The CyberWire Daily Briefing

"Anonymous Sudan hits US commercial, healthcare targets."

Views expressed in this cybersecurity, cybercrime update are those of the reporters and correspondents.  Accessed on 05 June 2023, 2003 UTC.  Content provided by email subscription to "The CyberWire." 

Source: ("The CyberWire Daily Briefing").

Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (

More signal, less noise.

What to consider when choosing a password manager for your business.

Improved security and increased team productivity are just some of the benefits of adding a password manager to your security tech stack. Download 1Password’s latest guide to learn what to look for when evaluating a password manager so you can choose one that best suits your needs.

Daily Briefing

June 5, 2023.

We'd like your feedback.

We're always looking for ways to improve the CyberWire, now N2K Cyber Network, to give you an intelligence-driven news experience that saves you time and keeps you in the know on the latest developments in cybersecurity. Please share your feedback in our 2023 Audience Survey and you will have a chance to win a $100 Amazon gift card. Take the survey.


At a glance.

  • Anonymous Sudan targets Lyft and American hospitals following remarks from US Secretary of State. 
  • NSA releases advisory on North Korean spearphishing campaigns targeting think tanks, universities, and media organizations.
  • MOVEit file transfer vulnerability added to CISA’s known exploited vulnerability catalog. 
  • Moonlighter will test cybersecurity in orbit.
  • "Operation Triangulation" offers an occasion for Russia to move closer to IT autarky.
  • KillNet seems to say it's disbanding (or not).
  • SEC drops cases over improper access to Adjudication Memoranda.
  • Executive and board members are easy targets for threat actors trolling for sensitive information, study finds. 

Anonymous Sudan targets Lyft and American hospitals following remarks from US Secretary of State. 

Anonymous Sudan began targeting US organizations on Saturday in a new distributed denial-of-service (DDoS) campaign after the hacktivists took offense at comments made by the U.S. Secretary of State Anthony Blinken regarding a possible US involvement in Sudan. The hacktivist group posted a threat on its Telegram page today: “Anthony Blinken, you made a big mistake when you thought about invading Sudan. We will continue to target critical infrastructure.” The hacktivists’ targets included US ride-share program Lyft and five US healthcare organizations. The group has reportedly taken a break from targeting the hospitals and Lyft as they are “satisfied” with their results, writing, “The attacks on the Hospitals have been stopped, we will be satisfied with this amount of ‘1 and a half hours.’” It’s unclear if more attacks are to occur, but Anonymous Sudan seems dedicated to pursuing nuisance-level attacks on countries that displease them. (A note–there’s no suggestion in Secretary Blinken’s remarks that the US is considering an “invasion” of Sudan.) 

Sponsored by mWISE

Early bird registration is open. Get the lowest price we offer.

Register now for Mandiant’s mWISE security conference.

NSA releases advisory on North Korean spearphishing campaigns targeting think tanks, universities, and media organizations.

The U.S. National Security Agency (NSA) stated in a press release that it has partnered with five U.S. and Republic of Korea agencies to release a cybersecurity advisory (CSA) titled “North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media.” In the advisory, the agencies note that North Korea’s primarily intelligence agency, the Reconnaissance General Bureau (RGB), is responsible for spear phishing campaigns writing “These North Korean cyber actors are known to conduct spearphishing campaigns posing as real journalists, academics, or other individuals with credible links to North Korean policy circles. The DPRK employs social engineering to collect intelligence on geopolitical events, foreign policy strategies, and diplomatic efforts affecting its interests by gaining illicit access to the private documents, research, and communications of their targets.” 

The statement named the threat actors associated with these attacks as: Kimsuky, Thallium, APT43, Velvet Chollima, and Black Banshee. In many cases the threat actors will pretend to be real journalists to build rapport with their targets, typically the actors will then ask questions regarding current events and U.S. expert opinion on North Korean affairs. The actors will also masquerade as scholars, think tank advisors and officials from the government in email correspondence. Eventually, they will send a fake email pretending to be the target’s email service provider requesting that they reset their password, threatening to permanently delete the target's account if they fail to follow the instructions. NSA advises all potential targets to consider the risks before clicking on links sent over email from unverified sources. Additionally, they suggest training employees on spearphishing awareness writing “Implement a user training program and phishing exercises to raise awareness among users about the risks of visiting websites, clicking on links, and opening attachments. Reinforce the appropriate user response to phishing and spearphishing emails.”

Sponsored by CyberArk

The future of security is identity and with CyberArk, the future of identity is secure.

