The CyberWire Daily Podcast 7.12.23
Ep 1861 | 7.12.23

Cyberespionage and used car salesmen. Email extortion through embarrassment, not encryption. The personal is the professional. And a look back at Patch Tuesday.


Dave Bittner: A Chinese threat actor hits US organizations with a Microsoft cloud exploit. Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures. A RomCom update. Beamer phishbait, e-mail extortion attacks, and digital blackmail. A new report concludes companies allowing personal employee devices on their network are opening themselves to attack. Tim Starks from the Washington Post looks at Microsoft's recent woes. Our guest is Eyal Benishti from IRONSCALES with insights on business e-mail compromise. And a July Patch Tuesday retrospective.

Dave Bittner: I'm Dave Bittner with your CyberWire "Intel Briefing" for Wednesday, July 12, 2023.

Chinese threat actor hit US organizations with a Microsoft cloud exploit.

Dave Bittner: Cyber espionage from both China and Russia leads today's news. Late yesterday, Microsoft described activity by the Chinese government threat actor it tracks as Storm-0558. The group gained access to e-mail accounts affecting approximately 25 organizations, including government agencies, as well as related consumer accounts of individuals likely associated with these organizations, Microsoft explained. They say they noticed anomalous mail activity on June 16th. Investigations subsequently determined that this was part of a cyber espionage campaign that began on or around May 15th of this year. Microsoft said that they did this by using forged authentication tokens to access user e-mail using an acquired Microsoft account consumer sign-in key. Since discovering the activity, Microsoft has completed mitigating its effects for all the customers involved. According to the Wall Street Journal, the US government is investigating the scope of the Chinese operation and assessing what damage it might have caused.

Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures. 

Dave Bittner: Microsoft has also dealt with other Chinese exploitation of its products. Cisco Talos researchers discovered that threat actors took advantage of a policy loophole in Windows cross-signed kernel drivers that allowed forgery of timestamps and loading of unverified malicious drivers with expired certificates. The advisory notes, "We have observed over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open source tools." Based on the language code discovered in the metadata in the corrupted drivers, the researchers assess the threat actors to be Chinese nationalists. The advisory notes that attackers can exploit the loophole across the user-kernel barrier, which is crucial for maintaining the integrity and security of the OS. Talos has alerted Microsoft, which has since disabled all forged certificates that could have passed through this loophole.

RomCom update.

Dave Bittner: Redmond has been looking at Russian cyber espionage, as well. Microsoft yesterday published an alert on activity by Storm-0978, also tracked as DEV-0978 and commonly called RomCom, after the name given the back door it commonly employs. Microsoft states, "We identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents using lures related to the Ukrainian World Congress." As BleepingComputer observes, CVE-2023-36884 hasn't been fully patched, but mitigations are available. RomCom represents a mixture of symbiotic motives. It's a ransomware and extortion operation in pursuit of direct profit, but it also conducts cyber espionage specializing in credential theft. The group is based in Russia and acts in Russia's interests. We note in full disclosure that Microsoft is a CyberWire partner.

"The price is reduced!!!" Act now!

Dave Bittner: Russian intelligence services prospecting diplomatic targets in Ukraine used an ad for a nicely-loaded, deeply-discounted used BMW as phishbait to attract their prospects' eyes and clicks. Palo Alto Networks Unit 42 says, "The campaign, directed against 22 of the 80 embassies in Kyiv, was run by APT29, Cozy Bear, that is Russia's SVR Foreign Intelligence Service." The phish hooks were LNK files masquerading as images. The campaign's goal was espionage collection against the embassies and their contacts. The car itself was real, as was the innocent original version of the flier. The black BMW 5 Series sedan belongs to a Polish diplomat assigned to Kyiv, and he was indeed interested in selling it. Suspicions were aroused when he got calls inquiring about the price, which at 7,500 euros was lower than the one he posted. Cozy Bear evidently reasoned that a lower price would attract more clicks. Reuters reports that the diplomat still has the car. He'll try to sell it when he gets back to Poland, stating, "After this situation, I don't want to have any more problems." The phishbait represents a departure from that used in earlier campaigns. Those lures had tended to be more obviously diplomatic: invitations to embassy events, notes on humanitarian aid, and so on. Unit 42 concludes with a warning, "As the above campaigns show, diplomats should appreciate that APTs continually modify their approaches, including through spear phishing, to enhance their effectiveness. They will seize every opportunity to entice victims into compromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage to ensure the security and confidentiality of their information." And if you're in the market for a 2011 Beamer, buyer beware.

