The CyberWire Daily Podcast 9.28.23
Ep 1916 | 9.28.23

Buckworm APT’s specialized tools. Cyberattack against Johnson Controls. Oversight panel reports on Section 702. Cyber in election security, and in the US industrial base. Hacktivism versus Russia.


Dave Bittner: The Budworm APT's bespoke tools. Johnson Controls sustains a cyberattack. The US Privacy and Civil Liberties Oversight Board reports on Section 702. The looming government shutdown and cyber risk. Cybersecurity in the US industrial base. X cuts back content moderation capabilities. In our Industry Voices segment, Nicholas Kathmann from LogicGate describes the struggle when facing low cost attacks. Sam Crowther from Kasada shares his team's findings on Stolen Auto Accounts. And Ukrainian hacktivists target Russian airline check-in systems.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Thursday, September 28th, 2023.

The Budworm APT's bespoke tools.

Dave Bittner: Symantec (a Broadcom company) says that the Budworm APT (tracked by others as “Emissary Panda” or “APT27”) in August 2023 used a new version of its SysUpdate backdoor to target “a Middle Eastern telecommunications organization and an Asian government.” The researchers note, “The targeting of a telecommunications company and government also point to the motivation behind the campaign being intelligence gathering, which is the motivation that generally drives Budworm activity. That Budworm continues to use a known malware (SysUpdate), alongside techniques it is known to favor, such as DLL sideloading using an application it has used for this purpose before, indicate that the group isn’t too concerned about having this activity associated with it if it is discovered.” The report doesn’t offer an attribution, but government and telecommunications organizations are common targets for cyberespionage.

Johnson Controls sustains cyberattack.

Dave Bittner: Building automation company Johnson Controls International has sustained a major ransomware attack that’s affected the operations of several of the company’s subsidiaries, BleepingComputer reports. The attackers have encrypted the company’s VMWare ESXi servers and claim to have stolen more than 27 terabytes of corporate data. BleepingComputer cites a source as saying that the attackers are demanding a $51 million ransom.

Dave Bittner: Johnson Controls confirmed a “cybersecurity incident” in an 8-K filing with the SEC, stating, “The Company continues to assess what information was impacted and is executing its incident management and protection plan, including implementing remediation measures to mitigate the impact of the incident, and will continue taking additional steps as appropriate. To date, many of the Company’s applications are largely unaffected and remain operational. To the extent possible, and in line with its business continuity plans, the Company implemented workarounds for certain operations to mitigate disruptions and continue servicing its customers. However, the incident has caused, and is expected to continue to cause, disruption to parts of the Company’s business operations.”

Dave Bittner: actively evaluating the extent of the information that was compromised and is implementing its incident management and protection plan to address the incident's impact. While many of the company's applications are still functional, it has had to employ workarounds for certain operations to minimize disruptions and maintain customer service. Nevertheless, the incident has resulted in disruptions to some of the company's business operations, and this disruption is anticipated to persist.

US Privacy and Civil Liberties Oversight Board reports on Section 702.

Dave Bittner: A divided Privacy and Civil Liberties Oversight Board has reported its recommendations concerning Section 702 of the Foreign Intelligence Surveillance Act.

Dave Bittner: Section 702 has been controversial for what critics see as its potential for abusive surveillance of US citizens. Intelligence and law enforcement agencies defend the law as an essential authority for collection, especially collection against terrorist organizations.

Dave Bittner: The first seven recommendations in the report are calls for Congressional action, codifying specifically “the twelve legitimate objectives for signals intelligence collection under Executive Order 14086." They also recommend that Congress introduce more definition and clarity into Section 702, drawing sharper lines over what’s permissible what’s impermissible.

Dave Bittner: The remaining twelve recommendations concern procedures Executive agencies might adopt. Most of these involve increased transparency and controls to ensure that querying in particular doesn’t run afoul of protections against unreasonable search. It also includes calls for replacing manual review of material collected with new, secure automated procedures. And the report also recommends that intelligence and law enforcement agencies improve their measurement of the outcomes of surveillance–did they actually achieve operational goals beyond the collection itself.

Government shutdown and cyber risk.

Dave Bittner: Nextgov outlines the potential cybersecurity implications of a US government shutdown, noting that around 80% of employees at the Cybersecurity and Infrastructure Security Agency (CISA) would be furloughed during a shutdown. Rep. Shontel Brown (Democrat of Ohio) compared the effects of a government shutdown to those of a ransomware attack, saying it “would be dangerous, destructive, and disastrous.” Brown added that a shutdown “would undercut organizations and state and local governments that are relying on federal funds to prevent the crippling ransomware attacks we are discussing in this very hearing.”

Dave Bittner: Rep. Nancy Mace (Republican of South Carolina) countered that the White House could choose to designate CISA employees as essential workers in the event of a shutdown. 

