The CyberWire Daily

CEO and co-founder of Orca Security Avi Shua shares his thoughts on ways to succeed in cybersecurity. Avi's excitement about cybersecurity began when he was 13 as he tried to think of ways to get around the school's network security. He joined the Israeli Army's Intelligence Unit 8200 and experienced some unique cybersecurity training programs that he would eventually come to teach. Learning to solve problems on your own is a skill Avi acquired and took into his professional career. In his current position, Avi works to advance Orca's mission. He loves that his company works to reduce friction and enables security people to do their jobs. Instead of becoming of plumbers connecting things, Avi says they can do their job and become real security practitioners. We thank Avi for sharing his story with us.

Guests Gage Mele and Yury Polozov join Dave to talk about Anomali's research "Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes." Anomali Threat Research identified malicious samples that align with the Russia-sponsored cyberespionage group Primitive Bear’s (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs). Primitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the samples Anomali found, as well as those shared by the security community, could also be used to target multiple former Union of Soviet Socialist Republic (USSR) countries. Anomali Threat Research found malicious .docx files being distributed by Primitive Bear, likely through spearphishing, that attempted to download remote template .dot files through template injection. The research can be found here: Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes

Phishing, with a bogus hardware wallet as bait. Empty threats from a DarkSide impersonator. Cyber vigilantes may be distributing anti-piracy malware. Data security incidents at a cruise line and a US grocery chain. Malek Ben Salem from Accenture looks at optimizing security scanning. Our guest is Edward Roberts of Imperva on their 2021 Bad Bots Report. And a conviction for a crypter, with sentencing to follow. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/117

The US-Russian summit took up cyber conflict, cyber privateering, and cyber deterrence, ending with the prospect of further discussions. Ferocious Kitten’s domestic surveillance. Ransomware gangs are using a lot of initial access brokers. The Molerats are back. Troubleshooting a wave of intermittent Internet interruptions. NSA offers advice on securing business communication tools. Ukrainian police arrest six alleged Clop gangsters. Andrea Little Limbago from Interos on bringing the private sector back into the defense equation. Our guest is Charles Herring of WitFoo, with the case for cybersecurity as an extension of law enforcement. Nine alleged ransomware hoods collared in Seoul.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/116

Southwest flights are back in the air after an IT issue disrupted them yesterday. Paradise ransomware source code has been leaked online. Some networked camera feeds may be accessible to unauthorized viewers. TSA is preparing a second, more prescriptive pipeline cybersecurity directive. The Russo-US summit is underway. Our guest is Jay Paz from Cobalt on bad actors targeting hackers. Joe Carrigan looks at malware hosted on Steam. And the “face of Anonymous” has been extradited from Mexico to the US. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/115

Microsoft disrupts a major BEC campaign. The scope of cyberespionage undertaken via exploitation of vulnerable Pulse Secure instances seems wider than previously believed. Secureworks offers an account of Hades ransomware, and differs with others on attribution. Final notes during the run-up to tomorrow’s US-Russia summit, where cyber will figure prominently. Helping employees stay secure. Carole Theriault wonders if the internet of things is becoming the internet of everything. Ben Yelin weighs in on the Supreme Court’s ruling affecting the Computer Fraud and Abuse Act. And Reality Winner has been released to a halfway house. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/114

Volkswagen warns North American customers of a third-party data breach. An “anti-monopoly agenda” advances in the US House Judiciary Committee. Speculation about how the FBI recovered ransom from DarkSide. How EA was hacked. Is Avaddon going out of business? Craig Williams from Cisco Talos explains why they’re calling some cyber criminals “privateers”. Rick Howard shares thoughts on professional development. And a strange case of a gamekeeper turned poacher (allegedly). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/113

Principal Research Scientist for Human Behavior at Forcepoint, Margaret Cunningham shares her story of how she landed in cybersecurity. With a background in psychology and counseling and not feeling that one-on-one counseling was her thing, Margaret had a transformational moment in her PhD program in applied experimental technology when she realized she could "provide helping services and good work services at a broader scale." Margaret found her professional footing at DHS's Human Systems Integration Branch of Science and Technology Department as the person who figured out how to measure how new technologies impacted human performance. Margaret points out that making connections and reading whatever you can is important to stay up to date in the field. She notes that her statistical analysis skills are an asset. She hopes to create champions in human behavior and performance in the world of technology. We thank Margaret for sharing her story with us.

Guest Adam Tagert is a Science of Security (SoS) Researcher in the National Security Agency Research Directorate. The National Security Agency (NSA) sponsors the Science of Security (SoS) Initiative for the promotion of a foundational cybersecurity science that is needed to mature the cybersecurity discipline and to underpin advances in cyberdefense. Adam works in all aspects of SoS particularly in the promotion of collaboration and use of foundational cybersecurity research. He promotes rigorous research methods by leading the Annual Best Scientific Cybersecurity Paper Competition. Adam joins Dave Bittner to discuss the NSA's SoS Initiative and their Science of Security and Privacy 2021 Annual Report. Information on the SoS Initiative and the report can be found here: Science of Security Science of Security and Privacy 2021 Annual Report

Diplomatic Backdoor afflicts Africa, Europe, and Southwest Asia. Electronic Arts source code stolen. “Fancy Lazarus” is back: despite the name, it’s an extortion gang, not an espionage service. An international law enforcement action takes down a credential market. Making good data available for AI research. There’s a growing appetite for cyber regulation in Washington. Thomas Etheridge from CrowdStrike looks at protecting cloud data, and Matt Chiodi of Palo Alto Networks' Unit 42 has highlights from their Cloud Threat report. And hold that side order of fries - a McBreach is disclosed. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/112

JBS discloses that it paid REvil roughly eleven-million dollars in ransom. REvil not only had a good haul, but the gang made a few points about its brand, too. Colonial Pipeline explains, and defends, its decision to pay ransom. The US Congress has a third-party problem that constituents may or may not notice. Dan Prince from Lancaster University on the science of cybersecurity. Our guest is Kris McConkey from PwC on their Cyber Threats 2020 - Report on the Global Threat Landscape. The FBI’s recovery of some of the ransom Colonial Pipeline paid to the DarkSide was good, but it doesn’t necessarily represent a new normal. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/111

SentinelOne attributes the cyberespionage campaign against Russia’s FSB to Chinese services. President Biden replaces his predecessor’s bans on TikTok and WeChat with a process of engagement, security reviews, and data protection. More on the FBI-led Operation Trojan Shield. Privateering, again. NATO’s Article 5 in cyberspace. Joe Carrigan weighs in on recent high profile cyber incidents. Our guest is Shashi Kiran from Aryaka on their 2021 State of the WAN report. And notes on Patch Tuesday.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/110

The FBI seized a large portion of the funds DarkSide obtained from its extortion of Colonial Pipeline. An international sweep stings more than eight-hundred suspected criminals who were caught while using an encrypted chat app law enforcement was listening in on. CISA advises users to update their VMware instances. A new phishing campaign distributes Agent Tesla. Ben Yelin examines renewed controversy surrounding Clearview AI. Our guest is Aimee George Leery from Booz Allen on the challenging intersection of secure spaces and work from home. And a major truck maker discloses a cyber incident. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/109

Dark Side seems to have attacked Colonial Pipeline through an old VPN account. Washington and Moscow prepare for this month’s summit, with cyber on the agenda. DDoS affects German banks. Anonymous may be back, and out to bring to book those who would troll Bitcoiners. Rick Howard looks at process management in security. David Dufour from Webroot on lessons learned from Exchange Server vulnerabilities. And one of Trickbot’s alleged authors has been arrested and arraigned on multiple charges in a US Federal court. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/108

VP of Information Security at Barracuda Dave Farrow shares how a teenage surfer fell in love with software development and made his way in the cybersecurity field. Dave chose to study electrical engineering in college because he wanted to learn something that didn't make sense to him. He says he's done things in his career that he said he'd never do: for example, he went into and fell in love with software development. Taking on leadership of a bug bounty program at Barracuda blossomed into the creation of an internal security team. Dave wants to be the guy who enables the business and not the one who prevented it. He hopes all will come to recognize that there are other threats besides cybersecurity threats to business. We thank Dave for sharing his story with us.

Guest Karl Sigler of Trustwave's SpiderLabs joins Dave Bittner to talk about their research: "Hidden Phishing at Free JavaScript Site". The research describes an interesting phishing campaign SpiderLabs encountered recently. In this campaign, the email subject pertains to a price revision, followed by some numbers. There is no email body, but there is an attachment about an ”investment.” The attachment’s convoluted filename contains characters the file-naming convention doesn’t allow, notably the vertical stroke, “|.” Even though "xlsx" is in the filename, double-clicking the attachment will prompt the user to open it with the default web browser. Thus, the file indeed appears to be an HTML document. Of course, it’s malicious. The research can be found here: HTML Lego: Hidden Phishing at Free JavaScript Site

JBS recovers from its REvil ransomware attack, and this and other apparent instances of privateering will figure among the agenda at the upcoming US-Russia summit. (The US is said to be mulling retaliation.) The White House issues general advice on preparing for ransomware attacks. The Tokyo Olympic committee suffers a data breach. Ransomware may have interrupted some media livestreaming yesterday. Attribution in the MTA attack. Dinah Davis from arctic wolf helps prevent your SOC from becoming ineffective. Carole Theriault warns of data privacy leaks in online home tours. And ransomware-themed phishbait. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/107

Evil, your name is REvil, except when it’s Sodinokibi. That’s what the Bureau says about the JBS ransomware attack, anyway. The US is expected to make strong objections to Russian cyber privateering at the upcoming summit. Other ransomware incidents are disclosed by regional transportation operators. A possible Mustang Panda sighting. Andrea Little Limbago from Interos on cyber related executive orders. Our guest is Terry Halvorsen from IBM on the need for investment, research and collaboration in preventing quantum cyberattacks. And mommas, don’t let your babies grow up to be DDoS jockeys. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/106

Food processing is also vulnerable to ransomware: the case of multi-national meat-provider JBS. The US and Russia are in communication about the possibility that the criminals responsible for the JBS incident might be harbored in Russia. Domains used in the USAID impersonation campaign have been seized by the US Justice Department. Our guest is Melissa Gaddis from TransUnion with results from their Global Consumer Pulse study. Joe Carrigan looks at criminals abusing online search ads. Siemens addresses a critical issue in its PLCs. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/105

Iran’s wiper attacks may have been posing as criminal gang capers. CISA issues an alert on the USAID Constant Contact credential compromise. European governments express concern over reports of US surveillance (enabled, allegedly, by Danish organizations). Epsilon Red ransomware is out and active. Ben Yelin looks at Florida Governor DeSantis’ bill aimed at Social Media companies. Our guest is Giovanni Vigna from VMware with highlights from their 2020 Threat Landscape Report. And police come looking for cannabis farming and find coin-mining rigs instead. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/104

Guest Lenny Zeltser, CISO of Axonius, sits down with the CyberWire's CSO and Chief Analyst Rick Howard to discuss one of Rick's favorite topics, zero trust. Lenny shares his views on this cybersecurity first principle, taking into account changes in mindsets during the COVID-19 pandemic that have necessitated many to move toward zero trust.

Managing Director at Cerberus Sentinel, Chief Compliance Officer and the President of TalaTek, Baan Alsinawi shares her cybersecurity journey from a teenager who wanted to understand computers and held several positions in IT from help desk to systems engineering and cybersecurity. Founding her own business focusing on compliance, Baan says she spends maybe only 20% of her day on technical tasks and that there is always so more to do. Finding the right people for her team is a marker of success for Baan. She talks of the importance of sharing the sense of community of women in technology and nurturing women in the field. We thank Baan for sharing her story with us.

Guest Brandon Hoffman of Intel 471 joins Dave Bittner to share his team's research "How China’s cybercrime underground is making money off big data". Through Intel 471’s observation and analysis of open source information and behavior on multiple closed forums, they found actors adopting the use of legitimate big data technology for cybercrime and monetizing the data they obtain on the Chinese-language underground. The behavior Intel 471 analyzed points to a cycle that involves several different layers of cybercriminals, the use of insider information, and unwitting victims in order to earn ill-gotten gains. The schemes themselves proliferate partly due to China’s desire to be a global epicenter in big data analytics, especially as it pushes to become synonymous with new technology sectors like the Internet of Things (IoT). With China injecting big data into every economic sector, the environment has become ripe for criminals to create and execute schemes that hide in the noise brought on by the amount of data at hand. The research can be found here: How China’s cybercrime underground is making money off big data

A phishing campaign this week appears to be the work of Russia’s SVR. Chinese government threat actors continue to exploit unpatched Pulse Secure instances. FBI renews warnings about unpatched Fortinet appliances. Healthcare organizations still work to recover from ransomware. Rick Howard speaks with author Andy Greenberg on his book Sandworm. Ben Yelin weighs in on questions Senator Wyden has for the Pentagon. And a look at the criminal ransomware market, including the consultants who serve the extortionists. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/103

Chinese-speaking operators are reported to be phishing to compromise devices belonging to Uyghurs. The US Department of Homeland Security issues pipeline cybersecurity regulations. Security companies take various approaches to offering decryptors against ransomware. Huawei would like to chat with President Biden. Rick Howard speaks with authors Peter Singer and Emerson Brooking on their book "LikeWar - The Weaponization of Social Media". Our guest is Darren Shou of NortonLifeLock on the findings of the 6th annual Norton Cyber Safety Insights Report. And a few notes on privateers, then and now, whether on High Barbaree or the dark net. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/102

Hafnium visits Belgium. “Low-sophistication” attacks on operational technology. Updates on healthcare sector ransomware attacks in New Zealand and Ireland. Wipers masquerading as ransomware. “Privateers” are defined as a new category of threat actor. TSA’s new standards for pipeline security. The World Economic Forum has advice for Boards in the oil and gas sector. Rick Howard interviews Liza Mundy on her book "Code Girls - The Untold Story of the American Women Code Breakers Who Helped Win World War II". Joe Carrigan describes fraudulent search engine ad buys. And as one criminal is sentenced, eight more are arrested. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/101

The CryptoCore campaign that looted cryptocurrency exchanges is said to have been the work of North Korea’s Lazarus Group. Insurers are taking a hard look at ransomware and the cyber insurance policies that might cover it. Managing ransomware risk, and a role for standards bodies. Can there be such a thing as responsible disclosure of decryptors and other remediation tools? Ransomware gangs regroup. Perry Carpenter previews the new 8th Layer Insights podcast. Rick Howard speaks with authors Doug Barth and Evan Gilman. And it’s time served plus deportation in the case of an unsuccessful hacker. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/100

Ransomware warnings in the US, Ireland, New Zealand, and Germany--healthcare organizations are said to be at particular risk. Belgium adopts a new cybersecurity strategy. China isn’t happy with freelance cryptominers. Air India sustains a third-party breach of passenger personal data. An FBI analyst is indicted for mishandling classified material. Rick Howard previews this week’s CSO Perspective podcast and kicks off cybersecurity canon week with author Perry Carpenter. And happy birthday, US Cyber Command. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/99

Senior Security Officer at Centers for Medicare and Medicaid Services Michael Bishop Jr. shares his journey from Army infantryman deployed to Iraq to working in cybersecurity. After 12 years in the U.S. Army, Mike found himself in a rough spot. Looking for work and having some personal challenges, Mike's mentor, an Army officer he met while enlisted, recognized Mike's struggles and helped to nudge him toward cybersecurity. Mike credits his mentor with helping him transition to where he is today. Undergoing training for cybersecurity, he was tested in many areas and found the route he wanted to go. We thank Michael for sharing his story with us.

Guest Joe Slowik joins us from DomainTools to discuss his team's research "COVID-19 Phishing With a Side of Cobalt Strike." Multiple adversaries, from criminal groups to state-directed entities, engaged in malicious cyber activity using COVID-19 pandemic themes since March 2020. Adversaries continue to leverage the pandemic, arguably the most significant issue globally as of this writing, in various ways. Yet the most persistent avenue remains using COVID-19 themes for building malicious document files. Examples include lures associated with Cloud Atlas-linked activity and broader targeting of health authorities. Given the continued significance of the pandemic and persistent use of pandemic themes by adversaries, DomainTools researchers continuously monitor for items leveraging COVID-19 content for malicious purposes. While conducting this research, DomainTools analysts identified an interesting malicious document with what appeared to be unique staging and execution mechanisms. Research can be found here: COVID-19 Phishing With a Side of Cobalt Strike

The US remains officially mum on whether it took down DarkSide, but it still looks as if the ransomware gang absconded on its own. Colonial Pipeline now faces legal fallout from its ransomware incident. Speculation about how states might handle cyber privateering. Conti’s attack on HSE is described as “catastrophic.” Russia says it was hit by foreign cyber mercenaries last year. Craig Williams from Cisco Talos explains Discord abuses. Our guest is Jon Ford from Mandiant on their M-Trends 2021 report. And CNA pays cyber extortionists $40 million. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/98

Did DarkSide really see the light and shut down, with a sincere promise of reform and restitution, or is the gang just rebranding? Researchers look at DarkSide ransomware and find complexity and sophistication. Israel says airstrikes in Gaza were intended to take out Hamas cyber ops facilities. Poor practices seem to have exposed data of millions of Android app users. Phishing from call centers and cloud services. David Dufour from Webroot looks at hacker psychology. Our guest is Rob Price from Snow Software on Shadow IT. And who dunnit to SolarWinds? Not the intern. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/97

Colonial Pipeline corrected yesterday’s IT glitch, and its CEO explains the decision to pay the ransom. A rundown of recent ransomware activity. A watering hole for water utilities? Credential harvesting and cryptojacking in the cloud. A banking Trojan spreads from Brazil to Europe. Joe Carrigan looks at keyboard biometrics. Our guest Dotan Nahum from Spectral on shifting left in security development. And the metaphysics of attribution. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/96

A new RIG campaign is distributing WastedLocker. The US Congress considers two bills informed by the Colonial Pipeline incident, and Congressional committees are looking at the company’s response to the attack. More ransomware gangs go offline, but Conti is still trying to collect from the Irish government. Double encryption appears to be an emerging trend in ransomware. Ben Yelin looks at insurance companies clamping down on ransomware payments. Our guest is Nick Gregory of Capsule8 with thoughts on the Linux security landscape. And there’s another problem with stalkerware: third-party risk. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/95

Japan calls out China for cyberespionage. Colonial Pipeline restores service, as organizations look to their own vulnerability to ransomware. The DarkSide gang may have said it’s going out of business, but it’s at least as likely, probably likelier, that they’re either rebranding or absconding. Two other gangs are in business: Conti is hitting Irish health organizations, and Avaddon says it compromised insurer AXA. (AXE-uh) Rick Howard looks at new responsibilities for CISOs. Our guest is Samantha Madrid of Juniper Networks on establishing automation and security integrations seamlessly. And a spy gets fifteen years in a US prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/94

Technical account manager Dominique West takes us on her career journey from engineering to cybersecurity. Even though her undergraduate degree was in information systems, Dominique did not learn about cybersecurity until she personally experienced credit card fraud. She had a range of positions from working the help desk in an art museum to vulnerability management and cloud security. Dominique mentions remembering feeling isolated as the only black person and one of few women in many situations. These experiences spurred her into action to create Security in Color to help others navigate their way into cybersecurity and share resources are available to them. Dominique recommends those interested in cybersecurity to go ahead and get your hands dirty out there; figure out what you like and what you don't like and do community. We thank Dominique for sharing her story with us.

The Zero Trust security model asserts that organizations should not trust anything within its perimeters and instead must inspect every traffic and verify anything connecting to its systems before granting access. While Zero Trust is generating a lot of buzz in the cyber world, it’s often hard to determine the implications of this security model.  In this episode of CyberWire-X, guests will discuss the origins of the model, cut through the hype, and discuss what you really need to know to design, implement, and monitor an effective Zero Trust approach. John Kindervag of ON2IT Cybersecurity, also known as the "Creator of Zero Trust," shares his insights with the CyberWire's Rick Howard, and Tom Clavel of sponsor ExtraHop joins Kapil Raina from their partner CrowdStrike to offer their thoughts to the CyberWire's Dave Bittner.

Guest LTC Erica Mitchell from Army Cyber Institute joins us to talk about their infrastructure resiliency research project called Jack Voltaic. The Army Cyber Institute’s (ACI’s) Jack Voltaic (JV) project enables the institute to study incident response gaps alongside assembled partners to identify interdependencies among critical infrastructure and provide recommendations. JV provides an innovative, bottom‐up approach to critical infrastructure resilience in two unique ways. Whereas most federal efforts to improve resiliency focus on regional or multistate emergency response, JV focuses on cities and municipalities where critical infrastructure and populations are most heavily populated. Furthermore, JV deviates from other cybersecurity and national preparedness exercises in that it builds around areas of interest nominated by the participants. Although JV events include national-level capabilities and resources, they are conceptually driven by the concerns of the cities and their infrastructure partners. Through this approach, the ACI, the Army, and the Department of Defense (DoD) are able to harvest insights about potential roles, dependencies, partners, and support requests, while cities are able to discover potential capability gaps and expand their critical infrastructure information-sharing networks before a potential disaster strikes. Research links: Jack Voltaic Cyber Research Project Jack Voltaic 3.0 Cyber Research Report Executive Summary

DarkSide says it’s feeling the heat and is going out of business, but some of its affiliates are still out and active, for now at least. A popular hackers’ forum says it will no longer accept ransomware ads. The Bash Loader supply chain compromise afflicts another known victim. Colonial Pipeline resumes delivery of fuel. Irresponsible disclosure of vulnerabilities hands attackers a big advantage. Carole Theriault looks at NFTs. Joe Carrigan wonders about the return on your ransomware payment investment. And there’s a lot of Amazon-themed vishing going on out there. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/93

The US Executive Order on Improving the Nation’s Cybersecurity is out. Colonial Pipeline partially resumed delivery of fuel yesterday evening, as its preparation for and response to the cyberattack it sustained receive scrutiny. The DarkSide’s extortion of the US pipeline company seems likely to prompt regulatory revision. DarkSide operators say they’ve gotten busy against other targets. Our own Rick Howard speaks with Aaron Sant-Miller, Chief Scientist at BAH, on developments in artificial intelligence. And Verizon’s Database Investigations Report is out. I check in with Verizon’s Chris Novak for highlights from the DBIR. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/92

FireEye provides an overview of the DarkSide ransomware-as-a-service operation. Forcepoint suggests a connection between DarkSide and other ransomware gangs, notably REvil. Colonial Pipeline continues its recovery efforts from the cyber attack it sustained. As ransomware grows more common, CISA offers advice on how to prepare defenses. A new Android banking Trojan is in circulation. Cecelia Marinier from RSA on the RSAC Innovation Sandbox. Bret Arsenault from Microsoft previews his new Microsoft CISO podcast. And yesterday, of course, was Patch Tuesday. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/91

Updates on the DarkSide ransomware attack on Colonial Pipeline. Other ransomware strains, including Avaddon and Babuk are out, and dangerous. Guidelines on 5G threat vectors. Lemon Duck cryptojackers are looking for vulnerable Exchange Server instances. A bogus, malicious Chrome app is circulating by smishing. Ben Yelin examines an online facial recognition platform. Our guest is Mathieu Gorge of VigiTrust on the privacy risks of video and audio recordings. And an update on an espionage trial. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/90

Colonial Pipeline shuts down some systems after a ransomware attack, disrupting refined petroleum product delivery in the Eastern US. We’ll check in with Sergio Caltagirone from Dragos for his analysis. Other ransomware attacks hit city and Tribal governments. Joint UK-US alert on SVR tactics issued, and the SVR may have changed its methods accordingly. SolarWinds revised downward its estimate of the number of customers affected by its compromise. Rick Howard previews his CSO Perspectives podcasts on risk metrics. Four guilty pleas in “bulletproof hosting” RICO case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/89

VP of Global Solutions Architecture at eSentire Tia Hopkins shares her career journey and talks about its beginnings in engineering and pivots into cybersecurity leadership. Tia shares how she liked to take things apart when she was young, including the brand new computer her mother bought her and how she was fascinated by all the pieces of it spread all across her bedroom floor. As she started studying engineering, Tia learned she was more of a technologist than an engineer. Tia got her start in technology without completing her formal education by what she says is "grit and right place, right time." Once she was in a management role, Tia wanted to validate her knowledge, experience, and ability and not only completed her bachelor's degree, but also two master's degrees. Tia recently started an organization to encourage and grow interest, confidence, and leaders of women of color in the field of cybersecurity. We thank Tia for sharing her story with us.

Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts. Users feel the pain of adhering to complex password policies. Adversaries simply copy, break, or brute-force their way in. Why, then, have we spent decades with passwords as the primary factor for authentication?From the very first theft of cleartext passwords to the very latest bypass of a second-factor, time and again improvements in defenses are met with improved attacks. The industry needs to trust passwordless authentication.What holds us back from getting rid of passwords? Trust. In this episode of CyberWire-X, guests will discuss a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor. We will share a path forward for increasing trust in passwordless authentication. Nikk Gilbert of CISO of Cherokee Nation Businesses and retired CSO Gary McAlum share their insights with Rick Howard, and Advisory CISO of Duo Security at Cisco Wolfgang Goerlich from sponsor Duo Security offers his thoughts with Dave Bittner.