With 84% of organizations experiencing an identity-related breach, identity is the new battlefield. As the pioneers of privileged access management, we started by protecting the most privileged users and most critical data. With intelligent privilege controls, today we’re applying the same levels of security and protection to every identity – both human and machine. CyberArk offers the most advanced identity security platform in the world, surrounding every identity with a powerful force field of continuous protection.

MOVEit file transfer vulnerability added to CISA’s known exploited vulnerability catalog. 

CISA added Progress MOVEit Transfer SQL Injection Vulnerability (CVE-2023-34362) to its Known Exploited Vulnerabilities Catalog on June 2nd. Mandiant reports that this vulnerability seems to have been used on May 27th by UNC4857 and describes it as “a newly created threat cluster with unknown motivations that has impacted organizations operating in a wide range of industries based in Canada, India, and the U.S.” Mandiant’s researchers add that the threat actors are deploying a newly discovered web shell called LEMURLOOT which is used for data theft. “LEMURLOOT provides functionality tailored to execute on a system running MOVEit Transfer software, including the ability to generate commands to enumerate files and folders, retrieve configuration information, and create or delete a user with a hard-coded name. Initial analysis suggests that the LEMURLOOT web shell is being used to steal data previously uploaded by the users of individual MOVEit Transfer systems,” write researchers.” Mandiant adds that it’s unable to conclusively attribute this new activity to an established threat group, but they list FIN11 and UNC2546 as groups of interest due to shared tactics, techniques and procedures (TTPs). The researchers add that they have also noticed Cl0p searching for partners that utilize SQL injection, so it may be possible that the ransomware group is associated with this exploit. For more on the MOVEit issue, see CyberWire Pro.

Sponsored by Scytale

Are you compliant yet? You better be if you want your prospects to buy.

Your prospects are demanding SOC 2 and you're not closing deals without it. Scytale's security compliance automation platform helps companies get compliant and stay compliant with frameworks like SOC 2, ISO 27001, HIPAA, GDPR and PCI-DSS without breaking a sweat. 

Save hundreds of hours with streamlined compliance and dedicated support, remain compliant all year round with automated monitoring and alerts, and most importantly, boost sales by providing proof of information security to your customers.

Moonlighter will test cybersecurity in orbit.

The launch of the Moonlighter satellite, a government funded satellite coined “the world's first and only hacking sandbox in space” was delayed from yesterday to today due to high winds, Spaceflight Now reports. The launch was scheduled for lift off from the Kennedy Space Center aboard a SpaceX Falcon 9 on a resupply mission to the International Space Station. Earlier Sunday, the outlet reports, another Falcon 9 rocket saw a launch from the neighboring Cape Canaveral Space Force Station.

The Moonlighter was built by the Aerospace Corporation, the Register reports, “a federally funded research and development center in Southern California, in partnership with the US Space Systems Command and the Air Force Research Laboratory.” The satellite will support cybersecurity training and exercises in orbit, with software developed by those working in the infosecurity and aerospace engineering fields.

"Operation Triangulation" offers an occasion for Russia to move closer to IT autarky.

The Record reports that, in response to FSB claims that Apple colluded with the US National Security Agency (NSA) to facilitate NSA access to Russian users' iPhones, Russia is moving to equip officials with phones running Rostelecom's Aurora operating system. Apple has denied working with NSA or any other intelligence service to compromise the security of the devices it sells. "As described on its website," the Record explains, "Aurora gives customers complete control over data processing and complies with Russia’s government security guidelines." The move toward greater autarky has a dual motivation. The first is concern for security. The second is concern to maintain a national IT capability in the face of international sanctions levied in response to Russia's war against Ukraine.

"Operation Triangulation," as Kaspersky researchers called a campaign they say they detected in iOS devices, presumably the same campaign the FSB complained of, remains mysterious. ComputerBild offers a rundown of how the campaign may have unfolded, and notes some possible similarities to other operations using commercial spyware.

KillNet seems to say it's disbanding.

Citing chatter in the hacktivist auxiliary's VKontakte channel, Cybernews reports that KillNet says it's disbanding. The reasons are unclear, but the group's admin posted, “I do not intend to single out the rest, no one deserves an acclaim and a comment. Killnet has been completely disbanded.” The announcement came after resignations and expressions of dissatisfaction. How seriously the announcement should be taken remains to be seen, in some ways the announcement looks more like a do svidaniya to a disgruntled member than a dissolution.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.

SEC drops cases over improper access to Adjudication Memoranda.

