The CyberWire Daily Podcast 12.4.23
Ep 1959 | 12.4.23

Iran behind attacks on PLCs.


Tre Hester: The US and Israel attribute attacks on PLCs to Iran. Agent Raccoon backdoors organizations on three continents. XDSpy is reported to be phishing the Russian defense sector. Trends in digital banking fraud. Repojacking Go module repositories. Ann Johnson from Afternoon Cyber Tea speaks with Lynn Dohm, executive director of WiCyS, about the power of diverse perspectives. And when it comes to security, don't look to the stars.

Tre Hester: Today is Monday, December 4th, 2023. I’m Tré Hester, and this is your CyberWire Intel Briefing.

US and Israel attribute attacks on PLCs to Iran.

Tre Hester: The US Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI, NSA, EPA, and the Israel National Cyber Directorate (INCD), recently issued a significant joint Cybersecurity Advisory (CSA) concerning cyber attacks linked to Iran's Islamic Revolutionary Guard Corps (IRGC). The advisory focuses on the exploitation of programmable logic controllers (PLCs) in multiple sectors, emphasizing the broad scope of the threat. Notably, the advisory identifies the IRGC as the perpetrator behind these attacks, a clear attribution that signals the seriousness of the threat.

Tre Hester: The advisory highlights that several US water systems have been targeted, indicating a concentrated effort against critical national infrastructure. It also expands the scope of concern beyond the water and wastewater sector, pointing out that these PLCs, manufactured by Unitronics, are widely used in various industries, including energy, food and beverage manufacturing, and healthcare. These devices are often rebranded, making them appear as products of different manufacturers and companies.

Tre Hester: Additionally, the advisory criticizes the manufacturer for poor security practices, specifically for shipping devices with default passwords and not requiring their reset during installation. This lapse significantly contributes to the vulnerability of these systems.

Tre Hester: The advisory also sheds light on the activities of the CyberAv3ngers, an IRGC persona, detailing both legitimate and false claims of cyberattacks, particularly against Israeli targets, across several sectors such as water, energy, shipping, and distribution, over the past few months. Despite the mixed veracity of these claims, the intent and capability for disruption are evident. In one instance, a related group, Soldiers of Solomon, falsely claimed responsibility for compromising various systems in Israel, using a ransomware named “Crucio”.

Tre Hester: Since November 2023, the IRGC cyber actors have been accessing multiple U.S.-based water and wastewater facilities operating Unitronics Vision Series PLCs, likely exploiting internet-accessible devices with default passwords. These attacks led to defacement messages antagonistic toward Israel.

Tre Hester: This joint advisory underscores the increased prevalence and sophistication of state-sponsored cyberattacks, particularly targeting critical infrastructures, and highlights the urgent need for heightened cybersecurity measures and responsible manufacturing practices.

Current P2Pinfect malware activity, with new capabilities.

Tre Hester: Cado Security has identified a new variant of the P2Pinfect botnet malware, now targeting MIPS architecture, commonly used in routers, Internet of Things (IoT), and other embedded devices. This development indicates a broader targeting strategy by the attackers behind P2Pinfect, aiming to expand the botnet's reach by supporting more processor architectures. The MIPS32 variant of P2Pinfect features advanced defense evasion techniques and leverages Rust for cross-platform development. The rapid expansion of the botnet, coupled with these sophisticated aspects, suggests that a highly skilled threat actor is orchestrating this campaign.

Agent Raccoon backdoors organizations on three continents.

Tre Hester: Palo Alto Networks's Unit 42 researchers have discovered a new backdoor, named "Agent Raccoon," which has been used to infiltrate organizations across the US, Middle East, and Africa. This backdoor, suspected to be deployed by a nation-state threat actor, has compromised various sectors including education, real estate, retail, non-profit organizations, telecom companies, and government. Agent Raccoon is developed using the .NET (dot net) framework and utilizes DNS to create a covert communication channel with its command-and-control (C2) server. The researchers highlight that this toolset is not yet linked to any specific threat actor and appears to be used in multiple campaigns or clusters, indicating its broad application in cyber espionage activities.

