Skip to content
Global PlayerGlobal Player
CyberWire Daily

CyberWire Daily

By N2K Networks

The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Episodes

Behind the Google shopping ad masks. [Research Saturday]

Maxim Zavodchik from Akamai joins Dave to discuss their research on "Xurum: New Magento Campaign Discovered." Akamai researchers have discovered an ongoing server-side template injection campaign that is exploiting digital commerce websites. This campaign targets Magento 2 shops, and was dubbed Xurum in reference to the domain name of the attacker’s command and control (C2) server.  The research states "The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component." The research can be found here: Xurum: New Magento Campaign Discovered Learn more about your ad choices. Visit megaphone.fm/adchoices
23/09/23·14m 32s

Enter the Sandman. A look at an initial access broker. Iran’s OilRig hits Israeli targets. Cyber ops and soft power. Update on casino ransomware attacks. Bermuda’s government sustains cyberattacks.

A new APT is found: enter Sandman. Tracking an initial access broker called Gold Melody. Iran’s OilRig group is active against Israeli targets. Cyber ops as an instrument of soft power. Recovery and investigation in the casino ransomware attacks. In our Solutions Spotlight, Simone Petrella speaks with MK Palmore from Google Cloud about talent retention and the cybersecurity skills gap. Our guest is Kristen Marquardt of Hakluyt with advice for cyber startups. And Bermuda points to Russian threat actors. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/182 Selected reading. Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit (SentinelOne) GOLD MELODY: Profile of an Initial Access Broker (Secureworks) OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes (We Live Security) Cyber Soft Power | China's Continental Takeover (SentinelOne) MGM Resorts computers back up after 10 days as analysts eye effects of casino cyberattacks (AP News) MGM Restores Casino Operations 10 Days After Cyberattack (Dark Reading) MGM Resorts computers back up after being down 10 days due to casino cyberattacks (CBS News) MGM says its recovered from cyberattack, employees tell different story (Cybernews) 'Power, influence, notoriety': The Gen-Z hackers who struck MGM, Caesars (Reuters) Apple emergency updates fix 3 new zero-days exploited in attacks (BleepingComputer)  Russia linked to cyberattack on government services (Royal Gazette) Learn more about your ad choices. Visit megaphone.fm/adchoices
22/09/23·32m 16s

Don’t get snatched. Trends in phishing, cyber insurance claims, and threats to academic institutions. Hacktivism in the hybrid war. Updates on the ICC attack. MGM says its casinos are back.

CISA and the FBI warn of Snatch ransomware. A look at phishing trends. Ransomware is increasingly cited in cyber insurance claims. Trends in cyber threats to academic institutions. A Russian hacktivist auxiliary disrupts Canadian border control and airport sites. The ICC remains tight-lipped concerning cyberattack. N2K’s Simone Petrella sits down with Chris Krebs at the mWise conference. In today’s Threat Vector segment, David Moulton from Unit 42 takes a peek into the modern threat landscape with Wendi Whitmore, SVP of Uniformity. And MGM Resorts says it’s well on the way to recovery. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/181 Threat Vector links. To learn what is top of mind each month from the experts at Unit 42 sign up for their Threat Intel Bulletin.  Selected reading. #StopRansomware: Snatch Ransomware (Cybersecurity and Infrastructure Security Agency CISA) 2023 .Phishing Trends (ZeroFox) Cyber Insurance Claims Frequency and Severity Both Increased For Businesses in 1H 2023, Coalition Report Finds (Business Wire)  2023 Cyber Claims Report: Mid-year Update (Coalition)  Since 2018, ransomware attacks on the education sector have cost the world economy over $53 billion in downtime alone (Comparitech) Canada blames border checkpoint outages on cyberattack (Record) Cyberattack hits International Criminal Court (SC Media) International Criminal Court hacked amid Russia probe (Register) International Criminal Court under siege in cyberattack that could constitute world’s first cyber war crime (Yahoo News) Our hotels and casinos are operating normally. (FAQ - MGM Resorts) MGM Resorts computers back up after 10 days as analysts eye effects of casino cyberattacks (AP News - 09-20-2023) Learn more about your ad choices. Visit megaphone.fm/adchoices
21/09/23·30m 32s

Hacking the ICC. ShroudedSnooper active, simple, and novel. New criminal malware used against Chinese-speakers. More on the materiality of cyberattacks.

The International Criminal Court reports a "cybersecurity incident." ShroudedSnooper intrusion activity is both novel and simple. Criminal malware targets Chinese-speaking victims. The costs of insider risk. More on the casino attacks (and related social engineering capers). In our Learning Layer segment, Sam Meisenberg drops into a CISSP tutoring session and offers some test-taking tips. Our guest is Aaron Brazelton, Dean of Admissions and Advancement at the Alabama School of Cyber Technology and Engineering. And the Clorox incident shows how one company navigates unfamiliar new SEC rules. Join Sam Meisenberg as he drops into a CISSP tutoring session talking about the difference between due diligence and due care along with some test-taking tips. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/180 Learning Layer. Learning about the CISSP certification from (ISC)² Selected reading. War crimes tribunal ICC says it has been hacked (Reuters) International Criminal Court says cybersecurity incident affected its information systems last week (AP News)  Hackers breached International Criminal Court’s systems last week (BleepingComputer) New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants (Cisco Talos) ShroudedSnooper's HTTPSnoop Backdoor Targets Middle East Telecom Companies (The Hacker News) Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape (Proofpoint)  Hackers who breached casino giants MGM, Caesars also hit 3 other firms, Okta says (Reuters) Las Vegas casino ransomware attacks: Okta in the spotlight (The Stack)  MGM losing up to $8.4M per day as cyberattack paralyzes slot machines, hotels for 8th straight day: analyst (New York Post)  Caesars reports cyberattack but did not go offline (Top Class Actions)  What Las Vegas tourists need to know about casino hacks (Washington Post)  MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents (Dark Reading) Clorox Cyberattack Brings Early Test of New SEC Cyber Rules (Wall Street Journal) Learn more about your ad choices. Visit megaphone.fm/adchoices
20/09/23·31m 38s

Ransomware in Colombia. An accidental data exposure. Cyberespionage hits unpatched systems. An attack on IT systems disrupts industrial production. Bots and bad actors.

Colombia continues its recovery from last week's cyberattacks. AI training data is accidentally published to GitHub. The cyberespionage techniques of Earth Lusca. Clorox blames product shortages on a cyber attack. Cybersecurity incidents in industrial environments. Where the wild bots are. Joe Carrigan looks at top level domain name exploitation. Our guest is Kristen Bell from GuidePoint Security with a look at vulnerability vs. exploitability. And there’s talk of potential Russia-DPRK cooperation in cyberspace. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/179 Selected reading. More than 50 Colombian state, private entities hit by cyberattack -Petro (Reuters)  Colombia Mulls Legal Action Against US Firm Targeted In Cyber Attack (Barron's) Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token (Microsoft Security Response Center) Microsoft AI Researchers Expose 38TB of Data, Including Keys, Passwords and Internal Messages (SecurityWeek) Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement (Trend Micro)  Chinese hackers have unleashed a never-before-seen Linux backdoor (Ars Technica) The Clorox Company FORM 8-K (US Securities and Exchange Commission)  Clorox Warns of Product Shortages Following Cyberattack (Wall Street Journal) Clorox warns of product shortages, profit hit from August cyberattack (The Street)  Can't find the right Clorox product? A recent cyberattack is causing some shortages (USA Today)  Clorox warns of product shortages after cyberattack (Fox Business)  As flu season looms, hackers force a shortage of Clorox products (Fortune) New Research Finds Cyberattacks Against Critical Infrastructure on the Rise, State-affiliated Groups Responsible for Nearly 60% (Business Wire) Death By a Billion Bots (Netacea) Russian and North Korea artillery deal paves the way for dangerous cyberwar alliance (EconoTimes)  Learn more about your ad choices. Visit megaphone.fm/adchoices
19/09/23·27m 16s

A quick look at some threats from China and North Korea, some engaged in collection, some in theft. BlackCat and other ransomware operators. And a view of cyberwar from Ukraine’s SSU.

Cyber threats trending from East Asia. The Lazarus Group is suspected in the CoinEx crypto theft. Pig butchering, enabled by cryptocurrency. BlackCat is active against Azure storage. a Ukrainian view of cyber warfare. A US-Canadian water commission deals with a ransomware attack. Eric Goldstein from CISA shares insights on cyber threats from China. Neil Serebryany of Calypso explains the policies, tools and safeguards in place to enable the safe use of generative AI. And more details emerge in the Las Vegas casinos’ ransomware incidents. Danny Ocean, call your office. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/178 Selected reading. Sophistication, scope, and scale: Digital threats from East Asia increase in breadth and effectiveness (Microsoft Security Compliance and Identity) Evidence points to North Korea in CoinEx cryptocurrency hack, analysts say (Record)  CoinEx invites hackers to negotiate after suffering data breach (The Times of India BlackCat ransomware hits Azure Storage with Sphynx encryptor (BleepingComputer) MGM websites up, but reservation systems still affected by hack (Las Vegas Review-Journal) The chaotic and cinematic MGM casino hack, explained (Vox) Massive MGM and Caesars Hacks Epitomize a Vicious Ransomware Cycle (WIRED) US-Canada water commission confirms 'cybersecurity incident' (Register)  Ukraine's Fusion of Cyber and Kinetic Warfare: Illia Vitiuk's Stand Against Russian Cyber Operations (AFCEA International) Learn more about your ad choices. Visit megaphone.fm/adchoices
18/09/23·27m 16s

Karl Mattson: Defer gratification. (CISO) [Career Notes]

Karl Mattson, CISO at Noname Security, joins us to share his story. Having started out as a "military brat," traveling the world as the child of a Marine, Karl later joined the Army not long after high school. In the Army, Karl was assigned the career field of intelligence analyst and started working with the NSA. He says that was a real career break. Following the Army, Karl worked in the financial services world as a CISO. At Noname, Karl began by building out internal risk and IT functions into a strong, what he calls spectacular team. Karl recommends "deferring gratification as long as possible" when building your career. He says, "People early in their career, looking at government service, those positions don't, you know, make anybody rich overnight, but they are amazing career cornerstones to build on." He closes sharing the importance of relationships. We thank Karl for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
17/09/23·9m 43s

A look into the emotions and anxieties of the highest levels of decision-making. [Research Saturday]

Guest Manuel Hepfer from ISTARI shares his research on cyber resilience which includes discussions with 37 CEOs to gain insight into how they manage cybersecurity risk. ISTARI and Oxford University's Saïd Business School dive into the minds and experiences of CEOs on how they manage cybersecurity risk. Ask any CEO to name the issues that keep them awake at night and cybersecurity risk is likely near the top of the list – with good reason. With the accelerating digitalisation of business models comes vulnerability to cyberattack. And while spending on cybersecurity increases every year, so does the number of serious incidents. Even the largest and most technologically advanced companies are not immune. CEOs must formally answer to regulators, shareholders and board members for their organisation’s cybersecurity. Yet the majority (72%) of CEOs we interviewed as part of our research said they were not comfortable making cybersecurity-related decisions. The research and associated article can be found here: Research: The CEO Report on Cyber Resilience Article: Make Cybersecurity a Strategic Asset Learn more about your ad choices. Visit megaphone.fm/adchoices
16/09/23·40m 15s

Peach Sandstorm cyberespionage. Criminal attacks against a Colombian telco and two major US casino firms. A thief in the browser. And the Greater Manchester Police are on a virtual manhunt.

"Peach Sandstorm" is an Iranian cyberespionage campaign. A Cyberattack against a telecom provider affects government and corporate online operations in Colombia. Python NodeStealer takes browser credentials. Caesars Entertainment files its 8-K. Some MGM Entertainment systems remain down. Betsy Carmelite from Booz Allen talking about how to leverage cyber psychology. Ron Reiter of Sentra outlines the threats for connected cars. And a third-party incident exposes personal data of the Manchester police. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/177 Selected reading. Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets (Microsoft) Hackers Backed by Iran Caught in Apparent Global Spy Campaign (The Messenger) BNamericas - Colombia cyberattack hits government, corpor... (BNamericas.com) Colombia's judicial branch thrown offline in major cyber attack (Colombia Reports)  Casino giant Caesars Entertainment reports cyberattack; MGM Resorts says some systems still down (AP News) Casino Operators Caesars and MGM Still Reeling From Cyber Attacks (Kiplinger.com)  Groups linked to Las Vegas cyber attacks are prolific criminal hacking gangs (CyberScoop)  MGM still responding to wide-ranging cyberattack as rumors run rampant (Record) Ransomware in the casinos. (CyberWire) MGM Resorts shuts down some systems. (CyberWire) Manchester police officers’ data stolen following ransomware attack on supplier (Record) Contractor Data Breach Impacts 8k Greater Manchester Police Officers (Hackread)  A Second Major British Police Force Suffers a Cyberattack in Less Than a Month (SecurityWeek)  Who is behind the latest wave of UK ransomware attacks? (the Guardian)  Learn more about your ad choices. Visit megaphone.fm/adchoices
15/09/23·31m 16s

Ransomware and materiality. MetaStealer hits businesses. Two looks at cloud risks. His Highness, the Large Language Model.

The MGM Resorts incident is now believed to be ransomware, and how does that inform our view of Materiality of a cyber incident? MetaStealer targets businesses. Cloud access with stolen credentials. The cloud as an expansive attack surface. Johannes Ullrich from SANS describes malware in dot-inf files. In our Industry Voices segment Dave speaks with Oliver Tavakoli, CTO at Vectra, on the complexity and challenges of cloud service security. And welcome back, or not, Your Highness the Large Language Model, Prince of Nigeria. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/176 Selected reading. Caesars Entertainment Paid Millions to Hackers in Attack (Bloomberg)  Caesars Paid Ransom After Suffering Cyberattack (Wall Street Journal)  The Cyberattack That Sent Las Vegas Back in Time (Wall Street Journal)  Pro Take: MGM Casino Hack Shows Challenge in Defending Connected Tech (Wall Street Journal)  ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee, Researchers (Hackread) FBI probing MGM Resorts cyber incident as some casino systems still down (Reuters)  MGM Resorts says cyberattack could have material effect on company (NBC News)  MGM Resorts cybersecurity breach could cost millions, expert says (KLAS)  MGM Resorts shuts down some systems because of a “cybersecurity issue.” (Updated.) (CyberWire) macOS Info-Stealer Malware 'MetaStealer' Targeting Businesses (SecurityWeek)  “Authorized” to break in: Adversaries use valid credentials to compromise cloud environments (Security Intelligence)  Unit 42 Attack Surface Threat Report (Palo Alto Networks) The Nigerian Prince is Alive and Well: Cybercriminals Use Generative… (Abnormal)  Learn more about your ad choices. Visit megaphone.fm/adchoices
14/09/23·25m 39s

How one access broker gets its initial access (it’s through novel phishing). Be alert for deepfakes, US authorities say. The Pentagon’s new cyber strategy. And a reminder: yesterday was Patch Tuesday.

An access broker's phishing facilitates ransomware. 3AM is fallback malware. Cross-site-scripting vulnerabilities are reported in Apache services. US agencies warn organizations to be alert for deepfakes. The US Department of Defense publishes its 2023 Cyber Strategy. Ann Johnson from the Afternoon Cyber Tea podcast speaks with with Jenny Radcliffe about the rise in social engineering. Deepen Desai from Zscaler shares a technical analysis of Bandit Stealer. And a quick reminder: yesterday was Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/175 Selected reading. Malware distributor Storm-0324 facilitates ransomware access (Microsoft Security)  3AM: New Ransomware Family Used As Fallback in Failed LockBit Attack (Symantec) Azure HDInsight Riddled With XSS Vulnerabilities via Apache Services (Orca Security) Contextualizing Deepfake Threats to Organizations (US Department of Defense)  Bipartisan push to ban deceptive AI-generated ads in US elections (Reuters) DOD Releases 2023 Cyber Strategy Summary (U.S. Department of Defense) New Pentagon cyber strategy: Building new capabilities, expanding allied info-sharing (Breaking Defense) New DOD cyber strategy notes limits of digital deterrence (DefenseScoop) New Pentagon cyber strategy: Building new capabilities, expanding allied info-sharing (Breaking Defense) CISA Releases Three Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA)  September 2023 Security Updates (Microsoft Security Response Center)  Microsoft Releases September 2023 Updates (Cybersecurity and Infrastructure Security Agency CISA)  Zero Day Summer: Microsoft Warns of Fresh New Software Exploits (SecurityWeek) Microsoft Patch Tuesday: Two zero-days addressed in September update (Computing)  Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA) Microsoft, Adobe fix zero-days exploited by attackers (CVE-2023-26369, CVE-2023-36761, CVE-2023-36802) (Help Net Security)  Adobe fixed actively exploited zero-day in Acrobat and Reader (Security Affairs)  Adobe warns of critical Acrobat and Reader zero-day exploited in attacks (BleepingComputer)  Apple Releases Security Updates for iOS and macOS (Cybersecurity and Infrastructure Security Agency CISA)  SAP Security Patch Day for September 2023 (Onapsis)  Google Rushes to Patch Critical Chrome Vulnerability Exploited in the Wild - Update Now (The Hacker News)  Critical Google Chrome Zero-Day Bug Exploited in the Wild (Dark Reading) Zero-day affecting Chrome, Firefox and Thunderbird patched (Computer)  Learn more about your ad choices. Visit megaphone.fm/adchoices
13/09/23·26m 7s

Phishing with Facebook Messenger bots. Redfly hits a national power grid. Nice platform you got there…shame if something happened to it. MGM Resorts grapples with a “cybersecurity issue.”

Phishing with Facebook Messenger accounts. Redfly cyberespionage targets a national grid. The exploit trade in the C2C underground market. Phishing attack exploits Baidu link. A repojacking vulnerability. A hacktivist auxiliary looks to its own interests. Ben Yelin marks the start of the Google antitrust trial. In our Industry Voices segment, Adam Bateman from Push Security explains how identities are the new perimeter. And MGM Resorts are dealing with a “cybersecurity issue.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/174 Selected reading. Sponsor with batch-filed whiskers: Ballistic Bobcat’s scan and strike backdoor (ESET)  Charming Kitten's New Backdoor 'Sponsor' Targets Brazil, Israel, and U.A.E. (The Hacker News)  Iran's Charming Kitten Pounces on Israeli Exchange Servers (Dark Reading)  Iranian hackers break into networks of more than 30 companies in Israel (ynetnews)  “MrTonyScam” — Botnet of Facebook Users Launch High-Intent Messenger Phishing Attack on Business Accounts (Guardio Labs, via Medium) Facebook Messenger phishing wave targets 100K business accounts per week (BleepingComputer)  Vietnamese Hackers Deploy Python-Based Stealer via Facebook Messenger (The Hacker News)  Redfly: Espionage Actors Continue to Target Critical Infrastructure (Symantec) Sales and Purchases of Vulnerability Exploits (Flashpoint) Phishing Attack Abuses Baidu Link Redirect, Cloudflare, and Microsoft (Vade) New Exploit Puts Thousands of GitHub Repositories and Millions of Users at Risk (Checkmarx.com) After Microsoft and X, Hackers Launch DDoS Attack on Telegram (SecurityWeek) MGM Resorts shuts down some computer systems after cyber attack (Reuters)  Cybersecurity issue prompts computer shutdowns at MGM Resorts properties across US (AP News)  MGM Resorts shuts down IT systems after cyberattack (BleepingComputer) MGM Resorts experiences 'cybersecurity issue' impacting operations and prompting investigation (Fox Business)  MGM resorts says 'cybersecurity issue' may have widespread impact (NBC News)  MGM Resorts blames 'cybersecurity issue' for ongoing outage (TechCrunch)  FBI assisting in MGM cybersecurity investigation as slot machines, website, and emails rem (KSNV)  MGM Resorts Says It Shut Down Some Systems Following Hack (Bloomberg)  Learn more about your ad choices. Visit megaphone.fm/adchoices
12/09/23·32m 6s

UK's NCA and NCSC release a study of the cybercriminal underworld. HijackLoader's growing share of the C2C market. Russia's hacker diaspora in Turkey. Cyber diplomacy, free and frank..

