The CyberWire Daily Podcast 12.13.23
Ep 1966 | 12.13.23

The United Kingdom's catastrophic ransomware attack.

Transcript

Dave Bittner: The UK faces a looming threat of a catastrophic ransomware attack. The Senate confirms a new National Cyber Director. The rivalry between malware groups BatLoader and FakeBat. BazarCall phishing attack and its unusual use of Google Forms. A serious vulnerability threatens K-12 student data. Spiderman game developer Insomniac Games becomes the latest ransomware victim. Today’s guest is Tim Starks from the Washington Post’s Cybersecurity 202 with China’s influence operations in Taiwan, along with a look back at 2023. We'll touch on Microsoft's Patch Tuesday and why outdated password policies are still a problem.

Dave Bittner: It’s Wednesday December 13th 2023. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

UK reportedly at high risk of catastrophic ransomware attack.

Dave Bittner: We begin today with news from the Guardian that the UK government is reportedly at high risk of a catastrophic ransomware attack due to insufficient planning and investment, as warned by a parliamentary committee. The joint committee on national security strategy highlighted the UK's vulnerability to a major cyber-attack on its critical national infrastructure (CNI), which includes essential assets like energy, water, transportation, health, and telecommunications.

Dave Bittner: Recent examples of such attacks include the NHS incident last year, where patient data was compromised, and the 2020 Redcar and Cleveland council ransomware attack, which led to weeks of system lockdown and costly damages. The government, particularly the Home Office and former home secretary Suella Braverman, have been criticized for not prioritizing ransomware as a policy issue, focusing instead on issues like illegal migration.

Dave Bittner: The report stressed that the UK's CNI is dependent on private, third-party IT systems, making it more susceptible to cyber-attacks. Future attacks could threaten physical security or human life, for instance, by sabotaging CNI operations or hijacking cyber-physical systems like shipping vessels. The NHS is noted as particularly at risk due to outdated IT infrastructure and insufficient capacity for even basic upgrades.

Dave Bittner: Harjinder Singh Lallie, from the University of Warwick, pointed out the potential for wide-ranging impacts on the NHS, including disruptions to appointments, medical records, and staff payment systems. He suggested more frequent updates to operating systems and hardware to reduce costs and disruption.

Dave Bittner: Most ransomware groups targeting the UK are believed to be based in Russia, with North Korean and Iranian groups also posing threats. The UK's support for Ukraine in the current conflict has heightened its risk of being targeted.

Dave Bittner: Margaret Beckett, the chair of the joint committee, remarked on the UK's status as a highly cyber-attacked nation and criticized the government's inadequate response. The government, however, claims to be well-prepared, citing a £2.6 billion investment in cybersecurity and the implementation of minimum standards through the NCSC's Cyber Essentials scheme.

US Senate confirms National Cyber Director.

Dave Bittner: Meanwhile, on this side of the pond, the US Senate yesterday confirmed Harry Coker, Jr. as National Cyber Director in the White House Office of the National Cyber Director, where he will serve as the principal advisor to the President on cybersecurity policy and strategy. He will be the second person to hold the office since its creation in 2021. Coker is a retired senior executive at the Central Intelligence Agency and a career Naval officer. He most recently served as Executive Director of the National Security Agency. The first National Cyber Director was Chris Inglis, who held the post from 2021 until February of this year.

A risk assessment of access to AI models.

Dave Bittner: The Institute for Security and Technology (IST) convened a working group that released a study on the risks associated with increasing access to AI foundation models. The researchers found that greater access escalates the risk of malicious use, such as fraud, crimes, social and democratic disruption, and critical infrastructure interference. This access also raises concerns about compliance failures, removing human oversight, and capability overhang, where models develop unforeseen capabilities.

Dave Bittner: On the positive side, wider access to these AI models can spur faster innovation and allow for more extensive stress-testing, red teaming, and vulnerability identification by a broader range of developers and users.