Guest Mike McLellan from Secureworks joins us to share his team's insights about SUPERNOVA and threat group attribution. Similarities between the SUPERNOVA activity and a previous compromise of the network suggest that SPIRAL was responsible for both intrusions and reveal information about the threat group. In late 2020, Secureworks® Counter Threat Unit™ (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU™ researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China. The research can be found here: SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group

CISA outlines the FiveHands ransomware campaign. Circumstantial evidence suggests that some cybergangs are either controlled by or are doing contract work for Russian intelligence services. US Federal agencies turn their attention to software supply chain security. Scripps Health continues its recovery from cyberattack. Insecure home routers in the UK. Daniel Prince from Lancaster University has thoughts on cybersecurity education. Our guest Rupesh Chokshi from AT&T has suggestions for organizations who want to get SASE, but don’t know where to begin. And Ryuk ransomware throws a wrench in research at a European biomedical institute. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/88

Some possible insight into what a Chinese cyberespionage unit is up to. Hackathons, from Beijing to Washington (the one sponsored by Beijing developed an iPhone zero-day used against China’s Uyghurs). Panda Stealer is after crypto wallets. Microsoft's Kevin Magee reflects on lessons learned in the last year. Our own Rick Howard speaks with Todd Neilson from World Wide Technology on Zero Trust. And Peloton deals with a leaky API. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/87

Belgium sustains a DDoS attack that knocks parliamentary sessions offline. New malware strains identified in phishing campaign. Threat actors look for ways of working around multi-factor authentication and open authentication. COVID-19 scams continue online, and attract law enforcement attention. Joe Carrigan describes a compromised password manager. Our guests are Linda Gray Martin & Britta Glade from RSA with a preview of this year’s RSAC conference. And how secure was your high school’s election for homecoming court. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/86

Pulse Secure patches its VPN, and CISA for one thinks you ought to apply those fixes. Apple has also patched two zero-days in its Webkit engine. Scripps Health recovers from what’s said to be a ransomware attack. Researchers describe Genesis, a criminal market for digital fingerprints. Ben Yelin described a grand jury subpoena for Signal user data. Our guest is Ryan Weeks from Datto on the need for cyber resilience in the MSP community. And Japan works on cybersecurity for this summer’s upcoming Olympic Games. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/85

Possible data exposure at the Philippines’ Office of the Solicitor General. In the US, FISA surveillance targets dropped during 2020’s pandemic. The Babuk gang says it’s giving up encryption to concentrate on doxing. A new version of the Buer loader is out in the wild. Rick Howard looks at security in the energy sector. Betsy Carmelite from Booz Allen Hamilton on telemedicine security concerns. The US Justice Department undertakes a review of its cybersecurity policies and strategy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/84

CEO and co-founder of SafeGuard Cyber Jim Zufoletti shares his journey starting out as an intrepreneur and transformation into a serial entrepreneur in cybersecurity. Jim shares how he got his feet wet working for others as an intrepreneur and catching the entrepreneurial bug in the mid-90s. He has co-founded a number of companies starting with FreeMarkets, a B2B ecommerce company. After that went public and Jim moved on, he went to business school at the University of Virginia and crossed paths with his future co-founder of SafeGuard Cyber. At UVA, Jim was inspired by a professor who exposed him to the effectuation approach to entrepreneurship, Along those lines, Jim recommends those looking to start a business in cyber build their experience portfolio. Jim took what he learned to help build where he is today. His company helps protect the humans in this new digital world with the current work from home environment. And, we thank Jim for sharing his story with us.

Guest Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins Dave to discuss their 2021 Unit 42 Ransomware Threat Report, which highlights a surge in ransomware demands based on a global analysis of the threat landscape in 2020. To evaluate the current state of the ransomware threat landscape, the Unit 42 threat intelligence team and the Crypsis incident response team collaborated to analyze the ransomware threat landscape in 2020, with global data from Unit 42 as well as US, Canada, and Europe data from Crypsis. The report details the top ransomware variants, average ransomware payments, ransomware predictions, and actionable next steps to immediately reduce ransomware risk. The report can be found here: 2021 Unit 42 Ransomware Threat Report

The US Government expands its investigation into Pulse Secure VPN compromises. Microsoft discloses its discovery of BadAlloc IoT and OT vulnerabilities. Someone’s distributing Purple Lambert spyware. Chinese intelligence services seem to be backdooring the Russian defense sector. Financially motivated criminals are exploiting SonicWall VPN vulnerabilities. A look at the emerging criminal market for deepfakes. Josh Ray from Accenture Security on Why Cybersecurity Community Service Matters. Our guest Manish Gupta of ShiftLeft looks at cyber attacks on the CI/CD pipeline. And the World Health Organization attracted impersonators early this month. Again. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/83

An API bug may have exposed credit ratings. A study offers advice for the new anti-ransomware task forces emerging in the US and elsewhere. Israelis warned to keep their cyber-guard up on Quds Day next week. Russia says it would spot any US cyberattack before it hit. The US Congress considers establishing surge cyber response capacity. Dinah Davis from Arctic Wolf has tips on preventing RDP attacks. Rick Howard speaks with Rehan Jalil from Securiti on GDPR. NSA offers advice for security OT networks.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/82

Ghostwriter is back, and has moved its “chaos troops” against fresh targets in Poland and Germany. The Naikon APT has a new secondary backdoor. FluBot, temporarily inhibited by police raids, is back, and expanding its infection of Android devices across Europe. Microsoft is rethinking how much, and with whom, it wants to share vulnerability information. Joe Carrigan examines a phone scam targeting Amazon Prime customers. Our guest is Tzury Bar Yochay of Reblaze on open-source software and scalability. And Signal’s discovery of Cellebrite issues is finding its way into court. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/81

FBI, CISA, detail SVR cyber activities. Nine US Combatant Commands see declassification as an important tool in information warfare. A convergence of OPSEC and privacy? Apple fixes a significant Gatekeeper bypass flaw. Babuk ransomware hits DC police. A new twist in credential harvesting. Ben Yelin considers the FTCs stance on racially biased algorithms. Our guest Tony Howlett from SecureLink tracks the evolution of threat hunting. And that was no hack; it was just a careless tweet. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/80

Zoom prankers deceive European members of parliament with a deepfake video call. A password manager is compromised. Europol took a good whack at Emotet yesterday, removing the botnet’s malware from infected machines. US response to the Holiday Bear campaign receives cautious good reviews. A cyberattack interferes with cancer treatments. Caleb Barlow from CynergisTek on emergency notification systems. Rick Howard previews the latest CSO Perspectives podcast focused on the healthcare vertical. And movie-themed phishbait chummed the waters around yesterday’s Oscars. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/79

Proliferation of data continues to outstrip our ability to manage and secure data. The gap is growing and alarming,especially given the explosion of non-traditional smart devices generating, storing, and sharing information. As edge computing grows, more devices are generating and transmitting data than there are human beings walking the planet.  High-speed generation of data is here to stay. Are we equipped as people, as organizations, and as a global community to handle all this information? Current evidence suggests not. The International Data Corporation (IDC) predicted in its study, Data Age 2025, that enterprises will need to rely on machine learning, automation and machine-to-machine technologies to stay ahead of the information tsunami, while efficiently determining and iterating on high-value data from the source in order to drive sound business decisions.  That sounds reasonable, but many well-known names in the industry are trying - and failing - to solve this problem. The struggle lies in the pivot from “big data,” to “fast data,” the ability to extract meaningful, actionable intelligence from a sea of information, and do it quickly. Most of the solutions available are either prohibitively expensive, not scalable, or both. In this episode of CyberWire-X, guests will discuss present and future threats posed by an unmanageable data avalanche, as well as emerging technologies that may lead public and private sector efforts through the developing crisis. Don Welch of Penn State University and Steve Winterfeld of Akamai share their insights with Rick Howard, and Egon Rinderer from sponsor Tanium offers his thoughts with Dave Bittner.

Senior security researcher from Secureworks Marcelle Lee shares her career journey into cybersecurity and how she helps solve hard problems in her daily work. Marcelle came into cybersecurity not through any traditional path. She describes her route from a different field and starting in cyber at her local community college through a grant program. Marcelle took full advantage of the opportunities she had and grew her career from there. She recommends finding your specialty, but continue to build other skills. As a woman in the field, she is a strong proponent of diversity and encouraging others to find what excites them. And, we thank Marcelle for sharing her story with us.

Guest Jason Passwaters of Intel 471 joins us to discuss his team's research into bulletproof hosting (BPH). The research team at Intel 471 defined what a typical BPH service offers and how these services can be stopped in order to limit the damage they have on enterprises, businesses and digital society itself. They examined some popular malware families that actors host or leverage via BPH services. While much more goes into a cybercriminal’s full operation, it would be vastly more difficult to pull off without the ability to host malware and be free from impunity. Finally, they listed of some of the BPH providers that are firmly entrenched in the cybercrime underground and how they give support to other cybercriminal enterprises. By recognizing their behaviors, security teams can begin to take measures to figure out who the actors are, how they operate and what their infrastructure looks like. By doing so, organizations can begin to uncover ways to proactively counter maliciously-used infrastructure before criminals have a chance to launch their attacks.  The blog posts can be found here: Hiding in plain sight: Bulletproof Hosting’s dueling forms Bulletproof hosting: How cybercrime stays resilient Here’s who is powering the bulletproof hosting market

Ransomware operators begin timing their releases for more reputational damage. Another gang is equipping its ransomware with scripts to disable defenses, and yet another is now into stock shorting. The US Postal Inspection Service is apparently monitoring social media. GCHQ’s head warns of the dangers of becoming dependent on China’s technology. Johannes Ullrich from SANS on Commodity Malware Targeting Enterprises. Our guest is Etay Maor from Cato with some of the clever ways criminals avoid detection. And it’s not just sharks interested in undersea cables. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/78

Agencies continue to respond to the Pulse Secure VPN vulnerabilities. Updates on the SolarWinds compromise show that it remains a threat, and that it was designed to escape detection and, especially, attribution. A cryptojacking botnet is exploiting vulnerable Microsoft Exchange Server instances. Facebook takes down two Palestinian groups distributing spyware. Ransomware draws more attention. Craig Williams from Cisco Talos looks at cheating the cheater. Our guest is Bruno Kurtic from Sumo Logic on their Continuous Intelligence Report. And a Cellebrite vulnerability is exposed. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/77

SonicWall zero-days are under active exploitation; mitigations are available. Pulse Secure VPN is also undergoing exploitation, probably by China, and mitigations are available here, too. The US begins work on shoring up power grid cybersecurity. Cyber ops rise with Russo-Ukrainian tension. The help desk at ISIS tells jihadists to stay away from Bitcoin. Joe Carrigan looks at cryptocurrency anonymity. Our guest is Bert Kashyap from SecureW2 on what needs to be done before devices used for learning from home return to schools. And is your password inspired by cinema? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/76

Update on the Codecov supply chain attack. The Babuk gang says they’ve debugged their decryptor. MI5 warns of “industrial scale” catphishing in LinkedIn. Positive Technologies responds to US sanctions. The US stands down the two Unified Coordination Groups it established to deal with the SolarWinds and Exchange Server compromises. Are all Five Eyes seeing eye-to-eye on China? Ben Yelin explains the legal side of the FBI removing webshells following the Microsoft Exchange Server hack. Our guest is May Habib from Writer on how the AI is helping the security industry with outdated and problematic terminology. And, psst: your kitchen appliances are a bunch of sellouts...or something. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/75

Another supply chain incident surfaces. The Natanz sabotage seems to have landed a punch, but not a knock-out blow against Iran’s nuclear program (and it appears to have been a bomb). China’s “big data” gangs and their place in the criminal economy. Tolerating (and protecting?) ransomware gangs in Russia? Betsy Carmelite looks at the intersection of 5G and zero trust. Rick Howard is focusing on finance and fraud in the latest season of CSO Perspectives. Russia’s counterretaliation for US sanctions in the SolarWinds affair.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/74

CEO and Founder of Votiro Aviv Grafi shares his story from serving as a member of the IDF's intelligence forces to leading his own venture. Aviv says his service in the IDF shaped a lot of his thinking and problem solving. Following his military service, Aviv worked to gain more real world and business experience. Starting his own business as a pentester was where the seeds for what would become Votiro would form. Aviv talks about the roller coaster that you experience when starting your own venture and offers some advice. And, we thank Aviv for sharing his story with us.

Guest Deepen Desai joins Dave to talk about Zsaler's research "Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures." In Jan 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are often used as social engineering schemes by threat actors. MINEBRIDGE buries itself into the vulnerable remote desktop software TeamViewer, enabling the threat actor to take a wide array of remote follow-on actions such as spying on users or deploying additional malware.The use of social engineering tactics targeting security teams appears to be on an upward trend. The research can be found here: Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures

The European Union expresses solidarity with the US over the SolarWinds incident. The UK joins the US in attributing the incident to Russia. Russia objects to US sanctions and hints strongly that it intends to retaliate. IBM discloses new cyber threats to the COVID-19 vaccine cold chain. Iran says Natanz is back in business. Kevin Magee from Microsoft looks at the security of startups. Our guest is Brad Ree of ioXt Alliance with results from their Mobile IoT Benchmark report. And data breaches hit people who park and people who read. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/73

The US announces a broad range of retaliatory actions designed to “impose costs” on Russia for its recent actions in cyberspace, prominently including both the SolarWinds supply chain compromise and attempts to influence elections. More reports on the Natanz incident suggest that a buried bomb was remotely detonated. David Dufour from Webroot has a wakeup call on digital privacy. Our guest is Ganesh Pai from Uptycs on Mitre ATT&CK Evaluations. And IcedID is taking Emotet’s place in the criminal ecosystem. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/72

Updates on Natanz, where the nature of the sabotage remains unclear--it happened, but there are conflicting explanations of how. Electrical utilities on alert for cyberattack, especially after the SolarWinds incident. The US Government takes extraordinary steps to fix the Microsoft Exchange Server compromise. Joe Carrigan analyses effective phishing campaigns. Our guest is the FBI’s Herb Stapleton on their recent IC3 report. And the US Intelligence Community’s Annual Threat Assessment points, in order of diminishing rsk, to China, Russia, Iran, and North Korea. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/71

Updates on the sabotage at Natanz--whether it was cyber or kinetic, Iran has vowed to take its revenge against Israel. NAME:WRECK vulnerabilities affect DNS implementations. Tax season scammers are phishing for credentials. If you liked the investment opportunities those Nigerian princes used to offer, you’re going to love their loaded ATM cards. Ben Yelin looks at data protection and interoperability. Our guest is Jules Martin from Mimecast on the importance of security integration. And in the Netherlands ransomware is inducing a shortage of cheese. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/70

Iran says Israel was responsible for sabotaging the Natanz nuclear facility yesterday, and Tehran promises revenge. Online plotting results in the arrest of a Texas man alleged to have planned an attack on an Amazon Web Services center. Scraped, not hacked, data from LinkedIn and Clubhouse are being hawked online. Andrea Little Limbago from Interos addresses asymmetric power within cyberspace and how that plays out in warfare. Our guest is Giovanni Vigna from VMware on the takedown of the Emotet infrastructure. And the US moves to fill senior cybersecurity positions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/69

Chief Technology Officer and Senior Vice President, Engineering for Digital Guardian Debra Danielson shares her career journey. From aspirations of becoming an astronaut studying mechanical and aerospace engineering, Finding her first job at a local software company that turned into a long term commitment after it was acquired by another firm. Debra mentions that when she was heads-down programming, there were many women in the field and when she emerged from the cube to take on management and leadership positions, the ratio of women had dropped dramatically. She noted at this time that it took a lot of energy to be different. Debra shared that each time she had challenges in her career, she learned from them. She offers advice of taking risks earlier in your career as you don't know what it could lead to. And, we thank Debra for sharing her story with us.

Guests Gage Mele, Winston Marydasan, and Yury Polozov from Anomali join Dave to discuss their research into Static Kitten targeting government agencies in the UAE and Kuwait. Anomali Threat Research uncovered malicious activity very likely attributed to the Iran-nexus cyberespionage group, Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous sectors primarily located in the Middle East This new campaign, which uses tactics, techniques, and procedures (TTPs) consistent with previous Static Kitten activity, uses ScreenConnect launch parameters designed to target any MOFA with mfa[.]gov as part of the custom field. Anomali's team found samples specifically masquerading as the Kuwaiti government and the UAE National Council respectively, based on references in the malicious samples. The research can be found here: Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies

Lazarus Group has a new backdoor. Bogus Clubhouse app advertised on Facebook. Cryptojacking goes to school. A ransomware cartel is forming, but so far apparently without much profit-sharing. The US Senate is preparing to make strategic competition with China the law of the land. Dinah Davis from Arctic Wolf looks at phony COVID sites. Our guest is Jaclyn Miller from NTT on the importance of mentoring the next generation. And Russia remains displeased with a lot of Twitter’s content. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/68

Cring ransomware afflicts vulnerable Fortigate VPN servers. Distance learning in France stumbles due to sudden high demand, and possibly also because of cyberattacks. Hafnium’s attack on Microsoft Exchange Servers may have been long in preparation, and may have used data obtained in earlier breaches. Commerce Department adds seven Chinese organizations to its Entity List. 5G security standards in the US are said likely to emphasize zero trust. Atlantic Media discloses a breach of employee data. Caleb Barlow from CynergisTek with a clever way of thinking about ransomware preparedness. Our guest is Amit Kanfer from build.security on authorization, a problem he says remains mostly unsolved. And emissions testing stations in some US states remain down. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/67

Goblin Panda’s upped its game in recent attacks on Vietnamese government targets. The EU is investigating cyberattacks against a number of its organizations. Scraped LinkedIn data is being sold in a hackers’ forum. Facebook talks about the causes of its recent data incident. New Android malware poses as a Netflix app. Joe Carrigan shares comments from the new head of the NCSC. Our guest is Fang Yu from Datavisor with highlights from their Digital Fraud Trends Report. And the Molerats are using voice-changers to phish for IDF personnel. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/66

A watering hole campaign compromised several Ukrainian sites (and one Canadian one). File transfer blues. A couple of looks into the criminal-to-criminal marketplace: establishing a brand and selling malicious document building tools. Ben Yelin has details on a privacy suit against Intel. Our guest is Steve Ginty from RiskIQ on the threat actors behind LogoKit. And notes on the big and apparently old Facebook breach, including why people care about it. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/65

An old leaked database has been delivered into the hands of skids. (The news isn’t that the data are out there; it’s that the skids now have it. For free.) CISA and the FBI warn that APTs are scanning for vulnerable Fortinet instances. Cryptojackers pan for alt-coin in GitHub’s infrastructure. Holiday Bear may have looked for network defenders. Threats to water utilities. Johannes Ullrich explains why dynamic data exchange is back. Our guest is Mark Lance from GuidePoint Security tracking parallels between the SolarWinds attack and the RSA hack a decade ago. And a cyberattack snarls vehicle emission testing. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/64

Co-founder and Chief Strategy Officer for Corelight Greg Bell describes the twists and turns of his career bringing him back to his childhood joy of computers. Working in a myriad of fields from human rights to Hollywood to writing a history of conspiracy belief before pivoting back to technology. Focusing on the relationships within the open source community, Greg works to change and improve the world through his mission-based organization. For those looking to begin their career in cyber, Greg offers that great mentorship and working for great organizations where you can soak in the culture are really important. And, we thank Greg for sharing his story with us.

Guests Fernando Martinez and Tom Hegel from AT&T Alien Labs join Dave to discuss their team's research "Malware using new Ezuri memory loader." Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments. The research can be found here: Malware using new Ezuri memory loader

Goblin Panda might be out and about. Ubiquiti confirms that an extortion attempt was made, but says the attempted attack on data and source code was unsuccessful. The Accellion compromise claims more university victims. It’s National Supply Chain Integrity Awareness Month in the US. BOLO Mr. Korhsunov. Andrea Little Limbago from Interos on supply chain resilience in a time of tectonic geopolitical shifts. Our guest is Paul Nicholson from A10 Networks on their State of DDoS Weapons report. And some down-market phishing attempts. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/63

US Cyber Command and CISA plan to publish an analysis of the malware Holiday Bear used against SolarWinds. The DPRK is again phishing for security researchers. Exchange Server exploitation continues. Stone Panda goes after industrial data in Japan. Human error remains the principal source of cyber risk. A US Executive Order on cyber hygiene and breach disclosure nears the President’s desk. David Dufour from Webroot on the 3 types of hackers and where you’ve seen them recently. Rick Howard checks in with our guest Sharon Rosenman from Cyberbit on SOC Evolution. And gamers? Don’t cheat. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/62

Charming Kitten is back, and interested in medical researchers’ credentials. Russian services appear to have been reading some US State Department emails (it’s thought their access was confined to unclassified systems). Risk management practices and questions about the risks of growing too blasé about “management.” Recognizing the approach of an intelligence officer. Volumetric attacks are up. Joe Carrigan examines a sophisticated Microsoft spoof. Our guest is Donna Grindle from Kardon on updates to the HITECH ACT. More concerns, in India and the US, about Chinese telecom hardware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/61

The US Administration continues to prepare its response to Holiday Bear’s romp through the SolarWinds supply chain. Congress is asking for details on what was compromised in the incident, and why the Department of Homeland Security failed to detect the intrusion. The UN offers some recommendations on norms of conduct in cyberspace. Ben Yelin on a New Jersey Supreme Court ruling that phone passcodes are not protected by 5th amendment. Our guest is Frank Kettenstock from FoxIT on the security of PDF files. Developments in ransomware, including Exchange Server exploitation, credible extortion, and attempts to enlist customers against victims.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/60

German politicians’ emails are under attack, and the GRU is the prime suspect. Australia’s Nine Network was knocked off the air by a cyberattack, and a nation-state operation is suspected. PHP takes steps to protect itself from an attempt to insert a backdoor in its source code. Apple fixes browser engine bugs. FatFace pays the ransom. Project Zero caught a Western counterterror operation. Betsy Carmelite from Booz Allen Hamilton on Zero Trust. Our guest is Tal Zamir of Hysolate on CISA's new ransomware guidelines. And a guilty plea for one, and almost five-hundred indictments for others. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/59

Vice President of Raytheon's Cyber Offense, Defense Experts Teresa Shea speaks of her journey from math to adapting new technologies on the cutting edge, With a love of math, Teresa was offered a scholarship by the Society of Women Engineering and decided to pursue a degree in electrical engineering. Unsurprisingly, there were few other women in her program, Teresa interned with and then proceeded to work for the National Security Agency becoming their SIGINT director. Following her government career, Teresa worked to help bring new technologies to government through her work at Raytheon. We thank Teresa for sharing her story with us.

Guest Sergio Caltagirone from Dragos joins us to take us through their 2020 ICS Cybersecurity Year in Review report. Dragos's annual ICS Year in Review provides an overview and analysis of ICS vulnerabilities, global threat activity targeting industrial environments, and industry trends and observations gathered from customer engagements worldwide. The goal of the report is to give asset owners and operators proactive, actionable information and defensive recommendations in order to prepare for and combat the world’s most significant industrial cybersecurity adversaries. The report can be found here: 2020 ICS CYBERSECURITY YEAR IN REVIEW

Criminal-on-criminal cyber crime. Ransomware hits European and North American businesses. Big Tech goes (virtually) to Capitol Hill to talk disinformation and Section 230. The head or NSA and US Cyber Command discusses election security and cyber defense with the Senate Armed Services Committee. Russia complains of a US assault on Russia’s “civilizational pillars.” Accenture’s Josh Ray shares his thoughts on securing the supply chain. Our guest is Sergio Caltagirone from Dragos on their 2020 ICS/OT Cybersecurity Year in Review. And there appears to be a minor resurgence of hacktivism. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/58

The FBI warns organizations that Mamba ransomware is out and about in a newly evolved form. Facebook takes down a Chinese cyberespionage operation targeting Uyghurs. Huawei joins the Organization of Islamic Cooperation. Slack thinks it might have made a security and privacy misstep. Caleb Barlow from CynergisTek on Healthcare Interoperability. Our guest is Roei Amit from Deep Instinct on their 2020 Cyber Threat Landscape Report. And a look at fleeceware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/57

COVID-themed phishbait has shifted to vaccines. Notes on the ransomware exploiting vulnerable Exchange Servers. Purple Fox gets wormy. Sierra Wireless halts operations to remediate a ransomware incident. Notes on ICS vulnerabilities. More victims of third-party risk. Joe Carrigan looks at SMS security issues. Our guest is Ron Brash from Verve Industrial with takeaways from their 2020 ICS Vulnerabilities report. And what are the cybercriminals thinking? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/56

The CyberWire partners with Recorded Future's threat intelligence podcast and our Dave Bittner is the host. It's a weekly show that comes out each Monday afternoon. We thought you might want to check it out and are adding it to our feed today. We hope you like it and consider subscribing in your favorite podcast app. The COVID-19 global pandemic has, predictably, attracted bad actors intent on using fear and uncertainty as a framework for a variety of actions, from run-of-the-mill money scams to targeting phishing, business email compromise, and even espionage. Recorded Future’s Insikt Group has been following these money trails and correlating them with a spectrum of bad actors around the globe. They recently published their findings in a blog post titled, “Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic.” On today’s episode we’ve got a pair of Insikt Group analysts joining us to share their expertise. Lindsay Kaye is Director of Operational Outcomes and Charity Wright is a Cyber Threat Intelligence Analyst.

