The CyberWire Daily Briefing.

"Recent cyberespionage campaigns.  New infection vectors for Mirai."

Views expressed in this cybersecurity, cybercrime, and cyberespionage update are those of the reporters and correspondents.  Accessed on 23 June 2023, 1537 UTC.  Content provided by email subscription to "The CyberWire Daily Briefing."

Source: ("The CyberWire Daily Bulletin").

Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (

Sponsored by Mandiant Worldwide Information Security Exchange (mWISE)
The CyberWire.

Early bird registration is open. Get the lowest price we offer.

Register now for Mandiant’s mWISE security conference.

Daily Briefing

June 23, 2023.

Join the Q2 Cybersecurity Analyst Call

We'd like to invite you to the Q2 Cybersecurity Analyst Call on Thursday, June 29th, 2023 at 2pm EST to take a look at exactly which developments and topics were the most important this quarter. Join our host, CSO, Chief Analyst, & Senior Fellow, Rick Howard, with N2K Networks President, Simone Petrella, and CISO of Centene, Alan Berry for an insightful discussion about industry events from this quarter that have made material impacts. This live event is typically a CyberWire Pro exclusive, but will be open to all readers and listeners! Be sure to submit questions and/or topics with your registration. Register now.

We also invite your feedback.

We're always looking for ways to improve the CyberWire, now N2K Cyber Network, to give you an intelligence-driven news experience that saves you time and keeps you in the know on the latest developments in cybersecurity. Please share your feedback in our 2023 Audience Survey and you will have a chance to win a $100 Amazon gift cardTake the survey.


At a glance.

  • Update on Barracuda ESG exploitation.
  • Camaro Dragon’s current cyberespionage tools spread through infected USB drives. 
  • Mirai update: new infection vectors.
  • Microsoft Threat Intel report: Midnight Blizzard, a Russian SVR threat actor.
  • Ukraine experiencing a "wave" of cyberattacks during its counteroffensive.
  • "Anonymous Sudan" is neither.
  • Proof-of-concept: Microsoft Teams as potential attack vector.

Update on Barracuda ESG exploitation.

Proofpoint has tweeted updates on exploitation of CVE-2023-2868, a vulnerability found in Barracuda's Email Security Gateway (ESG). UNC4841, the "aggressive and highly skilled actor conducting targeted activity" is believed to be acting on behalf of the Chinese government. Its targets, geographically, have been, from the most to least frequently affected, the United States, Norway, Taiwan, and Poland. By sector, UNC4841 has been most interested in academic institutions, defense establishments, and the US Federal Government.

Michael Raggi, Staff Threat Research Engineer at Proofpoint, explained. “Proofpoint has observed intermittent exploitation attempts by Chinese state-aligned threat actor UNC4841 targeting CVE-2023-2868 from October 2022 through May 29, 2023. This vulnerability was being actively used in the wild by an APT actor as recently as three weeks ago. While the phishing campaigns involved conventional espionage operations, the threat actor also exhibited a sustained focus on scientific research, energy entities, and public health data which demonstrates a more complex tasking than initially disclosed publicly. This zero-day vulnerability continues an increasing trend of vulnerable email gateway appliances being exploited via advanced exploits contained within phishing emails.”

Barracuda has issued both mitigations and patches.

Sponsored by CyberArk

The future of security is identity and with CyberArk, the future of identity is secure.

With 84% of organizations experiencing an identity-related breach, identity is the new battlefield. As the pioneers of privileged access management, we started by protecting the most privileged users and most critical data. With intelligent privilege controls, today we’re applying the same levels of security and protection to every identity – both human and machine. CyberArk offers the most advanced identity security platform in the world, surrounding every identity with a powerful force field of continuous protection.

Camaro Dragon’s current cyberespionage tools spread through infected USB drives. 

Check Point Research released a report focusing on a USB-propagated malware campaign that it attributes to the Chinese-based espionage group Camaro Dragon. The Check Point Research Incident Response Team (CPIRT) discovered the malware while investigating an incident in a European hospital earlier this year. “The investigation showed that the malicious activity observed was likely not targeted but was simply collateral damage from Camaro Dragon’s self-propagating malware infections spreading via USB drives.” Patient Zero, as CPR calls the first victim, initially received the infection while attending a conference in China and connecting a USB drive to a colleague's already infected computer. 

