The CyberWire Daily Podcast 8.24.23
Ep 1892 | 8.24.23

Trends in the cybercriminal underworld. The prosecution of Lapsus$ and Tornado Cash. More developments in Russia’s hybrid war.

Transcript

Dave Bittner: There’s a new sophistication in BEC campaigns. Trends in brand impersonation–crooks still like to pretend they’re from Redmond. The future of Russian influence operations in the post-Prigozhin era. Andrea Little Limbago from Interos shares insights on the new cyber workforce strategy. In our latest Threat Vector segment David Moulton of Palo Alto Networks is joined by Stephanie Ragan, Senior Consultant at Unit 42, to discuss Muddled Libra. And more on the doxing of a deputy Duma chair, who seems to have been selling hot iPhones as a side hustle (maybe). And the growing problem of synthetic identity fraud.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, August 24th, 2023.

Dave Bittner: There are several trends being discussed by industry researchers today. Let’s run through a few of them.

New sophistication in BEC campaigns.

Dave Bittner: First, Trustwave SpiderLabs has published a report on the business email compromise (BEC) landscape in the first half of 2023. The researchers saw an increase of 25% in unique BEC attacks in the first quarter over the final quarter of 2022. February accounted for the highest BEC volume in that period.

Dave Bittner: History teaches, Trustwave says, that BEC usually picks up in February, after a holiday slump. “As the year begins, people are gearing up for the tax season and the start of new endeavours. Fraudsters are sure to take advantage of this.”

Dave Bittner: The researchers found that Gmail, iCloud, and Mail.ru were the most common free email services abused in BEC attacks.

Supply chain attacks trending.

Dave Bittner: Second, security firm Kroll has observed a “notable shift toward increased supply chain risk” in the second quarter of 2023. This was driven both by the notorious Cl0p gang’s exploitation of a MOVEit Transfer vulnerability and by a jump in email compromise attacks.

Dave Bittner: The researchers believe the Cl0p gang has been targeting MOVEit users for the past two years. They write, “Initial Kroll analysis of the MOVEit cases across their client base identified that similar activity targeting MOVEit servers had been observed as far back as 2021, suggesting that the CLOP ransomware group had likely identified the zero-day years earlier and had spent some time creating automated tools to aid them in conducting the mass-exploitation event.”

Trends in brand impersonation.

Dave Bittner: Turning to brand impersonation, Abnormal Security has found that Microsoft is by far the most commonly spoofed brand used in phishing attacks. Microsoft-branded attacks have accounted for 4.31% of all phishing attempts in 2023. Attackers frequently target Microsoft credentials in order to compromise an organization’s Microsoft 365 environment.

Dave Bittner: The crooks are using better grammar and more plausible usage, too, no longer sounding as much like Ensign Chekov having a bad day on the bridge of the Starship Enterprise as they used to. Abnormal has seen an increase in grammatically correct phishing emails. It’s not that they’re becoming better writers, but they’re using generative AI to write their phishing templates, like lazy sophomores cribbing a term paper so they can hit a kegger. The researchers lament, “Unfortunately, the use of generative AI goes beyond emails. Cybercriminals can produce whole websites—complete with logos, brand copy, and images—then link those to their phishing messages. This deepens the impression that these emails really are from the impersonated brand and makes it more likely that the victim will enter their credentials.” It’s enough to make you nostalgic for Clippy.

The future of Russian influence operations in the post-Prigozhin era.

Dave Bittner: Turning to the hybrid war Russia launched against its neighbor Ukraine in the winter of 2022, the most startling news so far this week was yesterday’s plane crash that killed Yevgenyi Prigozhin.

Dave Bittner: In cyberspace, the crash (which we have to say is generally regarded as a shoot-down ordered by Russian President Putin) casts further doubt on the future of a prominent player in Russian influence operations. Mr. Prigozhin's troll-farming Internet Research Agency had already indicated after the march on Moscow that it was ceasing operations. It seems likely, however, that its template for disinformation and influence will continue in use by Russian intelligence services, especially the GRU. The Washington Post quotes an assessment by Gavin Wilde, formerly US National Security Council director for Russia, Baltic and Caucasus affairs, now a senior fellow with the Carnegie Endowment for Peace: “Prigozhin was for Russian information operations kind of what Kurt Cobain was for grunge music. The guy ushers in a certain era and perfects a certain craft, but now that he’s gone, what’s likely to follow is a saturated market of copycats, and that will probably end up falling far short of the kind of heyday or the prominence of what it once was."

Russian hacktivist auxiliaries make a major contribution to DDoS threat.