UK's NCA and NCSC release a study of the cybercriminal underworld. HijackLoader's growing share of the C2C market. Russia's hacker diaspora in Turkey. Author David Hunt discusses his new book, “Irreducibly Complex Systems: An Introduction to Continuous Security Testing.” In our Industry Voices segment, Mike Anderson from Netskope outlines the challenges of managing Generative AI tools. And a senior Russian cyber diplomat warns against US escalation in cyberspace. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/173 Selected reading. Ransomware, extortion and the cyber crime ecosystem (NCSC) HijackLoader (Zscaler) New HijackLoader malware is rapidly growing in popularity (Security Affairs) New HijackLoader Modular Malware Loader Making Waves in the Cybercrime World (Hacker News) Spyware Telegram mod distributed via Google Play (Secure List) Millions Infected by Spyware Hidden in Fake Telegram Apps on Google Play (The Hacker News) 'Evil Telegram' Android apps on Google Play infected 60K with spyware (BleepingComputer) Influx of Russian fraudsters gives Turkish cyber crime hub new lease of life (Financial Times) Russia warns "all-out war" with US could erupt over worsening cyber clashes (Newsweek) New strategy for global cybersecurity cooperation coming soon: State cyber ambassador (Breaking Defense)  Learn more about your ad choices. Visit megaphone.fm/adchoices
11/09/23·31m 11s

Caroline Wong: A passion for teaching. [CSO] [Career Notes]

Caroline Wong, Chief Strategy Officer from Cobalt sits down to share her story of her 15+ years in cybersecurity leadership, including practitioner, product, and consulting roles. As well as being a member of our very own Hash Table, Caroline also authored the popular textbook, Security Metrics: A Beginner's Guide and teachers cybersecurity courses on LinkedIn Learning as well as hosts the Humans of InfoSec podcast. Caroline's father pushed her to start her career in engineering, she went to UC Berkeley and got accepted into their Electrical Engineering and Computer Sciences program. As a college student, she was looking for an internship and found eBay, where she says she worked an entry level position available on the information security team, and says the rest is history. She shares that she loves to teach her peers, and how she would like to be remembered for being a good teacher, saying "I think that my favorite part of the work that I get to do is teaching. Um, and in particular, um, being able to communicate about cybersecurity concepts to a wide audience. I have such tremendous gratitude." We thank Caroline for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
10/09/23·10m 14s

No honor in being a criminal. [Research Saturday]

This week, our guest is Reece Baldwin from Kasada discussing their work on "No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign." The Kasada Threat Intelligence team has recently identified a malware campaign targeting users of OpenBullet, a tool popular within criminal communities to conduct credential stuffing attacks. This malware campaign was first uncovered when the team was digging around in a Telegram channel setup to share OpenBullet configurations. Reading through a few of the configurations they identified a function, ostensibly designed to bypass Google’s reCAPTCHA anti-bot solution. Th research states "While the versatility of OpenBullet’s configuration files enable complex attacks, they can also make it difficult for inexperienced attackers to fully understand what requests are being created and what data is being retrieved." The research can be found here: No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign Learn more about your ad choices. Visit megaphone.fm/adchoices
09/09/23·17m 18s

Apple issues an emergency patch. Aerospace sector under attack. DPRK spearsphishes security researchers. Notes from the hybrid war, including Starlink’s judgments on jus in bello.

Apple issues emergency patches. "Multiple nation-state actors" target the aerospace sector. The DPRK targets security researchers. SpaceX interrupted service to block a Ukrainian attack against Russian naval units last year. The International Criminal Court will prosecute cyber war crimes. Operation KleptoCapture extends to professional service providers. Malek Ben Salem of Accenture ponders the long-term reliability of LLM-powered applications. Our guest is Elliott Champion from CSC on how cybercriminals are taking advantage of the Threads platform. And congratulations to the SINET 16. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/172 Selected reading. BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild (The Citizen Lab)  Apple issues software updates after spyware discoveries (Washington Post) Apple patches two zero-days under attack (CVE-2023-41064, CVE-2023-41061) (Help Net Security) CISA, FBI, and CNMF Release Advisory on Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA (Cybersecurity and Infrastructure Security Agency CISA) Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Cybersecurity and Infrastructure Security Agency CISA)  AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Tenable®)  CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities (The Hacker News) Active North Korean campaign targeting security researchers (Google) Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers (SecurityWeek) Musk 'switched off Starlink in Ukraine over nuclear fears' (Computing) CNN Exclusive: 'How am I in this war?': New Musk biography offers fresh details about the billionaire's Ukraine dilemma | CNN Politics (CNN)  Ukraine, US Intelligence Suggest Russia Cyber Efforts Evolving, Growing (Voice of America) The International Criminal Court Will Now Prosecute Cyberwar Crimes (WIRED) Technology Will Not Exceed Our Humanity (Digital Front Lines)  Justice Department’s Oligarch Hunters Widen Scope to Include Facilitators (Wall Street Journal)  Apple issues emergency patches. APTs target aerospace sector. DPRK targets security researchers. New BEC phishing kit. Notes from the hybrid war. ICC will prosecute cyber war crimes. SINET 16 announced. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
08/09/23·30m 35s

Microsoft releases results of investigation into cloud email compromise. A buggy booking service. Adversary emulation for OT networks. Identity protection trends. Notes from the hybrid war.

Microsoft releases results of their investigation into cloud email compromise. A vulnerability affects a resort booking service. Adversary emulation for OT networks. Identity protection and identity attack surfaces. Sanctioning privateers (with a bonus on vacation ideas). Rob Boyce from Accenture Security tracks new trends in ransomware. Our Threat Vector segment features Mastering IR Sniping A Deliberate Approach to Cybersecurity Investigations with Chris Brewer. And Estonia warns of ongoing cyber threats. On this segment of Threat Vector, Chris Brewer, a Director at Unit 42 and expert in digital forensics and incident response, joins host David Moulton discussing Mastering IR Sniping: A Deliberate Approach to Cybersecurity Investigations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/171 Threat Vector links. Sniper Incident Response from Cactus Con on GitHub Sniper Incident Response presentation by Chris Brewer on YouTube Selected reading. Results of Major Technical Investigations for Storm-0558 Key Acquisition (Microsoft Security Response Center) Check-Out With Extra Charges - Vulnerabilities in Hotel Booking Engine Explained (Bitdefender) Deep Dive into Supply Chain Compromise: Hospitality's Hidden Risks (Bitdefender)  MITRE and CISA release Caldera for OT attack emulation (Security Affairs)  MITRE Caldera for OT now available as extension to open-source platform (Help Net Security) Silverfort and Osterman Research Report Exposes Critical Gaps in Identity Threat Protection (Silverfort)  United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang (US Department of the Treasury) Estonian PM: cyberspace is Ukraine war frontline (Euromaidan Press) Cyberwar and Conventional Warfare in Ukraine (19FortyFive) Learn more about your ad choices. Visit megaphone.fm/adchoices
07/09/23·27m 8s

Agent Tesla still hits unpatched systems. Hot wallet hacks. AI and DevSecOps. Notes on Fancy Bear and NoName057(16). And some curious trends in the cyber labor market.

There’s a new Agent Tesla variant. Lost credentials and crypto wallet hacks. Tension between DevSecOps and AI. Fancy Bear makes an attempt on Ukrainian energy infrastructure. A look at NoName057(16). Tim Starks from the Washington Post's Cybersecurity 202. Simone Petrella and Helen Patton discuss People as a security first principle. And cybersecurity jobs seem to be getting tougher (say the people who are doing them). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/170 Selected reading. New Agent Tesla Variant Being Spread by Crafted Excel Document (Fortinet Blog)  World's Largest Cryptocurrency Casino Stake Hacked for $41 Million (Hackread)  Crypto casino Stake.com loses $41 million to hot wallet hackers (BleepingComputer)  Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (KrebsOnSecurity)  Global DevSecOps Report on AI Shows Cybersecurity and Privacy Concerns Create an Adoption Dilemma (GitLab) APT28 cyberattack: msedge as a bootloader, TOR and mockbin.org/website.hook services as a control center (CERT-UA#7469) (CERT-UA) Ukraine's CERT Thwarts APT28's Cyberattack on Critical Energy Infrastructure (The Hacker News) Ukraine says an energy facility disrupted a Fancy Bear intrusion (Record) What's in a NoName? Researchers see a lone-wolf DDoS group (Record)  New Research from TechTarget’s Enterprise Strategy Group and the ISSA Reveals Continuous Struggles within Cybersecurity Professional Workforce - ISSA International (ISSA International)  Life and Times 2023 Download Landing Page (ISSA International)  E-book: The Life and Times of Cybersecurity Professionals Volume VI (ESG Global)  Layoffs list extended by Malwarebytes, Fortinet, Veriff, SecureWorks (Cybernews)  Learn more about your ad choices. Visit megaphone.fm/adchoices
06/09/23·31m 23s

In today’s symposium, we talk about a new strand of Chae$ malware, some developments in social engineering, privateers in a hybrid war, cyber ops as combat support, and some default passwords.

A New variant of Chae$ malware is described. A "Smishing Triad" impersonates postal services. A MinIO storage exploit reported. Okta warns of attackers seeking senior admin privileges. LockBit compromises a UK security contractor. DDoS takes down a German financial regulator's site. Infamous Chisel as GRU combat support. Joe Carrigan on Meta uncovering a Chinese influence effort. Our guest is Connie Stack, CEO of Next DLP, discussing data breach notification procedure. And please -PLEASE- remember to change your default passwords. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/169 Selected reading. Threat Profile: Chae$ 4 Malware (Morphisec) "Smishing Triad" Targeted USPS and US Citizens for Data Theft (Resecurity)  'Smishing Triad' Targeted USPS and US Citizens for Data Theft (Security Affairs)  New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services (Security Joes) Hackers exploit MinIO storage system to breach corporate networks (BleepingComputer)  Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges (The Hacker News)  More Okta customers trapped in Scattered Spider's web (Register)  Cross-Tenant Impersonation: Prevention and Detection (Okta Security) Breaking: UK MoD attacked by LockBit (Computing) German financial agency site disrupted by DDoS attack since Friday (BleepingComputer)  LogicMonitor customers hacked in reported ransomware attacks (BleepingComputer) LogicMonitor customers hit by hackers, because of default passwords (TechCrunch) Learn more about your ad choices. Visit megaphone.fm/adchoices
05/09/23·28m 34s

Interview Select: Jeff Welgan, Chief Learning Officer at N2K Networks is expanding on the NICE framework in strategic workforce intelligence. [Interview selects]

This interview from August 25th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Jeff Welgan, Chief Learning Officer at N2K Networks, to expand on the NICE framework in strategic workforce intelligence. Learn more about your ad choices. Visit megaphone.fm/adchoices
04/09/23·12m 0s

Rick Doten: There is a rainbow of different roles in cybersecurity. [VP] [Career Notes]

This week's guest is Rick Doten, the VP of Information Security at Centene Corporation, he sits down to share his story and provide wise words of wisdom after conquering this industry for 30 years. Rick, like many others in the field started off not knowing what he wanted to do, so he tried out a few things, including doing in-user training and desktop support, eventually evolving to do systems analysis work and designing software. Rick shares that his main day to day roles are spending time helping out the corporate global CISO, CTO, and head of platform within the organization, he shares that his nickname is the neighborhood cat because he's everywhere. Rick shares advice for people getting into the industry for the first time, saying "There is a rainbow of different roles in cyber security, and I feel like I've done all of them in the last 30 years. So there are different things that, that you, the thing that like appeal to you the most because you're going to excel and want to hyper focus on the thing that you really, really are interested in and not the thing that you're not" We thank Rick for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
03/09/23·9m 59s

Thwarting Muddled Libra. [Research Saturday]

Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42 join Dave to talk about Threat Group Assessment: Muddled Libra. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses. Posing threats to organizations in the software automation, BPO, telecommunications and technology industries, Muddled Libra is a threat group that favors targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals. The research can be found here: Threat Group Assessment: Muddled Libra Learn more about your ad choices. Visit megaphone.fm/adchoices
02/09/23·30m 5s

DPRK cyberespionage update. New cybercriminal TTPs. The state of DevSecOps. Hacktivism and the nation-state. Cyberwar lessons learned. A free decryptor for Key Group ransomware.

A VMConnect supply chain attack is connected to the DPRK. Reports of an aledgedly "fully undetectable information stealer." DB#JAMMER brute forces exposed MSSQL databases. A Cyberattack on a Canadian utility. The state of DevSecOps. A look at hacktivism, today and beyond. Betsy Carmelite from Booz Allen on threat intelligence as part of a third-party risk management program. Our guest is Adam Marré from Arctic Wolf Networks, with an analysis of Chinese cyber tactics. And a free decryptor is released for Key Group ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/168 Selected reading. VMConnect supply chain attack continues, evidence points to North Korea (ReversingLabs)  Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware (Securonix) Montreal electricity organization latest victim in LockBit ransomware spree (Record) LockBit ransomware gang targets electrical infrastructure organization in Montreal (teiss) [Analyst Report] SANS 2023 DevSecOps Survey (Synopsys) SANS 2023 DevSecOps Survey (Application Security Blog) Government Agencies Report New Russian Malware Targets Ukrainian Military (National Security Agency/Central Security Service) Russian military hackers take aim at Ukrainian soldiers' battle plans, US and allies say (CNN) Ukraine: The First Cyber Lessons (AFCEA International) The Return of Hacktivism: A Temporary Reprise or Here for Good? (ReliaQuest) Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang (EclecticIQ) Learn more about your ad choices. Visit megaphone.fm/adchoices
01/09/23·31m 33s

GREF and Earth Estries from China. GRU’s Sandworm surfaces again, wielding “Infamous Chisel.” Hacktivist nuisances in the hybrid war. A zero-day is discovered. And the Wolverines are back online.

China deploys tools used against Uyghurs in broader espionage. The Five Eyes call out a GRU cyberespionage campaign. Russian hacktivist auxiliaries hit Czech banks and the platform formerly known as Twitter. A Spring-Kafka zero-day is discovered. Deepen Desai from Zscaler explains RedEnergy Stealer-as-a-Ransomware attacks. Luke Nelson of UHY Consulting on ransomware’s impact on schools. And, hey, go Wolverines: the University of Michigan overcomes a cyberattack that delayed the academic year. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/167 Selected reading. BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps (We Live Security)  Earth Estries Targets Government, Tech for Cyberespionage (Trend Micro)  Infamous Chisel Malware Analysis Report (Cybersecurity and Infrastructure Security Agency CISA) UK and allies support Ukraine calling out Russia's GRU for new malware campaign (NCSC)  Hackers Attack Czech Banks, Demanding End of Support For Ukraine (Brno Daily)  More Russian attacks on Czech banks: Hackers call for end of support to Ukraine (Expats.cz) Anonymous Sudan hacks X to put pressure on Elon Musk over Starlink (BBC News)  Contrast Assess uncovers Spring-Kafka deserialization zero day (Contrast Security) U. Michigan restores campus internet after cyberattack disrupts first week of classes (EdScoop) Internet restored on University of Michigan campus, ongoing issues still expected (mlive) University of Michigan isn't disclosing details of internet outage cyberattack (Detroit Free Press) Expert weighs in on school cyberattacks as University of Michigan makes progress on internet outages (CBS News) Learn more about your ad choices. Visit megaphone.fm/adchoices
31/08/23·27m 21s

An international hunt bags Qakbot’s infrastructure. Anticipating remediation. Adversaries in the middle. More effective phishbait. Air travel disruption was a glitch, not an attack. Hybrid war update.

An international operation takes down Qakbot. Chinese threat actors anticipated Barracuda remediations. A look at adversary-in-the-middle attacks, making phishbait more effective and the emergence of a new ransomware threat. Narrative themes in Russian influence operations. My conversation with Natasha Eastman from (CISA), Bill Newhouse from (NIST), and Troy Lange from (NSA) to discuss their recent joint advisory on post-quantum readiness. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Cyber Threat Alliance President and CEO Michael Daniel about the current state of cybercrime. And when toilet bowls are outlawed, only outlaws will have toilet bowls. Listen to the full conversation with Natasha Eastman, Bill Newhouse, and Troy Lange here: A joint advisory on post-quantum readiness. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/165 Selected reading. Operation Duck Hunt bags Qakbot. (CyberWire) FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown (Federal Bureau of Investigation) Qakbot Malware Disrupted in International Cyber Takedown (US Department of Justice) Law Enforcement Takes Down Qakbot (Secureworks) Qakbot: Takedown Operation Dismantles Botnet Infrastructure (Symantec)  Chinese APT Was Prepared for Remediation Efforts in Barracuda ESG Zero-Day Attack (SecurityWeek)  Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks (The Hacker News) The Lure of Subject Lines in Phishing Emails - How Threat Actors Utilize Dates to Trick Victims (Cofense) The Emergence of Ransomed: An Uncertain Cyber Threat in the Making (Flashpoint) Cancelled flights: Air traffic disruption caused by flight data issue (BBC News) Russian Offensive Campaign Assessment, August 29, 2023 (Institute for the Study of War) Learn more about your ad choices. Visit megaphone.fm/adchoices
30/08/23·29m 47s

A joint advisory on post-quantum readiness. [Special Edition]

In this extended interview, Dave Bittner sits down with Natasha Eastman from the Cybersecurity and Infrastructure Security Agency (CISA), Bill Newhouse from the National Institute of Standards and Technology (NIST), and Troy Lange from the National Security Agency (NSA) to discuss their their recent joint advisory on post-quantum readiness and how to prepare for post-quantum cryptography. You can find the joint advisory here: Quantum-Readiness: Migration to Post-Quantum Cryptography Quantum computing: A threat to asymmetric encryption. Learn more about your ad choices. Visit megaphone.fm/adchoices
30/08/23·22m 42s

Name collision. Spawn of LockBit. Quishing the unwary and the hasty. Trends in healthcare cybersecurity. Inquiries surrounding Russia’s hybrid war against Ukraine.

Name collision as a DNS risk. A LockBit derivative is active against targets in Spain. QR codes as phishbait. Cybersecurity trends in Healthcare. A Russian hacktivist auxiliary hits Polish organizations, while investigation of railroad incidents in Poland continues. Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mail bag. And a look at a probably accidental glitch affecting air travel in the UK. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/164 Selected reading. What's in a name? Strange behaviors at top-level domains creates uncertainty in DNS (Cisco Talos)  Spain warns of LockBit Locker ransomware phishing attacks (BleepingComputer)  Think Before You Scan: The Rise of QR Codes in Phishing (Trustwave SpiderLabs) 78% of Healthcare Organizations Experienced Cyber Incidents in Past Year, 60% of Which Impacted Patient Care (Claroty)  Polish stock exchange, banks knocked offline by pro-Russian hackers (Cybernews)  Two Men Arrested Following Poland Railway Hacking (SecurityWeek)  Century-old technology hack brought 20 trains to a halt in Poland (Cybernews)  Poland investigates train mishaps for possible Russian connection (Washington Post)  Flight chaos ‘to last for days’ after air traffic control failure (The Telegraph)  UK flight chaos could last for days, airline passengers warned (the Guardian)  Government can’t rule out cyber attack caused air traffic chaos (MSN) Learn more about your ad choices. Visit megaphone.fm/adchoices
29/08/23·25m 54s

DPRK's Lazarus Group exploits ManageEngine issues. SIM swapping as a threat to organizations. Ransomware hits a cloud provider. Spawn of LockBit. Train whistling. Influence laundering.

The DPRK's Lazarus Group exploits ManageEngine issues. A Data breach at Kroll is traced to SIM swapping. Unusually destructive ransomware hits CloudNordic. Spawn of LockBit. Polish trains are disrupted by hacktivists. Rick Howard looks at the MITRE attack framework. Our guests are Andrew Hammond and Erin Dietrick from the International Spy Museum. And Influence laundering as a long-term disinformation tactic. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/163 Selected reading. North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw (SecurityWeek) Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure (Help Net Security) Cyber scams keep North Korean missiles flying (Radio Free Asia) Claimant Data Breached in Genesis, FTX and BlockFi Bankruptcy Cases (Wall Street Journal) Kroll data breach exposes info of FTX, BlockFi, Genesis creditors (BleepingComputer) Crypto investor data exposed by a SIM swapping attack against a Kroll employee (Security Affairs) Kroll Employee SIM-Swapped for Crypto Investor Data (KrebsOnSecurity) Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack (The Hacker News) FTX bankruptcy handler Kroll discloses data breach (The Stack) CloudNordic Faces Severe Data Loss After Ransomware Attack (Hackread)  CloudNordic loses most customer data after ransomware attack | TechTarget (Security)  Lockbit leak, research opportunities on tools leaked from TAs (SecureList) LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants (The Hacker News) Poland investigates cyber-attack on rail network (BBC News) Poland investigates hacking attack on state railway network (Reuters) Hackers bring down Poland’s train network in massive cyber attack (Ticker News)  The Cheap Radio Hack That Disrupted Poland's Railway System (WIRED) Russia Pushes Long-Term Influence Operations Aimed at the U.S. and Europe (New York Times) Newly declassified US intel claims Russia is laundering propaganda through unwitting Westerners (CNN Politics) Learn more about your ad choices. Visit megaphone.fm/adchoices
28/08/23·27m 50s

Dina Haines: Keep the boat afloat. [Partnership manager] [Career Notes]

This week, we welcome Dina Haines, an Industry Partnership Manager with the National Security Agency's Cybersecurity Collaboration Center. Dina found from a young age, she was always interested in the field, taking after her father who worked in the space industry, paving the way for her to fall in love with the field. She worked in the private sector for a bit, moving around every now and again, eventually landing the position she works now. Dina says her day to day job is helping the NSA to bend and protect cyberspace by bringing in private industry. She says "I try to spend a lot of time listening and seeing where people, where they're coming from, where they're at, you know, potentially in their career, where they're at in their job that day, and then try to, um, support them and bring them up and, and float the entire boat." We thank Dina for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
27/08/23·9m 18s

Google's not being ghosted from vulnerabilities. [Research Saturday]

Tal Skverer from Astrix Security joins to discuss their work on "GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts." Astrix’s Security Research Group revealed a 0-day flaw in Google’s Cloud Platform (GCP) on June 19, 2022, which was found to affect all Google users. The research states "The vulnerability, dubbed “GhostToken”, could allow threat actors to change a malicious application to be invisible and unremovable, effectively leaving the victim’s Google account infected with a trojan app forever." Google issued a patch to this vulnerability in April of this year, but researchers explain why this can be severe. The research can be found here: GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts Learn more about your ad choices. Visit megaphone.fm/adchoices
26/08/23·17m 7s

Phishing kits in the C2C market. Cyberespionage, Pyongyang and Beijing editions. Ransomware under the radar. A new hacktivist group says it doesn’t much care for NATO corruption.

