The CyberWire Daily Podcast 9.26.23
Ep 1914 | 9.26.23

Crooks phish for guests; spies phish for drone operators. ZenRAT is used in an info-stealing campaign. More MOVEit-related incidents (some involving Cl0p). DeFi platforms hit. The UK hunts forward.


Dave Bittner: An advanced phishing campaign hits the hospitality industry. An information-stealing campaign deploys ZenRAT. More MOVEit-related data breaches are disclosed. Mixin Network suspends deposits and withdrawals. The OpenSea NFT market warns of third-party risk to its API. Phishing for Ukrainian military drone operators. Mr. Security Answer Person John Pescatore shares thoughts on Cisco acquiring Splunk. Ann Johnson from the Afternoon Cyber Tea podcast interviews Deb Cupp, sharing a lesson in leadership. And the UK adopts a hunt-forward approach to cyber war.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Tuesday, September 26th, 2023.

Advanced phishing campaign hits hospitality industry.

Dave Bittner: Cofense is tracking “a well-crafted and innovative social engineering attack that targets the hospitality industry to deliver advanced information stealer malware.” The campaign is ongoing, with 85% of the phishing emails observed within the past sixty days. The researchers state, “As of now, the campaign only targets the hospitality sector, primarily targeting luxury hotel chains and resorts, and uses lures relative to that sector such as booking requests, reservation changes, and special requests.”

An information-stealing campaign deploys ZenRAT.

Dave Bittner: Proofpoint this morning reported that a new malware strain, ZenRAT, is currently being distributed by bogus installation packages misrepresenting themselves as coming from the Bitwarden password manager. How ZenRAT is being distributed is unknown, but once it's on the victim's device, the remote access Trojan exhibits information-stealing capabilities. ZenRAT is unusual in that it specifically targets Windows devices. Users of other operating systems who follow the malicious link the fake installer offers are simply redirected to a benign site. What threat actor is behind the RAT, and what information they're seeking to collect, remain unknown, but Windows users are advised to be on their guard.

More MOVEit-related data breaches are disclosed.

Dave Bittner: Three more organizations have disclosed data breaches related to exploitation of issues (now for some time patched) with the widely used MOVEit software.

Dave Bittner: JDSupra reports that Sovos Compliance, LLC, has determined that six more of its clients may have had data exposed via exploitation of MOVEit file transfer software. These clients–UBS Financial Services Inc, Atlantic Shareholder Services, Patelco Credit Union, Bangor Savings Bank, Pan-American Life Insurance Group, Inc. and Celink–may have seen the names and Social Security numbers of their own customers accessed by unauthorized parties.

Dave Bittner: Children born in Ontario between 2010 and 2023 and their mothers may have had their personal information exposed in a Cl0p ransomware attack against the Better Outcomes Registry & Network (BORN), a provincial government agency in Ontario. BleepingComputer reports that up to 3.4 million people may have been affected. The data exposed includes full name, home address, postal code, date of birth, and health card number. Some affected parties also experienced compromise of detailed medical information.

Dave Bittner: The third organization is the National Student Clearinghouse. According to SecurityWeek, students at some nine-hundred colleges and universities may have had their personal data exposed through the National Student Clearinghouse’s use of MOVEit. It was a ransomware attack. The data included “name, date of birth, contact information, social security number, student ID number, and school-related records, including degree and enrollment records and course-level data.” Which data were exposed varies from student to student.

Mixin Network suspends deposits and withdrawals.

Dave Bittner: BleepingComputer reports that Mixin Network, which describes itself as “a free and lightning fast peer-to-peer transactional network for digital assets... with more than $1B total value secured,” announced Monday that it had suspended deposits and withdrawals after it was attacked Saturday. The attack is said to have cost Mixin’s users some $200 million. CoinTelegraph reported Monday that Mixin founder Xiaodong Feng said that the “core asset” stolen was Bitcoin. Developers would compensate users “up to a maximum of 50%” for the theft, with the remainder distributed to the victims as “tokenized liability claims” Mixin would in time repurchase “with its future profits.” Decrypt points out an issue a number of blockchain mavens have complained about: from its description of the incident, it might appear that Mixin was less decentralized than people may have believed.

OpenSea NFT market warns of third-party risk to its API.

Dave Bittner: Decrypt reports that OpenSea, a large online marketplace for non-fungible tokens (that is, NFTs, as they’re universally known), has warned users of its API that they should swap their keys. Whether they do so or not, all keys will expire on October 2nd. It’s a case of nth-party risk. Bitcoinist reports that on Friday one of OpenSea’s vendors, the blockchain data analytics company Nansen, disclosed that one of its own third-party vendors had been compromised. The unnamed vendor had informed Nansen that an unauthorized party had gained admin rights to “an account used to provision customer access to our platform.” About 6.8% of Nansen’s customers were said to have been affected. Thus to OpenSea's customers, it's a case of risk within risk within risk: a matryoshka of risk, with some hood as the innermost nested doll.

