The CyberWire Daily Bulletin.

"ALPHV threatens to leak stolen Reddit data."

Views expressed in this cybersecurity, cybercrime, cyber espionage update are those of the reporters and correspondents.  Accessed on 20 June 2023, 1942 UTC.  Content supplied by email subscription to "The Cyberwire Daily Bulletin."

Source: ("The CyberWire Daily Bulletin").

 Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (

More signal, less noise.

Early bird registration is open. Get the lowest price we offer.

Register now for Mandiant’s mWISE security conference.

Daily Briefing

June 20, 2023.

Join the Q2 Cybersecurity Analyst Call

We'd like to invite you to the Q2 Cybersecurity Analyst Call on Thursday, June 29th, 2023 at 2pm EST to take a look at exactly which developments and topics were the most important this quarter. Join our host, CSO, Chief Analyst, & Senior Fellow, Rick Howard, with N2K Networks President, Simone Petrella, and CISO of Centene, Alan Berry for an insightful discussion about industry events from this quarter that have made material impacts. This live event is typically a CyberWire Pro exclusive, but will be open to all readers and listeners! Be sure to submit questions and/or topics with your registration. Register now.

We also invite your feedback.

We're always looking for ways to improve the CyberWire, now N2K Cyber Network, to give you an intelligence-driven news experience that saves you time and keeps you in the know on the latest developments in cybersecurity. Please share your feedback in our 2023 Audience Survey and you will have a chance to win a $100 Amazon gift cardTake the survey.


At a glance.

  • ALPHV threatens to leak stolen Reddit data.
  • Mystic Stealer malware: evasive, and with a feedback loop in the C2C market.
  • RDStealer cyberespionage tool in the wild.
  • US offers reward for information on Cl0p ransomware gang.
  • Anonymous Sudan looks like a Russian front group.
  • KillNet, REvil, and Anonymous Sudan form a "DARKNET Parliament" and “sanction” the European bBanking system.
  • British Government commits £25 million in cybersecurity aid to Ukraine.
  • What's turning up in cloud honeypots.

ALPHV threatens to leak stolen Reddit data.

The ALPHV ransomware gang (also known as BlackCat) is threatening to release 80 gigabytes of stolen data unless Reddit repeals its unpopular API rate hikes. (And pays the attackers $4.5 million.) Computing reports that the data were taken in February, and that ALPHV gained access to the sensitive information by successfully phishing for employee credentials. For more on ALPHV and Reddit, see CyberWire Pro.

Sponsored by CyberArk

The future of security is identity and with CyberArk, the future of identity is secure.

With 84% of organizations experiencing an identity-related breach, identity is the new battlefield. As the pioneers of privileged access management, we started by protecting the most privileged users and most critical data. With intelligent privilege controls, today we’re applying the same levels of security and protection to every identity – both human and machine. CyberArk offers the most advanced identity security platform in the world, surrounding every identity with a powerful force field of continuous protection.

Mystic Stealer malware: evasive, and with a feedback loop in the C2C market.

Mystic Stealer is a new info stealer gaining traction in the cyber threat landscape. As researchers at Cyfirma explain, “The stealer was made available for testing to well-known veterans within the forum, who verified its effectiveness and provided valuable feedback for further enhancements. The threat actors diligently incorporated these recommendations into the stealer, resulting in ongoing updates and improvements. Consequently, Mystic Stealer has begun to establish a stronger foothold in the threat landscape, as evidenced by the rising number of command and control (C2) panels observed in the wild.” 

Mystic Stealer’s unknown developers assist with the installation process on the customer’s Linux server and then hand over complete control of the command-and-control panel. One of the more dangerous aspects of Mystic Stealer is the community feedback from customers. This allows the developers to make the tool more effective and efficient. Researchers at Zscaler report that, “Key data theft functionality includes the ability to capture history and auto-fill data, bookmarks, cookies, and stored credentials from nearly 40 different web browsers. In addition, it collects Steam and Telegram credentials as well as data related to installed cryptocurrency wallets. The malware targets more than 70 web browser extensions for cryptocurrency theft and uses the same functionality to target two-factor authentication (2FA) applications.” For more on Mystic Stealer, see CyberWire Pro.

Sponsored by Expel

Wish you had a cheat sheet for AWS investigations? Expel created one!

We remediate loads of cyber incidents in Amazon Web Services (AWS), and some common themes have emerged re: attacker use of APIs. We’ve noticed they map nicely to MITRE ATT&CK tactics.