Telekopye and the rise of commodified phishing kits. Lazarus Group fields new malware. Implications of China's campaign against vulnerable Barracuda appliances. Abhubllka ransomware's targeting and low extortion demands. Malek Ben Salem of Accenture outlines generative AI Implications to spam detection. Jeff Welgan, Chief Learning Officer at N2K Networks, unpacks the NICE framework and strategic workforce intelligence. And a new hacktivist group emerges, and takes a particular interest in NATO members. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/162 Selected reading. eBay Users Beware Russian 'Telekopye' Telegram Phishing Bot (Dark Reading) Telekopye: Hunting Mammoths using Telegram bot (ESET) Lazarus Group's infrastructure reuse leads to discovery of new malware (Cisco Talos Blog)  FBI fingers China for attacks on Barracuda email appliances (Register) Suspected PRC Cyber ActorsContinue to Globally Exploit Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) (FBI) Identifying ADHUBLLKA Ransomware: LOLKEK, BIT, OBZ, U2K, TZW Variants (Netenrich) Ransomware ecosystem targeting individuals, small firms remains robust (Record)  Ransomware With an Identity Crisis Targets Small Businesses, Individuals (Dark Reading)  Hacking group KittenSec claims to 'pwn anything we see' to expose corruption (CyberScoop) Learn more about your ad choices. Visit megaphone.fm/adchoices
25/08/23·26m 48s

Trends in the cybercriminal underworld. The prosecution of Lapsus$ and Tornado Cash. More developments in Russia’s hybrid war.

There’s a new sophistication in BEC campaigns. Trends in brand impersonation–crooks still like to pretend they’re from Redmond. The future of Russian influence operations in the post-Prigozhin era. Andrea Little Limbago from Interos shares insights on the new cyber workforce strategy. In our latest Threat Vector segment David Moulton of Palo Alto Networks is joined by Stephanie Ragan, Senior Consultant at Unit 42 to discuss Muddled Libra. And more on the doxing of a deputy Duma chair, who seems to have been selling hot iPhones as a side hustle (maybe). And the growing problem of Synthetic identity fraud. On this segment of Threat Vector, Stephanie Ragan, Senior Consultant at Unit 42, joins host David Moulton to discuss Muddled Libra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/162 Selected reading. BEC Trends: Payroll Diversion Dominates and Sneaky Multi-Persona Attacks Emerge (Trustwave) Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations (Kroll) Microsoft Impersonated Most in Phishing Attacks Among Nearly 350 Brands (Abnormal Security) TransUnion Analysis Finds Synthetic Identity Fraud Growing to Record Levels (TransUnion) Ukraine at D+546: Yevgeny Prigozhin dies in a plane crash. (CyberWire) Without Prigozhin, expect some changes around the edges on Russian influence operations (Washington Post) 2023 H1 Global Threat Analysis Report (Radware) Lapsus$: Court finds teenagers carried out hacking spree (BBC News) British court convicts two teen Lapsus$ members of hacking tech firms (Record)  Treasury Designates Roman Semenov, Co-Founder of Sanctioned Virtual Currency Mixer Tornado Cash (U.S. Department of the Treasury)  Tornado Cash Founders Charged With Money Laundering And Sanctions Violations (U.S. Attorney for the Southern District of New York)  Russian Duma leader’s emails hacked and leaked (Cybernews) Ukrainian hackers expose money laundering and sanction evasion by senior Russian politician (teiss)  Learn more about your ad choices. Visit megaphone.fm/adchoices
24/08/23·27m 26s

A creepy new geolocation payload for Smoke Loader. Speed of criminal attack, malware delivery, and the evolution of malicious AI. Ransomware at a Belgian social services agency.

The Smoke Loader botnet has a creepy new payload. Ransomware gets faster. How AI has evolved in malicious directions. The Snatch ransomware gang threatens to snitch. The FSB continues to use both USBs and phishing emails as attack vectors. A ransomware attack shutters Belgian social service offices. Tim Starks from the Washington Post explains a Biden administration win in a DC court. Our guest Ben Sebree of CivicPlus describes how the public sector could combat cybercrime during cloud adoption. And the deadline for comment on US cybersecurity regulations? It’s been extended. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/161 Selected reading. Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware (SecureWorks)  Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders (Sophos News)  HP Wolf Security Threat Insights Report Q2 2023 | HP Wolf Security (HP Wolf Security)  Barracuda XDR Insights: How AI learns your patterns to protect you (Barracuda) Deep Instinct Study Finds Significant Increase in Cybersecurity Attacks Fueled by Generative AI (Deep Instinct)  Cyberattack on Belgian social service centers forces them to close (Record) Ukraine’s Military Hacked by Russian Backed USB Malware (Ophtek) Request for Information on Cyber Regulatory Harmonization; Request for Information: Opportunities for and Obstacles To Harmonizing Cybersecurity Regulations (Federal Register) Learn more about your ad choices. Visit megaphone.fm/adchoices
23/08/23·29m 27s

A cyberespionage operation of unclear provenance shifts its targets. Cyberattacks on voting in Ecuador. Other notes from the cyber underworld. And doxing the Duma.

HiatusRAT shifts its targets. Ecuador's difficulties with voting is attributed to cyberattacks. Carderbee is an APT targeting Hong Kong. auDA (OOO-duh) turns out not to have been breached. Ukrainian hacktivists claim to dox a senior member of Russia's Duma. Russian influence operations take aim at NATO's July summit. Joe Carrigan describes attacks on LinkedIn accounts. Our guest is John Hernandez from Quest to discuss why he believes the MOVEit flaw is a wakeup call for CISOs. Security, not by obscurity, but by typo. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/160 Selected reading. HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack (The Hacker News)  New HiatusRAT campaign targets Taiwan and U.S. military procurement system (Security Affairs) HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks (Cyware Labs) No rest for the wicked: HiatusRAT takes little time off in a return to action (Lumen) Ecuador’s national election agency says cyberattacks caused absentee voting issues (Record) Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong Resolution of cyber incident (auDA)  Ukrainian hackers claim to leak emails of Russian parliament deputy chief (Record)  Summit Old, Summit New (Graphika) Summit Old, Summit New: Russia-Linked Actors Leverage New and Old Tactics in Influence Operations Targeting Online Conversations About NATO Summit (Graphika) The simple typo that stopped bank robbers from stealing $1 billion (LAD Bible) Learn more about your ad choices. Visit megaphone.fm/adchoices
22/08/23·29m 34s

DPRK tried to hit RoK-US military exercises. Australian domain administrator auDA may have been breached. WoofLocker's tech support scam. US warns of cyber threats to space systems.

The DPRK's Kimsuky attempts to hit joint military exercises. Australian domain administrator auDA (OW-duh) may have been breached. WoofLocker's version of a tech support scam. The US Intelligence Community warns of cyber threats to space systems. Rick Howard looks at forecasting cyber risk. Deepen Desai from Zscaler shares ransomware trends. And more wartime disinformation out of Russia. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/159 Selected reading. Suspected N. Korean Hackers Target S. Korea-US Drills (SecurityWeek) N. Korean Kimsuky APT targets S. Korea-US military exercises (Security Affairs)  North Korean hackers target US-South Korea military drills, police say (The Economic Times Cyber incident update (auDA)  Australia’s .au domain administrator denies data breach after ransomware posting (Record)  Hackers claim to have breached auDA (iTnews) Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams (Malwarebytes)  WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams (The Hacker News) US warns space companies about foreign spying (Reuters)  Intelligence Agencies Warn Foreign Spies Are Targeting U.S. Space Companies (New York Times)  US Warns Space Industry of Growing Risks of Spying and Satellite Attacks (Bloomberg)  Foreign countries targeting tech from US space companies, intel agencies warn (The HIll)  Pentagon urges US space companies to stay vigilant against foreign intelligence (TechCrunch)  Safeguarding the US Space Industry: Keeping Your Intellectual Property in Orbit (DNI)  What To Do About The U.S. Intelligence Community Warning on Safeguarding The Space Industry (OODA Loop)  Countering disinformation with facts - Russian invasion of Ukraine (Government of Canada) Sergey Lavrov: Throwing Russia off balance is ultimate aim (TASS) Moscow says US unwillingness to end Ukraine conflict (Merh News Agency) Russian invaders sending threats to Kherson region’s residents via social media - watchdog (Ukrinform) Learn more about your ad choices. Visit megaphone.fm/adchoices
21/08/23·23m 6s

Luke Vander Linden: With age comes knowledge. [VP] [Career Notes]

This week, our guest is Luke Vander Linden, Vice President of Membership & Marketing from RH-ISAC and host of the RH-ISAC podcast here at the CyberWire. Luke sits down to share his story all the way back to when he was a very young age where he was a child model and actor to where he is now working in the cyber industry. Luke fell into the marketing field after his time as a child actor, where he really started to find his passion. After finding his passion, he decided to branch out to different areas in the field, working in public libraries and advocacy groups, this is where he started to really enjoy the prospect of working with individuals who support organizations, which got him started in the RH-ISAC world. Luke shares that he wears many hats these days, working in the podcast business while also working on the leadership team at RH-ISAC. His advice for people getting into this industry is "I think with age comes this knowledge, but also with experiences. So, I mean, to that point, don't be afraid to go out there and fail, give it a shot." We thank Luke for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
20/08/23·8m 56s

Politicians targeted by RomCom. [Research Saturday]

Dmitry Bestuzhev from Blackberry joins to discuss their work on "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine." Research suggests that the RomCom threat team has been tracked carefully following the geopolitical events surrounding the war in Ukraine, and are now targeting politicians in Ukraine who are working closely with Western countries. This group is different from others in that their focus is more on secrets or information which can be useful in geopolitics and specifically the war in Ukraine, instead of financial gain. The research says "Although it is unclear at this point what initial infection vector was used to kick off the execution chain, previous RomCom attacks used targeted phishing emails to point a victim to a cloned website hosting Trojanized versions of popular software." The research can be found here: RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine Learn more about your ad choices. Visit megaphone.fm/adchoices
19/08/23·22m 48s

Phishing for Zimbra credentials. Developments in PlayCrypt and Cuba ransomware. #NoFilter exploitation. Cyber gangs (and some services) threaten security researchers. Anglo-Saxonia update.

Phishing for Zimbra credentials. PlayCrypt ransomware described. The Cuba ransomware group adopts new tools. #NoFilter. Cyber criminals threaten security researchers. Our guest is Kevin Paige from Uptycs with thoughts on the Blackhat conference. Eric Goldstein, Executive Assistant Director at CISA joins us discussing next steps on the Secure by Design journey. And Russian disinformation takes on "Anglo-Saxonia." For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/158 Selected reading. Mass-spreading campaign targeting Zimbra users (We Live Security) PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers (Adlumin SaaS Security) Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America (BlackBerry) NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security (The Hacker News) Cyber security researchers become target of criminal hackers (Financial Times) Britain plotting to assassinate pro-Russian leaders in Africa, says Moscow (The Telegraph)  Ukraine at D+540: Russification and disinformation. (CyberWire)  Learn more about your ad choices. Visit megaphone.fm/adchoices
18/08/23·29m 35s

A seemingly legitimate but actually bogus host for a proxy botnet. PowerShell Gallery vulnerabilities. Cyber incident at Clorox. Scamming would be beta-testers. Cyber updates from Russia’s hybrid war.

Building a proxy botnet. Active flaws in PowerShell Gallery. A cyber incident disrupts Clorox. Scams lure would-be mobile beta-testers. Lessons learned from the Russian cyberattack on Viasat. An update on cyber threats to Starlink. Robert M. Lee from Dragos shares his thoughts on the waves of layoffs that have gone through the industry. Steve Leeper of Datadobi explains mitigating risks associated with illegal data on your network. And hey, world leader: it’s never too late to stop manifesting a chronic cranio-urological condition, as they more-or-less say in the Quantum Realm. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/157 Selected reading. ProxyNation: The dark nexus between proxy apps and malware (AT&T Alien Labs)  Massive 400,000 proxy botnet built with stealthy malware infections (BleepingComputer)  PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks (Aqua Security)  Clorox Operations Disrupted By Cyber-Attack (Infosecurity Magazine)  Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications (IC3)  FBI warns about scams that lure you in as a mobile beta-tester (Naked Security) Incident response lessons learned from the Russian attack on Viasat (CSO Online) Recent Intel Report Reveals New Starlink Vulnerabilities, Increasing Concerns About the Future of Global Satellite Internet (Debrief) Hacked electronic sign declares “Putin is a dickhead” as Russian ruble slumps (Graham Cluley)  Learn more about your ad choices. Visit megaphone.fm/adchoices
17/08/23·31m 10s

China accuses the US of cyberespionage. Backdoors found in NetScaler. Account hijacking campaigns. Raccoon Stealer gets an update. Cryptocurrency recovery scams. Narrative control in the hybrid war.

China accuses the US of installing backdoors in a Wuhan lab. NetScaler backdoors are found. A Phishing scam targets executives. LinkedIn sees a surge in account hijacking. Raccoon Stealer gets an update. Cryptocurrency recovery scams. We kick off our new Learning Layer segment with N2K’s Sam Meisenberg. And a Moscow court fines Reddit and Wikipedia, for unwelcome content about Russia's war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/156 Selected reading. Ministry warns of data security risks after US agencies identified behind cyberattack on Wuhan Earthquake Monitoring Center (Global Times) China accuses U.S. intelligence agencies as source behind Wuhan cybersecurity attack (ZDNET)  China teases imminent exposé of seismic US spying scheme (Register)  2,000 Citrix NetScaler Instances Backdoored via Recent Vulnerability (SecurityWeek)  Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations (Proofpoint) LinkedIn Accounts Under Attack (Cyberint) LinkedIn faces surge of account hijacking (Computing) LinkedIn accounts hacked in widespread hijacking campaign (BleepingComputer) Raccoon Stealer malware returns with new stealthier version (BleepingComputer) FBI warns of increasing cryptocurrency recovery scams (BleepingComputer)  Russia slaps Reddit, Wikipedia with fines (Cybernews) Learn more about your ad choices. Visit megaphone.fm/adchoices
16/08/23·30m 58s

Investigating China’s Storm-0558. Monti ransomware is back. Evasive phishing. Realtors’ MLS taken down in ransomware incident. News from Russia’s hybrid war. And in-game scams.

New targets of Chinese cyberespionage are uncovered. Monti ransomware is back. An evasive phishing campaign exposed. A Realtors' network taken down by cyberattack. A closer look at NoName057(16). Perspective on cyberwar - remember Pearl Harbor, but don’t see it everywhere. Ben Yelin on the Consumer Financial Protection Bureau’s plans to regulate surveillance tech. Microsoft’s Ann Johnson and Charlie Bell ponder the future of security. And scammers are targeting kids playing Fortnite and Roblox. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/155 Selected reading. Chinese spies who read State Dept. email also hacked GOP congressman (Washington Post)  Binary Ballet: China’s Espionage Tango with Microsoft (SecurityHQ) Microsoft Exchange hack to be investigated by US Cyber Safety Board (Computing) Monti ransomware targets VMware ESXi servers with new Linux locker (BleepingComputer)  Evasive Phishing Campaign Steals Cloud Credentials Using Cloudflare R2 and Turnstile (Netskope) Cyberattack on Bay area vendor cripples real estate industry (The Real Deal) Intel insiders go undercover revealing fresh details into NoName hacktivist operations (Cybernews)  Why the US Military Wants You To Rethink the Idea of 'Cyber War' (The Messenger)  A Huge Scam Targeting Kids With Roblox and Fortnite 'Offers' Has Been Hiding in Plain Sight (WIRED) Learn more about your ad choices. Visit megaphone.fm/adchoices
15/08/23·27m 33s

Attacks on industrial systems in Europe and Africa. LolekHosted arrests. Notes from the hybrid war. The CSRB will investigate the cyberespionage campaign that exploited Microsoft Exchange.

An African power generator has been targeted by ransomware. The APT31 group is believed to be responsible for attacks on industrial systems in Eastern Europe. There have been arrests related to the takedown of LolekHosted. Ukraine's SBU has alleged that Russia's GRU is using specialized malware to attack Starlink. Microsoft has decided not to extend licenses for its products in Russia. Rick Howard opens his toolbox on DDOS. In our Solution Spotlight: Simone Petrella and Camille Stewart Gloster discuss the White House release of its cybersecurity workforce and education strategy. And the Cyber Safety Review Board will be investigating cases of cyberespionage against Exchange. Watch the full video of Simone and Camille here: Solution Spotlight: Simone Petrella and Camille Stewart Gloster For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/154 Selected reading. DroxiDat-Cobalt Strike Duo Targets Power Generator Network (Infosecurity Magazine) New SystemBC Malware Variant Targets Southern African Power Company (The Hacker News) Power Generator in South Africa hit with DroxiDat and Cobalt Strike (Security Affairs)  Southern African power generator targeted with DroxiDat malware (Record)  Common TTPs of attacks against industrial organizations. Implants for uploading data (Kaspersky ICS CERT) APT31 Linked to Recent Industrial Attacks in Eastern Europe (Infosecurity Magazine)  Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics (The Hacker News)  LOLEKHosted admin arrested for aiding Netwalker ransomware gang (BleepingComputer) Russian spy agencies targeting Starlink with custom malware, Ukraine warns (The Telegraph) Russia Bans iPhones And iPads For Official Use: Report (BW Businessworld) Microsoft Suspends Extending Licenses For Companies in Russia (RadioFreeEurope/RadioLiberty)  Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (US Department of Homeland Security) Microsoft Exchange hack is focus of cyber board’s next review (Record)  Microsoft is under scrutiny after a recent attack by suspected Chinese hackers (Windows Central)  The DHS’s CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts (Security Affairs) Microsoft's role in data breach by Chinese hackers to be part of US cyber inquiry (Firstpost) Learn more about your ad choices. Visit megaphone.fm/adchoices
14/08/23·27m 15s

Dr. Georgianna Shea: Don't wait to take the initiative. [Technologist] [Career Notes]

Dr. Georgianna Shea, the Chief Technologist at the Transformative Cyber Innovation Lab at the Foundations for Defensive Democracies (FDD) sits down to share her incredible story, moving around to different roles and how that has lead her to where she is today. Her careers have taken her to many different states throughout the years, as she has learned and grew into the roles she took on, from Hawaii to D.C., Dr. Shea has done it all. Sharing some advice, Dr. Shea says "My words of wisdom are take advantage of every opportunity and don't wait for anybody. I try to mentor people and I talk to young people a lot, you know, trying to get into the field and, and I see a lot of waiting on other people." She explains that you are able to work on your own to become an expert, and taking that initiative will be the thing to get you to where you want to be. We thank Dr. Georgianna Shea for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
13/08/23·10m 27s

It's raining credentials. [Research Saturday]

Alex Delamotte from SentinelLabs joins Dave to discuss their work on "Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP." As actors find more ways to profit from compromising services, SentinelLabs finds that cloud service credentials are becoming increasingly targeted. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The research states "These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use." The research can be found here: Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP Learn more about your ad choices. Visit megaphone.fm/adchoices
12/08/23·18m 10s

Tehran’s social engineering. CSRB reports on Lapsus$. Call for comment on open-source standards. Coping with a tight labor market. Two private sector incidents in Russia’s hybrid war.

Charming Kitten collects against Iranian expatriate dissidents. The Cyber Safety Review Board reports on Lapsus$. A Call for comment on open-source, memory-safe standards. How NSA is coping with the cyber labor market. Yandex is restructuring. The Washington Post’s Tim Starks joins us with the latest cyber security efforts from the DOD. Our guest is Dan L. Dodson, CEO of Fortified Health Security with insights on protecting patient data. And How Viasat was hacked. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/153 Selected reading. Germany says Charming Kitten hackers target Iran dissidents (Deutsche Welle) Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (US Department of Homeland Security)  Review Of The Attacks Associated with Lapsus$ And Related Threat Groups Report (Cybersecurity and Infrastructure Security Agency CISA) Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages (ONCD | The White House)  Amid historic hiring surge, NSA considers hybrid, unclassified work options (Federal News Network) Exclusive: Fear of tech 'brain drain' prevents Russia from seizing Yandex for now, sources say (Reuters) Yandex co-founder Volozh slams Russia's 'barbaric' invasion of Ukraine (Reuters)  Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault (CyberScoop) Learn more about your ad choices. Visit megaphone.fm/adchoices
11/08/23·31m 7s

A new Magecart campaign. Gootloader’s legal bait. Cryptowallet vulnerabilities. News from the hybrid war. And DARPA’s AI Cybersecurity Challenge.