The malware hides all of the victim’s files on the drive and shows a program that appears to merely display the files, but which launches a backdoor in the background. The tools involved in the infection, WispRider and HopperTick, seem to align with other tools used by Camaro Dragon, including TinyNote (a Go-based backdoor) and HorseShell (a malicious router firmware). 

The malware spreads through human interaction with infected machines. Check Point writes, “The ability to propagate autonomously and uncontrollably across multiple devices enhances this threat’s reach and potential impact. This approach not only enables the infiltration of potentially isolated systems but also grants and maintains access to a vast array of entities, even those that are not primarily targeted.” The researchers have since noticed several newer variations of these backdoors, all seeming to originate in Southeast Asia. Check Point reports that Camaro Dragon uses its own FTP servers and third-party services like Google Drive to exfiltrate data.

Sponsored by Expel

Wish you had a cheat sheet for AWS investigations? Expel created one!

We remediate loads of cyber incidents in Amazon Web Services (AWS), and some common themes have emerged re: attacker use of APIs. We’ve noticed they map nicely to MITRE ATT&CK tactics.

So we captured them in a mind map of possible attack paths once hackers are inside an AWS environment. This resource should be helpful if you ever find yourself chasing a baddie through the cloud and want to catch them sooner than later.

Mirai update: new infection vectors.

A version of the Mirai botnet is exploiting vulnerabilities affecting D-Link, Arris, Zyxel, TP-Link, Tenda, Netgear, and MediaTek devices, BleepingComputer reportsAccording to Palo Alto Networks’ Unit 42, “The threat actors have the ability to gain complete control over the compromised devices, integrating those devices into the botnet. These devices are then used to execute additional attacks, including distributed denial-of-service (DDoS) attacks.”

Akamai has observed Mirai botnet samples exploiting CVE-2023-26801, a command injection vulnerability affecting certain versions of LB-LINK wireless routers. The researchers stated, “This can lead to various security risks, including unauthorized access, device compromise, and further exploitation within the network.”

Sponsored by Scytale

Are you compliant yet? You better be if you want your prospects to buy.

Your prospects are demanding SOC 2 and you're not closing deals without it. Scytale's security compliance automation platform helps companies get compliant and stay compliant with frameworks like SOC 2, ISO 27001, HIPAA, GDPR and PCI-DSS without breaking a sweat. 

Save hundreds of hours with streamlined compliance and dedicated support, remain compliant all year round with automated monitoring and alerts, and most importantly, boost sales by providing proof of information security to your customers.

Microsoft Threat Intel report: Midnight Blizzard, a Russian SVR threat actor.

Microsoft has released a new intelligence profile on a Russian Foreign Intelligence Service (SVR) threat actor it now calls Midnight Blizzard (formerly NOBELIUM). This threat actor targets government agencies, non-governmental organizations, and diplomatic personnel in an intelligence gathering operation. Microsoft writes, “They utilize diverse initial access methods ranging form stolen credentials to supply chain attacks, exploitation of on-premise environments to laterally move to the cloud, exploitation of service providers’ trust chain to gain downstream customers, as well as ADFS malware known as FOGGYWEB and MAGICWEB. Midnight Blizzard is tracked by partner security companies as APT29, UNC2452, and Cozy Bear.” Midnight Blizzard uses a “cyber fire-and-maneuver” technique, moving between low-reputation IP addresses that are used for only a short period of time. This helps them obfuscate their operations. In response to this threat actor Microsoft announced that it has added protections to Defender Antivirus, Defender for Endpoint, Defender for Cloud Apps, and Azure Active Directory. 

Ukraine experiencing a "wave" of cyberattacks during its counteroffensive.

US Deputy National Security Advisor Anne Neuberger told the FT Cyber Resilience Summit yesterday, “We know Ukraine is currently experiencing a significant surge in cyberattacks in parallel to the kinetic aspects.” The Record reports that she specified neither the scope of the attacks nor the sectors that were receiving hostile attention. 

"Anonymous Sudan" is neither.