The US Securities and Exchange Commission (SEC) on Friday announced that it was dropping a number of cases in which Enforcement staff received improper access to restricted Adjudication Memoranda. The SEC attributed the incident to inadequate internal controls over sensitive information. "We deeply regret that the agency’s internal systems lacked sufficient safeguards surrounding access to Adjudication memoranda," the SEC said, "and we are continuing our work to ensure that, going forward, work product from the Adjudication staff is appropriately safeguarded. We take this lapse in controls very seriously and are committed to both informing the public about the scope of this issue and preventing any similar lapses in the future."

Executive and board members are easy targets for threat actors trolling for sensitive information, study finds. 

Companies spend millions on cybersecurity to protect their corporate infrastructure, but what are the cybersecurity mitigations in place to protect the devices of the executives of the company when not at work? This is the question posed in a study by BlackCloak in their report titled “Understanding the Serious Risk to Executives’ Personal cybersecurity and Digital Lives.” “Organizations are allocating millions of dollars to protect their information assets and employees but are neglecting to take steps to safeguard the very vulnerable digital assets and lives of key executives and board members. Sponsored by BlackCloak, the Ponemon Institute surveyed five-hundred-fifty-three IT and IT security practitioners familiar with programs and policies used to prevent cybersecurity threats against executives and their digital assets,” write researchers. Apparently most companies don’t protect the personal devices of their executives and board members. 58% of companies polled didn’t incorporate the risk of key executive member’s personal devices into their cyber security risk portfolio, and 62% of the companies had no dedicated services to respond to attacks on the high ranking members. For more on the risk to leaders' digital safety, see CyberWire Pro.



Today's issue includes events affecting Argentina, Australia, Brazil, Canada, China, the European Union, Guatemala, the Holy See, Iran, Ireland, the Democratic People's Republic of Korea, the Republic of Korea, Kuwait, Mexico, Moldova, NATO/OTAN, Panama, Russia, Spain, Sudan, Switzerland, Ukraine, the United Kingdom, the United States, Uruguay, and Venezuela.


Upcoming Cyber Security Summits: Salt Lake City, Hartford & National Channel & MSSP Summit (Multiple Locations, June 7 - 15, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception in Salt Lake City on 6/7, Hartford on 6/13 and at the National Channel & MSSP Cyber Summit in Chicago on 6/15. Learn about the latest threats and solutions from The FBI, U.S. DHS / CISA, Darktrace & more. Earn up to 8 CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at

Virtual Banking & Finance Cyber Security Summit (Virtual, June 22, 2023) Log on to join us nationwide at this Virtual Summit exclusively for the finance and banking industry. Learn how to protect your business from the latest threats and best practices to secure your infrastructure. Earn up to 8 CPE/CEU credits with your attendance. FREE admission w/ code CyberWire23 at

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / /Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open


Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+466: Battle handover. (CyberWire) With continued skirmishing in occupied territories and inside Russia itself, the Wagner Group hands ...

Russia-Ukraine war: List of key events, day 467 (Al Jazeera) As the war enters its 467th day, here’s a look at the main developments.

Russian air strikes repelled over Kyiv, but hit regional airfield (Reuters) Russia launched a fresh wave of air strikes against Ukraine early on Sunday, striking an airfield in ...

Find MORE on our website.

Attacks, Threats, and Vulnerabilities

New Security Warning Issued For Google's 1.8 Billion Gmail Users (Forbes) Google has confirmed a dangerous new Gmail problem that affects all users...

He’s leading Mexico’s probe of the Dirty War. Who’s spying on him? (Washington Post) President Andrés Manuel López Obrador took office vowing to investigate Mexico’s worst human rights ...

U.S., ROK Agencies Alert: DPRK Cyber Actors Impersonating Targets to Collect Intelligence (National Security Agency/Central Security Service) The National Security Agency (NSA) is partnering with several organizations to highlight the ...

Find MORE on our website.

Security Patches, Mitigations, and Software Updates

Google Workspace brings a major security innovation to customers with passkeys (Google Workspace Blog) More than 9 million organizations can allow their users to sign in to Google Workspace and Google ...

Microsoft is killing Cortana on Windows starting late 2023 (BleepingComputer) After introducing a string of AI-powered assistants for its products, Microsoft has now announced ...

Microsoft's New Authentication Strength Feature Provides More Control Over CA Policies (Petri) Microsoft has announced the general availability of Conditional Access authentication strength ...


We've created a monster, as predicted (Inside Cyber Warfare) Information security is an industry that grows fat on eating itself

Runaway AI Is an Extinction Risk, Experts Warn (WIRED) A new statement from industry leaders cautions that artificial intelligence poses a threat to ...

AI Won’t Wipe Out Humanity (Yet) (WIRED) This week, we discuss the real and imagined dangers of generative artificial intelligence, which ...