A New Magento campaign is discovered. Gootloader malware-as-a-service afflicts law firms. Researchers find security flaws affecting cryptowallets. Panasonic warns of increasing attacks against IoT. A Belarusian cyberespionage campaign outlined. The five cyber phases of Russia's hybrid war, and lessons in resilience from Ukraine's experience. In our Threat Vector segment, Kristopher Russo, Senior Threat Researcher for Unit 42 joins David Moulton to discuss Muddled Libra. Kayla Williams from Devo describes their work benefiting the community at BlackHat. And a new DARPA challenge seeks to bring artificial intelligence to cybersecurity. On this segment of Threat Vector, Kristopher Russo, Senior Threat Researcher for Unit 42, joins host David Moulton to discuss part one of two Muddled Libra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/152 Threat Vector links. Threat Group Assessment: Muddled Libra Guest: Kristopher Russo: From practitioner to researcher Kristopher Russo has spent years entrenched in various specializations of cybersecurity. As a researcher focused on ransomware and cybercrime he brings a from the trenches perspective to cyber threat intelligence. Selected reading. Xurum: New Magento Campaign Discovered (Akamai) Gootloader: Why your Legal Document Search May End in Misery (Trustwave) Fireblocks Researchers Uncover Vulnerabilities Impacting Dozens of Major Wallet Providers (Fireblocks) New BitForge cryptocurrency wallet flaws lets hackers steal crypto (BleepingCompute Panasonic Warns That IoT Malware Attack Cycles Are Accelerating (WIRED)  MoustachedBouncer: Espionage against foreign diplomats in Belarus (We Live Security)  Belarus hackers target foreign diplomats with help of local ISPs, researchers say (TechCrunch)  Pro-Russian hackers claim attacks on French, Dutch websites (Record)  Zhora: Russia's cyber 'war crimes' will outlast invasion (Register) The Power of Resilience (Cybersecurity and Infrastructure Security Agency CISA) Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software (The White House) AIxCC (AIxCC) The Biden administration wants to put AI to the test for cybersecurity (Washington Post) Learn more about your ad choices. Visit megaphone.fm/adchoices
10/08/23·31m 23s

Cyberespionage by several intelligence services, some of contracted out. Developments in the cyber underworld. Vulnerabilities reported in CPUs. Some notes on Patch Tuesday.

Reports of a Wide-ranging cyberespionage campaign by China's Ministry of State Security. EvilProxy phishing tool targets executives, and defeats multifactor authentication. Vulnerabilities in CPUs. Yashma ransomware targets a wide range of countries. MacOS threat trends. Is there a Russian attempt to disrupt British elections? Rob Boyce from Accenture checks in from the Blackhat conference. Maria Varmazis talking with Black Hat Aerospace Village's Kaylin Trychon and Steve Luczynski. Ukraine claims to have stopped a Russian spyware campaign. And Patch Tuesday has come and gone, but the vulnerabilities remain–unless, of course, you’ve applied the patches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/151 Selected reading. Chinese hackers targeted at least 17 countries across Asia, Europe and North America (Record) RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale (Recorded Future) Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations (Proofpoint)  ‘Downfall’ vulnerability leaves billions of Intel CPUs at risk  (CyberScoop)  New Inception attack leaks sensitive data from all AMD Zen CPUs (BleepingComputer) New Yashma Ransomware Variant Targets Multiple English-Speaking Countries (The Hacker News)  Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware (Record) Black Hat USA 2023 – Bitdefender macOS Threat Report Reveals Key Dangers for Mac Users (Bitdefender)  Russia ‘tops list of suspects’ in cyber attack which exposed data of 40m UK voters (The Telegraph) Electoral Commission hack: Five things you need to know (Computing) ‘Hostile actors’ hacked British voter registry, electoral agency says (Washington Post) Electoral Commission apologises for security breach involving UK voters’ data (the Guardian)  Ukraine says it prevented Russian hacking of armed forces combat system (Reuters)  Ukraine says it thwarted attempt to breach military tablets (Record) Russian secret services try to penetrate operation planning electronic system of Ukraine's army (Ukrainska Pravda) Patch Tuesday: Adobe Patches 30 Acrobat, Reader Vulns (SecurityWeek)  Patch Tuesday: Microsoft (Finally) Patches Exploited Office Zero-Days (SecurityWeek) Microsoft Releases August 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA) Fortinet Releases Security Update for FortiOS (Cybersecurity and Infrastructure Security Agency CISA) Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)  Patch Tuesday review: August 2023. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
09/08/23·29m 45s

Challenges to intelligence-sharing. The complexity of supply-chain security. Ransomware developments. Notes on Russia’s hybrid war, including possible sensor data manipulation.

Reports on a 2020 Chinese penetration of Japan's defense networks. MOVEit-connected supply chain issues aren't over. Akamai looks at the current state of ransomware. Mallox ransomware continues its evolution. Machine identities and shadow access. Ukrainian hacktivist auxiliaries hit Russian websites. Joe Carrigan unpacks statistics recently released by CISA. Our guest is Jeffrey Wheatman from Black Kite discussing the market shift from SRS to cyber risk intelligence. And radiation sensor reports from Chernobyl may have been manipulated. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/150 Selected reading. China hacked Japan’s sensitive defense networks, officials say (Washington Post)  Japan says cannot confirm leakage after report says China hacked defence networks (Reuters) MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts (Reuters) Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics (Dark Reading) TargetCompany Ransomware Abuses FUD Obfuscator Packers (Trend Micro) New IAM Research by Stack Identity Finds Machine Identities Dominate Shadow Access in the Cloud, Revealing Easy Attack Vector for Hackers (Business Wire) Ukraine-Linked Group Claims It Hacked Website Of Moscow Property Registration Bureau (RadioFreeEurope/RadioLiberty) Ukraine-linked group claims it hacked Moscow property registration bureau website – RFE/RL (Euromaidan Press) Pro-Ukrainian hackers breach Moscow engineering service website (New Voice of Ukraine) Ukrainian state agencies targeted with open-source malware MerlinAgent (Record) The Mystery of Chernobyl’s Post-Invasion Radiation Spikes (WIRED)  Learn more about your ad choices. Visit megaphone.fm/adchoices
08/08/23·28m 55s

Pyongyang’s new friendship with Moscow apparently only goes so far. Reptile rootkit in the wild. Cloudzy updates. Cl0p’s torrents. And notes on cyber phases of Russia’s hybrid war.

North Korean cyberespionage against a Russian aerospace firm. The Reptile rootkit is used against South Korean systems. An update on Cloudzy. Cl0p is using torrents to move data stolen in MOVEit exploitation. Andrea Little Limbago from Interos wonders about the dangers of jumping head first into new technologies? Rick Howard ponders quantum computing. And Meduza is back on Apple Podcasts. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/149 Selected reading. Exclusive: North Korean hackers breached top Russian missile maker (Reuters) North Korean hackers stole secrets of Russian hypersonic missile maker (Euractiv)  Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company (SentinelOne) Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems (The Hacker News)  UPDATE: Cloudzy Command and Control Provider Report (Halcyon) Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems (The Hacker News) Clop ransomware now uses torrents to leak data and evade takedowns (BleepingComputer) Ukraine may be winning ‘world’s first cyberwar’ (The Kyiv Independent) Apple has removed Meduza’s flagship news podcast ‘What Happened’ from Apple Podcasts, without explaining the reason (Meduza) Learn more about your ad choices. Visit megaphone.fm/adchoices
07/08/23·28m 24s

Manuel Hepfer: Discipline, self motivation, and steam. [Research] [Career Notes]

Manuel Hepfer a cybersecurity researcher from ISTARI sits down to share his story with us. Manuel shares as a kid he was very interested in STEM, and in school he remembered a programming class that he fell in love which made him want to pursue a career in cyber. Studying at the University of Oxford he began working towards acquiring a degree in Cybersecurity and Strategic Management. He found research to be a passion and wanted to share his passion, he decided he wanted to publish, so Manuel published an article in MIT Sloan management review that's titled "Make Cybersecurity a Strategic Asset." He shares that finding a passion, like he did, is the key to working in cyber, saying "I think what I learned at the time is the value of discipline and self motivation. And now you can always come up with a lot of discipline and self motivation, but you'll run out of steam at some point if you're not very passionate about some of the things that you're doing." We thank Manuel for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
06/08/23·8m 53s

Who is that stealing my credentials? [Research Saturday]

Aleksandar Milenkoski from SentinelOne joins to discuss their work on "Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence." Researchers have been tracking the North Korean APT group Kimsuky and their attempt at a social engineering campaign targeting experts in North Korean affairs. The research states "The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware." Kimsuky has been tracked engaging in extensive email correspondence using spoofed URLs and extensive email correspondence, along with Office documents weaponized with the ReconShark malware. The research can be found here: Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence Learn more about your ad choices. Visit megaphone.fm/adchoices
05/08/23·16m 26s

2022’s top exploited vulnerabilities are still a risk. Rilide in the wild. Abusing a legitimate tool. Malicious PyPi packages. A brief update on the cyber aspects of Russia’s hybrid war.

The Five Eyes warn against top exploited vulnerabilities. The Rilide info stealer in the wild. Malicious PyPI packages. Valerie Abend, Global Cyber Strategy Lead from Accenture, unpacks the Securities and Exchange Commission’s recently announced cyber regulations. In our Solution spotlight: Our own Simone Patrella speaks with Microsoft’s Ann Johnson on how Microsoft is attracting and retaining top cyber talent. And cyber attacks continue to gutter on both sides of Russia's war against Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/148 Selected reading. CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022 | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vu (National Security Agency/Central Security Service) New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 (Trustwave) Tunnel Vision: CloudflareD AbuseD in the WilD (GuidePoint Security)  VMConnect: Malicious PyPI packages imitate popular open source modules (ReversingLabs)  Bilyana Lilly on how cybersecurity assistance to Ukraine has helped thwart Russian cyberattacks (CyberScoop) Microsoft says Russia-linked hackers behind dozens of Teams phishing attacks (Reuters) Ukraine's invisible battle to jam Russian weapons (BBC News) How Ukraine’s cyberwarriors are upending everyday life in Russia (Times) Learn more about your ad choices. Visit megaphone.fm/adchoices
04/08/23·27m 4s

Action in the cybercriminal underworld. Russia’s FSB and SVR are both active, and so are their hacktivist auxiliaries. NSA offers advice on configuring next-generation firewalls.

Open Bullet malware is seen in the wild. Threat actors exploit a Salesforce vulnerability for phishing. BlueCharlie (that’s Russia’s FSB) shakes up its infrastructure. Midnight Blizzard (and that’s Russia’s SVR) uses targeted social engineering. How NoName057(16) moved on to Spanish targets. Robert M. Lee from Dragos shares his reaction to the White House’s national cybersecurity strategy. Our guest Raj Ananthanpillai of Trua warns against oversharing with ChatGPT. And NSA releases guidance on hardening Cisco next-generation firewalls. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/147 Selected reading. No Honour Amongst Thieves: A New OpenBullet Malware Campaign (Kasada) “PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing… (Medium) Hackers exploited Salesforce zero-day in Facebook phishing attack (BleepingComputer) Hackers exploit Salesforce email zero-day for Facebook phishing campaign (Computing)  Russia-based hackers building new attack infrastructure to stay ahead of public reporting (Record)  Midnight Blizzard conducts targeted social engineering over Microsoft Teams (Microsoft Security)  Unraveling Russian Multi-Sector DDoS Attacks Across Spain (Radware) Pro-Russian Hackers Claim Cyberattacks on Italian Banks (MarketWatch)  NSA Releases Guide to Harden Cisco Next Generation Firewalls (National Security Agency/Central Security Service) Cisco Firepower Hardening Guide (US National Security Agency) Learn more about your ad choices. Visit megaphone.fm/adchoices
03/08/23·29m 2s

An illicit market in account restoration. Resilience and the cyber workforce: a snapshot. New post-exploitation technique in Amazon Web Services.

An illicit market in account restoration. Resilience and the cyber workforce. New post-exploitation techniques in Amazon Web Services. Incursions into Norwegian government networks went on for four months. Rob Boyce from Accenture Security describes a “Perfect Storm” in the Dark Web threat landscape. Carole Theriault shares mental health social media warnings for teens. And the Russian legislation seeks to reduce or eliminate online privacy. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/146 Selected reading. Amazon employees leak secret info that marketplace sellers can buy on Telegram (CNBC) Cyber Workforce Benchmark Report (Immersive Labs) Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan (Mitiga) Cado Security Labs 2023 Threat Findings Report (Cado Security) Cyberattack on Norway Ministries Lasted at Least Four Months (Bloomberg) CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities (Cybersecurity and Infrastructure Security Agency) Putin Outlaws Anonymity: Identity Verification For Online Services, VPN Bypass Advice a Crime (TorrentFreak) Russia Is Returning to Its Totalitarian Past (Foreign Policy) Learn more about your ad choices. Visit megaphone.fm/adchoices
02/08/23·24m 34s

Cyberespionage tradecraft, including shopping in the C2C market. Seeking satcom resilience. Sanctions against disinformation. A quick look at current OT threats.

C2-as-a-service with APTs as the customers. Cyberespionage activity by Indian APTs. Gamers under attack. StarLink limits Ukrainian access to its systems. The EU levies new sanctions against “digital information manipulation.” Ukraine's Security Service takes down money-laundering exchanges. Ben Yelin unpacks fediverse security risks. Our guests are Mike Marty, CEO of The Retired Investigators Guild, & Tom Brennan, executive director of CREST, discussing their efforts on cybercrime investigation and cold case resolution. And Nozomi's OT IoT security report, sees a lot of opportunistic, low-grade whacking at industrial organizations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/145 Selected reading. Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps) (Halcyon)  APT Bahamut Targets Individuals with Android Malware Using Spear Messaging - CYFIRMA (CYFIRMA)  Hackers steal Signal, WhatsApp user data with fake Android chat app (BleepingComputer) Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor (The Hacker News) Hackers exploit BleedingPipe RCE to target Minecraft servers, players (BleepingComputer)  Call of Duty Self-Spreading Worm Takes Aim at Player Lobbies (Dark Reading)  Call of Duty worm malware used to hack players exploits years-old bug  (TechCrunch)  Elon Musk 'refuses to turn on Starlink' for Crimea drone attack (The Telegraph) How Elon Musk Was Able to Exert Control in Ukraine War (The Street) EU strikes Russia again as digital infowar rages on (Cybernews)  Ukraine Cracks Down on Illicit Financing Network (Gov Info Security)  Unpacking the OT & IoT Threat Landscape with Unique Telemetry Data (Nozomi Networks)  China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure (Dark Reading) Learn more about your ad choices. Visit megaphone.fm/adchoices
01/08/23·29m 11s

The US has a new cyber workforce and education strategy. US hunts disruptive Chinese malware staged in US networks. Malware warnings, and an update on Russia’s hybrid war.

The US issues a National Cyber Workforce and Education strategy. Hunting Chinese malware staged in US networks. CISA warns of Barracuda backdoor. WikiLoader malware is discovered. P2Pinfect is a malware botnet targeting publicly-accessible Redis servers. Johannes Ullrich from SANS describes attacks against YouTube content creators. Rick Howard previews his conversation with AWS Ciso CJ Moses. And Russia’s SVR continues cyberespionage against Ukrainian and European diplomatic services. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/144 Selected reading. FACT SHEET: Biden-Harris Administration Announces National Cyber Workforce and Education Strategy, Unleashing America’s Cyber Talent (The White House)  National Cyber Workforce and Education Strategy: Unleashing America’s Cyber Talent (The White House) The White House releases the US National Cyber Workforce and Education Strategy. (CyberWire) US hunts Chinese malware staged to interfere with US military operations. (CyberWire) U.S. Hunts Chinese Malware That Could Disrupt American Military Operations (New York Times) CISA Releases Malware Analysis Reports on Barracuda Backdoors (Cybersecurity and Infrastructure Security Agency CISA)CISA: New Submarine malware found on hacked Barracuda ESG appliances (BleepingComputer)  Out of the Sandbox: WikiLoader Digs Sophisticated Evasion (Proofpoint)  Cado Security Labs Encounter Novel Malware, Redis P2Pinfect (Cado Security)  P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm (Unit 42) BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future) BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future Insikt Group)  BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities (The Hacker News) Learn more about your ad choices. Visit megaphone.fm/adchoices
31/07/23·26m 44s

Morgan Adamski: Seeing around corners. [Collaboration] [Career Notes]

Morgan Adamski from the National Security Agency (NSA) sits down to talk about her path to getting into cybersecurity. Remembering back to when she was a kid, she recalls using old technology to chat with friends online, that's where it all began for Morgan. She shares how in high school she fell in love with the concept of debating and being on a team. During her high school career, 9/11 occurred, and she became fascinated with who was behind the biggest attack America had seen in the 21st century, driving her to pursue a degree in National Security. Coming out of college, she was able to get a job in the DIA, after working there for two years, she found herself at the NSA, where she is now. Morgan shares how her leadership style helps her to not only connect dots on problems, but also see around corners, saying "it's not just about connecting the dots, it's about seeing around the corners and so that helps me better predict, um, how do I build an organization that's successful three to five years down the road." We thank Morgan for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
30/07/23·8m 18s

Phishing for leeches. [Research Saturday]

Ashlee Benge from ReversingLabs discussing their research titled "Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks." Researchers recently discovered over a dozen malicious packages published to the npm open source repository. These packages are targeting Microsoft 365 users and appear to target application end users while also supporting email phishing campaigns. Research supports that the malicious campaign encompassed more than a dozen files designed to steal sensitive user credentials. The research states "This most recent campaign caught our attention because of a number of features and characteristics in related npm packages that correlate with malicious intent." The research can be found here: Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks Learn more about your ad choices. Visit megaphone.fm/adchoices
29/07/23·19m 30s

A new joint advisory from the US and Australia. BackConnect evolution. Cl0p counts coup. Ransomware trends. DDoS for influence. It’s “dot-mil,” Nigel.

A joint warning on IDOR vulnerabilities. IcedID’s BackConnect protocol evolves over one year. Cl0p claims to have accessed data from another Big Four accounting firm. Ransomware victims increased significantly in 2023. Cyberattacks support influence operations. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger joins us to discuss the Biden Administration's recent cyber initiatives. Eric Goldstein, Executive Assistant Director at CISA, looks at cybersecurity performance goals. And spelling counts. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/143 Selected reading. Preventing Web Application Access Control Abuse (Joint Cybersecurity Advisory: ACSC, NSA, CISA)  Inside the IcedID BackConnect Protocol (Part 2) (Team Cymru)  Deloitte denies Cl0p data breach impacted client data in wake of MOVEit attack (ITPro)  Ransomware Report: Q2 2023 (ReliaQuest) Kenya ICT minister admits cyber-attack on eCitizen portal, insists data secure (The East African) Anonymous Sudan: the group behind recent anti-Kenya cyberattacks (TechCabal)  Kenya President Ruto to skip Russia-Africa Summit (The East African) UK accidentally sent military emails meant for US to Russian ally (POLITICO) Learn more about your ad choices. Visit megaphone.fm/adchoices
28/07/23·31m 24s

Mirai hits the honeypots. Medical device telemetry attacked. More on infostealers in the C2C market. Third-party risk management practices. Cyber skills gaps in the UK. SiegedSec hits NATO sites

The Mirai botnet afflicts Tomcat. CardioComm services are downed by cyberattack. Uptycs calls infostealers “organization killers" as related security incidents double in a year. Legacy third-party risk management practices meet with dissatisfaction. Cyber skill gaps reported in the UK's workforce. Our guest is George Prichici of OPSWAT with a look at a Microsoft Teams vulnerability. Our new Threat Vector segment features a conversation with David Moulton and Michael Sikorski on the potential threats from LLMs and AI. And SiegedSec hits NATO sites. On this first segment of Threat Vector, Michael "Siko" Sikorski, CTO & VP of Engineering for Unit 42, joins host David Moulton to discuss LLMs & AI and the impacts to expect on social engineering, phishing, and more. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/142 Threat Vector links. Palo Alto Networks Unit 42 Selected reading. Tomcat Under Attack: Exploring Mirai Malware and Beyond (Aquasec) CardioComm, a provider of ECG monitoring devices, confirms cyberattack downed its services (TechCrunch)  Detecting the Silent Threat: 'Stealers are Organization Killers' (Uptycs) Cyber security skills in the UK labour market 2023 (DSIT) NATO investigates alleged data theft by SiegedSec hackers (BleepingComputer) NATO investigating apparent breach of unclassified information sharing platform (CyberScoop)  SiegedSec Compromise NATO (Cyberint) Learn more about your ad choices. Visit megaphone.fm/adchoices
27/07/23·28m 35s

A malign AI tool: FraudGPT. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. And a kinetic strike against a cyber target.

FraudGPT is a chatbot with malign intent. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. Tim Starks from Washington Post's Cybersecurity 202 on the White House’s new National Cyber Director nominee. Maria Varmazis speaks with David Luber, Deputy Director of NSA's Cybersecurity Directorate, on space systems as critical infrastructure. And a kinetic strike against a cyber target: Ukrainian drones may have hit Fancy Bear’s Moscow digs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/141 Selected reading. FraudGPT: The Villain Avatar of ChatGPT (Netenrich)  Stealer Logs & Corporate Access (Flare) Over 400,000 corporate credentials stolen by info-stealing malware (BleepingComputer) The Alarming Rise of Infostealers: How to Detect this Silent Threat (The Hacker News) Conti and Akira: Chained Together (Arctic Wolf) Ukraine-Russia war: Ukraine vows further drone strikes on Moscow and Crimea (The Telegraph)  Learn more about your ad choices. Visit megaphone.fm/adchoices
26/07/23·26m 55s

Norway continues to investigate a cyberattack. The view from Russia. Trends in data breaches, ransom payments, and security self-perception. Apple patches iOS.

