The CyberWire Daily Podcast 8.15.23
Ep 1885 | 8.15.23

Investigating China’s Storm-0558. Monti ransomware is back. Evasive phishing. Realtors’ MLS taken down in ransomware incident. News from Russia’s hybrid war. And in-game scams.

Transcript

Dave Bittner: New targets of Chinese cyberespionage are uncovered. Monti ransomware is back. An evasive phishing campaign exposed. A Realtors' network taken down by cyberattack. A closer look at NoName057(16). Perspective on cyberwar - remember Pearl Harbor, but don’t see it everywhere. Ben Yelin on the Consumer Financial Protection Bureau’s plans to regulate surveillance tech. Microsoft’s Ann Johnson and Charlie Bell ponder the future of security. And scammers are targeting kids playing Fortnite and Roblox.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, August 15th, 2023.

New targets of Chinese cyberespionage uncovered.

Dave Bittner: The Washington Post reported yesterday on the recent compromise of the Microsoft Cloud, currently under investigation by the US Intelligence Community, as well as by the Cyber Safety Review Board. At least one member of Congress, Representative Don Bacon (Republican, Nebraska 2nd District), a strong supporter of Taiwan who serves on the House Armed Services Committee, said Monday that the FBI had informed him that his email had been compromised in the incident.

Dave Bittner: The espionage itself is remarkable for its successful execution, not for its novelty--intelligence services collect like this whenever they can. The US Government's exposure to the attack, however, was remarkable. As the Post notes, "It was unclear how the government could have prevented it while relying exclusively on Microsoft for cloud, email and authentication services." The risks of the alleged security monoculture will doubtless figure in the Cyber Safety Review Board's inquiry.

Dave Bittner: Microsoft's own assessment of the incident has concluded that the threat group, Storm-0558, was forging Azure Active Directory tokens using an acquired Microsoft account (MSA) consumer signing key. "This was made possible," Microsoft wrote yesterday, "by a validation error in Microsoft code." Storm-0558 is an espionage operation. Its targets include "US and European diplomatic, economic, and legislative governing bodies, and individuals connected to Taiwan and Uyghur geopolitical interests." The group's post-compromise activity concentrated on accessing and extracting emails from the targets' accounts. Microsoft (which, we note in full disclosure, is a CyberWire partner) has mitigated this particular risk, and says no customer action is required.

Monti ransomware is back.

Dave Bittner: BleepingComputer reports that the Monti ransomware has resurfaced after a two-month hiatus, and is using a new encryption tool to target VMware ESXi servers at legal and government organizations. Researchers at Trend Micro state that, “Unlike the earlier variant, which is primarily based on the leaked Conti source code, this new version employs a different encryptor with additional distinct behaviors. As of [this] writing, only three security vendors that had the sample tagged it as malicious on VirusTotal.”

Evasive phishing campaign exposed.

Dave Bittner: Netskope has been tracking a sixty-one-fold increase in traffic to phishing pages hosted on the free hosting service Cloudflare R2. The phishing pages are primarily targeting Microsoft login credentials, with a smaller focus on Adobe, Dropbox, and other cloud apps. 

Dave Bittner: The researchers note that the attacks show both misdirection and discrimination. Netskope writes, “To evade detection, they are using two noteworthy techniques to prevent scanners and URL analyzers from detecting the phishing pages. First, they are using Cloudflare Turnstile to protect the pages with a CAPTCHA. This technique prevents scanners and analyzers from visiting the URLs and observing their contents while allowing victims easy access to the pages. Second, many of the pages only load the malicious content if it was passed by another malicious referring site. This helps ensure that only the intended targets are served the phishing content.”

Realtors' network taken down by cyberattack.

Dave Bittner: A cyberattack against data hosting provider Rapattoni Corporation has taken down numerous Multiple Listing Services (MLS) used by realtors around the country. Peg King, a Coldwell Banker agent in Petaluma, told the North Bay Business Journal, “It's paralyzed the real estate industry. We can't add listings. We can't make price changes. We have no idea how to show properties unless we try to figure out who has something listed.”

Dave Bittner: The Real Deal reports that the incident was a ransomware attack, and the FBI is investigating. 

A closer look at NoName057(16).

Dave Bittner: Radware researchers offered an unusually close look at the Russian hacktivist auxiliary NoName057(16). They presented their results at Black Hat, and also shared them with Cybernews, which has an extensive account of the study. They gained their insights by infiltrating the group. "So in the name of research," Cybernews writes, "the two security experts created a fake profile, joined the over 11K other volunteers following the group’s DDoSia Telegram channel, and downloaded detailed instructions on how to participate in the experimental 'gamification' challenge."