Threat spotlight: email extortion attacks: digital blackmail.

Dave Bittner: Barracuda released a threat spotlight on extortion attacks this morning, but these are not the large-scale ransomware extortions most seen in recent headlines. These attacks instead amount to digital blackmail. The attacker threatens to expose a compromising picture or information about an individual unless the victim pays money. Attackers often purchase victims' login credentials or find them through data breaches to prove that their threat is legitimate. Almost all of the attacks ask for less than $2,000, which seems like chicken feed by cybercriminal standards. But Barracuda analyzed over 300,000 e-mails that made demands at this level. Research showed that a small number of attackers were responsible for most of the e-mails in the study sample, with the top ten bitcoin addresses appearing in about 30% of the e-mails and the top 100 addresses appearing in about 80% of the e-mails. Barracuda remains optimistic about this threat, if only because the small number of criminals responsible means that each is a high-payoff target for law enforcement. Barracuda says, "First, we suspect that if law enforcement is able to track down even a small number of these attackers, they can significantly disrupt this threat. Second, since extortion attackers seem to be copying each other and following very similar templates, e-mail security vendors should be able to block a large percentage of these attacks with relatively simple detectors." To the authorities everywhere, good hunting for the creeps behind these scams.

Report: Companies allowing personal employee devices onto their network are opening themselves to attack.

Dave Bittner: SpyCloud released its Malware Readiness & Defense report today, which was conducted with a survey of almost 320 midmarket and enterprise IT security professionals from the US and the UK to assess how organizations are detecting and addressing the threat of malware as a precursor to cyberattacks like account takeover and ransomware. One of the main problems discovered was the lack of regulation by the businesses for employees mixing unauthorized applications and work credentials in their personal and work devices. SpyCloud wrote in their press release, "Fifty-seven percent of organizations allow employees to sync browser data between personal and corporate devices, enabling threat actors to siphon employee credentials and other user authentication data through infected personal devices while remaining undetected." SpyCloud also explained that organizations are struggling with shadow IT due to employees using unsanctioned applications and employees being allowed to use their personal and work devices interchangeably.

July Patch Tuesday retrospective.

Dave Bittner: Finally, yesterday, of course, was Patch Tuesday. Microsoft issued security fixes for 132 flaws, six of which were being actively exploited in the wild, BleepingComputer reports. One of the disclosed vulnerabilities, CVE-2023-36884, which hasn't yet been patched, is a remote code execution flaw affecting Microsoft Office. Microsoft says this flaw has been exploited by the Russian cybercriminal group Storm-0978 to conduct cyber espionage against defense and government entities in Europe and North America. Fortinet has patched a stack-based overflow vulnerability in FortiOS and FortiProxy that may allow a remote attacker to execute arbitrary code or commands via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection. SAP has issued fixes for numerous vulnerabilities, including one affecting SAP Business Client that was assigned a CVSS score of 10.0. Adobe has patched 12 security flaws in Adobe InDesign, including a deserialization of untrusted data vulnerability that could lead to arbitrary code execution. And Apple has rolled back its Rapid Security Response updates for iOS and macOS after the patch caused issues that prevented some websites from displaying properly. The company stated yesterday, "Rapid Security Responses iOS 16.5.1b, iPadOS 16.5.1b, and macOS 13.4.1b will be available soon to address the issue." As always, review your systems, and as CISA would say, apply updates per vendor instructions. And admins, we wish you a happy and resolute round of patching.

