The CyberWire Daily Podcast 11.15.23
Ep 1948 | 11.15.23

A quick Patch Tuesday retrospective, and then a look at what the threat groups are up to.

Transcript

Dave Bittner: A look back at Patch Tuesday. BlackCat uses malicious Google ads. Social engineering in the third quarter of 2023. Are small businesses in denial about ransomware? Molerats have some new tools. Israel turns to NSO Group's Pegasus to search for hostages taken by Hamas. Tim Starks from the Washington Post examines the potential aftermath of a Russian group hitting a Chinese bank. In our Learning Layer, Sam Meisenberg helps a student understand and create a strategy for the CISSP CAT. And a cyberespionage campaign is attributed to Russia's SVR.

Dave Bittner: I’m Dave Bittner with your CyberWire intel briefing for Wednesday, November 15th, 2023.

A look back at Patch Tuesday.

Dave Bittner: We begin today with a look back at yesterday’s November Patch Tuesday.

Dave Bittner: Microsoft addressed fifty-eight vulnerabilities, including, BleepingComputer reports, five zero-days. Three of the zero-days (CVE-2023-36036, CVE-2023-36033, and CVE-2023-36025) have been exploited in the wild. The two other zero-days were publicly disclosed before patches were available, but Microsoft says it hasn’t so far seen any evidence of exploitation.

Dave Bittner: VMware addressed a critical authentication bypass vulnerability in VMware Cloud Director Appliance.

Dave Bittner: Fortinet issued patches for several flaws affecting FortiClient and FortiGate.

Dave Bittner: And SAP has received patches for six flaws, including an improper access control vulnerability with a CVSS score of 9.6, caused by the SAP Business One installation process.

BlackCat uses malicious Google ads.

Dave Bittner: Researchers at eSentire warn that an ALPHV/BlackCat ransomware affiliate is using malware-laden Google ads to target entities in the Americas and Europe. They say, “This affiliate is taking out Google ads promoting popular software, such as Advanced IP Scanner, Slack, WinSCP, and Cisco AnyConnect, to lure business professionals to attacker-controlled websites. Thinking they are downloading legitimate software, the business professionals are actually downloading the Nitrogen malware. Nitrogen is initial-access malware that leverages Python libraries for stealth. This foothold provides intruders with an initial entry into the target organization’s IT environment.”

Social engineering in Q3 2023.

Dave Bittner: Kroll has published its Threat Landscape Report for Q3 2023, finding that social engineering dominated the field last quarter: “This was evidenced by our observations of the dramatic escalation of social engineering tactics, with significant increases in phishing, smishing, valid accounts, voice phishing and other tactics—adding up to the highest volume of incidents we have seen in 2023.” Business email compromise (BEC) attacks rose 13% in Q3 compared to the previous quarter.

Dave Bittner: Kroll’s researchers write, “The increasing volume of social engineering attacks is matched by a broadening range of approaches, whether that is via phone and SMS as the group K2A243 (SCATTERED SPIDER) is known to abuse novel email phishing scams, or directly via Microsoft Teams using DARKGATE malware. As part of the rise in social engineering, business email compromise (BEC) continues to grow steadily in popularity, with both established and newer threat actor groups using a range of tactics to access data and, in some cases, ransom the information.”

Are small businesses in denial about ransomware?

Dave Bittner: A survey by OpenText Cybersecurity has found that a majority (that is, 65%) of small-to-medium-sized businesses don’t believe they’ll be targeted by ransomware attacks. OpenText says, “Findings show a similarity in how small-to-medium sized businesses and enterprises… think about ransomware attacks, including a disconnect about who is a target and growing concern about the use of artificial intelligence by threat actors. While the majority of organizations don't believe they will be attacked, they do understand the business risks as evidenced by increased security spending and plans to expand security teams.”

Dave Bittner: In spite of the security spending and their disinclination to believe that they’ll be targeted by threat actors, 46% of SMBs and enterprises said they were hit by a ransomware attack in the past year.

The Molerats have some new tools (but stick to their familiar targets).

Dave Bittner: Proofpoint researchers yesterday described some new activity by TA402, the Palestinian-aligned threat actor better known as the Molerats, and sometimes called the Gaza Cybergang, Frankenstein, or WIRTE. Between July and October TA402 has used a new downloader, IronWind, which they've used to install shellcode in victim systems. 