There's a growing consensus that Anonymous Sudan, which represents itself as a hacktivist organization with Islamist sympathies operating in Sudan, is neither an Anonymous affiliate nor Sudanese. Cybernews summarizes the evidence that points to the group's status as a KillNet affiliate, which means in turn that it's working for the Russian intelligence services. Much of the evidence leading to the conclusion that Anonymous Sudan is a Russian front group comes from research by Australian security firm CyberCX, and Anonymous Sudan wasn't happy about being outed. The group yesterday said it had conducted a distributed denial-of-service (DDoS) attack against CyberCX's website (no signs of disruption this morning), explaining, "The reason for the attack: stop spreading rumors about us, and you must tell the truth and stop the investigations that we call the investigations of a dog." The "dog" insult is a nice but too obvious gesture toward the culture of the Sahel, but, really, few will be deceived. Straight up, Anonymous Sudan is Russian.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.

Proof-of-concept: Microsoft Teams as potential attack vector.

Researchers at Jumpsec have discovered a way to use Microsoft Teams as a vector for malware delivery, BleepingComputer reports. Researcher Max Corbridge explains, “Exploitation of the vulnerability was straightforward using a traditional IDOR technique of switching the internal and external recipient ID on the POST request.” Corbridge adds, “When sending the payload like this, it is actually hosted on a Sharepoint domain and the target downloads it from there. It appears, however, in the target inbox as a file, not a link.”

Microsoft acknowledged the vulnerability, but told Jumpsec that it “did not meet the bar for immediate servicing.”

Dror Liwer, co-founder of Coro, stated, “While we normally hear about email as the most common entry point for attackers, we see Teams, Slack, and other messaging platforms as a quickly developing vector. Attackers will always look for a path of least resistance, and while email has been a very lucrative method, less people expect an attack through Teams, and as such are more easily targeted.”



Today's issue includes events affecting Australia, Canada, China, Japan, Romania, Russia, Taiwan, Ukraine, the United Kingdom, and the United States.


On-demand Webinar: Build an Effective Endpoint Detection and Response Strategy (Virtual, June 16 - 25, 2023) Are you ready to simplify your endpoint security? Join the live virtual event to discover how you can safeguard your AWS environment with tools available in AWS Marketplace. Watch Now.

Workforce Intelligence: What It Is And Why You Need It For Cyber Teams (Virtual, June 21 - 28, 2023) Just as you regularly evaluate and upgrade technology to improve performance, the same approach must apply to your people. N2K’s Jeff Welgan and Yameen Huq discuss workforce intelligence and how it can optimize your cyber talent development strategy.

July Cyber Security Summits (Multiple locations / Virtual, July 13 - 27, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception on 7/13 in Raleigh-Durham, on 7/20 in DC and 7/27 in Pittsburgh. Learn about the latest threats and solutions from The FBI, U.S. DHS / CISA, IBM Security & more. Earn CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open


Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+484: Missile strikes, cyberattacks, and (allegedly) wicked counselors. (CyberWire) 36,000 Western-trained Ukrainian troops prepare to enter battle.

Russia Detains Five It Claims Tried To Buy Nuclear Material To Discredit Moscow (RadioFreeEurope/RadioLiberty) Moscow says it has detained several people it claims are linked to Ukraine who were trying to buy ...

Zelensky says Russia is planning to sabotage Zaporizhzhia nuclear plant (Washington Post) Ukrainian President Volodymyr Zelensky warned Thursday that Russian forces were preparing a ...

Find MORE on our website.

Attacks, Threats, and Vulnerabilities

Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives (Check Point Research) Executive summary Introduction In early 2023, CPIRT investigated an incident at a European hospital. ...

Chinese malware accidentally infects networked storage (Register) Hides itself from popular Asian AV, also uses games to do its dirty work

Microsoft Teams bug allows malware delivery from external accounts (BleepingComputer) Security researchers have found a simple way to deliver malware to an organization with Microsoft ...

Find MORE on our website.

Security Patches, Mitigations, and Software Updates

CISA Releases Four Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA) CISA released four Industrial Control Systems (ICS) advisories on June 22, 2023. These advisories ...

Apple Releases Security Updates for Multiple Products | CISA (Cybersecurity and Infrastructure Security Agency CISA) Apple has released security updates to address vulnerabilities in multiple products. An attacker ...