Dave Bittner: Coming up after the break, Tim Starks from the Washington Post looks at Microsoft's recent woes. Our guest is Eyal Benishti from IRONSCALES with insights on business email compromise. Stay with us.

Dave Bittner: Eyal Benishti is CEO of e-mail security platform IRONSCALES. They recently published their first threat index report and one of the topics covered is business e-mail compromise. I asked Eyal Benishti for the details.

Eyal Benishti: So I think the interest in BEC was very interesting. As a matter of fact and, you know, it's something that I tend to kind of mention when speaking with CISOs and other professionals. What we see is that for the first time, BEC has basically eclipsed ransomware and is becoming an even bigger problem than it used to be.

Dave Bittner: And what sort of options are available to folks to put in place to better protect themselves from business e-mail compromise?

Eyal Benishti: So to protect against business e-mail compromise, companies need something that is more behavioral and [inaudible] in order to understand. And again, in most cases, BEC are [inaudible] to come- [inaudible] to come from someone or something that you already know. So it will come from a colleague, whether somebody you're working with or, you know, someone- some of the vendors that you're working with, or some type of service that is familiar to you. And in order to be able to protect people from impersonation attempts, a solution must be able to understand the user, the user behavior, the social [inaudible] for this user. User is- what is considered trusted by every specific user, and then look for anomalies and, you know, all the known patterns, like I mentioned. Like impersonation and specific language that is being used in order to stop this [inaudible]. Because in most cases, there is no real indication of compromise. Like I mentioned, there will be no bad ID behind this mail, and in most cases, there will be no link or attachment. It will just come from someone or somebody that he allegedly knows asking to do something that he's not supposed to do. So being able to kind of learn more advanced models at the mailbox level, able to understand behavior and anomalies, is a critical part in stopping BEC. The other element is obviously fixing stuff like awareness. Make sure that your users are aware that impersonation might happen. That e-mails that land in their mailbox, despite the fact that they went through some layer of defense, can still be malicious by intent and sometimes even by content. So educating people, delivering awareness content. Phishing simulation and training, which is a more proactive way to train users, is highly recommended. And basically, build a culture of people that know that they are part of the solution and they're expected to report on things that seem a little bit phishy in their environment.
Because when people are reporting on something that looks suspicious, then we have a chance and we can do something about it. Especially if, you know, the organization is equipped with an automated solution that can streamline anything from investigating things that people find suspicious, to the point that we can even go and pull it back from all the affected mailboxes. And when you have this type of culture and when you have these types of solutions that can help automate and remediate things that are slipping through protection layers, then you can have a much, much better multilayer type of defense against BEC and malicious e-mails.

Dave Bittner: One of the things that caught my eye in the report was how many of the threats are what you describe as unknown. These are novel threats, things that haven't been seen before. I mean, how do folks defend against that? If something is new, is this, again, looking for behavioral defenses here?

