The CyberWire Daily Podcast 7.5.23
Ep 1856 | 7.5.23

Cyberespionage, extortion, and DDoS as instruments of state policy. Ransomware continues to trouble a wide range of targets across many sectors.


Tré Hester: A Chinese cyberespionage campaign against European governments. The Port of Nagoya closes over ransomware attack BlackCat and SEO poisoning. LockBit seeks to extort a semiconductor manufacturer. Professionals in the cyber underworld. CISA issued a DDoS alert for US companies and government agencies. Microsoft debunks claims of data theft by Anonymous Sudan. Matt O'Neill from the US Secret Service speaks with Dave Bittner about sextortion. Rick Howard sits down with Michael Fuller of AWS to talk about the kill chain, and Avast releases a free decryptor for Akira.

Tré Hester: I'm Tré Hester filling in for Dave Bittner with your CyberWire Intel Briefing for Wednesday, July 5, 2023.

Chinese cyberespionage campaign against European governments.

Tré Hester: We are back after the Independence Day holiday, and here are a few stories we've been following. Beijing's intelligence services are currently deploying PlugX to collect against a range of targets in Europe. Checkpoint researchers describe the Chinese government's cyberespionage campaign against European governments. They call it SmugX and attribute it to Red Delta with some involvement by Mustang Panda. The campaign uses HTML smuggling to deploy a new variant of PlugX against its targets. The group's interest seems to be in Eastern Europe, but the targeted governments, which includes Sweden, United Kingdom, France, Slovakia, Hungary, and Ukraine are not confined to that region.

Port of Nagoya closes over ransomware attack.

Tré Hester: Ransomware continues to infest a wide range of organizations. BleepingComputer reports that just yesterday, the Port of Nagoya, Japan's busiest ocean terminal, sustained a ransomware attack against the Nagoya Port Unified Terminal system. Nikkei Asia says the issue came to light when a port employee noticed anomalies in the system. Investigations revealed the cause to be a ransomware infestation. The Port Authority is working to restore service and expects to have done so by tomorrow morning. In the meantime, most container operations at the port have been suspended. No group has claimed responsibility for the attack, which remains under investigation.

BlackCat and SEO poisoning.

Tré Hester: Familiar criminal ransomware organizations continue to find victims too. The BlackCat ransomware gang is using malvertising to trick victims into installing malicious versions of the win SCP file transfer application, BleepingComputer reportsAccording to researchers at Trend Micro, "The infestation starts once the user searches for Win SCP download on the Bing search engine. A malicious ad for the Win SCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use Win SCP for automating file transfer. From this first page, the user is then redirected to a clone download webpage for Win SCP. Once the user selects a download button, an ISO is downloaded from an infected WordPress webpage.

LockBit seeks to extort semiconductor manufacturer.

Tré Hester: The LockBit ransomware group has demanded $70 million in exchange for not leaking data allegedly stolen from Taiwanese chip manufacturer TSMC. TSMC told The Register that one of its third-party equipment suppliers, Kinmax, was the source of the breach.

Tré Hester: Security Week quotes TSMC as stating quote, "At TSMC, every hardware component undergoes a series of extensive checks and adjustments, including security configurations, before being installed into TSMC's system. Upon review, the incident has not affected TSMC's business operations, nor did it compromise any of TSMC's customer information. After the incident, TSMC has immediately terminated its data exchange with a concerned supplier in accordance with the company's security protocols and standard operating procedures. TSMC remains committed to enhancing the security awareness among its suppliers and making sure they comply with security standards. The cybersecurity incident is currently under investigation that involves a law enforcement agency." Kinmax said in its own statement, "The leak's content mainly consisted of system installation preparation that the company provided to our customers as default configurations. We would like to express our sincere apologies to the affected customers, as the leaked information contained their names, which may have caused some inconvenience."

Professionals in the cyber underworld.