Dave Bittner: The group has also shifted away from using malicious Dropbox links and toward deploying XLL and RAR file attachments, presumably the better to evade detection. TA402's targeting has continued to follow its historical pattern of prospecting Arabic-speaking governmental organizations in the Middle East and North Africa. It hasn't so far shown a shift toward direct support of the war between Hamas and Israel.

Israel turns to NSO Group's Pegasus to search for hostages taken by Hamas.

Dave Bittner: Israeli authorities are said, Axios reports, to be using NSO's Pegasus zero-click intercept tool to track cellphones belonging to hostages, murdered civilians, and Hamas terrorists in their effort to locate surviving hostages. NSO Group is said to be approaching US officials to ask for relaxation of strictures against its tools, which it argues have become vital to collection against terrorist organizations. There are so far few signs that the US is moving toward such relaxation, imposed after many reports that Pegasus was widely abused by repressive governments, but there do appear to have been some approaches by European governments advocating for NSO Group's restoration to American good graces.

Cyberespionage campaign attributed to Russia's SVR.

Dave Bittner: Ukraine’s National Cyber Security Coordination Center (NCSCC) has published its analysis of a widespread cyberespionage campaign that this past September hit diplomatic targets in Azerbaijan, Greece, Romania and Italy. The foreign ministries of Azerbaijan and Italy were particularly hard hit. The campaign was widely regarded at the time as a Russian intelligence operation, and the NCSCC attributes it directly to APT29, Cozy Bear, a unit of Russia's SVR foreign intelligence service.

Dave Bittner: The phishbait was familiar: a BMW (one owner, nicely loaded, for sale by owner, etc.) was offered for sale. The NCSCC gives the enemy service due props for intelligent social engineering: "APT29 ingeniously employed benign-looking lures in the form of enticing BMW car sale photos and documents, expertly crafted to draw in unsuspecting victims." And while the bait may have been old (still, however, effective), the phish hook was new. "The lure documents contained hidden, malicious content that exploited the WinRAR vulnerability, granting attackers access to the compromised systems." 

Dave Bittner: The SVR also made creative use of the legitimate Ngrok tool, which is used to provide temporary, public URLs during web development and testing. In this case it enabled them to communicate with infected targets in ways that can be difficult to detect.

Dave Bittner: In this case the intelligence goal seems only tangentially related to Russia's invasion of Ukraine, except insofar as trouble in the Near Abroad inevitably has repercussions for that war. The SVR appears to have been interested in Azerbaijan's intentions with respect to Nagorno-Karabakh, the province Azerbaijan has disputed with Armenia, and which Azerbaijan seized on September 19th and 20th of this year.

Dave Bittner: Cozy Bear, Fancy Bear’s less ostentatious cousin, has been implicated in several other high-profile incidents. These include both Russian intrusion into US targets related to the 2016 US elections, and the 2020 supply chain attack against SolarWinds users.

Dave Bittner: Coming up after the break, Tim Starks from The Washington Post examines the potential aftermath of a Russian group hitting a Chinese bank. In our "Learning Layer," Sam Meisenberg helps a student understand and create a strategy for the CISSP CAT. Stay with us.

Dave Bittner: In the latest edition of our "Learning Layer" segment, N2K's Sam Meisenberg works with student Ethan Cook to understand and create a strategy for the CISSP CAT.

Sam Meisenberg: Welcome to the "Learning Layer." This is your host, Sam Meisenberg, and in this segment you're going to be dropped into a continuation of a tutoring session. And we have a student, Ethan, here who is studying and he's a couple weeks away from a CISSP exam. So -- enjoy, and even if you're not studying for the CISSP, I still think you're going to get something out of it. So here we go. So how are you feeling? You're, like, a couple weeks away.

Ethan Cook: I'm feeling good. The content is definitely starting to stick in more --

Sam Meisenberg: Nice.

Ethan Cook: -- feeling well, doing a lot of the practice tests and, like, practice questions, answering a lot of them right.

Sam Meisenberg: How have your scores been on the practice tests?

Ethan Cook: I would say passing for most of them. You know --

Sam Meisenberg: Passing what? What do you mean by passing?

Ethan Cook: Scoring, like --

Sam Meisenberg: Give me a percent.

Ethan Cook: About, like, 78% --

Sam Meisenberg: Okay.

Ethan Cook: -- to 80%. Still have room to improve --

Sam Meisenberg: Sure.

Ethan Cook: -- but definitely -- definitely passing.

Sam Meisenberg: I think that's a pretty high score. I say, look, if you are -- if you're in the high seventies, low eighties, that's where you want to be because, remember, a 70-80% in your practice questions is not going to translate to, like, 80% on exam day because you're taking the CAT. Right?