Exchange Server patching is going well, they say, but they also say that patching isn’t enough. Crooks are continuing to look for unpatched instances, and even in the patched systems, you’ve got to check to make sure the bad actors have been found and ejected. AFCEA and Shell both disclose being affected by third-party breaches. Citizen Lab sees no particular problem with TikTok. Ben Yelin ponders possible US response to the Microsoft Exchange Server attacks. Our guest is Alex Gizis from Connectify using VPNs to thwart government internet restrictions in Myanmar. And a major manga fan site is down. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/55

Indian authorities warn the country’s transportation sector that it may be a target for cyberespionage. Google’s Project Zero describes an elaborate and expensive campaign that exploited zero-day vulnerabilities. The SilverFish threat group is elaborate, well-resourced, and well-organized. Threat actors are quietly altering mailbox permissions. REvil is back. Some say “yes” to Moscow; others say “nyet.” Dinah Davis from Arctic Wolf on Security Metrics. Our guest is Graeme Bunton from the DNS Abuse Institute. And two Infraud operators are sentenced. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/54

Chief Security Officer of Microsoft Canada Kevin Magee shares his background as a historian and how it applies to his work in cybersecurity. Likening himself to a dashing Indiana Jones, Kevin talks about how he sees history unfolding and the most interesting things right now are happening in security. Spending time tinkering with things in the university's computer room under the stairs gave way to Kevin's love affair with technology. As Chief Security Officer, Kevin says he uses an analogy: "I think we focus on the arrows, not the the archer" meaning there's too much focus on the attacks rather than the ones mounting them. As a historian and witness to our current history, Kevin sees the changes all affecting cybersecurity. We thank Kevin for sharing his story with us.

Guest Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins us to discuss their research into BendyBear. Highly malleable, highly sophisticated and over 10,000 bytes of machine code. The code behavior and features strongly correlate with that of the WaterBear malware family, which has been active since as early as 2009. The malware is associated with the cyber espionage group BlackTech, which many in the broader threat research community have assessed to have ties to the Chinese government, and is believed to be responsible for recent attacks against several East Asian government organizations. Due to the similarities with WaterBear, and the polymorphic nature of the code, Unit 42 named this novel Chinese shellcode “BendyBear.” It stands in a class of its own in terms of being one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an Advanced Persistent Threat (APT). The research can be found here: BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech

Helsinki blames Beijing’s APT31 for cyberespionage against Finland’s parliament. Russia withdraws its ambassador to the US, calling him home for consultation, post the US IC’s report on election influence ops. Risk management for industrial control systems, and especially for an often overlooked part of the power grid. Johannes Ullrich from SANS on Evading Anti-Malware Sandboxes with New CPU Architectures. Our guest is Tony Cole from Attivo on dealing with adversaries already inside your network. A guilty plea in an odd extortion attempt, why China’s wary of Teslas, and the indictment of a hacktivist. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/53

Disinformation about a radiation leak that wasn’t. Another warning about Trickbot. The FBI says cybercrime cost victims more than $4.2 billion last year. Investigation and remediation of the SolarWinds and Exchange Server compromises continue. Crypters become a commodity for malware developers. Robert M. Lee from Dragos on lessons from the recent Texas power outages. Our guest is Bob Shaker from Norton Lifelock looking at baddies targeting online gamers. And some people are looking for jobs in all the wrong places. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/52

The US Intelligence Community has released its report on 2020 foreign election meddling. It found no successful hacking, but a lot of clever influence operations. Ukraine says it stopped a significant Russian cyberespionage campaign. Recovery from the SolarWinds and Exchange Server compromises continues. Joe Carrigan shares thoughts on the Verkada hack. Our guest is Oscar Pedroso from Thimble on getting kids hooked on technology. And no, that celebrity tweeter isn’t really going to send you $2000 for every $1000 you give back to the community. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/51

McAfee describes Operation Diànxùn, a probable Chinese collection effort directed against telecoms and 5G technology. Organizations around the world continue to work to thwart exploitation of Exchange Server vulnerabilities. What’s a webshell, and what can it do? Ben Yelin looks at cell phone data gathered from the US Capitol riot. Our guest is Ross Rustici from ZeroFOX on the evolution of ransomware. And how much does it cost to redirect all your SMS messages to some goon? Said goon needs only sixteen bucks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/50

Microsoft is looking for a possible leak behind the spread of Exchange Server exploits, and hackers piggyback on webshells placed by other threat actors. The US Government continues to mull how to respond to Holiday Bear and Hafnium. Britain’s PM calls for greater offensive cyber capabilities. India looks for ways of countering China in cyberspace. Sky Global executives indicted for alleged racketeering. Accenture’s Josh Ray takes on defending against nation states. Rick Howard aims the hash table at third party cloud security. And what does it cost to be on a do-not-call list? Nothing. Really. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/49

The SolarWinds Orion SUNBURST exploit forced organizations to determine whether and to what extent they’d been compromised. It’s not enough to eject the intruders and their malware from the networks. Affected organizations also need to know what systems and data had been breached, and for how long. The adversary behind SUNBURST is advanced, quietly breaching the perimeter and moving freely to access, steal, or destroy business-critical data, and to disrupt operations. Joining us to share their expertise on the subject are Ryan Olson of Palo Alto Networks' Unit 42, Bill Yurek of Inspired Hacking Solutions, and we close out the show with Matt Cauthorn, from our sponsor ExtraHop, who joins CyberWire-X to discuss the challenges of detecting such advanced threats, and to share insights from behavioral analysis on what the new breed of threat actor is doing inside our networks.

Coming from her love of math, VP of R&D at Arctic Wolf Networks Dinah Davis shares how she arrived in the cybersecurity industry after finding her niche. Dinah recalls how at a time of indecision, a computer course at university and a job with the Canadian government helped to solidify her career direction. Dinah mentions how "security and cryptography specifically was this perfect mix of real world problem solving and mathematics and computer science all combined into one ball of happiness." Networking played a key role in Dinah's journey. She recommends that those interested in joining the field to go for what they believe in. And, we thank Dinah for sharing her story with us.

Guest Dr. Rosario Cammarota from Intel Labs joins us to discuss confidential computing. Confidential computing provides a secure platform for multiple parties to combine, analyze and learn from sensitive data without exposing their data or machine learning algorithms to the other party. This technique goes by several names — multiparty computing, federated learning and privacy-preserving analytics, among them. Confidential computing can enable this type of collaboration while preserving privacy and regulatory compliance. The research and supporting documents can be found here: Intel Labs Day 2020: Confidential Computing Confidential Computing Presentation Slides Demo video

Microsoft warns that ransomware operators are exploiting vulnerable Exchange Servers. Threat actors continue to look for unpatched instances of Exchange Server. Johannes Ullrich joins us with his thoughts on the incident. REvil ransomware hits a range of fresh targets. Concerns are raised about the effects of the SolarWinds compromise on embedded devices. Our guest is Sally Carson from Cisco making the case that good design can save cybersecurity. And an unspecified cyber incident shuts down Coors Molson. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/48

Norway’s parliament is hit with Exchange Server exploitation. CISA and the FBI issue more advice on how to clean up an Exchange Server compromise. CISA hints at more detailed attribution of the SolarWinds compromise “soon,” and US Cyber Command says military networks were successfully defended. Microsoft’s Kevin Magee of exporting cyber talent. Our guest is Hanan Hibshi from Carnegie Mellon University on their picoCTF online hacking competition. Notes on some evolving criminal techniques, an update on the security camera hacktivist incident, and some news you won’t need, but your friends might. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/47

Patch Tuesday was a big one this month. Microsoft Exchange Server remains under active attack in the wild, with new threat actors hopping on the opportunity. Russia denies it had anything to do with the SolarWinds incident and says the kinds of US response that the word on the street tells them are under consideration would be nothing more than international crime. Hacktivists strike a blow against cameras and stuff. Joe Carrigan has thoughts on Google’s plans for third party cookies. Our guest is Kelvin Coleman from the National Cyber Security Alliance (NCSA) on how educators can better protect students’ privacy during distance learning sessions. And police in the low countries sweep up more than a hundred cybercrooks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/46

CISA urges everyone to take the Microsoft Exchange Server vulnerabilities seriously. The SolarWinds compromise is also going to prove difficult to mop up. The US is said to be preparing a response to Holiday Bear’s SolarWinds compromise (some of that response will be visible, but some will not). A plea for more OSINT. Ben Yelin from UMD CHHS ponders face scanning algorithms in the job application process. Our guest is Sam Crowther from Kasada, asking why are we still talking about bots? And dragnets haul in some cybercrooks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/45

Threat actors rush to exploit Exchange Server vulnerabilities before victims get around to patching--it’s like a worldwide fire sale. Rick Howard digs into third party platforms and cloud security. Robert M. Lee from Dragos shares insights on the recent Florida water plant event. The US mulls some form of retaliation against Russia for the SolarWinds supply chain campaign, and it will also need to consider how to respond to China’s operations against Exchange Server. (And another Chinese threat actor may have been exploiting SolarWinds late last year.) For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/44

Army Cyber Institute Technical Director and Chief of Staff Colonel Stephen Hamilton takes us on his computer science journey. Fascinated with computers since the second grade, Stephen chose West Point after high school to study computer science. Following graduation he moved into the signal branch as it most closely matched his interest in ham radio as no branch related directly to computing. He was pulled from the motor pool to help with another area's computing needs and then worked his way to teaching computer science at. West Point and US Cyber Command. Stephen recommends coding it first to help realize the nuances, and then code it again. We thank Stephen for sharing his story with us.

Guest Hossein Jazi of Malwarebytes joins us to take a deep dive into North Korea's APT37 (aka ScarCruft, Reaper and Group123) toolkit. On December 7 2020 the Malwarebytes Labs threat team identified a malicious document uploaded to Virus Total which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago. The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad. Based on the injected payload, the Malwarebytes team believes that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea. The research can be found here: Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

A new second-stage backdoor has been found in a SolarWinds compromise victim. Those exploiting the now-patched Exchange Server zero days seem to have done so to establish a foothold in the targeted systems. India continues to investigate a Chinese cyber threat to its infrastructure. Misconfigured clouds leak mobile app data. A major airline IT provider sustains a cyber attack. Dinah David helps us prevent account takeover attacks. Our guest is Troy Hunt from NordVPN. And criminals hack other criminals. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/43

Indian authorities say October’s Mumbai blackout was “human error,” not cybersabotage. CISA directs US civilian agencies to clean up Microsoft Exchange on-premise vulnerabilities. More effects of the Accellion FTA supply chain compromise. Some trends in social engineering. Andrea Little Limbago brings us up to date on the RSA supply chain sandbox. Our guest is Brittany Allen from Sift on a new Telegram fraud ring. And happy National Slam the Scam Day. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/42

India continues to investigate the possibility of RedEcho cybersabotage of its power distribution system, but says any hack was stopped and contained. Microsoft issues an out-of-band patch against a Chinese-run “Operation Exchange Marauder.” The financial sector works to contain an Ursnif outbreak. CISA issues ICS security advisories. Myanmar and the difficulty of stopping cyber proliferation. Joe Carrigan looks at CNAME cloaking. Our guest is author Neil Daswani from Stanford University’s Advanced Security Certification Program, on his upcoming book Big Breaches - Cybersecurity Lessons for Everyone. And another round in the Crypto Wars seems ready to start. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/41

Indian authorities continue to investigate the possibility that Mumbai’s power grid was hacked last October. Apple’s walled garden’s security can inhibit detection of threats that manage to get inside. An Atlantic Council report recommends international action against access-as-a-service brokers to stall proliferation of cyber offensive tools. Ben Yelin has the story of legislators asking the military why they’re so interested in apps serving Muslims. Our guest is John Grange from OppsCompass with insights on the top cloud security mistakes organizations make. Updates on the SolarWinds incident (including an SEC probe into who knew what when). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/40

Chinese cyber engagement with Indian critical infrastructure is reported: the objective isn’t benign from India’s point of view, but exactly what the objective is, specifically, remains a matter of speculation. The US Governemnt declassifies its report on the murder of Saudi journalist Jamal Khashoggi. The SolarWinds supply chain compromise remains under investigation, with an intern making a special appearance. Maligh search engine optimizations. Rick Howard shares hash table opinions on Google Cloud. Josh Ray from Accenture on Cybercrime and the Cloud. And congratulations to the winner’s of CISA’s President’s Cup. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/39

Head of Product for IBM Security Aarti Borkar shares her journey which included going after her lifelong love of math rather than following in her parents' footsteps in the medical field. In following her passions, Aarti found herself studying computer engineering and computer science, and upon taking a pause from her studies, she found a niche working at IBM in a mix of databases and networking. In her current position, Aarti describes her favorite discussion topics very often involve being around the use of AI for converting security into predictive domains. Aarti reminds us that you should pause and see if you are on the right path. Staying on a path just because you started there can be a bad idea. And, we thank Aarti for sharing her story.

Guest Maurits Lucas from Intel471 joins us to discuss his team's research into cybercrime in China. Data from Intel 471 show that the Chinese cybercrime underground proliferates through use of common methods or platforms, but behaves differently in large part due to the caution that actors take with regard to their identity. While the average citizen must follow the heavy handed nature of the government’s surveillance of cyberspace, Chinese threat actors take special precautions to protect their forums, TTPs and themselves. This leads to the Chinese cybercrime underground being disorderly when compared to others, particularly Russia, which tend to be much more organized. The research can be found here: No pandas, just people: The current state of China’s cybercrime underground

Oxford biology lab hacked. A Zoom impersonation phishing campaign afflicts targets in the EU. Senators disappointed in Amazon’s decision not to appear at this week’s SolarWinds hearing. NSA advocates adopting zero trust principles. CISA issues alerts on industrial control systems. The US Department of Homeland Security describes increases to its cybersecurity grant programs. Dinah Davis examines how healthcare is being targeted by ransomware. Our guest is Michael Hamilton from CI Security on the Public Infrastructure Security Cyber Education System. And NIST’s draft IoT security standards are still open for comment. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/38

FriarFox is a bad browser extension, and it’s interested in Tibet. Ukraine accuses Russia of a software supply chain compromise (maybe Moscow hired Gamaredon to do the work). Egregor hoods who escaped recent Franco-Ukrainian sweeps are thought responsible for DDoS against Kiev security agencies over the weekend. A look at Babuk, a new ransomware-as-a-service entry. VMware servers are patched. Verizon’s Chris Novak looks at the 2021 threat landscape. Our guest is Andrew Hammond from the International Spy Museum. And a US Executive Order on supply chain security. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/37

As more organizations are affected by the Accellion FTA compromise, authorities issue some recommendations for risk mitigation. Ocean Lotus is back, and active against Vietnamese domestic targets. LazyScripter is phishing with COVID and air travel lures. SolarWinds hearings include threat information, exculpation, and calls for more liability protection. Turkey Dog is after bank accounts. Joe Carrigan ponders the ease with which new security flaws are discovered. Rick Howard speaks with our guest Michael Dick from C2A Security on Automotive Security. And some new ICS threat groups are identified. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/36

Ukrainian security services complain of DDoS from Russia. The Accellion compromise is attributed to an extortion gang. Digital Shadow tracks the rise of initial access brokers, new middlemen in the criminal-to-criminal market. A botmaster uses an agile C2 infrastructure to avoid takedowns. IT executives to appear at US Senate hearings on Solorigate. US DHS talks up its cyber strategies. Ben Yelin comments on the latest court ruling on device searches at the border. Rick Howard speaks with Ariel Assaraf from Coralogix on SOAR and SIEM. And don’t be deceived by bogus FedEx and DHL phishbait. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/35

Facebook takes down Myanmar junta’s main page. APT31 clones Equation Group tools. Silver Sparrow’s up to...something or other. Bogus Flash Player update serves fake news and malware. Effects of supply chain compromises spread. Clubhouse’s privacy issues. VC firm breached. CrowdStrike releases its annual threat report. We welcome Josh Ray from Accenture security to our show. Rick Howard examines Google’s cloud services. And a Maryland school concludes its annual cyber challenge. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/34

High Performance Computing Systems Administrator at Brigham Young University Billy Wilson tells his cybersecurity career story translating language skills to technical skills. According to Billy's employer, moving to a technical position at his alma mater occurred because Billy showed this potential and a thirst for learning. He is currently pursuing his master's degree from SANS Technology Institute for Information Security Engineering while working to secure BYU's data for their computationally-intensive research. Billy notes that not everyone has one overarching passion which gives him variety in his work. And, we thank Billy for sharing his story with us.

Guest Bojan Zdrnja of Infigo IS and a certified instructor at SANS Institute shares an incident he discovered where attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. The code that was acquired was only partially recovered, but enough to indicate powerful features that the attackers were (ab)using in Google Chrome. The basis for this attack were malicious extensions that the attacker dropped on the compromised system. The research can be found here: Abusing Google Chrome extension syncing for data exfiltration and CC

Microsoft wraps up its internal investigation of Solorigate, which the US Government continues to grapple with, and which has had some effect in Norway. An apparent Iranian APT has been hosting its command-and-control in two Netherlands data centers. Estonia’s annual intelligence report describes Russian and Chinese ambitions in cyberspace. Threat actors are hard at work against Apple’s new processors. Kevin Magee on the Canadian National Cyber Threat Assessment for 2020. Our guest is Mark Testoni from SAP National Security Services on the Biden administration’s first 100 days. Plus, lessons from the ice, and how hackers became cybercriminals. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/33

Watch out for the WatchDog Monero cryptojacking operation. The US Justice Department describes North Korea as “a criminal syndicate with a flag.” CISA outlines the DPRK malware that figures in the AppleJeus toolkit. The Chair of the US Senate Intelligence Committee asks the FBI and EPA for a report on the Oldsmar water system cybersabotage incident. Egregor takes a hit from French and Ukrainian police. Dinah Davis has advice on getting buy-in from the board. Our guest is Bentsi Ben Atar from Sepio Systems on hardware attacks. And the Netherlands Police advise cybercriminals to just move on. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/32

High Bitcoin valuation draws the attention of cybercriminals, and a number of those criminals work for Mr. Kim, of Pyongyang. Alleged criminals, we should say. Centreon offers an update of its investigation of the Sandworm incident ANSSI uncovered. Reports of the Big Hack are received with caution. Patches applied, pulled, and replaced. Joe Carrigan describes a legal dustup between Proofpoint and Facebook over lookalike domains. Our guest is Sinan Eren from Barracuda Networks on their state of cloud networking report. And Florida’s water system cybersabotage provides a good reminder to stay away from unsupported software. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/30

France finds Sandworm’s trail in a software supply chain. Microsoft is impressed by the amount of effort Russian intelligence services put into the SolarWinds campaign. Pyongyang is reported to have attempted to steal COVID-19 vaccine information. Supermicro reiterates objections to Bloomberg's report on alleged hardware supply chain compromises. Static Kitten is phishing in the UAE. Updates on the Florida water utility cybersabotage. Ben Yelin examines to what degree the FBI can access Signal app messages. Rick Howard gathers the hash table to discuss AWS. And a new executive director arrives at our state cybersecurity association. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/30

In this special edition, our extended conversation with Hank Thomas and Mike Doniger from their new company SCVX. Both experienced investors, their plan is to bring a new funding mechanism known as a SPAC to cyber security which, they say, is new to the space.  February 2021 Update: we revisit the topic with guest Hank Thomas to hear the latest on SPACs.

Co-founder and socio-technical lead at Cygenta, Dr. Jessica Barker, shares her story from childhood career aspirations of becoming a farmer to her accidental pivot to working in cybersecurity. With a PhD in civic design, Jessica looked at the creation of social and civic places until she was approached by a cybersecurity consultancy interested in the human side of cybersecurity. She jumped in and the rest is history. Having experienced some negativity as a woman in cybersecurity, Jessica is a strong proponent of diversity in the field. She suggests that newcomers to the industry follow what interests them and jump in. And, we thank Jessica for sharing her story with us.

Guest Dr. Shreyas Sen, a Perdue University associate professor of electrical and computer engineering, joins us to discuss the following scenario:. Instead of inserting a card or scanning a smartphone to make a payment, what if you could simply touch the machine with your finger? A prototype developed by Purdue University engineers would essentially let your body act as the link between your card or smartphone and the reader or scanner, making it possible for you to transmit information just by touching a surface. The research can be found here: Tech makes it possible to digitally communicate through human touch (press release) BodyWire-HCI: Enabling New Interaction Modalities by Communicating Strictly During Touch Using Electro-Quasistatic Human Body Communication (research paper)

Bloomberg revives its reporting on hardware backdoors on chipsets. Has someone bought the source code for the Witcher and Cyberpunk? CISA issues ICS alerts. The FBI and CISA offer advice about water system cybersabotage as state and local utilities seek to learn from the Oldsmar attack. Verizon’s Chris Novak ponders if you should get your Cybersecurity DIY, managed, or co-managed? Our guest is David Barzilai from Karamba Security on the growing importance of IoT security. And, looking for love on Valentine’s Day? Look carefully...and don’t give that intriguing online stranger money, We know, we know, they seem nice, but still... For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/29

Spyware in the Subcontinent. Some crooks auction stolen game source code while others bilk food delivery services. Emotet survived its takedown. Ransomware developments. The US now has a point person for Solorigate investigation and response. Andrea Little Limbago from Interos on her participation in the National Security Institute at George Mason University. Our guest is Chris Cochran from Hacker Valley Studio with a preview of their Black Excellence in Cyber podcast.And there’s no attribution yet in the Oldsmar, Florida, water system cybersabotage, but it’s increasingly clear that the utility wasn’t a hard target.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/28

What’s North Korea doing with all that money the Lazarus Group steals? Buying atom bombs, apparently. Iran’s Domestic Kitten is scratching at some international surveillance targets. Not everyone who says they’re a Bear really is one. Parking malware in Discord. Notes on Patch Tuesday. Joe Carrigan details a gift card scam that hit a little close to home. Our guest is Saket Modi, CEO of Safe Security with thoughts on quantifying risk. And the latest on the water system cyber sabotage down in Florida. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/27

Florida water treatment plant sustains cyberattack: the hack was successful, the sabotage wasn’t. A new malware strain is associated with Chinese intelligence services. Ben Yelin tracks a surveillance plane who’s funding has fallen. Our guest is Col. Stephen Hamilton from Army Cyber Institute at West Point. And Huawei’s CEO says, sure, he’d take a call from President Biden. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/26

Myanmar blocks data networks. Notes on offensive cyber operations, from present and former Five Eyes officials. SilentFade seems to be back, with more ad fraud. Iranian cyber operators up their surveillance game. Brazil’s big data breach remains under investigation. Company towns may make a return in Nevada. Rick Howard casts his gaze on the AWS cloud. We welcome Dinah Davis from Arctic Wolf as our newest industry partner. And why in the world are hackers interested in other people’s colonoscopies?  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/25

Chief strategy officer and chief security officer for Netskope, Jason Clark, shares his journey as he challenges the status quo and works to expand diversity in cybersecurity. Jason started his career by breaking the mold and heading to the Air Force rather than his family legacy of Army service. Following his military service, he became a CISO for the New York Times at age 26 and kept building from there. Jason advises, "You should always be seeking out jobs you're actually not qualified for. I think that's how you grow. If you know you could do the job, and you've got half the skills, go for it." Jason aspires to a legacy of increasing diversity in the cybersecurity industry and founded a non-profit to do just that. And, we thank Jason for sharing his story with us.

This special edition podcast highlights three women, Priyanka, Ashley and Lauren, who chose to focus their careers in cybersecurity for the mission-based organization Northrop Grumman. Kathleen Smith from ClearedJobs.Net joins us as our panel moderator. The CyberWire's Jennifer Eiben hosts the event. We are excited to share this look into the world of women in cybersecurity.