Tré Hester: Cyber-criminal gangs are increasingly operating like professional businesses. According to Melissa Bischoping, Director of Endpoint Security Research at Tanium. In an article for Info Security Magazine, Bischoping dated, "The ransomware as a service approach is almost identical to today's modern businesses, which seek to hire the best talent across different functions. Through public-facing data leaks, sites, telegram channels, or direct recruitment of targets as insider threats, cybercriminals advertise job openings, promoting pay, benefits, and other perks. In fact, the Lapsus$ ransomware group has been advertising job openings since November 2021 targeting employees at large technological firms such as AT&T and Verizon, to lure employees to perform insider jobs in exchange for high pay, up to $20,000 a week. The landscape for cybercriminal jobs is competitive with new ransomware groups and data leak sites popping up constantly."

CISA released a DDoS alert for US companies and government agencies.

Tré Hester: CISA released an alert on June 30, regarding distributed denial of service attacks. "CISA is aware of open-source reporting of targeted denial of service and distributed denial of service attacks against multiple organizations in multipole sectors. These attacks can cost an organization time and money and may impose reputational costs where resources and services are inaccessible." Though the alert does not point fingers that any group, it can be assumed that this is in response to the recent attacks against US and NATO industries by Russian-aligned groups. BleepingComputer assessed that the warning represented a response to Anonymous Sudan's new wave of DDoS attacks against various government and private-sector organizations.

Microsoft debunks claims of data theft by Anonymous Sudan.

Tré Hester: Anonymous Sudan announced the attack on US companies and government websites was in retaliation for announcements US Secretary of State Anthony Blinken made concerning sanctions against certain parties in Sudan's ongoing civil war. Anonymous Sudan, generally regarded as a Russian front organization, on July 1st, claimed in its Telegram channels to have breached Microsoft servers and stolen data belonging to some 30 million customers. "We announce that we have successfully hacked Microsoft and have access to a large database containing more than 30 million Microsoft accounts, including email and password. Price for the full database: $50,000." Microsoft says the claim is baseless, stating, "At this time, our analysis of the data shows that this is not a legitimate claim in an aggregation of data." Just yesterday, Anonymous Sudan also announced an ongoing attack on Riot Games, an American video game developer for League of Legends. Anonymous Sudan has claimed that they have access to Riot's back end of League of Legends. This campaign is a continuation of attacks against American companies in response to the comments made by the Secretary of State concerning the civil war in Sudan. Riot Games would appear to be merely a US-based target of opportunity.

Bravo, Avast.

Tré Hester: And finally, we close with a bit of encouraging news. Avast researchers have developed a decryptor for the Akira ransomware active in the wild since March of this year. It's available at no charge with instructions for use on Avast's Decoded site.

Tré Hester: Coming up after the break, Matt O'Neill from the US Secret Service speaks with Dave Bittner about sextortion. Rick Howard sits down with Michael Fuller of AWS to talk about the kill chain. Stick around.

Tré Hester: In another episode of our continuing series of interviews that our CyberWire colleague Rick Howard gathered at the recent AWS Reinforce Conference, today Rick speaks with Michael Fuller from AWS about the kill chain.

Rick Howard: The CyberWire is an Amazon Web Services media partner, and in June 2023, Jen Eiben, the CyberWire's senior producer and I, traveled to the magical world at Disneyland in Anaheim, California, to attend their AWS Reinforce Conference and talk with senior leaders about the latest developments in securing the Amazon cloud. I got to sit down with Michael Fuller. He's the Director of Product Management External Security Services at AWS, and he's responsible for several AWS security products like guard duty and IDS of sorts, Macie, a data-loss protection service, Security Hub, a security configuration dashboard for your Amazon deployment, Inspector, a vulnerability management service, Detective, a scene, Security Lake, a data lake for your security logs, and I asked him about one of my pet peeves in the infosec community. That both practitioners and vendors tend to focus on tactical technical things like preventing malware and exploits and vulnerabilities and not specifically on a strategy of defeating the 300 or so known attack campaigns from the likes of Fancy Bear Wizard Spider, and the like. I call that strategy the intrusion kill chain prevention strategy. In our discussion, you'll hear us talk about the conference main keynote speech delivered by CJ Moses the AWS CISO. Here's Michael.

Michael Fuller: Yeah, I think one of the exciting things about where we sit is that we also -- you know, customers look to us as a peer. We're also one of the largest companies operating on AWS.