Ethan Cook: Mm-hmm.

Sam Meisenberg: Which is like a whole different experience.

Ethan Cook: Yeah, I actually wanted to talk about that a little bit because I've studied for certification exams in the past. I got my Sec Plus.

Sam Meisenberg: Nice.

Ethan Cook: And did well on those, but those are more traditional. And I've --

Sam Meisenberg: Yeah.

Ethan Cook: -- since starting this, heard a lot about the CAT and how it's a very different experience and it's very intimidating. And I kind of have some anxiety about that. I was wondering if you could walk me through that a little bit.

Sam Meisenberg: You -- okay. So you -- you're in the right place 'cause I think what I want to assure you of is there's nothing to be afraid of. It's literally the same experience. It's just a multiple choice exam. It's just the format is a little bit different. So I can walk you through there and kind of tell you what to expect. So do you know what the -- here's a -- here's a -- I know you're tired of answering questions, but here's another question. Do you know what the 'A' stands for in "CAT"?

Ethan Cook: Adaptive?

Sam Meisenberg: Adaptive! Exact -- so all that means is the test is adapting to you as a test taker. So when you answer a question -- right? Say you -- you're on question number one. If you get that question correct, the next question it feeds you is going to be slightly harder. And then you say you get that question right, the question after that, again, slightly harder. And then question number four, you get it wrong, the next question is slightly easier. All that means is it's taking your input from the previous question and your answer, and then feeding you kind of the next question to get to your, like, knowledge and skill level. So that's all we mean by adaptive. It's responding to you as the test taker. If you open the hood of a CAT, what's happening is it's trying to get you to a level where you get every other question wrong. So what that means is on exam day, passing could mean getting, like, 55% of the questions correct. So when you are doing your practice questions now, life is good because you're getting 80% correct. On exam day, it's going to be a weird feeling 'cause you could be doing well and being, sort of, on the route to passing but getting, like, 55% of them right. So it's going to be a weird experience. You're going to feel like you're getting punched in the face every other question. But that's normal. So just walk in expecting that.

Ethan Cook: Yeah. And I saw that, like, there's a range of questions --

Sam Meisenberg: Uh-huh.

Ethan Cook: -- whereas, like, you know, with Sec Plus it was a set number of questions -- I forget off the top of my head how many it was -- but --

Sam Meisenberg: Well, sort of. Sec Plus is up to 90.

Ethan Cook: Up to 90. Okay.

Sam Meisenberg: You could see anywhere from, like, 85 to 90. But, yes, point taken.

Ethan Cook: But with this one, I saw -- I think it was 125 to 175. It's a pretty wide margin there.

Sam Meisenberg: Right. Exactly. So -- and the interesting thing about that is -- so the minimum -- let's clarify those numbers. The minimum that you're going to see is 125. So you are definitely going to see 125 questions at least, no matter who you are on exam day. After 125, the test could end at any point. So what that means is, again, testing at question 125 whether you're above or below this thing called the "passing threshold." And if you are above at 125, you pass. If you are below at 125, you failed. If you are straddling that passing threshold at 125, it keeps feeding you questions until you are clearly above or below. Now that sort of feeding, those extra overtime questions, can go all the way up to 175. So here's the important thing from a time management perspective. You need to anticipate seeing 175 questions.

Ethan Cook: Yeah.

Sam Meisenberg: You need to walk in there planning to see 175 because imagine if you run out of time at question 150, well, then -- then you're going to fail. Right? Because then you basically -- the -- the machine doesn't have enough sort of data on you and it looks back at your last fifty questions and sees whether you're above or below the passing threshold. And if you're below at any point, then you fail. That's a long way of saying -- I don't think the technical pieces matter -- you're not going to pass if you run out of time.

Ethan Cook: But you also -- kind of on the same line of thought -- if I'm at question 170, I'm still in the test. I'm still -- 'cause it would have failed me if I was too low already, so I should still treat those last questions with the same level of seriousness as question 126.

Sam Meisenberg: So you actually need to be more focused and more serious -- questions 126 to 175. What I mean by that is that, think of it as, like, over time, in some senses, because every question matters because there are fifty experimental questions on the CISSP -- fifty! That's a lot.

Ethan Cook: Yeah.

Sam Meisenberg: But they are all built into the first 125.

Ethan Cook: Okay.

