The CyberWire Daily Podcast 11.28.23
Ep 1955 | 11.28.23

Hospitals on the hotplate after ransomware attacks.

Transcript

Dave Bittner: Ransomware targets healthcare organizations. WildCard deploys SysJoker malware. DPRK cryptocurrency theft. The status of Ukraine's IT Army. A Russian news outlet unmasks Killmilk. Our Industry Insights guest today is Guy Bejerano, CEO and Co-Founder of SafeBreach, discussing the benefits of breach and attack simulation. And there’s discord on dark markets about large language models.

Dave Bittner: Today is Tuesday, November 28th 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Dave Bittner: Our top story today involves a major ransomware attack targeting Ardent Health Services, a Tennessee-based healthcare provider, on Thanksgiving, causing significant disruptions across hospitals in East Texas, New Jersey, Idaho, New Mexico, and Oklahoma. The attack affected all thirty of Ardent's US hospitals, necessitating the diversion of ambulances to alternative facilities. In response to the attack, Ardent's technology team immediately started working to protect data and restore system functionality. They took their network offline, suspending access to various IT applications, including corporate servers, the internet, and clinical programs. The incident has been reported to law enforcement, and Ardent is collaborating with third-party forensic and threat intelligence advisors. The extent of any compromised patient health or financial data remains unclear.

Dave Bittner: In a related development, Vanderbilt University Medical Center in Nashville, Tennessee, is probing a cybersecurity incident involving a compromised database. Preliminary findings suggest that the database did not contain personal or protected information about patients or employees.

Dave Bittner: Furthermore, the patient engagement company Welltok reported a breach earlier this year following an attack by the Clop ransomware group. This incident exposed data of at least 426,000 patients from Premier Health in Ohio and another company based in Georgia.

Dave Bittner: These stories highlight the vulnerability of health care organizations, the degree to which attackers are finding them attractive targets, and the challenges security professionals face when preparing for and responding to these threats.

Dave Bittner: BlackBerry's Global Threat Intelligence Report for Q3 2023 reveals a significant 70% rise in unique malware samples compared to the previous quarter. The financial services sector remains the most frequently targeted, with evidence suggesting that the same cybercriminal groups might be attacking various institutions across different economic sectors. This trend is partly attributed to the growth of Malware-as-a-Service (MaaS) platforms like RustyStealer, RedLine, and Lumma Stealer, which are widely available on underground forums and marketplaces. These developments have led to a convergence of attacks on traditional cybercrime targets and critical infrastructure in various countries, facilitated by the use of shared and commodified tools. Additionally, the report highlights a notable 181% increase in unique malware attacks in the healthcare industry.

Dave Bittner: Researchers have discovered a new variant of SysJoker malware, written in Rust, that is actively targeting mostly Israeli entities amid the ongoing conflict between Hamas and Israel. Check Point, who analyzed the malware, hasn't attributed it to any specific group but observes its use aligns with Hamas interests. SysJoker, previously developed in C++, has been employed since 2021 in attacks against infrastructure, potentially linked to the Electric Powder Operation targeting Israel Electric Company, attributed to the Gaza Cybergang. Intezer, first to report on SysJoker, identifies the current activity as the work of an advanced persistent threat (APT) group they name "WildCard." This APT engages in social engineering tactics like phishing emails, fake social media profiles, and bogus news sites, and also exploits legitimate cloud services. Intezer notes that WildCard, whose exact affiliation is unclear, consistently targets Israeli critical sectors including education, IT infrastructure, and possibly electric power generation.

Dave Bittner: Researchers at SentinelOne have identified two North Korean cryptocurrency theft campaigns named “RustBucket” and “KandyKorn.” The RustBucket campaign initially employed a secondary malware called 'SwiftLoader', disguised as a PDF Viewer. This malware activated while victims engaged with a lure document, subsequently retrieving and executing another stage of malware written in Rust. Conversely, the KandyKorn campaign was a more complex, multi-stage operation aimed at blockchain engineers working for a cryptocurrency exchange. It utilized Python scripts to deploy malware that compromised the host’s Discord app, eventually introducing a backdoor Remote Access Trojan (RAT) named 'KandyKorn', developed in C++. Recently, there has been a convergence of these campaigns, with elements of RustBucket (specifically SwiftLoader droppers) being used to deliver the KandyKorn payloads.