A zero-day attack of undetermined origin targets government offices in Norway. Russia accuses the US of cyber aggression. Data breaches exact a rising cost. 74% of survey respondents say their company would pay ransom to recover stolen or encrypted data. Executives and security teams differ in their perception of cyber threat readiness. Mr. Security Answer Person John Pescatore looks at risk metrics. Joe Carrigan on a new dark market AI tool called Worm GPT. And Apple issues urgent patches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/140 Selected reading. Norway says Ivanti zero-day was used to hack govt IT systems (BleepingComputer) Norway investigates cyberattack affecting 12 government ministries (Record) Norwegian government IT systems hacked using zero-day flaw (BleepingComputer) Putin ally accuses US of planning cyberattacks on Russian critical infrastructure (Al Arabiya English)  Cost of a Data Breach Report 2023 (IBM Security) Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments (Coveware)  2023 Cyber Threat Readiness Report (Swimlane)  Apple Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA) Apple fixes 16 security flaws with iOS 16.6, two actively exploited (9to5Mac) Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs (The Hacker News) Apple fixes new zero-day used in attacks against iPhones, Macs (BleepingComputer)  iOS 16.6: Apple Suddenly Releases Key iPhone Update With Urgent Fixes (Forbes)  Learn more about your ad choices. Visit megaphone.fm/adchoices
25/07/23·25m 57s

DPRK’s RGB shows improved targeting and tool-sharing. Cl0p updates. Two new RATs. Weak radio encryption standard. Razzlekhan will cop a plea.

North Korea's increasingly supple cyber offensives. A look at Cl0p. The NetSupport RAT's fake update vectors. HotRat is a Trojan that accompanies illegally pirated software and games. Crackable radio encryption standard: a bug or a feature? Chris Novak from Verizon discusses ransomware through the lens of the DBIR. Carole Theriault describes a ransomware attack that hit close to home. And an alleged money-laundering crypto-rapper is back in the news. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/139 Selected reading. North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack | Mandiant (Mandiant) Ransomware Roundup - Cl0p (Fortinet Blog) FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT (Malwarebytes) Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios (Vice)  Unmasking HotRat: The hidden dangers in your software downloads (Avast) Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios (Vice)  Crypto rapper 'Razzlekhan,' husband reach plea deal over Bitfinex hack laundering (Reuters) Learn more about your ad choices. Visit megaphone.fm/adchoices
24/07/23·24m 34s

Don Welch: Being a good leader. [CIO] [Career Notes]

Don Welch, Chief Information Officer from New York University sits down to share his exciting start into his cyber career. Much like many other people who started in this industry, Don went into the military, which is where it all started for him. He was told he needed to take two specialties, and so along with mechanical engineering, he decided to go into computer science as well. After taking his two crafts, he decided to leave the Army and go into the civilian world where he took a couple jobs in cyber. He landed a few jobs at different prestigious universities, including Penn State University, University of Michigan, and now New York University. He shares that being a good leader will take you far in life, saying "I will say that if you are a great leader, ultimately, you sit in your office and do nothing because you have developed your team and empowered them, and they're making all the decisions, everything runs like clockwork and you have nothing to do." We thank Don for sharing is story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
23/07/23·10m 24s

Infostealer Malware 101: mitigating risks and strengthening defenses against this insidious threat. [CyberWire-X]

With the relentless advancements in technology and a workforce more digitally-enabled than ever before, businesses today face an unprecedented challenge of protecting their sensitive information from cybercriminals. Infostealer malware, often disguised as innocuous files or hidden within legitimate-looking emails, stealthily infiltrate employee and contractor devices – managed and unmanaged – exfiltrating all manner of data for the purposes of executing follow-on attacks including ransomware. The data at risk includes customer details, financial information, intellectual property, and R&D plans stolen from compromised applications that were accessed from infostealer-exfiltrated authentication data like credentials and active session cookies/tokens. This episode digs into the proliferation of infostealers and provides actionable steps for businesses of any size or industry to mitigate the threat. In this episode of CyberWire-X, N2K’s CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Rick Doten to discuss the early days of incident response and the current thinking of post-infection remediation (PIR) actions. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor SpyCloud’s Director of Security Research, Trevor Hilligoss. They chat about the challenges for enterprises and security leaders to identify what was stolen from malware-infected devices and how proper post-infection remediation implemented into existing incident response workflows can help prevent this data from causing ransomware. Trevor shares highlights from an industry report of over 300+ security leaders from North America and the UK on where they stand on malware identification and remediation, and what additional work can be done to minimize cybercriminals' access and impact. Learn more about your ad choices. Visit megaphone.fm/adchoices
23/07/23·30m 49s

Welcome to New York, it's been waitin' for you. [Research Saturday]

Joshua Miller from Proofpoint joins Dave to discuss findings on "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." In mid May, TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, was found sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs. The research states that "the email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review." Proofpoint shares it's findings and what you can expect from the threat group. The research can be found here: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware Learn more about your ad choices. Visit megaphone.fm/adchoices
22/07/23·18m 32s

Cyberespionage and developments in the cyber underworld, including an offering in the C2C market. Russian hacktivist auxiliaries stay busy (and so do their masters in the organs).

The Lazarus Group targets developers. Threat actors target the banking sector with fake LinkedIn profiles and open source supply chain attacks. Vulnerabilities reported in OpenMeetings. HTML smuggling is sold in the C2C market. Johannes Ullrich from SANS describes attacks against niche web apps. Our guest is Damir Brecic of Inversion6 discussing the privacy and security concerns of Meta's new Threads app. And Romania's SVR reports a pattern of Russian cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/138 Selected reading. GitHub warns of Lazarus hackers targeting devs with malicious projects (BleepingComputer) Cyberattack on GitHub customers linked to North Korean hackers, Microsoft says (Record) Security alert: social engineering campaign targets technology industry employees (The GitHub Blog) First Known Targeted OSS Supply Chain Attacks Against the Banking Sector (Checkmarx) A Twist in the Code: OpenMeetings Vulnerabilities through Unexpected Application State (Sonar)  Fresh Phish: HTML Smuggling Made Easy, Thanks to a New Dark Web Phish Kit (INKY)  KillNet Showcases New Capabilities While Repeating Older Tactics (Mandiant). Pro-Russian hacktivists increase focus on Western targets. The latest is OnlyFans. (CyberScoop). Anonymous Sudan DDoS strikes dominate attacks by KillNet collective (SC Media) Romanian Intelligence General: All Russian secret services attempted cyber attacks against Romania (ACTMedia) Learn more about your ad choices. Visit megaphone.fm/adchoices
21/07/23·23m 0s

Malvertising meets SEO poisoning. Fast moving on MOVEit exploit remediation. Ransomware trends. Cyberespionage, sanctions, and influence ops. Ave atque vale Kevin Mitnick.

Sophos analyzes malvertising through purchased Google Ads. The MOVEit vulnerability is remediated faster than most. The DeliveryCheck backdoor is used against Ukrainian targets. SORM is under stress. Ukrainian police roll up another bot farm working in support of Russian influence operations. AJ Nash from ZeroFox provides insights on the White House cybersecurity labeling program. David Moulton from Palo Alto Networks Unit 42 introduces his new segment "Threat Vector." And we bid farewell to Kevin Mitnick. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/137 Selected reading. Bad ad fad leads to IcedID, Gozi infections (Sophos News) New research reveals rapid remediation of MOVEit Transfer vulnerabilities (Bitsight)  GRIT Ransomware Report-2023-Q2 (Guidepoint Security)  Russia’s Turla hackers target Ukraine’s defense with spyware (Record)  Russian Hackers Probe Ukrainian Defense Sector With Backdoor (Bank Info Security)  Russia’s vast telecom surveillance system crippled by withdrawal of Western tech, report says (Record)  Ukraine’s cyber police dismantled a massive bot farm spreading propaganda (Security Affairs) Kevin David Mitnick, August 6, 1963 - July 16, 2023. (Dignity Memorial) Learn more about your ad choices. Visit megaphone.fm/adchoices
20/07/23·28m 35s

Patches and exploits. Watching threats develop in the dark web. Spyware vendors added to the US Entity List. WhatsApp risk. And notes from the hybrid war.

Vulnerabilities are identified and patched in Citrix Netscaler products and Adobe Coldfusion. The banking sector should be monitoring the dark web for leaked credentials and insider threats. Spyware vendors are added to the US Entity List. WhatsApp accounts may be at risk. Verizon’s Chris Novak shares insights on Log4j from this year’s DBIR. Our guest is Candid Wüest of Acronis discussing the findings of their Year-end Cyberthreats Report. Skirmishes in the cyber phases of Russia's war. And how do you demobilize cyber forces (especially the auxiliaries) once the war is over? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/136 Selected reading. Exploited 0-days, an incomplete fix, and a botched disclosure: Infosec snafu reigns  New critical Citrix ADC and Gateway flaw exploited as zero-day (BleepingComputer)  Citrix alerts users to critical vulnerability in Citrix ADC and Gateway (Computing) Adobe, Microsoft and Citrix vulnerabilities draw warnings from CISA (Record) Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities (Rapid7) Dark Web Threats Against The Banking Sector › Searchlight Cyber (Searchlight Cyber) WhatsApp Remote Deactivation Warning For 2 Billion Users (Forbes) The United States Adds Foreign Companies to Entity List for Malicious Cyber Activities - United States Department of State (United States Department of State)  Commerce Adds Four Entities to Entity List for Trafficking in Cyber Exploits (Bureau of Industry and Security)  Russian hackers may be behind 'DDoS' attack on NZ Parliament website (Stuff)  Russian medical lab suspends some services after ransomware attack (Record)  If you want peace, prepare for… cyberwar - Friends of Europe (Friends of Europe)  Learn more about your ad choices. Visit megaphone.fm/adchoices
19/07/23·29m 23s

Some guidance from the US government (including device security labels). Supply chain security. Developments in the cyber underworld (including a gang with some perverse integrity).

The US Federal government issues voluntary security guidelines. Possible privilege escalation within Google Cloud. An APT compromises JumpCloud. FIN8 reworks its Sardonic backdoor and continues its shift to ransomware. Ben Yelin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent discussing GDPR and third party risk. And some noteworthy Russian cyber crime–they don’t seem to be serving any political masters; they just want to get paid. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/135 Selected reading. Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers (The White House) The Biden administration announces a cybersecurity labeling program for smart devices (AP News)CISA Develops Factsheet for Free Tools for Cloud Environments (Cybersecurity and Infrastructure Security Agency CISA) Free Tools for Cloud Environments (CISA) NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing (Cybersecurity and Infrastructure Security Agency CISA) ESF Members NSA and CISA Publish Second Industry Paper on 5G Network Slicing (National Security Agency/Central Security Service) Bad.Build: A Critical Privilege Escalation Design Flaw in Google Cloud Build Enables a Supply Chain Attack (Orca Security) Orca: Google Cloud design flaw enables supply chain attacks (Security | TechTarget)  Google fixes ‘Bad.Build’ vulnerability affecting Cloud Build service (Record) JumpCloud discloses breach by state-backed APT hacking group (BleepingComputer) JumpCloud: A 'state-sponsored threat actor' compromised our systems (Computing)  JumpCloud says nation-state hackers breached its systems | TechCrunch (TechCrunch) JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state (Ars Technica) [Security Update] Incident Details - JumpCloud (JumpCloud) July 2023 Incident Indicators of Compromise (IoCs) (JumpCloud) FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware (Symantec by Broadcom) RedCurl hackers return to spy on 'major Russian bank,' Australian company (Record)  Learn more about your ad choices. Visit megaphone.fm/adchoices
18/07/23·30m 28s

Developments in the C2C market. Cyberespionage against Westminster. Notes from Russia’s hybrid war. And don’t take that typo to Timbuktu.

WormGPT is a new AI threat. TeamTNT seems to be back. Chinese intelligence services actively pursue British MPs. Gamaredon's quick info theft. Russia’s FSB bans Apple devices. The troll farmers of the Internet Research Agency may not yet be down for the count. Anonymous Sudan claims a "demonstration" attack against PayPal, with more to come. Carole Theriault looks at popular email lures. My conversation with N2K president Simone Petrella on the White House’s National Cybersecurity Strategy Implementation Plan. And, friends, don’t take this typo to Timbuktu. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/134 Selected reading. WormGPT, an "ethics-free" text generator. (CyberWire) TeamTNT (or someone a lot like them) may be preparing a major campaign. (CyberWire) Chinese government hackers ‘frequently’ targeting MPs, warns new report (Record)  Gamaredon hackers start stealing data 30 minutes after a breach (BleepingComputer)  Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise (Security Affairs) Armageddon in Ukraine – how one Russia-backed hacking group operates (CyberSecurity Connect) Russian hacking group Armageddon increasingly targets Ukrainian state services (Record) Russia bans officials from using iPhones in U.S. spying row (Apple Insider) Prigozhin's Media Companies May Resume Work As Mutiny Fallout Dissipates, FT Reports (Radio Free Europe | Radio Liberty) Anonymous Sudan claims it hit PayPal with 'warning' DDoS cyberattack (Tech Monitor)  Typo leaks millions of US military emails to Mali web operator (Financial Times) Learn more about your ad choices. Visit megaphone.fm/adchoices
17/07/23·25m 5s

Jennifer Addie: Finding creative solutions. [COO] [Career Notes]

Jennifer Addie, COO and CWO from VentureScope and MACH37 Cyber Accelerator sits down to share her incredible story, bringing creativity into the cyber community. Growing up Jennifer always loved the human side of things, and learning that she had a knack for computers helped her to realize what type of field she wanted to pursue as an adult. She started working jobs dealing in programming, database administration, product development, and it was there in the design of those products where she felt the deep need for security, emerging as critical in her consciousness. She shares how she likes to be on a personal level with the people she works with, always wondering where people came from and why they are passionate, being a very interactive leader. Jennifer also says that she believes bringing creativity into the field is what helps her solve any form of problem the best stating "I absolutely agree with the idea that, that creativity is far more than artistic capability. It is very much centered on problem solving and in fact, the master's degree that I received in creativity focuses on creative problem solving as a process." We thank Jennifer for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
16/07/23·9m 46s

SCARLETEEL zaps back again. [Research Saturday]

Michael Clark from Sysdig joins with Dave to discuss their research on SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. New research from Sysdig threat researchers found that the group continues to thrive with improved tactics. Most recently, they gained access to AWS Fargate, a more sophisticated environment to breach, thanks to their upgraded attack tools. The research states "In their most recent activities, we saw a similar strategy to what was reported in the previous blog: compromise AWS accounts through exploiting vulnerable compute services, gain persistence, and attempt to make money using cryptominers." Had Sysdig not thwarted SCARLETEEL's attack, they estimated that they would have mined $4,000 per day until they were stopped. The research can be found here: SCARLETEEL 2.0: Fargate,Kubernetes, and Crypto Learn more about your ad choices. Visit megaphone.fm/adchoices
15/07/23·17m 22s

Update on Chinese cyberespionage incident. ICS vulnerabilities. USB attacks. New KEVs. Updates from Russia's hybrid war, as hacktivists swap DDoS attacks and observers draw lessons learned.

Developments in the case of China's cyberespionage against government Exchange users. Industrial controller vulnerabilities pose a risk to critical infrastructure. USB attacks have risen three-fold in the first half of 2023. CISA adds two vulnerabilities to its Known Exploited Vulnerabilities Catalog. Ghostwriter's continued activity focuses on Poland and Ukraine. Hacktivist auxiliaries swap DDoS attacks. Awais Rashid from University of Bristol shares insights on threat modeling. Our guest is Chris Cochran from Huntress on the challenges small and medium sized businesses face with cyber security. And lessons learned from cyber warfare in Russia's war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/133 Selected reading. UK says it's working with Microsoft to understand impact of Chinese email hack (Reuters)  What we know (and don’t know) about the government email breach (Washington Post) Yet Another MS CVE: Don’t Get Caught In The Storm! (Cynet) China Hacking Was Undetectable for Some Who Had Less Expensive Microsoft Services (Wall Street Journal) Security flaws in Honeywell devices could be used to disrupt critical industries (TechCrunch) APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure (SecurityWeek) Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks (The Hacker News)  USB drive malware attacks spiking again in first half of 2023 (BleepingComputer) CISA Adds Two Known Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA) Malicious campaigns target government, military and civilian entities in Ukraine, Poland (Cisco Talos Blog) Belarus-linked hacks on Ukraine, Poland began at least a year ago, report says (Record) Crowdsourced Cyber Warfare: Russia and Ukraine Launch Fresh DDoS Offensives (CEPA). Cyber Operations during the Russo-Ukrainian War (CSIS) Learn more about your ad choices. Visit megaphone.fm/adchoices
14/07/23·30m 52s

Taking steps to stop a Chinese APT. Implementing the US National Cybersecurity Strategy. LokiBot is back. Malware masquerading as a proof-of-concept. Swapping cyber ops in a hybrid war.

CISA and the FBI issue a joint Cybersecurity Advisory on exploitation of Microsoft Exchange Online. Implementing the US National Cybersecurity Strategy. FortiGuard discovers a new LokiBot campaign. Training code turns out to be malicious in a new proof-of-concept attack discovered on GitHub. Russia resumes its pursuit of a "sovereign Internet." The GRU's offensive cyber tactics. Chris Novak from Verizon discusses business email compromise and the 2023 DBIR. Our guest is Joy Beland of Summit 7 on the role of Managed Service Providers in the supply chain to the Defense Industrial Base. And a probable Ukrainian false-flag operation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/132 Selected reading. CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (Cybersecurity and Infrastructure Security Agency CISA) Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (Cybersecurity and Infrastructure Security Agency CISA) How a Cloud Flaw Gave Chinese Spies a Key to Microsoft’s Kingdom (WIRED) Chinese hackers breached U.S. and European government email through Microsoft bug (Record) FACT SHEET: Biden-Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan | The White House (The White House) National Cybersecurity Strategy Implementation Plan (White House) LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros (Fortinet Blog) New PoC Exploit Found: Fake Proof of Concept with Backdoor Malware (Uptycs) Russia Is Trying to Leave the Internet and Build Its Own (Scientific American) The GRU's Disruptive Playbook (Mandiant)  Hack Blamed on Wagner Group Had Another Culprit, Experts Say (Bloomberg)  Learn more about your ad choices. Visit megaphone.fm/adchoices
13/07/23·32m 18s

Cyberespionage and used car salesmen. Email extortion through embarrassment, not encryption. The personal is the professional. And a look back at Patch Tuesday.

A Chinese threat actor hits US organizations with a Microsoft cloud exploit. Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures. A RomCom update. Beamer phishbait, email extortion attacks and digital blackmail. A new report concludes companies allowing personal employee devices onto their network are opening themselves to attack. Tim Starks from the Washington Post looks at Microsoft’s recent woes. Our guest is Eyal Benishti from IRONSCALES with insights on business email compromise. And a July Patch Tuesday retrospective. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/131 Selected reading. Mitigation for China-Based Threat Actor Activity (Microsoft On the Issues) Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email (Microsoft Security Response Center) Chinese hackers breach U.S. government email through Microsoft cloud (Washington Post)  U.S. Government Emails Hacked in Suspected Chinese Espionage Campaign (Wall Street Journal) Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers (Cisco Talos Blog) Storm-0978 attacks reveal financial and espionage motives (Microsoft Security)  Microsoft: Unpatched Office zero-day exploited in NATO summit attacks (BleepingComputer)  Diplomats Beware: Cloaked Ursa Phishing With a Twist (Unit 42) Russian hackers lured embassy workers in Ukraine with ad for a cheap BMW (Reuters) Threat spotlight: Extortion attacks (Barracuda) The SpyCloud Malware Readiness And Defense Report (SpyCloud) July 2023 Security Updates (Security Update Guide - Microsoft Security Response Center) Microsoft Releases July 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA)  Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws (BleepingComputer)  Fortinet Releases Security Update for FortiOS and FortiProxy (Cybersecurity and Infrastructure Security Agency CISA) Adobe Releases Security Updates for ColdFusion and InDesign (Cybersecurity and Infrastructure Security Agency CISA)  Apple's Rapid Security Response Patches Causing Website Access Issues (SecurityWeek)  SAP Security Patch Day – July 2023 (SAP) Return of the ICMAD Critical Vulnerabilities in 2023 (Onapsis) Learn more about your ad choices. Visit megaphone.fm/adchoices
12/07/23·32m 33s

Collective defense in cyberspace. Notes on gangs, privateers, and hacktivist auxiliaries. Amazon Prime Day is now a commercial holiday (like Black Friday): crooks have noticed–stay safe.

NATO considers Article 5 in cyberspace, while Cyberattacks conducted in the Russian interest target the NATO summit. Anonymous Sudan remains a nuisance-level irritant. Cl0p's surprising use of MOVEit exploits. Asylum Ambuscade is a case study in privateering. There are reports of a breach at Razer. An indictment in a cyber incident at a California water treatment facility. Genesis Market's fire sale. Carole Theriault on the data Amazon customers provide with some suggestions on curbing it. Our guest is Dmitry Bestuzhev, senior director in Cyber Threat Intelligence for Blackberry. And Amazon Prime Day is upon us–the crooks have noticed. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/130 Selected reading. A Cybersecurity Wish List Ahead of NATO Summit (SecurityWeek) NATO’s Christian-Marc Lifländer on how the alliance can take a ‘proactive’ cyber stance (Record) Ukraine has set the standard on software power (POLITICO) RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit (BlackBerry) Threat group testing more sophisticated DDoS hacks, authorities warn (Cybersecurity Dive) Move It on Over: Reflecting on the MOVEit Exploitation (Huntress) Cl0p has yet to deploy ransomware while exploiting MOVEit zero-day (SC Media)  Asylum Ambuscade: crimeware or cyberespionage? (WeLiveSecurity) Crimeware Group Asylum Ambuscade Ventures Into Cyber-Espionage (Infosecurity Magazine) Razer investigates data breach claims, resets user sessions (BleepingComputer)  Razer Data Breach: Alleged Database and Backend Access Sold for $100k (HackRead) Alleged Razer data breach: Hacker demands US$100K in crypto in exchange for stolen data (Vulcan Post) Razer gets pwned as hackers steal source code (Cyber Security Connect)  Razer Cyber Attack: Gaming Hardware Giant Faces Data Breach (The Cyber Express)  Amazon Prime Day: Buyers Beware of Phishing Campaigns Targeting Online Shoppers (Veriti) Tracy Resident Charged With Computer Attack On Discovery Bay Water Treatment Facility (US Attorney for the Northern District of California) Tracy man indicted for illegally accessing water treatment network (CBS News) Technician Indicted for Hacking California Water Treatment Facility (HackRead) Tracy Man Charged With Computer Attack On Discovery Bay Water Treatment Facility (Contra Costa News)  Genesis Market gang tries to sell platform after FBI disruption (Record)  Amazon Prime Day: Buyers Beware of Phishing Campaigns Targeting Online Shoppers (Veriti)  Learn more about your ad choices. Visit megaphone.fm/adchoices
11/07/23·27m 19s

New phishing campaigns hit Microsoft 365 and Adobe users. Big Head ransomware. Multichain bridge compromised. CISA adds a KEV. Progress patches MOVEit. Telegram's role in Russia's war.