Sam Meisenberg: So what that means is questions 126 to the end, there are no experimental questions. Everything matters. Everything is going to affect your score, and going above or below the passing threshold. So you need to be, like, uber focused. And then I know we've talked earlier about the time management piece. That's why you want to spend more time on those questions from 126 to 175 'cause those are the things that will make or break your score.

Ethan Cook: Awesome. Thank you. That -- that -- that explanation really helps clarify the differences between a CAT and a traditional exam.

Sam Meisenberg: So I know that I helped clarify, but how are you feeling? Are you feeling any less anxious?

Ethan Cook: Oh, definitely less anxious. It's -- I think it's always better to know what you're dealing with --

Sam Meisenberg: Mm-hmm.

Ethan Cook: -- than kind of sitting there and -- in ignorance. But definitely would say the exam is still intimidating, but I think that nothing's going to change that. I think I just kind of have to go and get it done with.

Sam Meisenberg: That's right. And -- and look, ultimately, too, I -- I think you kind of hit the right balance. You don't want to be thinking about, like, how the CAT operates on exam day. You don't want to be, like, oh, my gosh! This is an easy question. Does that mean I got a question wrong? Like, you're just going to psych yourself out and not focus on the content. And, ultimately, it's an exam of whether you know your stuff or not. Time management is important. Test day strategy is important -- absolutely. But ultimately the content -- whether you know your stuff -- that's the thing that's going to, you know, take you to the promised land.

Ethan Cook: Yeah. Content is key.

Sam Meisenberg: Content is key. Go off-game. Now, one logistical note: in this segment, we discussed the current four-hour version of the exam, which is 125 to 175 questions. But in April of 2024, the exam will be updated. It will be a three-hour test that has 100 to 125 questions. Thank you for tuning in to this segment of the "Learning Layer." I hope you got something out of it. And if you, yourself, are studying for a certification exam and you have any questions about the content or test-day strategy, please feel free to let me know by emailing learninglayer@n2k.com. This is Sam Meisenberg, and we'll see you next time on "Learning Layer." Happy studying.

Dave Bittner: That's N2K's Sam Meisenberg speaking with student Ethan Cook. And it is always my pleasure to welcome back to the show Tim Starks. He is the author of the Cybersecurity 202 at The Washington Post. Tim, welcome back.

Tim Starks: Hey there.

Dave Bittner: I'm enjoying your recent reporting here on a ransomware gang, and perhaps they -- they went a little bit too far by going after some folks in China. Can you lay out your reporting here for us?

Tim Starks: Yeah. So the ransomware gang LockBit, they managed to get ahold of a -- a U.S. division of the -- the biggest bank in China, and actually the biggest lender by assets in the entire world. It's called the Industrial and Commercial Bank of China, the Financial Services Division -- ICBC we'll just call it for the rest of this talk. So kind of -- kind of a rare target to hit that -- that's this big. Also a rare target to hit that's a Chinese state-owned organization. Obviously, the U.S. arm is a little different, but it's rare to see a Russian gang, as LockBit is suspected of being, go after a Chinese state-owned target. It's happened once -- one other time this year with a -- with a newspaper that China state owns, but that's a big difference, something that has millions worth of -- worth of assets, and that might actually impact people in China who are high up in the Communist Party. The sort of trigger for this was that -- was that Chris Krebs, the former CISA director, had said on Twitter, "I think -- I think LockBit is going to be going through some things." That's a funny way of saying -- a funny way of saying that they're in trouble. Right?

Dave Bittner: Right. Nice -- nice understatement there.

Tim Starks: Yeah. I mean, he -- and he was pointing to the way, you know, the U.S. started focusing in on -- I believe it was -- was it DarkSide? Or -- yeah, it was DarkSide that -- that did the Colonial Pipeline hack. You know? That really energized the United States because suddenly, you know, a part of our economy was being affected and in a way that was very much obvious to the -- to the pocketbook of the average person. Even though the -- the fuel panic that -- that was caused by that was a little bit people's own fault, it still was a -- an indirect result of that pipeline hack. So I talked to a good number of people who -- who were saying, yeah, this is going to be bad for them. Not sure what they were thinking.

Dave Bittner: Yeah. I mean, is -- is it possible that this was an affiliate or that they weren't aware of who they were hitting? What do you think?