Guest Joe Slowik joins us from Domain Tools to share their research "Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity" where they examined technical artifacts emerging around the 2020 conflict between Armenia and Azerbaijan in the Caucasus region.  Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes. Based on precedent, analysts can identify developments in adversary operations and technical capabilities by tracking identifiers related to major events and conflict zones. Identifying capabilities deployed to take advantage of such items can yield insights into fundamental attacker tradecraft and behaviors, and enable defense and response for incidents which may strike far closer to home at a later date. The research can be found here: Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity

Lazarus Group seems to have had an IE zero day. Brazilian power utility discloses a ransomware attack on business systems. TrickBot’s back. Automated attacks are going after web applications. Two security firms report breaches. Patching notes. A look at life in the cleared community. Caleb Barlow from CynergisTek with handling disinformation in our runbooks. And Washington and Moscow hold the usual frank discussions--the Americans, at least, talked about cybersecurity. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/24

Hildegard malware is targeting Kubernetes clusters. Remote access flaws found in consumer security devices. A brief update on the spreading software supply chain incidents. Project Zero sees incomplete patches at the root of most successful zero-day attacks. Recruiting a privateer’s crew. The current mood among ransomware victims. We’ll search for the truth about 5G with Rob Lee and Rick Howard. And who’s behind zoom-bombing remote learning? A hint: the kids aren’t alright. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/23

It appears Chinese intelligence services have been exploiting a vulnerability in SolarWinds to steal data from a US Government payroll system. The presumed Russian intrusion into SolarWinds may have been going on for nine months or more. Three new SolarWinds vulnerabilities are disclosed and patched. Amnesty accuses South Sudan of abusing intercept tools. BEC compromise is involved in gift card scams. Joe Carrigan has thoughts on opt-in privacy policies. Our guest is Dale Ludwig from CHERRY on USB attacks and hardware security. And carders steal from other carders. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/22

Myanmar’s junta jams the Internet. Operation NightScout looks like a highly targeted cyberespionage campaign delivered through a compromised supply chain. SonicWall zero day is being actively exploited in the wild. StrangeU and RandomU are filling a niche in the criminal-to-criminal market. Ben Yelin ponders whether the Solarwinds attack can be considered an act of war. Our guest Jamie Brown from Tenable on the National Cyber Director position and what it means for the Biden administration. Another data breach is associated with Accellion FTA. And it’s Groundhog Day, campers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/21

Untangling Solorigate, and distinguishing primary targets from collateral damage (or maybe side benefits, or maybe battlespace preparation). Congress asks NSA for background on an earlier supply chain incident. The Cyberspace Solarium Commission offers the new US Administration some transition advice. Rick Howard hears from the hash table on Microsoft Azure. Andrea Little Limbago from Interos on the intersection of COVID and cyber vulnerabilities. And the week gets off to a rough start for smart Britons. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/20

Founder and CEO of nonprofit Bits N' Bytes Cybersecurity Education and undergraduate student at Stanford University, Kyla Guru shares her journey from GenCyber Camp to becoming a cybersecurity thought leader. Seeing the need. for cybersecurity education in her own community spurred Kyla into action engaging our civilian population in understanding their role in the cybersecurity space. Kyla recommends putting yourself out there: taking courses, getting more knowledge, getting internships, meeting people and going to conferences. Kyla thinks her generation has an inquisitive mind and feels that is where advocacy and education come in with cybersecurity. She shares for any young person "thinking about maybe starting something in security, this is definitely the time to do so." And, we thank Kyla for sharing her story with us.

For 20 years, the cybersecurity practitioner’s goto move when confronted with a new risk or compliance requirement has been to install a technical tool somewhere in the security stack to cover it. Over time, the number of tools that the infosec team has to manage has slowly grown. With the advent of bring-your-own device to the workplace, CIOs choosing SaaS applications to do work that has been traditionally handled in the data center, and organizations rushing to deploy their services into hybrid cloud environments, the number of individual data islands where company material information is routinely stored and must be covered by the security stack has increased. The complexity of this situation is immense. Two strategies have emerged to address this problem. The first is to continue down the path of installing more technical tools in each data island to cover the risk and having the infosec team manually process the telemetry of all the security devices with bigger teams and helper-automation-tools like SOAR platforms and SIEM databases. The second strategy is to choose a security vendor's platform that performs most of the security tasks on all the data islands but now makes the organization reliant on a single point of failure. Joining Rick Howard from the CyberWire's Hash Table's group of experts to consider the matter are Mike Higgins from Haven Health and Greg Notch from the National Hockey League, and later in the show, Rick speaks with Lior Div of Cybereason, who gives their point of view on this debate.

Guest Yonatan Striem-Amit joins us from Cybereason to share their Nocturnus Team research into Kimsuky. The Cybereason Nocturnus Team has been tracking various North Korean threat actors, among them the cyber espionage group known as Kimsuky, (aka: Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to be operating on behalf of the North Korean regime. The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe. The research can be found here: Back to the Future: Inside the Kimsuky KGH Spyware Suite

Lebanon Cedar is quietly back, and running a cyberespionage campaign through vulnerable servers. Social engineering of vulnerability researchers is now attributed to the Lazarus Group. That “SolarWinds” incident is a lot bigger than SolarWinds. Notes on social media and the short squeeze. Verizon’s Chris Novak looks at the changing landscape of ransomware payments. Our guest Professor Brian Gant from Maryville University examines cybersecurity threats of the new U.S. administration. And the GAO thinks the US State Department should use “data and evidence.” For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/19

Updates from CISA on Supernova. US Cyber Command recommends patching Sudo quickly. US and Bulgarian authorities take down the NetWalker ransomware-as-a-service operation. Influencers drive a big short-squeeze in the stock market. Thomas Etheridge from CrowdStrike on Recovering from a ransomware event. Our guest Zack Schuler from Ninjio examines the security challenges of Work From Anywhere. And another influencer is charged with conspiracy to deprive people of their right to vote. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/18

Europol leads an international, public-private, takedown of Emotet. Four security companies describe their brushes with the compromised SolarWinds Orion supply chain. Solorigate is one of the issues US President Biden raised in his first phone call with Russian President Putin. New vulnerabilities and threats described. Our guest Michael Hamilton of CI Security questions how realistic CISA's latest guidance on agency forensics may be. Joe Carrigan looks at bad guys taking advantage of Google Forms. And the Internet is back in business on the US East Coast. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/17

Google reports North Korean social engineering of vulnerability researchers. Anonymous resurfaces, maybe, and tells Malaysia’s government it’s not happy with them. Notes on false credentialism and workforce development from the National Governors Association cyber summit. Kevin Magee from Microsoft Canada on the launch of the Rogers Cybersecurity Catalyst at Ryerson University to support Canadian Cybersecurity Startups. Our guest is James Stanger from CompTIA on their ultimate DDoS guide. And does America need a Cyber Force? Some think so. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/16

Russia’s FSB warns businesses to be on the lookout for American cyberattacks after the White House says it’s reserving its right to respond to the Solorigate cyberespionage campaign. SonicWall investigates an apparent compromise of its systems. Senator asks the US DNI for an explanation of DIA purchases of geolocation data from commercial vendors. OPC issues described. Andrea Little Limbago from Interos on the tech "naughty list" of restricted or sanctioned companies. Rick Howard previews his first principles analysis of Microsoft Azure. And a happy birthday to the word “robot,” now one-hundred years young. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/15

Program Director for Public Policy and External Affairs at the University of Maryland's Center for Health and Homeland Security Ben Yelin shares his journey from political junkie to Fourth Amendment specialist. Several significant life defining political developments like the disputed 2000 election, 9/11, and the Iraqi war occurred during his formative years that shaped Ben's interest in public policy and his desire to pursue a degree in law. An opportunity to be a teaching assistant turned out to be one of those sliding door scenarios that led Ben to where he is now, a lawyer in the academic and consulting worlds specializing in cybersecurity and digital privacy issues. Through his work, Ben hopes to elevate the course of the debate on these very important issues. And, we thank Ben for sharing his story with us.

Guest Mark Arena from Intel471 joins us to discuss his team's research into Trickbot and its evolution from a banking trojan to a long-standing, most likely well-resourced operation that was taken down last year. Mark shares some insight into Trickbot's order of operations and what went on behind the scenes that his team working with Brian Krebs were able to discover. Since the separate and independent actions taken against Trickbot, Intel471 has observed successful disruption of its command and control infrastructure. However, the actors linked to Trickbot have not ceased their criminal activities. These actors have continued engaging in ransomware activity, using BazarLoader instead of Trickbot. Intel471 is unable to assess the long-term impact of the Trickbot disruption activity or whether Trickbot will continue to be used by cybercrime groups. This analysis covers the period from Sept. 22, 2020 until Nov. 6, 2020. The research can be found here: Trickbot down, but is it out?

Twice, it’s maybe an indicator. Once, it’s nuthin’ at all...to the machines. The Reserve Bank of New Zealand works to clean up its data sources. Wormy student laptops. Daily Food Diary is a glutton for your data. Ransom DDoS. Caleb Barlow examines how we handle disinformation in our runbooks and response plans. Our guest Ron Gula from Gula Tech Adventures shares his thoughts on proper public cyber response to the SolarWinds attack. And should we worry about that White House Peloton? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/14

Microsoft researchers detail the lengths to which the Solorigate threat actor went to stay undetected and establish persistence. LuckyBoy malvertising is described. Business email compromise as a reconnaissance technique? More reminders about the risks that accompany remote work. Ben Yelin looks at cyber policy issues facing the Biden administration. Rick Howard speaks with Frank Duff from Mitre on their ATT&CK Evaluation Program. And good riddance to the Joker’s Stash (we hope). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/13

Another security company discloses a brush with the threat actor behind Solorigate. Advice on hardening Microsoft 365 against that same threat actor. Chimera turns out to be interested in airlines as well as semiconductor manufacturing intellectual property. Former President Trump’s last Executive Order addresses foreign exploitation of Infrastructure-as-a-Service products. Joe Carrigan looks at a hardware key vulnerability. Our guest is Chris Eng from Veracode with insights from their State of Software Security report. And investigation of that laptop stolen from the Capitol continues. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/12

The European Medicines Agency says stolen emails about vaccine development were altered before being dumped online. Another backdoor is found associated with the SolarWinds supply chain campaign. DNS cache poisoning vulnerabilities are described. FBI renews warnings about vishing. Iran’s “Enemies of the People” disinformation campaign. Vishing is up. Rick Howard previews his hashtable discussion on Solarigate. Verizon’s Chris Novak looks at cyber espionage. And the FBI makes an arrest in connection with a laptop taken during the Capitol Hill riot. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/11

Dave's got the story of a landlord who may run afoul of the Computer Fraud and Abuse Act, Ben wonders if the big tech CEOs could be held liable for contact tracking apps, and later in the show my conversation with Joseph Cox. He is a Senior Staff Writer at Motherboard and will be discussing his recent article How Big Companies Spy on Your Emails. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.  Links to stories: Apple and Google CEOs should be held responsible for protecting coronavirus tracking data, says GOP Sen. Hawley The twitter thread from Dave's story Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.

Microsoft's Corporate Vice President of Cybersecurity Business Development Ann Johnson brings us on her career journey from aspiring lawyer to cybersecurity executive. After pivoting from studying law, Ann started working with computers and found she had a deep technical aptitude for technology and started earning certifications landing in cybersecurity because she found an interest in PKI. At Microsoft, Ann says she solves some of the hardest problems every day. She recommends getting a mentor and finding your area of expertise. She leaves us with three dimensions she hopes to be her legacy: 1. diversity in more than just gender, 2. bringing a human aspect to the industry, and 3. being empathetic to the user experience. We thank Ann for sharing her story with us.

Guest Selena Larson, senior cyber threat analyst at Dragos, Inc., joins us to discuss their research into recent observations of ICS-targeting threats to manufacturing organizations.  Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME in addition to various ransomware activities capable of disrupting operations.  Manufacturing relies on ICS to scale, function, and ensure consistent quality control and product safety. It provides crucial materials, products, and medicine and is classified as critical infrastructure. Due to the interconnected nature of facilities and operations, an attack on a manufacturing entity can have ripple effects across the supply chain that relies on timely and precise production to support product fulfillment, health and safety, and national security objectives.  Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial related processes and cause disruptive – and potentially destructive – impacts. Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have direct and indirect impact to operations. This report provides a snapshot of the threat landscape as of October 2020 and is expected to change in the future as adversaries and their behaviors evolve.  The research can be found here: ICS Threat Activity on the Rise in Manufacturing Sector

Well-constructed phishing and smishing are reported out of Tehran. Estimates of SolarWinds compromise insurance payouts. Notes from industry on the convergence of criminal and espionage TTPs. Social engineering hooks baited with greed. Ring patches a bug that could have exposed users’ geolocation (and their reports of crime). Advice on cyber best practices from CISA and NSA. Robert M. Lee has thoughts for the incoming Biden administration. Our guest is Sir David Omand, former Director of GCHQ, on his book, How Spies Think: Ten Lessons in Intelligence. And an ethics officer is accused of cyberstalking. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/10

There are other things going on besides Solorigate and deplatforming. There’s news about the SideWinder threat actor and its interest in South Asian cyberespionage targets. Google’s Project Zero describes a complex and expensive criminal effort. CISA discusses threats to cloud users, and offers some security recommendations. A scam-as-a-service affiliate network spreads from Russia to Europe and North America. Awais Rashid looks at shadow security. Our own Rick Howard speaks with Christopher Ahlberg from Recorded Future on Cyber Threat Intelligence. And SolarLeaks looks more like misdirection, Guccifer 2.0-style. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/9

Speculation grows that the Solarigate threat actors were also behind the Mimecast compromise. SolarLeaks says it has the goods taken from FireEye and SolarWinds, but caveat emptor. Notes on Patch Tuesday. Joe Carrigan has thoughts on a WhatsApp ultimatum. Our guest is Andrew Cheung of 01 Communique with an update on quantum computing. And farewell to an infosec good guy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/8

A cyberespionage campaign, so far not attributed to any threat actor, continues to prospect government and industry targets in Colombia. A new bit of malware is found in the SolarWinds backdoor compromise. Mimecast certificates are compromised in another apparent software supply chain incident. Ubiquiti tells users to reset their passwords. A brief Capitol Hill riot update. Bidefender releases a free DarkSide ransomware decryptor. Ben Yelin revisits racial bias in facial recognition software. Our guest is Jessi Marcoff from Privitar on trend toward Chief People Officers. And Europol announces the takedown of the DarkMarket. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/7

Similarities are found between Sunburst backdoor code and malware used by Turla. CISA expands advice on dealing with Solorigate. Courts revert to paper...and USB drives. More members of the US Congress report devices stolen during last week’s riot. Online inspiration for violence seems distributed, not centralized. Caleb Barlow examines protocols for handling inbound intel. Rick Howard looks at Solorigate through the lens of first principles. And platforms as publishers? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/6

Vice President of Security and Support Operations of Alert Logic Tom Gorup shares how his career path led him from tactics learned in Army infantry using machine guns and claymores to cybersecurity replacing the artillery with antivirus and firewalls. Tom built a security automation solution called the Grunt (in recollection of his role in the Army) that automated firewall blocks. He credits his experience in battle-planning for his expertise in applying strategic thinking to work in cybersecurity, noting that communication is key in both scenarios. Tom advises that those looking into a new career shouldn't shy away from failure as failure is just another opportunity to learn. We thank Tom for sharing his story with us.

Deep Instinct's Shimon Oren joins us to talk about his team's research on "Why Emotet's latest wave is harder to catch than ever before - Part 2." Emotet appears to have reemerged more evasive than before, this time with a payload delivered from a loader that security tools aren’t equipped to handle. Emotet, the largest malware botnet today, started in 2014 and continues to be one of the most challenging threats in today’s landscape. This botnet causes huge damage by spreading ransomware and info stealers to its infected systems. Recently, a rise in the number of Emotet infections was observed in France, Japan, and New Zealand. The high number of infections shows the effectiveness of the Emotet malware at staying undetected. Shimon joins us to discuss how Deep Instinct investigated the payload that was encrypted inside the loader, analyzes the next steps in the infection process, and discovers the techniques used to make this malware difficult to analyze. The original blog post and updated post on the research can be found here: Emotet Analysis: Why Emotet’s Latest Wave is Harder to Catch than Ever Before Why Emotet's latest wave is harder to catch than ever before - Part 2

Solorigate and its effect on sensitive corporate information. The DC riots show the cybersecurity consequences of brute physical access to systems. A North Korean APT resurfaces with the RokRat Trojan. Ransomware remains very lucrative, and why? Because people continue to pay up. Thomas Etheridge from CrowdStrike on The Role of Outside Counsel in the IR Process.Our guest is Larry Lunetta from Aruba HPE on how enterprises can bolster security in the era of hybrid work environments. And a criminal hacker gets twelve years in US Federal prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/8

CISA updates its guidance on Solorigate, and issues an alert that the threat actor may have used attack vectors other than the much-discussed SolarWinds backdoor. Some reports suggest that a widely used development tool produced by a Czech firm may have been compromised. The cyberespionage campaign is now known to have extended to the Department of Justice and the US Federal Courts. Robert M. Lee shares lessons learned from a recent power grid incident in Mumbai. Our guest is Yassir Abousselham from Splunk on how attackers find new ways to exploit emerging technologies. Cyber implications of the Capitol Hill riot. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/4

The US Cyber Unified Coordination Group says the Solorigate APT is “likely Russian in origin.” Threat actors are scanning for systems potentially vulnerable to exploitation through a Zyxel backdoor. ElectroRAT targets crypto wallets. Babuk Locker is called the first new ransomware strain of 2021. The New York Stock Exchange re-reconsiders delisting three Chinese telcos. Joe Carrigan from Johns Hopkins joins us with the latest clever exploits from Ben Gurion University. Our guest is Jens Bothe from OTRS Group the importance of the US establishing standardized data privacy regulations. And Julain Assange is denied bail. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/3

More assessments of the Solorigate affair, with an excursus on Pearl Harbor. Shareholders open a class action suit against SolarWinds, but no signs of an enforcement action for speculated insider trading. Emissary Panda seems to be working an APT side hustle. Kevin Magee has insights from the Microsoft Digital Defense Report. Our guest is Jason Passwaters from Intel 471 with a look at the growing range of ransomware as a service offerings. And to-ing and fro-ing on Chinese telecoms at the New York Stock Exchange. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/2

Updates on the spreading consequences of Solorigate, including Microsoft’s disclosure that threat actors gained access to source code repositories. A hard-coded backdoor is found in Zyxel firewalls and VPNs. Kawasaki Heavy Industries says parties unknown accessed sensitive corporate information. Slack has been having troubles today. Andrea Little Limbago from Interos on democracies aligning against global techno-dictators. Our guest is Drew Daniels from Druva with a look at the true value of data. And a British court declines to extradite WikiLeaks’ Julian Assange to the United States. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/1

Vice President of Global Systems Engineering Ellen Sundra shares her career path from life as a college grad who found her niche by creating a training program to a leader in cybersecurity. She realized that training and educating people was her passion. Ellen sees her value in providing soft skills as a natural balance to her technical team at Forescout Technologies. Being a woman in a male-dominated world proved to be a challenge and gaining her confidence to share her unique point of view helped her excel in it. Ellen recommends keeping your eyes open for how your skill set fits into cybersecurity. Find your perspective and really embrace it! We thank Ellen for sharing her story with us.

Researchers at Cisco's Talos Unit recently published research exploring the tactics, technics and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious online ads, along with tips for protecting yourself and your organization. The research can be found here:  https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html

This interview from November 6th, 2020 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with Andy Greenberg on the Sandworm Indictments.

Rick explains the network defender evolution from defense-in-depth in the 1990s, to intrusion kill chains in 2010, to too many security tools and SOAR in 2015, and finally to devsecops somewhere in our future.

Four members of the CyberWire’s Hash Table of experts: Don Welch: Interim CIO of Penn State University Helen Patton: CISO for Ohio State University Bob Turner: CISO for the University of Wisconsin at Madison Kevin Ford: CISO for the State of North Dakota discuss SOC Operations in terms of intrusion kills chains, defensive adversary campaigns, insider threats, cyber threat intelligence, zero trust, SOC automation, and SOC analyst skill sets.

The idea of operations centers has been around as far back as 5,000 B.C. This show covers the history of how we got from general purpose operations centers to the security operations centers today, the limitations of those centers, and what we need to do as a community make them more useful in our infosec program.

This is the fifth episode in a planned series that discusses the development of a general purpose cybersecurity strategy for all network defender practitioners-- be they from the commercial sector, government enterprise, or academic institutions-- using the concept of first principles.

Cyber threat intelligence analyst Selena Larson takes us on her career journey from being a journalist to making the switch to industrial security. As a child who wrote a book about a green goldfish who dealt with bullying, Selena always liked investigating and researching things. Specializing in cybersecurity journalism led to the realization of how closely aligned or similar skills are required from an investigative journalist and a cyber threat intelligence analyst. Our thanks to Selena for sharing her story with us.

Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings. The original research can be found here: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

Dave shares a story of airport penetration testing with high degree of yuck-factor. Joe explores research on protecting passwords from social engineering. The catch-of-the-day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's Security Staff Writer Lily Hay Newman on her article tracking Nigerian email scammers.  Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

Dave has an update on Baltimore’s spyplane, Ben describes concerns over violations by the FBI, CIA, NSA of FISA court rules, and later in the show our conversation with Kim Zetter on her recent article in The Intercept, titled “How Cops Can Secretly Track Your Phone.” It’s all about stingrays and dirtboxes, so stick around for that. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.  Links to stories: Elizabeth Goitein on Twitter In appeals court, Baltimore surveillance plane suit gets a mixed reaction Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.  Thanks to our sponsor, KnowBe4.

Cozy Bear lived up to its reputation for quiet patience. Counting the cost of the SVR cyberespionage campaign. What do intelligence services do with all the data they collect? An Iranian influence campaign sought to foment US post-election violence. Joe Carrigan looks at social engineering aimed at domain registrars. Our guest is John Worrall from ZeroNorth on the importance of security champions. And a last look ahead at 2021.

The US continues to count the cost of the SVR’s successful cyberespionage campaign. Attribution, and why it’s the TTPs and not the org chart that matters. Emotet makes an unhappy holiday return. It seems unlikely that NSA and US Cyber Command will be separated in the immediate future. Big Tech objects, in court, to NSO Group and its Pegasus spyware (or lawful intercept product, depending on whether you’re in the plaintiff’s or the respondent’s corner). Ben Yelin looks at hyper realistic masks designed to thwart facial recognition software. Our guest Neal Dennis from Cyware wonders if there really isn't a cybersecurity skills gap. And a quick look at some more predictions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/245

Cozy Bear’s big sweep through US networks gets bigger, longer, more carefully prepared, and worse in every way. IBM uncovers a big, conventionally criminal “evil mobile emulator farm,” and that’s no good, either. Citizen Lab finds more to complain about with respect to alleged abuse of NSO Group’s Pegasus tools. Awais Rashid from Bristol University on taking a risk-based approach to security. Rick Howard speaks with Cyral CEO Manav Mital on infrastructure as code. And tech executives are worried about Pandas and Bears and Kittens, oh my. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/244

CEO and co-founder of Dragos Robert Lee talks about how he came to cybersecurity through industrial control systems. Growing up with parents in the Air Force, Robert's father tried to steer him away from military service. Still Rob chose to attend the Air Force Academy where he had greater exposure to computers through ICS. Robert finds his interest lies in things that impact the physical world around us. In his work, Dragos focuses on identifying what people are doing bad and helping people understand how to defend against that. Rob describes the possibility of making a jump to control system security from another area recommending you bring something to the table. Rob talks about the world he would like to leave to his son and his hopes for the future. We thank Rob for sharing his story with us.

