The CyberWire Daily Podcast 7.9.24
Ep 2103 | 7.9.24

Uniting against APT40.


The UK’s NCSC highlights evolving cyberattack techniques used by Chinese state-sponsored actors.A severe cyberattack targets Frankfurt University of Applied Sciences. Russian government agencies fall under the spell of CloudSorcerer.CISA looks to Hipcheck Open Source security vulnerabilities. Avast decrypts DoNex ransomware. Neiman Marcus data breach exposes over 31 million customers. Lookout spots GuardZoo spyware. Cybersecurity funding surges. Our guest is Caroline Wong, Chief Strategy Officer at Cobalt, to discuss the state of pentesting and adapting to the impact of AI in cybersecurity. Scalpers Outsmart Ticketmaster’s Rotating Barcodes.

Today is Tuesday July 9th 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

The UK’s NCSC highlights evolving cyberattack techniques used by Chinese state-sponsored actors.

The UK’s National Cyber Security Centre (NCSC), alongside partners including Australia’s ASD and the US's CISA, issued an advisory on APT40, a Chinese state-sponsored cyber group. APT40 targets entities in various countries, exploiting network vulnerabilities and public-facing applications. They use advanced techniques like rapid deployment of exploits for newly discovered vulnerabilities, reconnaissance, and web shells for persistent access. The advisory includes case studies highlighting their methods, such as credential harvesting and network scanning. Organizations are advised to implement stringent security measures like prompt patching, multi-factor authentication, and network segmentation to mitigate these threats.

A severe cyberattack targets Frankfurt University of Applied Sciences. 

Frankfurt University of Applied Sciences experienced a severe cyberattack, leading to a complete shutdown of its IT systems. The attack, which occurred on Saturday evening, compromised parts of the university's infrastructure despite high security measures. The incident has been reported to the police and relevant authorities. External access and some services have been disabled, affecting communications and safety systems like elevators. The extent of the damage is still unknown, and it is unclear when systems will be fully restored. On-site courses continue, but online enrollment and external communications are currently unavailable.

Russian government agencies fall under the spell of CloudSorcerer.

Researchers at Kaspersky Lab have identified a new hacker group, CloudSorcerer, using advanced cyberespionage tools to target Russian government agencies. First observed in May, CloudSorcerer's techniques are similar to CloudWizard but utilize unique malware, indicating a new threat actor. Their custom malware leverages GitHub for command and control, and services like Yandex Cloud and Dropbox for data collection. The malware's modular structure allows for various independent tasks, such as data exfiltration and system manipulation. The initial access method remains unclear, but overlaps with activity tracked by Proofpoint, which observed related attacks on a U.S. organization.

CISA looks to Hipcheck Open Source security vulnerabilities. 

In March, CISA held its inaugural Open Source Software (OSS) Security Summit to enhance OSS security. The event featured OSS leaders and a tabletop exercise to collaboratively respond to a hypothetical vulnerability in critical OSS. Now, an article by Aeva Black, Section Chief, Open Source Software Security at CISA, focuses on increasing visibility into OSS usage and risks, vital for federal agencies and critical infrastructure. The agency is developing a framework to assess OSS trustworthiness, considering project activity, product vulnerabilities, protection measures, and policies. To scale this effort, CISA is funding a tool called Hipcheck for automating these assessments. This initiative aims to fortify OSS security through transparency, collaboration, and proactive security principles.

By promoting the Secure by Design campaign and encouraging early and consistent security practices, CISA seeks to prevent exploitation of OSS by malicious actors. The collective effort of the cybersecurity and OSS communities is crucial for maintaining a robust and secure open-source ecosystem, ultimately benefiting federal agencies, critical infrastructure, and the public.

Avast decrypts DoNex ransomware. 

Researchers at Avast discovered a cryptographic flaw in DoNex ransomware, allowing them to provide a decryptor to victims since March 2024. Announced at Recon 2024, the flaw had been kept secret for operational security. DoNex, initially called Muse, evolved through several rebrands before stabilizing in April 2024. The ransomware targets the US, Italy, and the Netherlands and uses advanced encryption methods. Avast's decryptor leverages the identified flaw to help victims recover their files without paying the ransom. The decryption process requires providing an original and an encrypted file for reference.

