The CyberWire Daily Podcast 8.23.23
Ep 1891 | 8.23.23

A creepy new geolocation payload for Smoke Loader. Speed of criminal attack, malware delivery, and the evolution of malicious AI. Ransomware at a Belgian social services agency.

Transcript

Dave Bittner: The Smoke Loader botnet has a creepy new payload. Ransomware gets faster. How AI has evolved in malicious directions. The Snatch ransomware gang threatens to snitch. The FSB continues to use both USBs and phishing emails as attack vectors. A ransomware attack shutters Belgian social service offices. Tim Starks from the Washington Post explains a Biden administration win in a DC court. Our guest Ben Sebree of CivicPlus describes how the public sector could combat cybercrime during cloud adoption. And the deadline for comment on US cybersecurity regulations? It’s been extended.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, August 23rd, 2023.

The Smoke Loader botnet has a new payload.

Dave Bittner: Smoke Loader will be a familiar name to many of you, and the notorious botnet is back in the news today.

Dave Bittner: Secureworks this morning announced that the Smoke Loader botnet has been dropping a new malicious payload, a custom Wi-Fi scanning executable. Secureworks is calling that executable “Whiffy Recon,” and what it’s after, apparently, is the geolocation of infected systems. Secureworks writes that “It triangulates the infected systems' positions using nearby Wi-Fi access points as a data point for Google's geolocation API.”

Dave Bittner: This new activity was first observed on August 8th. It’s not yet known what Smoke Loader’s criminal operators will do with the information, but there are a number of possibilities. The Wi-Fi data are scanned every sixty seconds and enriched with geolocation information. Secureworks speculates that “Demonstrating access to geolocation information could be used to intimidate victims or pressure them to comply with demands.”

Dave Bittner: So imagine a text, “I’d like to buy you a drink. In fact, I’d like to buy you the same drink you had at the Dew Drop Inn in Rabbit Hash, Kentucky, at 11:47 PM Eastern Daylight Time last Friday.” Hah, we’re kidding: there is no Dew Drop Inn in Rabbit Hash. But Whiffy Recon isn’t a joke. It’s creepy. Read Secureworks’ report on this latest Smoke Loader’s small contribution to the quantum of human misery and take appropriate precautions.

Ransomware gets faster.

Dave Bittner: Sophos’s 2023 Active Adversary report for Tech Leaders has found that the speed of ransomware attacks has increased significantly since the beginning of 2023: “One key finding in the report is that the time available to respond to a ransomware attack has dwindled to nearly half of what it was at the start of the year. The median dwell time in ransomware attacks dropped from nine days in 2022 to just five days in the first half of 2023. With adversaries accelerating the execution of their attacks, defenders have less time to detect and stop them before files are encrypted.”

Dave Bittner: The report also found that in all types of attacks, the average time to gain control of Active Directory is just sixteen hours.

Recent trends in malware delivery.

Dave Bittner: HP Wolf Security has released its quarterly Security Threat Insights Report, finding that QakBot spam activity spiked in Q2 2023: “[C]reative QakBot campaigns saw threat actors connecting different blocks together to create unique infection chains. By switching up different file types and techniques, they were able to bypass detection tools and security policies. 32% of the QakBot infection chains analyzed by HP in Q2 were unique.”

Dave Bittner: The researchers also observed a “multilingual” malware campaign using several programming languages to avoid detection: “Firstly, it encrypts its payload using a crypter written in Go, disabling the anti-malware scanning features that would usually detect it. The attack then switches language to C++ to interact with the victim’s operating system and run the .NET malware in memory – leaving minimal traces on the PC.”

How AI has evolved in malicious directions.

Dave Bittner: Barracuda outlines the ways in which AI is being used for malicious purposes. In addition to enabling attackers to craft convincing phishing emails, AI can be used to automate evasive attacks: “[C]ommand line utilities powered by AI can rapidly adapt to changes in a target's defenses, identify vulnerabilities, or even learn from previous failed attempts to improve subsequent attacks. An early example of such a tool is ‘WormGPT,’ which is already being advertised on an underground forum and can be used by threat actors to automate the generation of malicious scripts and commands and adapt them dynamically to each specific target.”

Dave Bittner: Independently, Deep Instinct describes some of the ways in which generative AI has begun to trouble security professionals. "The top three generative AI threat issues," respondents to Deep Instinct's survey said, "include growing privacy concerns (39%); undetectable phishing attacks (37%); and an increase in the volume and velocity of attacks (33%)." The best-known member of this new class of threat is WormGPT, now being traded in criminal-to-criminal underground markets.

A novel extortion threat.

