The CyberWire Daily Podcast 7.17.23
Ep 1864 | 7.17.23

Developments in the C2C market. Cyberespionage against Westminster. Notes from Russia’s hybrid war. And don’t take that typo to Timbuktu.

Transcript

Dave Bittner: WormGPT is a new AI threat. TeamTNT seems to be back. Chinese intelligence services actively pursue British MPs. Gamaredon's quick info theft. Russia’s FSB bans Apple devices. The troll farmers of the Internet Research Agency may not yet be down for the count. Anonymous Sudan claims a "demonstration" attack against PayPal, with more to come. Carole Theriault looks at popular email lures. My conversation with N2K president Simone Petrella on the White House’s National Cybersecurity Strategy Implementation Plan. And, friends, don’t take this typo to Timbuktu.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Monday, July 17th, 2023.

WormGPT, an "ethics-free" text generator.

Dave Bittner: Researchers at SlashNext describe a generative AI cybercrime tool called “WormGPT,” which is being advertised on underground forums as “a blackhat alternative to GPT models, designed specifically for malicious activities.” The tool can generate output that legitimate AI models try to prevent, such as malware code or phishing templates. 

Dave Bittner: SlashNext asked WormGPT to write an email “intended to pressure an unsuspecting account manager into paying a fraudulent invoice.” The researchers state, “The results were unsettling. WormGPT produced an email that was not only remarkably persuasive but also strategically cunning, showcasing its potential for sophisticated phishing and BEC attacks. In summary, it’s similar to ChatGPT but has no ethical boundaries or limitations. This experiment underscores the significant threat posed by generative AI technologies like WormGPT, even in the hands of novice cybercriminals.” 

Dave Bittner: Aren’t there safeguards in generative AI to prevent this? Well, yes, in the newer ones like ChatGPT. But WormGPT was built from older, wild wild West open-source versions that lacked such safeguards.

TeamTNT seems to be back.

Dave Bittner: Researchers at SentinelOne and Permiso Security released joint reports suggesting that TeamTNT, a threat actor notorious for attacking Amazon Web Services (AWS), may be gearing up to attack Microsoft Azure and Google Cloud Platform. “Throughout June 2023, an actor behind a cloud credentials stealing campaign has expanded their tooling to target Azure and Google Cloud Platform (GCP) services. Previously, this actor focused exclusively on Amazon Web Services (AWS) credentials... These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use,” writes Alex Delamotte from SentinelOne.

Dave Bittner: Permiso brought some attribution to the threat actors by correlating the usernames and passwords used with keyboard layouts, writing, “Both the username and password are indicative of a keyboard run - the username on the home row keys and the password on the upper row keys. However, with all other characters being Latin the likely scenario that would produce a single ü is the usage of a virtual keyboard. Since the ü immediately follows the letter p in the password, the only two virtual keyboard layouts that contain an ü adjacent to the p character are for the Estonian and German languages.”

Dave Bittner: Both SentinelOne and Permiso note that the actor has retooled its code to target Azure and Google Cloud Platform. Additionally, they have made changes to the file hosting as SentinelOne explains, “The actor no longer hosts files in an open directory, which complicates efforts to track and analyze these campaigns. Instead, C2 activity relies on a hardcoded username and password combination that are passed as arguments to the curl command.”

Dave Bittner: Aqua Security reported on the early stages of this incipient campaign. While it seems to be in its development and testing phase, the campaign could turn into a massive threat targeting cloud infrastructure. “Aqua Nautilus researchers identified an infrastructure of a potentially massive campaign against cloud native environments. This infrastructure is in early stages of testing and deployment, and is mainly consistent of an aggressive cloud worm, designed to deploy on exposed JupyterLab and Docker APIs in order to deploy Tsunami malware, cloud credentials hijack, resource hijack and further infestation of the worm. We strongly believe that TeamTNT is behind this new campaign.” 

Dave Bittner: And if it materializes, that campaign could be worse than the old-style cryptojacking that used to be TeamTNT’s stock in trade.

Chinese intelligence services target British MPs.

Dave Bittner: The British Parliament’s Intelligence and Security Committee (ISC) has published a report outlining China’s interest in the UK. The report states, “In relation to the cyber approach, whilst understanding has clearly improved in recent years, China has a highly capable cyber – and increasingly sophisticated cyberespionage – operation: however, this is an area where the ‘known unknowns’ are concerning. Work on continuing coverage of its general capabilities must be maintained alongside further work on Chinese offensive cyber and close-proximity technical operations.” The report also found that “China frequently targeted Parliamentarians in their cyber operations.”

Gamaredon's quick-strike cyberespionage.