Dave Bittner: They see NoName ascending as its colleagues in Killnet and Anonymous Sudan decline: NoName is now by a considerable measure more active than other Russian hacktivist auxiliaries. NoName runs a platform, "DDoSia," which, as its name implies, affords a way of crowdsourcing distributed denial-of-service (DDoS) attacks against targets in Ukraine and countries that support Ukraine (that latter category of targets is an expansive one, roughly coextensive with the civilized world). The researchers put the tally of attacks in the first half of 2023 at 1,074. Thirty-two different nations were hit in only 176 days.

Dave Bittner: The motivations of the hacktivists participating in DDoSia are mixed. They're driven in part by Russian patriotic zeal, but also in part by the promise of payment. NoName promises hundreds, sometimes thousands, of dollars in alt-coin to participants who earn it, but it's unclear how large the payouts have been. (There are suggestions that the pay amounts to not much more than beer money. That's enough to incentivize a slacktivist, but no one's getting rich on it.) The payment system isn't well constructed. The Radware researchers found that it was relatively easy to manipulate in ways that pulled in cryptocurrency a participant wouldn't otherwise be entitled to.

Dave Bittner: NoName is best known for nuisance-level attacks against vulnerable targets of opportunity, but Radware sees signs of that changing, as the auxiliary looks to higher value, higher payoff targets in critical infrastructure sectors. The researchers also don't see NoName and other hacktivist auxiliaries standing down when Russia's war eventually ends. They'll probably form an enduring feature of the threat landscape.

Perspective on cyberwar: Pearl Harbor it's not.

Dave Bittner: One of the striking features of Russian cyberwar during its invasion of Ukraine has been its surprising lack of decisive effect. When Russia wanted to shut down power generation, it used missiles, not malware. Many have wondered why this has been so.

Dave Bittner: It turns out that cyberwar is real, but it’s not real in the bolt-from-the-blue way many imagined. 

Dave Bittner: Mieke Eoyang, US deputy assistant secretary of defense for cyber policy, addressed the mismatch between expectation and reality during a presentation at DefCon. The cyber threat, she argued, is real, just not decisive in the way popular imagination expected it to be. She doesn't put it this way, but it's probably better to analogize cyber operations to espionage, reconnaissance, surveillance, and electronic warfare (and in fact it forms a species of all these) than to massive kinetic strikes. Policymakers often ask, Eoyang said, "Can you just give me a cyber option?" This, however, is tougher than it seems. "It takes time and preparation, it takes understanding, it takes engineering, it takes coding" to design a cyberattack, she said. "It's not what I think a lot of people expect."

Dave Bittner: What a lot of people expected was lights out across the civilized world. What they saw instead was espionage and DDoS.

Scammers target kids playing Fortnite, Roblox.

Dave Bittner: And, finally, you like those in-game purchases, kids? Well, the in-game money isn’t actually the same thing as real money, you know. It’s less fungible.

Dave Bittner: WIRED reports that thousands of websites belonging to “US government agencies, leading universities, and professional organizations” have been hijacked over the past five years to deliver malware or malicious apps under the guise of free in-game currency and skins for Fortnite and Roblox. Many of these scams are targeted at children.

Dave Bittner: According to TechSpot, "Epic Games stresses that there is no legitimate way for players to sell, gift, or trade V-Bucks – Fortnite's in-game currency. Roblox developers also advise users that it doesn't allow the exchange of its Robux currency through third-party channels and that any pages offering them for free are likely scams."

Dave Bittner: That’s scams, kids. S-C-A-M-S scams. And the scammers will be the ones dancing to winner-winner-chicken-dinner.

Dave Bittner: Coming up after the break, Ben Yelin on the Consumer Financial Protection Bureau's plans to regulate surveillance tech. Microsoft's Ann Johnson and Charlie Bell ponder the future of security. Stay with us.

Dave Bittner: Microsoft's Ann Johnson is host of "The Afternoon Cyber Tea" podcast right here on the CyberWire network. In this excerpt from her show, she speaks with Microsoft colleague, Charlie Bell, about the future of security. Here's their conversation.

Ann Johnson: Today I'm joined by the Executive Vice President of Microsoft Security, Charlie Bell. Charlie has over four decades of leadership experience in the tech industry, from developing space shuttle software to leading the creation of Amazon Web Services' decentralized engineering system. And now working here at Microsoft, to make the digital world secure and safe for everyone on the planet. Charlie relishes big challenges and believes that bold innovation is possible with deep curiosity, continuous learning, and an emphasis on rapid problem-solving. Welcome to the show, Charlie. So, and you're coming up, as you mentioned, on two years. And obviously, you had this really impactful and meaningful career before Microsoft. So, tell me, why Microsoft and why the pivot to security?