Eyal Benishti: You know, we can detect against known threats by having a good threat intel and protection-based solution that can stop what is known to be bad. We can have AI and [inaudible] detection against things that are not necessarily known to be bad but are bad by context. So coming with some bad intent and attempting to impersonate something that we know, like we mentioned. They follow a specific pattern. We call them the known unknowns. And in order to detect the unknown unknowns like, you know, people- organizations really need to kind of adopt a real-time threat intelligence [inaudible]. Which in our view, can only be achieved by, at the end of the day, crowdsourcing this whole effort of detecting what is slipping through threat intelligence and AI models. And again, it's back to the user that we spoke about. How do you train your users to report these kinds of e-mails? How do you equip the security team with automated tools that help them to quickly investigate, or automatically investigate and remediate, these types of e-mails? And then how do you take it even one level up and provide organizations with a tool that actually allows them to collaborate with each other in real time? And help them be aware of the fact that they are, you know, they are not the first one to deal with this type of e-mail incident. And other companies have already made a decision or passed a verdict about a similar type of e-mail that they probably want to do the same. So at the end of the day, in order to be able to detect the unknown unknowns, or the [inaudible] in our world, organizations really need to adopt a continuous AI approach. You know, how do you build or how do you adopt an AI solution that can continuously learn about new threats all the time, in real time? Because when we talk about machine learning and AI, they're just as good as the data that we feed into them.
So if I feed a model with yesterday's data, no matter how great the model is, its ability to predict something that it's never seen before is close to zero. On the other hand, if I have online models that are constantly learning, and not just learning based on raw data and metadata, but they're learning from human beings kind of interacting with them and pushing new types of intelligence in real time, then we have a more continuous type of AI approach that can constantly learn and close the feedback loop and be able to detect new trends, sometimes even in seconds. And stay as close as possible to what is trending out of millions of new phishing e-mails that are being created on a daily basis. We're expecting these numbers to grow significantly, again, with all the ChatGPT and AI, [inaudible] AI that we're seeing out there. So there will be a lot of unknown unknowns out there, and our only way to detect them is to be able to quickly feed our models with relevant, up-to-date data.

Dave Bittner: That's Eyal Benishti, CEO of IRONSCALES.

Dave Bittner: It is always my pleasure to welcome back to the show Tim Starks. He is the author of The Cybersecurity 202 at the Washington Post. Tim, great to have you back.

Tim Starks: Yes, great to be back.

Dave Bittner: As we are recording here, today, there are a couple of developments related to Microsoft that you've been covering and some of your colleagues at the Post have been covering, as well. What's going on here, Tim?

Tim Starks: So the- I think the bigger development, not that the other one is small, is from a story that my colleagues Ellen Nakashima, Joseph Menn, and Shane Harris, wrote up today. That is quite the all-star lineup. Those are, you know --

Dave Bittner: Yeah.

Tim Starks: Shane Harris is one of the guys whose early reporting on cyber I followed and was like, "That's great. I'd love to do what he does." Ellen Nakashima is my favorite reporter. Joseph Menn is just one of the really great cyber reporters out there, too. So they broke a story about how Chinese hackers are- have used this vulnerability in Microsoft's cloud that has allowed them to target US government e-mail accounts. Microsoft itself says that there are only 25 organizations that this has affected, but it does include government agencies. The FBI's looking into it. You know, it doesn't look like the Pentagon, intelligence, or military accounts were affected. So we're still learning about this one. It's the latest in a line of, you know, Microsoft issues where the US government has been affected. You know, SolarWinds was one of the biggest ones, obviously.

Dave Bittner: Right.

Tim Starks: Because, you know, that was part of that Microsoft vulnerability. So this is another problem with Microsoft coming up and being a part of an espionage campaign. This is a, you know, apparently again from China.

Dave Bittner: I saw some interesting commentary. Folks were saying that Microsoft did sort of the equivalent of a Friday afternoon news dump on a Tuesday afternoon by sort of a quiet blog post about this. And I suppose they were obligated to reveal this because the government was involved?

Tim Starks: I think so. I mean, certainly they would have been aware that some central news stories were about to come out about it, so --

Dave Bittner: Yeah.

Tim Starks: -- first, you know, if they knew we were- would be writing about it, they would have been obligated and our story came out at I think 1:00 AM.

Dave Bittner: Hm.

Tim Starks: So it's not terribly surprising that they did it when they did. Perhaps they could have done it earlier, but at a certain point, they had to have done it.

Dave Bittner: Yeah. And what's the story that you covered in the 202, also Microsoft related?

Tim Starks: Yeah, so this was something that Microsoft had talked about earlier in the day where there's a Russian group called RomCom. I like that name a lot, by the way.