Dave Bittner: Emsisoft researcher Brett Callow reports that the Snatch ransomware gang has begun telling non-paying victims that the gang will give insurance companies details of how the attack succeeded. The threat is that this knowledge will induce the underwriters to decide that the incident isn't covered. It's a crude approach with little evident understanding of how insurance coverage works, but it's novel, and shows the determination of at least one gang to ratchet up the pressure on its marks.

A ransomware attack shutters Belgian social service offices.

Dave Bittner: The Charleroi branch of Belgium's social services agency, the Public Center of Social Action, the CPAS in its French acronym, closed its offices yesterday after sustaining what appears to be, according to Sudinfo, a ransomware attack. Only emergency services will be available until remediation is complete, which is expected Thursday. Belgian organizations have recently sustained ransomware attacks at roughly the typical Western European rate. The country is home to both NATO headquarters and the capital of the European Union, but this incident seems to be a straightforwardly criminal one.

FSB continues to use both USBs and phishing emails as attack vectors.

Dave Bittner: Older threats continue to gutter on in Russia’s hybrid war against Ukraine. Ophtek reports that the FSB's Shuckworm group is using both phishing emails and malicious USB drives as infection vectors in ongoing cyberespionage attempts against Ukrainian targets. The typical payload carried in either method of delivery is Pterodo malware, a backdoor that’s been in use for some time; in Trend Micro's accounting, at least since October 2019.

Deadline for comment on US cybersecurity regulations extended to October 31st.

Dave Bittner: And, finally, you now have more opportunities to tell the US Federal Government how to put its regulatory house into better order.

Dave Bittner: The US Office of the National Cyber Director (ONCD) has invited public comment "on opportunities for and obstacles to harmonizing cybersecurity regulations, per Strategic Objective 1.1 of the National Cybersecurity Strategy." The challenge involved in understanding the implications of regulatory overlap is complicated, and ONCD has extended the deadline for comments from September 15th to October 31st. Comments may be submitted through www dot regulations dot gov. Let the ONCD know what you think.

Dave Bittner: Coming up after the break, Tim Starks from the Washington Post explains a Biden Administration win in a D.C. court. Our guest Ben Sebree of CivicPlus describes how the public sector could combat cybercrime during cloud adoption. Stay with us.

Dave Bittner: Public sector organizations provide an attractive target for threat actors, often combining critical missions like 911 services with limited budgets that come with the territory. Ben Sebree is Senior Vice President of R&D at online platform provider CivicPlus, and he joins us with thoughts on how public sector organizations can better protect themselves.

Ben Sebree: We kind of see a myriad of different cloud maturities or just technology maturities within the public sector right now, especially in local government, which is where most of our expertise is in. Starting in about the year 2000 with the pandemic, there was a rush in local government in order to take all of these in-person services and different processes and turn them into a remote friendly service industry since we wanted public safety and everything to really be at the top of mind for serving the residents of those different municipalities. So there was a rush for cloud adoption from technologies that were more, you know, internally hosted, were accessible outside of office building or something like that, or were just very in-person. So we see that there's a lot of cloud adoption that's happened over the last two years, and then we've seen that a lot of those have been on a very rapid pace. So really ensuring that we're doing good cloud practices from a security standpoint is pretty key for government right now.

Dave Bittner: You know, we always hear that folks in the public sector, in particular, come up against budget limitations. What are your recommendations for them to balance that reality against their security needs?

Ben Sebree: Absolutely. Security is definitely something that is front of mind when it comes to highly regulated industry, and public sector is very highly regulated. There's a lot of sensitive information that governments can have, so really ensuring that we're investing in keeping breaches from happening from a government standpoint is something that's pretty top of mind for not only local governments itself, but just there's a lot of interest from CISA and other organizations to ensure that that infrastructure is secure as well as it's just something that we need to do to ensure that the residents of our country have their data protected.

Dave Bittner: What are your recommendations for these organizations to come at this, and any tips or words of wisdom?

Ben Sebree: Yeah, absolutely. So the biggest thing that we need to keep in mind when we're adopting cloud, when it's something that we might have had as a manual paper process before or if it was something that we managed our own servers beforehand, we want to really make sure that we understand the shared responsibility model as it comes to CSPs or cloud service providers. So the cloud service providers are really responsible for the security of the cloud, of the services that you're using, but you, as a user of the cloud, are responsible for the security in the cloud, so the applications that you're putting in the cloud, the data that you're storing in the cloud, and the configurations of those specific services are the responsibility of the client of the CSP and not of the CSP itself. There's a lot of really great tools out there that really help do some checking and auditing of those different systems to make sure that they are set up correctly, but really understanding that it is a shared responsibility between both the CSP and the public sector who is leveraging that cloud provider is probably the most key piece of advice that we can give to folks [inaudible] cloud.