Dave Bittner: The Moscow-based news outlet Gazeta has reportedly identified the person behind the hacker alias "Killmilk" as Nikolai Serafimov. Serafimov, known for being media-savvy yet maintaining a concealed identity, often appeared with his face hidden by a balaclava, resembling a stereotypical hacker image. Despite his marketing acumen, he is considered technically unskilled and more of a self-promoter. His reputation has been tarnished by accusations from former colleagues, who label him a thief involved in running a DDoS-for-hire service and participating in various charity scams. These actions are alleged to harm the Russian cause. His former associates have been hesitant to disassociate from him due to fear of retaliation, as Killmilk allegedly possesses compromising information about their identities. The public exposure of his identity indicates a potential decline in his influence and reputation in the hacking community.

Dave Bittner: The Center for European Policy Analysis (CEPA) published an essay analyzing the IT Army of Ukraine, highlighting the legal ambiguities often surrounding such organizations. The IT Army is compared to US military auxiliaries like the Civil Air Patrol (CAP) and the Military Auxiliary Radio System (MARS), serving as an auxiliary force with a different mission but similar status. Operating under effective authority, the IT Army claims to be a non-combatant entity that adheres to the laws and customs of war, a claim supported by current evidence. CEPA notes that the IT Army primarily engages in distributed denial-of-service (DDoS) attacks. The essay also proposes that the IT Army could serve as a model for smaller or less resource-endowed nations that are unable to sustain a full-scale military cyber command, offering an alternative approach to cyber defense and warfare. 

Dave Bittner: Coming up after the break, our guest, Guy Bejerano, CEO and cofounder of SafeBreach, discusses the benefits of breach and attack simulation. Stay with us. A growing number of organizations are finding that breach and attack simulation plays a critical role in their enterprise security programs, automating threat vector testing to enhance defenses. In this sponsored Industry Voices segment, Guy Bejerano, a former CISO himself and now CEO at SafeBreach, shares insights on developing effective breach-and-attack simulation strategies.

Guy Bejerano: First of all, you need to understand as an organization, you know, what is your strategy? What are the business scenarios that you're protecting? And once you have that, to apply a breach-and-attack simulation technology to actually challenge that and to make sure that you're doing the right things is everything. And so it doesn't matter if you're an organization that relies on detection, for example. A lot of OT organizations are not really preventing because preventative controls in an OT environment is really challenging. So, if you're relying on detection, you want to make sure that whatever detection rule you have will actually fire at the right moment. And the only way to do that is either waiting for an attack to happen, which is not that good, or to test it. And so that type of strategy can be tested continuously. If you're an organization that relies on segmentation or prevention, you can actually test your controls to make sure that you're getting the most out of them in those fields as well. So using BAS technology to really test your strategy and make sure that it's operating as expected is a critical path.

Dave Bittner: You know, I think BAS is still relatively new on the block. And I'm curious what you found with your customers in terms of strategies for getting buy-in from other teams in the organization to adopt a deployment of a proactive BAS program.

Guy Bejerano: What we see and where BAS really shines is the ability to focus the security programs. So instead of just, you know, chasing a long tail of problems, which are generic and doesn't really say how much you've impacted in terms of reducing the risk, the BAS -- the group BAS program and technology can help you to, first of all, measure in an empirical way to prove out to other teams on what's the impact you're making here. And so you're getting a lot of buy-in from other teams. The other one is that, you know, you're dealing with less issues because, again, when you're tuning your program to be around the critical business scenarios and you're testing against those threats that -- that will make the most impact on your business, all of a sudden the discussion is elevated in terms of being strategic. And you're focusing on less -- less issue. So it's not about, you know, patching for one ability. It's about is making sure that the attacker's path is almost impossible. And it makes everything around it more accurate and actually easier. So working with other teams, we found the BAS solutions really help to the security and to explain and to show data, and they're getting more support from other teams.

Dave Bittner: How do you measure success? You know, when you're looking at things like KPIs and metrics, what sort of things should people be focusing on to -- to see how well they're doing?