Dave Bittner: CERT-UA released an official threat summary of UAC-0010. UAC-0010 (more commonly “Gamaredon,” or “Armageddon”) is a Russian persistent threat actor operated by the FSB. CERT-UA attributes the success Gamaredon has enjoyed to several defectors from Ukraine’s SBU who went over to the FSB in 2014. The threat group uses email and messenger apps like Signal, WhatsApp, and Telegram as an initial attack vector, sending corrupted Microsoft Word documents with malicious macros to the victim. UAC-0010 then uses an infostealer, “GAMMASTEEL,” which steals files within thirty to fifty minutes of the initial infection. GAMMASTEEL also works to replicate itself by infecting all Microsoft documents on the infected computer, so that the malware propagates when those files themselves are exported. GAMMASTEEL also corrupts any USB drive plugged into the computer.

FSB bans Apple devices.

Dave Bittner: Russia's FSB has banned the use of Apple devices by government officials, effective today. Apple Insider traces the decision to Russian claims that Apple has been colluding with the US National Security Agency (NSA) to intercept Russian communications. Apple has denied any such cooperation with NSA.

Reports of the Internet Research Agency's demise now seem premature.

Dave Bittner: It appears that the blackout of Mr. Prigozhin's own media properties was both temporary and exaggerated. One of those properties, the notorious troll farm doing business as the Internet Research Agency, is among those that have remained in business, earlier reports to the contrary.

Anonymous Sudan claims "demonstration" attack against PayPal.

Dave Bittner: Anonymous Sudan, which, its name notwithstanding, is a cat's paw for Russian intelligence services, mounted a brief distributed denial-of-service (DDoS) attack against PayPal. TechMonitor reports that the attack lasted only thirty seconds, but that Anonymous Sudan described it as a "demonstration" of the ways in which it will use PayPal to attack targets in the United Arab Emirates and the United States.

Hey, everybody: it's "dot mil," not "dot ml."

Dave Bittner: And, finally, spelling counts, don’t you know?

Dave Bittner: Here’s one more reason why. Dot mil is the US military top-level domain. Dot ML belongs to Mali. If you were trying to reach the sergeant major in Picatinny, don't blame him if your email went off to Timbuktu instead. The Financial Times has the story of how a common typographical error is misrouting a lot of email. The wayward communications are said to include "highly sensitive information, including diplomatic documents, tax returns, passwords and the travel details of top officers." And it's not a new problem, either: "Despite repeated warnings over a decade, a steady flow of email traffic continues to the .ML domain, the country identifier for Mali, as a result of people mistyping .MIL, the suffix to all US military email addresses." You tell ‘em and you tell ‘em, but what’re you gonna do?

Dave Bittner: Coming up after the break, Carole Theriault looks at popular email lures. My conversation with N2K President Simone Petrella, on the White House's National Cybersecurity Strategy Implementation Plan. Stick around.

Dave Bittner: It is always my pleasure to welcome back to the show, Simone Petrella. She is the president at N2K. Simone, we recently had the National Cybersecurity Strategy Implementation Plan shared from the White House, and I'm eager to check in with you on how you feel about this. What the response is. Is this what we need? And is this the right plan at the right moment? Where do you stand here?

Simone Petrella: I think first and foremost, the step of codifying implementation and really tangential actions across federal agencies coming from the White House is a substantial positive step that builds upon the existing executive orders and things that had really put cybersecurity on the forefront of the executive priority list, even preceding this administration. So this really does take it to the next level and I think it is a positive step overall. And, you know, there are two major fundamental shifts that the implementation plan calls for, especially when it comes to allocating the roles, responsibilities, and resources in cyberspace. The first is that it puts a huge onus on federal sector agencies to really assume a greater share of the burden for mitigating cyber risk, as well as putting that onus on private sector counterparts. So it shows how federal agencies can support those private sector counterparts, both sectors have a lot of work to do. And the second is that it's increasing the incentives that exist to kind of favor long-term investments into cybersecurity, which I think is really interesting and creative.

Dave Bittner: Hmm, one of the things that struck me was how overt it is in laying out who is responsible for what.

Simone Petrella: Yeah.

Dave Bittner: There isn't a lot of ambiguity here.

Simone Petrella: No, and CISA's got its work cut out for them. But yes, I think that it was very explicit in pointing out which agency was the lead for each of the individual imperatives, and then who are the supporting agencies that would be contributing to it. And what I think will be most interesting is to see how each of those individual agencies go to implement, because if you read each of the recommendations, some of them are quite broad, they don't necessarily articulate how an agency can accomplish that goal. So there's a lot of leeway given to the agency to kind of figure it out.

Dave Bittner: There are five fundamental pillars that they lay out here; defending critical infrastructure, disrupting and dismantling threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships to pursue shared goals. How do you respond to those five as the top level items here?

Simone Petrella: I think that they have the right categories. Ultimately it comes down to unusual security and that's where being able to identify and defend our critical infrastructure, how we think about the threat actors that are a threat to those things, how do we think about the realities of the market forces, because so much of our interdependence and technology is actually a result of a private sector market reliance, whether it be for critical infrastructure, Internet of Things, supply changes, anything in that regard. The recognition that this is an effort and investment we need to make now to even give ourselves a chance to have a more resilient future I think is a strong step in the right direction. And last but not least, we have to at least acknowledge that that can't be done in a vacuum. We're too reliant even on the supply chains to work with international partners and other countries and if we don't have clear goals and sort of standards of relationships, none of that can get accomplished.