Dave Bittner: Radware's recently published 2023 H1 Global Threat Analysis Report looks, inter alia, at the current state of global distributed denial-of-service (DDoS) attacks and finds two Russian hacktivist auxiliaries atop the threat leaderboard. The researchers find that layer 7 attacks--layer 7 is the application layer--have surged, as have high-volume, long-duration attacks, while other forms of DDoS somewhat diminished. "NoName057(16) was the most active hacker group on Telegram, claiming 1459 DDoS attacks, followed by Anonymous Sudan with 660 attacks, and Team Insane PK with 588 attacks." NoName057(16) and Anonymous Sudan are Russian operations. The group that showed in third place, Team Insane PK, is an Islamist group operating for the most part from Pakistan against targets in India.

Developments in two criminal cases.

Dave Bittner: The Southwark Crown Court in London has found two teenagers, members of the Lapsus$ Group, responsible for cyberattacks against companies that included Uber, Nvidia, and Rockstar Games, the BBC reports. One of the youths, aged 18, has been remanded; the other, a seventeen-year-old, remains out on bail. Both are awaiting sentencing.

Dave Bittner: In the United States, the US Attorney for the Southern District of New York has announced the indictment of Roman Storm and Roman Semenov, founders of Tornado Cash, on charges of "conspiracy to commit money laundering, conspiracy to commit sanctions violations, and conspiracy to operate an unlicensed money transmitting business." They are alleged to have handled more than a billion dollars in illicit transactions, including "hundreds of millions" laundered on behalf of North Korea's Lazarus Group.

Dave Bittner: The US Department of the Treasury also announced yesterday that it had sanctioned Mr. Semenov for operating his mixer service in the interest of North Korea. Treasury said, "As a result of today’s action, all property and interests in property of the designated individual that are in the United States or in the possession or control of U.S. persons must be blocked and reported to OFAC [Treasury's Office of Foreign Assets Control]. OFAC’s regulations generally prohibit all dealings by U.S. persons or within the United States (including transactions transiting the United States) that involve any property or interests in property of blocked or designated persons."

Dave Bittner: Mr. Storm was arrested yesterday. Mr. Semenov, a Russian citizen, remains at large, still very much in the wind.

More on the doxing of a deputy Duma chair.

Dave Bittner: Turning to some hacktivist auxiliaries working in the interest of Ukraine, Cybernews close-reads the material posted about Aleksandr Babakov [bah-BAH-koff] by InformNapalm and notices some interesting things. The deputy chairman of the Duma may have had a side hustle smuggling iPhones into Russia, where the banned devices fetch a good price on the illicit market. The leaked documents the Ukrainian hacktivist auxiliary, Cyber Resistance, turned over to InformNapalm also include evidence of more obviously political misbehavior, including vote-rigging in bogus Crimean referenda. Kyiv's intelligence services have hailed, Teiss says, the "BabakovLeaks" as constituting a useful contribution to the cause of Ukraine.

Dave Bittner: Some questions remain unanswered, like, where was Mr. Babakov selling the iPhones? Out of the trunk of his Tchaika? [CHAI-kuh]

Synthetic identity fraud grows.

Dave Bittner: And, finally, analysis by TransUnion has found that synthetic identity fraud has reached record levels, particularly in the auto finance industry. TransUnion explains, “Synthetic fraud is the use of personally identifiable information (PII) to fabricate a person or entity in order to commit a dishonest act for personal or financial gain.” Synthetic identity exposure in the auto industry reached $1.8 billion in the first half of 2023, making the sector an attractive target for fraudsters.

Dave Bittner: The researchers note that the retail industry has had the highest rate of digital fraud this year: “In the first half of 2023, the retail and video gaming industries saw the highest rates of suspected digital fraud globally at 10.6% and 7.0%, respectively, followed by telecommunications at 5.3%. Globally, insurance and logistics were the industries with the lowest suspected digital fraud attempt rate in H1 2023. Among all industries, the suspected digital fraud rate stood at 5.3%, up from 4.5% one year ago.”

Dave Bittner: Coming up after the break, in our latest "Threat Vector" segment, David Moulton of Palo Alto Networks is joined by Stephanie Ragan, Senior Consultant at Unit 42, to discuss Muddled Libra. Andrea Little Limbago from Interos shares insights on the new cyber workforce strategy. Stay with us.

Dave Bittner: In the latest edition of our sponsored "Threat Vector" segment, Palo Alto Networks' David Moulton speaks with Stephanie Ragan, Senior Consultant at Unit 42. Their conversation centers on Muddled Libra. Here's the "Threat Vector."