On August 24, 2020, Snyk announced the discovery of suspicious behaviors in the iOS version of a popular advertising SDK known as Mintegral. At that time, they had confirmed with partners in the advertising attribution space that at minimum, Mintegral appeared to be using this functionality to gather large amounts of data and commit ad attribution fraud. Their research showed that Mintegral was using code obfuscation and method swizzling to modify the functionality of base iOS SDK methods without the application owner’s knowledge. Further, their research proved that Mintegral was logging all HTTP requests including its headers which could even contain authorization tokens or other sensitive data. Since that time Mintegral announced that they were opening the source of their SDK to the market. While the SDK can only be downloaded by registered partners, a major game publisher shared the source code with Snyk for further analysis. They also continued their research by digging deeper into the Android versions of the SDK in which they hadn’t found similar behaviors at the time of the initial disclosure.  This has resulted in some significant discoveries that necessitate an update to the previous disclosure. Additionally, Mintegral and the community at large have responded to the situation, and Snyk felt a summary of the events was a good way to finalize their research into this SDK. Joining us on Research Saturday to discuss their research is Snyk's Alyssa Miller. The original blog and Snyk's update can be found here: SourMint: malicious code, ad fraud, and data leak in iOS SourMint: iOS remote code execution, Android findings, and community response

Cozy Bear’s software supply chain compromise and its massive cyberespionage effort against the US Government and the associated private sector, is still being untangled. But it’s very extensive, very bad, and very tough to remediate. Both CISA and NSA have advice about the incident, and we check in with Robert M. Lee from Dragos for his thoughts. John Pescatore from SANS advocates renewing our focus on information security. Iran may be running a ransomware campaign for influence purposes. The Joker’s Stash criminal souk appears to have taken a hit. And don’t let your guard down during the holidays. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/243

The SolarWinds supply chain compromise may not have been an act of war, but it was certainly a very damaging espionage effort. The FBI, CISA, and ODNI are leading a whole-of-government response to the incident. Three companies have collaborated on a killswitch for the Sunburst backdoor’s initial command and control. HPE discloses a zero day in its SIM software. ODNI will delay its report on Chinese election influence ops. Thomas Etheridge from CrowdStrike on their Services Front Lines report. Our guest is Derek Manky from Fortinet with 2021 threat insights. And, of course, some predictions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/242

SolarWinds breach reportedly affected parts of the Pentagon. Microsoft and partners seize and sinkhole command-and-control domain used by Sunburst malware. The threat actor behind the breach used a novel technique to bypass multi factor authentication at a think tank. Facebook takes down competing inauthentic networks focused on Africa. Joe Carrigan has insights on Amnesia 33. Our guest, Greg Edwards from CryptoStopper, shares his experience getting back online after a Derecho. And the execution of the FCC’s rip-and-replace plan will likely fall to the next US administration. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/241

SolarWinds’ 8-K suggests the possible scope of the Sunburst incident. CISA leads the US Federal post-attack mopping up as more agencies are known to have been affected. How FireEye found the SolarWinds backdoor. GCHQ is looking for possible signs of Sunburst in the UK. Operation Earth Kitsune is attributed to North Korea. Google explains yesterday’s outage. Ben Yelin looks at retail privacy issues. Our guest is Jasson Casey from Beyond Identity on going passwordless. And if you have trouble getting things done while working from home, maybe blame it on the dogs. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/240

FireEye traces its breach to a compromised SolarWinds update to its Orion Platform. CISA issues an Emergency Directive to get control of an attack that is known to have affected at least two Federal Departments. Rick Howard shares lessons from season three of CSO Perspectives. Betsy Carmelite from Booz Allen continues her analysis of their 2021 Cyber Threat Trends Report. And while reports attribute the supply chain attack to Russia’s SVR, Moscow says Cozy Bear didn’t do nuthin’.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/239

For many years, public and private sector cybersecurity experts have warned of a large-scale, massively impactful cyber attack on critical infrastructure (CI). Whether you call it a cyber doomsday, a cyber extinction, or as former Defense Secretary Leon Panetta termed it, a “Cyber Pearl Harbor,” the message is clear: it's not a matter of if, it's a matter of when, and it's not just critical infrastructure that's vulnerable. More recently, experts have started to raise the alarm around not just CI, but other systems as well, notably position, navigation and timing (PNT) services. PNT includes things like GPS devices -- extensions of IT systems which are widely used by both private and public sector organizations, and particularly vulnerable to attack thanks to their open source origins and lack of native security controls.  While there is no magic bullet to solve the cybersecurity challenge, there's growing consensus that an effective strategy is going to require large-scale cooperation and coordination between the public and private sectors. While the government is uniquely equipped to source and promulgate guidelines and standards like the Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series, private sector partners have the expertise to implement these standards across industries. The private sector is also a major driver of innovation in security, making use of sophisticated analytics, AI, and other tools to improve not only native security controls but also hygiene, threat detection, and response. In this episode of Cyberwire-X, guests will discuss the benefits of public/private partnership for cybersecurity, the roles of each, and how the threat of a "Cyber Pearl Harbor" informs the priorities of both. Joining us today are Keith Mularski from EY, Rob Lee from Dragos, and Egon Rinderer from Tanium.

Computational Social Scientist Andrea Little Limbago shares her journey as a social scientist in cybersecurity. Andrea laments that she wishes she'd known there is no straight line between what you think you want to do and then where you end up going. Beginning her career in international relations and courted by the Department of Defense's Joint Warfare Analysis Center while teaching at New York University, Andrea began her work in cybersecurity. Her team was one of the first to start thinking about the intersection of cybersecurity and geopolitics and quantitative modeling. Andrea reminds us there are many paths and skills needed in cybersecurity and hopes she opened some doors for others. We thank Andrea for sharing her story with us.

From US Department of Justice: "On Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.  These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.  Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics. The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name." Returning to Research Saturday this week to discuss their research of NotPetya and Olympic Destroyer are Cisco Talos' Craig Williams and Matt Olney. The indictment and Cisco's research can be found here: Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace New Ransomware Variant "Nyetya" Compromises Systems Worldwide The MeDoc Connection Who Wasn’t Responsible for Olympic Destroyer? Olympic Destroyer Takes Aim At Winter Olympics

Tracking OceanLotus. US advisory warns of cyberthreats active against schools trying to deliver distance learning. Adrozek joins credential harvesting and adware. MountLocker’s criminal affiliate program. The FCC takes action against Chinese companies deemed security risks. Predictions, and holiday advice. Johannes Ullrich from the SANS technology institute wonders what’s in your clipboard? Our guest is Nina Jankowicz from Wilson Center on her new book - How to Lose the Information War - Russia, Fake News, and the Future of Conflict. And internship opportunities at CISA. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/238

Facebook faces a US antitrust suit. Cyberespionage hits the European Medicines Agency, apparently looking for COVID-19 vaccine information. Emissary Panda is out and about. A simple ransomware campaign goes for success through volume. Stolen SQL databases are offered for sale back to their owners. React to the FireEye breach, but don’t over-react. We welcome Kevin McGee from Microsoft Canada to the show. Our guest is Liviu Arsene from Bitdefender with insights Business Threat Landscape report for 2020. Flash nears its end-of-life. Predictions for 2020, and another guilty plea in the Mirai case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/237

Norway calls out the GRU for espionage against the Storting. The SVR (probably) hacks FireEye. Huawei tested recognition software designed to spot Uighurs. 2021 predictions from Avast hold that next year might be the year deepfakes come into their own. CISA issues a long list of industrial control system alerts. Joe Carrigan looks at the iOS zero-click radio proximity vulnerability. Our guest is Matt Drake, director of cyber intelligence at SAIC on what the recents elections can tell us about threat intelligence. And yesterday was Patch Tuesday--do you know where your vulnerabilities are? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/236

AMNESIA:33 vulnerabilities infest the IoT supply chain. Lawful intercept spyware allegedly finds its way from Mexican police into the hands of drug cartels. Finland’s parliament approves exclusion of telecom equipment on security grounds. The US National Defense Authorization Act’s cyber provisions. Online fraud seems to have become a side hustle. Ben Yelin responds to Supreme Court arguments in a Computer Fraud and Abuse Act case. Our guest is Darren Mar-Elia from Semperis on group policy security. And Moscow police are looking for the crooks who hacked secure delivery lockers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/235

NSA warns that Russian state-sponsored actors are actively exploiting patched VMware vulnerabilities in the wild. A CISA alert puts Iran on notice. DeathStalker hired guns are now active in North America. Darknet contraband markets are experiencing the sort of pressure and consolidation legitimate markets undergo. Rick Howard checks in with the hash table on CSO and CISO roles. My continued conversation with Betsy Carmelite from Booz Allen on their 2021 Cyber Threat Trends Report. And a weird shift in North Korean propaganda...is Pyongyang having a Hallmark moment? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/234

Director of Cyber Security Insights at Verve Industrial aka self-proclaimed industrial cybersecurity geek Ron Brash shares his journey through the industrial cybersecurity space. From taking his parents 286s and 386s to task to working for the "OG of industrial cybersecurity," Ron has pushed limits. Starting off in technical testing, racing through university at 2x speed, and taking a detour through neuroscience with machine learning, Ron decided to return to critical infrastructure working with devices that keep the lights on and the water flowing. Ron hopes his work makes an impact and his life is memorable for those he cares about. We thank Ron for sharing his story with us.

While SSL/TLS encryption is the industry standard for protecting data in transit from prying eyes, encryption has, itself, become a threat. It is often leveraged by attackers to sneak malware past security tools that do not fully inspect encrypted traffic. As the percentage of traffic that is encrypted continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels. To better understand the use of encryption and the volume of encrypted traffic that is inspected, Zscaler's research team, ThreatLabZ, analyzed encrypted traffic across the Zscaler cloud for the first nine months of 2020, assessing its use within specific industries. The study also set out to analyze the types of attacks that use encryption and the extent of the current risk.  Returning to Research Saturday this week to discuss the report is Zscaler's CISO and VP of Security Research, Deepen Desai. The research can be found here: 2020: The State of Encrypted Attacks Blog 2020: The State of Encrypted Attacks Report

Predictions for 2021 focus on ransomware: it’ll be better, more aggressive, bigger, and a greater problem in every way. Cyberespionage and the cold chain. Cybercriminal interest in COVID-19 vaccines extends to both theft and fraud. Johannes Ullrich on the .well-known Directory. Our guest is Michael Magrath from OneSpan on what the financial sector needs to consider now that we’re post-election season. And what’s one effect of the pandemic? Dog fraud. Ask the Better Business Bureau. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/233

Chinese intelligence services are prospecting think tanks and prospective members of the next US Administration. Spearphishing the vaccine cold chain. Expect vaccine-themed phishing. After a temporary, pre-US election suppression, TrickBot’s back. Holiday shopping season is bot-season. Consumers are thought likely to get upset about smart device privacy in 2021. Awais Rashid from Bristol University on privacy at scale. Our guest is JP Perez-Etchegoyen from Onapsis on the risk associated with interconnected cloud and SaaS apps. And suppose you’re a cybercriminal...we know, but suppose. What do you tell your sweetie you do for a living? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/232

The Shadow Academy prospects universities in a domain shadowing campaign. Notes on Turla’s Crutch, an information-stealing backdoor. Bismuth was using crytpojacking as misdirection. CISA and the FBI warn think tanks that cyberspies are after them. North Korean cyberespionage is interested in COVID-19 treatments. Our guest is Carey O’Connor Kolaja from AU10TIX on combating fraud in the financial services and payment industry. David Dufour from Webroot has 2021 predictions. And a member of the Apophis Group gets eight years in prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/231

Cryptojacking from Hanoi. Dormant networks rise again, for no easily discernible reason (but it doesn’t look good). A gang is hitting German victims with the Gootkit banking Trojan, and sometimes mixing it up with a REvil ransomware payload. Conti ransomware hits IoT chipmaker. SCOTUS reviews the Computer Fraud and Abuse Act. A few predictions for 2021. Ben Yelin on Congress passing an IoT security bill. Our guest is Stephen Harvey from BitSight, who’s tracking the correlation between companies with strong cybersecurity and financial success. And it may be back to school tomorrow in Baltimore County. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/230

North Korean operators phish a major pharma company. The Bandook backdoor is back, and probably being distributed by mercenaries. A school district cancels classes after a ransomware attack. Man U continues to work on recovering its systems. Former CISA Director says there are no signs of foreign manipulation of US elections. Rick Howard wonders what exactly all those CISOs do. Betsy Carmelite from Booz Allen with insights from their 2021 Cyber Threat Trends Report. And Cyber shopping and the forever sales. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/229

Cybersecurity attorney Camille Stewart shares how her childhood affinity for making contracts pointed to her eventual career as an attorney. Having a computer scientist father contributed to Camille's technical acumen and desire to include technology in her life's work. Camille has worked various facets of cybersecurity law from the private sector, federal government, on the Hill and in the Executive Branch, and now as part of Big Tech as Head of Security Policy and Election Integrity for Google Play and Android where she creates policy geared towards making sure users are safe on their platform and equipped to make informed decisions.. We thank Camille for sharing her story with us.

The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them. This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events. Joining us on this week's Research Saturday from Craig Williams from Cisco's Talos Outreach team to walk us through how current events are used as lures. The research and blog post can be found here:  Adversarial use of current events as lures

Observers see a shift in Russia’s influence tactics, but prank calls are (probably) not among those tactics. An event site suffers a data breach, and warns customers to be alert for spoofing. COVID-19 contact tracing continues to arouse privacy concerns. Joe Carrigan has tips for safe online shopping during the holidays. Our guest is Dmitry Volkov from Group-IB with insights from their latest Hi-Tech Crime Trends report. Ransomware hits another US school district, and social media are being used to intimidate cooperating witnesses. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/228

Mustang Panda goes to church, but not in a good way. Hoods are trying to spoof the FBI with Bureau-themed domains. Dodgy routers and suspect smart doorbells. A quick look at the incoming US Administration, from a cybersecurity point of view. Someone’s allegedly swapping iPads for concealed carry permits--say it ain’t so, Santa Clara County. DHS investigates Windows help desk scammers. Ben Yelin on a Massachusetts ballot initiative involving connected cars. Our guest is Larry Roshfeld from AffirmLogic on the pros and cons of a Treasury Dept advisory that could put companies who facilitate ransomware payments in legal jeopardy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/227

Qbot is dropping Egregor ransomware, and RagnarLocker continues its recent rampage. Cryptocurrency platforms troubled by social engineering at a third party. TrickBot reaches version 100. Stuffed credentials exposed in the cloud. COVID-19 practices may endure beyond the pandemic. Advice for safer online shopping over the course of the week. Malek Ben Salem from Accenture Labs has methods for preserving privacy when using machine learning. Rick Howard digs deeper into SOAR. And someone’s hacking a Premier League side. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/226

Founder and CEO of Immersive Labs James Hadley takes us through his career path from university to cybersecurity startup. James tells us about his first computer and how he liked to push it to its limits and then some. He joined GCHQ after college and consulted across government departments. Teaching in GCHQ's cyber summer school was where James felt a shift in his career. As a company founder, he shares that he is very driven, very fast and also very caring. James offers advice to those looking to get into the industry recommending they chase what interests them rather than certifications. We thank James for sharing his story with us.

Identity and access are intrinsically connected when providing security to cloud platforms. But security is only effective when environments are properly configured and maintained. In the 2H 2020 edition of the biannual Unit 42 Cloud Threat Report, researchers conducted Red Team exercises, scanned public cloud data and pulled proprietary Palo Alto Networks data to explore the threat landscape of identity and access management (IAM) and identify where organizations can improve their IAM configurations. During a Red Team exercise, Unit 42 researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer’s entire Amazon Web Services (AWS) cloud environment – a potentially multi-million dollar data breach in the real-world. These examples highlight just how serious the failure to secure IAM can be for an organization. Joining us in this week's Research Saturday to discuss the report for Palo Alto Networks' Unit 42 is CSO of Public Cloud, Matt Chiodi. The research can be found here: Highlights from the Unit 42 Cloud Threat Report, 2H 2020

Her Majesty’s Government discloses the existence of a National Cyber Force. Hanoi tells Facebook to crack down on posts critical of Vietnam’s government. Chinese cyberespionage campaign targets Japanese companies. Egregor ransomware prints its extortion notes in hard copy. SEO poisoning with bad reviews. Mike Benjamin from Lumen on credential stuffing and password spraying. Our guest is Mark Forman from SAIC with a look at government agencies' COVID-19 response. And CISA may have a permanent director inbound. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/225

Ghosts in the virtual machines. Cloudbursts in the forecast. The US Intelligence Community is preparing a report on foreign election interference. CISA has a new interim director. A view of the threat landscape from Canada. Caleb Barlow from Cynergistek on reclassifying the internet as critical infrastructure. Our guests are Shai Cohen and Brooke Snelling from TransUnion on building trust in a digital consumer landscape. And a look into the near future. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/224

FunnyDream? No, it’s real: a cyberespionage crew operating against Southeast Asian governments. President Trump fires US CISA Director Krebs. Twitter and Facebook CEOs testify before the Senate as legislators consider Section 230. The extradition hearing for Huawei’s CFO continues in Vancouver. Joe Carrigan looks at fleeceware on the Google Play store. Rick Howard speaks with Tenable’s Steve Vintz on communication between C-Suites and security teams. And the most common passwords in 2020 are now out, and “password” only comes in at Number 4. We’re not sure that really represents progress, because wait ‘til you hear Number 1. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/223

Hidden Cobra inserts Lazarus malware into security management chains. Malsmoke malvertizing doesn’t need exploit kits, anymore. Ransomware operators shift toward social engineering as the ransomware-as-a-service criminal market flourishes. Draft EU data transfer regulations implement the Schrems II decision. Robert M. Lee from Dragos shares a little love for the lesser-known areas of ICS security. Our guest is Greg Smith from CAMI with insights on promoting cyber capabilities at the state level. And the next thing in disinformation? No surprises here: it’s COVID-19 vaccines. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/222

Nation-states continue to probe COVID-19 vaccine researchers. The Global Commission on the Stability of Cyberspace proposes international norms for promoting stability in cyberspace. DarkSide ransomware-as-a-service operators sweeten their offer with storage options. TroubleGrabber is stealing credentials via Discord. SAD DNS code pulled from GitHub. Betsy Carmelite from Booz Allen with a forward-looking view of 5G. Rick Howard takes a look at SOAR. Many patches remain unapplied, and CMMS wants US Defense contractors to move toward positive security.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/221

Americas Security R&D Lead for Accenture Malek Ben Salem shares how she pivoted from her love of math and background in electrical engineering to a career in cybersecurity R&D. Malek talks about her interest in astrophysics as a young girl, and how her affinity for math and taking on challenges lead her to a degree in electrical engineering. She grew her career using math for data mining and forecasting eventually pursuing a masters and PhD in computer science where she shifted her focus to cybersecurity. Malek now develops and applies new AI techniques to solve security problems at Accenture. We thank Malek for sharing her story with us.

In the late 90s, hackers who discovered vulnerabilities would sometimes send an email to Bugtraq with details. Bugtraq was a notification system used by people with an interest in network security. It was also a place that might have been monitored by employees of software companies looking for reports of vulnerabilities pertaining to their software. The problem was - there wasn't an easy way to track specific vulnerabilities in specific products.  It was May 1999. Larry Cashdollar was working as a system administrator for Bath Iron Works under contract by Computer Sciences Corporation. Specifically, he was a UNIX Systems Administrator, level one. His team managed over 3,000 UNIX systems across BIW's campuses. Most of these were CAD systems used for designing AEGIS class destroyers. This position gave me access to over 3,000 various flavors of UNIX ranging from Sun Solaris to IBM AIX. Joining us in this week's Research Saturday to discuss his journey from finding that first CVE through the next 20 years and hundreds of CVEs is Akamai Senior Response Engineer Larry Cashdollar. The research can be found here:  MUSIC TO HACK TO: MY FIRST CVE AND 20 YEARS OF VULNERABILITY RESEARCH

CISA says US elections were secure, that recounts are to be expected in tight races. (But election-themed malspam continues, of course.) A news platform is flagged as a GRU front. A new ransomware strain takes payment through an Iranian Bitcoin exchange. The Jupyter information-stealer is out and active. David Dufour on detecting deepfakes and misinformation. Dr. Jessica Barker on her new book Confident Cyber Security - How to Get Started in Cyber Security and Futureproof Your Career. And PlunderVolt is a $30 proof-of-concept. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/220

BlackBerry tracks a mercenary group providing cyberespionage services. A rundown from Dragos on threat actors engaging with industrial targets. An Iot botnet is active in the cloud. A research team offers a new proof-of-concept for DNS cache poisoning, and another group of researchers demonstrates a novel power side-channel attack. Patch Tuesday notes. Joe Carrigan wonders if you’re likely to get your money’s worth when paying baddies. Our guest is Michael Daniel from the CTA on the merging fields of cybersecurity and information operations. And a pro-tip: you do know that they can usually see you on Zoom, right? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/219

As we are not publishing in observance of Veterans Day, we thought you might like to check out a couple of episodes of our weekly Word Notes short form podcast that comes out on Tuesdays. Check it out and subscribe today! Technology, software and hardware deployed without explicit organizational approval. In the early days of the computer era from the 1980s through the 2000s security and information system practitioners considered shadow IT as completely negative. Those unauthorized systems were nothing more than a hindrance that created more technical debt in organizations that were already swimming in it with the known and authorized systems.

As we are not publishing in observance of Veterans Day, we thought you might like to check out a couple of episodes of our weekly Word Notes short form podcast that comes out on Tuesdays. Check it out and subscribe today! From the intrusion kill chain model, a program that provides command and control services for an attack campaign. While the first ever deployed RAT is unknown, one early example is Back Orifice made famous by the notorious hacktivist group called “The Cult of the Dead Cow,” or cDc, Back Orifice was written by the hacker, Sir Dystic AKA Josh Bookbinder and released to the public at DEFCON in 1998.

Criminals get the news like everyone else, and online crime continues to follow current events. It’s up, it’s down, it’s up again--forget it: it’s TrickBot. A cyber incident affects computer maker Compal. Zoom settles an FTC complaint. Price check in the criminal markets. Ben Yelin on a Canadian shopping mall's collection of over 5 million shopper's images. Our guest is Ben Brook from Transcend with best practices in privacy and data protections.And spare a thought for a veteran tomorrow. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/218

Alerts and guidelines on securing the software supply chain (and the hardware supply chain, too). OceanLotus is back with its watering holes. Two significant breaches are disclosed. Malek Ben Salem from Accenture Labs explains privacy attacks on machine learning. Rick Howard brings the Hash Table in on containers. And, hey, we hear there’s weird stuff out there about vaccines, but GCHQ is on the case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/217

CEO and consultant Richard Clarke took his inspiration from President John F Kennedy and turned it into the first cybersecurity position in federal government. Determined to help change the mindset of war, Richard went to work for the Department of Defense at the Pentagon following college during the Vietnam War. From Assistant Secretary of the State Department, he moved to the White House to work for President George W. Bush's administration where he kept an eye on Al-Qaeda and was tasked to take on cybersecurity. Lacking any books or courses to give him a basic understanding of cybersecurity, Richard made it his mission to raise the level of cybersecurity knowledge. Currently as Chairman and CEO at Good Harbor Security Risk Management, Richard advises CISOs. We thank Richard for sharing his story with us.

Cisco Talos discovered PoetRAT earlier this year. Since then, they observed multiple new campaigns indicating a change in the actor's capabilities and showing their maturity toward better operational security. They assess with medium confidence this actor continues to use spear-phishing attacks to lure a user to download a malicious document from temporary hosting providers. They currently believe the malware comes from malicious URLs included in the email, resulting in the user clicking and downloading a malicious document. These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sites on a particular victim. As the geopolitical tensions grow in Azerbaijan with neighboring countries, this is no doubt a stage of espionage with national security implications being deployed by a malicious actor with a specific interest in various Azerbajiani government departments. Joining us in this week's Research Saturday to discuss the research from Cisco's Talos Outreach is Craig Williams. The research can be found here:  PoetRAT: Malware targeting public and private sector in Azerbaijan evolves

The US Justice Department takes down twenty-seven domains being used by Iran’s Islamic Revolutionary Guard Corps. Booz Allen offers its take on the 2021 threatscape. Russia declares itself innocent of bad behavior in cyberspace, but many remain skeptical. Johannes Ullrich from SANS looks at Supply Chain Risks and Managed Service Providers. Our own Rick Howard speaks with Wired’s Andy Greenberg about the recent Sandworm indictments. Silk Road’s mission billion dollars appear to have been found, and the US Government is working on a forfeiture action. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/216

CISA declares a modest but satisfying victory for election security, but cautions that it’s not over yet. Criminal gangs are using election-themed phishbait in malspam campaigns. A new strain of ransomware attacks virtual machines. Robert M. Lee from Dragos on the impact climate change could have on ICS security. Our guest is Kelly White of RiskRecon on healthcare organizations managing risk across extensive third party relationships. And if you wondered if the criminals who offered to securely destroy the data they stole if the victims paid the ransom, well, signs point to “no.” For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/215

Election security, hunting forward, rumor control, and the value of preparation. Maze may be gone (so its proprietors say) but its affiliate market has moved on to Egregor ransomware-as-a-service. An illicit forum has leaked large repositories of personal information online. Joe Carrigan shares thoughts on hospital systems getting hit by ransomware. Our guest is Alan Radford from One Identity who wonders whether robots should have identities. And two more ex-eBayers are indicted in the Massachusetts cyberstalking case.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/214

Notes on Election Day security, from CISA. The Maze gang finally releases its press release announcing that it’s going out of business. Mr. Snowden applies for dual Russian-American citizenship. Ben Yelin shares his thoughts on Mark Zuckerberg’s recent Senate testimony. Our guest is Karlo Zanki from Reversing Labs on Hidden Cobra. And a botmaster gets eight years after copping a US Federal guilty plea to conspiracy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/213

Another look at Pyongyang’s Kimsuky campaign. Phishing with bogus Google Docs. How Tehran got its hands on voter information. Rick Howard looks at containers and serverless functions. Malek Ben Salem shares the results of Accenture’s 2020 Cyber Threatscape report. And looking ahead to the election influence endgame. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/212

Communications consultant and podcaster Carole Theriault always loved radio and through her career dabbled in many areas .She landed in a communications and podcasting role where she helps technical firms create audio and digital content. In fact, Carole is the CyberWire's UK Correspondent. She says cybersecurity is good place to go because of the many different avenues available and "you don't even have to be a tech head" (though Carole has quite a technical pedigree). Our thanks to Carole for sharing her story with us.