Research roundup.

Dave Bittner: ThreatX released a report highlighting that most API attacks involve programmatic access, such as automated interactions aiming to scrape data or exploit vulnerabilities. The report emphasizes the importance of robust anti-bot solutions and improved user authentication and validation mechanisms to counter these threats.

Dave Bittner: Tenable researchers found vulnerabilities in the Edulog Parent Portal, used in 7,500 K-12 school districts for tracking students' routes. These flaws, now patched, could have allowed someone with a free account to access API endpoints, potentially revealing sensitive information like student names, bus routes, parent contact details, GPS data, and even encrypted passwords for school district integrations.

Dave Bittner: Sophos has analyzed how ransomware gangs interact with the media, observing their increasing professionalism in press and reputational management. This includes issuing 'press releases', creating sophisticated graphics, and recruiting English-speaking writers. These gangs recognize the newsworthiness of their actions and use media attention to enhance their credibility and pressure victims. Sophos advises the media to avoid engaging with threat actors unless it serves the public interest or provides useful intelligence for defenders.

Dave Bittner: Abnormal Security has identified a BazarCall phishing attack that cleverly uses Google Forms to appear legitimate. The scam involves sending an email about a pending subscription charge and providing a fake customer support number. When a victim calls, they are tricked into installing malware. In this instance, the attacker creates a fake invoice using Google Forms, entering the victim's email address to ensure they receive a copy of the form, which is disguised as a Norton Antivirus payment confirmation. The use of Google Forms allows the email to be sent from a legitimate address, increasing the likelihood of it bypassing security filters.

Dave Bittner: eSentire researchers are monitoring two rival Russophone malware-as-a-service groups, BatLoader and FakeBat. FakeBat, likely a former client of BatLoader, has started its own similar operation. These groups deceive employees by creating Google Ads and websites that mimic legitimate software sites, tricking them into downloading malware loaders disguised as business software. Both BatLoader and FakeBat are focused on infecting corporate employees with various malware types as per their customers' choices. BatLoader's attacks have resulted in companies being infected with Royal Ransomware, Gozi Banking Trojan, credential stealers, and remote access trojans.

Spiderman games developer hit with ransomware.

Dave Bittner: Ransomware group Rhysida claims to have hacked video game developer Insomniac Games, posting limited data as proof. This data includes a screenshot and character art from Insomniac's upcoming Wolverine game, passport scans of employees, and personal documents belonging to Yuri Lowenthal, the voice actor for Insomniac’s popular Spider-Man games. The leak also features internal emails and confidential documents. Rhysida is threatening to release the full data set in seven days and is auctioning it off starting at 50 bitcoins (over US$2 million). Sony, the owner of Insomniac Games, acknowledges the incident and is investigating, but believes no other divisions are affected.

Patch Tuesday.

Dave Bittner: Microsoft's latest Patch Tuesday was relatively light, featuring a total of 35 vulnerabilities. This set comprises 4 critical, 30 important, and one moderate vulnerability. Additionally, the update includes five Chromium patches as part of Microsoft Edge. Prior to this release, only one of these vulnerabilities was publicly known. Notably, none of the vulnerabilities patched in this update were being actively exploited.

Dave Bittner: Coming up after the break, my conversation with Tim Starks from The Washington Post's Cybersecurity 202. We're talking China's influence operations in Taiwan, along with a look back at 2023. Stick around. It is always my pleasure to welcome back to the show Tim Starks. He is the author of The Cybersecurity 202 at The Washington Post. Tim, welcome back.

Tim Starks: Dave, sir.

Dave Bittner: I want to start off with highlighting a bit of a scoop that you and your colleagues at the 202 have here, reporting on research from Graphika. What do you have here today?