Phishing for Ukrainian military drone operators.

Dave Bittner: Securonix is following a phishing campaign that’s targeting the Ukrainian military with malware-laden attachments posing as drone instruction manuals. The threat actor, which Securonix identifies as one that Ukraine's CERT-UA tracks as UAC-0154, deploys maliciously altered Microsoft help files (.chm) to deliver the malware. “The payload is an obfuscated binary that gets XOR’d and decoded to produce a beacon payload for MerlinAgent malware. Once the payload establishes communication back to its C2 server, the attackers would have full control over the victim host. While the attack chain is quite simple, the attackers leveraged some pretty complex TTPs and obfuscation methods in order to evade detection.” Securonix tracks the campaign as STARK#VORTEX.

Dave Bittner: UAC-0154 has been using MerlinAgent for some time. The malware is an open-source, post-exploit command-and-control tool, a remote-access Trojan (RAT). It's intended for legitimate research and testing, but as is the case with so many other tools, it's a dual-use item. In August CERT-UA said UAC-0154 had deployed MerlinAgent in another phishing campaign, in this case one that dangled "INTERNAL CYBER THREAT.chm" as the bait in emails that misrepresented themselves as coming from CERT-UA.

Dave Bittner: The nature of the phishbait shows that Ukrainian military units, drone users in particular, are being targeted. Securonix notes that the social engineering aspect of the campaign allows the documents to bypass technical defenses. “It’s apparent that this attack was highly targeted towards the Ukrainian military given the language of the document, and its targeted nature,” the researchers write. “Files and documents used in the attack chain are very capable of bypassing defenses, scoring 0 detections for the malicious .chm file. Typically receiving a Microsoft help file over the internet would be considered unusual. However, the attackers framed the lure documents to appear as something an unsuspecting victim might expect to appear in a help themed document or file.”

Dave Bittner: UAC-0154 remains unattributed, but whoever's behind it, judging from UAC-0154's targeting, seems to be acting at the very least against the Ukrainian interest, and therefore it’s acting, objectively and concretely, as the Stalinists used to say, in the Russian interest.

The UK adopts a hunt-forward approach to cyber war.

Dave Bittner: Lieutenant General Tom Copinger-Symes, deputy commander of the United Kingdom’s Strategic Command, where he holds responsibility for the Ministry of Defence’s offensive and defensive cyber capabilities, told the Record in a long interview that his command has, on the strength of lessons learned from Russia's hybrid war against Ukraine, decided to adopt a hunt-forward strategy similar to that followed by US Cyber Command. And we say, good hunting, General.

Dave Bittner: Coming up after the break, Mr. Security Answer Person John Pescatore shares thoughts about Cisco acquiring Splunk. Ann Johnson from "Afternoon Cyber Tea" interviews Deb Cupp, sharing a lesson in leadership. Stay with us. [ Music ]

Computer-Generated Voice: Mr. Security Answer Person. [ Music ] Mr. Security Answer Person. [ Music ]

John Pescatore: Hi, I'm John Pescatore, Mr. Security Answer Person. Today's question, "I just read that Cisco is acquiring Splunk for a huge amount of money. Does that make sense to you?" The only reason large Company A buys Company B is to convince investors that Company A's financial value will go up. Seventy percent of the time that does not happen. Even if it does, 70% of the time customers of Company B's products end up unhappy. The investors in publicly traded companies are stockholders, and increased value means the stock price goes up, which often has nothing to do with the quality of a company's products. For non-publicly traded companies, it is venture capitalists and other speculative financial investors who want reasons to increase the claimed valuation of the startup to justify their positions. Customers are not investors and are almost never top of mind in merger and acquisition decisions, let alone in huge deals like this one, which is potentially the fifth largest in history. In this particular case, investors these days favor sticky software subscription-based revenue, like Splunk's, over lumpy hardware-type revenue, like Cisco's, unless the stock is Apple, of course. Investors have also seen that cybersecurity stocks have higher growth potential and are more recession-proof than broader IT stocks like Cisco's. By buying Splunk, Cisco just about doubles the portion of its revenue that is cybersecurity with a big infusion of software subscriptions. But let's do the unthinkable and consider the users of Splunk's products. Will this acquisition be good for them? Will Cisco make decisions that make Splunk either a better or a more cost-effective SIM solution? Does anyone remember Cisco MARS? Cisco has been in the SIM market before, through licensing of software first from netForensics and then by acquisition of Protego over 15 years ago. Cisco never executed very well in the SIM market.
It is actually hard for infrastructure companies like Cisco to focus on the unique drivers in cybersecurity. In this particular case, Splunk and Cisco also compete in what Gartner calls the "application performance monitoring and observability market" that is even larger than the SIM market and has the potential of even faster growth in tandem with what everybody's calling "digital experience management," a very sexy-sounding market. That potential is surely one of the reasons Cisco is paying such a high premium for Splunk. So the bad news is Splunk may become much better at observability for applications and digital experiences, but not so much in security, but there is a possible good news scenario. Better integration between security operation centers and network operation centers is an underutilized force multiplier; using common tools and dashboards for both network application performance and security event monitoring can have a lot of benefits when done right. You can use the news of this gigantic acquisition to try to drive better integration between your NOC and SOC teams. Of course, from our perspective, "done right" means reducing false positives and false negatives seen by analysts and not so much worrying about maximizing smiley faces and thumbs up from users. Getting that balance right is not easy. If you're a Splunk customer, make sure Cisco gives you a roadmap for how that's going to happen. One final thought: the real cost of switching security products is never as high as we often think. If you don't get reassurance from Cisco or any other security product vendor, don't be afraid to look at alternatives and make a change.