On this Special Edition, our extended conversation with author and New York Times national security correspondent David E. Sanger. The Perfect Weapon explores the rise of cyber conflict as the primary way nations now compete with and sabotage one another. ‌

The U.S. government has charged seven men in relation to hundreds of cyber attacks against organizations in the U.S. and multiple other countries in Asia and Europe. Two of the men, who were based in Malaysia, were arrested and their extradition to the U.S. has been requested. The other five are based in China and remain at large. The attacks were attributed to a China-linked organization dubbed APT41 and involved a combination of intellectual property theft and financially motivated cyber crime. While some of our peers monitor APT41 as a single operation, Symantec regards it as two distinct actors: Grayfly and Blackfly. Joining us in this week's Research Saturday to discuss the research from Symantec's Threat Hunter Team is Jon DiMaggio. The research can be found here:  APT41: Indictments Put Chinese Espionage Group in the Spotlight

Ransomware becomes endemic in the healthcare sector. Cyber metaphors--we read a good one this morning. Does your cyber insurance indemnify you against state-sponsored attacks? More guilty pleas in the ex-eBayers’ cyberstalking case. US Cyber Command and others advise everyone not to see foreign election meddling where it isn’t. David Defour looks at the spookiest malware of 2020. Our guest is Travis Leblanc from Cooley on the European court Invalidating the EU-US Privacy Shield. And what do we make of National Cybersecurity Awareness Month as it recedes into our collective rearview mirror? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/211

Some familiar threat actors--both nation-states and criminal gangs--return to the news: Venomous Bear, Charming Kitten, Wizard Spider, and Maze. Mike Benjamin from Lumen looks at the Mozi malware family. Our guest is Neal Dennis from Cyware on why it's time for organizations to step up their data sharing. And Big Tech’s day on Capitol Hill involved more discussion of censorship and bias than it did Section 230 of the Communications Decency Act. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/210

US authorities warn that North Korea’s Kimsuky APT is out and about and bent on espionage, with a little cryptojacking on the side. As the US elections enter their endgame, observers point out that the appearance of hacking can be just as effective for foreign influence operations as the reality. CISA continues to tweet rumor control and election reassurance. Joe Carirgan share developments in end-to-end encryption. Our guest is Bilyana Lilly from RAND on Russia’s strategic messaging on social media (and the disinformation that may be a part of it). Big Tech returns to Capitol Hill. And another guilty plea in the strange case of eBay-related cyberstalking. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/209

EI-ISAC reports a curious election-related phishing campaign, widespread, but indifferently coordinated and without an obvious motive. Nitro discloses a “low impact security incident.” A breach at a law firm affects current and former Googlers. Finnish psychological clinic Vastaamo dismisses its CEO for not disclosing a breach promptly. Ben Yelin looks at a controversial White House to divvy up 5G spectrum. Carole Theriault shares results from Panaseer’s 2020 GRC Peer Report. And a terrorist murder finds support online. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/208

The US Treasury Department sanctions a Russian research institute for its role in the Triton/Trisis ICS malware attacks. Coordinated inauthenticity with a commercial as well as a political purpose. The Clean Network project gains ground in Central and Eastern Europe. Rob Lee from Dragos on insights on the recent DOJ indictments of Russians allegedly responsible for the Sandworm campaign. Rick Howard explores SD-WANs. Data breaches afflict a large Finnish psychiatric institute. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/207

Associate Professor of Computer Information Systems at the University of Tulsa Sal Aurigemma shares how his interest in how things worked shaped his career path in nuclear power and computers, Being introduced to computers in high school and learning about the Chernobyl event led Sal to study nuclear engineering followed by time in the Navy as a submarine officer. On the submarine, Sal had to understand how systems worked from soup to nuts and that let him back to IT. As a computer engineer, Sal spent a lot of time on network troubleshooting and was eventually introduced to cybersecurity. Following 9/11, cybersecurity took on greater importance. Sal's research focuses on behavioral cybersecurity. To newcomers, he suggests heading into things with an open mind and doesn't recommend giving users 24-character passwords that have two upper, two lower, and two special characters that cannot be written down. We thank Sal for sharing his story with us.

Ben-Gurion University researchers have developed a new artificial intelligence technique that will protect medical devices from malicious operating instructions in a cyberattack as well as other human and system errors. Complex medical devices such as CT (computed tomography), MRI (magnetic resonance imaging) and ultrasound machines are controlled by instructions sent from a host PC. Abnormal or anomalous instructions introduce many potentially harmful threats to patients, such as radiation overexposure, manipulation of device components or functional manipulation of medical images. Threats can occur due to cyberattacks, human errors such as a technician's configuration mistake or host PC software bugs. As part of his Ph.D. research, Tom Mahler has developed a technique using artificial intelligence that analyzes the instructions sent from the PC to the physical components using a new architecture for the detection of anomalous instructions. Joining us in this week's Research Saturday to discuss his research is CBG - Cyber@Ben Gurion University's Tom Mahler. The research can be found here:  A Dual-Layer Architecture for the Protection of Medical Devices from Anomalous Instructions

Under show notes you can put: This interview from October 23rd, 2020 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with David Sanger on his new HBO documentary on his book “The Perfect Weapon”

Energetic Bear is back, and maybe getting ready to go berserk in a network near you, Mr. and Mrs. United States. Someone’s selling publicly available voter and consumer information on the dark web. Sanctions against the GRU for the Bundestag hack. The US sanctions Qods Force and associated organizations for disinformation efforts. Johannes Ullrich has tips for preventing burnout. Our Rick Howard speaks with author David Sanger about his new HBO documentary The Perfect Weapon. How Iran was caught in the emailed voter threat campaign. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/205

Emailed election threats to US voters are identified as an Iranian influence operation, disruptive, and so more in the Russian style. Both Iran and Russia appear to be preparing direct marketing influence campaigns. Cyber criminals are also exploiting US election news as phishbait. Seedworm is said to be ‘retooling.” Caleb Barlow from Cynergistek on contact tracing and privacy as students head back to school. Our guest is Jadee Hanson from Code 42 on juggling priorities and protecting her organization as external and internal threats constantly take aim. And TASS deplores the “blatant Russophobia” of recent Five Eyes’ official remarks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/205

TrickBot came back, but so did its nemesis from Redmond--Microsoft and its partners have taken down most of the new infrastructure the gang reestablished. CISA publishes election rumor control. The Cyberspace Solarium Commission has a white paper on supply chain security. Japan says it will take steps to secure next summer’s Olympics. Joe Carrigan takes issue with Twitter and Facebook limiting the spread of published news stories. Our guest is Carolyn Crandall from Attivo with a look at the market for cyber deception tools. And a familiar name exits the industry. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/204

America’s NSA reviews twenty-five vulnerabilities under active exploitation by Chinese intelligence services. The UK’s NCSC accuses the GRU of more international cyberattacks. The US Justice Department brings its long-expected anti-trust suit against Google. Ben Yelin examines overly invasive company Zoom policies. Our guest is Jessica Gulick from Katczy with a visit to the Cyber Carnival Games. And a warning on “abandonware.” For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/203

Updates on influence ops and campaign hacking show that the opposition has its troubles, too. TrickBot operators seem to have returned to business. Schools’ remote learning programs are providing attractive targets for cybercriminals. Iranian news outlets say ports were the targets of last week’s cyberattacks. David Dufour explains how phishing campaigns capitalized on a global crisis. And Charlie Tibor says, “hello world” (we paraphrase). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/202

Senior VP of Cyber Operations at KnowBe4, Rosa Smothers, talks about her career as an early cybersecurity professional in what she describes as the Wild, Wild West to her path through government intelligence work. Rosa shares how she always knew she wanted to be involved with computers and how being a big Star Trek nerd and fan particularly of Spock and Uhura helped shape her direction. Following 9/11, Rosa wanted to work for the government and pursue the bad guys and she did just that completing her bachelor's degree and starting in the Defense Intelligence Agency as a cyber threat analyst focusing on extremist groups. She joined the CIA and worked on things you see in the movies, things that are science fictionesque. Rosa recommends talking with people to get your feet wet to find your passion. We thank Rosa for sharing her story with us.

Bitdefender researchers recently uncovered a sophisticated APT-style attack targeting an international architectural and video production company. The attack shows signs of industrial espionage, similar to another of Bitdefender’s recent investigations of the StrongPity APT group. The real-estate industry is highly competitive, and information exfiltrated by APT mercenary group can give negotiation advantages to other players in high-profile real-estate contracts. While APT groups traditionally could only be afforded by governments or were financially motivated purely out of self-interest, they recently appear to have become a commodity. Joining us in this week's Research Saturday to discuss the research is Global Cybersecurity Researcher Liviu Arsene from Bitdefender. The research can be found here:  APT Hackers for Hire Used for Industrial Espionage

Phishing through redirector domains. Content moderation, influence operations, and Section 230. A Twitter outage is due to an error, not an attack. QQAAZZ money-laundering gang members indicted. Johannes Ullrich tracks Mirai Bots going after Amanda backups. Our guest is Richard Hummel from Netscout with research on cybersecurity trends and forecasts. And some ruminations about range safety for cyber exercises.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/201

Tehran says this week’s cyberattacks are under investigation. Silent Librarian returns to campus for academic year 2020-2021. Crooks are posing as nation-state hackers. Domestic disinformation reported in Guinea and Ghana. Disinformation, content moderation, and the difficulties presented by both. US Cyber Command’s forward engagement campaign. Mike Benjamin from Lumen on how bad actors reuse infrastructure. Our guest is Ralph Sita from Cybrary with a look at their "Skills Gap" research report. And an extended meditation on the Scunthorpe Problem. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/200

Reports of cyberattacks against Iranian government and, possibly, economic targets, are circulating, but details are sparse. Norway accuses Russia of hacking parliamentary emails. A cybercriminal gang’s secret is volume. A social engineering campaign singles out victims with US IP addresses. Joe Carrigan on a million dollar REvil recruitment offer. Our guest is Paul Nicholson from A10 Networks with a look at the "State of DDoS Weapons". And the US Treasury Department warns banks to be on the lookout for signs of unemployment fraud. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/199

Trickbot gets hit by both US Cyber Command and an industry team led by Microsoft. CISA and the FBI warn that an unnamed threat actor is chaining vulnerabilities, including Zerologon, to gain access to infrastructure and government targets. Ben Yelin shares his thoughts on the US House’s report on monopoly status for some of tech's biggest players. Our guest is David Higgins from CyberArk on how work from home has put a light on privilege access security. And the Five Eyes plus two call for legal access to encrypted communications. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/198

Ben describes a decades-long global espionage campaign alleged to have been carried out by the CIA and NSA, Dave shares a story about the feds using cell phone location data for immigration enforcement, and later in the show our conversation with Drew Harwell from the Washington Post on his article on how Colleges are turning students’ phones into surveillance machines. Links to stories: ‘The intelligence coup of the century’ RIGGING THE GAME Spy sting Federal Agencies Use Cellphone Location Data for Immigration Enforcement Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.

Investigative journalist and author Geoff White talks about tracing a line through the dots of his career covering technology. Geoff shares that he has always been "quite geeky," but came to covering technology after several roles in the journalism industry. Newspapers, magazines and television were all media Geoff worked in before covering technology. Geoff got into journalism not due to the glamour sometimes associated with it, but because he wanted to fight for the public to cover stories that helped those who didn't have massive amounts of money, power or a huge lobbying campaign in political circles. When writing his book, Crime Dot Com, Geoff reflected on the cybercrime and cybersecurity stories he's covered and saw how things started falling into place. Our thanks to Geoff for sharing his story with us.

Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a mere kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use either unikernels, lightweight VMs or userspace-kernels to separate the host OS from the container's OS. One of these solutions is Kata Containers, a container runtime that spawns each container inside a lightweight VM, and can function as the underlying runtime in Docker and Kubernetes. Kata's virtualized containers provide two layers of isolation: even if an attacker breaks out of the container, he is still confined to the microVM. Joining us in this week's Research Saturday to discuss the research is Yuval Avrahami from Palo Alto Networks Unit 42. The research presented at Black Hat USA 2020 can be found here:  Escaping Virtualized Containers

A Parliamentary committee issues a scathing report on Huawei’s connection to the Chinese government and the Communist Party of China. Facebook takes down coordinated inauthenticity with a domestic focus in four countries. Twitter goes after influence operators in four other countries. Betsy Carmelite addresses threats to telehealth platforms. Our guests are the FBI’s Herb Stapleton and the US Secret Service’s Greg McAleer new multi-agency mission center to tackle the highest priority cyber criminal threats facing the US. And two of the former eBayers charged in a cyber-stalking case have taken their expected guilty pleas. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/197

Add the Bahamut cyber mercenaries to the shadow armies for hire in cyberspace. Reports associate the SlothfulMedia RAT with Chinese intelligence services, and claim that it’s being used against India and China. The US takes down domains the Islamic Revolutionary Guard Corps uses to push disinformation. Trends in phishbait. Caleb Barlow rethinks a TED talk he gave a while back, given what we’ve learned from COVID-19. Our guest is Dr. Greg Rattray from Next Peak on 'Advanced Persistent Threats' a term, by the way, that he coined. And Moscow says, hey, we don’t meddle in anyone’s elections. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/196

Cyber ops accompany fighting in the Caucasus. Iranian threat group exploits Zerologon in the wild. The Kraken gets unleashed in Southeast Asia, of all places. Emotet is back, and it’s after state and local governments. The US House identifies the Four Horsemen of Silicon Valley. Monero gains criminal market share. The US Comptroller of the Currency moves for clarity in alt-coin regulation. Joe Carrigan takes a look at ransomware trends. Our guest is Mathew Newfield from Unisys with remote school safety tips for students and parents. And a cyberattack from Waikiki. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/195

Spyware version of Mirai detected in the wild. The People’s Liberation Army is told, by its government, to lighten up on US election stories. Centripetal wins a major patent lawsuit. Excel is not a big data tool. John McAfee is arrested on US tax charges. Our guest is Roger Barranco from Akamai on tracking increased DDoS attacks. Ben Yelin on a case involving warrants for Wifi location data. And an aid to chastity is found to be hackable, but at least it errs on the side of continence. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/194

Attacks on maritime shipping organizations raise concerns about global supply chains. Someone’s pushing spyware through the firmware. Someone else is messing with the heads of Trickbot’s masters. A new ransomware strain, Egregor, shows again that a ransomware attack amounts to a data breach. Huawei may be losing ground in Europe. Mike Benjamin from Lumen on DDoS ransoms. Scott Algeier from IT-ISAC looks back on 20 years of information sharing. And criminals give their fingerprints to police, virtually. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/193

Commandant for the National Security Agency's National Cryptologic School Diane M. Janosek shares the story of her career going global Diane explains how she's always been drawn to doing things that could help and raise the nation. From a position as a law clerk during law school, to the role of a judicial clerk, and joining the White House Counsel's office, Diane was exposed to many things and felt she experienced the full circle. Moving on to the Pentagon and finally, the NSA, Diane transitioned into her current role where she orchestrates the educational environment for military and civilian cyber and cryptologists worldwide for the nation. Diane encourages those who love to learn to join the multidisciplinary cybersecurity field. Our thanks to Diane for sharing her story with us.

Threat actors and cybercriminals that don’t have the ability to develop their own ransomware for malicious campaigns can turn to the Smaug Ransomware as a Service (RaaS) offering, which is available via a Dark Web Onion site. At least two threat actors are operating the site, providing ransomware that can be used to target Windows, macOS, and Linux machines. The site is built with ease of use in mind. To launch an attack, threat actors simply need to sign up, create a campaign, and then start distributing the malware. The site also handles decryption key purchasing and tracking for victims. Joining us in this week's Research Saturday to discuss the research is Anomali's Joakim Kennedy and Rory Gould. The research can be found here:  Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service

SlothfulMedia is the new RAT in town. Emotet spam counts on political commitments. ESET describes two distinct spyware campaigns in the Middle East and Eastern Europe. Hackers are paying more attention than usual to the maritime sector. Awais Rashid from the University of Bristol on privacy concerns of contact tracing apps. Our guest is Krystle Portocarrero from Juniper Networks on the continued rise of encryption and the technical and privacy challenges that come with it. And the US Treasury Department cautions all that paying up in a ransomware attack might land you in sanctions hot water. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/192

Two ransomware incidents now seem worse than originally believed. Hacking hospitals raises concerns for patient safety. It appears Fancy Bear was the group that hacked the US Federal agency CISA warned about recently. Chris Novak from Verizon considers whether investigations should be performed under attorney client privilege and if that privilege will hold. Alex Mosher from MobileIron explains how yours truly got phished. With Cookies. And interruptions to trading on Japan’s exchanges seem to be due to technical problems, and not to cyberattack. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/191

Ransomware gangs continue to look for an opportunistic payday. Another exposed database is found, and secured. Captchas and padlock icons have their place, but they’re not a guarantee of security. Microsoft explains how to reduce exposure to Zerologon. The US looks to reduce dependence on foreign microelectronics. Joe Carrigan has thoughts on Facebook running SuperPAC ads. Our guest is Sanjay Gupta from Mitek on how online marketplaces can balance security with biometrics. And there’s just one shopping day before National Cybersecurity Month. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/190

Three (count ‘em) three big ransomware attacks are in progress. One of them has moved into its doxing phase. Microsoft resolves authentication problems that briefly disrupted services yesterday. Tracking trends in cyberattacks--the sophistication seems to lie in the execution. The US Defense Department now has an interim rule implementing its CMMC program. Ben Yelin describes the extensive use of facial recognition software by the LAPD. Our guest is Christy Wyatt from Absolute on their Endpoint Resilience report. And why do hackers hack? To a large extent it seems they do so...because they can. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/189

The TikTok ban has been delayed; the November goal for the company’s change in ownership still stands, at least for now. Microsoft takes down infrastructure used by a Chinese cyberespionage group. Huawei’s CFO returns to court in Vancouver. The UK shows some of its cyber offensive hand. DDoS in Hungary; malware in Texas. The strange and sad case of eBay and a newsletter. Rick Howard shares lessons learned from his CSO Perspectives podcast. Our guest is Thomas Etheridge from CrowdStrike on mitigating the risk of public cloud key compromises. And REvil wants to recruit more criminal affiliates. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/188

Director of security operations at Syntax Richard Torres talks about his path leading him working in juvenile justice to becoming a private investigator to physical security at a nuclear power plant to cybersecurity presently. Always a fan of police shows, Richard became a member of the Air Force Junior ROTC in high school and began his path there. Richard shares the challenges of working in several facets of the security industry including his transition from SWAT team member to cybersecurity. He notes the role that diplomacy plays when you're trying to get honesty and be steered in the right direction. Our thanks to Richard for sharing his story with us.

Throughout March and April, QuoIntelligence (QuoINT) observed four attacks (i.e. sightings) utilizing various tools from the Golden Chickens (GC) Malware-as-a-Service (MaaS) portfolio – they recently declassified their findings, after first notifying their clients. Further, during their analysis of the sightings, QuoIntelligence confirmed the GC MaaS Operator, Badbullzvenom, released improved variants with code updates to three tools in the service portfolio. Joining us in this week's Research Saturday to discuss the research is QuoIntelligence's Vice President of Threat Intelligence, Chaz Hobson.  The research can be found here:  Latest Golden Chickens MaaS Tools Updates and Observed Attacks

Facebook takes down three Russian networks for coordinated inauthenticity: a lot of activity but not much evident ROI. Russia calls for confidence-building measures in cyberspace. CISA detects a successful incursion into an unnamed Federal agency. Governments warn of heightened rates of cyberattacks against medical organizations. Mike Benjamin from Lumen joins us with details on Alina malware. Our guest is James Dawson with insights on how to best calibrate your security budget. And there’s a not-guilty plea in the case of the attempted bribery of a Tesla insider. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/187

Zerologon is being actively exploited in the wild. The OldGremlin ransomware gang picks on Russian targets. Thought Fancy Bear was done with NATO? (Think again.) The US Treasury Department sanctions more organizations and individuals for malign influence operations. Betsy Carmelite from BAH on vaccine laboratory cybersecurity. Our guest is Shena Tharnish from Comcast Business with insights for small businesses concerned with COVID-19 related phishing. And four of the defendants indicted in the eBay cyberstalking case have chosen their pleas. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/186

Facebook takes down coordinated inauthenticity. A ransomware-involved death is attributed to DoppelPaymer. CISA and the FBI warn of coming election disinformation. LokiBot is back in a big way. Operation DisrupTor collars a hundred-seventy Darknet contraband merchants. Joe Carrigan comments on the botched ransomware attack in Germany that led to a woman's death. Our guest is Matt Davey from 1Password on why single sign on isn’t a silver bullet for enterprise security. And patriotic hacktivism flares along the Blue Nile. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/185

In an unusual lapse, Microsoft briefly left a Bing backend server exposed online--now fixed. Sources say the CIA has concluded that Russian President Putin is personally involved in setting the direction of operations designed to influence the US elections, The deal to spin out TikTok Global to avoid a US ban may not be enough, Europe looks for more control over tech companies. Activision’s hack seems to be a mere rumor. Ben Yelin on section 230 of the communications decency act. Our guest is Ramon Pinero from Blackberry on the challenges of coordinating public services during the pandemic. And a Dark Overlord cops a plea. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/184

CISA tells the Feds to patch Zerologon by midnight tonight. Cerberus surges after its source code is released. Rampant Kitten, an Iranian surveillance operation, is described. The US bans on WeChat and TikTok were both postponed. Justin Harvey from Accenture marks three years since wannacry with a look at ransomware. Our own Rick Howard on red and blue team operations. And police in Germany are looking for ransomware attackers on a homicide charge. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/183

The cybersecurity space is nothing if not crowded. Yet despite all the fantastic offers and promises being made by vendors, the sober reality persists that spending has not equated to improved security. Did you know that 80% of IT security budgets are focused on detection and containment controls, even though 70% of security experts believe that a greater focus on prevention would strengthen their security posture? Joining the conversation are Bob Olsen from Ankura giving his insight on the many options out there when buying cyber security systems and platforms. Later, we will be joined by Steve Salinas, Head of Product Marketing at Deep Instinct, as he addresses this paradox of why organizations are spending their scarce budget in ways that are contrary to their interests.

Cyber Initiative and Special Projects Fellow at the Hewlett Foundation Monica Ruiz shares her career development from aspirations of being a weather woman to her current role as a grantmaker and connector in cybersecurity. Monica discusses how her international study experience changed her outlook and brought her to the field of security. She shares the difficulties she faced as a woman of color when when not that many people look like you, and how she used that as her reason to move forward and better the cybersecurity field through her work. Our thanks to Monica for sharing her story with us.

After the 2016 General Election, the talk was all around foreign meddling. Rumors swirled that some votes may have been changed or influenced by state-sponsored actors. Sanctions and accusations followed. Four years later, is the U.S. any more prepared to protect the results of its largest elections? More than you may realize. Talos researchers take a deep dive into election security after spending the past four years talking to local, state and national officials, performing their own independent research and even watching one state plan an election in real-time. Joining us in this week's Research Saturday to discuss the report on this timely topic is Cisco Talos' Matt Olney.  The research can be found here:  What to expect when you’re electing: Talos’ 2020 election security primer.

The US Commerce Department announces a clampdown on TikTok and WeChat, to begin Sunday. An overview of the Grayfly and Blackfly units of APT41. Maze begins delivering payloads inside a VM. A ransomware attack on a Düsseldorf hospital is implicated in the death of a patient. Google wants less stalkerware and misrepresentation in the Play store. Caleb Barlow from Cynergistek on the Military's CMMC program. Our guest Galina Antova from Claroty highlights importance of secure remote access in industrial systems during times of crisis. And an alleged fox was allegedly guarding the henhouse. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/182

Cerberus is available for free, the Empire Market’s old and betrayed customers are probably looking for another marketplace where English is spoken, and it seems the Russian mob is selling access to North Korea’s Lazarus Group. NSA thinks US elections will be safe and secure, but that influence operations are probably here to stay. Betsy Carmelite from BAH on medical device security, our guest is Jonathan Langer from Medigate on lessons to help clinical and IT leaders at institutions heavily affected by COVID-19. Two Iranians are indicted for espionage and theft, and more evidence allegedly surfaces of Huawei’s role in sanctions evasion.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/181

CISA and the FBI warn of extensive Iranian cyberattacks that exploit flaws in widely used VPNs. The US indicts two men for website defacements undertaken for the benefit of Iran, and in retribution for the US drone strike that killed Quds Force commander Soleimani. The US has also indicted seven in a cybercrime and cyberespionage wave conducted in conjunction with Wicked Panda. Ethiopian strife made worse by social media. Joe Carrigan describes scammers using fake alerts on web sites. Our guest is Kevin Ford, CISO of the state of North Dakota on their move to offer free anti-malware to all state k-12 institutions. And ByteDance’s plans for TikTok grow clearer. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/180

Details of the Zerologon vulnerability are published, and it seems a serious one indeed. CISA describes Chinese cyberespionage practices--they’re not exotic, but they’re effective. What’s the difference between highly targeted market research and intelligence collection against individuals? Better commercials? Ben Yelin explains a 9th circuit court opinion with 4th amendment implications. Our guest is Exabeam’s Richard Cassidy on why when it comes to insider risk, context is everything. And there’s been a data breach at the VA. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/179

Social engineers use text from legitimate recent warnings. Cybercrooks go for whatever they can get from software about to reach the end of its life. A big database filled with individual information is leaked from a Chinese government contractor. In the race to do whatever it is US companies hope to do with TikTok, Microsoft is apparently out, but Oracle is apparently in. Rick Howard looks at red versus blue. Our gust is Colby Prior, Infrastructure Engineer for AusCERT, on running honeypots. And the FBI wants you to know, contrary what you may have seen online, that Oregon wildfires are not extremist arson. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/178

A reading of “Ode to Wealthy Elite”, written circa August 16, 2016. From “The collected works of the Shadow Brokers, volume I,” read by D.W. Bittner, compiled and edited by the CyberWire. The Shadow Brokers represent themselves as hackers who sell stolen exploits, hacking tools, and other scandalous material online to the detriment of Wealthy Elite, whose hidden hands the ShadowBrokers wish to convince you secretly move the world's events. Their online auctions have been notorious fizzles, finding few takers, but they continue to reappear with their offers from time to time. The smart money bets that the Brokers are a Russian intelligence service operation. They communicate in Hollywood scriptwriter broken English as opposed to any known natural language.