Dave Bittner: Do you find that there's some common misunderstandings there as people go down this path?

Ben Sebree: Absolutely. I think there's a lot of misunderstandings around that specifically and some of that is around the cloud, and leveraging the cloud is really nice because they manage so much for you, the infrastructure, upgrades to the infrastructure, and just constant R&D dollars going into protecting the services that are in the cloud, and so it's really easy to just assume that they have 100% of that managed. And so really, really kind of diving in and understanding what our responsibilities are or what a class responsibility is of leveraging the cloud and that people are generally the weakest link in the security models that we have there is really important for our municipalities as they go and adopt the infrastructure.

Dave Bittner: Yeah, it really sounds like there's almost a false sense of security that some people have.

Ben Sebree: Sometimes, yeah, and so that's why it's really important to make sure that we evangelize, and as we do our own due diligence on the providers that we might be looking at leveraging, we want to make sure that it's a very clear shared responsibility matrix to where we know exactly what we're responsible for and what exactly the cloud service provider is responsible for.

Dave Bittner: What are you tracking in terms of trends here? I mean, are you finding that the maturity level continues to grow, and the gap between public sector and private sector organizations, are you seeing that narrow at all?

Ben Sebree: Yeah, I think we definitely are. We're seeing, especially with the -- with the pandemic and everything going remote, we're seeing a lot of innovation that's happening within the public sector specifically around creating those remote experiences or those online experiences for the residents of those municipalities. And one piece of really interesting data that we have, and we can show correlation but we can't show causality yet, is that residents trust their local governments more and more as more and more digital services go online, and it's a correlation right now, and so it'll be interesting in the next few years to see if it's actually a causation of digital services, building that transparency and that trust between residents and their local government.

Dave Bittner: Where do you suppose we're headed here? You know, as you look towards the horizon, what sort of place do you suppose these organizations are going to find themselves in?

Ben Sebree: You know, I think we're going to find that there's going to be a lot of adoption of different technologies and innovations, and we're going to move more towards smart cities and the ability to self-serve, especially as employment and just finding talent becomes harder and harder and a lot more expensive, so we want to create those automations where possible and those self-service ways that more tech-savvy individuals who are residents of those municipalities want to engage with their government. Some folks want to go in person and engage with their government that way, and some folks just really want to do it from the couch and be able to have access to all the services.

Dave Bittner: That's Ben Sebree from CivicPlus.

Dave Bittner: It is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at the Washington Post. Tim, great to have you back.

Tim Starks: Howdy, Dave.

Dave Bittner: So in today's 202, you are covering some wins here from the Biden Administration when it comes to their cyber agenda. What's going on here, Tim?

Tim Starks: Yeah, so last year, the Treasury Department moved to sanction what's commonly referred to as a "cryptocurrency mixer" where the idea is that the nature of the transactions and who's moving things around is obscured by this, and there's an argument that it's about privacy, but there's an argument from the Treasury Department that this is actually about money laundering, in this particular case, and that -- I think they calculated that $7 billion worth had been laundered there, some -- a significant percentage of which was transactions involving stolen cryptocurrency, in particular from North Korea. So they sanctioned this organization last year, said, you know, Americans can't really do business with it, and some folk who use the service decided to sue over this, saying that it was a violation of First Amendment rights, a violation of Fifth Amendment rights, and some other complaints. Now, this is the kind of thing that the administration has said in their strategy that they really want to do, that they want to disrupt the flow of money. They want to disrupt the nature of the operations of cyber gangs. And so this was an important kind of piece of what they want to be doing. The lawsuit presented an obstacle for them, but in this particular case, a judge in Texas said, "Not even going to go to trial with this or any other summary judgment" to the Biden Administration, so pretty clear-cut win for them, at least for now, because there's always the chance for appeals, and there's indications that there might be, but in terms of what they were trying to get done with these kinds of sanctions, this is a win for them that's pretty significant.

Dave Bittner: What was the argument they were trying to make for being able to use this, and what did the judge take issue with?

Tim Starks: Yeah, it's a roundabout sort of process with an Emergency Powers Act that the President has, and if you recall, it's interesting that this was something that might have seemed insignificant to me at the time and people have joked about, but there's this constant emergency declaration that has -- that is being made on cyber by all administrations. They kind of renew every year. It's like, well, if all the time is an emergency, then what's it like when there's not an emergency? Because it doesn't seem to be a case where there isn't one. But in the case of the legal foundation, this is key because this gives them some authority to go after entities which -- and this gets into some legal definitions of the nature of an entity and the nature of a person. In this case, there's been an established bit of case law and usage where the administration has said, "No, we can go after these kinds of entities." One of the complaints from the people who filed the suit, the plaintiffs, is that they are not that kind of entity, they're not really associated in the way of a traditional organization that could be defined this way, but the judge rejected that. So that's the start -- that's the start of the foundation of what they're -- the basis of the power, but then they actually have, you know, they have some rebuttals to the idea that this was about First Amendment or Fifth Amendment.