New phishing campaigns afflict users of Microsoft 365 and Adobe. An analysis of Big Head ransomware. Multichain reports a crypto heist with over $100 million stolen. CISA makes an addition to the Known Exploited Vulnerability Catalog. Progress Software issues additional MOVEit patches. The FBI’s Deputy Assistant Director for Cyber Cynthia Kaiser joins us with examples of the agency’s technical disruption operations. Our guest is Scott Piper Principal Cloud Security Researcher at Wiz sharing findings of their State of the Cloud 2023 report. And Telegram's role in news about Russia's war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/129 Selected reading. M365 Phishing Email Analysis – eevilcorp (Vade Secure) New Phishing Attack Spoofs Microsoft 365 Authentication System (HackRead) Tailing Big Head Ransomware’s Variants, Tactics, and Impact (Trend Micro) New ‘Big Head’ ransomware displays fake Windows update alert (BleepingComputer) Unfolding Cybersecurity Crisis: Aptos Network and Multichain Face Cyber-Attacks (CryptoMode) More than $125 million taken from crypto platform Multichain (Record) Exploit of Fantom, Moonriver and Dogechain Crypto Bridges Confirmed by Multichain Team (CoinDesk) CISA Adds One Known Vulnerability to Catalog (CISA) Google patches 43 Android Vulnerabilities Including 3 actively exploited zero-days (Cyber Security News)  Progress Software Releases Service Pack for MOVEit Transfer Vulnerabilities (CISA) After Zero-Day Attacks, MOVEit Turns to Security Service Packs (SecurityWeek) Killnet as a private military hacking company? For now, it's probably just a dream (Record) Telegram has become a window into war (The Verge) Learn more about your ad choices. Visit megaphone.fm/adchoices
10/07/23·31m 15s

Eric Tillman: A creative way into cyber. [Intelligence] [Career Notes]

Eric Tillman, Chief Intelligence Officer at N2K Networks sits down and shares his incredibly creative journey. Eric loved being creative from a young age. When he started to think about a career he wanted to incorporate his love of creativity into his love for tech and turn it into an intelligence career. Eric started by joining the Navy, which set him on this path to work in cyber where he shared his talents with several big companies, including, Booz Allen Hamilton, Lockheed Martin, and Okta, eventually ending up at our very own N2K Networks. Eric shares the advice that there is something for everyone in this field, and even though he wanted to start his journey in a creative way, he found that combining his love for tech and art helped him to pave the way to where he is now. He says " A lot of people get here from a very technical background and um, it really almost doesn't matter um, where you came from, there is something in cybersecurity that takes advantage of the skills that you bring to the table and, um, either way, there's plenty of room here for everyone." We thank Eric for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
09/07/23·11m 24s

Moez Kamel and the cybersecurity ecosystem for New Space. [T-Minus Deep Space]

Moez Kamel, Threat Management Specialist at IBM Security, joins us on T-Minus Deep Space for a special edition all about the cybersecurity ecosystem in the New Space industry. You can follow Moez on LinkedIn and his work at IBM’s Security Intelligence blog. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our weekly intelligence roundup, Signals and Space, and you’ll never miss a beat. And be sure to follow T-Minus on Twitter and LinkedIn. Selected Reading Cybersecurity in the Next-Generation Space Age, Pt. 1: Introduction to New Space Cybersecurity in the Next-Generation Space Age, Pt. 2: Cybersecurity Threats in the New Space Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space  Cybersecurity in the Next-Generation Space Age, Pt. 4: New Space Future Development and Challenges     Audience Survey We want to hear from you! Please complete our 4 question survey. It’ll help us get better and deliver you the most mission-critical space intel every day. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here’s our media kit. Contact us at space@n2k.com to request more info. Want to join us for an interview? Please send your pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
09/07/23·32m 36s

Creating PANDA-monium. [Research Saturday]

Thomas Etheridge from CrowdStrike sits down to discuss their work on "Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft" In May of 2023, industry and government sources detailed China-nexus activity where they found the threat actor dubbed Volt Typhoon targeted U.S. based critical infrastructure entities. CrowdStrike's Intelligence team tracked this actor as VANGUARD PANDA.  With CISA’s advisory on VANGUARD PANDA and its link to Chinese adversaries who are increasingly targeting US businesses and critical infrastructure, CrowdStrike’s blog dives deeper into the risks of VANGUARD PANDA. The research says "One specific VANGUARD PANDA incident stands out to review in detail. Falcon Complete responded to a detection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web server running ManageEngine ADSelfService Plus." The research can be found here: Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft Learn more about your ad choices. Visit megaphone.fm/adchoices
08/07/23·17m 3s

Joint advisory warns of Truebot. Operation Brainleaches in the supply chain. API key reset at Jumpcloud. More MOVEit vulnerability exploitation.

US and Canadian agencies warn of Truebot. A look at "Operation Brainleaches." Jumpcloud resets API keys. An update on the MOVEit vulnerability exploitation. Andrea Little Limbago from Interos shares insights on rising geopolitical instability. Our guest is Mike Hamilton from Critical Insight discussing what you need to know about NIST 2.0. OSCE trains Ukrainian students in cybersecurity. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/128 Selected reading. CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants (Cybersecurity and Infrastructure Security Agency CISA) Increased Truebot Activity Infects U.S. and Canada Based Networks | CISA (Cybersecurity and Infrastructure Security Agency CISA)  Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks (ReversingLabs) Mandatory JumpCloud API Key Rotation (JumpCloud) JumpCloud resets admin API keys amid ‘ongoing incident’ (BleepingComputer) JumpCloud Says All API Keys Invalidated to Protect Customers (SecurityWeek) More organizations confirm MOVEit-related breaches as hackers claim to publish stolen data (TechCrunch) Important information about MOVEit Transfer cyber security incident | Shell Global (Shell Global) Shell Confirms MOVEit-Related Breach After Ransomware Group Leaks Data (SecurityWeek) OSCE helps future generation of Ukraine’s law enforcers and emergency personnel build skills for safe work in cyberspace (OSCE) Learn more about your ad choices. Visit megaphone.fm/adchoices
07/07/23·30m 22s

The Port of Nagoya continues its recovery from ransomware. Charming Kitten ups its game. Spyware in the Play store. Risks to electrical infrastructure. And a quick update on hacktivist auxiliaries.

LockBit 3.0 claims responsibility for Nagoya ransomware attack. Charming Kitten sighting. Spyware infested apps found in Google Play. Threats and risks to electric vehicle charging stations. Solar panels and cyberattacks. Dave Bittner speaks with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, to talk about CISA’s effort for companies to build safety into tech products.Rick Howard sits down with Clarke Rodgers of AWS to discuss the mechanics of CISO roundtables. And Hacktivist auxiliaries remain active in Russia's hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/127 Selected reading. Pro-Russian hackers target Port of Nagoya, disrupting loading of Toyota parts (The Japan Times)  Port of Nagoya resumes operations later than planned after Russian hack (The Japan Times)  Ransomware Halts Operations at Japan's Port of Nagoya (Dark Reading)  Nagoya Port Faces Disruption After Ransomware Attack (Infosecurity Magazine)  Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware | Proofpoint US (Proofpoint) Two spyware tied with China found hiding on the Google Play Store (Pradeo) EV Charger Hacking Poses a ‘Catastrophic’ Risk (WIRED)  Exploited Solar Power Product Vulnerability Could Expose Energy Organizations to Attacks (SecurityWeek) The Continued Expansion of Cyber Incidents by Non-State Actors in the War in Europe (OODA Loop).   Russian railway site allegedly taken down by Ukrainian hackers (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices
06/07/23·26m 53s

Cyberespionage, extortion, and DDoS as instruments of state policy. Ransomware continues to trouble a wide range of targets across many sectors.

Chinese cyberespionage campaign against European governments. The Port of Nagoya closes over ransomware attack. BlackCat and SEO poisoning. LockBit seeks to extort a semiconductor manufacturer. Professionals in the cyber underworld. CISA issued a DDoS alert for US companies and government agencies. Microsoft debunks claims of data theft by Anonymous Sudan. Matt O'Neill from the US Secret Service speaks with Dave Bittner about sextortion. Rick Howard sits down with Michael Fuller of AWS to talk about the kill chain. And Avast releases a free decryptor for Akira. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/126 Selected reading. Chinese Threat Actors Targeting Europe in SmugX Campaign - Check Point Research (Check Point Research) Hackers target European government entities in SmugX campaign (BleepingComputer) Chinese hackers target European embassies with HTML smuggling technique (Record) Japan’s largest port stops operations after ransomware attack (BleepingComputer)  BlackCat ransomware pushes Cobalt Strike via WinSCP search ads (BleepingComputer) BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising (The Hacker News) TSMC Says Supplier Hacked After Ransomware Group Claims Attack on Chip Giant (SecurityWeek) TSMC confirms data breach after LockBit cyberattack on third-party supplier (TechCrunch) Taiwan Semiconductor Denies LockBit's $70M Hack Claim (Bank Info Security) Semiconductor giant says IT supplier was attacked; LockBit makes related claims (Record) DoS and DDoS Attacks against Multiple Sectors (Cybersecurity and Infrastructure Security Agency CISA) CISA issues DDoS warning after attacks hit multiple US orgs (BleepingComputer) Microsoft denies data breach, theft of 30 million customer accounts (BleepingComputer) Microsoft Denies Major 30 Million Customer-Breach (Infosecurity Magazine) Decrypted: Akira Ransomware (Avast Threat Labs) Learn more about your ad choices. Visit megaphone.fm/adchoices
05/07/23·25m 11s

Two viewpoints on the National Cybersecurity Strategy. [Special Edition]

Earlier this month, the White House released the National Cybersecurity Strategy, the first issued since 2018. The strategy refocuses roles, responsibilities, and resource allocations in the digital ecosystem, with a five pillar approach. Those pillars are: defending critical infrastructure, disrupting threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships. We wanted to delve into the strategy and its intended effects further, so Dave Bittner spoke with representatives from industry and inside government. Dave first speaks with Adam Isles, Principal and Head of Cybersecurity Practice at The Chertoff Group, sharing industry's take on the strategy. Following that conversation, Dave had a discussion with Steve Kelly, Special Assistant to the President and Senior Director for Cybersecurity and Emerging Technology at the National Security Council, for a look at the strategy from inside the White House. Links to resources: Point of View: 2023 National Cybersecurity Strategy The Chertoff Group's blog National Cybersecurity Strategy 2023 US GAO Snapshot: Cybersecurity: Launching and Implementing the National Cybersecurity Strategy Learn more about your ad choices. Visit megaphone.fm/adchoices
04/07/23·35m 3s

Interview Select: Will Markow, VP of Applied Research from Lightcast, is talking with Simone Petrella about how to use data to make strategic workforce decisions.

This interview from June 16th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Simone Petrella sits down with Will Markow, VP of Applied Research from Lightcast, to discuss how to use data to make strategic workforce decisions. You can also view the video of the full interview here: Simone Petrella and Will Markow discuss workforce management. Learn more about your ad choices. Visit megaphone.fm/adchoices
03/07/23·26m 56s

Liji Samuel: Leaping beyond the barrier. [Certification] [Career Notes]

Liji Samuel from NSA sits down to share her exciting career path through the years until she found a job working for as Chief of Standards and Certification at NSA's Cyber Collaboration Center. She starts by sharing that she had always wanted to work in the STEM field, explaining that growing up she was surrounded with older cousins who were choosing STEM careers and it became an interesting topic for her. She accounts working for a number of companies that helped her grow into the role she is in now. Cybersecurity became a big buzzword for her, causing her to step out of the agency into US cyber command to help take up a management position for the architecture and engineering division. From there, she continued her cybersecurity journey first as the exploration director before moving into where she is now. Liji shares that there were barriers along the way that she had to endure and hop over to get to the right path. She says "So there are challenges and barriers that come across constantly with our work. Um, one just has to pause and reflect on how we can work with it, around it, or influence like our stakeholders and jointly create a vision around it." We thank Liji for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
02/07/23·9m 52s

The power behind artificial intelligence. [Research Saturday]

Daniel dos Santos, Forescout's Head of Security Research is sharing insights from a recent exercise his team conducted on AI-assisted attacks for OT and unmanaged devices. Using ChatGPT, Forescout’s research team converted an existing OT exploit developed in Python to run on Windows to demonstrate how easy it is to create an AI-assisted attack that converts the original exploit into alternative programming languages. The research states "our goal was to convert an existing OT exploit developed in Python to run on Windows to the Go language using ChatGPT." This would then allow it to run faster on Windows and run easily on a variety of embedded devices. The research can be found here: AI-Assisted Attacks Are Coming to OT and Unmanaged Devices – the Time to Prepare Is Now Learn more about your ad choices. Visit megaphone.fm/adchoices
01/07/23·18m 54s

CISA would like agencies to look to their management interfaces. Hacktivist auxiliaries and a role for OSINT in Russia’s hybrid war against Ukraine.

US Federal Government working to secure management interfaces. NoName057(16)’s DDoSia campaign grows, and targets Wagner, post-insurrection. Update: Unidentified hackers attack Russian satellite communications company, claiming to be Wagner. The role of OSINT in tracking Russia's war. Manoj Sharma of Symantec discusses trends he's hearing about generative AI. Becky Weiss from AWS talks with Rick Howard about the math behind their security. Cyber awareness over a holiday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/125 Selected reading. CISA Wants Exposed Government Devices Remediated In 14 Days (Dark Reading) 50 US Agencies Using Unsecured Devices, Violating Policy (Bank Info Security) CISA working with agencies to pull exposed network tools from public internet (Record) Following NoName057(16) DDoSia Project’s Targets (Sekoia.io Blog) Pro-Russia DDoSia hacktivist project sees 2,400% membership increase (BleepingComputer) Hackers attack Russian satellite telecom provider, claim affiliation with Wagner Group (CyberScoop) Hackers claim to take down Russian satellite communications provider (Record) Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism (Flashpoint)  Preparing for cyber threats over the Fourth of July. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
30/06/23·31m 51s

Something new, in ransomware. Notes on cyberespionage by the Lazarus Group and Charming Kitten. Security CI/CD operations. FINRA says hold the emojis. Dispatches from the hybrid war’s cyber front.

8base ransomware is overlooked and spiking. GuLoader targets law firms. Akira ransomware for Linux systems targets VMs. Kaspersky tracks the Lazarus group: typos and mistakes indicating an active human operator. Charming Kitten goes spearphishing. Securing continuous integration/continuous delivery operations. No emojis for the SEC, please.Unconfirmed reports say the Wagner Group hacked a Russian satellite communications provider. Our guest is Hanan Hibshi from Carnegie Mellon's picoCTF team. Chris Novak from Verizon discusses their 2023 Data Breach Investigations Report (DBIR). And Anonymous Sudan wants you to know that they’re not just a bunch of deniable Russian crooks–where’s the love, man? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/124 Selected reading. 8Base Ransomware: A Heavy Hitting Player (VMware Security Blog)  GuLoader Campaign Targets Law Firms in the US (Morphisec)  Akira Ransomware Extends Reach to Linux Platform (Cyble)  Andariel’s Mistakes Uncover New Malware in Lazarus Group Campaign (Infosecurity Magazine) Charming Kitten Updates POWERSTAR with an InterPlanetary Twist (Volexity) CISA and NSA Release Joint Guidance on Defending Continuous Integration/Continuous Delivery (CI/CD) Environments | CISA (Cybersecurity and Infrastructure Security Agency CISA) NSA and CISA Best Practices to Secure Cloud Continuous Integration/Continuous Delivery Environments (National Security Agency/Central Security Service) Wall Street Regulators’ New Target: Emojis (Wall Street Journal)  Russian satellite telecom Dozor allegedly hit by hackers (Cybernews) Hacking Group Says It Attacked Microsoft for Sudan. Experts Say Russia’s Behind It (Bloomberg)  ‘Hactivists’ who targeted Microsoft claim they’re working for Sudan (Fortune) Learn more about your ad choices. Visit megaphone.fm/adchoices
29/06/23·29m 13s

Two threats in the wild, and a third in proof-of-concept. Swiss intelligence expects an uptick in Russian cyberespionage. Privateers and auxiliaries in a hybrid war.

JokerSpy afflicts Macs. ThirdEye (not so blind). Mockingjay process injection as proof-of-concept. Switzerland expects Russia to increase cyberespionage as agent networks are disrupted. The fracturing of Conti, and the rise of its successors. The Washington Post’s Tim Starks explains the security of undersea cables. Our guest is ​​Brian Johnson of Armorblox to discuss Social Security Administration impersonation scams. And the "UserSec Collective" says it's recruiting hacktivists for the Russian cause.  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/123 Selected reading. JokerSpy macOS malware used to attack Japanese crypto exchange (AppleInsider)  Prominent cryptocurrency exchange infected with previously unseen Mac malware (Ars Technica) New Fast-Developing ThirdEye Infostealer Pries Open System Information (Fortinet Blog) Process Mockingjay: Echoing RWX In Userland To Achieve Code Execution (Security Joes) New Mockingjay Process Injection Technique Could Let Malware Evade Detection (The Hacker News) New Mockingjay process injection technique evades EDR detection (BleepingComputer) Ukraine war made Switzerland hub for Chinese, Russian spies: Swiss intelligence (South China Morning Post)  Swiss intelligence warns of fallout in cyberspace as West clamps down on spies (Record)  The rise and fall of the Conti ransomware group (Global Initiative)  The Trickbot/Conti Crypters: Where Are They Now? (Security Intelligence)                                                                                                                        Ukraine at D+489: An influence contest, post-mutiny. (CyberWire)  Learn more about your ad choices. Visit megaphone.fm/adchoices
28/06/23·28m 22s

Anatsa Trojan's new capabilities. Third-party breach hits airlines. Gas station blues. What’s up with the Internet Research Agency? Infrastructure threats. And DDoS grows more sophisticated.

Anatsa Trojan reveals new capabilities. Airlines report employee data stolen in a third-party breach. Canadian energy company SUNCOR reports a cyberattack. What of the Internet Research Agency? Microsoft warns of a rising threat to infrastructure. Joe Carrigan describes an ill-advised phishing simulation. Mr. Security Answer Person John Pescatore takes on zero days. And DDoS grows more sophisticated. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/122 Selected reading. Anatsa banking Trojan hits UK, US and DACH with new campaign (TreatFabric)  Anatsa Android trojan now steals banking info from users in US, UK (BleepingComputer)  Thousands of American Airlines and Southwest pilots impacted by third-party data breach (Bitdefender) American Airlines, Southwest Airlines disclose data breaches affecting pilots (BleepingComputer)  American Airlines, Southwest Airlines Impacted by Data Breach at Third-Party Provider (SecurityWeek) Recruitment portal exposes data of US pilot candidates (Register)  Suncor Energy says it experienced a cybersecurity incident (Reuters) Suncor Energy cyberattack impacts Petro-Canada gas stations (BleepingComputer)  Canadian oil giant Suncor confirms cyberattack after countrywide outages (Record)  Wagner and the troll factories (POLITICO) Cyber risks to critical infrastructure are on the rise (CEE Multi-Country News Center) The lowly DDoS attack is showing signs of being anything but (Washington Post) Learn more about your ad choices. Visit megaphone.fm/adchoices
27/06/23·27m 46s

Updates on Russia’s hybrid war. Transparent Tribe is back, with cyberespionage. A Trojanized version of Super Mario is out, and law enforcement seizes BreachForum’s domain.