Stephanie Ragan: It's not always possible from an investigative side to be able to tell whether AI is used, and honestly, it's not always our goal. We're really focused on ejecting the threat actor from the environment and getting our clients back up and running.

David Moulton: Welcome to "Threat Vector," a segment where Unit 42 shares unique threat intelligence insights, new threat actor TTPs, and real-world case studies. Unit 42 is a global team of threat intelligence experts, incident responders, and proactive security consultants dedicated to safeguarding our digital world. I'm your host, David Moulton, Director of Thought Leadership for Unit 42. In today's episode, I'm going to talk with Stephanie Ragan, a Senior Consultant with Unit 42. Stephanie started her career in law enforcement and now specializes in compromise assessment and incident response. In our last episode, I spoke with Chris Russo, a Senior Threat Researcher with Unit 42 focused on ransomware and cybercrime, about Muddled Libra. Chris painted a picture of a determined and dangerous adversary. Today I want to talk with Stephanie to hear her insights and advice when it comes to responding to an attack from Muddled Libra and groups like them. To kick us off, can you share the number of matters that you've been involved with when it comes to Muddled Libra?

Stephanie Ragan: Yeah, my numbers are likely a little higher since we're not always confident on attribution. However, I've worked definitely at least a half dozen cases with Muddled Libra.

David Moulton: And can you share a detail or an insight from a matter that really sticks out to you?

Stephanie Ragan: One of the things that really sticks out to me about Muddled Libra cases has been the reconnaissance portion of the investigation. A lot of the times we see threat actors doing a really light reconnaissance, trying to figure out where they're at in the environment and how they can navigate. I've seen them deep-dive the how-to and the technical docs. They're really trying to get a really deep understanding of the environment and how to connect and change their level of persistence as well as further their access into the environment.

David Moulton: So Chris mentioned that this group is prolific when it comes to use of phishing kits and social engineering. What are some of the ways that you've seen success in combating these approaches?

Stephanie Ragan: These approaches are really successful because it's focused on that human factor. People are focused on their jobs, getting their jobs accomplished. MFA is a huge must, and moving towards more secure methods of MFA, getting away from using SMS for our multifactor authentication, really thinking about, where is your data stored when it comes to help desk information. We've seen phishing and spoofing of help desk personnel, so really thinking critically about where is the information that the user might use to reset their password through the help desk. One of the things that we've talked about that they use a lot of is domain typo squatting and also buying access from initial access brokers. Things like dark web and domain monitoring can also help in these situations to help you know quickly when credentials might be available on the dark web or when you have certain things like mistyped domains and slightly misconfigured domain URLs that have been developed and are created that spoof your sites.

David Moulton: Stephanie, tell our listeners what it takes to help a client recover from one of these attacks.

Stephanie Ragan: Especially with a Muddled Libra attack, I think moving quickly to understand the level of persistence that has been able to be attained at the time of detection is really important. IR playbooks are essential, knowing the actions that you're going to need to take before you're in the emergency environment. Password resets, asset resets, those have to have a plan around them, because when you're in large environments and you're trying to reset passwords for thousands of users, that's very difficult. It's going to be a kind of that whack-a-mole game to keep kicking them out of one account, but they can use another one to get right back in. Another crucial piece with Muddled Libra and many threat actors today is getting to out-of-band comms very quickly as well. A lot of threat actors, including Muddled Libra, like to sit on and listen to whatever your chat platform of choice is and trying to understand what actions the IT team and maybe the investigators are taking, getting out of band, and being able to really coordinate your approach quickly to get your environment reset is very important.

David Moulton: Final question for you. Do you expect that there'll be copycat groups out there that take Muddled Libra's playbook and use it, expand on it?

Stephanie Ragan: I think that the idea of copycats is an interesting one in this era of cyber. Being able to see the success of Muddled Libra and other groups like them and have enough information about them to be able to copy, definitely I can see people doing that. However, one of the things to keep in mind is that we hear a lot about like RaaS, ransomware as a service, initial access brokers, and things like that. So we're seeing a lot of blending of TTPs, IOCs, indicators, but also, as far as that goes, things that look like the same threat actor that might be slightly different because they're sharing resources and have really become this complex marketplace today.

David Moulton: Stephanie, thanks for joining me today on "Threat Vector" and for sharing your insights and experience defending against Muddled Libra. If you're interested in reading more about this threat actor group, visit the Unit 42 Threat Research Center and look for the threat group assessment on Muddled Libra. We'll be back on the CyberWire Daily in two weeks. Until then, stay secure. Stay vigilant. Goodbye for now.

Dave Bittner: That's Unit 42's Stephanie Ragan speaking with David Moulton from Palo Alto Networks.

