The CyberWire Daily Briefing.

"Update on Chinese cyber espionage incident."

Views expressed in this cybersecurity, cybercrime, and cyber espionage update are those of the reporters and correspondents. Accessed on 14 July 2023, 1555 UTC. Content provided by email subscription to "The CyberWire Daily Briefing."

Source: ("The CyberWire Daily Briefing").

Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (

More signal, less noise.


Secure a front row seat to the first cyber rap battle at Black Hat in the Pentera booth! Vote for the winner at the top of every hour. Get a sneak peek here!

Daily Briefing

July 14, 2023.

At a glance.

  • Developments in the case of China's cyberespionage against government Exchange users.
  • Industrial controller vulnerabilities pose a risk to critical infrastructure.
  • USB attacks have risen three-fold in the first half of 2023.
  • CISA adds two vulnerabilities to its Known Exploited Vulnerabilities Catalog.
  • Ghostwriter's continued activity focuses on Poland and Ukraine.
  • Hacktivist auxiliaries swap DDoS attacks.
  • Lessons learned from cyber warfare in Russia's war.

Developments in the case of China's cyberespionage against government Exchange users.

The Washington Post reports that the US government is still investigating how a Chinese APT carried out attacks against US State and Commerce Department email accounts. Specifically, the government is trying to determine how the threat actor obtained the Microsoft account consumer signing keys used to gain access. Microsoft hasn’t disclosed any vulnerabilities related to the attack. Adam Meyers, senior vice president of intelligence at CrowdStrike, wonders if the attack involved a Microsoft insider, since the hackers would have needed “a more powerful internal key controlled by Microsoft” in order to create consumer signing keys. Jason Kikta, chief information security officer at Automox, stated, “This attack used a stolen key that Microsoft’s design failed to properly validate. The inability to do proper validation for authentication is a habit, not an anomaly.”

The UK’s National Cyber Security Centre (NCSC) is also working with Microsoft to determine the impact of the hacks, according to Reuters.

Sponsored by mWISE

First look: mWISE 2023 session catalog

Check out the topics, meet the speakers, and sign up for discount registration.

Industrial controller vulnerabilities pose a risk to critical infrastructure.

Researchers at Armis discovered nine vulnerabilities affecting Honeywell’s Experion distributed control system (DCS) products, TechCrunch reports. An attacker with network access could exploit the flaws to “remotely run unauthorized code on both the Honeywell server and controllers.”

Curtis Simpson, CISO at Armis, told TechCrunch, “Worst-case scenarios you can think of from a business perspective are complete outages and a lack of availability. But there’s worse scenarios than that, including safety issues that can impact human lives.”

Honeywell issued patches for the flaws last month. Honeywell spokesperson Caitlin E. Leopold said in a comment to TechCrunch, “We have been working with ARMIS on this issue as part of a responsible disclosure process. We have released patches to resolve the vulnerability and notified impacted customers. There are no known exploits of this vulnerability at this time. Experion C300 owners should continue to isolate and monitor their process control network and apply available patches as soon as possible.”

Sponsored by Halcyon

The key to beating ransomware? Use a solution built to defeat ransomware.

Halcyon is the first dedicated, adaptive solution that combines multiple advanced proprietary prevention engines focused specifically on detecting and stopping ransomware. With the fastest endpoint recovery capabilities, multiple layers of resiliency, bypass and evasion protection, automated key capture for swift decryption and data exfiltration prevention, the Halcyon Anti-Ransomware and Resilience Platform reverses the impact of ransomware attacks in just minutes. This is why Halcyon is the resilience platform Global 2000 companies rely on to defeat ransomware.

USB attacks have risen three-fold in the first half of 2023.

Mandiant reports that USB attacks tripled in the first half of 2023. The report details two new USB attack campaigns: the SOGU malware infection, which targets industries across the globe, and the SNOWYDRIVE infection, which seems to target oil and gas companies across Asia. Both campaigns use a USB drive for initial infection and propagation, and both install malware that steals sensitive information from the host computer. SOGU is the more prevalent USB infection campaign and has spread to various sectors, including pharmaceutical, IT, energy, communications, and healthcare organizations across North America, Europe, Asia, and Oceania. “While some threat actors targeted specific industries or regions, Campaign 22-054 [Mandiant’s name for this USB threat] appears to be more opportunistic in nature. This campaign may be part of a long-term collection objective or a later-stage follow-up for subjects of interest to state-sponsored threat actors.” USB campaigns are especially dangerous because they are a method for attacking air-gapped systems, that is, systems with no connection to the outside internet. The most famous example of a USB-based attack was Stuxnet, which, as Trellix explains, was spread to Iranian nuclear facilities on USB sticks.

Sponsored by AuditBoard

Effective Third-Party Risk Management: What Organizations Can Do.

Third-party risk is becoming increasingly expansive as organizations rely on a burgeoning network of external vendors to operate. Read about some of the regulations emerging to combat this issue, how organizations ranked third-party risk concerns in the International Data Corporation (IDC)’s Future of Trust Survey, and how technology solutions can help organizations coordinate an effective response.