Neiman Marcus data breach exposes over 31 million customers. 

Retailer Neiman Marcus disclosed a May 2024 data breach exposing over 31 million customer email addresses, according to an analysis by Troy Hunt of Have I Been Pwned. Initially reported to affect 64,472 people, the breach also compromised names, contact info, birth dates, gift card info, partial credit card numbers, Social Security numbers, and employee IDs. The breach was linked to the Snowflake data theft attacks, with data sold on hacking forums. A joint investigation revealed the attack targeted organizations without multi-factor authentication on Snowflake accounts.

Lookout spots GuardZoo spyware. 

Researchers at Lookout have identified GuardZoo, an Android spyware targeting Middle Eastern military personnel through apps with military and religious themes. This spyware is linked to a Houthi-aligned threat actor and primarily affects victims in Yemen, Saudi Arabia, Egypt, Oman, UAE, Qatar, and Turkey. GuardZoo, derived from the Dendroid RAT, can act as a conduit to download additional malware, posing significant risks. Recent samples disguise as apps like "Constitution of the Armed Forces," exposing sensitive military documents. This advanced surveillanceware poses a growing threat, urging heightened security measures.

Cybersecurity funding surges. 

PinPoint Search Group has published research analyzing cybersecurity vendor funding. In Q2 2024, the cybersecurity vendor landscape saw significant financial activity with a total of $4.3 billion raised over 92 funding rounds, and 33 acquisitions. Key acquisitions included Cisco's purchase of ArmorBlox and Thales acquiring Tesserent. Notable funding rounds involved companies like Dig Security, which raised $100 million, and Cyera, securing $300 million.

The report highlights a mix of seed and late-stage investments, reflecting a growing interest in sectors like AppSec, Threat Intel, and Data Security. Examples include Sekoia raising $37.5 million in XDR and Blackpoint Cyber's $190 million for detection and response.

Overall, the quarter underscores robust investor confidence in cybersecurity startups and established vendors, driven by increasing cyber threats and the need for advanced security solutions.



Up next, on our Industry Voices segment, Cobalt’s Chief Strategy Officer Caroline Wong joins me to discuss the state of pentesting and adapting to the impact of AI in cybersecurity. 

We’ll be right back

Welcome back. Thanks to Caroline and Cobalt for joining us. We’ve got a link in the show notes to Cobalt’s State of Pentesting 2024 report. 


Scalpers Outsmart Ticketmaster’s Rotating Barcodes. 

And finally,  a report from 404media describes a lawsuit by online event ticketing company AXS which reveals that ticket scalpers have found ways to circumvent anti-scalping measures put in place by platforms like Ticketmaster and AXS. By reverse-engineering ticket generation methods, scalpers can create genuine entry barcodes on their own infrastructure, effectively bypassing the “untransferable” restrictions. This allows them to sell and transfer these tickets, undermining the security measures intended to prevent scalping.

AXS accuses the scalpers of hacking and creating counterfeit tickets, although the tickets are often legitimate and scan correctly at events. Security researchers demonstrated how these barcodes, which rotate every few seconds for security, can be recreated if a token is extracted from the Ticketmaster app. This process has allowed scalpers to sell tickets through secondary markets like StubHub and SeatGeek using services such as Secure.Tickets and, which operate in the shadows with little online presence.

Fans are left confused and concerned about the legitimacy of their purchases, but these methods usually result in valid tickets. Despite the efforts of Ticketmaster and AXS to control and restrict ticket transfers, scalpers have consistently found ways to exploit the systems, raising questions about the efficacy of current security measures and the ongoing battle between ticket platforms and scalpers.

Ah Ticketmaster…seems their security is as transparent as their fees. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

And that’s the CyberWire.

We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to

We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.

N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at


This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.