Tim Starks: Exactly right. That is one of the possibilities, you know, Allan Liska from Recorded Future brought up to me. Also echoed in another of the comments that's in the story, it seems as though LockBit does not have much quality control on who they decide to tag team with. They seem to just, sort of, like, whoever wants to pay for the -- for our malware can have it. And now you're an affiliate. And then, you know, once -- once it's out there, LockBit -- the LockBit name is on it, they can't necessarily say "not our fault, it's an affiliate." Well, you're still directly connected to who did it. So that is one theory about what happened. Affiliates are going to be maybe more indiscriminate about who they go after. First off, ransomware is often a -- an indiscriminate thing anyway. But -- but there is a -- there's a sort of catch and release thing that can happen. Right? Like, oh, you know, we caught a big fish. We do not want this -- we do not want this shark on our board.

Dave Bittner: Right. Right. Here -- here -- here is your key to unlock everything that we inadvertently locked.

Tim Starks: Exactly. Yeah, yeah.

Dave Bittner: Please carry on.

Tim Starks: That's the -- that's the release part. Here you go, shark.

Dave Bittner: Right.

Tim Starks: Go on back into the ocean.

Dave Bittner: Yeah.

Tim Starks: But -- but, you know, I -- I think in this case, you know, whoever -- whoever did this decided to pursue it and -- and if the gang is to be believed and, of course, we -- we can't always trust what the ransomware gangs claim, they are after all criminals in life we're living, they say ICBC paid. So they -- if they did pay, it was probably a pretty decent fee. I mean, you know, this -- this caused some trouble for the treasuries markets and -- and -- and -- and to -- to -- to see some Reuters reporting on it, you know, it almost caused some real problems for the bank overall because of the assets they have and who they work with. So it -- it -- it really was -- there was really a serious incentive for them to pay, if they did, in fact, pay.

Dave Bittner: Any speculation on how this may play out from here? I mean, do we expect LockBit to get a slap on the wrist, or might they be looking at a shutdown?

Tim Starks: Yeah. It's not -- you know, if you -- I think if you look back to what happened with Colonial Pipeline and the U.S. went after them, got their -- got some of the assets back, got some of the stolen money back, that is -- I guess the ransom payment back -- it wasn't long after that that DarkSide kind of folded and -- and rebranded or dispersed. That's certainly a possibility. China might decide to "extract some pain" -- I believe one of the quotes from one [inaudible 00:22:59] was -- extract some pain from LockBit directly. Or it could be a situation where Russia, you know, says, hey, we've been kind of protecting you. Now you're on your own. Or they might help China, you know, go after these guys. If -- if you'll recall, there was a brief moment before the Ukraine war where the U.S. and Russia were working together to go after a ransomware gang -- it was REvil -- or REvil, depending on who you talk to -- where they actually helped -- helped go after some members and arrested them if the PR videos and -- and the actual appearance in court -- courts were to be believed. Now how sincere that effort was by Russia, you know, there was a lot of speculation at the time that this was a -- a weird kind of diplomacy to -- to say, hey, we'll help you on these ransomware gangs if you leave us alone. Let me go after Ukraine. And not -- not a lot has necessarily come of that since. There have been some dropped charges. There's been some circulation that maybe some of these people are still going through the court systems. It's a little opaque over there in Russia.

Dave Bittner: Yeah.

Tim Starks: So it's possible that Russia just does something like that to -- to signal to China that, hey, we're not going to let them do this to you. And then that could also send a signal to other people that, no -- no, you're not allowed to go after China. They are not -- maybe they're not an ally, but they're close enough that we would prefer that you don't go after them.

Dave Bittner: Right. I -- I would love to be a -- a fly on the wall with some of the -- the diplomatic communiques between the -- the Chinese folks and the Russians saying, "What -- what's going on here, friend?"

Tim Starks: If you get a hold of it, please -- if you get a hold of those, can we -- can we -- those -- those cables, please, please put them on air.

Dave Bittner: Will do.

Tim Starks: And read them all -- just make a whole session out of your -- out of your podcast that day. Like --

Dave Bittner: There we go.

Tim Starks: -- they said [screaming].

Dave Bittner: Right. Right. Lots of -- lots of screaming and gnashing of teeth. All right. Well, Tim Starks is the author of the Cybersecurity 202 at The Washington Post. Tim, thanks so much for joining us.

Tim Starks: Hey, thank you.

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly-changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's pre-eminent intelligence and law enforcement agencies. N2K's Strategic Workforce Intelligence optimizes the value of your biggest investment -- your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and Senior Producer Jennifer Eiben. Our mixer is Tre Hester, with original music by Elliott Peltzman. The show was written by our editorial staff. Our Executive Editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.