Dave Bittner: And this organization is called "Tornado Cash"?

Tim Starks: Correct, yes, Tornado Cash, and a fairly prominent company, Coinbase, was a backer of this lawsuit. Interestingly, as well, the Electronic Frontier Foundation was a backer of this lawsuit on a different kind of cyberish related issue. After these sanctions, there was a Tornado Cash project that was open source on GitHub, and GitHub took it down. So the argument from Electronic Frontier Foundation is that this was actually going to make it harder for people to work on cyber issues and privacy issues. That was also rejected.

Dave Bittner: Interesting. Is this the final word or are these folks going to appeal?

Tim Starks: It does look like they're going to appeal, and, you know, one of the people who is I think the top legal officer for Coinbase had said that they're going to support an appeal. Nothing has been decided yet, but they were always of the mind that this was probably going to need to go up the chain of appeals, to the appeals court.

Dave Bittner: I want to touch on some other reporting that you've done. You and your colleagues put out a survey looking at sort of the regulatory regime we find ourselves in here. Can you share some of the insights you gained from that?

Tim Starks: Yeah, and this is very related to the kind of thing that we're talking about today. The administration has been, first off, they've had the strategy, the National Cybersecurity Strategy since earlier this year, but they've been working on it for a long time and it reflected a lot of the work that they'd already been doing. So the administration came in with the idea, "We're going to be -- we're going to press a couple different things on cyber." One is what we were just talking about with the sort of disruptive operations, and the other was to make a more regulatory push. And there was a case with the Environmental Protection Agency where they had a setback in court over this. So we talked about that in today's, but going back to the overall fundamental regulatory picture, we had asked people back at the beginning of the Biden Administration, "Do we need to have more regulations in cybersecurity?" Because there's always been this idea that it should be hands-off, that it should be public-private cooperation.

Dave Bittner: Right. Move fast and break things.

Tim Starks: You and I love that term, because we've discussed it before and how common it was for a while. Well, the Biden Administration still says they want to do that, but they also are being more regulatory than any previous administration. What we wanted to do was check in with people and say, "Okay, they've been in office for a year and a half plus, two years, really, and a half plus, and let's see what people think about how they're doing on these regulations," and we gave them the choices of not going far enough, hitting the sweet spot, essentially, or going too far, and pretty close to a significant majority, very close majority, I think it was 49% of the people we polled said "not going far enough," and then another significant percentage said "hitting the right -- hitting the right target," but if you look at the answers that -- where they get specific, that it's a little bit more mixed than that, where some people say they're going too far in some cases and not far enough in other cases. And then a pretty small percentage, I think it was close to 15% that said they're going too far. So it was a little bit eye-opening because I wasn't sure -- I thought it might be a different kind of mix. I mean, I do think that probably our audience, by virtue of being a lot of cyber experts, might place a different emphasis point on the need to go further than maybe some other kinds of people might if we just talk to -- if we just talk to the business community, I'm sure that the business community as a whole would say, "Yeah, going too far," or at least some significant percentage of it would, but we also have business groups on the answers, so it's not like they're not reflected there. It's just that I think that the results might be a little skewed in terms of like who our audience is that we poll.

Dave Bittner: It's interesting, again, tying into our first story we talked about here, how the administration is able to use the tools that it has, like those emergency powers you mentioned to sort of get things done despite a dysfunctional Congress.

Tim Starks: Yeah, and what's -- you know, when we talk about the EPA case, that's a case of them not having maybe the kinds of authorities that they need legally to do this, and that might have been why they had the trouble they did. If you look at what they're using, they're using the Clean Water Act, and I would say even if you agree with their interpretation of that, it is a liberal interpretation, and this -- I don't mean liberal politically. I mean, it's an interpretation that is potentially stretching the boundaries of what the Clean Water Act should be able to do. So they have some authorities that are pretty clear-cut and have not run into any legal trouble. I think the EPA one is the only one that has run into legal trouble, regulatory, and that's because it's on the outer edges. So there are some things that they would -- that the administration has said they would like to do, but they know they need more authority from Congress, and the EPA one was one where they were looking at legislation for a pretty long time and then they said, "Well, let's just do it this way," and I think that -- I think that getting some help from Congress on this is going to be difficult with Republicans controlling the House. They've already -- they've pretty strongly indicated that they don't want to help the administration on this.

Dave Bittner: Right. All right, well, Tim Starks is the author of the Cybersecurity 202 at the Washington Post. Tim, thanks so much for joining us.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.