Juniper Networks Releases Security Advisory for Junos OS and Junos OS Evolved (Cybersecurity and Infrastructure Security Agency CISA) Juniper Networks has released a security advisory that addresses a vulnerability in Junos OS and ...

Find MORE on our website.


The bored teenagers who can disrupt the world (The Spectator Australia) Most of us live a strange double life when it comes to hacking. We read headlines saying that our ...


NYC's First Cyber Academy Cohort Looks Back (GovTech) The cybersecurity upskilling program is educating its second cohort, tweaking the material with ...

Devo Names Trevor Crompton Area Vice President of EMEA (PR Newswire) Devo Technology, the cloud-native security analytics company, today announced the leadership ...

Barracuda welcomes Siroui Mushegian as CIO (PR Newswire) Barracuda Networks, Inc., a trusted partner and leading provider of cloud-first security solutions, ...

Find MORE on our website.

Products, Services, and Solutions

New infosec products of the week: June 23, 2023 (Help Net Security) The featured infosec products this week are from: Cymulate, Edgescan, ESET, iStorage, and Netskope.

Dasera Introduces Free 'Ski Lift,' Elevating Data Security and Governance for Snowflake Users (Business Wire) Automated, Self-Service Data Security and Governance Now Available for Snowflake Users – At No Cost

LastPass Unveils its Channel Partner Program and Commitment to a Partner-Centric Community (Business Wire) Allegiance Partner Program designed to help LastPass partners boost profitability and improve ...

Find MORE on our website.

Technologies, Techniques, and Standards

NSA shares tips on blocking BlackLotus UEFI malware attacks (BleepingComputer) The U.S. National Security Agency (NSA) released today guidance on how to defend against BlackLotus ...

SSDF and IoT Cybersecurity Guidance: Building Blocks for IoT Product Security (NIST) NIST’s IoT cybersecurity guidance has long recognized the importance of secure software development ...

Secure Technology Alliance Celebrates 30 Years of Cross-Industry Achievement Spanning Identity, Payments, Access Control and Beyond (GlobeNewswire News Room) Milestones include contributions to U.S. adoption of EMV chip cards, advancements in PIV cards, ...

Find MORE on our website.

Research and Development

Eight teams of hackers will compete to breach U.S. satellite in space (Newsweek) Protecting satellites from hacks is becoming more important as industries from agriculture to ...

Corsha Announces $1.8 Million AFWERX TACFI Grant Award (Corsha) Corsha launches pilot to determine how to enable AFSC to securely move data from additive ...


Boise State partners with MARS Suite Corporation to address cyber threats, demand for talent (Boise State News) Boise State University’s Institute for Pervasive Cybersecurity is partnering with cybersecurity ...

Support for cybersecurity clinics across the U.S. (Google) Our new $20 million collaboration with the Consortium of Cybersecurity Clinics will expand and ...

Legislation, Policy, and Regulation

Why is it so rare to hear about Western cyber-attacks? (BBC News) Could a cyber-attack on a Russian technology company provide a rare insight into a Western hack?

Romanias Cybersecurity Chief Proposes Banning TikTok (UrduPoint) TikTok should be banned in Romania as it may send data to the Chinese government, Anton Rog, the ...

US cyber ambassador says China can win on AI, cloud (Register) Calls on governments to combat 'playbook' that propelled Huawei to prominence

Find MORE on our website.

Litigation, Investigation, and Law Enforcement

Crypto malware ring targeting Canada busted in Ukraine (Cybernews) The criminals operated in a rented office space and demanded that new staff members take a polygraph ...

Twitter may face fines in Australia over hate speech (Axios) Australia's online safety regulator sent a legal notice to Twitter demanding the social network ...

Former FBI analyst who kept classified records in home sentenced to prison (The Hill) Correction: Former FBI analyst Kendra Kingsbury is a resident of Kansas. The information was ...

Find MORE on our website.


Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.
The CyberWire logo
Twitter IconFacebook IconLinkedIn IconEmail Icon

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.

This email was sent to
why did I get this?  |  unsubscribe  |  manage subscription preferences

The CyberWire · 8110 Maple Lawn Blvd Ste 200 · Fulton, MD 20759-2694 · USA


Popular posts from this blog

SecurityWeek Briefing.

Cyber War Newswire

SecurityWeek Briefing.