Dave Bittner: So if there’s a shutdown–and that remains a big if, since there’s always the possibility of an eleventh-hour continuing resolution before Federal Fiscal New Year’s Day on October 1st–there will be some degradation of Federal services.

Cybersecurity in the US industrial base.

Dave Bittner: Aprio has released the results of a survey looking at cybersecurity in the manufacturing industry, finding that “nearly two-thirds of manufacturers experienced unauthorized access to their companies’ networks and data in the past year.” The survey also found that “fewer than half of companies surveyed report having a cybersecurity policy and only 36% have enhanced IT security.”

Dave Bittner: Aprio adds, “Manufacturers can leverage digital tools to achieve competitive advantage by sharing information across functions and with supply-chain partners to improve productivity and respond in real-time to operational problems. But most companies are not utilizing this – in fact, 39% of surveyed manufacturers are using 5G networks and only 21% are using edge computing.”

X cuts back content moderation capabilities.

Dave Bittner: X (the platform formerly known as Twitter) has disabled a feature for reporting election misinformation, Reuters reports. The Information says X has also cut half of its election integrity team, including the team’s head, Aaron Rodericks. X owner Elon Musk said in a post that the team “was undermining election integrity.”

Dave Bittner: The Hill notes that X said last month that it was expanding its elections safety team to “focus on combating manipulation, surfacing inauthentic accounts and closely monitoring the platform for emerging threats.”

Dave Bittner: Social media in general and X, formerly Twitter, in particular, have been used to establish and amplify disinformation during elections. The US elections in November 2024 are expected to receive a great deal of attention from foreign, especially Russian, disinformation operators.

Ukrainian hacktivists target Russian airline check-in systems.

Dave Bittner: Several Russian airlines warned customers to expect difficulties at the gates. Aeroflot, Pobeda, Azur Air, and Rossiya at least have experienced problems with their check-in systems. Aeroflot offered an explanation in its Telegram channel: “Attention to passengers flying on Aeroflot Group airlines. Due to a global failure in the Leonardo reservation system, check-in at airports in the company’s route network is difficult." "Global" should be interpreted as "general," because Leonardo is a home-grown Russian airline reservation system. It was developed by Sirena-Travel, a subsidiary of the Russian state-owned tech conglomerate, Rostec, in 2014, but the system came into use only last year, when Western tech companies pulled out of the Russian market after the invasion of Ukraine.

Dave Bittner: Cybernews describes the issue as a distributed denial-of-service (DDoS) attack, with Leonardo "flooded" by traffic. The IT Army of Ukraine, a cyber auxiliary group operated on behalf of Ukraine, claimed responsibility. “While you’re sipping your artisanal latte, our 'noble' neighbors to the north are stuck in queues, trying to book flights,” the IT Army taunted in its Telegram channel. “Well done, IT Army!” The attack was over in a matter of hours, and service is now said to be returning to normal, although as of this writing it’s not quite there yet.

Dave Bittner: Coming up after the break, Nicholas Kathmann from LogicGate describes the struggle when facing low-cost attacks. Sam Crowther from Kasada shares his team's findings on stolen auto accounts. Stay with us. Attackers enjoy the advantage of inexpensive readily available tools to help them do their deeds, which means a relatively low investment for them but a steady barrage of things to deal with for defenders. In this sponsored Industry Voices segment, I speak with Nicholas Kathmann, CISO of risk and compliance management platform provider LogicGate, on the struggles organizations face with low-cost attacks.

Nicholas Kathmann: So phishing attempts is a prime example of this. It costs next to nothing or, in many cases, free to send a phishing -- you know, a phishing email. But the companies, the victims are spending a lot of money on anti-phishing technology and, you know, different types, different email filtering capabilities and user awareness training to try to protect against that free attack.

Dave Bittner: And how do we differentiate between something that is merely a nuisance and something that is truly potentially dangerous?

Nicholas Kathmann: I mean, I would say, if you design your systems correctly and you, you know, I call it embrace the incident, you're going to have incidents. Things are going to get through. If you're -- you know, your systems are designed properly, your security architecture is designed properly, IM roles are designed properly, almost anything becomes a nuisance. So if you don't have all that stuff in place, so, you know, we used to call it the Cadbury effect a long time ago. There's a different term for it now. But the hardshell gooey center, once you get into an organization, everything is just wide open and unlocked. Every, you know, successful phishing attempt turns into a major incident or major issue, whereas if everything's properly locked down, you're using MFA, you're using, you know, device trust, you know, you have your admin accounts separated from your normal user accounts, you know, things like that, you have different, you know, trust boundaries around different applications and you, you know, you've embraced more of the zero trust type of architecture approach, somebody simply getting a, you know, the username and password for your system or even a username, password, and an MFA token, the damage -- you know, the blast radius is much smaller. And that really just becomes a nuisance at that point. You're just resetting passwords and tokens.