Dave Bittner: Mm-hmm.

Tim Starks: Romantic comedies are a great organization to imitate. Anyway, this is a campaign where Windows was, again, exploited with an unpatched bug in Windows and Office products. They are working to address that flaw and this campaign is going after apparently NATO targets. So there's the summit in Lithuania that's happening and, you know, BlackBerry had some research on this that they came out with. And they apparently are- RomCom is impersonating a Ukrainian organization. That's obviously ongoing Russia-Ukraine cyber hostilities that are all taking center stage in the NATO summit now. But also, there's this sort of side campaign of issues that are coming up in cyberspace related to NATO.

Dave Bittner: Yeah. To what degree is Microsoft sort of taking it on the chin for these vulnerabilities or is this something that could happen to anybody or are they getting more than their share of criticism here?

Tim Starks: It is certainly something that can happen to anybody, but, you know, there are two things that are of note here. One, you know, Microsoft is so massive. They're such a part of everybody's daily e-mail. They're such a part of all those Office products, that they're going to be a juicy target that anybody who's a hacker is gonna want to go after.

Dave Bittner: Right.

Tim Starks: But they do have, you know, a history of not maybe doing as good a job of taking care of these things as they- as people think they ought to. You know, you can talk about Apple security compared to Microsoft. That's always been a point of comparison. Apple seems to do a better job, overall. But they're also just not quite as widespread. So I think it's a mix of both, that they're just omnipresent in a way that nobody else is and also that there are- this is a track record here that suggests that they could be doing better than they are.

Dave Bittner: Yeah. It's complicated, right?

Tim Starks: Yeah.

Dave Bittner: I mean, not to give Microsoft a free pass, but I mean it's certainly interesting to analyze, you know, these things. As you say, they're- they are a big, juicy target, but at the same time, they got a responsibility to look after these things.

Tim Starks: Yeah, they have such a unique position in the ecosystem, if you'll allow me to use a sort of stupid, jargony term.

Dave Bittner: Yeah.

Tim Starks: They also make a lot of money off of security, doing security, and I, you know, I wrote an article a couple of years back about how they are- I think the best quote in the story was Microsoft is both part of the problem and part of the solution.

Dave Bittner: Right.

Tim Starks: And if you look at how much work they do on security and how many things they reveal about what's going on in cyberspace. Not just about what's going on with their own company but also what's going on with threat actors. They've made some pretty big revelations about what's happening in the cybersecurity world and the hacking world. Where if, you know, I think the comparison I wrote at the time was that they have powers that are, in some ways, superior to the federal government's or certain federal government agencies, anyway. They don't have the ability to, you know, punish hackers, but they have research capabilities and they have access to resources that are unparalleled in certain ways.

Dave Bittner: Yeah. I remember that, you know, this was years ago when Microsoft was on a bit of a tear of buying up some, you know, antivirus companies.

Tim Starks: That's another one, yeah.

Dave Bittner: Right, and there were some raised eyebrows of, you know, the joke was, since, you know, they're the problem and the solution, they're buying companies that take care of some of the vulnerabilities that were inherent in Windows at the time. Of course, I mean --

Tim Starks: Right, right, yeah, yeah. That's a good business model, right?

Dave Bittner: Right.

Tim Starks: Have some vulnerabilities in your system. Buy the companies that solve the vulnerabilities. Repeat, rinse, you know.

Dave Bittner: Yeah, yeah. I mean, it's practically an old chestnut and I think perhaps at this point not entirely fair, but it certainly was a criticism, at the time.

Tim Starks: Yeah, that, I mean, the scenario I mentioned was obviously not what's happening, but it certainly comes to mind.

Dave Bittner: Yeah, absolutely. All right, well, Tim Starks is the author of The Cybersecurity 202 at the Washington Post. Tim, always a pleasure to have you join us.

Tim Starks: Yes, always.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at We'd love to know what you think of this podcast. You can e-mail us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.