XDSpy reported to be phishing the Russian defense sector.

Tre Hester: Russian cybersecurity firm F.A.C.C.T. (pronounced “fast”) reported that the cyberespionage group XDSpy has been targeting a Russian metallurgical company and a ballistic missile development firm through phishing attacks, falsely presenting the emails as coming from a nuclear weapons design institute. The Record notes that little is known about XDSpy, active since at least 2011 and likely state-directed. Cybersecurity company ESET, which monitored XDSpy until losing access in Russia and Belarus following Russia's invasion of Ukraine, noted the group's unsophisticated toolkit but exceptional operational security, hindering attribution to any specific government. XDSpy's activities primarily focus on Eastern Europe, including Russia and the Balkans. While The Record refrains from attributing XDSpy to any nation, it mentions that recent cyberespionage against Russia has mostly originated from North Korea and China, with interests aligning in the theft of technical information, similar to XDSpy's objectives.

Trends in digital banking fraud.

Tre Hester: New research from BioCatch reveals a 64% increase in mobile banking fraud in 2023 compared to the previous year. The study highlights a shift in criminal tactics, moving from bot-driven web-based fraud to emulator-based mobile banking fraud. While there's a rise in both legitimate and illegitimate uses of emulators, the report emphasizes a notable, sometimes drastic, increase in emulator usage. Although there's slower growth in reported fraud cases, BioCatch cautions that this may be due to delays in fraud detection and reporting, suggesting the actual extent of fraud could be higher. This trend indicates a changing landscape in digital banking security, with fraudsters adapting and evolving their methods to exploit mobile banking platforms.

Repojacking Go module repositories.

Tre Hester: VulnCheck's report on repository hijacking, or repojacking, in the Go module ecosystem reveals a significant vulnerability. The study found over 15,000 repositories at risk due to changes in GitHub usernames or account deletions. These repositories are crucial, supporting more than 800,000 Go module-versions. VulnCheck emphasizes that resolving these repojackings is a responsibility that falls on either Go or GitHub, as it's impractical for a third party to register 15,000 GitHub accounts. Until a solution is implemented, the report advises Go developers to remain vigilant about the modules they use and to stay informed about the status of the repositories from which these modules originate. This highlights a critical aspect of software development: being mindful of the foundations on which your code stands.

Who saw that coming?

Tre Hester: And finally, Security Affairs reports a data exposure incident at WeMystic, a service focused on astrology, spiritual well-being, and esotericism, which also operates an online store selling items like natural stones and tarot cards. An unprotected MongoDB database left 34 gigabytes of data, including sensitive customer information, exposed to the internet. The breach involved over thirteen million files, revealing names, email addresses, dates of birth, IP addresses, gender, astrological signs, and user system data. Although WeMystic has now secured the database, it remained open for five days. In a cosmic twist of fate, it seems even the stars couldn't predict this celestial-sized data leak.

Tre Hester: Today we have Ann Johnson, host of Microsoft's Afternoon Cyber Tea podcast, speaking with WiCyS executive director Lynn Dohm about the power of diverse perspectives. [ Music ] Here's Ann.

Ann Johnson: Today I'm joined by Lynn Dohm, the executive director of Women in Cybersecurity, or WiCyS for short. Lynn brings more than 25 years of organizational and leadership experience to the Women in Cybersecurity, WiCyS, team. Lynn is passionate about the need for diverse mindsets, skill sets, and perspectives. She aims to facilitate learning opportunities and discussions on leading with inclusion, equity, and allyship. Lynn has collaborated with businesses, nonprofits, grants and philanthropies to help produce outcomes aligned with cybersecurity workforce initiatives. Welcome to Afternoon Cyber Tea, Lynn.