Find MORE on our website.


Galvanick raises $10 million for its industrial cybersecurity platform (Help Net Security) Galvanick announced its $10 million seed round and plans to use the capital to expand its Industrial ...

Ex-Microsoft Industry Veteran Joins Resecurity as COO (PR Newswire) Resecurity, Inc. (USA), a Los Angeles-based cybersecurity company protecting Fortune 500 companies, ...

Products, Services, and Solutions

New infosec products of the week: June 2, 2023 (Help Net Security) The featured infosec products this week are from: Bitdefender, ConnectSecure, CYTRACOM,, ...

Red Sift Launches Relevance Detection as the First GPT-4-Powered Asset Discovery and Classification Solution (Business Wire) New AI Feature Enhances OnDOMAIN’s Capabilities To Secure Unknown Vulnerabilities And Strengthen ...

Data-Driven Goals and Science-Based Strategy (Palo Alto Networks Blog) Palo Alto Networks is committed to protecting everyone’s digital way of life. We are proud to be ...

Find MORE on our website.

Technologies, Techniques, and Standards

Introducing the book: Cybersecurity First Principles (Help Net Security) In this Help Net Security video, Rick Howard discusses his book - Cybersecurity First Principles: A ...

How defense contractors can move from cybersecurity to cyber resilience (Help Net Security) The methods by which defense contractors have attempted to achieve effectiveness differ from the ...

Zero trust in an app centric world with Okta. (CyberWire) Rick Howard, the CSO, Chief Analyst, and Senior Fellow at N2K Cyber, formerly the CyberWire, ...

Find MORE on our website.

Design and Innovation

How to Grease a Chatbot: E-Commerce Companies Seek a Backdoor Into AI Responses (The Information) When Andy Wilson’s company received its first successful client referral through ChatGPT, he was ...

How to survive AI? Microsoft publishes a list of skills needed by human employees in 2023 (Vulcan Post) Execution of any task may soon become near-instantaneous - humans will be evaluated on the idea and ...

If Pinocchio Doesn't Freak You Out, Sydney Shouldn't Either (WIRED) Why do people panic when an AI chatbot tells us it “wants to be human," but not when inanimate ...

Find MORE on our website.

Research and Development

Moonlighter space-hacking satellite readies for launch (Register) 'World's first and only' orbiting infosec playpen due to blast off Sunday

Live coverage: SpaceX delays space station cargo launch until Monday (Spaceflight) Watch our live coverage of the countdown and launch of a SpaceX Falcon 9 rocket from Launch Complex ...

Moonlighter Fact Sheet | The Aerospace Corporation (Aerospace Corporation) To maintain and strengthen domain supremacy for the nation, The Aerospace Corporation (Aerospace) ...

Find MORE on our website.


How university cybersecurity clinics can help cities fight ransomware (CyberScoop) Cybersecurity faculty and students can be a valuable resource to help local governments and business ...

Legislation, Policy, and Regulation

China Cracks Down on Surge in AI-Driven Fraud (Wall Street Journal) Authorities warn of swindlers using hyper-realistic content generated by artificial intelligence.

Kuwait-US boost cooperation to enhance cybersecurity (ACE Times) The US continues to seek international partnerships to promote a global cyberspace, where countries ...

Canada facing rising threat from cyberattacks, defence minister says (Reuters) Canadian Defence Minister Anita Anand said on Saturday that the country's critical infrastructure ...

Find MORE on our website.

Litigation, Investigation, and Law Enforcement

This ‘zombie case’ could have big ramifications for cybersecurity firms (Washington Post) New court ruling sends a ‘chilling’ message to cyber companies, judge argues

ENIGMA SOFTWARE GROUP USA, LLC, Plaintiff-Appellant, v. MALWAREBYTES, INC., Defendant-Appellee. (US Court of Appeals for the 9th Circuit) The panel affirmed in part and reversed in part the district court’s judgment dismissing a lawsuit ...

US Treasury sanctions Iranian cloud provider ‘facilitating’ Tehran censorship (Record) The company ArvanCloud is “a key partner” in the Iranian regime’s effort to set up a parallel ...

Find MORE on our website.


Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.
The CyberWire logo
Twitter IconFacebook IconLinkedIn IconEmail Icon

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.

This email was sent to
why did I get this?  |  unsubscribe  |  manage subscription preferences

The CyberWire · 8110 Maple Lawn Blvd Ste 200 · Fulton, MD 20759-2694 · USA


Popular posts from this blog

SecurityWeek Briefing.

Cyber War Newswire

SecurityWeek Briefing.