Computer-Generated Voice: Mr. Security Answer Person.

John Pescatore: Thanks for listening. I'm John Pescatore, Mr. Security Answer Person.

Computer-Generated Voice: Mr. Security Answer Person.

Dave Bittner: Mr. Security Answer Person with John Pescatore airs the last Tuesday of each month right here on the CyberWire. Send your questions for Mr. Security Answer Person to [ Music ] Microsoft's Ann Johnson is host of the "Afternoon Cyber Tea" podcast right here on the CyberWire Podcast Network. In a recent episode, she interviewed Deb Cupp, sharing a lesson in leadership. Here's a segment from that show.

Ann Johnson: Today we have a very special episode of "Afternoon Cyber Tea." I am thrilled, excited to be joined by Deb Cupp who's the President of Microsoft Americas. Deb leads the $70 billion business responsible for delivering the full product and services portfolio of Microsoft to customers based in the United States, Canada, and Latin America. Welcome to "Afternoon Cyber Tea," Deb. I'm just thrilled to have you on.

Deb Cupp: I'm so happy to be here. It's great to be here with you, and thank you.

Ann Johnson: So what does "Team Crazy" mean to you, and how did you end up centering on that as part of your leadership philosophy?

Deb Cupp: Yeah, it's, you know, I think it just describes me well, and I think back to earlier when I was talking about sports. I mean, I grew up playing sports, and I've -- and all team sports, by the way, so I always felt inspired by what teams can create together, and you learn so much being an athlete around people playing their positions and recognizing that everybody has strengths and everybody has weaknesses or areas of opportunity, and when you put people in positions to do their very best and the team works exceptionally well together, you can accomplish things you could never accomplish as an individual and it's powerful. It's powerful watching people achieve things collectively together that they didn't think they could. You know, I feel like I'm an arranger. I like to sort of organize people and I believe I can see strengths and I have an ability to sort of get a sense of where they belong and putting them in places to let them thrive. That is -- it gives me energy. I think it gives me an opportunity to say team is everything, and I think it's important the way teams come together collectively.

Ann Johnson: How did you get to your first board service and what surprises were there?

Deb Cupp: Yeah, sure. So, oh, it was an interesting process, Ann, and I think it's very different depending on what type of board. So I think I would first start by saying, when people say, "I want to join a board," I think you have to understand what you're actually saying. So part of it is, the demystifying is also somewhat of understanding just what a board is. So there's non-profit boards, there's for-profit boards, there's startup boards, there's, you know, boards of public companies, so there's all different types of boards. So I think one thing I always encourage people to do is just learn about the opportunities across different types of boards. Most people will start in a non-profit or a local board. It could be anything that you just have an opportunity to step in and provide some guidance or leadership, and I'll get to in a second what that actually looks like, and I think it's, as we know, it's a great opportunity to kind of get outside your company or your existing job and kind of both contribute in a different way and also learn, which I think is pretty amazing.

Ann Johnson: You know, when you think about board and you think about business leaders, how do organizations improve the representation of women at very senior levels, including boards, and do you have a bold call to action here?

Deb Cupp: Yeah, you know what I think, Ann, we all know a lot of people, and so one of the things that I committed to after I joined the board is I made, you know, I met a lot of people through that process and I realized I know a lot of amazing women who also want to be on board, so I personally just took a list of people, I emailed all the contacts that I made in recruiting firms, other companies, and I just said, "Hey, these -- here are some amazing women, so as you are looking for -- if you're searching for another board candidate at another company, I'd ask you to give these folks a call." It was so easy. You create connections for upwards of 20 people in a minute. So if everybody just did that, like I am so grateful, as I started my board journey, for the women who talked to me before I even knew what I wanted to do, and that was the other -- that's the other call to action I would have. If somebody calls you and says, "Hey, can you just talk to me about what it means and how I do this," take the call, you know, help somebody out. If everybody does that -- it doesn't matter if you're a man, woman, doesn't matter. Take the call. Help somebody else out. Provide a list of incredibly qualified people that you know you know and pass them around.

Dave Bittner: That's Ann Johnson from the "Afternoon Cyber Tea" podcast interviewing Deb Cupp. You can find the "Afternoon Cyber Tea" podcast right here on the CyberWire Podcast Network. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our daily briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show is written by our editorial staff. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]