Dave Bittner: Well, let's come at it from the other direction, then. I mean, what are your recommendations for folks to best come at this? What -- what are some of the strategies you think folks should put in place?

Nicholas Kathmann: So I think a lot of it would start with really just going through attack simulations. So what would happen if this did happen and kind of, you know, almost tabletop it but do more realistic tabletop. So a phishing attempt -- attack happened against a finance user. Okay. So you can either, you know, have your security team or your IT team or somebody knowledgeable within there created as a finance user and now go look around and see what they have access to. What can they actually do. Or you can pay pen test firms to do this for you, as well, and really just figure out, you know, what -- what do they have access to they shouldn't have had access to and start to restrict these things down. And then go to the next scenario, and just keep working down the list of scenarios of different attack types that can be used against you. And then just, you know, systematically destroy the -- you know, it's in -- in rescue, you can go through and you can, you know, reduce the risk of it happening or reduce -- or just reduce the likelihood, or you can reduce the impact. My -- what I would say here is what I recommend here is use the free technology, the free mechanisms, the free security controls built into, you know, your office suite, your file sharing suite, your rules like that. So reduce the impact as much as humanly possible.

Dave Bittner: Yeah. Can we dig into that a little bit? I mean, how do you recommend that folks set their priorities here? Everybody has a limited amount of time and a limited amount of resources. What's a wise way for folks to calibrate how they come at this specific problem?

Nicholas Kathmann: So a big thing is just getting security involved early on in the project or any project that's coming up. So once -- you know, I always said, if you -- if you bring in a security architect after the solution's already created, now the security architects coming in, you know, proverbially calling the baby ugly. It's already there. There's already a timeline. It's usually, like, you know, you get the call for a half-an-hour meeting to approve a solution, you know, a week before it's set to go live. This is -- this is where all the mistakes happen. If you bring in security architecture, if you bring in the security and compliance and privacy teams from the very beginning, before -- you know, during project inception, we're going to roll out new application XYZ, but we don't know what that looks like yet, we don't have any diagrams. We haven't written any code, that's when you can really start to get ahead of the problems before they become problems. And so, really, it's just getting ahead, making sure that, from the very beginning, security, compliance, privacy are all stakeholders at the table and can start bringing in the requirements and making sure that, you know, everybody who -- the implementers of the technology and the application owners and the -- all of stakeholders understand really what's required so they can keep that in mind and be educated throughout the entire project lifecycle.

Dave Bittner: What about the communications with the powers that be, you know, the -- think folks like the board of directors, you know, making sure that they're informed and on board with the plans here?

Nicholas Kathmann: Yep. So, I mean, this is really -- this -- this is going to be where setting clear, clear guidelines, clear, you know, goalposts for the different application owners is going to be really important. So everybody's seen organizations where there's I call it the paper tiger. There's policies and procedures that the compliance team knows inside and out and that they use to past, you know, attestations and compliance things. But if you ask any of the end users, even if they've read, you know, signed off that they follow those policies, they probably can't state more than one control. So this is really, you know, making sure that, when you're designing these policies, these procedures, these standards, these guidelines that you do have, you know, technical stakeholders reviewing it. You do have leadership reviewing it, as well, so that, by the time you go to get it approved, everybody's aware of every line that's in there and that it's not -- and that, you know, people understand what the requirements are. And they've seen it, and they know exactly where to get that, you know, that standard or that guideline that says this is what we should be doing. That's the first step is just making sure that you're socializing all of your policies, all other standards, you know, in advance, far in advance of actually making them, you know, final in [inaudible 00:15:24]. But then, once you're there, that becomes the guideline. And just making sure that you have a way to measure projects and, you know, different applications against that guideline. And anytime they're not getting that guideline, that becomes findings that goes into a risk register. And then that goes up into the summary reports that you're bringing up to the board, in terms of this department and, you know, their projects, their applications have introduced these amount of risks for not meeting the standards. And then let -- you know, let it from there, they make the decision of do we accept this, or do we go back and say, no. You need to fix this. That's Nicholas Kathmann, Chief Information Security Officer at LogicGate. Bot management firm Kasada recently published a report outlining their discovery of nearly 15,000 stolen automotive customer accounts for sale online, with credentials being sold for as little as $2 on Telegram. Sam Crowther is CEO at Kasada.

Sam Crowther: Our threat research team found evidence that some criminal syndicates had been launching credential stuffing attacks against large particular US-based auto manufacturers and selling the compromised accounts which, you know, contain obviously the VIN numbers, the makes and models of the vehicles, the PII of the owners within -- within some of their Telegram communities. And it was at a scale that was quite alarming to go from zero to where they -- where they landed. So it raised just massive red flags on our side. And we figured this is absolutely something we need to talk more about. 11 What kind of scale are we talking about here? How many stolen accounts did you all track? So initial two waves, there was about 15,000 US accounts for these cars that came up for sale.

Dave Bittner: Well, let's talk about the information that was taken here and why it matters for folks. I mean, I think people are kind of used to getting reports that some of their information has been compromised, you know, their name, their address, maybe something like that. But I think it's fair to say most of us don't think about things like the VINs of our cars.

Sam Crowther: I completely agree, right? I'm like, when you buy a car from a manufacturer, particularly modern ones and you sign up for the account to manage your servicing or even, you know, manage the vehicle remotely, you never really think too much about what's going into it and the sort of access and information that it has.

Dave Bittner: Well, let's talk about some of the things that folks can do with a VIN here. What are the risks?

Sam Crowther: Something known as car cloning, where criminals can take stolen VIN numbers and use it to create replica tags so that, you know, you get pulled over when you're driving your car in, you know, Maryland, right? And the police are, like, Hey. We've -- you know, we've got a warrant for this or whatever it is when you get pulled over. And it's actually because someone else who committed a crime who's duped your car's information has done it, you know, somewhere else in the state, right, which is really, really problematic. There's also the potential for basically the duplication of ownership papers. So someone could own your car from the government's eyes. It's pretty concerning. And when you couple that with the information around where the individuals live, how to contact them, it can start to -- start to become, you know, a really scary form of identity fraud.

Dave Bittner: How so? How would folks use this information specifically?

Sam Crowther: You can leverage all the contact and VIN information. It's also possible to, like, take out loans, for example, against the car, like additional cash out which I guess is like the ultimate goal for almost any, you know, identity theft, right, is -- is money from the banks that's tied to someone else. What's really interesting, though, on the actual, like, seller's side is how popular and how cheap seemingly these accounts were, right. Like, normally, to get your hands on enough information to properly commit identity fraud, you know, it's going to cost you 500 to 1000 bucks, whereas you look at some of these automotive accounts, and you can pay as little as $2. And you basically have all the information you need to get started.

Dave Bittner: What are your recommendations for folks to protect themselves against this sort of thing?

Sam Crowther: So look. The number one would be -- and I know it's said over and over again but unique passwords, particularly on systems like this. I know it's probably not something many of us think about being overly sensitive. But the reality is it's actually quite important for us to protect it. So making sure that, you know, access to that account is, you know, to a favorite, it can be it's a strong password. And then, you know, if you can disable certain functionality or you can avoid having some of these accounts entirely, maybe if it's not going to, you know, impede your user experience, it may be best to do so, right. And a lot of cases, most people don't need these accounts. Most of the cars attached to these were old, from what we could see. And there was no act to control them remotely for these older models. So there was really no big value add, yet they've sort of been, you know, driven to sign up by the manufacturer.

Dave Bittner: Is there any responsibility from the car manufacturers here? I mean, have -- have they chimed in on any of their attempts to secure this kind of thing?

Sam Crowther: Huge responsibility, right? Like, this is ultimately their problem. If this happened in any other industry where the information was as sensitive, there would be outrage. Like, imagine if, you know, the -- the MyChart accounts you have for your medical information had the same problem, like, the impact will be pretty material. And, functionally, this is very sensitive PII. So we've reached out and tried to notify the manufacturers. One has engaged; the others have remained silent. The one that's engaged has been really good and proactive about actually, you know, properly digging in and looking at what went wrong and how to address it, which is great to see.

Dave Bittner: Yeah. Where do you suppose we're headed here? I mean, could you see regulations coming that could help tie these sorts of things down better?

Sam Crowther: General security, you know, rules and regulations around liability is something that will help here, right. You know, the world is so fast-paced. And particularly if you take the case of auto manufacturers who have been ripped out of the Stone Age very, very quickly, there's just so many different unique cases and datasets and data types to deal with. But, you know, laws around, hey, what is acceptable for an organization to lose when it comes to customer data, right? How many accounts can be compromised before there are some, you know, whether it's, like, criminal or other sorts of charges brought against the company? That's really where this needs to go. And if you look at other countries, they're starting to move there, right? Like, actually, in my home country of Australia has recently implemented some new laws around liability if organizations are shown to be negligent. And the penalties are really severe, right, similar to what you'd see in the European Union. I really think that's the best way to do it because right now the equation these companies make is what's the chance we get caught? How much is it going to cost us if we get caught? You know, we're fine to accept that risk without actually really considering what the impact of their customers is.

Dave Bittner: That's Sam Crowther from Kasada. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tr Hester with original music by Elliott Peltzman. The show was written by our editorial staff. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We will see you back here tomorrow.