Cybersecurity Sales Engineer Brandon Robinson shares how he built his career in technology and the barriers he experienced along the way. He talks about how his job involves him interacting with customers at the highest levels making sure their solution is meeting needs. In addition, Brandon describes how as a black man and a trailblazer, he's been met with resistance. His positive spin on moving ahead involves relying on himself. Brandon's advice: find your passion, don't be intimidated and you will be met with success. Our thanks to Brandon for sharing his story with us.

Researchers at Symantec spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec.  The research can be found here:  Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike

Kittens and Pandas and Bears, oh my. Ransomware gets its skates on, but it still has loose idiomatic control. CISA has some advice on email. While at home on pandemic lockdown, a lot of people (not you) are spending too much time on unedifying sites. Momentum Cyber looks at the state of the cybersecurity sector in 2020. The SINET 16 have been announced. Chris Novak from Verizon on understanding the complexities of PFI breach investigations. Our guest is Steve Vintz from Tenable on why CFOs should lean into cybersecurity issues. And, finally, take a moment today to remember 9/11. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/177

Ransomware hits a major data center provider, but appears to have left service unaffected. There’s a thriving criminal market for website defacement tools: vandals can be consumers, too. CDRThief does what its name implies. ByteDance tried negotiating TikTok’s American future. Ireland’s Data Protection Commission starts enforcing Schrems II against Facebook. Awais Rashid outlines software development security pitfalls. Our guest is John Morello from Palo Alto with insights from their new State of Cloud Native Security report. And China’s ambassador to the UK has his Twitter account hacked. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/176

Back to school time for everyone...or it would be, if it weren’t for all that ransomware. The sad criminal underworld stealing from online gamers. Notes on Patch Tuesday. Joe Carrigan considers digital comfort zones. Our guest is Sandra Wheatley from Fortinet with key findings from their new report on the cybersecurity skills shortage. And some thoughts on election security and disinformation from the US Cybersecurity and Infrastructure Security Agency. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/175

Thanos is back, but as ransomware or a wiper? Cyber agencies in France, Japan, and New Zealand warn of a spike in Emotet infections. Australian authorities say 186,00 were affected by the breach at Services NSW. Georgia decries cyberespionage at its Lugar Lab. COVID-19 cyberespionage efforts have been intense, as have counterintelligence efforts designed to defend labs and supply chains. Rick Howard looks at identity management. Ben Yelin covers tightened surveillance of political advisors. And Anonymous may have a successor: K-pop stans. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/174

Dave shares a story about our own state of Maryland trying to crack down on ransomware, Ben shares a New York Times story about facial recognition software, and later in the show our conversation with Stuart Thompson from the New York Times on the article, Twelve Million Phones, One Dataset, Zero Privacy. Links to stories: How ransomware bill would tighten focus on the threat in Maryland The Secretive Company That Might End Privacy As We Know It Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.

Technology attorney and startup chief of staff Elizabeth Wharton shares her experiences and how she came to work with companies in technology. Elizabeth talks about how she always liked solving problems and Nancy Drew mysteries, but not litigation. These morphed finding into her home in the policy legal world and some time later, technology law. Elizabeth describes how she loves planning and strategy in her work and encourages others to ask questions and absorb all of the information. Our thanks to Elizabeth for sharing her story with us.

A look at the realities of ransomware from Sophos, including an industry-first detailed look at new detection evasion techniques in WastedLocker ransomware attacks that leverage the Windows Cache Manager and memory-mapped I/O to encrypt files. A complementary article examines the evasion-centric arms race of ransomware, providing a months-long review of how cybercriminals have been escalating and markedly changing evasion techniques, tactics and procedures (TTPs) since Snatch ransomware in December 2019.  The research also breaks down the five early warning signs organizations are about to be attacked by ransomware and why ransomware attacks continue to occur. Joining us on this week's Research Saturday to walk us through the research and share their findings is Sophos' Principal Research Scientist Chet Wisniewski and EVP & Chief Product Officer Dan Schiappa. The media alert and research articles can be found here:  Media Alert: Sophos Reports on the Realities of Ransomware WastedLocker’s techniques point to a familiar heritage Ransomware’s evasion-centric arms race 5 signs you’re about to be hit by ransomware The realities of ransomware: extortion goes social Ransomware: why it’s not just a passing fad

Ransom DDoS: it’s been around for awhile, but now it’s become a much bigger thing. Phishing campaigns are putting malicious payloads into legitimate file-sharing services. Malek Ben Salem from Accenture on proactive "alpha innovator" organizations. Our guest is Joseph Marks from The Washington Post on his recent coverage of election security. And it’s time to go back to school, at least virtually, with all the attendant cyber risk. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/173

Updates on cyberattacks against Norway’s parliament and the Hedmark region. A popular TikTok page is infested with scammers. Magecart’s Inter scanner gains criminal market share. Thomas Etheridge from CrowdStrike on the many potential benefits of outsourced threat hunting. Our guest is Lauren Bean Buitta from Girl Security on closing the gender gap in national security. Heading back to school in Miami? Not so fast, kids. And in Northumberland? Same goes there. (That’s Northumberland, England, by the way, not Northumberland, Pennsylvania.) For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/172

Facebook’s August takedowns included coordinated inauthenticity from Pakistan, Russia (that’s St. Petersburg, with a waystation in DC), and a US strategic communication firm. CISA and the FBI say nope, the Russians weren’t in voter databases. A Chinese APT turns its attention from Europe back to Tibet. A new cryptocurrency stealer is active in Central Europe. New Zealand DDoS attacks may be an extortion attempt. Joe Carrigan has the story of a reporter's stolen Facebook account. Our guest is Ophir Harpaz from Guardicore Labs with their Botnet Encyclopedia. And there may be another teenage mastermind behind last month’s Twitter hack. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/171

An election hack that wasn’t. More DDoS in New Zealand’s stock exchange. A look at how Iranian cyber contractors make money as a byproduct of cyberespionage. Malware sneeks past Apple’s notarization process. The bandit economy that’s grown up around Fortnite. Ben Yelin looks at how the upcoming US elections could direct the nation’s cybersecurity strategies. Our guest is Julian Waits from Devo with highlights from their 2nd annual SOC performance report. And the US Army’s youngest branch celebrates a birthday. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/170

New Zealand’s stock exchange continues to fight through offshore DDoS attacks. Sunday’s Internet outage was a glitch, not an attack. China enacts new technology export controls that may impede the sale of TikTok. Danish authorities investigate allegations of data sharing with NSA. North Korea says it doesn’t rob banks, but Americans do. Caleb Barlow looks at security validation and how it can help manage vendors and SOCs. Rick Howard has the CSO Perspective on Identity Management. And a look at Terracotta, a botnet serving up ad fraud. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/169

Host of Darknet Diaries podcast Jack Rhysider shares his experiences from studying computer engineering at university to his strategy of using gamification on his career that led to him landing in the security space. Jack talks about how his wide experiences came together in security and what prompted him to learn podcasting. Jack endeavors to share the whole story through his podcasts while making them entertaining, enlightening and inspirational. Our thanks to Jack for sharing his story with us.

Docker containers have been gaining popularity over the past few years as an effective way of packaging software applications. Docker Hub provides a strong community-based model for users and companies to share their software applications. This is also attracting the attention of malicious actors intending to make money by cryptojacking within Docker containers and using Docker Hub to distribute these images. Palo Alto Networks' Unit 42 researchers identified a malicious Docker Hub account, azurenql, active since October 2019 that was hosting six malicious images intended to mine the cryptocurrency, Monero. The images hosted on this account have been collectively pulled more than two million times. Additionally, when last checked minexmr.com for this wallet ID, Palo Alto's team saw recent activity indicating that it’s still being used. Joining us on this week's Research Saturday is Jen Miller-Osborn from Palo Alto Networks' Unit 42 group to share the research and findings. The research and blog post can be found here:  Attackers Cryptojacking Docker Images to Mine for Monero

Denial-of-service attacks continue to cripple New Zealand’s NZX stock exchange. The Empire criminal market has exited, and done so with its users funds. US authorities have filed for civil forfeiture of Hidden Cobra’s stolen crytpo assets. An Instagram hijacking campaign is under way. Qbot and Emotet are back, and together again. The former Green Beret who allegedly spied for the GRU offers an insight into his (alleged) motives. We welcome our newest partner to the show, Betsy Carmelite from BAH. Our guest is Mark Calandra from CSC on their 2020 domain security report that revealed shortfalls among the Forbes Global 2000. And the unnamed company cited in the arrest of a Russian national this week has now been named: it’s Tesla.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/168

Several Magecart campaigns turn out to be the work of one gang. The unfortunate persistence of DDoS-for-hire services. Ransomware’s growing sophistication as a class of criminal enterprise. Andrea Little Limbago from Interos on supply chain attacks & risks. Our guest is Mark Testoni from SAP's NS2 on how Covid-19 reshaped classified work. And hey kids: the BeagleBoyz are on a crime spree. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/167

New Zealand’s stock exchange has sustained two distributed denial-of-service attacks this week. CISA and FBI issue an alert about GoldenSpy. Two cyber mercenary groups are engaged in industrial espionage for hire. Thailand decides to crack down on sites that host content the government deems illegal. Joe Carrigan looks at new types of crimes made possible by AI. Our guest is Shane Harris from The Washington Post on an Elite CIA unit which failed to secure its own systems. And a Russian national faces US charges of conspiracy to damage a computer. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/166

Security trends during the pandemic include shifts in underworld markets and some enduring changes in the way organizations approach cybersecurity. Discount phones come preloaded with adware and fleeceware. TikTok files its lawsuit. Ben Yelin on the Massachusetts Attorney General creating a data privacy office. Our guest is Nitzan Miron from Barracuda Networks on how brick & mortar shops have accelerated their shift online. And spoofing a Bitcoin exchange to spread malware.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/165

Iranian wannabes successfully use Dharma ransomware against soft targets. SourMint hid an ad-fraud and info-stealing package in an SDK. A former US Army officer and sometime Government contractor is charged with working for the GRU. DarkSide ransomware rises as affiliates go into business on their own. Awais Rashid from the University of Bristol on aligning cyber security metrics with business goals. Rick Howard talks data loss prevention with members of the Hash Table. And copycat DDoS extortionists pretend to be, who else? Fancy Bear. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/164

Managing director of the Cyber Readiness Institute Kiersten Todt shares how she came to be in the cybersecurity industry helping to provide free tools and resources for small businesses through a nonprofit. She describes how her work on the Hill prior to and just after 9/11 changed. Kiersten talks about the diversity of skills that benefit work in cybersecurity and offers her advice on going after what you want to do. Our thanks to Kiersten for sharing her story with us.

The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them. This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events. Joining us on this week's Research Saturday from Craig Williams from Cisco's Talos Outreach team to walk us through how current events are used as lures. The research and blog post can be found here:  Adversarial use of current events as lures The CyberWire's Research Saturday is presented by Juniper Networks. Thanks to our sponsor Enveil, closing the last gap in data security.

Transparent Tribe upgrades Crimson RAT. Cuba, North Korea, and Saudi Arabia are also interested in influencing the upcoming US election. The University of Utah restored from backups after a ransomware attack, but paid the ransom to prevent the crooks from publishing stolen data. Uber’s former CSO has been charged with allegedly covering up a hack the company sustained in 2016. Justin Harvey from Accenture on how the pandemic has affected Incident Response. Gerald Beuchelt from LogMeIn on how secure remote access may or may not be. And a popular fertility app was found to be sharing data with advertisers without users’ permission. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/163

Ukraine warns that Russia’s Gamaredon Group is running a phishing campaign ahead of Ukraine’s independence day. CISA and the FBI publish details on a North Korean remote access Trojan. Google patches a serious Gmail flaw. Marriott faces another lawsuit over its 2018 data breach. The WannaRen ransomware operators have released a decryption key. Rob Lee from Dragos with lessons learned from recent virtual conferences. Our guest is Rachel Tobac from SocialProof with her insights on social engineering and the Twitter hack.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/162

Phone spearphishing is catching on after the Twitter hack. Taiwan blames China for hacking government agencies. FritzFrog botnet is cryptomining, for now. Whoever’s behind GoldenSpy is trying to cover their tracks. WastedLocker ransomware is successful without stealing data. The US Senate Select Committee on Intelligence releases its final report on Russian interference with the 2016 election. Joe Carrigan looks at shady SIM cards. Our guest is Nathan Jones from WhiteCanyon Software on secure data destruction. And an AI company exposes millions of medical records. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/161

Suspected patriotic hacktivists are defacing websites. A cryptomining worm is stealing AWS credentials. Cruise company Carnival suffered a ransomware attack that involved data theft. US measures against Huawei are expected to make things much more difficult for the Chinese company. Ben Yelin on new tools tracking cyber data on US borders. Our guest is Jesse Rothstein from ExtraHop on what happens to enterprise security when the network goes dark. And a look at the organizational structure of North Korea’s hacking units. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/160

North Korea harasses defectors. Researchers have been exploiting a bug in Emotet to inoculate systems against the malware for the past six months. CISA warns of KONNI spearphishing. RedCurl APT conducts corporate espionage. The US announces more restrictions on Huawei’s access to US-made chips. Chris Novak from Verizon on the evolving role of cyber insurance. Rick Howard on data loss prevention. And Australian schools are without email after an unpleasant experience with Reply-All. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/159

Founder and CEO Stu Sjouwerman takes us on a journey of how his career developed from starting a software service company to currently focusing on the infosec side of the business where his team essentially helps to create human firewalls. Stu talks about learning all aspects of the business while creating startups and suggests you learn to speak the language of the area you are looking to get into. He even touches on predicting the future and taking over the world. Our thanks to Stu for sharing his story with us.

Teachers, students, admin, parents: The education sector has possibly the most diverse user base, each requiring its own user privileges, access requirements, and behavioral trends. Yet besides this, there are a number of unique challenges to securing an educational environment, including ensuring broad attack surface protection, minimal false positives, and maintaining a cost-effective security posture. Join us in as we chat with Kevin Ford, Chief Information Security Officer for the state of North Dakota, about these challenges for securing statewide educational institutions and their networks. Later, we will be joined by Steve Salinas, Head of Product Marketing at Deep Instinct and Matthew Fredrickson, Director of IT at Council Rock School District, in what should be a steep learning curve on protecting educational environments.

Bitdefender researchers have recently found the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking. Joining us on this week's Research Saturday to discuss the research is Bitdefender's Liviu Arsene.  You can find the research here: StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure Our thanks to ExtraHop and Reservoir Labs for sponsoring this week's show.

Bitdefender researchers have recently found the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking. Joining us on this week's Research Saturday to discuss the research is Bitdefender's Liviu Arsene.  You can find the research here: StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure

An update on Fancy Bear and its Drovorub rootkit. Karma Panda, a.k.a. CactusPete, is scouting Eastern European financial and military targets with the latest version of a venerable backdoor. How criminals and terrorists exploit COVID-19, and how law enforcement tracks them down. Caleb Barlow from Cynergistek covers security assessments and HIPAA data. Our guest is Ryan Olson from Palo Alto Networks on the 10th Anniversary of Stuxnet. And those celebrity endorsed investment scams aren’t actually endorsed by celebrities, and they’re not actually good investments. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/158

NSA and FBI release a detailed report on a GRU toolset. North Korea’s Operation Dream Job phishes in Israeli waters. CISA warns of COVID-19 loan relief scams. Malek Ben Salem from Accenture with highlights from their 2020 Security Vision report. Our guest is Mike Hamilton from CI Security, who clears the air on election security and the shift to absentee status. And crooks are using infection and job loss as retail phishbait. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/157

Regional rivals tussle in cyberspace, and governments have it out with dissidents and the opposition. Market penetration as an instrument of state power. TikTok gets more unwelcome scrutiny over its privacy practices. Joe Carrigan on a credential harvesting phishing scheme using Zoom as bait. Our guest is Avi Shua from Orca Security on accidental vulnerabilities. And suppressing creepware is apparently harder than it looks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/156

Belarus shuts down its Internet after its incumbent president’s surprising, perhaps implausible, no...really implausible landslide reelection. Papua New Guinea undergoes buyer’s remorse over that Huawei-built National Data Centre it sprung for a couple of years ago. Versions of Chrome found susceptible to CSP rule bypass. Zoom is taken to court over encryption. Patch Tuesday notes. Ben Yelin looks at mobile surveillance in a Baltimore criminal case. Carole Theriault returns to speak with our guest, Alex Guirakhoo from Digital Shadows with a look at dark web travel agencies. And card-skimmers hit a university’s online store. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/155

The CyberWire's newest show is here - it’s called Word Notes, and it just launched today with 10 binge-able episodes. Think of it as your audio infosec glossary. It’s not an interview show, it’s just fun, informative, 2-3 minute podcasts that explain security terms, related concepts, and gives you a little bit of context. Be sure to subscribe to Word Notes wherever you get your podcasts to hear a new Word Note every Tuesday. 

A network mapping tool that pings IP addresses looking for a response and can discover host names, open communications ports, operating system names and versions. Written and maintained by Gordon Lyon, a.k.a. Fyodor, it is a free and open source software application used by both system admins and hackers alike and has been a staple in the security community for well over two decades.

The US Office of the Director of National Intelligence has released an appreciation of the goals of election interference among three principal US adversaries, Russia, China and Iran. Anomali offers a look at the ransomware-as-a-service market with its research on Smaug. The CyberWire’s Rick Howard continues his exploration of incident response. Andrea Little Limbago from Interos on cyber regionalism. And the tangles that need to be untangled in the TikTok affair, with a deadline looming less than a month from now. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/154

Cyber threat intelligence analyst Selena Larson takes us on her career journey from being a journalist to making the switch to industrial security. As a child who wrote a book about a green goldfish who dealt with bullying, Selena always liked investigating and researching things. Specializing in cybersecurity journalism led to the realization of how closely aligned or similar skills are required from an investigative journalist and a cyber threat intelligence analyst. Our thanks to Selena for sharing her story with us. 

Cyber threat intelligence analyst Selena Larson takes us on her career journey from being a journalist to making the switch to industrial security. As a child who wrote a book about a green goldfish who dealt with bullying, Selena always liked investigating and researching things. Specializing in cybersecurity journalism led to the realization of how closely aligned or similar skills are required from an investigative journalist and a cyber threat intelligence analyst. Our thanks to Selena for sharing her story with us.

“Cyberbunker” refers to a criminal group that operated a “bulletproof” hosting facility out of an actual military bunker. “Bullet Proof” hosting usually refers to hosting locations in countries with little or corrupt law enforcement, making shutting down criminal activity difficult. Cyberbunker, which is also known as “ZYZtm” and “Calibour”, was a bit different in that it actually operated out of a bulletproof bunker. In September of last year, German police raided this actual Cyberbunker and arrested several suspects. While most of the group's assets were seized during the initial raid, the IP address space remained and was later sold to Legaco Networks. Before being shut down, Legaco Networks temporarily redirected the traffic to the SANS Internet Storm Center honeypots for examination. Joining us on this week's Research Saturday from SANS Technology Institute is graduate student Karim Lalji and Dean of Research Johannes Ullrich to discuss their experiences.  The research and blog post can be found here:  Real-Time Honeypot Forensic Investigation on a German Organized Crime Network Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider

President Trump issues Executive Orders restricting TikTok and WeChat in the US. A Chinese APT has been active in industrial espionage against Taiwan’s semiconductor industry. Intel sustains a leak of sensitive company intellectual property. Rewards for Justice communicated to Russian and Iranian individuals by text message. Coordinated inauthenticity from Romanian actors, probably criminals. Magecart moves to homoglyph attacks. Craig Williams from Cisco Talos on ransomware campaigns making use of Maze and Snake malware. Our guest is Monica Ruiz from the Hewlett Foundation Cyber Initiative on the potential for a volunteer cyber workforce. And, sorry Fort Meade--there are limits to telework. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/153

The US announces five new lines of effort for the Clean Network program, and none of them are exactly mash notes for Beijing. The US is also offering rewards of up to ten million dollars for information about foreign computer crimes aimed at interfering with US elections. Australia’s new cybersecurity strategy is out. Maze may have hit Canon. Rob Lee from Dragos addresses speculation of an ICS supply chain back door. Our guest is Theresa Lanowitz from AT&T Cybersecurity on 5G security threats to businesses. And a bail hearing is disrupted by Zoom-bombing. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/152

NSA, yes, NSA, has some privacy advice. Interpol offers its take on where cybercrime is going during the time of the pandemic. Iran’s Oilrig is getting clever with its data exfiltration. The FBI would like to know when you’re finally going to move on from Windows 7--like, c’mon people. Joe Carrigan looks at pesky ads from the Google Play store. Our guest is Bobby McLernon from Axonius on how federal cybersecurity is particularly vulnerable during the shutdown. And a not-guilty plea from one of the three alleged Twitter hackers, along with some notes on how whoever dunnit dunnit. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/151

The US attributes the Taidoor remote access Trojan to the Chinese government. Sources tell Reuters that documents used in an attempt to influence the last British general election were taken from the compromised email account of the trade minister. Pegasus spyware is found deployed against churchmen and political opposition figures in Togo. China denounces the American smash-and-grab of TikTok. Ben Yelin looks at international law and attribution. Our guest is Ameesh Divatia from Baffle on misconfigured databases being attacked within just hours after coming online. And the Blackbaud ransomware attack continues to affect new victims. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/150

Microsoft is in talks to acquire TikTok as the US hints that it may be considering action against other Chinese software companies. Three young men have been charged in the Twitter hack. An apparent distributed denial-of-service attack turns out to have been a glitch. We welcome Verizon’s Chris Novak to the show. Rick Howard talks incident response. And updates on the Garmin hack suggest shifts in the ransomware threat. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/149

Director of Security Engineering at Marketa and Host of Hacker Valley Studio podcast Chris Cochran describes his transitions throughout the cybersecurity industry, from an intelligence job with the Marine Corps, to starting the intelligence apparatus for the House of Representatives, then on to leading Netflix's threat intelligence capability. Chris points out that when pivoting to different roles and responsibilities, you must rely on your own strengths to move forward and bring value to your work. Our thanks to Chris for sharing his story with us.

Director of Security Engineering at Marqeta and Host of Hacker Valley Studio podcast Chris Cochran describes his transitions throughout the cybersecurity industry, from an intelligence job with the Marine Corps, to starting the intelligence apparatus for the House of Representatives, then on to leading Netflix's threat intelligence capability. Chris points out that when pivoting to different roles and responsibilities, you must rely on your own strengths to move forward and bring value to your work Our thanks to Chris for sharing his story with us.

NortonLifeLock Research Group (NRG) released a prototype browser extension called BotSight that leverages machine learning to detect Twitter bots in real-time. The tool is intended to help users understand the prevalence of bots and disinformation campaigns within their Twitter feeds, particularly with the increase in disinformation of COVID-19. Joining us on this week's Research Saturday to discuss this tool is Daniel Kats from NortonLifeLock Research Group. You can find the research here: Introducing BotSight

An update on social engineering at Twitter. A quick look at the phishing kit criminal market. The European Union sanctions individuals and organizations in Russia, China, and North Korea for involvement in notorious hacking campaigns. North Korea’s North Star campaign is back and dangling bogus job offers in front of its marks. Deceptikons snoop into European law firms. Zully Ramzan from RSA on Digital Contact Tracing. Our guest is Tom Kellermann from Vmware Carbon Black on top financial CISOs analyzing the 2020 attack landscape. And both NSA and NIST have some advice on shoring up your security. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/148

Yesterday’s antitrust hearings in the US House of Representatives focus on Big Tech’s big data as something open to use in restraint of trade. And there are questions about community standards as well. The BootHole vulnerability may not represent an emergency, but it will be tough to fix. Android malware masquerades as COVID-19 contact-tracers. The FBI warns against Netwalker ransomware. China says it didn’t hack the Vatican. Justin Harvey from Accenture demystifies red teaming. Our guest is Christopher Ahlberg from Recorded Future on trends in threat intelligence. And somebody’s spoofing a British MP: he’s looking at you, Peoples Liberation Army. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/147

Alleged Russian influence operations described by US intelligence services. “Ghostwriter” targets the Baltic region with anti-NATO false narratives. Chinese intelligence is said to have compromised Vatican networks. Loss of customer PII seems the costliest kind of data breach. VPN bugs represent a risk to OT networks. Big Tech comes to Capitol Hill, virtually. Michigan’s online bar exam knocked offline, briefly, by a cyber attack. Joe Carrigan on password stealers targeting gaming. Our guests are Troy Smith and Mike Koontz from Raytheon on defending communications operations across cloud platforms. And a superseding indictment for two ex-Twitterati charged with snooping for Saudi Arabia. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/146

Cloudflare says that reported Ukrainian breaches aren’t its issue. Trend Micro describes a new and unusually capable strain of malware. Garmin is reported to have obtained a decryptor for WastedLocker ransomware. Third-party risk continues in the news, as do misconfigured databases that expose personal information. Huawei’s CFO alleges misconduct by Canadian police and intelligence agencies. Ben Yelin examines the EFF's online Atlas of Surveillance. Dave DeWalt with SafeGuard Cyber on the evolving threat landscape as folks return to the workplace. And the Twitter incident seems to have been a problem waiting to appear. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/145

A vigilante appears to be interfering with Emotet’s payloads. A fintech breach is blamed on a third-party service provider. A list of Cloudflare users is dumped online. There’s a going-out-of-business sale over at the Cerberus cybergang. Malek ben Salem from Accenture Labs on DeepFake detection. Our own Rick Howard gathers the Hash Table to sort some SOCs. And Garmin, restoring its services after last week’s attack, may have been the victim of Evil Corp’s WastedLocker ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/144

Privacy and data security lawyer, Dominique Shelton Leipzig shares that she has always wanted to be a lawyer, ever since she was a little girl. She talks about what her role is with clients in protecting and managing their data, sometimes adhering to up to 134 different data protection laws for global companies. Learn that not a lot has changed for an African-American woman partner at an Amlaw 100 firm as far as diversity during Dominique's career, and how Dominique suggests young lawyers should address those odds. Our thanks to Dominque for sharing her story with us. 