Rick Howard: Yeah.

Michael Fuller: And we've been doing it for some time. So we actually started the service team in AWS Security. We are one of the only service teams that were actually within our internal security team versus, you know, on the services side. And we did that intentionally because, you know, our internal security team and all of Amazon's security was also a customer focus of ours as being one of the biggest customers on AWS. And so, that also helps us, you know, inform what we're building, and it also allows us to remain grounded, because, you know, internally they're -- it's almost like a sibling. They're very blunt on saying, hey, you're building something that may sound really good on paper, but this doesn't really help us.

Rick Howard: Yeah.

Michael Fuller: Yeah, you know, so they keep us like grounded on, are you really moving the ball forward in practice? And I think that helps a lot with our customers, as well, because they look to us on like how do you guys solve this in Amazon? You know, you guys are building on AWS. You're using the same services we're using? How did you solve this problem, zero trust as an example? And then we're able to share what we've done internally and our journey along that. And then, what services we've developed and capabilities across AWS overall that we -- there's form for them to be able to kind of replicate what's been successful for us.

Rick Howard: So we looked at, you know, other security vendors. You know, they have intelligence teams and the way they market themselves is they produce intelligence reports on some adversary out there. And we have the MITRE ATT&CK Framework that is an open-source collection of bad-guy activity. But there's very little discussion about what goes on in cloud environments. I mean, they have in the MITRE ATT&CK Framework, there's a section on it but it's pretty, you know, weak sauce, right? And now we're in -- we've been in the cloud now for over a decade. I'm sure you guys are seeing adversaries that are operating in the cloud, but you just don't see people talking about their procedures. I'm wondering, do you guys plan to be public about that stuff anytime in the future?

Michael Fuller: I think you'll see more of it. I think if you look at CJs keynote at this event, you know, he said more this time than I've ever seen before, right? So I think there's we're trying to figure out ways to do it in a, you know, tasteful way where we're not looking like we're trying to market, or you know, spread fear or anything along the lines. But we do a tremendous amount internally within AWS Security and through our team, and we're very collaborative in that way. We do see a lot. A lot of that gets worked into our products on behalf of customers into things like GuardDuty and other places. And you're right, we just haven't talked about it quite as much as probably some would like, and so likely, you'll likely see more of that from us.

Rick Howard: Well, I think it was just interesting because I mean, CJ mentioned it in his keynote. There's of the cloud and in the cloud, and I don't expect you guys to talk about what's going on of the cloud, internal to, you know, what's Amazon, but the things that the customers are seeing, the people that are operating in the cloud, I would expect we'd see those attack sequences made public. So if like the CyberWire got hit, we're Amazon customers, right? If we got hit, we'd like to be able to share that intelligence across and say, you know, you should have these controls for Wizard Spider or whatever, right, campaign that's going on. So I would love to be able to see that.

Michael Fuller: Yeah, we do. We do it internally. Like I said, we're just -- we haven't been as great at marketing it essentially. We're really focused on kind of substance and getting it in our hands of our customers, and so we do talk about it with customers directly, and we do incorporate it into the services, and I think you'll see more of us talking more publicly about it, again, in an Amazonian way.

Rick Howard: In an Amazonian way, I love that. Well, thank you, sir, for coming on and explaining this. I really appreciate it.

Michael Fuller: Yeah, absolutely. Thank you for making the trip out. Hope to see you at the next Reinvent.

Tré Hester: That's Rick Howard speaking with Michael Fuller of AWS.

Dave Bittner: I am pleased to welcome back to the show Matt O'Neill. He is Deputy Special Agent in Charge for Cyber with the US Secret Service. Matt, welcome back.

Matt O'Neill: Thank you.

Tré Hester: I know a focus for you and your colleagues is trying to track down and prevent sextortion. It's a tough thing to talk about, but it's important. Can you unpack it for us here? When we say sextortion, what exactly are we talking about?

Matt O'Neill: Yes. So in many cases, what will happen is somebody will communicate with the victim online. So bad actors will target folks on social media sites. Specifically, whether it's Instagram, Tik-Tok, Facebook, and engage them in conversation, and then eventually recommend them sending a photo of them, you know, usually of, you know, something that, you know, like their bodily parts.