Guy Bejerano: So there's a great question. So, in terms of KPIs, there are few measurements that can be used here. And really depends on the way -- on your risk appetite and how you're looking at -- at security in terms of strategy. Definitely measure your time to detect. So think about an organization that relies on a lot of detection rules and detection engineering. You'll be able to actually test your detection mechanisms and making sure that, first of all, they will fire at the right time, that the alert is getting to the right person, that, you know, the right ticket is opening in your ticketing system and you can close the entire operational cycle. Very easy to measure. I think that detection time is critical, obviously, because -- because the ability or ability to actually take action before something material has to be a real issue. You can measure. So KPIs can be around reducing your attack surface over time. So, you know, you can -- you can fire millions of attacks, let's say, different permutations of ransomware against your controls, and you can see how over time, you're reducing the ability of an attacker to exploit your systems, again, you know, in a certain way. And that's also very measurable and easy to show for. Can look at things like in terms of, again, KPIs. What's the ROI I'm getting from my security controls? So I want to make sure that, you know, if my security budget is increasing in 20%, I can show my board that I'm reducing my risk in whatever percent you choose to. But it's all measurable. That's another KPI. Can be a business KPI. And it can be operational KPI like, you know, I have 50 different gateways, and I have the same solution that protects all gateways. I want to make sure that I'm getting the same output for my security control. So hold your vendors accountable for what they promised. And with the BAS solution, you can actually do that. So you can make sure that your Palo Alto, your CrowdStrike, your Splunk will actually work as expected across the organization.

Dave Bittner: You know, if I'm a CISO, and I need to make this case that this is something I want to implement, you know, I'm imagining myself walking in and talking to my board of directors. Any tips on how I -- how I communicate the value of this for the various decision-makers and stakeholders? 

Guy Bejerano: Well, first of all, I think that, regardless of what BAS technology you deploy, I think that, you know, for CISO -- and, again, coming from CISO position in my history, it's most important to -- whenever you're in the boardroom to talk about business impact and not just security. You don't do security for security. It's all about the business and what's the business impact. So if you're able to establish that type of legal with your board and create a repeatable model where you present data and show for, you know, what's your exposure against certain threats, and what's the effect of the business can be, a downtime can be, loss of data, etc. And if you can have that empirical way of measuring the impact and provide that information to the board, I think that's very interesting and what we see -- what we see around. So, first of all, define the strategy you're going after. And then tie to data. Data is everything. And if you -- if you can repeat that quarter of a quarter and be predictable, much like, you know, CFOs, then you're starting to create value to the board.

Dave Bittner: You know, I know you were a former CISO yourself. And I'm curious, you know, based on your experience, where do you suppose that we're headed here in terms of proactive security as you look towards the horizon and some of the challenges that we're facing?

Guy Bejerano: Yeah. You know, as we look at the horizon and the fact that, you know, attackers are becoming more sophisticated, you know, everything is more automated, obviously, with the insertion of AI and other technologies, you will not have the level of proactiveness to a point where you have enough time to act before an impact is carried. So if you look at the time that it takes for a new threat to be materialized in the market, and if it, you know, matter of days, it's around six or seven days, something like an SLA around understanding how we're not exposed to a threat before the time of materialization in the market, I think it's critical. So automation embeds within everything that you do in your operation's testing capabilities so you'll be able to know firsthand and -- and to be the first one to know about something that can happen. And you can take action. We have, for example, a 24-hour SLA. So whenever there's a CIRC alert or an FBI alert and the IOCs or TTPs are available, we add it to the product in 24 hours. That's our promise to our customers so they can take action before that certain threat is populated through the entire market.

Dave Bittner: That's Guy Bejerano, CEO at SafeBreach. And, finally, the emergence of large language models like WormGPT and FraudGPT sold on underground forums has sparked widespread attention. Sophos X-Ops conducted an in-depth study revealing a mixed reception among cybercriminals. While several GPT derivatives boast capabilities akin to these models, skepticism prevails with some labeled as scams. Many in the criminal community find tools like ChatGPT overrated and unsuitable for malware creation, citing operational security concerns and detection risks. While some use LLMs for mundane coding or forum enhancements, their application in generating malware remains largely aspirational and limited to proof of concept. Unskilled actors struggle with prompt restrictions and code errors, highlighting a gap between interest and practical application. Intriguingly, these forums also host discussions on AI's broader implications, echoing the same logical, philosophical, and ethical debates seen elsewhere. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at thecyberwire.com. Before we go, a quick reminder that today is Giving Tuesday, an opportunity to show your support for your favorite charitable organization or nonprofit. We hope you'll spare a moment and consider giving to an organization that has meaning for you. We've included a list of some of our team's favorite worthy causes in our show notes. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K's strategic workforce intelligence optimizes the value of your biggest investment: your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Tré Hester with original music by Elliott Peltzman. Our executive producer is Brandon Karpf. Our executive editor is Peter Kilpe. And I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.