The CyberWire: Latest Cybersecurity News.

"Chinese cyberespionage described, SEO poisoning, HTML smuggling, DDos Alert."

Views expressed in this cybersecurity, cybercrime, and cyberespionage update are those of the reporters and correspondents.  Accessed on 05 July 2023, 1541 UTC. Content provided by email subscription to "The CyberWire."

Source: ("The CyberWire").

Please click link or scroll down to read your selections.  Thanks for joining us today.

Russ Roberts (

More signal, less noise.

Early bird registration is open. Get the lowest price we offer.

Register now for Mandiant’s mWISE security conference.

Daily Briefing

July 5, 2023.

At a glance.

  • Chinese cyberespionage campaign against European governments.
  • BlackCat and SEO poisoning.
  • LockBit seeks to extort semiconductor manufacturer.
  • CISA released a DDoS alert for US companies and government agencies.
  • Microsoft debunks claims of data theft by Anonymous Sudan.
  • Port of Nagoya closes over ransomware attack.
  • Hacker spoofs a school and pilfers exam papers from British education boards.
  • Professionals in the cyber underworld.
  • Avast releases a free decryptor for Akira.

Chinese cyberespionage campaign against European governments.

Check Point researchers describe a Chinese government cyberespionage campaign against European governments. They call it "SmugX," and attribute it to Red Delta, with some involvement by Mustang Panda. The campaign uses HTML Smuggling to deploy a new variant of PlugX against its targets. The groups' interest seems to be Eastern Europe, but the targeted governments (which include Sweden, the United Kingdom, France, Czechia, Slovakia, Hungary, and Ukraine) aren't confined to that region.

Sponsored by Expel

Wish you had a cheat sheet for AWS investigations? Expel created one!

We remediate loads of cyber incidents in Amazon Web Services (AWS), and some common themes have emerged re: attacker use of APIs. We’ve noticed they map nicely to MITRE ATT&CK tactics.

So we captured them in a mind map of possible attack paths once hackers are inside an AWS environment. This resource should be helpful if you ever find yourself chasing a baddie through the cloud and want to catch them sooner than later.

BlackCat and SEO poisoning.

The Russophone BlackCat ransomware gang (also known as “ALPHV”) is using malvertising to trick victims into installing malicious versions of the WinSCP file-transfer application, BleepingComputer reports. According to researchers at Trend Micro, “The infection starts once the user searches for ‘WinSCP Download’ on the Bing search engine. A malicious ad for the WinSCP application is displayed above the organic search results. The ad leads to a suspicious website containing a tutorial on how to use WinSCP for automating file transfer. From this first page, the user is then redirected to a cloned download webpage of WinSCP (winsccp[.]com). Once the user selects the “Download” button, an ISO file is downloaded from an infected WordPress webpage.”

Sponsored by AuditBoard

The InfoSec Survival Guide to Continuous Compliance

For a security compliance program to be effective, it must be built into the fabric of the organization, its processes, and its people. In AuditBoard’s The InfoSec Survival Guide: Achieving Continuous Compliance, security and compliance experts explore the need for a new approach to rapidly expanding compliance demands and dive into solutions at every stage of the compliance life cycle to help InfoSec teams of all maturity levels improve and optimize their practices.

LockBit seeks to extort semiconductor manufacturer.

The LockBit ransomware group is asking for $70 million in exchange for not leaking data allegedly stolen from Taiwanese chip manufacturer TSMC, the Register reports. TSMC told the Register that one of its third-party equipment suppliers, Kinmax, was the source of the breach.

SecurityWeek quotes TSMC as stating, “At TSMC, every hardware component undergoes a series of extensive checks and adjustments, including security configurations, before being installed into TSMC’s system. Upon review, this incident has not affected TSMC’s business operations, nor did it compromise any TSMC’s customer information. After the incident, TSMC has immediately terminated its data exchange with this concerned supplier in accordance with the Company’s security protocols and standard operating procedures. TSMC remains committed to enhancing the security awareness among its suppliers and making sure they comply with security standards. This cybersecurity incident is currently under investigation that involves a law enforcement agency.”

Kinmax said in a statement, “The leaked content mainly consisted of system installation preparation that the company provided to our customers as default configurations. We would like to express our sincere apologies to the affected customers, as the leaked information contained their names which may have caused some inconvenience.”