Charlie Bell: Well, like I said, I was looking at- when I started thinking about, well, what- what is the big problem in the world that I want to work on? And the more I thought about it, it's- security is, I call it the mother of all problems because almost everything we do in technology can become a weapon in the hands of someone. And so, you think about all the advances that humanity has had, you know, since fire, and everything that we create in the computer world and the technology world can be turned around and used as a weapon. And so, you can't really make the kind of progress we all want to make unless we first solve this problem. So, it's kind of the mother of all problems. Unless you feel secure- imagine, you know, all the work that we're going to do to change the world of transportation. We're going to have a lot of autonomous cars and we're going to have all the rail that's driven by software and just all the transportation world is incredibly digital now. Well, it's a surface area that makes you very nervous about what attackers might do, or power infrastructure. You know, we've seen attacks on gas pipelines. You know, one of the things we hate about ransomware is they go after hospitals. And so, when you think about this problem, until you solve this problem, we have to walk afraid in everything we want to advance because everything we add could end up being a new source of a problem. So, for me, this was, like, the biggest problem of all. And the other thing that makes it very interesting is you have a bunch of bad actors out there who are innovating to try to create new problems. And getting ahead of that innovation.

Ann Johnson: I know you know this. And as you look to solve that, I listen in on, you know, and participate in a lot of the calls you have with your leadership team. And one of the things that always struck me and that I think is really poignant to security is this leadership philosophy you have around rapid problem solving. Can you tell us a little bit more about that and explain why you think speed and acceleration of problem solving is so relevant, particularly in the security space?

Charlie Bell: Yeah. Well, a couple of things. One is, as I said, it's the mother of all problems. And so, if you want to think of it is, you've got to be faster than the fastest innovation. So, take the absolute tip of the spear in what's happening, and you've got to move that fast if you want to protect. And so that's one driver of speed. You know, we're seeing it play out in generative AI right now. Microsoft's the first mover in this space, but we've got to move really, really fast in the security world just to make sure that customers can confidently move forward with it. But also, you've got to remember what I said before, that the attackers are constantly innovating. Again, you have humans out there actively innovating all the time. And so, the speed that you move, you've just got to move faster than they do, and so speed is everything. The other thing I'll say is, the nice thing about speed is you accumulate it. And so, the faster you innovate, the more quickly you get to the next thing and the more you can build upon what you already did. And the- it's the way to think of it, it's like the first derivative of the rate that you're traveling. So, the speed of innovation is incredibly important. And recognize that it's kind of a- it's a community thing. There's no genius that's going to figure everything out here. It's going to be a crowdsourced kind of view of all the ideas that come in, and then make sure that you can quickly harness those ideas and get them in the hands of the people who need them.

Ann Johnson: It's incredibly important. Let's switch a little and talk innovation, right? Microsoft has been in the news and internally hyper focused on AI, which I've long believed is going to be a step change for the cybersecurity industry. So, what do you think about the overall promise of AI and what global issues, you know, not- even outside security, do you think are going to be addressed with AI?

Charlie Bell: Well, the first thing I'll say is, you know, we talk about the asymmetry of the attack or the fact that, you know, they come at us from any point. It's like first move in a chess game, they get to move first. But we actually have an asymmetry, too. The asymmetry on our side is data. We get to see everything. You know, Microsoft, we talk about the 65 trillion signals a day, but we have a tremendous amount of data. The nice thing about AI is it's all discipline. It doesn't care about a particular discipline. It thinks about across all of it, and thinks about it with lightning speed. It knows- it can say, oh, I need to go look at the access logs for X, and pull a query, and grab it, and use that information to provide context for the next action that it's going to take. And it does all that at machine speed. And so, if there ever is going to be anything that totally changes that asymmetry, it is AI.

Dave Bittner: Ann Johnson is the host of Microsoft's "Afternoon Cyber Tea" podcast. You can find that right here on the N2K CyberWire network.

Dave Bittner: And joining me once again is Ben Yelin. He is from the University of Maryland's Center for Health and Homeland Security, and also my co-host on the "Caveat" podcast. Ben, welcome back.

Ben Yelin: Good to be with you again, Dave.

