The CyberWire: Daily Briefing.

"Chinese threat actor hit U.S. organizations with a Microsoft cloud exploit."

Views expressed in this cybersecurity, cybercrime, and cyber espionage update are those of the reporters and correspondents.

Accessed on 12 July 2023, 2316 UTC.

Content provided by email subscription to "The CyberWire: Daily Briefing."

Source: ("The CyberWire:  Daily Briefing").


Sponsored by Pentera

Secure a front row seat to the first cyber rap battle at Black Hat in the Pentera booth! Vote for the winner at the top of every hour. Get a sneak peek here!

Daily Briefing

July 12, 2023.

At a glance.

  • Chinese threat actor hit US organizations with a Microsoft cloud exploit.
  • Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures.
  • July Patch Tuesday retrospective.
  • Threat spotlight: email extortion attacks: digital blackmail.
  • Report: Companies allowing personal employee devices onto their network are opening themselves to attack.
  • RomCom update.
  • Beamer phishbait.

Chinese threat actor hit US organizations with a Microsoft cloud exploit.

Late yesterday Microsoft described activity by the Chinese government threat actor it tracks as Storm-0558. The group "gained access to email accounts affecting approximately 25 organizations including government agencies as well as related consumer accounts of individuals likely associated with these organizations," Redmond explained. Microsoft noticed "anomalous" mail activity on June 16th. Investigation subsequently determined that this was part of a cyberespionage campaign that began on or around May 15th of this year. Microsoft said, "They did this by using forged authentication tokens to access user email using an acquired Microsoft account (MSA) consumer signing key." Since discovering the activity, Microsoft has completed mitigating its effects for all the customers involved. According to the Wall Street Journal, the US Government is investigating the scope of the Chinese operation and assessing what damage it might have caused.
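Microsoft's description, forged tokens minted with an acquired consumer (MSA) signing key but honoured for enterprise mailboxes, points at token validation: a verifier that checks a token's signature against a key it knows without also checking that the key is entitled to sign for the issuer the token names. The following is an added example written for this briefing, not Microsoft's code; it assumes that failure mode for illustration and uses an HMAC-signed toy JWT, a constructed keyset and example.test hostnames so it runs offline (real tokens are RSA-signed and keys are published as JWKS). validate_loose shows the weak pattern; validate_strict binds the key id to the issuer and the issuer to the API.

```python
import base64
import hashlib
import hmac
import json

# Constructed keyset: one enterprise signing key, one consumer (MSA-style) key.
# HMAC secrets stand in for RSA keys so the example runs offline.
KEYSET = {
    "ent-key-1": {"key": b"enterprise-signing-secret",
                  "issuer": "https://login.example.test/enterprise"},
    "msa-key-1": {"key": b"consumer-signing-secret",
                  "issuer": "https://login.example.test/consumer"},
}
ENTERPRISE_ISSUER = "https://login.example.test/enterprise"
MAIL_API_AUDIENCE = "https://mail.example.test"


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, kid: str) -> str:
    """Mint an HS256 JWT with the named key (used by both the IdP and the attacker)."""
    header = {"alg": "HS256", "typ": "JWT", "kid": kid}
    parts = [_b64url(json.dumps(header, separators=(",", ":")).encode()),
             _b64url(json.dumps(claims, separators=(",", ":")).encode())]
    mac = hmac.new(KEYSET[kid]["key"], ".".join(parts).encode("ascii"), hashlib.sha256).digest()
    return ".".join(parts + [_b64url(mac)])


def _verify_signature(token: str):
    """Return (header, claims) if the MAC verifies under a known kid, else None."""
    try:
        h_b64, c_b64, s_b64 = token.split(".")
        header = json.loads(_b64url_decode(h_b64))
        claims = json.loads(_b64url_decode(c_b64))
    except ValueError:
        return None
    entry = KEYSET.get(header.get("kid"))
    if entry is None or header.get("alg") != "HS256":
        return None
    expected = hmac.new(entry["key"], f"{h_b64}.{c_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s_b64)):
        return None
    return header, claims


def validate_loose(token: str, now: float) -> bool:
    """Weak: any key in the combined keyset may sign for any issuer."""
    result = _verify_signature(token)
    if result is None:
        return False
    _, claims = result
    return claims.get("aud") == MAIL_API_AUDIENCE and claims.get("exp", 0) > now


def validate_strict(token: str, now: float) -> bool:
    """Hardened: the issuer must be the one this API trusts, and the signing key
    must belong to that issuer, so a consumer key cannot vouch for enterprise claims."""
    result = _verify_signature(token)
    if result is None:
        return False
    header, claims = result
    if claims.get("iss") != ENTERPRISE_ISSUER:
        return False
    if KEYSET[header["kid"]]["issuer"] != claims["iss"]:
        return False
    return claims.get("aud") == MAIL_API_AUDIENCE and claims.get("exp", 0) > now


NOW = 1_689_200_000  # fixed clock so the example is deterministic
CLAIMS = {"iss": ENTERPRISE_ISSUER, "aud": MAIL_API_AUDIENCE,
          "sub": "alice@example.test", "exp": NOW + 3600}
LEGIT = sign_token(CLAIMS, "ent-key-1")
# The attacker holds only the consumer key but writes enterprise claims into the token.
FORGED = sign_token(CLAIMS, "msa-key-1")

if __name__ == "__main__":
    print("legit  loose/strict:", validate_loose(LEGIT, NOW), validate_strict(LEGIT, NOW))
    print("forged loose/strict:", validate_loose(FORGED, NOW), validate_strict(FORGED, NOW))
```

The forged token passes validate_loose because its signature is genuine under a key the verifier trusts; only the key-to-issuer binding in validate_strict rejects it. In a real deployment the same binding is expressed by fetching the JWKS for the token's issuer rather than from a shared pool.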

Sponsored by mWISE

First look: mWISE 2023 session catalog

Check out the topics, meet the speakers, and sign up for discount registration.

Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures. 

Microsoft has also dealt with other Chinese exploitation of its products. Cisco Talos researchers discovered that threat actors took advantage of a policy loophole in Windows kernel driver signing: cross-signed drivers whose certificates predate the policy's cut-off are still loaded, so the attackers forge signing timestamps and use expired certificates to sign unverified, malicious drivers. “We have observed over a dozen code signing certificates with keys and passwords contained in a PFX file hosted on GitHub used in conjunction with these open source tools,” the advisory notes. Based on the language codes found in the metadata of the malicious drivers, the researchers assess the threat actors to be Chinese nationals. The advisory explains that attackers can exploit the loophole to cross the user-kernel barrier, which is crucial for “maintaining the integrity and security of the OS.” Talos has alerted Microsoft, which has since blocked the certificates abused through this loophole.

Sponsored by Halcyon

The key to beating ransomware? Use a solution built to defeat ransomware.

Halcyon is the first dedicated, adaptive solution that combines multiple advanced proprietary prevention engines focused specifically on detecting and stopping ransomware. With the fastest endpoint recovery capabilities, multiple layers of resiliency, bypass and evasion protection, automated key capture for swift decryption and data exfiltration prevention, the Halcyon Anti-Ransomware and Resilience Platform reverses the impact of ransomware attacks in just minutes. This is why Halcyon is the resilience platform Global 2000 companies rely on to defeat ransomware.

July Patch Tuesday retrospective.

Microsoft has issued security fixes for 132 flaws, six of which were being actively exploited in the wild, BleepingComputer reports. One of the disclosed vulnerabilities (CVE-2023-36884), which hasn’t yet been patched, is a remote code execution flaw affecting Microsoft Office. Microsoft says this flaw has been exploited by the Russian cybercriminal group Storm-0978 to conduct cyberespionage against defense and government entities in Europe and North America.

Fortinet has patched a “stack-based overflow vulnerability in FortiOS & FortiProxy [that] may allow a remote attacker to execute arbitrary code or command via crafted packets reaching proxy policies or firewall policies with proxy mode alongside SSL deep packet inspection.”

SAP has issued fixes for numerous vulnerabilities, including one affecting SAP Business Client that was assigned a CVSS score of 10.0. The company stated, “With a variety of new and updated SAP Security Notes, SAP’s July Patch Day was a busy one. Special attention should be paid to the high priority corrections, particularly those affecting SAP Business Client, SAP ECC and SAP S/4HANA (IS-OIL), and SAP NetWeaver (BI CONT ADD ON). As always, applying these patches as soon as possible is recommended to maintain the security and integrity of your SAP systems.”

Adobe has patched twelve security flaws in Adobe InDesign, including a deserialization of untrusted data vulnerability that could lead to arbitrary code execution, SecurityWeek reports.

Apple has rolled back its Rapid Security Response updates for iOS and macOS after the patch caused issues that prevented some websites from displaying properly, according to SecurityWeek. The company stated yesterday, “Rapid Security Responses iOS 16.5.1 (b), iPadOS 16.5.1 (b), and macOS 13.4.1 (b) will be available soon to address this issue.”

Sponsored by AuditBoard

Effective Third-Party Risk Management: What Organizations Can Do.

Third-party risk is becoming increasingly expansive as organizations rely on a burgeoning network of external vendors to operate. Read about some of the regulations emerging to combat this issue, how organizations ranked third-party risk concerns in the International Data Corporation (IDC)’s Future of Trust Survey, and how technology solutions can help organizations coordinate an effective response.

Threat spotlight: email extortion attacks: digital blackmail.

Barracuda released a threat spotlight on extortion attacks this morning, but these are not the large-scale ransomware extortions most seen in recent headlines. These attacks instead amount to digital blackmail: the attacker threatens to expose a compromising picture or information about an individual unless the victim pays. “Attackers often purchase victims’ login credentials or find them through data breaches to ‘prove’ that their threat is legitimate.” Almost all of the attacks ask for less than $2,000, which seems like chicken feed by cybercriminal (if not consumer) standards, but Barracuda analyzed over 300,000 emails that made demands at this level. Research showed that a small number of attackers were responsible for most of the emails in the study sample, with “the top 10 bitcoin addresses appearing in about 30% of emails, and the top 100 addresses appear in about 80% of emails.”

Barracuda remains optimistic about this threat, if only because the small number of criminals responsible means that each is a high-payoff target for law enforcement. “First, we suspect that if law enforcement is able to track down even a small number of these attackers, they can significantly disrupt this threat. Second, since extortion attackers seem to be copying each other and following very similar templates, email security vendors should be able to block a large percentage of these attacks with relatively simple detectors.”
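Barracuda's two observations, heavy reuse of a few wallet addresses and near-identical templates, are exactly what makes these mails cheap to detect. The following is an added example written for this briefing, not Barracuda's detector: a small scorer over constructed sample mails (the wallet addresses and passwords are made up) that extracts bitcoin addresses, looks for the template's features (a leaked-password claim, an exposure threat, a small-dollar demand) and boosts the score for any wallet already seen in earlier extortion mail, plus a helper that measures how concentrated the wallets are across a corpus.

```python
from __future__ import annotations

import re
from collections import Counter

# Constructed sample corpus: four extortion mails from the same template
# plus one legitimate invoice reminder. Wallet addresses are made up.
SAMPLE_MESSAGES = [
    "I know your password is hunter2. I have a video of you visiting adult sites, "
    "recorded through your webcam. Send $950 to 1AbCdEfGhJkLmNpQrStUvWxYz12345678 "
    "within 48 hours or I send it to your contacts.",
    "Hello. your password is Summer2019!. I recorded you through your webcam while "
    "you were on adult websites. Pay $1,200 in bitcoin to "
    "1AbCdEfGhJkLmNpQrStUvWxYz12345678 or the video of you goes to your contacts.",
    "Your password was letmein. I put malware on an adult site you visited and have "
    "a video of you. Transfer $800 to 3FakeAddressForTestingNPQ12345678 in 24 hours "
    "or I send it to everyone you know.",
    "Hi team, the invoice for $1,500 is attached; please pay by bank transfer to the "
    "usual account by Friday.",
    "I know ur password is qwerty123. Webcam footage of you on adult sites will go to "
    "your contacts unless $1,900 reaches 1AbCdEfGhJkLmNpQrStUvWxYz12345678 in 2 days.",
]

# Legacy (1.../3...) base58 and bech32 (bc1...) address shapes.
BTC_ADDR = re.compile(r"\b(?:bc1[ac-hj-np-z02-9]{25,62}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})\b")
PASSWORD_CLAIM = re.compile(r"\b(?:your|ur)\s+password\s+(?:is|was)\b", re.IGNORECASE)
THREAT = re.compile(r"\b(?:webcam|video of you|adult\s+(?:web)?sites?|your contacts|send it to)\b",
                    re.IGNORECASE)
DEMAND = re.compile(r"\$\s?(\d{1,3}(?:,\d{3})*|\d+)\b")


def extract_btc_addresses(text: str) -> list[str]:
    return BTC_ADDR.findall(text)


def score_message(text: str, known_addresses=frozenset()) -> tuple[int, list[str]]:
    """Additive scoring over template features; returns (score, reasons)."""
    score, reasons = 0, []
    addresses = extract_btc_addresses(text)
    if addresses:
        score += 2
        reasons.append("bitcoin address present")
    if any(a in known_addresses for a in addresses):
        score += 2
        reasons.append("wallet already seen in extortion mail")
    if PASSWORD_CLAIM.search(text):
        score += 2
        reasons.append("claims to know the recipient's password")
    if THREAT.search(text):
        score += 1
        reasons.append("exposure threat")
    demands = [int(d.replace(",", "")) for d in DEMAND.findall(text)]
    if addresses and demands and min(demands) < 2000:
        score += 1
        reasons.append("small-dollar demand paired with a wallet")
    return score, reasons


def is_extortion(text: str, known_addresses=frozenset(), threshold: int = 4) -> bool:
    return score_message(text, known_addresses)[0] >= threshold


def address_concentration(messages, top_n: int = 1) -> tuple[Counter, float]:
    """Wallet counts across the corpus, and the share of wallet-bearing mails that
    use one of the top_n wallets (the shape of Barracuda's 'top 10 in ~30%' figure)."""
    counts: Counter = Counter()
    with_wallet = 0
    for msg in messages:
        addrs = set(extract_btc_addresses(msg))
        if addrs:
            with_wallet += 1
            counts.update(addrs)
    top = {addr for addr, _ in counts.most_common(top_n)}
    hits = sum(1 for msg in messages if top & set(extract_btc_addresses(msg)))
    return counts, (hits / with_wallet if with_wallet else 0.0)


if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        print(score_message(msg), msg[:40])
    print(address_concentration(SAMPLE_MESSAGES, 1))
```

The invoice reminder mentions a sub-$2,000 sum but has no wallet, password claim or threat, so it scores zero; the wallet-reputation boost is what lets a mail that drops one template feature still clear the threshold once its address has been seen before.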

Report: Companies allowing personal employee devices onto their network are opening themselves to attack.

SpyCloud released its Malware Readiness & Defense report today, based on a survey of almost 320 “mid-market and enterprise IT security professionals from the US and UK” conducted to assess “how organizations are detecting and addressing the threat of malware as a precursor to cyberattacks like account takeover and ransomware.” One of the main problems identified was a lack of controls on employees mixing unauthorized applications and work credentials across their personal and work devices. “57% of organizations allow employees to sync browser data between personal and corporate devices – enabling threat actors to siphon employee credentials and other user authentication data through infected personal devices while remaining undetected,” SpyCloud wrote in its press release. It also explained that organizations are struggling with “shadow IT,” as employees use unsanctioned applications and are allowed to use their personal and work devices interchangeably.

RomCom update.

Microsoft yesterday published an alert on activity by Storm-0978, also tracked as DEV-0978 and familiarly called "RomCom," after the name given to the backdoor it commonly employs. "Microsoft has identified a phishing campaign conducted by the threat actor tracked as Storm-0978 targeting defense and government entities in Europe and North America. The campaign involved the abuse of CVE-2023-36884, which included a remote code execution vulnerability exploited before disclosure to Microsoft via Word documents, using lures related to the Ukrainian World Congress." As BleepingComputer observes, CVE-2023-36884 hasn't been fully patched, but mitigations are available. RomCom represents a mixture of symbiotic motives. It's a ransomware and extortion operation in pursuit of direct profit, but it also conducts cyberespionage, specializing in credential theft. The group is based in Russia and acts in Russia's interests.

"The price is reduced!!!" Act now!

Russian intelligence services prospecting diplomatic targets in Ukraine used an ad for a nicely-loaded, deeply-discounted, used BMW as phishbait to attract their prospects' eyes (and clicks). Palo Alto Networks' Unit 42 says the campaign, directed against twenty-two of the eighty embassies in Kyiv, was run by APT29 (Cozy Bear), that is, Russia's SVR foreign intelligence service. The phish hooks were LNK files masquerading as images. The targeted diplomatic missions were those of Albania, Argentina, Canada, Cyprus, Denmark, Estonia, Greece, Iraq, Ireland, Kuwait, Kyrgyzstan, Latvia, Libya, the Netherlands, Norway, Slovakia, Spain, Sudan, Turkey, Turkmenistan, the United States, and Uzbekistan. The campaign's goal was espionage, collection against the embassies and their contacts.
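An LNK "masquerading as an image" works because Explorer never displays the .lnk suffix, so a file named photo.jpg.lnk shows as photo.jpg. The following is an added example for this briefing, not Unit 42's tooling: a triage check that classifies attachments by the Shell Link header (0x4C then the link CLSID) rather than by name, and cross-checks image-named files against their real magic bytes. The file names and byte contents below are constructed.

```python
from pathlib import PurePosixPath

# Shell Link header: HeaderSize 0x0000004C followed by the LinkCLSID
# {00021401-0000-0000-C000-000000000046} in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "0000" "0000" "c000000000000046")
IMAGE_MAGIC = {
    ".png": bytes.fromhex("89504e470d0a1a0a"),
    ".jpg": bytes.fromhex("ffd8ff"),
    ".jpeg": bytes.fromhex("ffd8ff"),
}


def is_lnk(data: bytes) -> bool:
    return data[:20] == LNK_MAGIC


def displayed_name(name: str) -> str:
    """What Explorer shows: the .lnk suffix is hidden even with extensions visible."""
    return name[:-4] if name.lower().endswith(".lnk") else name


def classify(name: str, data: bytes) -> str:
    shown_suffix = PurePosixPath(displayed_name(name)).suffix.lower()
    if is_lnk(data):
        return "lnk-masquerading-as-image" if shown_suffix in IMAGE_MAGIC else "lnk"
    if shown_suffix in IMAGE_MAGIC:
        return "image" if data.startswith(IMAGE_MAGIC[shown_suffix]) else "image-name-content-mismatch"
    return "other"


def scan(files: dict) -> dict:
    """Classify every (name -> bytes) entry, e.g. an unpacked attachment archive."""
    return {name: classify(name, data) for name, data in files.items()}


# Constructed sample "attachments": a lure LNK, a real JPEG, a real PNG, a text
# file, and a plain LNK that at least does not pretend to be a picture.
SAMPLES = {
    "bmw_5series_photo.jpg.lnk": LNK_MAGIC + b"\x00" * 56,
    "bmw_5series_photo.jpg": IMAGE_MAGIC[".jpg"] + b"\xe0" + b"\x00" * 60,
    "flyer.png": IMAGE_MAGIC[".png"] + b"\x00" * 24,
    "flyer_copy.png": b"MZ" + b"\x00" * 30,
    "readme.txt": b"hello",
    "notes.lnk": LNK_MAGIC + b"\x00" * 56,
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{verdict:28} {name}")
```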

The car itself was real, as was the innocent original version of the flyer. The black BMW 5-series sedan belongs to a Polish diplomat assigned to Kyiv, and he was indeed interested in selling it. Suspicions were aroused when he got calls inquiring about the price, which at €7500 was lower than the one he'd posted. Cozy Bear evidently reasoned that a lower price would attract more clicks. Reuters reports that the diplomat still has his car. He'll try to sell it when he gets back to Poland, because "After this situation, I don't want to have any more problems."

The phishbait represents a departure from that used in earlier campaigns. Those lured had tended to be more obviously diplomatic: invitations to embassy events, notes on humanitarian aid, and so on. Unit 42 concludes with a warning: "As the above campaigns show, diplomats should appreciate that APTs continually modify their approaches – including through spear phishing – to enhance their effectiveness. They will seize every opportunity to entice victims into compromise. Ukraine and its allies need to remain extra vigilant to the threat of cyber espionage, to ensure the security and confidentiality of their information."

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.



Today's issue includes events affecting Albania, Argentina, Australia, Belarus, Canada, China, Cyprus, Denmark, Estonia, the European Union, Greece, India, Iraq, Ireland, Japan, the Republic of Korea, Kuwait, Kyrgyzstan, Latvia, Libya, NATO/OTAN, the Netherlands, Norway, Russia, Slovakia, Spain, Sudan, Turkey, Turkmenistan, Ukraine, the United Kingdom, the United States, and Uzbekistan.


July Cyber Security Summits (Multiple locations / Virtual, July 13 - 27, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception on 7/13 in Raleigh-Durham, on 7/20 in DC and 7/27 in Pittsburgh. Learn about the latest threats and solutions from The FBI, U.S. DHS / CISA, IBM Security & more. Earn CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at

Uplevel your cloud security posture with CSPM. (Virtual, July 27, 2023) Is cloud security posture management (CSPM) right for your organization? Watch the webinar to learn about the four generations of CSPMs and building versus buying CSPM tools as well as use cases and real-world CSPM examples. Register today.

Securing Digital Transformation: OT Cybersecurity Innovation and Resilience (Virtual, August 3, 2023) Join Jon Lavender, CTO, Dragos, Mark Ryland, Director, Office of the CISO, AWS, and Anthony Pierce, Field CTO, Splunk for A Cyber Wire industry panel “Securing Digital Transformation: OT Cybersecurity Innovation and Resilience” discussing secure digital transformation, managing OT/IT cyber risk and the Cloud.

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open


Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+503: Support and cooperation, but no NATO membership, yet. (CyberWire) Ukraine gets closer ties to NATO, but not membership, yet, and the cyber phases of Russia's war show ...

Russia-Ukraine war: List of key events, day 504 (Al Jazeera) As the conflict enters its 504th day, these are the main developments.

Back To Bakhmut: The Ukrainian Forces Trying To Trap Russian Troops In A Ruined City (RadioFreeEurope/RadioLiberty) "Our job is to…make a bad day for the Russians." Following a lull in the fighting, the Ukrainian ...

Find MORE on our website.

Attacks, Threats, and Vulnerabilities

Mitigation for China-Based Threat Actor Activity (Microsoft On the Issues) Microsoft and others in the industry have called for transparency when it comes to cyber incidents ...

Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email (Microsoft Security Response Center) Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email

Chinese hackers breach U.S. government email through Microsoft cloud (Washington Post) Cyberspies from China exploited a fundamental gap in the Microsoft cloud, enabling them to conduct a ...


Security Patches, Mitigations, and Software Updates

Mitigating CVE-2023-3595 and CVE-2023-3596 Impacting Rockwell Automation ControlLogix Firmware (Dragos) Review guidance provided by Rockwell Automation and Dragos on how to mitigate vulnerabilities ...

July 2023 Security Updates (Security Update Guide - Microsoft Security Response Center) This release consists of the following 130 CVEs and 2 Advisories

Microsoft Releases July 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA) Microsoft has released updates to address multiple vulnerabilities in Microsoft software. An ...



ESET Threat Report H1 2023 (WeLiveSecurity) The H1 2023 issue of ESET Threat Report reviews the key trends and developments that shaped the ...

2023 State of Web Application Security - OPSWAT (OPSWAT) The OPSWAT survey gathers information from security professionals worldwide to discover the most ...

The SpyCloud Malware Readiness And Defense Report (SpyCloud) The Survey: 300+ security & IT leaders and practitioners from mid-sized and enterprise organizations ...



SpecterOps Closes Series A Extension From Ballistic Ventures, Bringing Funding Round Total to $33.5M (Business Wire) Investment will drive company-wide expansion across BloodHound Enterprise, BloodHound FOSS, ...

NCC Group welcomes new Chief Technology Officer, Siân John (Mynewsdesk) Joining from Microsoft and with 25 years of cyber security experience across strategy, business ...

Qualys Names Dino DiMarino Chief Revenue Officer (PR Newswire) Qualys, Inc. (NASDAQ: QLYS), a pioneer and leading provider of disruptive cloud-based IT, security, ...

Products, Services, and Solutions

Fenix24 Partners with CrowdStrike to Offer Customers Single Rapid Response Solution (PR Newswire) Fenix24, an industry-leading cyber disaster recovery firm that is transforming the post-breach ...

Consent and Preference Management Platform Cassie Debuts First-Party Data Features To Empower Marketers And Improve The Consumer Experience (PR Newswire) Today Cassie, the consent and preference management platform serving Fortune 500 companies globally, ...

Privacy pain points for marketers report (Cassie) Navigating compliance in a cookieless future


Technologies, Techniques, and Standards

Listen: FBI Eyes Evolving Tech to Combat ‘Cybercrime as a Service’ (Government CIO) The agency’s intelligence and law enforcement capabilities are keeping pace with technological ...

Research and Development

Virginia Tech researchers find vulnerabilities in code of popular reverse engineering tools (Virginia Tech News) Through the team's mathematical proofs, software programmers can now be sure that their code is free ...


How Are Higher Ed Cyber Attacks Evolving? (GovTech) Despite efforts to combat ransomware attacks on higher ed institutions, the education sector remains ...

Legislation, Policy, and Regulation

The Quad: Tackling the spider, not cobwebs, in cyberspace (Lowy Institute) A security pact, but not as we know it. How a commitment to uplift software security will reap ...

South Korea, NATO to boost partnership on security, cyber threats (Reuters) South Korea and NATO will expand cooperation on global security issues including Ukraine and North ...

FS-ISAC signs MoU with the Cyber Security Agency of Singapore (Finextra Research) FS-ISAC has signed a Memorandum of Understanding (MoU) with the Cyber Security Agency of Singapore ...


Litigation, Investigation, and Law Enforcement

3 tax prep firms shared 'extraordinarily sensitive' data about taxpayers with Meta, lawmakers say (AP News) Some congressional Democrats say three large tax preparation firms sent “extraordinarily sensitive” ...

Alleged cybercriminals had a busy day in court (Washington Post) Alleged Lapsus$ gang member, Silk Road adviser and accused cyber pro face legal consequences

Former Security Engineer For International Technology Company Arrested For Defrauding Decentralized Cryptocurrency Exchange (US Attorney for the Southern District of New York) Damian Williams, the United States Attorney for the Southern District of New York, Chad Plantz, the ...



Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.


The CyberWire · 8110 Maple Lawn Blvd Ste 200 · Fulton, MD 20759-2694 · USA