Sponsored by Kolide

The Dirty Secret of OS Updates.

Users don't install updates, and IT admins won't force installs via a restart. But installing OS updates is a top priority for both security and IT. 

When you make it part of conditional access, you can finally get it done without massive lists of exemptions or mountains of support tickets.

Watch the on-demand demo to learn how Kolide enables device trust for teams with Okta, ensuring only secure devices can access your apps.

CISA released a DDoS alert for US companies and government agencies.

Cybersecurity and Infrastructure Security Agency (CISA) released an alert on June 30th regarding distributed denial of service (DDoS) attacks: “CISA is aware of open-source reporting of targeted denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks against multiple organizations in multiple sectors. These attacks can cost an organization time and money and may impose reputational costs while resources and services are inaccessible.” Though the alert does not point fingers at any groups, it can be assumed that this is in response to the recent attacks against US, and NATO industries by Russian-aligned groups. BleepingComputer assessed that the warning represented a response to Anonymous Sudan’s new wave of DDoS attacks against various government and private sector organizations. “Since the start of the week, Anonymous Sudan claimed they had taken down the website of (the U.S. Treasury Dept's Electronic Federal Tax Payment System) and the U.S. Commerce Dept. website. BleepingComputer confirmed that was down at the time of the attack claimed by the threat group on their Telegram channel. Today (June 30th), they also claimed another DDoS attack that targeted Stripe's dashboard for managing business payments, refunds, and operations.” 

Anonymous Sudan announced the attack on U.S. companies and government websites in retaliation for comments made by the US Secretary of State Anthony Blinken regarding the civil war in Sudan. On June 1st, Mr. Blinken announced sanctions and business advisories for the Sudanese Armed Forces (SAF), and Rapid Support Forces (RSF). For more information on Anonymous Sudan’s Russian ties, see CyberWire Pro

Microsoft debunks claims of data theft by Anonymous Sudan.

Anonymous Sudan (generally regarded as a Russian front organization) on July 1st claimed in its Telegram channels to have breached Microsoft servers and stolen data belonging to some thirty-million customers. “We announce that we have successfully hacked Microsoft and have access to a large database containing more than 30 million Microsoft accounts, email and password. Price for full database: 50,000 USD,” the group posted. Microsoft says the claim is baseless. “At this time, our analysis of the data shows that this is not a legitimate claim and an aggregation of data,” a Microsoft representative told BleepingComputer. “We have seen no evidence that our customer data has been accessed or compromised."

Just yesterday, Anonymous Sudan also announced an ongoing attack on Riot Games, an American video game developer for League of Legends. Anonymous Sudan has claimed that they have access to Riot's “back end of League of Legends.” This campaign is a continuation of attacks against American companies in response to comments made by the Secretary of State concerning the civil war in Sudan. Riot Games would appear to be merely a US-based target of opportunity.

The CyberWire's continuing coverage of Russia's war against Ukraine, with special attention to the cyber phases of that war, may be found here.

Port of Nagoya closes over ransomware attack.

The Port of Nagoya, Japan's busiest ocean terminal, sustained a ransomware attack against the Nagoya Port Unified Terminal System on July 4th, BleepingComputer reports. Nikkei Asia says the issue came to light when a port employee noticed anomalies in his system. Investigation revealed the cause to be a ransomware infestation. The port authority is working to restore service and expects to have done so by tomorrow morning. In the meantime most container operations at the port have been suspended. No group has claimed responsibility for the attack, which remains under investigation.

Hacker spoofs a school and pilfers exam papers from British education boards.

School Week released a report regarding a hacker who posed as a school to gain access to Pearson, OCR, and AQA exam boards. AQA is the UK’s largest school examination board. Though few details are available, School Week explained that exams written by students were exported and sold online. “Schools Week understands the incidents relate to a school’s email system being hacked and then used to request papers from the exam boards – before the exam was taken. It is not known which exams this relates to,” they write. Police are reported to be in the early stage of investigating the hack and are working with both the National Crime Agency and the Department for Education.

Professionals in the cyber underworld.