Lynn Dohm: Thanks, Ann. It's a pleasure to be here.

Ann Johnson: So let's talk a little bit. I read something, Lynn, in the WiCyS blog recently that resonated with me. The blog said, and I'm quoting it, "one of the most impactful ways that we can create a welcoming environment is through our words. In every space that we enter, we have the opportunity to use language that makes everyone around us feel comfortable and to feel safe." I like this because it is not enough to just hire women into the industry; organizations actually have to be intentional every day to create inclusive environments to make people want to say -- Brett, our CISO, likes to say, "You go where you're invited, you stay where you're welcome." So what is your perspective on inclusivity and what practical advice would you give to our listeners on how they can help create a more inclusive environment in their organizations?

Lynn Dohm: Well, this is one of my favorite topics. I really appreciate and love the fact that you're bringing up inclusion here, because it's extremely important. The focus is always like, we need to build a diverse cybersecurity workforce, we need, you know, to diversify; what are we going to do to diversify? But when you peel back the layers, you then realize that the lack of diversity is a symptom of the lack of inclusion. But as the whole world keeps talking about diversifying the workforce, we know that sometimes, in some instances, it can turn into a feel-good metric. Because it's a data point and it's a metric you can measure. And so for some organizations out there, they might measure their diversity numbers, they might put in some initiatives, very likely early career. And a year from now, they can measure those diversity metrics again, and if they grew ever so slightly, they can feel good about themselves and pat themselves on the back and feel like their job is well done. And that's all fine and dandy, but inclusion, inclusion is much more complicated, and it's not normally talked about because it's complicated. Because inclusion is a feeling and it's not a data point. It's not this metric you can measure. But it's a feeling, and it's more of a feeling felt when you're excluded. And so for WiCyS, it was really important for us to have this conversation with industry leaders about the state of inclusion and how we were going to quantify inclusion in order for us to open up the doorways for these conversations. So we partnered with Aleria and we quantified the experiences of exclusion for women in cybersecurity to identify the state of inclusion. The findings were really, really interesting, that, you know, there was 50% of women that feel like their career and lack of advancement opportunities within the organization was their primary source of exclusion in the workplace.
And it was super interesting to us and our research partner because it wasn't found in any other industries. So for us to continue to do the good work that we're doing within WiCyS, we have to not only focus on the pipeline but also that leaky pipe. And that's where the inclusivity really needs to be focused on. And so we put together so many resources, like inclusive language, that's an open source stack, and we're always adding to that inclusive language in the cybersecurity workforce. We have documents on inclusive leadership, how to be an ally to women in cybersecurity, and so many others -- how to create a neurodiverse event, that's a very interesting one, too. So we have all these resources available for everyone to have access to so that they could pay attention. Because we hear time and time again -- and as a matter of fact, even at a recent event I went to, I gathered all these stories that the lack of inclusion is very prominent and exists very much so. And day to day, we hear stories about managers that put up their new hires on their leadership slide decks and label the slide deck "diversity hire." We have instances where industry professionals are showcasing, are going out to, you know, universities and offering their time, volunteering their time, for elevator pitches, only to say to the only female in the room that the elevator pitch was excellent, but her necklace and her nails were distracting. Like these instances are happening right here and right now. So our words do matter. How we express ourselves matters. How we create this culture of inclusion truly does matter in the cybersecurity workforce, not only for us to attract diverse talent, but for those individuals to be retained and to be able to elevate and advance themselves because of it.

Tre Hester: That's Ann Johnson, from the Afternoon Cyber Tea podcast, speaking with Lynn Dohm, executive director of WiCyS. [ Music ] And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at We'd love to know what you think of this podcast. You can email us at Your feedback helps us ensure we're delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity. This episode was produced by Liz Irvin. Our mixer is me, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe. And I'm Tre Hester, filling in for Dave Bittner. Thanks for listening. We'll see you back here tomorrow. [ Music ]