So we captured them in a mind map of possible attack paths once hackers are inside an AWS environment. This resource should be helpful if you ever find yourself chasing a baddie through the cloud and want to catch them sooner than later.

RDStealer cyberespionage tool in the wild.

Bitdefender this morning shared their discovery of a new custom malware strain known as RDStealer, which used DLL sideloading for the purpose of cyberespionage. The researchers say that sideloading, or the practice of downloading an application or program via unofficial software distribution channels, allows the threat actor to monitor “incoming Remote Desktop Protocol (RDP) connections with client drive mapping enabled.” The Logutil backdoor then infects the victim’s device and lifts sensitive data.

Both RDStealer and Logutil are written in the Go programming language, which has the capability of infecting multiple operating systems; researchers have identified cases impacting both Linux and ESXi. The threat actor, active since at least 2020, is believed to be based in China, though that has yet to be confirmed. The use of custom malware by the hackers has been observed since late 2021 or early 2022. Credential theft and data exfiltration are believed to be this campaign’s primary goals. 

Sponsored by Scytale

Are you compliant yet? You better be if you want your prospects to buy.

Your prospects are demanding SOC 2 and you're not closing deals without it. Scytale's security compliance automation platform helps companies get compliant and stay compliant with frameworks like SOC 2, ISO 27001, HIPAA, GDPR and PCI-DSS without breaking a sweat. 

Save hundreds of hours with streamlined compliance and dedicated support, remain compliant all year round with automated monitoring and alerts, and most importantly, boost sales by providing proof of information security to your customers.

US offers reward for information on Cl0p ransomware gang.

Progress Software has disclosed and patched a third vulnerability in its MOVEit file transfer application. The flaw is a SQL injection vulnerability (CVE-2023-35708) that could allow an attacker to “submit a crafted payload to a MOVEit Transfer application endpoint which could result in modification and disclosure of MOVEit database content.” A proof-of-concept for the vulnerability was published on June 15th.

Cl0p continues its exploitation of MOVEit vulnerabilities to distribute ransomware. Ransom demands have begun to arrive at US Government agencies and other victims. According to Reuters, the US Department of Energy has received two such notices. BleepingComputer reports that the US State Department's Rewards for Justice program is offering up to $10 million for information tying the Cl0p ransomware gang to a foreign government. Cl0p has used the MOVEit vulnerabilities to compromise at least two dozen entities, including some US government agencies, SecurityWeek reports For more on Cl0p, and developments in the MOVEit vulnerability exploitation, see CyberWire Pro.

Anonymous Sudan looks like a Russian front group.

Researchers are moved to conclude that Anonymous Sudan is a Russian-run operation, and not the Islamist patriotic hacktivist collective it claims to be.

Researchers at CyberCX have released an intelligence update on Anonymous Sudan after that threat group attacked Australian government organizations. The researchers point out that they assess, with high confidence, that Anonymous Sudan is unlikely to be the simple religious hacktivist group it purports to be, “and that Anonymous Sudan is unlikely to be geographically linked to Sudan.” CyberCX assesses that the threat group uses a substantial paid proxy infrastructure across various countries to conduct its attacks.This supposed backwater organization has suspiciously significant funding and a complex operational style.

Researchers at Trustwave write “There are numerous clues left behind by Anonymous Sudan pointing toward the group being associated in some manner with Killnet. The primary indicator is that Anonymous Sudan’s preferred attack vector is DDoS attacks, the attack type that Killnet has conducted. Other circumstantial evidence pointing toward a Russian connection is that the Anonymous Sudan Telegram posts are mostly in Russian (with some in English), and the targets are all nations that support Ukraine in its fight against Russia.” For more on Anonymous Sudan, see CyberWire Pro.

KillNet, REvil, and Anonymous Sudan form a "DARKNET Parliament" and “sanction” the European banking system.

KillNet, in partnership with REvil and Anonymous Sudan, announced last Wednesday, June 14th, that they would attack European banking systems. They seem at least in part to have kept their promise. This isn’t the general attack on the SWIFT interbank funds transfer system the operators have been threatening, and it’s always difficult to determine the effectiveness of these attacks, but it seems the hacktivist auxiliaries successfully carried out a distributed denial of service (DDoS) attack against the European Investment Bank (EIB). EIB has confirmed that they are experiencing a cyber attack which is affecting the status of their website in a tweet on June 19th writing, “We are currently facing a cyber attack which affects the availability of and We are responding to the incident.” 