Cybercriminal gangs are increasingly operating like professional businesses, according to Melissa Bischoping, Director of Endpoint Security Research at Tanium. In an article for Infosecurity Magazine, Bischoping stated, “The [ransomware-as-a-service] approach is almost identical to today’s modern businesses, which seek to hire the best talent across different functions. Through public-facing data leak sites (DLS), telegram channels or direct recruitment of targets as insider threats, cyber-criminals advertise job openings, promoting pay, benefits and other perks. In fact, the LAPSUS$ ransomware group has been advertising job openings since November 2021, targeting employees at large technology firms such as AT&T and Verizon to lure employees to perform insider jobs in exchange for high pay (up to $20,000 a week). The landscape for cyber-criminal jobs is competitive, with new ransomware groups and data leak sites popping up constantly.”

Bravo, Avast.

Avast researchers have developed a decryptor for the Akira ransomware active int he wild since March of this year. It's available at no charge, with instructions for use, on Avast's Decoded site.



Today's issue includes events affecting Belarus, Canada, China, Czechia, Estonia, the European Union, France, Germany, India, Japan, NATO/OTAN, Russia, Slovakia, Sweden, Taiwan, Ukraine, the United Kingdom, and the United States.


July Cyber Security Summits (Multiple locations / Virtual, July 13 - 27, 2023) Join us In-Person and network over breakfast, lunch & a cocktail reception on 7/13 in Raleigh-Durham, on 7/20 in DC and 7/27 in Pittsburgh. Learn about the latest threats and solutions from The FBI, U.S. DHS / CISA, IBM Security & more. Earn CPE/CEU credits with your attendance. Get $100 off admission w/ code CyberWire23 at

Uplevel your cloud security posture with CSPM. (Virtual, July 27, 2023) Is cloud security posture management (CSPM) right for your organization? Watch the webinar to learn about the four generations of CSPMs and building versus buying CSPM tools as well as use cases and real-world CSPM examples. Register today.

Securing Digital Transformation: OT Cybersecurity Innovation and Resilience (Virtual, August 3, 2023) Join Jon Lavender, CTO, Dragos, Mark Ryland, Director, Office of the CISO, AWS, and Anthony Pierce, Field CTO, Splunk for A Cyber Wire industry panel “Securing Digital Transformation: OT Cybersecurity Innovation and Resilience” discussing secure digital transformation, managing OT/IT cyber risk and the Cloud.

mWISE early bird registration is open. Get the lowest price we offer. Washington, D.C. or online (Washington, D.C. / Virtual, September 18 - 20, 2023) Early bird registration for Mandiant’s mWISE, the targeted security conference where we use the power of collective intelligence to combat emerging threats. Get the best price we offer at this highly targeted, vendor-neutral, community-focused event. mWISE Conference 2023 Registration is Open


Dateline: Russia's hybrid war against Ukraine.

Ukraine at D+496: Still sorting out the March on Moscow. (CyberWire) Russia continues to sort out the consequences of the Wagner Group's mutiny.

Russia-Ukraine war: List of key events, day 497 (Al Jazeera) As the war enters its 497th day, these are the main developments.

Ukraine-Russia war latest: Babies injured in Russian missile strike on town centre (The Telegraph) Two babies have been wounded after a Russian strike in a residential area of Pervomaiskyi in ...

Find MORE on our website.

Attacks, Threats, and Vulnerabilities

Chinese Threat Actors Targeting Europe in SmugX Campaign - Check Point Research (Check Point Research) Introduction In the last couple of months, Check Point Research (CPR) has been tracking the activity ...

Hackers target European government entities in SmugX campaign (BleepingComputer) A phishing campaign that security researchers named SmugX and attributed to a Chinese threat actor ...

Chinese hackers target European embassies with HTML smuggling technique (Record) The espionage effort, labeled SmugX by cybersecurity researchers at Check Point, has similarities to ...

Find MORE on our website.

Security Patches, Mitigations, and Software Updates

WordPress plugin lets users become admins – Patch early, patch often! (Naked Security) Ultimate Member plugin lets rogue users choose their own site capabilities, including becoming ...


BlackFog State of Ransomware Report (BlackFog) June was the second busiest month of 2023 with 46 publicly disclosed ransomware attacks recorded, ...