Privacy and data security lawyer, Dominique Shelton Leipzig shares that she has always wanted to be a lawyer, ever since she was a little girl. She talks about what her role is with clients in protecting and managing their data, sometimes adhering to up to 134 different data protection laws for global companies. Learn that not a lot has changed for an African-American woman partner at an Amlaw 100 firm as far as diversity during Dominique's career, and how Dominique suggests young lawyers should address those odds. Our thanks to Dominque for sharing her story with us.

On April 29, 2020, the Salt management framework, authored by the IT automation company SaltStack, received a patch concerning two CVEs; CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory-traversal vulnerability. On April 30, 2020, researchers at F-Secure disclosed their vulnerability findings to the public, with an urgent warning for Salt users - patch now. Before the weekend was out, criminals were deploying malware and targeting vulnerable Salt installations, successfully affecting operations at Ghost, DigiCert, and LineageOS. The malware is a cryptominer, but there is an additional component, a Remote Access Tool written in Go called nspps. Researchers at Akamai have also observed in-the-wild attacks on Salt vulnerabilities.  Joining us on this week's Research Saturday is Larry Cashdollar, Senior Security Response Engineer at Akamai, to discuss this issue.  The research can be found here:  SaltStack Vulnerabilities Actively Exploited in the Wild

CISA and NSA warn of a foreign threat to US critical infrastructure. A look at what the Bears have been up to lately. The Blackbaud extortion incident shows its ripple effects. An awful lot of Twitter employees had access to powerful admin tools. China orders a US consulate closed in a tit-for-tat response to the closure of China’s consulate in Houston. Andrea Little Limbago on cyber in a re-globalized world system. Our guest is Dominique Shelton Leipzig from Perkins Coie LLP on the CA Consumer Privacy Act. And DJI drones may be a bit nosey. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/143

Twitter updates the news of last week’s incident: the attackers seem to have accessed some direct messages. France’s partial permission for Huawei to operate in that country now looks like a ban with a 2028 deadline. A quiet cryptominer. The cyber threat to British sport. Awais Rashid from the University of Bristol on cyber security and remote working. John Ford from IronNet Cybersecurity with updated 2020 predictions and cyber priorities. And bosses and employees see things differently, cyberwise. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/142

“Meowing” is now a thing: the automated discovery and wiping of exposed and unprotected databases. The US indicts two Chinese nationals on eleven counts of hacking and reports evidence that Chinese intelligence services are now using cybercriminals as contractors. Mike Schaub from CloudCheckr on why COVID-19 has ignited modernization projects for government agencies. Joe Carrigan on counterfeit Cisco routers. The US State Department tells China to close its consulate in Houston. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/141

The Intelligence and Security Committee of Parliament has rendered its report on the Russian cyber threat. Trend Micro reports on the workings of the cyber criminal underground economy. Ben Yelin on U.S. Customs and Border Protection collecting license plate data. Our guest is Kevin O'Brien from GreatHorn on the role of business policies in security to keep users safe during high-risk events. And it turns out that Russia has no hackers whatsoever: Moscow’s Finance Minister says so, so you can take that to the bank. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/140

Notes on last week’s Twitter hack, and on the allure of original gangster and other celebrity usernames. Using marketing databases for intelligence collection. The US Government mulls a ban on TikTok. Johannes Ullrich from SANS on Google Cloud storage becoming a more popular phishing platform. Our own Rick Howard on security operations centers, and a preview of the latest episode of his CSO Perspectives podcast. And more reaction to alleged Russian and Chinese attempts to hack COVID-19 biomedical research. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/139

Computer security writer, podcaster and public speaker Graham Cluley describes learning to program on his own from magazines, creating text adventure games for donations, and his journey from programming to presenting and writing with a bit of tap dancing on the side. Along the way, Graham collaborated with others and learned to communicate so that all could understand, not just techies. Our thanks to Graham for sharing his story with us. 

Computer security writer, podcaster and public speaker Graham Cluley describes learning to program on his own from magazines, creating text adventure games for donations, and his journey from programming to presenting and writing with a bit of tap dancing on the side. Along the way, Graham collaborated with others and learned to communicate so that all could understand, not just techies. Our thanks to Graham for sharing his story with us.

Researchers at Symantec spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec.  The research can be found here:  Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike

The Twitter hack is looking more like high-grade, low-end crime. It also worries people over the disinformation potential it suggests. People care, they really do, that someone hacked COVID-19 biomedical research (we’ll explain). Australia joins the UK, Canada, and the US in blaming Russia for Cozy Bear’s capers. Russia says it didn’t do nothin’. Rob Lee from Dragos with thoughts on the Ripple 20 vulnerabilities on industrial control systems. Our guest is Sal Aurigemma from University of Tulsa on fake ANTIFA twitter accounts. And CISA’s serious about getting the Feds to apply Tuesday’s Windows patch. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/138

Twitter sustained a major incident in which celebrity accounts were hijacked yesterday. It seems to have been a social engineering caper, but it’s motivation, nominally financial, remains unclear. British authorities call out Russia for an influence campaign mounted during last year’s elections. Cozy Bear is back, and sniffing for COVID-19 biomedical intelligence. Craig Williams from Cisco Talos on Dynamic Data Resolver, a plugin that makes reverse-engineering malware easier. Our guest is Ashlee Benge, formerly from ZeroFox, on emerging and persistent digital attack tactics facing the financial services industry. And Chinese intelligence services are spearphishing Hong Kong Catholics. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/137

A 2018 Presidential finding authorized extensive CIA cyber operations against Russia, China, Iran, and North Korea. Wattpad may have been breached. The SEC asks its registrants to take steps to protect themselves against ransomware. Free VPNs’ databases found exposed. Joe Carrigan on privacy vs. security on Android devices. Our guest is Chris Deluzio from Pitt Cyber on election security. And Beijing woofs in the direction of London over the UK’s Huawei ban. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/136

The British Government decides to ban Huawei. More on the malware associated with Golden Tax software package. The Molerats appear to be behind some spyware misrepresenting itself as a secure chat app. The Porphiex botnet is back distributing a new ransomware strain. The odd case of the Data Viper breach. Ben Yelin tracks a ruling from the DC circuit court on the release of electronic surveillance records. Our guest is Ann Johnson from Microsoft discussing her keynote at RSA APJ, The Rise of Digital Empathy. And SAP has a patch out--if you’re a user, CISA advises you to take this one seriously. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/135

President Trump says he authorized US Cyber Command’s retaliation against Russia’s Internet Research Agency for midterm election meddling. North Korean financially motivated hacking as a sign of internal power dynamics. TrickBot accidentally deploys a new module. TikTok, privacy, and security. LinkedIn hacker convicted. Justin Harvey from Accenture on what should and shouldn’t go in emails. Our guest is Matt Davey from 1password on the under-celebrated role of IT in the work from home transition. And advice to alleged criminals on the lam: give ‘em a low silhouette. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/134

Cybersecurity and disinformation researcher Bilyana Lilly shares her career path from studying where she was always a foreigner to an expert on the Russian perspective. While studying international law in Kosovo, Bilyana realized there are no winners in war. Through her work, she hopes to bring a greater understanding of Russia's strategic thinking. Our thanks to Bilyana for sharing her story with us.

Cybersecurity and disinformation researcher Bilyana Lilly shares her career path from studying where she was always a foreigner to an expert on the Russian perspective. While studying international law in Kosovo, Bilyana realized there are no winners in war. Through her work, she hopes to bring a greater understanding of Russia's strategic thinking. Our thanks to Bilyana for sharing her story with us.

Built into virtually every hardware device, firmware is lower-level software that is programmed to ensure that hardware functions properly. As software security has been significantly hardened over the past two decades, hackers have responded by moving down the stack to focus on firmware entry points. Firmware offers a target that basic security controls can’t access or scan as easily as software, while allowing them to persist and continue leveraging many of their tried and true attack techniques. Joining us on this week's Research Saturday is Maggie Jauregui, security researcher at Dell, to discuss this issue.  The research can be found here:  Three firmware blind spots impacting security

Unpatched and beyond-end-of-life systems are (again) at risk. Conti ransomware appears to be steadily displacing its ancestor Ryuk in criminal markets. Are privacy laws as consumer friendly as they’re often taken to be? There may be some grounds for doubt. German security services warn of the espionage potential of Chinese companies’ data collection. Huawei skepticism grows in Germany, Canada, and the UK. Zully Ramzan from RSA on zero trust. Our guest is Conan Ward from QOMPLX on the unfortunate reality of cyber insurance in light of the 3rd anniversary of NotPetya. And Ray Hushpuppi says the Feds didn’t extradite him; they kidnapped him. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/133

Facebook takes down more coordinated inauthenticity. Preinstalled malware is found in discount phones available under the FCC’s Lifeline program. The Evilnum APT continues its attacks against fintech platforms and services. Joker Android malware adapts and overcomes its way back into the Play store. FreddieMac discloses a third-party databreach. Johannes Ullrich from SANS on defending against Evil Maids with glitter. Our guest is Rohit Ghai from RSA with a preview of his keynote, Reality Check: Cybersecurity’s Story. And the Royal Military College of Canada’s hack attack remains under investigation. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/132

The Natanz blast looks like traditional sabotage. CISA releases its strategy for securing industrial control systems. Authorities in Germany seize DDoSecrets’ server pursuant to a US request. Microsoft takes down COVID-19-themed BEC and phishing infrastructure. FBI Director denounces China’s cyberespionage. Joe Carrigan helps review personal privacy measures for ios and Android. Rick Howard speaks with Steve Moore from Exabeam with insights from a year spent interviewing CISOs. And some DDoS and ransomware attempts. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/131

Explosions at Iranian nuclear sites remain unexplained, but look increasingly like conventional sabotage as opposed to cyberattacks. The Cosmic Lynx gang sets a high bar for business email compromise. The Purple Fox exploit kit gets an upgrade. Ben Yelin describes a 5th amendment compelled decryption case that may be headed to the Supreme Court. Our guest is Hugh Thompson, Chairman of the RSA Conference Program, on the human element of cyber security and lessons learned shifting a conference online. And a network of coordinated inauthenticity and fictitious personae is found pushing an Emirati official line. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/130

An Iranian nuclear installation may have been hacked. Or maybe not, but in any case it was damaged. Huawei gets more skeptical looks. European police round up hundreds of online contraband dealers. Thomas Etheridge from CrowdStrike on the increased need for speed, scale, and remote investigative and recovery services. Our guest is Tobias Whitney from Fortress Information Security on the Asset to Vendor Network (A2V). And an accused Nigerian money-launderer (and an admitted influencer) is now in US custody, facing Federal charges. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/129

CEO Matt Devost, describes many firsts in his career, including hacking into systems on an aircraft carrier at sea. He shares how he enjoys solving hard problems and the red teamer perspective, and how he was able to translate those into a career. For those interested in cybersecurity, Matt advises opportunities for self-directed learning including heading down to your basement and building your own lab. Our thanks to Matt for sharing his story with us.

CEO, Matt Devost, describes many firsts in his career including hacking into systems on an aircraft carrier at sea. He shares how he enjoys solving hard problems and the red teamer perspective, and how he was able to translate those into a career. For those interested in cybersecurity, Matt advises opportunities for self-directed learning including heading down to your basement and building your own lab. Our thanks to Matt for sharing his story with us.

Evil Corp seems to have been shuffling through some newspaper sites. Don’t take the gangs’ communiqués at face value, but some appear to be trolling for unprotected MongoDB databases. A look at Taurus, an information-stealer being sold in criminal-to-criminal markets. Chinese law and online security. The EARN-IT Act is being debated. Justin Harvey on “Smishing”. Our guest is Jeff Styles from FireMon on COVID-19 increasing misconfiguration risks. And there’s trouble in Tilted Towers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/128

EvilQuest ransomware found in pirated versions of Little Snitch app. Out-of-band patches from Microsoft and Oracle. Extensive Chinese surveillance of Uighurs described. Hong Kong and the world react to China’s new National Security Law. The US FCC finds both Huawei and ZTE are threats to national security. Joe Carrigan on password stealers that target gaming. Our guest is Kiersten Todt from the Cyber Readiness Institute on how COVID-19 has changed small business security and what to expect going forward. And Britain rethinks its position on Huawei and 5G infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/127

NSA and CISA agree: take Palo Alto’s advisory about its PAN-OS operating system seriously. StrongPity is back and active against targets in Turkey and Syria. A big Bitcoin scam is using spoofed news outlets and bogus celebrity endorsements to lure victims. A large trove of PII has appeared in the dark web. Ben Yelin from UMD CHHS on whether or not the EARN IT Act violates the constitution, our guest is Brad Stone with Booz Allen Hamilton on how technology is changing the battlefield and why cyber is becoming so important in the DoD space. Finally, both Australia and India look to shore up their defenses against cyber threats from China. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/126

The University of California San Francisco pays Netwalker extortionists nearly a million and a half to recover its data. A Kashmir utility restores business systems after last week’s cyberattack. The website defacements in Ethiopia continue to look more like hacktivism than state-sponsored activity. Our own Rick Howard talks about wrapping up his first season of CSO Perspectives. Our guest is Sanjay Gupta from Mitek discussing how online marketplaces can balance security with biometrics. Data are exposed at an e-learning platform. Three prominent cyber-hoods go down in US Federal courts. And Lion says the beer is flowing, post ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/125

Vice President of Marketing, Kathleen Booth, shares her career path from political science and international development to marketing for a cybersecurity company. Early dreams of acting morphed into goals of making the world a better place. Chief marketer and podcaster Kathleen is doing just that. She shares how proving your worth can lead to success. Listen for Kathleen's advice on getting your foot in the door. Our thanks to Kathleen for sharing her story with us.

Vice President of Marketing, Kathleen Booth, shares her career path from political science and international development to marketing for a cybersecurity company. Early dreams of acting morphed into goals of making the world a better place. Chief marketer and podcaster Kathleen is doing just that. She shares how proving your worth can lead to success. Listen for Kathleen's advice on getting your foot in the door. Our thanks to Kathleen for sharing her story with us.

A new report examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade. The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative. Joining us in this week's Research Saturday to discuss the report is Eric Cornelius of Blackberry.  The research can be found here:  Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android

This is an extended interview of our conversation with Camille Stewart and Lauren Zabierek originally aired in our daily podcast 06/26/2020.  In response to anti-black racism and the deaths of countless black people, the country and the world are standing up against systemic racism in response. Many in the cybersecurity community have been searching for ways to amplify the voices of black and brown practitioners in the national security/foreign policy space. Inspired by the ShareTheMic campaign on Instagram, Camille Stewart  (@CamilleEsq on Twitter) and Lauren Zabierek (@LZXDC on Twitter)  have teamed up to launch the ShareTheMicInCyber Twitter campaign. On June 26, 2020, prominent members of the cybersecurity community will spend the day tweeting about a Black cybersecurity practitioner.  More info on Sharethemicincyber  Camille Stewart's essay 

Microsoft urges Exchange server patching. Sure it does your taxes, but it’s got another agenda, too: the GoldenSpy backdoor may be in your tax software if you do business in China. Magecart ups its game. DDoSecrets says they’re not going to roll over for Twitter’s “Nixonian” schtick. Camille Stewart from Google and Lauren Zabierek from Harvard’s Belfer Center on the #Sharethemicincyber event and why systemic racism is a threat to cybersecurity. Rick Howard wraps up cybersecurity canon week with guests Richard Clarke and Robert Knake, authors of The Fifth Domain. And there’s another unsecured Amazon S3 bucket, and this exposure could present a serious risk to some people who already have trouble enough. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/124 - More info on the #Sharethemicincyber event. - Camille Stewart's essay on systemic racism in cyber.

Akamai’s report on the record-setting DDoS attack it stopped this week. Glupteba GLOOP-tib-yeh and Lucifer malware strains described. Apple and Google move their defaults in the direction of greater privacy. The US designates Huawei and Hikvision as controlled by China’s military. A superseding indictment in Julian Assange’s case. The EU looks at GDPR and likes what it sees. REvil gets ready to sell stolen data. David Dufour from Webroot with tips on navigating new workplace realities. Our guest is David Sanger, author of The Perfect Weapon - War, Sabotage, and Fear in the Cyber Age. And the Navy recruiting campaign that wasn’t. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/123

Twitter permanently suspends DDoSecrets for violating its policy with respect to hacked material. DDoSecrets explains its thinking with respect to BlueLeaks. A quick look at a Hidden Cobra hunt. Sino-Australian dispute over hacking may be moving into a trade war phase. Lessons on election management. What do cybercriminals watch when they binge-watch? Joe Carrigan explains the Ripple 20 vulnerabilities. Cybersecurity Canon week continues with Joseph Menn, author of Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. And some notes on the most malware-infested movie and television fan communities. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/122

International conflicts and disputes are attended by hacking in South Asia, Australia, and Africa. The US designates four Chinese media outlets as foreign missions, that is, propaganda outfits. Sodinokibi ransomware sniffs at paycard and point-of-sale systems. Ben Yelin on TSA’s facial recognition program. Cybersecurity Canon Week continues with our guest is Bill Bonney, Co-Author of CISO Desk Reference Guide. And Evil Corp is back, apparently because you just can’t keep a bad man down. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/121

BlueLeaks dumps stolen police files online. A report of spyware delivered via network injection. COVID-19 apps and databases are reported to have indifferent privacy safeguards, and there’s been one big recent leak. India and Australia both on alert for Chinese cyberattacks. Our own Rick Howard on intelligence operations. It’s cybersecurity Canon Week, our guest is Todd Fitzgerald, author of CISO Compass. And New Zealand piles on in the case of a Russian alt-coin baron. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/120

Johannes Ullrich relays his experiences from studying the hard sciences to his career shift to cybersecurity. Basic principles, superhero origin stories, physics labs and radiation all figure in. And there’s a lot in common with network security best practices. Have a listen to what Johannes has learned and what he hopes to impart on his students.  Our thanks to Johannes for sharing his story with us. 

Dean of Research, Johannes Ullrich, relays his experiences from studying the hard sciences to his career shift to cybersecurity. Basic principles, superhero origin stories, physics labs and radiation all figure in. And there’s a lot in common with network security best practices. Have a listen to what Johannes has learned and what he hopes to impart on his students. Our thanks to Johannes for sharing his story with us.

Slack is a cloud-based messaging platform that is commonly used in workplace communications. Slack Incoming Webhooks allow you to post messages from your applications to Slack. Generally, Slack webhooks are considered a low risk integration. A deeper dive into webhooks shows that this is not entirely accurate.  Joining us in this week's Research Saturday is Ashley Graves from AT&T Cybersecurity's Alien Labs to discuss her research.  The research can be found here:  Slack phishing attacks using webhooks

A look at the “state-based cyber actor” the Australian government is concerned about. Some signs of Chinese retaliation for Five Eyes’ skepticism of Huawei. Johannes Ullrich explains malware triggering multiple signatures in anti-malware products. Our guest is Geoff White, author of Crime Dot Com, on how he tracked down the creator of the Love Bug. And an alert about the possibility of some COVID-19-themed fraud from the Lazarus Group. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/119

Sino-Indian conflict extends to cyberspace. InvisiMole connected to Gamaredon. Spyware found in Chrome extensions. Phishing around technical defenses (and some criminal use of captchas). The US Justice Department releases its study of Section 230 of the Communications Decency Act. Zully Ramzan from RSA on privacy and security in a post-COVID world. Our guest is Michael Powell from NCTA on the importance of the UK cybersecurity sector. And Zoom decides to make end-to-end encryption generally available. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/118

Ripple20 vulnerabilities are reported in the IoT software supply chain. North Korean operators go for intelligence, but also for cash, and they’re phishing in LinkedIn’s pond. Sino-Indian tensions find expression in cyberspace. A long look at the Russian influence operation, Secondary Infektion. Joe Carrigan from JHU ISI on why older adults share more misinformation online. Our guest Will LaSala from OneSpan tracks the increase in online banking fraud during COVID-19. And the strange case of the bloggers who angered eBay may have more indictments on the way. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/117

What does Beijing want to know about US Presidential campaigns? Position papers, mostly. A redacted version of the CIA’s inquiry into the WikiLeaks Vault 7 material is out. That DDoS attack you read about on Twitter? Never happened. Former eBay employees face Federal charges of conspiracy to commit cyberstalking and witness tampering. Ben Yelin explains a judge refusing to sign off on a potential Facebook facial recognition settlement. Our guest is Randy Vanderhoof from the Secure Technology Alliance on mobile drivers licenses. And where would you store “niche” dating app material? In a misconfigured AWS S3 bucket. Where else? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/116

A new Android spyware tool is deployed against China’s Uyghur minority. Anonymous claims it disrupted the Atlanta Police Department’s website yesterday to protest a police shooting. An apparently legitimate security firm has apparently been selling malware to criminals. Breachstortion joins sextortion as a criminal tactic. Craig Williams from Cisco Talos on Astaroth, an information-stealer that has been targeting Brazil, Our own Rick Howard on risk assessments. And why spelling always counts. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/115

Each week we step inside the diverse and fascinating worlds of cybersecurity professionals around the globe and hear their personal stories in their own words. This will be a regular feature in our daily feed, but it will also have it's own feed wherever all the fine podcasts can be found.  This week, we hear from Tom Quinn as he takes us from his first experience with modern computers in the military to his current role as a CISO. It's important to understand how the technology works, but it's also important to understand how people work. And, to make a difference. Our thanks to Tom for sharing his story with us. 

Financial firm CISO, Tom Quinn, takes us from his first experience with modern computers in the military to his current role as a Chief Information Security Officer. It's important to understand how the technology works, but it's also important to understand how people work. And, to make a difference. Our thanks to Tom for sharing his story with us.

Proactive, efficient threat mitigation and risk management require understanding adversaries’ fundamental thought processes, not just their tools and methods. Cyber threat intelligence analysts combed through 15 years (2004 to 2019) of public sources that have documented the activities of one prolific threat actor, Russia’s military intelligence agency, the GRU. Analysis shows that the timing, targets, and impacts of this activity mirrored Russian strategic concerns about specific events and developments.  Joining us in this week's Research Saturday are Brad Stone & Nate Beach-Westmoreland from Booz Allen Hamilton to discuss their report and some of the 33 case studies presented in it. The research can be found here:  Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations

Twitter’s transparency efforts see through accounts being run by Chinese, Russian, and Turkish actors. Zoom is working to both comply with Chinese law and contain the reputational damage involved in doing so. Industrial firms recover from Ekans infestations. Caleb Barlow from CynergisTek on how hospital CISOs are dealing with the COVID-19 situation. Our guest is Ronald Eddings from Palo Alto Networks and the Hacker Valley Studio Podcast on strategies for finding and managing security architects. And it’s not Posh Spice who’s got the attention of Maze; it’s just her M&A advisors. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/114

The Gamaredon Group is back, and what’s their secret? Like Crazy Eddie’s, it’s volume! Doxing during times of unrest. Phoney contact-tracing apps are snooping on personal information in at least ten countries. Thanos is a criminal favorite in the ransomware-as-a-service market. Another skirmish in the Crypto Wars is brewing up on Capitol Hill. David Dufour from Webroot on how organizations can successfully navigate their new workplace realities. Our guest is Chester Wisniewski from Sophos on fleeceware apps found in the Apple app store. And no, really, Elon Musk is not on YouTube offering you Bitcoin. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/113

Notes on Patch Tuesday--it was a fairly big one this time. Honda continues its investigation of the incident it sustained over the weekend, and outsiders see it as a ransomware attack. Facebook is said to have developed a Tails zero-day to help the FBI with a notorious case. Crooks are turning to search engine optimization. IBM and Google cloud services recovered quickly from outages. You’re unlikely to get rich from a breach settlement. Joe Carrigan describes free online courseware aimed at Community College students. Our guest is Dennis Toomey from BAE on how financial institutions need to enact stronger cyber protocols as employees migrate to working from home. And BellTroX says, hey, it was just helping some private eyes. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/112