Russian ISPs blocked Google News as tension with the Wagner Group mounted Friday. Ukrainian hacktivist auxiliaries break into Russian radio broadcasts. New EU sanctions are directed against Russian IT firms. Transparent Tribe resurfaces against Indian military and academic targets. Unauthorized access is the leading cause of data breaches for the fifth year in a row. Trojanized Super Mario Brothers game spreads SupremeBot malware. Today, guests discuss the cybersecurity skills gap. Paul Rebasti of Lockheed Martin shares what they are doing to fill cybersecurity skills gap. Jenny Brinkley joins us from AWS Re:Inforce discusses opportunities from the cybersecurity skills gap. And law enforcement agencies seize BreachForums' web domain.  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/121 Selected reading. Ukraine at D+487: After the march on Moscow. (CyberWire) Ukraine at D+486: The march on Moscow is over. (CyberWire) Ukraine at D+485: “We are dying for the Russian people.” (CyberWire) U.S. spies learned in mid-June Prigozhin was planning armed action in Russia (Washington Post)  Google News Blocked in Russia as Feud With Mercenary Leader Intensifies (New York Times) Air War: Pro-Ukraine Hackers Increasingly Breaking Into Russian Broadcasts With Anti-Kremlin Messages (RadioFreeEurope/RadioLiberty) Fresh EU sanctions hit Russian IT firms (Computing) Pakistan based hackers target Indian Army, education sector in new cyber attack (Telangana Today) Pakistan-based hackers target Indian Army, education sector in new cyber attack (PGURUS) ‘Transparent Tribe’ comes out of hiding (Pune Times Mirror)  2023 ForgeRock Identity Breach Report (ForgeRock) Trojanized Super Mario Game Installer Spreads SupremeBot Malware (Cyble) Trojanized Super Mario game used to install Windows malware (BleepingComputer) FBI seizes BreachForums after arresting its owner Pompompurin in March (BleepingComputer) Learn more about your ad choices. Visit megaphone.fm/adchoices
26/06/23·30m 53s

Slavik Markovich: Time is of the essence. [CEO] [Career Notes]

Slavik Markovich, CEO of Descope joins Dave to discuss his career as a serial entrepreneur. Before Descope, he co-founded and was the CEO of Demisto, a leader in the SOAR industry, which was acquired by Palo Alto Networks in 2019 for $560M, where he then served as SVP of Products. Before co-founding Demisto, Slavik was VP & CTO of database technologies at McAfee. He joined McAfee via the acquisition of Sentrigo, a database security startup he co-founded and served as CTO for. He goes into depth of his career changes throughout the years and how that has helped lead him to where he is now in his career. He shares that as a CEO and found of multiple companies he values time and hard workers. He says " I think we really stress the importance of, uh, of responsibility. So if, if you kinda take something, you, you make sure to finish it and on time, if you promise to do something, you do that. And so that's really important for us." We thank Slavik for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
25/06/23·7m 56s

Unleashing the crypto gold rush. [Research Saturday]

Ian Ahl from Permiso's PØ Labs joins Dave to discuss their research on "Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor." First observing the group in 2021, they discovered GUI-vil is a financially motivated threat group primarily focused on unauthorized cryptocurrency mining activities. The research states "the group has been observed exploiting Amazon Web Services (AWS) EC2 instances to facilitate their illicit crypto mining operations." This group is dangerous because unlike many groups focused on crypto mining, GUI-Vil apply a personal touch when establishing a foothold in an environment. The research can be found here: Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor Learn more about your ad choices. Visit megaphone.fm/adchoices
24/06/23·23m 39s

Two sets of China-linked cyberespionage activities. Mirai’s new vectors. A Cozy Bear sighting. Anonymous Sudan gets less anonymous.

An update on Barracuda ESG exploitation. Camaro Dragon’s current cyberespionage tools spread through infected USB drives. The Mirai botnet is spreading through new vectors. Midnight Blizzard is out and about . Ukraine is experiencing a "wave" of cyberattacks during its counteroffensive. Karen Worstell from VMware shares her experience with technical debt. Rick Howard speaks with CJ Moses, CISO of Amazon Web Services. And Anonymous Sudan turns out to be no more anonymous or Sudanese than your Uncle Louie. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/120 Selected reading. Barracuda ESG exploitation (Proofpoint) Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives (Check Point Research) Chinese malware accidentally infects networked storage (Register) Akamai SIRT Security Advisory: CVE-2023-26801 Exploited to Spread Mirai Botnet Malware (Akamai). Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices (BleepingComputer)  Neuberger: Ukraine experiencing a ‘surge’ in cyberattacks as it executes counteroffensive (Record)  Microsoft warns of rising NOBELIUM credential attacks on defense sector (HackRead). Anonymous Sudan: neither anonymous nor Sudanese (Cybernews) Learn more about your ad choices. Visit megaphone.fm/adchoices
23/06/23·34m 1s

Cyber spies and vulnerability goodbyes. RedLine Stealer and Vidar: the cryptkeepers. Social engineering TTPs.

North Korea's APT37 deploys FadeStealer to steal information from its targets. Apple patches vulnerabilities under active exploitation. Access to a US satellite is being hawked in a Russophone cybercrime forum. Russian hacktivist auxiliaries say they’ve disrupted IFC.org. Unmasking pig-butchering scams. Social engineering as a method of account takeover. Fraudsters seen abusing generative AI. Sergey Medved from Quest Software describes the “Great Cloud Repatriation”. Mark Ryland of AWS speaks with Rick Howard about software defined perimeters. And embedded URLs in malware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/119 Selected reading. RedEyes Group Wiretapping Individuals (APT37) (Ahn Lab) Apple fixes iPhone software flaws used in widespread hacks of Russians (The Washington Post) Apple issues emergency patch to address alleged spyware vulnerability (Cyberscoop) Apple patch fixes zero-day kernel hole reported by Kaspersky – update now! (Sophos) Military Satellite Access Sold on Russian Hacker Forum for $15,000 (HackRead) Well done. Russian hackers shut down the IMF (Dzen.ru) Why Malware Crypting Services Deserve More Scrutiny (KrebsOnSecurity) Unmasking Pig-Butchering Scams And Protecting Your Financial Future (Trend Micro) Classic Account Takeover via the Direct Deposit Change (Avanan) Q2 2023 Digital Trust & Safety Index (Sift) Compromised Domains account for over 50% of Embedded URLs in Malware Phishing Campaigns (Cofense) Learn more about your ad choices. Visit megaphone.fm/adchoices
22/06/23·31m 49s

A “flea” on the wall conducts cyberespionage. Cl0p update. Astrology finds its way into your computer systems. Fancy Bear sighted, again.

The Flea APT sets its sights on diplomatic targets. An update on the Cl0p gang’s exploitation of a MOVEit vulnerability. Unpatched TP-Link Archer routers are meeting their match in the Condi botnet. The Muddled Libra threat group compromises companies in a variety of industries. A look into passwordless authentication. Derek Manky of Fortinet describes the Global Threat Landscape. Rick Howard speaks with Rod Wallace from AWS about data lakes. And Fancy Bear noses its way into Ukrainian servers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/118 Selected reading. Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries (Symantec) Ke3chang (MITRE) Third MOVEit vulnerability raises alarms as US Agriculture Department says it may be impacted (The Record) PwC and EY impacted by MOVEit cyber attack (Cybersecurity Hub) Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack (SecurityWeek) MOVEit hack: Gang claims not to have BBC, BA and Boots data (BBC) US govt offers $10 million bounty for info on Clop ransomware (BleepingComputer) Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389 (Fortinet) CVE-2023-1389 Detail (NIST) Download for Archer AX21 V3 (TP-Link) Threat Group Assessment: Muddled Libra (Unit 42) Axiad and ESG Survey: 82% of Respondents Indicate Passwordless Authentication is a Top Five Priority (PR Newswire) APT28 group used three Roundcube exploits (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during another espionage campaign (CERT-UA#6805) (CERT-UA) BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities (The Record) CVE-2020-35730 Detail (NIST) CVE-2023-23397 Detail (NIST) Learn more about your ad choices. Visit megaphone.fm/adchoices
21/06/23·28m 22s

Reddit sees bad luck as a BlackCat attack crosses their path. The C2C market is more mystical nowadays. Hacktivist auxiliaries and false flags in the hybrid war.

The BlackCat gang crosses Reddit’s path, threatening to leak stolen data. Mystic Stealer malware evades and creates a feedback loop in the C2C market. RDStealer is a new cyberespionage tool, seen in the wild. The United States offers a reward for information on the Cl0p ransomware gang. KillNet, REvil, and Anonymous Sudan form a "DARKNET Parliament" and “sanction” the European banking system. The British Government commits £25 million in cybersecurity aid to Ukraine. Ben Yelin explains cyber disclosure rules proposed by the SEC. Rick Howard speaks with Nancy Wang of AWS about the importance of backups and restores. And what researchers are turning up in cloud honeypots. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/117 Selected reading. Reddit: Hackers demand $4.5 million and API policy changes (Computing) Mystic Stealer – Evolving “stealth” Malware (Cyfirma) Mystic Stealer: The New Kid on the Block (Zscaler) Unpacking RDStealer: An Exfiltration Malware Targeting RDP Workloads (Bitdefender) MOVEit Transfer and MOVEit Cloud Vulnerability (Progress Software) CVE-2023-35708 Detail (NIST) U.S. Energy Dept gets two ransom notices as MOVEit hack claims more victims (Reuters) US govt offers $10 million bounty for info on Clop ransomware (BleepingComputer) Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks (SecurityWeek) A bear in wolf’s clothing: Insights into the infrastructure used by Anonymous Sudan to attack Australian organisations (CyberCX) Anonymous Sudan: Religious Hacktivists or Russian Front Group? (Trustwave) UK to give Ukraine major boost to mount counteroffensive (UK Government) 2023 Honeypotting in the Cloud Report: Attackers Discover and Weaponize Exposed Cloud Assets and Secrets in Minutes (Orca Security) Learn more about your ad choices. Visit megaphone.fm/adchoices
20/06/23·28m 57s

Lorna Mahlock: Build bridges. [Combat support] [Career Notes]

Major General Lorna Mahlock, Deputy Director for Combat Support from the National Security Agency (NSA) sits down with Dave to discuss her long and impressive career leading up to he working for one of the most prestigious security agencies. Originally born in Kingston, Jamaica, Lorna immigrated to Brooklyn, New York and enlisted in the United States Marine Corps as a field radio operator. She shares how eye opening the military was for her, moving through ranks, and eventually landing into working at the Pentagon for the Chairman of the Joint Chiefs of staff. She moved around widening her array of paths, landing in her current role. Lorna shares some wisdom, mentioning how she likes to talk about ladders and how useful creating ladders in life can be, she says "I think about ladders in terms of horizontal component, in that you can create bridges, right? And, um, ways over obstacles, uh, for, for not only, uh, for yourself, but for others and an entire organization." We thank Lorna for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
18/06/23·9m 30s

Managing machine learning risks. [Research Saturday]

Our guest, Johannes Ullrich from SANS Institute, joins Dave to discuss their research on "Machine Learning Risks: Attacks Against Apache NiFi." Using their honeypot network, researchers were able to collect some interesting data about a threat actor who is currently going after exposed Apache NiFi servers. Researchers state “On May 19th, our distributed sensor network detected a notable spike in requests for ‘/nifi.’” Investigating further, they instructed a subset of their sensors to forward requests to an actual Apache NiFi instance and within a couple of hours the honeypot was completely compromised. The research can be found here: Machine Learning Risks: Attacks Against Apache NiFi Learn more about your ad choices. Visit megaphone.fm/adchoices
17/06/23·18m 34s

The Cl0p gang moves its way into US government systems. It’ll take multiple showers to rinse out Shampoo malware. Hybrid war update. Arrests and indictments.

The US Government discloses exploitations of MOVEit vulnerabilities, and the Department of Energy is targeted by the Cl0p gang. CISA releases an updated advisory for Telerik vulnerabilities affecting Government servers. Shampoo malware emerges with multiple persistence mechanisms. How the IT Army of Ukraine can exemplify a cyber auxiliary. Russophone gamers are being targeted with ransomware. An alleged LockBit operator has been arrested. The FBI’s Deputy Assistant Director for cyber Cynthia Kaiser joins us with cybercriminal trends and recent successes. Our guest is Will Markow from Lightcast, speaking with Simone Petrella about data-driven strategic workforce decisions. And a federal grand jury indicts the alleged Discord Papers leaker. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/116 Selected reading. US government hit by Russia's Clop in MOVEit mass attack (The Register) Energy Department among ‘several’ federal agencies hit by MOVEit breach (Federal News Network) Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers (CISA) CVE-2019-18935 Detail (NIST) CVE-2017-9248 Detail (NIST) Cryptographic Weakness (Telerik) Shampoo: A New ChromeLoader Campaign (HP) Cyber attacks on Rotterdam and Groningen websites (World Cargo News) The Dynamics of the Ukrainian IT Army’s Campaign in Russia (Lawfare) Watch: Why early failures in Ukraine's counter-offensive aren't Russian victories (The Telegraph) Russian War Report: Anti-Ukrainian counteroffensive narratives fail to go viral (Atlantic Council) Threat Actor Targets Russian Gaming Community With WannaCry-Imitator (Cyble) Hackers infect Russian-speaking gamers with fake WannaCry ransomware (The Record) Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks (CyberScoop) Suspected LockBit ransomware affiliate arrested, charged in US (BleepingComputer) Russian national arrested in US for deploying LockBit ransomware (The Record) Guardsman indicted on charges of disclosing classified national defense information (AP News) Charges Against Alleged Pentagon Leaker Jack Teixeira Explained (Newsweek) Jack Teixeira, Pentagon leaks suspect, indicted by federal grand jury (The Guardian) Learn more about your ad choices. Visit megaphone.fm/adchoices
16/06/23·31m 25s

Chinese threat actors reel in Barracuda appliances. Diicot: the gang formerly known as Mexals, with Romanian ties. Recent Russian cyberespionage against Ukraine and its sympathizers.

A Chinese threat actor exploits a Barracuda vulnerability. The upgraded version of the Android GravityRAT can exfiltrate WhatsApp messages. Cybercriminals pose as security researchers to propagate malware. Updates on the Vidar threat operation. A new Romanian hacking group has emerged. Shuckworm collects intelligence, and may support targeting. The Washington Post’s Tim Starks explains the section 702 debate. Our guest is Rotem Iram from At-Bay with insights on email security. And Russia's Cadet Blizzard. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/115 Selected reading. Android GravityRAT goes after WhatsApp backups (ESET) Quarterly Adversarial Threat Report (Facebook) Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China (Mandiant) GravityRAT - The Two-Year Evolution Of An APT Targeting India (Cisco Talos) Fake Security Researcher GitHub Repositories Deliver Malicious Implant (VulnCheck) Darth Vidar: The Aesir Strike Back (Team Cymru) Tracking Diicot: an emerging Romanian threat actor (Cado Security) Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine (Symantec) Cadet Blizzard emerges as a novel and distinct Russian threat actor (Microsoft) Destructive malware targeting Ukrainian organizations (Microsoft) Learn more about your ad choices. Visit megaphone.fm/adchoices
15/06/23·28m 58s

CISA Alert AA23-165A – Understanding Ransomware Threat Actors: LockBit.

CISA, FBI, the MS-ISAC, and international partners are releasing this Cybersecurity Advisory to detail LockBit ransomware incidents and provide recommended mitigations to enable network defenders to proactively improve their organization’s defenses against this ransomware operation. AA23-165A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. See the Center for Internet Security (CIS) Critical Security Controls (CIS Controls) https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0 for information on strengthening an organization’s cybersecurity posture through implementing a prescriptive, prioritized, and simplified set of best. See the CIS Community Defense Model 2.0 (CDM 2.0) for the effectiveness of the CIS Controls against the most prevalent types of attacks and how CDM 2.0 can be used to design, prioritize, implement, and improve an organization’s cybersecurity program. See Blueprint for Ransomware Defense for a clear, actionable framework for ransomware mitigation, response, and recovery built around the CIS Controls. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
15/06/23·2m 43s

A Joint Advisory on LockBit. AI chatbots: the grammarians of tomorrow. KillNet makes a deal with the Devil (Sec). The private-sector’s piece in the hybrid war puzzle.

The Five Eyes, alongside a couple of allies, issue a LockBit advisory. AI aids in proofreading phishing attacks. Anonymous Sudan mounts nuisance-level DDoS attacks against US companies. France alleges a disinformation campaign conducted by Russian actors. KillNet says it's partnered with the less-well-known Devil Sec. The private cybersecurity industry's effect on the war in Ukraine. Carole Theriault ponders oversharing on social media. Our guest is Duncan Jones from Quantinuum on the threats of Harvest Now, Decrypt Later tactics. And a note on this month’s Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/114 Selected reading. Understanding Ransomware Threat Actors: LockBit (Joint Cybersecurity Advisory) U.S. Measures in Response to the Crisis in Sudan (US Department of State) Generative AI Enables Threat Actors to Create More (and More Sophisticated) Email Attacks (Abnormal Security) France Accuses Russia of Online Disinformation Campaign (Bloomberg) The Private Sector’s Evolving Role in Conflict—From Cyber Assistance to Intelligence (R Street) Microsoft Patches Critical Windows Vulns, Warns of Code Execution Risks (SecurityWeek) Patch Tuesday: Critical Flaws in Adobe Commerce Software (SecurityWeek) Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes (Naked Security) Learn more about your ad choices. Visit megaphone.fm/adchoices
14/06/23·22m 46s

CISA's new Binding Operational Directive. “CosmicEnergy” tool doesn’t pose a cosmic threat. Hackers’ homage to fromage in attacks against the Swiss government. Industry advice for the White House.

CISA issues a new Binding Operational Directive. An update on CosmicEnergy. Hackers’ homage to fromage in attacks against the Swiss government. Ukraine's Cyber Police shut down a pro-Russian bot farm. Clothing and footwear retailers see impersonation and online fraud. A 2021 ransomware attack contributed to a hospital closing. A proof-of-concept exploit of a patched MOVEit vulnerability. An industry letter calls for a new framework on the White House cybersecurity strategy. Joe Carrigan examines a ChatGPT fueled phishing scam. Our guest is Neha Rungta, Applied Science Director at AWS Identity discussing Amazon Verified Permissions. And trends in cyber risks for small and medium businesses. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/113 Selected reading. Binding Operational Directive 23-02 (US Cybersecurity and Infrastructure Security Agency) COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant) Dragos Analysis Determines COSMICENERGY Is Not an Immediate Threat (Dragos) More than 4,000 bots to discredit the Defense Forces of Ukraine and spread propaganda in favor of Russia: the police of Vinnytsia eliminated a large-scale bot farm (Ukraine Cyber Police) Ukraine police raid social media bot farm accused of pro-Russia propaganda (The Record) Widespread Brand Impersonation Scam Campaign Targeting Hundreds of the Most Popular Apparel Brands (Bolster) An Illinois hospital is the first health care facility to link its closing to a ransomware attack (NBC News) Ransomware attack causes Illinois hospital to close (Becker’s Hospital Review) New BlackFog research: 61% of SMBs were victims of a cyberattack in the last year (BlackFog) Switzerland warns that a ransomware gang may have accessed government data (The Record) Swiss government warns of ongoing DDoS attacks, data leak (BleepingComputer) Swiss Government Targeted by Series of Cyber-Attacks (Infosecurity Magazine) DDoS attack on Federal Administration: various Federal Administration websites and applications unavailable (The Federal Council of the Swiss Government) Learn more about your ad choices. Visit megaphone.fm/adchoices
13/06/23·29m 31s

Unpatched instances and vulnerabilities rear their ugly heads. Russian telecom provider targeted in an act of “cyber anarchy.” Alleged crypto heist conspirators face charges.

Attacks against unpatched versions of Visual Studio and win32k continue. Progress Software patches two MOVEit vulnerabilities. The Cyber Anarchy Squad claims to have taken down a Russian telecommunications provider's infrastructure. RomCom resumes its activity in the Russian interest. Deepen Desai of Zscaler describes Nevada ransomware. Our guest is Clarke Rodgers from Amazon Web services with insights on what CISOs say to each other when no one else is listening?. And the Mt. Gox hacking indictment has been unsealed. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/112 Selected reading. Online muggers make serious moves on unpatched Microsoft bugs (The Register) Analysis of CVE-2023-29336 Win32k Privilege Escalation Vulnerability (with POC) (Numen) MOVEit Transfer and MOVEit Cloud Vulnerability (Progress Software) MDE Affected by Global Data Breach (Minnesota Department of Education) Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat (The 74) Ofcom statement on MOVEit cyber attack (Ofcom) Ukrainian hackers take down service provider for Russian banks (BleepingComputer) Pro-Ukraine hackers claim to take down Russian internet provider (The Record) Pro-Ukraine Cyber Anarchy Squad claims the hack of the Russian telecom provider Infotel JSC (Security Affairs) RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine (BlackBerry) Mt. Gox's Hackers Are 2 Russian Nationals, U.S. DOJ Alleges in Indictment (CoinDesk) Russian nationals accused of Mt. Gox bitcoin heist, shifting stolen funds to BTC-e (The Record) Russian Nationals Charged With Hacking One Cryptocurrency Exchange and Illicitly Operating Another (US Department of Justice) Learn more about your ad choices. Visit megaphone.fm/adchoices
12/06/23·28m 7s

Nadir Izrael: Play to your strengths. [CTO] [Career Notes]

Nadir Izrael, co-founder and CTO from Armis, sits down to share his story. Nadir started his love of cyber when he became a software developer at the age of 12. He always had a passion for making things work better and asking questions. Once he joined the 8200 unit in Israel, he was able to focus his interests on physics, which led him to making the discovery of wanting to start his own business. After he started building his company is when he learned to take smart and innovative risks at work and making it a way of life. Nadir shares advice, saying "Playing to your strengths, maximizes the odds of success and every other consideration lowers them inevitably, or at least, uh, um, kind of shrinks, I guess the, the probability space for success." He thinks playing to ones strengths is the best a leader can do to create the most success for their team. We thank Nadir for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
11/06/23·9m 42s

A new botnet takes a frosty bite out of the gaming industry. [Research Saturday]

Our guest, Allen West from Akamai's SIRT team, joins Dave to discuss their research on "The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile." Akamai found this new botnet was targeting the gaming industry, modeled after Qbot, Mirai, and other malware strains. The botnet has expanded to encompass hundreds of compromised devices. The research states "through reverse engineering and patching the malware binary, our analysis determined the botnet's attack potential at approximately 629.28 Gbps with its UDP flood attacks." Akamai researchers do a deep dive into the motives behind the attacks, the effectiveness of the attack, and how the law has been handling similar cases. The research can be found here: The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile Learn more about your ad choices. Visit megaphone.fm/adchoices
10/06/23·19m 28s

“Better Minecraft” improves gameplay, while also lifting your data. Hallucinations, defamation, and legal malpractice, oh my! Asylum Ambuscade and other wartime notes.

