rick isn't kind of things, right?

Mark Ryland: Right. And you might ask a reasonable question, do we- did we need to invent another one? There are a couple of them out there.

Rick Howard: Yeah.

Mark Ryland: You and I have a little bit of gray hair, so we remember XACML, which has been around for ages and more recently, OPA, Open Policy Agent has a language called Rego. We looked hard at those. We didn't really want to invent something new, but we decided this was such an important area, and for very specific reasons those just didn't really meet the requirements. We also have a- I didn't- the third thing option, right? We have an IAM policy language now for our APIs, and that was another option. But looking at all those options, we made, you know, a very strategic decision that this is so important that we really have to build a very optimized language, optimized in a couple of ways. Number one, the language itself has got to be expressive and easy to read, but not too expressive because if you give someone kind of a Turing complete language, you can write things like loops that never end.

Rick Howard: Yeah, yeah, which I've done, many times, yeah, in my younger days.

Mark Ryland: Yes, and so it has to- you have to be able to prove that these are programs that will stop executing at some point, and if they won't, then you reject them in your language verification. And that's the other key point is that we- the team that built this was half software engineers with expertise in authorization systems, and it was half formal verification computer scientists, people that do this kind of, you know, automated reasoning we call it, or formal verification, applying their expertise to both the design of the language so that the language itself can be- the intent you express can be formally verified as you essentially upload it, and reject it if for some reason it doesn't have --

Rick Howard: Right.

Mark Ryland: -- the proper computational constraints, but the implementation of the language is also formally verified, so every time we do a code check in our build of this new feature or whatever, then there's a bunch of formal verification proofs that run against every single code change, so we've used it both to make- to increase the certainty of the correctness of our implementation, but also to- it was- the design of the Cedar language was heavily influenced by the need of formal verification, so that makes it, I think, quite unique.

Rick Howard: So the Cedar language and what was the name of the product again?

Mark Ryland: Verified Access.

Rick Howard: Thank you.

Mark Ryland: Yeah.

Rick Howard: It's only for Amazon right now. Is there- are you guys looking over the horizon so you might be able to use the same ideas for other kinds of services or --

Mark Ryland: Absolutely --

Rick Howard: Yeah.

Mark Ryland: -- yeah. And it's already seeing uptake in the open-source community. There's a couple of ISPs out there that already have adopted it for their kind of authorization-as-a-service systems --

Rick Howard: Yeah.

Mark Ryland: -- that they're- they have in market, and that's very exciting to see. And we help customers use it internally. Even if you don't use our cloud service, just use this very high-quality very, you know, carefully engineered open-source language and set of libraries and tests and proofs and so forth, that you can just build right into your application if you want to do that, so we're very excited about, you know, kind of helping the industry to solve a problem. One other thing I'll mention is that, you know, there's been this ongoing debate about, you know, role-based access control versus attribute-based access control, and Cedar was designed very consciously to support both models very well.

Rick Howard: It's not an either-or.

Mark Ryland: Yeah, exactly.

Rick Howard: It's just do what you got to do.

Mark Ryland: Yeah.

Dave Bittner: That's Mark Ryland from AWS speaking with the CyberWire's Rick Howard.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@N2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester with original music by Elliott Peltzman. The show was written by Rachel Gelfand. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.