The hacktivist triumvirate also claims to have created a “DARKNET Parliament.” A communiqué announced, “72 hours ago, three heads of hacker groups from Russia and Sudan held a regular meeting in the DARKNET parliament, and came to a common decision: SOLUTION №0191. Today we are starting to impose sanctions on the European banking transfer systems SEPA, IBAN, WIRE, SWIFT, WISE.” Although the groups may have successfully disrupted the EIB’s website, the damage done is probably transitory. The incident represents another politically motivated, nuisance-level attack (accompanied by tiresome long-winded gasconade) of the sort that’s become commonplace during the current phase of Russia’s hybrid war.

British Government commits £25 million in cybersecurity aid to Ukraine.

HM Government on Sunday announced that it would allocate £25 million to aid Ukraine's cybersecurity efforts. Prime Minister Rishi Sunak explained, "Russia’s appalling attacks on Ukraine are not limited to their barbaric land invasion, but also involve sickening attempts to attack their cyber infrastructure that provides vital services, from banking to energy supplies, to innocent Ukrainian people. This funding is critical to stopping those onslaughts, hardening Ukraine’s cyber defences and increasing the country’s ability to detect and disable the malware targeted at them." The new grant builds on and significantly expands last year's £6.35 million tranche of cybersecurity assistance.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.

What's turning up in cloud honeypots.

Orca Security this morning released a report detailing insights into attacker tactics, techniques, and procedures (TTPs), as well as the things that attract attackers. In the 2023 Honeypotting in the Cloud Report, the researchers placed honeypots — faux traps intended to lure cybercriminals away from actual threats — on a variety of environments, including AWS S3 Buckets, GitHub, and DockerHub, among others. Each of the nine deployed honeypots was said to contain a secret, which, in this case, was an AWS secret access key.

Key insights from the report include the rapid discovery by threat actors of vulnerabilities, as these honeypots were discovered within minutes of their deployment. The usage of the key, however, varies between different environments; the researchers saw GitHub keys used within two minutes, whereas with S3 buckets, exploitation took upwards of eight hours. Certain resources and environments are more attractive to malicious actors: more popular resources can be easy to access and contain a treasure trove of sensitive information. Orca researchers don’t advise automated protection solutions, recommending instead tailored strategies for defending each resource against threats.



Today's issue includes events affecting China, the European Union, India, Iran, Israel, the Republic of Korea, Malaysia, the Isle of Man, Montenegro, NATO/OTAN, Pakistan, the Philippines, Poland, Russia, Saudi Arabia, Ukraine, the United Kingdom, and the United States.


On-demand Webinar: Build an Effective Endpoint Detection and Response Strategy (Virtual, June 16 - 25, 2023) Are you ready to simplify your endpoint security? Join the live virtual event to discover how you can safeguard your AWS environment with tools available in AWS Marketplace. Watch Now.

Virtual Banking & Finance Cyber Security Summit (Virtual, June 22, 2023) Log on to join us nationwide at this Virtual Summit exclusively for the finance and banking industry. Learn how to protect your business from the latest threats and best practices to secure your infrastructure. Earn up to 8 CPE/CEU credits with your attendance. FREE admission w/ code CyberWire23 at

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open


Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+481: An operational pause and a Darknet Parliament. (CyberWire) Ukraine continues to make slow progress during what amounts to an operational pause. Russian ...

Russia-Ukraine war at a glance: what we know on day 482 of the invasion (the Guardian) Ukraine claims to have shot down 32 of 35 drones in overnight Russian attack; both sides said to be ...

Heavy casualties on both sides as Ukraine offensive edges forward (the Guardian) British intelligence report comes as Kyiv celebrates liberation of eighth settlement in south of ...

Find MORE on our website.

Attacks, Threats, and Vulnerabilities

Hackers strike Iranian government, releasing presidential documents (Yahoo) Latest trove includes letter concerning protests addressed to intelligence chief from Raisi’s office

Data Breach at New BreachForums: 4,000 members' data leaked (HackRead) Follow us on Twitter @Hackread - Facebook @ /Hackread

Group-IB Discovers 100K+ Compromised ChatGPT Accounts on Dark Web Marketplaces; Asia-Pacific region tops the list (Group-IB) Group-IB, a global cybersecurity leader headquartered in Singapore, has identified 101,134 ...

Find MORE on our website.