Dave Bittner: And it is always my pleasure to welcome back to the show Andrea Little Limbago. She is Senior Vice President of Research and Analysis at Interos. Andrea, it is great to have you back, and I want to touch base today and get your reaction to the White House's National Cybersecurity Strategy.

Andrea Little Limbago: Yeah, no, thanks for having me, Dave, and this is, you know, it's a welcome strategy, you know, always, you know, the devils are in the details and so forth, but actually putting together a strategy and, you know, the first step in really identifying what is a big gap and, you know, it's interesting when we think about the workforce gap, and it'd be great to talk about some of the different experiences that we've had, but there is a, you know, the talent gap, but there's also a hiring challenge. So it's almost, that there is a supply and demand disconnect going on across the entire industry that really keeps exacerbating it. So I was pleasantly surprised to see it. I think it's -- I think it's done well. It had a lot of great input from a variety of different interests, and I think it's something that's, you know, it's critical, both for our national security and our economic security going forward. So I think it also highlights just the role that that workforce development's going to play, especially in cybersecurity going forward as a core component of our government. So it's very welcome.

Dave Bittner: You know, you mentioned the sort of disconnect between the hiring side and the gap in -- with employees. What do you suppose is driving that?

Andrea Little Limbago: I think there are a couple different things. It's almost hard to figure out where to start off. On the one hand, cybersecurity as an industry, in many ways, it hasn't been around for, you know, centuries, like finance has been, and even, you know, a couple of decades ago, you'd say there was a tech, and then, you know, we've slowly evolved, and some companies don't necessarily even have more than one security person for small and medium-sized businesses, and so very often, the needs are more so presented as someone middle career or senior career to help fill the gap for what they're hiring for, and at that level, there may not be enough people out there to fill those gaps, and there has been less on the company side to want to do workforce training and development. They really want to hire someone coming in at that higher level, even if it's a -- even if that means they've been opening for a year and they could have taken that year, brought someone in who, you know, out of college has their degree, is eager, ready to learn, instead of training them, and so that's starting to change. We are starting to see more companies look both for more junior-level candidates or, you know, provides them on-the-job-training, and so I think that's really what's going to have to be needed, but we're also just seeing, you know, cybersecurity industry just notorious for their job applications listing. You know, you need to have these 30 criteria --

Dave Bittner: Right, right.

Andrea Little Limbago: That are ridiculous to --

Dave Bittner: Five years of experience for a technology that's only been around for three.

Andrea Little Limbago: That's exactly right, yeah. So you see that gap, too, and then -- and then, as we know, you have many underrepresented groups unless you check off every single box. They're not going to apply, and then we also have a lot -- see a lot of job descriptions that are written for, you know, that kind of has some talk commentary in there, so that also. So yeah, I think a lot has evolved, honestly, over the last 10 years in that area. We're moving in the right direction.

Dave Bittner: Yeah.

Andrea Little Limbago: And that's -- and actually, I think some of those movements are reflected in the workforce strategy. So we're getting there, but still a lot more needs to be done on both sides.

Dave Bittner: Well, getting back to the White House's strategy here, any other things in particular that caught your eye?

Andrea Little Limbago: I like very much that it focuses on some of the adjustments for the federal workforce, for the federal training, really. Our federal hire really does need to adjust to bring in the top talent, and so it was almost -- get some good introspection going on there and acknowledging that there's a challenge there. So I like that. I really do like that, you know, it takes an all-of-society approach to cybersecurity and really focuses on really raising, you know, the skill gap across all of the U.S. society, and so even whether they're going in the workforce, just making everyone in our population a much more cyber-aware population. So I think, you know, for whatever age you are, you know, everyone is on some sort of technology right now. So that means there's going to be some, you know, insecurity that goes along with it, so just raising the bar on that I think is really a -- I think that was important point to note, and in some cases, it almost seems like it's lending some insights from Estonians and the other countries that have done this a lot better, largely as a forcing function from having, you know, major wide-scale cyberattacks 15 years ago, but it's taking some lessons learned from other countries as well, so I think that was a good component of it, because it really does have to be an all-society approach to it, to that help fill in the gap, because even, you know, whatever industry you're in, you know, it has to be something that is -- becomes an important issue to discuss and have that awareness.

Dave Bittner: Yeah, there's no getting around it, right? I mean, it's part of everybody's everyday lives now.

Andrea Little Limbago: Exactly.

Dave Bittner: Yeah. All right, well, Andrea Little Limbago, thanks for joining us.

Andrea Little Limbago: All right, thank you, Dave.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security team supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.