Understanding the Growing Professionalism of Cyber-Criminals (Infosecurity Magazine) Melissa Bischoping says organizations must know how threat actors are transforming their operations ...

58 per cent of malware families sold as service are ransomware (The Siasat Daily) A new study has revealed that 58 per cent of malware families sold as a service are ransomware.

Find MORE on our website.


Nordic firms ride wave of cyber M&A activity (Defense News) The mergers and acquisitions are taking place as Sweden seeks NATO membership, and neighboring ...

Nokod Security raises $8 million to enhance low-code/no-code app security (Help Net Security) Nokod Security announced its $8 million seed round, which will be used to establish a presence in ...

Outdid Raises $2.5 Million to Provide Identity Verification in a Private and Trustless Manner (Business Wire) Seed Round Led by Jump Crypto followed by Superscrypt

Find MORE on our website.

Products, Services, and Solutions

New infosec products of the week: June 30, 2023 (Help Net Security) The featured infosec products this week are from: Cequence Security, Delinea, Index Engines, and ...

Axio Global Unveils Cyber-Physical Attack Quantifier at Lloyd’s Lab Demo Day (Business Wire) Innovative Solution Helps Critical Infrastructure Organizations Understand Cyber-Physical Damage ...

Fortanix Launches Industry-First Confidential Data Search for Regulated Encrypted Data (Business Wire) Data security leader pioneers a unified, high-performance solution that is thousands of times faster ...

Find MORE on our website.

Technologies, Techniques, and Standards

CISA Announces Updates to the Election Security Team (Cybersecurity and Infrastructure Security Agency) Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly announced today that ...

CyberSentry Program Launches Webpage (Cybersecurity and Infrastructure Security Agency CISA) It should come as no surprise that our nation’s critical infrastructure is under concerted threat ...

Shining Light on NIST and Its Influence on SaaS Security (CPO Magazine) The National Institute of Standards and Technology (NIST) is one of the leaders in developing ...

Find MORE on our website.

Design and Innovation

Endor Labs Details Results of Using AI, ChatGPT to Detect Malware (Acceleration Economy) An Endor Labs study sheds light on ways to use ChatGPT in defensive cybersecurity. The company ...

‘Shadow’ AI use becoming a driver of insider cyber risk (Computer Weekly) Off-the-books use of generative AI tools will inevitably lead to a costly, high-profile data breach ...

Artificial intelligence is a familiar-looking monster, say Henry Farrell and Cosma Shalizi (The Economist) The academics argue that large language models have much older cousins in markets and bureaucracies

Legislation, Policy, and Regulation

Taiwan Looks to Ukraine Playbook in Race to Build Satellite Internet (Wall Street Journal) Kyiv’s ability to maintain broadband access inspires Taipei to boost communications resilience in ...

China’s Anti-Espionage Law Raises Foreign Business Risk (Forbes) Revisions to the law allow China significant leeway to investigate and prosecute foreign ...

Nations urged to be responsible in cyberspace after meeting in Vancouver (IT World Canada News) Representatives of 16 countries wound up two days of meetings on cybersecurity in Vancouver this ...

Find MORE on our website.

Litigation, Investigation, and Law Enforcement

Judge limits Biden administration in working with social media companies (AP News) A judge on Tuesday prohibited several federal agencies and officials of the Biden administration ...

Federal Judge Limits Biden Officials’ Contacts With Social Media Sites (New York Times) The order came in a lawsuit filed by the attorneys general of Missouri and Louisiana, who claim the ...

Briefing: Court Blocks Biden Administration From Pressuring Social Media Firms Over Covid ‘Disinformation' (The Information) A judge on Tuesday granted a preliminary injunction preventing the Biden administration from ...

Find MORE on our website.


Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.
The CyberWire logo
Twitter IconFacebook IconLinkedIn IconEmail Icon

Copyright © 2023, CyberWire Inc. Views and assertions of the various sources cited, Selected Reading articles, and images are those of the authors and artists, not the CyberWire, Inc.

This email was sent to
why did I get this?  |  unsubscribe  |  manage subscription preferences

The CyberWire · 8110 Maple Lawn Blvd Ste 200 · Fulton, MD 20759-2694 · USA


Popular posts from this blog

SecurityWeek Briefing.

Cyber War Newswire

SecurityWeek Briefing.