Security Patches, Mitigations, and Software Updates

Microsoft resolves ‘dangerous’ new Azure vulnerabilities (Record) Microsoft recently fixed two vulnerabilities affecting two Azure-related tools that would have ...

Third MOVEit bug fixed a day after PoC exploit made public (Register) Millions of people's personal info swiped, Clop leaks begin with 'Shell's stolen data'


Fortinet Global Zero Trust Report Finds Majority of Organizations are Actively Implementing Zero Trust But Many Still Face Integration Challenges (Fortinet) Almost half of respondents reported significant challenges related to a lack of integration between ...

Cybercriminals return to business as usual in a post-pandemic world (Help Net Security) Emotet's presence has been intermittent, with the group also showing signs of lethargy in adapting ...


2023 Information Security Overview (PitchBook) The 2023 Information Security Overview includes market maps of VC-backed companies; business model ...

Natixis Has $15.63 Million Stock Holdings in Rapid7, Inc. (NASDAQ:RPD) (Defense World) Natixis lifted its position in shares of Rapid7, Inc. (NASDAQ:RPD – Get Rating) by 44.6% during the ...

US Investors Sniffing Around Blacklisted NSO Group Assets (Dark Reading) Pressure mounts on the NSO Group's business viability as Khashoggi widow joins group of plaintiffs ...

Find MORE on our website.

Products, Services, and Solutions

How Tanium Can Help With The MOVEit Vulnerability (CVE-2023-34362) (The Tanium Success Community) On May 31, 2023, Progress reported a vulnerability in MOVEit Transfer and MOVEit Cloud that could ...

Dashlane Releases Passkey Support on Android (Dashlane) Dashlane is bringing third-party passkey support to Android 14 users. Now they can use Dashlane on ...

Traceable AI Announced as Launch Partner for Wiz Integration (WIN) (Business Wire) Traceable and Wiz enhance cloud security by correlating threats across APIs, Kubernetes, containers, ...

Find MORE on our website.

Technologies, Techniques, and Standards

Are federal agencies’ post-quantum cryptography preparations on track? (FedScoop) Federal agencies are supposed to be preparing for quantum hacking. Their progress is unclear.

NSA Cyber Official Discusses Cyber Partnerships (Meritalk) As cyberattacks continue to be on the rise, information sharing between the public and private ...

Town and county teams simulate responding to cyber attacks (News Letter Journal) The name of this game is cybersecurity, and the real-world consequences can be disastrous.

Find MORE on our website.

Design and Innovation

AI's evolving role in strengthening enterprise cybersecurity efforts (Strategy Magazine) AI is a crucial component of modern cybersecurity measures, as it increases process efficiency, ...


US Army Cyber Command, DSU sign education partnership agreement (Dakota News Now) DSU is one of only three universities in the entire nation that has matched all three credential ...

GameAbove elevates Eastern Michigan University’s Cybersecurity Program with a $1.6M gift to its College of Engineering and Technology (Eastern Michigan University) The robust cybersecurity program will soon include new research and certificate

Legislation, Policy, and Regulation

Cybersecurity Malaysia CEO urges Malaysians to say "No" to paying ransomware (TechNave) If you or your company got targeted by ransomware, is there a way to recover your data, or ...

Five big takeaways from Europe’s AI Act (MIT Technology Review) The AI Act vote passed with an overwhelming majority, but the final version is likely to look a bit ...

Exclusive: OpenAI Lobbied E.U. to Water Down AI Regulation (Time) In public, OpenAI is calling for stronger AI guardrails. But documents show the company lobbied to ...

Find MORE on our website.

Litigation, Investigation, and Law Enforcement

US govt offers $10 million bounty for info on Clop ransomware (BleepingComputer) The U.S. State Department's Rewards for Justice program announced up to a $10 million bounty ...

US offers $10m for information on Clop gang (Computing) Seeking evidence of links between the ransomware gang and state authorities

Law enforcement shutdown a long-standing DDoS-for-hire service (Security Affairs) Polish police, as part of the international law enforcement operation PowerOFF, dismantled a ...

Find MORE on our website.


Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.
The CyberWire logo
Twitter IconFacebook IconLinkedIn IconEmail Icon

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.

This email was sent to
why did I get this?  |  unsubscribe  |  manage subscription preferences

The CyberWire · 8110 Maple Lawn Blvd Ste 200 · Fulton, MD 20759-2694 · USA


Popular posts from this blog

SecurityWeek Briefing.

Cyber War Newswire

SecurityWeek Briefing.