CISA adds two vulnerabilities to its Known Exploited Vulnerabilities Catalog.

The Cybersecurity and Infrastructure Security Agency (CISA) has added two vulnerabilities to its Known Exploited Vulnerabilities Catalog: CVE-2023-37450 (Apple Multiple Products WebKit Code Execution Vulnerability) and CVE-2022-29303 (SolarView Compact Command Injection Vulnerability). CISA explains, “These types of vulnerabilities are frequent attack vectors for malicious cyber actors and pose significant risks to the federal enterprise.” CVE-2022-29303, which affects SolarView Compact, is rated 9.8 on the CVSS scale and carries a mandatory update and fix date of August 3rd for federal users. About CVE-2023-37450, CISA writes, “Apple iOS, iPadOS, macOS, and Safari WebKit contain an unspecified vulnerability that can allow an attacker to execute code when processing web content.” Federal civilian executive agencies have until August 3rd to “apply updates per vendor instructions or discontinue use of the product if updates are unavailable.”

Ghostwriter's continued activity focuses on Poland and Ukraine.

Yesterday Cisco Talos researchers described the recent activity of a Belarusian threat actor engaged in cyberespionage between April of 2022 and June of 2023. "Ukraine’s Computer Emergency Response Team (CERT-UA) has attributed the July campaign to the threat actor group UNC1151, as a part of the GhostWriter operational activities allegedly linked to the Belarusian government." The attack begins with a malicious Microsoft Office document, usually either an Excel or PowerPoint file, which, if opened, delivers an executable downloader and a payload hidden in an image file. "The final payloads include the AgentTesla remote access trojan (RAT), Cobalt Strike beacons and njRAT." The targets are Ukrainian and Polish military and governmental organizations.

Hacktivist auxiliaries swap DDoS attacks.

Russian and Ukrainian hacktivist auxiliaries have both recently conducted distributed denial-of-service (DDoS) attacks. The Center for European Policy Analysis (CEPA) calls it "crowdsourced cyber warfare," the principal organizers of which have been, on the Russian side, NoName057(16), and on the Ukrainian side, the Ukrainian IT Army. None of the attacks, CEPA rightly notes, have amounted to much more than a nuisance. They are, however, easy to mount, and require little in the way of technical skill to pull off. They may represent the upper limits of the crowdsourced approach to organizing a cyber auxiliary.

Lessons learned from cyber warfare in Russia's war.

The Center for Strategic and International Studies looks at the record of the war so far and draws some lessons that might inform thinking about cyber warfare in the future. In sum, the lessons suggest that some of the catastrophic fears that have surrounded cyber warfare appear less likely after a year-and-a-half of operational experience. The study draws three major conclusions:

  • "Cyber operations will play a supporting rather than decisive role in major theater wars." Intelligence collection and operational deception are likely to be cyber's most prominent contribution, once the shooting starts.
  • "War will still be a continuation of politics by other means and rely on the more tangible effects of violence than on the elusive effects of compromising information networks." As the fight escalates along the spectrum of conflict, the more certain effects of kinetic action will be preferred to the uncertain results of cyber operations.
  • "The merits of cyber operations continue to be their utility as a tool of political warfare because they facilitate an engagement short of war that leverages covert action, propaganda, and surveillance but in a manner that poses a fundamental threat to human liberties."

The study concludes with appropriate policy recommendations: increase public-private partnership, improve cyber diplomacy and international information-sharing, and work to counter "cyber-enabled information operations."

The CyberWire recently drew its own set of lessons from the cyber phases of Russia's special military operation. They may be found here.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.

Today's issue includes events affecting Australia, Belarus, China, India, NATO/OTAN, Norway, New Zealand, Poland, Russia, Solomon Islands, Ukraine, the United Kingdom, and the United States.


July Cyber Security Summits (Multiple locations / Virtual, July 13 - 27, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception on 7/13 in Raleigh-Durham, on 7/20 in DC and 7/27 in Pittsburgh. Learn about the latest threats and solutions from The FBI, U.S. DHS / CISA, IBM Security & more. Earn CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at

Uplevel your cloud security posture with CSPM. (Virtual, July 27, 2023) Is cloud security posture management (CSPM) right for your organization? Watch the webinar to learn about the four generations of CSPMs and building versus buying CSPM tools as well as use cases and real-world CSPM examples. Register today.

Securing Digital Transformation: OT Cybersecurity Innovation and Resilience (Virtual, August 3, 2023) Join Jon Lavender, CTO, Dragos, Mark Ryland, Director, Office of the CISO, AWS, and Anthony Pierce, Field CTO, Splunk for A Cyber Wire industry panel “Securing Digital Transformation: OT Cybersecurity Innovation and Resilience” discussing secure digital transformation, managing OT/IT cyber risk and the Cloud.

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open


Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+505: Russia copes with hard-war dissent. (CyberWire) Fighting remains an artillery-heavy slog as Ukraine pushes against Russian entrenchments. Moscow ...