Dave Bittner: Interesting story, this comes from the folks over at Reuters, and it's titled, "U.S. Watchdog to Announce Plans to Regulate Surveillance Industry". What's going on here, Ben?

Ben Yelin: So, we've talked both on this podcast and on "Caveat" about the problem of data brokers. So, it's very profitable to scrape data from users and sell it. Some of the entities that are purchasing this data include U.S. government agencies and local law enforcement agencies, which puts people's First and Fourth Amendment rights at risk. If the government can go around Fourth Amendment protections and simply purchase data that might implicate people in the commission of a crime or any illegal activity, then that's kind of a run-around of our constitutional rights.

Dave Bittner: Right.

Ben Yelin: So, with that in mind, the agency in charge of consumer financial protection, the Consumer Financial Protection Bureau, is planning to announce a plan to regulate companies that track and sell people's personal data. This is something that's been an interest of the Biden administration over the past years. There's been a nexus between this issue and reproductive rights. After the Dobbs Decision, one of the things that President Biden tried to do was get the Federal Trade Commission to protect the data privacy of women seeking reproductive health who are in states where that has been criminalized.

Dave Bittner: I see.

Ben Yelin: We've also seen lawsuits by the Federal Trade Commission, which is distinct from the Consumer Financial Protection Bureau. They sued an Idaho company for selling geolocation data, saying that it could be traced to private places like abortion clinics, religious institutions, et cetera.

Dave Bittner: Right.

Ben Yelin: Basically, what this proposal would do is expand the number of companies subject to the Fair Credit Reporting Act, which is a 1970s law regarding consumer privacy. And the amendments to this act proposed by the administration that they're going to try and put into regulation would cover the use of data derived from payment histories, personal income, and criminal records. One thing that they're emphasizing here is the disclosure of something called credit header data. So, these are the names, addresses, and Social Security numbers at the top of the big three credit bureaus' reports. People, oftentimes, have to give that information to the credit bureaus to secure a loan. And they don't want to punish people for submitting that information only to have it be sold to data brokers who sell it to somebody who tries to punish them for something.

Dave Bittner: I see.

Ben Yelin: So, that's really the focus here. So, I think it's a promising step for those who are concerned about digital privacy and this phenomenon of data brokers and the sale of data online.

Dave Bittner: It's interesting to me that they're going to be using the Fair Credit Reporting Act which is a, you know, a pre-internet law, right, right?

Ben Yelin: Right.

Dave Bittner: So, rather than coming- I mean, I guess if it's good enough to use and you have it in your back pocket and it exists and you don't have to, you know, go around the horn with Congress to get something new, then I guess that it's the quickest way to come at something like this?

Ben Yelin: Yeah, that's exactly what's happening here. It's going to get- it would be very hard to get a polarized Congress, one where you have each party controlling a single chamber, to agree on a law like this. Even though there is bipartisan support for reining in data brokers.

Dave Bittner: Yeah.

Ben Yelin: But I think what they're trying to do here is leverage laws that are already on the books. Now, this does lead to a patchwork approach. This only really addresses information collected by the three major credit bureaus. So, it's relatively limited in scope, even though that's a lot of information and, basically, more than any other industry. People do give a lot of sensitive information to these reporting agencies. But it is still limited in scope, so that's just one downside of relying on this federal statute. It becomes kind of a patchwork where you address problems one agency at a time.

Dave Bittner: Yeah. I mean, I wonder if it puts these surveillance industry companies on notice that they're going to be getting more scrutiny from the federal government. I suppose the cynical take would be that, if they come at them for a limited amount of things, then, you know, the government can kind of, you know, wash their hands and say, well.

Ben Yelin: Say, "We're doing something about it."

Dave Bittner: Yeah, look, we're doing something.

Ben Yelin: Yeah.

Dave Bittner: But if- I guess time will tell if this actually makes any meaningful dent in the methods and degree to which this surveillance economy operates.

Ben Yelin: Yeah, I mean, I think the way you put it, a surveillance economy is correct. There's a lot of money to be made in this. So, I think the industry would be okay with limited regulations pertaining to very specific things like credit reporting, but if we started talking about blanket bans on data brokers, then the industry would freak out, rightfully, because it would threaten their ability to make a profit. All of this data is very valuable.

Dave Bittner: Yeah.

Ben Yelin: You know, you do have to balance the effect that it would have on the market with I think the really real need to protect people's digital privacy from these data brokers.

Dave Bittner: Right. All right, well we'll keep an eye on it to see, as it develops, what it actually does affect. But, interesting development for sure. Ben Yelin, thanks so much for joining us.

Ben Yelin: Thanks, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.