Tim Starks: Yeah. So Graphika is one of these organizations that does research on influence operations, disinformation campaigns. And we, obviously, are preoccupied in the United States about our election and worrying about disinformation there, but they have found a disinformation campaign dating back to May of 2022 affecting the upcoming elections in Taiwan next month. Taiwan has been warning -- the Taiwanese leaders have been warning that China is interfering in their elections. Graphika does not explicitly say that China is behind this; they say we can't attribute who's behind. However, if you look at the research, there are a lot of indicators that this is probably Chinese actors, whether it's the Chinese government or not. Because they're in the Chinese language, there are Chinese memes and videos, the fluency in -- with the Taiwanese language is poor. And it just so happens that the campaign -- it just seems to be accidentally sort of favoring the organization -- the political group that is well-known for being closer to a pro-China position and criticizing explicitly the independence-minded political party there and candidate. So it looks like it fits into the pattern of things we've seen with China. And while most of it has been taken down, it's not entirely down. So it's interesting that there are still some elements of it that are -- that are floating around out there.

Dave Bittner: And is this a cautionary tale for us as we continue to roll downhill towards our own election season here?

Tim Starks: Yeah, I think so. I mean, what's interesting about China and election disinformation is that they've kind of dipped their toe in it before with us, but not like, you know, Russia did in 2016 or even subsequent elections. There were signs in the last major election in 2020 that China was getting more interested in this, and 2022, and this seems like they're -- they're full-fledged into it with Taiwan. Now, Taiwan is of greater interest to them, perhaps, than the United States for many reasons, but if you combine this with the discussion that we've heard from US officials that China is getting more brazen with its cyberattacks, not less, it seems like this would give them every -- this is a bit of a -- it could be potentially a bit of a test run for them for the US.

Dave Bittner: Yeah.

Tim Starks: Obviously -- you know, they've obviously -- when it's come to Taiwan and the US and there's been an overlap of disinformation, you know, if you'll recall when then-House Speaker Nancy Pelosi visited not long after, they had a bunch of disinformation campaigns related in Taiwan to Pelosi and Taiwan. So there's a bit -- there's like a Venn diagram of overlap here, and concern, as far as the US and Taiwan.

Dave Bittner: Well, let's switch gears here. As we're coming towards the end of the year, and this is for the two of us, you and I, the last conversation we're going to have before the New Year. Looking back on 2023, how does this year shape up for you when it comes to cybersecurity?

Tim Starks: Yeah, it's -- you know, I've been doing this for a long time. I know you have, too, Dave. There are a couple of things that stand out to me about this year. I've written about this, and others have written about it, but I feel like it's maybe been underappreciated that the MOVEit-based attack -- ransomware attack is arguably the biggest cyberattack of all time, but I don't think we've heard people talk about it that much that way. Because it ultimately ended up affecting more than 2,000 organizations. If you look at the number of people who were affected by it, it's above 60 million. So the other thing that's interesting about that, of course, is that it's -- it's attacking these kinds of organizations that get you into other organizations. We've seen a lot of attacks like that this year.

Dave Bittner: Right.

Tim Starks: So that seems like a wave of the future and a big landmark with one specific attack and the way of the future on the attack vector.

Dave Bittner: It's interesting that MOVEit is -- I guess the word that comes to mind for me is "diffuse" and perhaps that's why it's not getting so much attention.

Tim Starks: Yeah, I think that's it. I mean, when you think of the very big attacks or big landmark kind of attacks it's like the Sony attack, for instance, right?

Dave Bittner: Mm-hmm.

Tim Starks: It was one big organization that was affected. This is lots and lots of organizations affected. The other thing that's interesting about this, and this is -- this is a multiyear trend -- I don't know about you, but I didn't use MOVEit before the attack. I don't think I'd even heard of MOVEit before the attack. Same thing with SolarWinds; I didn't know much about SolarWinds. So there's kind of all these sorts of players that are big players in the IT world who you could attack and really reap a lot of gains from if you're a cyberattacker, and they fit into that pattern, as well.