Russia-Ukraine war: List of key events, day 506 (Al Jazeera) As the conflict enters its 506th day, these are the main developments.

Russia-Ukraine war live: Wagner a fading force in Ukraine, says US; Kyiv rules out invasion from Belarus (the Guardian) Most Wagner fighters still however in occupied areas of Ukraine, says Pentagon press secretary


Attacks, Threats, and Vulnerabilities

UK says it's working with Microsoft to understand impact of Chinese email hack (Reuters) Britain's National Cyber Security Centre (NCSC) said on Thursday it was working with Microsoft to ...

What we know (and don’t know) about the government email breach (Washington Post) Government emails got hacked in a suspected attack on Microsoft from China. Here’s what we know — ...

Yet Another MS CVE: Don’t Get Caught In The Storm! (Cynet) A new vulnerability (CVE-2023-36884) “Office and Windows HTML Remote Code Execution Vulnerability” ...


Security Patches, Mitigations, and Software Updates

CISA Releases Nine Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA) CISA released nine Industrial Control Systems (ICS) advisories on July 13, 2023. These advisories ...

Cisco Releases Security Update for SD-WAN vManage API (Cybersecurity and Infrastructure Security Agency CISA) Cisco has released a security update to address a critical vulnerability affecting SD-WAN vManage ...

Apple Re-Releases Urgent Zero-Day Patches With Fix for Website Access Issue (SecurityWeek) Apple has re-released its Rapid Security Response updates for iOS and macOS after fixing a website ...



Organizations Lack Tools to Monitor Cloud Data, Creating Critical Gaps in Security Coverage (Business Wire) Laminar survey reveals more than 1 in 2 security professionals either can’t or are unsure if they ...

Lack of trust biggest challenge to adequate cyber resilience (SecurityBrief Asia) “To navigate the current threat landscape, trust is imperative. There needs to be trust in teams, ...

Ransomware attacks on the finance sector (Comparitech) From 2018 to June 2023, 225 financial organizations have been hit by a ransomware attack. We ...



Cyber Leak? Cybersecurity Funding Falls 63% In Q2 (Crunchbase News) Venture funding for cybersecurity dropped to just slightly more than $1.6B in the second quarter; ...

Council Post: A Unicorn Loses Its Horn: Considerations For Choosing The Right Cybersecurity Vendor (Forbes) Business leaders should learn a lesson from the past and make decisions for cybersecurity vendors ...

Cloudflare, Palo Alto Networks and Zscaler tumble as Microsoft expands in cybersecurity (CNBC) Microsoft has grown its security business to over $20 billion per year, and the new effort might ...


Products, Services, and Solutions

Contrast Security Recognized as a Leader in G2 Summer 2023 Enterprise Grid Report for IAST (Contrast Security) The code security platform was also named a Leader in the SAST and DAST categories by the world’s ...

Fenix24 Wins Gold in the 15th Annual 2023 Golden Bridge Awards® (PR Newswire) Fenix24, an industry-leading cyber disaster recovery firm that is transforming the post-breach ...

The Economic Benefits of Using DomainTools - DomainTools | Start Here. Know Now. (DomainTools) In a study commissioned with Enterprise Strategy Group, using DomainTools can quantify wins ...


Technologies, Techniques, and Standards

New CVSS Version Unveiled Amid Rising Cyber Threats (Infosecurity Magazine) FIRST has released details of version 4.0 of the standard, which aims to address criticisms of CVSS ...

The Board’s Role in Cloud Adoption (Google Cybersecurity Action Team) We are often asked if the cloud is more secure than on-premise infrastructure. The short answer is ...

Beazley’s Hannes warns of cyber “blind spot” as boardroom focus diminishes (The Insurer) Cyber risk has moved down the priorities of global business leaders over the past two years, amid ...


Design and Innovation

Mustafa Suleyman: My new Turing test would see if AI can make $1 million (MIT Technology Review) The Modern Turing Test would measure what an AI can do in the world, not just how it appears. And ...

Legislation, Policy, and Regulation

Home Minister Amit Shah to launch cyber volunteer squads at G20 conference in Gurgaon (The Indian Express) Shah will address the inaugural session of the G20 conference on “Crime and Security in the age of ...

Australia raises concern over Solomon Islands policing plan with China's top diplomat (Reuters) Australia has raised China's plan to take a policing role in the Pacific Islands nation of Solomon ...

Solomon Islands Says Chinese Police to Assist Cyber, Community Security (VOA) U.S., Australia, New Zealand and Solomon Islands' opposition party have called for Prime Minister ...


Litigation, Investigation, and Law Enforcement

Democrats say ‘potentially illegal’ taxpayer data breach warrants DOJ investigation (Fox Business) Democratic lawmakers are calling for an investigation following a probe that they said revealed ...

Professors sue Texas over TikTok ban, signaling First Amendment fight (Washington Post) It’s the third lawsuit to challenge state action against TikTok on constitutional grounds.

ChatGPT Under Investigation by FTC (Wall Street Journal) The agency is investigating whether OpenAI’s chatbot has harmed individuals by publishing false ...



Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.