Dave Bittner: Seeing what's been laid out here by the White House, what do you think this means for folks in the workforce development area, in terms of you know, preparing folks to be able to complete this mission?

Simone Petrella: Well, interestingly enough, and obviously, you know, the workforce issues are near and dear to our heart, it's probably the least well-defined section within Pillar 4 of the entire implementation plan, and the onus is put on the Office of the National Cyber Director again to come up with a workforce strategy, which has not been published yet. So TBD.

Dave Bittner: More to come.

Simone Petrella: Bated breath.

Dave Bittner: Right. Right, but I guess there's acknowledgement that that is an area that needs to be a focus.

Simone Petrella: Absolutely, and I think the acknowledgement is inherent not only in this document, but the fact that the White House has an entire task force that has been tasked with creating a like workforce and education and training strategy at the national level. And that has been true even before the, like the publication of the cybersecurity strategy or this implementation plan.

Dave Bittner: From your point of view, you know, you're on the ground, has this been getting a positive response? Are people generally in favor of what's being laid out here?

Simone Petrella: I think so, it's interesting because most of the conversations I've had are with folks who are representatives in the private sector and so there's an overarching recognition and knowledge that this strategy's been put out and it's important. But the most near term impacts are on the federal agencies that are tasked to actually execute on some of these pillars. And so I don't think that we are at a point yet where the true effects of kind of what all these agencies put in place are felt. Like we're going to have to wait and see what happens when we think about supply chain risk, or you know, here's an interesting one to point out, that the DoJ is going to use the False Claims Act to try and go after federal contractors who are deceptive in their cybersecurity practices and they collect government money, like that's really interesting and potentially scary if you are in a position to kind of do that kind of work and get government dollars. So, I think those are the areas you're going to start to see either the real pain or the real support from the affected industries that aren't the federal government, once these types of things go into effect.

Dave Bittner: Alright, well, Simone Petrella is president at N2K. Simone, thank you so much for taking the time for us.

Dave Bittner: Chances are you have received an email warning you in strong words that your storage is full and unless you log in and fix it, bad things are going to happen. Carole Theriault looks at these sorts of email lures in this report.

Carole Theriault: Another day, another scam. This is one that hadn't made it into my echo chamber, perhaps because I'm not a Microsoft and Hotmail user, but I thought I would share as millions of people out there do rely on these systems for some of their online needs. But saying that, I think I could be a potential victim of this type of scam were I unwarned. You see, I'm one of those people that doesn't clean out the inbox very often, and I handle a lot of big files. I also don't clean out my cloud storage very often. So intermittently I get these warnings that my storage is full. I'm sure I'm not the only data hoarder out there, you guys, you know what I'm talking about. So, were I to get a message saying that my cloud was full and that I needed to log in to my account to address the issue, I might be duped into clicking on the link because I'd be distracted and absent-minded and I wouldn't be paying attention. So, according to Which?, those of you with a Microsoft account have 5 Gigs of free storage space on OneDrive as part of the package. This is where you store items on your account, including files, photos, attachments, apps, and once you've used up this free storage, you then either have to delete items to make space, or pay for more storage. So if you've received an email warning you that your storage is full, it is worth double checking that it is legitimate, because Which? has seen scam emails that try to trick you into giving away personal data through a phishing email impersonating Microsoft. The email includes the following text: "Your cloud storage is full. You have reached your storage limit, but as part of your loyalty program, you can now receive an additional 50 Gigs for free before the files on your cloud drive are deleted." But there is a kind of telltale sign in this scam: the email address reportedly looks very unlike anything Microsoft would send you.

Carole Theriault: So if you're a Microsoft user and you hover close to your storage limit, you will receive an email from Microsoft, the address being Microsoft@mail.OneDrive.com, telling you how much you're over by and including a link to subscribe to get more storage. It'll also include links to your email with large attachments, prompting you to delete them, as well as links to your OneDrive where you can delete items to free up storage space. And the thing is, scams like this work in part because we are distracted. So, pay attention, because if you fall for a scam like this, or any scam, and you find that you were duped by an online miscreant, you may find your bank calls it authorized fraud, which means you may not get your funds back. This was Carole Theriault, for the CyberWire.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Don't forget to check out the "Grumpy Old Geeks" podcast where I contribute to a regular segment called "The Dark Side with Dave." I join Jason and Brian on their show for a lively discussion of the latest security news every week, and find Grumpy Old Geeks where all the fine podcasts are listed. We'd love to know what you think of this podcast, you can email us at cyberwire@N2K.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K Strategic Workforce Intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team, while making your team smarter. Learn more at N2K.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tré Hester, with original music by Elliot Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening, we'll see you back here tomorrow.