Tré Hester: So they're sparking a romance sort of, or maybe romance may be more sophisticated than it deserves to be described, right?

Matt O'Neill: Yes, without a doubt, and so, what'll happen is they'll -- the victim will send a photo, and then almost immediately, the bad actor will start extorting them for money and threatening them that if they don't provide X amount of dollars, depending on who the victim is, and again, they do their due diligence. They know generally, if this person is a juvenile how much money they probably would have, or if they're an executive, if they're married, because again, we disclose a lot in our social media. So they're doing their own sort of open-source analysis as to who their targets are. And so, the extortion amount will be largely based on how much you can afford to pay, and then, what will happen is the victim will send money, whether it's through a cryptocurrency exchange, or whether it's through prepaid cards, to the threat actor, and then the extortion continues. It doesn't just stop, and so, what we're seeing is it's a very underreported crime, because when we get reached, contacted by a victim, we will do our own investigation. And invariably, we'll find evidence of not just one victim, but scores of victims. And so, then we'll go through the process of trying to reach out to the victims, let them know that we're working this case, as well.

Tré Hester: Can we talk about the mindset of someone who finds themselves falling victim to this? I mean, I imagine, of course, there's embarrassment; there's fear. What's the case that you make that while you're in the midst of all this, in addition to everything you're dealing with, it's a good thing to reach out to law enforcement, folks like you and your colleagues?

Matt O'Neill: So what the Secret Service agents that contact the victim will try to tell them is a few things. The first is they're not alone. There's resources through victim witness coordinators to try to help support them through these difficult times. Also, we're a global investigative organization, and we have made significant arrests overseas. And so, it is not this person that is untouchable overseas. We will find them, and we will work with wherever they're located, the law enforcement there, to make arrests. Sextortion, to me, personally is a case -- are cases that I take very personally. When I was working up in New Hampshire, back in 2014, I worked with the Department of Justice on one of the first sextortion cases, and the victim wound up committing suicide a few years later, largely as a result of the trauma faced during the several months of this sextortion behavior. And so, wherever we've tried to get involved in/engaged in these cases, that's something that the Secret Service takes very seriously. The Secret Service will work with the FBI, HSI, and any other federal partner that is engaged in these crime schemes. But it is something that affects men, women, girls, boys, all alike.

Tré Hester: How much of this is an educational component, of getting the word out as you say, that you're not alone but that also, there is not going to be any additional shame here, right?

Matt O'Neill: Right. So that is something that the Secret Service Cyber Fraud Task Forces are trying to push out to all of their local communities. That we highly encourage victims to report. They can report it through the IC3 website. They can report it to their Cyber Fraud task forces. They can report it to the FBI. They can report it to their local police, and we're trying to get a handle on how large this problem is. We see it somewhat anecdotally, but we also, the Secret Service has a rich history of following the money. Most of our financially motivated cyber criminals get arrested after we have followed the money, and this is no different. So when a Secret Service agent or analyst is following money in a sextortion case, they will find other victims. And so, we know that the problem is a lot larger than reported.

Tré Hester: Do you have success stories here? Is there -- I think people might think that this sort of thing, you know, goes into a black hole somewhere, but any success stories to share?

Matt O'Neill: Yes. So the Secret Service investigated a bad actor in New Hampshire named Ryan Valley, who was sextorting dozens of girls throughout New England, who was -- he was subsequently charged and convicted and served several years in prison. There are other instances that arrests have been made that have not been publicly disclosed yet. But I will say with confidence, the US Secret Service, we have a team in our Global Investigative Operations Center focused specifically on sextortion and working with our federal partners at both the Department of Justice and the FBI and HSI on several organized groups, and I anticipate more arrests to come shortly.

Tré Hester: All right, well, Matt O'Neill is Deputy Special Agent in Charge for Cyber with the US Secret Service. Matt, thanks so much for joining us.

Matt O'Neill: Thank you.

Tré Hester: And that's The CyberWire. For links to all of today's stories, check out our daily briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin and Senior Producer, Jennifer Eiben. Our mixer is me, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Tré Hester filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow.