The CyberWire Daily Podcast 10.25.23
Ep 1934 | 10.25.23

AI ain’t misbehavin’, except when it does. Also, privateers and hacktivist auxiliaries get busy.


Dave Bittner: Teaching AI to misbehave. Ransomware's effect on healthcare downtime. Two reports on the state of cybersecurity in the financial services sector. Possible connections between Hamas and Quds Force. Ukrainian cyber authorities report a rise in privateering Smokeloader attacks. Russian hacktivist auxiliaries strike Czech targets. My conversation with Sherrod DeGrippo, host of The Microsoft Threat Intelligence Podcast. Jay Bhalodia from Microsoft Federal shares insights on multi-cloud security. And Winter Vivern exploits a mail service 0-day.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, October 25th, 2023.

Teaching AI to misbehave.

Dave Bittner: Researchers at IBM X-Force Red outline ways in which legitimate generative AI tools like ChatGPT can be tricked into creating malicious output like phishing email templates:

Dave Bittner: With only five simple prompts, they successfully manipulated a generative AI model to produce highly convincing phishing emails within just five minutes... Their team usually spends approximately 16 hours crafting a phishing email, excluding infrastructure setup. Consequently, attackers could potentially save almost two days of work by utilizing generative AI models. The phishing email generated by AI was incredibly persuasive, nearly matching the quality of those created by experienced social engineers. This close resemblance marks a significant advancement in the technology.

Dave Bittner: The researchers tested the AI generated phishing lure against a template crafted by humans, and found that the human-made template was slightly more effective at deceiving recipients. That said, the AI doesn’t need to be excellent. It just needs to be good enough.

Ransomware's effect on healthcare downtime.

Dave Bittner: Comparitech has studied the effects of ransomware on healthcare organizations. They’ve found that the downtime caused by these attacks has cost the US economy $77.5 billion since 2016. The researchers state, “[M]edical entities suffered an average downtime of nearly 14 days following an attack. So far 2023 has reported the highest average downtime (18.71 days), closely followed by 2022 (15.71 days). Based on these figures, ransomware attacks may have caused 6,347 days, or 17.4 years, of downtime.” They add, “The cost of downtime to medical organizations over the last three years is estimated at $9.4 million for 2021, $16.2 million for 2022 and $15.5 million so far in 2023. None of these figures exceed 2020’s, however, with an estimated $19.3 million lost to downtime.”

Dave Bittner: There's an ongoing attack against hospitals in Ontario, where five facilities report disruptions that have delayed patient care. CBC reports that the hospitals share a common IT provider, TransForm, which CBC describes as "a non-profit founded by the hospitals to run IT, supply chain and accounts." The incident remains under investigation and details remain unclear, but there's no lack of clarity about the extent of the disruption: it’s been a problem.

Two reports on the state of cybersecurity in the financial services sector.

Dave Bittner: A report by Swimlane on the state of cybersecurity in financial services finds that “20% of respondents have had at least one breach with a total cost of $5 million in the last 12 months.” Additionally, 42% of respondents had a breach that cost at least $1 million in the past year. The top threats seen by financial services organizations are phishing (34%), ransomware (31%), cloud security threats (25%), and insider threats (21%).

Dave Bittner: The report notes, “[T]he impact of successful cyber-attacks is assessed differently depending on the type of financial institution. Wealth management and investment banks rate downtime as the largest concern associated with cyber breaches, but retail banks (whose customers can more easily change service providers) are more concerned with loss of reputation and customer trust.”

Dave Bittner: Another look at the sector comes from Veracode, which this morning released a report looking at “the key factors influencing flaw introduction and accumulation” in the financial services sector. The researchers found that “[w]hile nearly 72 percent of applications in the Financial Services sector contain security flaws, this is the lowest of all industries analyzed and an improvement since last year.” So while there’s work yet to be done, on balance, and compared to other sectors, financial services organizations have upped their game, probably with the help of government regulation.

Possible connections between Hamas and the Quds Force.

Dave Bittner: Recorded Future's Insikt Group has found an application distributed over Telegram and used by Hamas operators. "The application is configured to communicate with Hamas's Izz ad-Din al-Qassam Brigades website. Infrastructure analysis associated with the website led to the identification of a cluster of domains that mimic the domain registration tradecraft of TAG-63 (AridViper, APT-C-23, Desert Falcon), a cyber group that we believe operates at the behest of the Hamas terrorist organization." The Quds Force, a unit of Iran's Islamic Revolutionary Guard Corps, is known to provide cyber technical assistance to Hamas, and the Insikt Group thinks it likely they're doing so in this case.

Ukrainian cyber authorities report a rise in privateering Smokeloader attacks.

Dave Bittner: Russia has stepped up cyberattacks directed against Ukraine and Ukraine's international supporters. Some have been financially motivated, others aiming simply at disruption.

Dave Bittner: Kyiv's National Cybersecurity Coordination Center (NCCC) reported Tuesday that it was investigating an increase in Russian criminal attacks using Smokeloader malware. The NCCC explicitly characterizes the threat actors as "financially motivated cybercriminals." Effectively that makes them privateers who supplement the efforts of the Russian intelligence and security services, and of the hacktivist auxiliaries those services direct. 

Dave Bittner: Smokeloader is commodity criminal malware bought and sold in the C2C market. The Record notes that it trades in underworld souks from $400 for the basic model, up to $1650, nicely loaded.

Dave Bittner: The NCCC's full report, available in both Ukrainian and English language versions, explains that a variety of Russian criminal groups are using Smokeloader, and that in some cases they've achieved their payoff by diverting funds from online transactions. The report includes a set of indicators of compromise, and advice to organizations on how they might present the privateers with a harder target.

Russian hacktivist auxiliaries strike Czech targets.

Dave Bittner: reports that hacktivist auxiliaries have been engaged in disruptive attacks against Czech targets. Distributed denial-of-service (DDoS) attacks interrupted online services at the Prague Airport, the Czech Interior Ministry, and the Chamber of Deputies. Researchers at the security firm Avast noted that the use of the DDoSia platform points clearly to NoName057, the well-known Russian hacktivist auxiliary. The attacks were apparently intended as retaliation for Czech support for Ukraine at the Crimea Platform summit, which met in Prague on Tuesday. It’s worth noting they achieved no more than the familiar nuisance results, neither compromising data nor interrupting operations.

Winter Vivern exploits a mail service 0-day.

Dave Bittner: ESET warns that the Winter Vivern threat actor has been exploiting a cross-site-scripting zero-day vulnerability (CVE-2023-5631) in the Roundcube Webmail server since October 11th, 2023. Roundcube released patches for the flaw on October 16th. Winter Vivern used the flaw to conduct cyberespionage operations against European government entities and a think tank.

Dave Bittner: The researchers don’t attribute Winter Vivern to any particular nation-state, but they do note that it may be tied to the Belarus-aligned threat actor MoustachedBouncer. ESET concludes, “Despite the low sophistication of the group’s toolset, it is a threat to governments in Europe because of its persistence, very regular running of phishing campaigns, and because a significant number of internet-facing applications are not regularly updated although they are known to contain vulnerabilities.”

Dave Bittner: So, unsophisticated, espionage-focused, and targeting European governments. Circumstantially that sounds like Belarus. Belarus, it should be noted, is one of two unambivalent supporters of Russia’s war against Ukraine. The other is North Korea, and that’s hardly the company one wants to keep, regardless of how epic their mustache may be. Even if you’re a bouncer with the worst Fu Manchu ’stache ever.

Dave Bittner: Coming up after the break, my conversation with Sherrod DeGrippo, host of the Microsoft Threat Intelligence Podcast, and Jay Bhalodia from Microsoft Federal shares insights on multi-cloud security. Stay with us. [ Music ] [ Music ] As federal agencies have adopted multiple clouds for their analytic and compute capabilities, a strong security strategy has been a critical necessity. Jay Bhalodia is Managing Director for Security and Customer Success at Microsoft Federal, and in this "Sponsored Industry Voices" segment, he shares insights on the multi-cloud experiences of stakeholders in the federal space.

Jay Bhalodia: For our Federal customers, they're all invested in a multi-cloud strategy. When you look at directional signal, for example, like the Department of Defense announcing the Joint Warfighting Cloud Capability, or JWCC -- that contract was announced in December -- it -- it's -- it's a major step and signal that the federal government, the DoD, is in a multi-cloud journey. As we look to -- across the full landscape of our Federal customers, whether they're in the civilian space, the DoD space, or the intelligence space, they all have a strategy that includes engaging with multiple cloud vendors and Microsoft is -- is pleased to be one of those cloud service providers providing that support to the customer.

Dave Bittner: Can we go through some of -- both of the opportunities and -- and the challenges for organizations that are embracing a multi-cloud approach?

Jay Bhalodia: Yeah, absolutely. You know, one -- one of the lenses that I'm going to look at that is -- 'cause of where I sit, we'll look at that in the context of security. But, you know, the customers have -- have determined and made a decision to go down a multi-vendor, multi-cloud service provider model. There are great opportunities to -- to use a set of capabilities that are -- that are unique to each cloud, provide opportunities for mission, for their business, and really accelerate the -- the transformation of the services, how efficiently, how effectively they can provide those. And at the same time, when you look at it from a security lens, anytime you increase complexity of -- of your digital estate, it's an opportunity for attack surface. It's an opportunity for an adversary to leverage a weakness in one place to be able to move across your entire estate. So there are opportunities for greater transformation, greater services, greater capabilities, to the citizens that our Federal customers serve. And through that process, there are also opportunities for us to strengthen security if done correctly. If not done correctly, there are opportunities and -- and disadvantages to creating more gaps for our adversary.

Dave Bittner: As one of the major players in this space, how do you approach the reality of a multi-cloud environment, that -- that your customers want to work with you but also with other providers and it's in your best interests to make that as frictionless as possible?

Jay Bhalodia: It's a great question. One of the things about Microsoft is we're not only a cloud service provider, but we're also a security vendor. And so it's very natural for us to -- to look at the -- the broader landscape of our customers. As a cloud service provider with Azure, we're operating capabilities and we're protecting the customer on our premises. As an industry-leading security vendor, we've been providing and protecting the customers on their premises for a long time, and it's just natural for us to extend into protecting the customers in other clouds. So we've been at that multi-vendor responsibility set for a while. We've -- we've secured and defended Linux, iPhones, the IoT devices that are sitting on your network which you may or may not even know about. But we're also -- have the opportunity to take our Azure security capabilities not just to secure to Azure but to be able to provide that across all various cloud platforms.

Dave Bittner: Could you give us some examples of -- of some of the -- the common operational models that you all see here?

Jay Bhalodia: Yeah, that's a -- it's a -- it's a great question. The -- our customers, they benefit from having this common view into the operational picture. When you look at something -- something like identity, right, is -- is your user the same person on their laptop as they are on -- on the server when they're there? As they are in the cloud properties, whether that's Azure or GCP or AWS? So without an effective multi-cloud strategy, you -- you -- you turn multi-cloud into multiple silos. And so for Microsoft, I think identity is a big area of consideration there. We -- we recently released our -- our digital defense report. And that -- that is looking across all the signals and telemetry we get in -- as one of the largest cloud service providers. And one of the things that really stood out to me is the ten-fold, year-over-year increase in password-based attacks. So attackers are getting increasingly focused on the identity-based attacks. And so when you have these multi-clouds, including your premises, you potentially can create identity silos across your -- your -- your premises, across your enterprise. You can increase your attack surface for those identity-based attacks. With the permission [inaudible 00:15:11] being what they are, if -- if you get compromised in one silo, the attacker is looking to pivot across your entire digital estate. So this kind of creates a -- a nightmare, not only of -- of surface, but it also creates a situation where your SOC analysts, your responders, when minutes matter, they're sitting there correlating. Like, was this the right person? Was this the same person? So building a -- a multi-cloud identity strategy, I think, that -- that is a critical aspect to building a multi-cloud strategy in general.

Dave Bittner: I'm wondering if you could give us a -- a little view behind the scenes here. You know, it's my understanding that, you know, while organizations like Microsoft and the other major cloud providers are healthy competitors, that there's a good amount of collaboration that goes on behind the scenes, particularly when it comes to security.

Jay Bhalodia: I -- I love that question. I -- I'm a big believer in all of us are better than one of us. Like we just talked about, attackers don't limit their attacks to a compliance boundary or a cloud boundary. In -- in fact, they -- they look for greater opportunities to exploit across these clouds. Really proud of Microsoft in this space. We've been an industry leader. It was almost seven years ago that our -- our President, Brad Smith, stood onstage at RSA and talked about a digital Geneva Convention. The foundation of that was greater collaboration across industry. So I also appreciate the -- the partnership and the leadership from government, whether that's CISA providing the Joint Cyber Defense Collaborative, better known as JCDC, or whether that's the acting National Cyber Director, Kemba Walden, showing up at DEFCON to meet industry, to meet our security research folks. There's a lot of leadership from -- from our -- our government entities pulling all of industry together. But we've also seen industry partner -- partnership, too, independent of leadership from government. I really appreciate stories. There's a recent HTTP DDoS attack, one of the largest in history, and all of the cloud service providers, including Microsoft, were involved in how do we work together and -- and how do we share this information, this telemetry, and so we can protect the internet at whole? You know, at the end of the day, if one of our cloud service providers comes back and says hey customer, if we say Azure wasn't breached but their other cloud service provider was, that's not a win for our customer. And I think as -- as -- as service providers, we see that there is that -- to make our successful customer, we have to meet them where they are, and we have to be able to partner together.

Dave Bittner: That's Jay Bhalodia, Managing Director for Security and Customer Success at Microsoft Federal. [ Music ] It is my pleasure to welcome to the podcast Sherrod DeGrippo. She is the host of the Microsoft Threat Intelligence Podcast right here on the CyberWire network. She is also Director of Threat Intelligence Strategy at Microsoft. Sherrod, thank you so much for joining us today.

Sherrod DeGrippo: Hi, Dave. I'm so happy to be here. This is so cool.

Dave Bittner: Well, let's start with the beginning here. What prompted your desire to host the Microsoft Threat Intelligence Podcast?

Sherrod DeGrippo: Well, I started at Microsoft earlier this year. I've been in information security for -- 19 years. And Microsoft has always had that mystique of -- what are they doing back there? What's going on? What does it look like behind the scenes? And I was really lucky because my leadership was super supportive of, hey, let's tell the stories about the threat actors and let's tell the stories of the threat intelligence analysts, security researchers, incident responders that are doing this work day to day -- and it's been fascinating finding out what goes on.

Dave Bittner: Well, describe to me what -- what the -- the breadth is of the things that you're hoping to cover here on the show.

Sherrod DeGrippo: Primarily, we want to talk about what's going on in the threat landscape. Like, what are the threat actors doing? What are they thinking? What is their next move? Why do they do the things that they do? And then understanding what drives the individual analysts and researchers that are doing threat intelligence and security work at Microsoft every day. It's really interesting. Some of them are driven by worry. Some of them are driven by the puzzle, the game, the mystery. It's interesting hearing the way that each of them has a point of view on the threat actors that they chase every day.

Dave Bittner: I was listening to one of the recent episodes -- this was Episode 2: Incident Response with Empathy -- and that word empathy really caught my eye here. Why -- why focus on that?

Sherrod DeGrippo: Well, that guest is Matthew Zorich from Microsoft Incident Response -- he's an incident responder on that side of the house -- and he really approaches his work with this extreme empathy for people who can't necessarily do a lot of this themselves. And he offers a lot of free tools, guides, workflows for organizations that maybe don't have the ability to call in Microsoft's top-tier incident response teams to, you know, drop in out of a helicopter and come in and take over. He really thinks about those smaller organizations, the small businesses. And a lot of what he does is take those practices from his large enterprise engagements and provide some guidance to help secure small/medium businesses and individuals, which I found really fascinating.

Dave Bittner: Can we dig in a little bit on -- on empathy itself? I mean, I -- I have a sense that empathy is kind of having a moment right now in cybersecurity --

Sherrod DeGrippo: Oh, good.

Dave Bittner: -- that -- that folks -- well, I mean, I think it's fair to say it's been a long time coming. But I feel like I'm seeing more and more of an emphasis on it and an acknowledgement that, you know, this isn't just ones and zeros, but this human side is critical as well. Is -- is that your experience?

Sherrod DeGrippo: That is my experience, and I want that to be more of my experience.

Dave Bittner: Mm.

Sherrod DeGrippo: I think people really understand in security the impact that they have, and they see day to day the impacts that breaches and incidents have on the victims. And, you know, in security, a lot of us are, you know, driven by anxiety, driven by paranoia, driven by, you know, this weaponization of our own kind of clinical focus on what could go wrong. And I think that we've really come to empathize with some of those victims. And I think that's really healthy and important.

Dave Bittner: Yeah. What has your own journey been like since you've joined Microsoft here? I mean, as -- as -- as I think you alluded to, Microsoft is huge, one of the most major players in the industry. Been around a long time. What's it like for an individual to join an organization of that size?

Sherrod DeGrippo: That's definitely been an interesting experience. I think the overwhelming theme has been -- wait, what? I say that about ten times a day. What? We do what? Everything from, you know, telemetry on every possible source you could think of. You know? We've got so much telemetry -- everything from Bing to host-based, network-based. We've got cloud. We've got email. We've got telemetry coming from every direction and --

Dave Bittner: Hmm.

Sherrod DeGrippo: -- the question is always -- how do we leverage that telemetry to make our customers safer and more informed about the threat landscape, what threat actors are doing, creating intelligence? It's quite a firehose, obviously, but I think what people suspect who have never worked at Microsoft and can see, the people here are super, super smart and they're really focused. Especially in the threat intelligence orb, they're really focused on making people safer, whether it's consumer, enterprise, the network as a whole, the internet as a whole. Everybody wants to do the right thing and -- there's just a lot, lot more people than I'm used to doing it.

Dave Bittner: Hmm. Well, you've got some interesting guests coming up. Can you give us a -- a little bit of a sneak preview of some of the things we can look forward to?

Sherrod DeGrippo: Sure. We're going to release next, in addition to the three that are up already, we've got a focus on the Typhoon threat landscape actors which are primarily based out of China, and a look at what that landscape is doing, is going to do. You know, we focus on several threat actor groups and China is one that we're always watching. So we've got that coming up next. We're also doing some deep dives with some detection engineers where we watch the movie Heat and we kind of talk about some of the social engineering from the classic Michael Mann film that is really, in my opinion, the best threat actor psychology that you can see on display because, I mean, it's got Robert De Niro, Al Pacino. Like, it's got incredible actors. But they really expose their inner thoughts as criminals -- one last heist. Doing it for whatever reasons they're doing it for. And so we kind of watch some scenes in the movie and talk about, you know, how does this apply, for example, to the social engineering landscape in email? And in one case, you know, Robert De Niro is a masterful social engineer.

Dave Bittner: Hmm. Well, the podcast is the Microsoft Threat Intelligence Podcast and its host is Sherrod DeGrippo, Director of Threat Intelligence Strategy at Microsoft. Sherrod, thank you so much for joining us.

Sherrod DeGrippo: Thanks for having me, Dave. Good to talk to you. [ Music ]

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our "Daily Briefing" at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]