Dave Bittner: Any thoughts as we come into the new year here? I know it -- you know, we're all reticent to read the tea leaves, as it were, and make predictions, but is it fair to say that 2024 is shaping up to be just as interesting if not more so?

Tim Starks: Yeah, it'll always be -- it will always -- it feels like it'll almost be more interesting. What's -- what's -- you know, I don't know if you remember, coming into this year there was a lot of talks about ransomware attacks being down the prior year. Or at least -- or at least not on the -- on the sort of steady rise they've been on. Well, now that -- that's back to being the case that ransomware attacks are back -- back on the increase.

Dave Bittner: Yeah.

Tim Starks: One thing I've learned from being a cyber reporter, even though it's my job to try to anticipate the threats and trends, it's an exciting and scary place to write about because as much as I think about what's next, it's never what I think it is. It's always something else that comes -- like, MOVEit being a perfect example. It's always hard to anticipate what the next thing is going to be. Nobody -- you know, even though there were indicators in 2016 that there was going to be -- that there had been some vulnerabilities in voting machines and that there had been attacks on presidential campaigns, nobody saw anything like that coming before it happened in 2016. Not the scale of it. Not the way it happened.

Dave Bittner: Yeah.

Tim Starks: It's one of those things where I think about it a lot, and I have no confidence in my ability to predict where hackers are going.

Dave Bittner: Fair enough. I join you in that -- in that lack of confidence in predictive abilities.

Tim Starks: Mm-hmm.

Dave Bittner: Well, Tim Starks is the author of The Cybersecurity 202 with The Washington Post. Tim, thank you so much for joining us throughout this year; it has been a true pleasure for me, and I look forward to our future conversations.

Tim Starks: Yeah, man, I've loved doing it. Thank you for having me this year.

Dave Bittner: And finally, a study by the Georgia Institute of Technology has uncovered that a significant number of popular websites are stuck in a password policy time warp, reminiscent of 1985. Their examination of over 20,000 websites revealed a concerning trend; 75% of these sites allow passwords shorter than the recommended eight characters, with some even accepting single-character passwords. Additionally, 40% of the sites limit password lengths to less than the advised 64 characters. Surprisingly, 72% permit the use of dictionary words, and 88% allow the users to choose passwords that have been previously breached. Alarmingly, a third of these websites don't support the use of special characters in passwords, and nearly 40% accept "123456," the most popular and insecure password. The study also found that a significant portion of websites are still operating under the NIST 2004 password policy guidelines, with just under 17% following an even older recommendation from 1985. Stronger security standards are notably less common, with only a fraction of sites adhering to the more secure NIST 2004 Level 2 guidelines. Furthermore, the researchers' evaluation of website login policies revealed that nearly 2,000 domains dangerously transmit and store passwords in plaintext. Around 3,200 websites disable copy-pasting for crucial fields, and numerous sites employ typo-tolerant password authentication, increasing their vulnerability to various cyberattacks. User enumeration attacks are made easier by the nearly 6,000 websites that provide revealing error messages. Only a minority of sites implement login rate limiting to prevent brute-force attacks, and worryingly, 570 websites were found to be sending plaintext passwords via email, a potential breach of the EU's GDPR. The researchers suggest that modernizing web frameworks and standardizing password policies could drastically improve online security. They recommend outreach campaigns and updates to popular web software to address these widespread authentication issues, emphasizing that software improvements could significantly reduce the number of vulnerable sites. In the digital security dance, it appears that while some are doing the cybersecurity shuffle, others are still slow-waltzing with outdated password policies. And that's the CyberWire. For links to all of today's stories, check out our Daily Briefing at the cyberwire.com. We'd love to know what you think of this podcast. You can email us at cyberwire@n2k.com. We're privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world's preeminent intelligence and law enforcement agencies. N2K strategic workforce intelligence optimizes the value of your biggest investment, your people. We make you smarter about your team while making your team smarter. Learn more at n2k.com. This episode was produced by Liz Irvin. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.