Barracuda Networks urges replacement of their gear. Fractureiser infects Minecraft mods. ChatGPT sees a court date over hallucinations and defamation. Asylum Ambuscade engages in both crime and espionage. The US delivers Ukraine Starlink connectivity. DDoS attacks hit the Swiss parliament's website. My conversation with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. Our guest is Delilah Schwartz from Cybersixgill discussing how the Dark Web is evolving with new technologies like ChatGPT. And BEC crooks see their day in court. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/111 Selected reading. Barracuda Email Security Gateway Appliance (ESG) Vulnerability (Barracuda) CVE-2023-2868 (MITRE) ACT government falls victim to Barracuda’s ESG vulnerability (CSO Online) CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances (Rapid7) CVE-2023-2868 Detail (National Institute of Standards and Technology) Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware (Bitdefender) New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linux (BleepingComputer) IN THE SUPERIOR COURT OF FULTON COUNTY (Superior Court of Fulton County) OpenAI Hit With First Defamation Suit Over ChatGPT Hallucination (Bloomberg Law) Learn more about your ad choices. Visit megaphone.fm/adchoices
09/06/23·30m 10s

CISA Alert AA23-158A – #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability.

FBI and CISA are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023. AA23-158A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft | Mandiant MOVEit Transfer Critical Vulnerability (May 2023) - Progress Community MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response (huntress.com) No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
09/06/23·2m 41s

ChatGPT continues to become more human, this time through hallucinations. Following Cl0p. Instagram works against CSAM. And data protection advice from an expert in attacking it.

ChatGPT takes an unexpectedly human turn in having its own version of hallucinations. Updates on Cl0p’s ransom note, background, and recent promises. Researchers look at Instagram’s role in promoting CSAM. A look at KillNet's reboot. Andrea Little Limbago from Interos shares insight on cyber’s human element. Our guest is Aleksandr Yampolskiy from SecurityScorecard on how CISOs can effectively communicate cyber risk to their board. And a hacktivist auxiliary’s stellar advice for protecting your data. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/110 Selected reading. Can you trust ChatGPT’s package recommendations? (Vulcan) Ransomware group Clop issues extortion notice to ‘hundreds’ of victims (The Record) MOVEit cyber attack: Cl0p sparks speculation that it’s lost control of hack (ITpro) Responding to the Critical MOVEit Transfer Vulnerability (CVE-2023-34362) (Kroll) MOVEit Transfer Critical Vulnerability (May 2023) (Progress) Cybergang behind N.S. breach says it erased stolen data, but experts urge caution (CBC Canada) Most SMBs admit to paying ransomware demands - here's why (TechRadar) Instagram Connects Vast Pedophile Network (Wall Street Journal) Addressing the distribution of illicit sexual content by minors online (Stanford University) Rebooting Killnet, a New World Order and the End of the Tesla Botnet (Radware) Learn more about your ad choices. Visit megaphone.fm/adchoices
08/06/23·28m 11s

PowerDrop’s capabilities are up in the air. A Russian cyberespionage campaign channels their inner 007. A disconnect between law firms and cybersecurity protections.

A new PowerShell remote access tool targets a US defense contractor. Current Russian cyber operations against Ukraine are honing in on espionage. CISA and its partners have released a Joint Guide to Securing Remote Access Software. A bug has been reported in Visual Studio’s UI. Awais Rashid from University of Bristol discussing Privacy in health apps. Our guest is Jim Lippie of SaaS Alerts with insights on software as a service Application Security. And are there disconnects between cybersecurity and the legal profession? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/109 Selected reading. PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry (Adlumin) UAC-0099: cyberespionage against state organizations and media representatives of Ukraine (CERT-UA#6710) (CERT-UA) Guide to Securing Remote Access Software (Joint Guide) Imposter Syndrome: UI Bug in Visual Studio Lets Attackers Impersonate Publishers (Varonis) Press Release | ILTA and Conversant Group Release First Cybersecurity Benchmarking Survey of the Legal Industry (International Legal Technology Association) Learn more about your ad choices. Visit megaphone.fm/adchoices
07/06/23·26m 14s

Cl0p moves their way into the systems of major European companies. Notes from a highly active cyber underworld. And hybrid war updates.

The Cl0p gang claims responsibility for the MOVEit file transfer vulnerability. Verizon’s DBIR is out. Palo Alto Networks takes a snapshot of last year’s threat trends. A new criminal campaign targets Android users wishing to install modified apps. A smishing campaign is expanding into the Middle East. Cisco observes compromised vendor and contractor accounts as an access point for network penetration. Cyclops ransomware acts as a dual threat. Anonymous Sudan demands $1 million to stop attacks on Microsoft platforms. Ben Yelin explains a groundbreaking decision on border searches. Our guest is Matt Caulfield of Oort with insights on identity security. And a deepfaked martial law announcement airs on Russian provincial radio stations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/108 Selected reading. Clop ransomware claims responsibility for MOVEit extortion attacks (BleepingComputer) CVE-2023-34362 Detail (National Institute of Standards and Technology) Microsoft links Clop ransomware gang to MOVEit data-theft attacks (BleepingComputer) BA, BBC and Boots hit by cyber security breach with contact and bank details exposed (Sky News) 2023 Data Breach Investigations Report (Verizon) 2023 Unit 42 Network Threat Trends Research Report (Unit 42) Tens of Thousands of Compromised Android Apps Found by Bitdefender Anomaly Detection Technology (Bitdefender) Chinese-speaking phishing ring behind latest fake fee scam targeting Middle East; another campaign exposed (Group-IB) Adversaries increasingly using vendor and contractor accounts to infiltrate networks (Cisco Talos) Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat (Uptycs) U.S. Measures in Response to the Crisis in Sudan (US Department of State) Microsoft's Outlook.com is down again on mobile, web (BleepingComputer) Kremlin: fake Putin address broadcast on Russian radio stations after 'hack' (Reuters) Deep fake video of Putin declaring martial law is broadcast in parts of Russia (Semafor) Peskov called "Putin's emergency appeal" shown on some TV networks as a hack (TASS) Proceedings of the 2023 U.S.-Ukraine Cyber Dialogue (US Department of State) Learn more about your ad choices. Visit megaphone.fm/adchoices
06/06/23·30m 27s

Need a Lyft? Not if Anonymous Sudan has anything to say about it. Closing time, open all the doors and let KillNet into the world.

Anonymous Sudan responds to remarks from the US Secretary of State by targeting Lyft and American hospitals. NSA releases an advisory on North Korean spearphishing campaigns. The US government’s Moonlighter satellite will test cybersecurity in orbit. "Operation Triangulation" offers an occasion for Russia to move closer to IT independence. The SEC drops cases over improper access to Adjudication Memoranda. Executives and board members are easy targets for threat actors trolling for sensitive information. Rick Howard targets Zero Trust. The FBI’s Deputy Assistant Director for Cyber Cynthia Kaiser shares trends from the IC3 Annual Report. And KillNet seems to say it's disbanding…or is it? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/107 Selected reading. U.S. Measures in Response to the Crisis in Sudan (US Department of State) U.S., ROK Agencies Alert: DPRK Cyber Actors Impersonating Targets to Collect Intelligence (US National Security Agency) North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media (Joint Cybersecurity Advisory) CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency) CVE-2023-34362 Detail (National Institute of Standards and Technology) Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft (Mandiant) SpaceX launch sends upgraded solar arrays to International Space Station (Spaceflight Now) Moonlighter Fact Sheet (The Aerospace Corporation) Uncle Sam wants DEF CON hackers to pwn this Moonlighter satellite in space (The Register) Russia wants 2 million phones with home-grown Aurora OS for use by officials (The Record) Russia accuses U.S. of hacking thousands of iPhones (Axios) Operation Triangulation: iOS devices targeted with previously unknown malware (Kaspersky) Operation Triangulation: Mysterious attack on iPhones (ComputerBild) Killnet hacktivists say they’re disbanding (Cybernews) Second Commission Statement Relating to Certain Administrative Adjudications (US Securities and Exchange Commission) Ponemon: Understanding the Serious Risks to Executives’ Personal Cybersecurity & Digital Lives (BlackCloak) Learn more about your ad choices. Visit megaphone.fm/adchoices
05/06/23·25m 27s

Galit Lubetzky Sharon: Doing your chores brings the best out in you. [CTO] [Career Notes]

Galit Lubetzky Sharon, Co-Founder and CTO of Wing Security sits down to share her story and how years in the business lead her to be where she is now. Galit shares her insights from her experiences co-founding her company and bringing it out of stealth mode in early 2022, including why she saw the need for Wing Security and what lessons she learned in the process of founding and launching the company. She started her career as a Colonel in the 8200 Unit gives her a unique perspective on the cyber industry. Galit also shares what she does when things get stressful to help calm her down in the moment and help her clear her head. She says "I think it's very important to do things that you love. It should be something that you come and you bring yourself and your passion and, uh, finding yourself the occupation, the chores, the, the tasks that you love to do brings the, the best out of you." We thank Galit for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
04/06/23·9m 17s

Lancefly screams bloody Merdoor.

Brigid O Gorman from Symantec joins Dave to discuss their research, “Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors." Researchers discovered in 2020 that Lancefly, an APT group, is using a custom-written backdoor in attacks targeting government, aviation, educations, and telecoms organizations in South and Southeast Asia. The research states "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted." These targets, though observed in some activity in 2020 and 2021, started in 2022 and have continued into 2023. The research can be found here: Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors Learn more about your ad choices. Visit megaphone.fm/adchoices
03/06/23·16m 36s

Hackers like to move it, move it. Skimmers observed targeting Americas and Europe. Hybrid war activity.

MOVEit Transfer software sees exploitation. A website skimmer has been employed against targets in the Americas and Europe. A look into XeGroup's recent criminal activity. Apple denies the FSB’s allegations of collusion with NSA. Kaspersky investigates compromised devices. Johannes Ullrich from SANS describes phony YouTube "live streams". Our guest is Sherry Huang from William and Flora Hewlett Foundation to discuss their grants funding cyber policy studies. And the US Department of Defense provides Starlink services to Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/106 Selected reading. MOVEit Transfer Critical Vulnerability (May 2023) (Progress Software) Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability (Rapid7) New MOVEit Transfer zero-day mass-exploited in data theft attacks (BleepingComputer) Hackers use flaw in popular file transfer tool to steal data, researchers say (Reuters) New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others (Akamai) Not your average Joe: An analysis of the XeGroup’s attack techniques (Menlo Security) Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin (The Hacker News) Apple denies surveillance claims made by Russia's FSB (Reuters) FSB uncovers US intelligence operation via malware on Apple mobile phones (TASS) Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own (WIRED) Operation Triangulation: iOS devices targeted with previously unknown malware (Kaspersky) Lithuania becomes first to designate Russia as terrorist state (CSCE) Pentagon confirms SpaceX deal for Ukraine Starlink services (C4ISRNET) Learn more about your ad choices. Visit megaphone.fm/adchoices
02/06/23·30m 16s

Firmware comes in through the back door. Leveraging Adobe for credential harvesting. C2C market notes. Hybrid war updates.

A backdoor-like issue has been found in Gigabyte firmware. A credential harvesting campaign impersonates Adobe. The Dark Pink gang is active in southeastern Asia. Mitiga discovers a “significant forensic discrepancy” in Google Drive. "Spyboy" is for sale in the C2C market. A look at Cuba ransomware. Ukrainian hacktivists target the Skolkovo Foundation. The FSB says NSA breached iPhones in Russia. Carole Theriault examines Utah's social media bills aimed at kids online. Our guest is Tucker Callaway of Mezmo to discuss the rise of telemetry pipelines. And spoofing positions and evading sanctions. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/105 Selected reading. Supply Chain Risk from Gigabyte App Center backdoor (Eclypsium) Ado-be-gone: Armorblox Stops Adobe Impersonation Attack (Armorblox) Dark Pink back with a bang: 5 new organizations in 3 countries added to victim list (Group-IB) Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign (CyberScoop) Suspected State-Backed Hackers Hit Series of New Targets in Europe, SE Asia (Insurance Journal) Mitiga Security Advisory: Lack of Forensic Visibility with the Basic License in Google Drive (Mitiga) 2023-05-31 // SITUATIONAL AWARENESS // Spyboy Defense Evasion Tool Advertised Online (Reddit) An In-Depth Look at Cuba Ransomware (Avertium) Russia’s ‘Silicon Valley’ hit by cyberattack; Ukrainian group claims deep access (The Record) Russia says U.S. accessed thousands of Apple phones in spy plot (Reuters) Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil (The New York Times Learn more about your ad choices. Visit megaphone.fm/adchoices
01/06/23·26m 15s

Two RAT infestations. Ghosts of sites past. Trends in identity security. Detecting deepfakes may prove more difficult than you think.

SeroXen is a new elusive evolution of the Quasar RAT that seems to live up to its hype, and DogeRAT is a cheap Trojan targeting Indian Android users. Salesforce ghost sites see abuse by malicious actors. A look into identity security trends. People may be overconfident in their ability to detect deepfakes. Deepen Desai from Zscaler describes a campaign targeting Facebook users. CW Walker from Spycloud outlines identity exposure in the Fortune 1000. And a blurring of the lines between criminal, hacktivist, and strategic motivations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/104 Selected reading. SeroXen RAT for sale (AT&T Cybersecurity) Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users (The Hacker News) DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries (CloudSek) Ghost Sites: Stealing Data From Deactivated Salesforce Communities (Varonis) 2023 Trends in Securing Digital Identities (Identity Defined Security Alliance) Jumio 2023 Online Identity Consumer Study (Jumio) Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals (Trend Micro) Ukraine's DELTA Military System Users Under Attack from Info Stealing Malware (The Hacker News) Learn more about your ad choices. Visit megaphone.fm/adchoices
31/05/23·26m 16s

Mirai’s new variant targets IoT devices. Volt Typhoon investigation continues. Hacktivism in Senegal. Lessons learned from Ukraine.

New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices. The latest on Volt Typhoon. DDoS hits government sites in Senegal. The Pentagon's cyber strategy incorporates lessons from Russia's war, while the EU draws lessons from Ukraine's performance against Russia. Joe Carrigan explains Mandiant research on URL obfuscation. Mr. Security Answer Person John Pescatore plays security whack-a-mole. And NoName disrupts a British airport. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/103 Selected reading. Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices (Unit 42) US officials believe Chinese hackers may still have access to key US computer networks (CNN) Chinese state-sponsored hackers infiltrated U.S. naval infrastructure, secretary of the Navy says (CNBC) US military intelligence also targeted by Chinese hackers behind critical infrastructure compromise (SC Magazine) Senegalese government websites hit with cyber attack (Reuters) DOD Transmits 2023 Cyber Strategy (US Department of Defense) Fact Sheet: 2023 DOD Cyber Strategy (US Department of Defense) Lessons from the war in Ukraine for the future of EU defence (European Union External Action) Investigation Launched After London City Airport Website Hacked (Simple Flying) Maryland high school listed on Zillow for $42K in ‘creative’ senior prank (New York Post) Learn more about your ad choices. Visit megaphone.fm/adchoices
30/05/23·24m 33s

Stacy Dunn: My superpower and my kryptonite. [Engineer] [Career Notes]

Stacy Dunn, a Senior Solutions Engineer from the SANS Institute sits down and shares what it is like to work through her own adversity to get to be where she is today. Stacy shares some of her experiences as a woman with ADHD working in an IT career and explains her tips for other neurodiverse people in the field. After working in a wide array of positions in different fields, she wanted to go back to school to get her degree in management information systems and information assurance. Eventually she started working her way up the ladder, and became a very successful woman in the IT world. She shares her struggles with ADHD as she was making the climb and says "It's both a superpower and kryptonite because I think something that is a fundamental misunderstanding of most people, and maybe even some people that do have ADHD, is that it's not just the aspect of not being able to focus, it's also an aspect of focusing too much." We thank Stacy for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
28/05/23·9m 47s

8 GoAnywhere MFT breaches and counting. [Research Saturday]

This week, our guests are Emily Austin and Himaja Motheram from Censys and their sharing their research - "Months after first GoAnywhere MFT zero-day attacks, Censys still sees about 180 public admin panels." In early February 2023, Censys researchers discovered a zero-day RCE vulnerability in Fortra’s “GoAnywhere MFT” (Managed File Transfer) software. After finding this the Clop ransomware gang claimed that they exploited this vulnerability to breach the data of 130 organizations and Censys found other ransomware groups were jumping on the bandwagon. They said " A single vulnerable instance has the potential to serve as a gateway to a data breach that could potentially impact millions of individuals." The research can be found here: Months after first GoAnywhere MFT zero-day attacks, Censys still sees ~180 public admin panels Learn more about your ad choices. Visit megaphone.fm/adchoices
27/05/23·17m 43s

CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming. Updates on Volt Typhoon. Legion malware upgraded for the cloud. Natural-disaster-themed online fraud.

CosmicEnergy is OT and ICS malware from Russia, maybe for red teaming, maybe for attack. Updates on Volt Typhoon, China’s battlespace preparation in Guam and elsewhere. In the criminal underworld, Legion malware has been upgraded for the cloud. Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. And Atlantic hurricane season officially opens next week: time to batten down those digital hatches.  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/102 Selected reading. COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant) People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory) Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft)  China hits back at 'the empire of hacking' over Five Eyes US cyber attack claims (ABC) Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker (Cado) Legion Malware Upgraded to Target SSH Servers and AWS Credentials (Hacker News) CISA Warns of Hurricane/Typhoon-Related Scams (Cybersecurity and Infrastructure Security Agency CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices
26/05/23·26m 57s

Volt Typhoon goes undetected by living off the land. New gang, old ransomware. KillNet says no to slacker hackers.

China's Volt Typhoon snoops into US infrastructure, with special attention paid to Guam. Iranian cybercriminals are seen conducting ops against Israeli targets. A new ransomware gang uses recycled ransomware. A persistent Brazilian campaign targets Portuguese financial institutions. A new botnet targets the gaming industry. Phishing attempts impersonate OpenAI. Pro-Russian geolocation graffiti. Andrea Little Limbago from Interos addresses the policy implications of ChatGPT. Our guest is Jon Check from Raytheon Intelligence & Space, on cybersecurity and workforce strategy for the space community. And KillNet says no to slacker hackers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/101 Selected reading. People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory) Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft) Chinese hackers spying on US critical infrastructure, Western intelligence says (Reuters) Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations (Check Point) Iran-linked hackers Agrius deploying new ransomware against Israeli orgs (The Record) Iranian Hackers Set Sights On Israeli Shipping & Logistics Firms (Information Security Buzz) Fata Morgana: Watering hole attack on shipping and logistics websites (ClearSky Security) Iran suspect in cyberattack targeting Israeli shipping, financial firms (Al-Monitor) Buhti: New Ransomware Operation Relies on Repurposed Payloads (Symantec) Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII (SentinelOne) The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile (Akamai) Fresh Phish: ChatGPT Impersonation Fuels a Clever Phishing Scam (INKY) Learn more about your ad choices. Visit megaphone.fm/adchoices
25/05/23·32m 43s

CISA Alert AA23-144A – People's Republic of China state-sponsored cyber actor living off the land to evade detection. [CISA Cybersecurity Alerts]

Cybersecurity authorities are issuing this joint Cybersecurity Advisory to highlight a recent cluster of activity associated with a People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon.  AA23-144A Alert, Technical Details, and Mitigations Active Directory and domain controller hardening: Best Practices for Securing Active Directory | Microsoft Learn CISA regional cyber threats: China Cyber Threat Overview and Advisories Microsoft Threat Intelligence blog: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
25/05/23·2m 43s

Cybercriminals favor cyberespionage in North Korea, Russia, and parts unknown. Movements and activity in the cyber underworld.

Kimsuky's tailored reconnaissance tools. GoldenJackal is an APT quietly active since 2019. Criminals target Youtube viewers with free cracked software. Rheinmetall’s data was posted to BlackBasta's extortion site. The "Cuba" gang claims credit for the attack on the Philadelphia Inquirer. CERT-UA identifies a probable Russian cyberespionage campaign. Ireland views cyber assistance to Ukraine as a contribution to collective security. Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black Tech. Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy. And KillNet's underperforming hacktivists. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/100 Selected reading. Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit (SentinelOne) North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (The Hacker News) Meet the GoldenJackal APT group. Don’t expect any howls (Kaspersky) Follina — a Microsoft Office code execution vulnerability (DoublePulsar) YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner (FortiGuard Labs) Arms maker Rheinmetall confirms BlackBasta ransomware attack (Bleeping Computer) Inquirer and forensics team investigating computer disruptions to publishing (Philadelphia Inquirer) Cuba ransomware claims cyberattack on Philadelphia Inquirer (Bleeping Computer) Espionage activity UAC-0063 in relation to Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, India (CERT-UA#6549) (CERT-UA) Ukraine Identifies Central Asian Cyberespionage Campaign (BankInfoSecurity) Ireland’s cyber security agency has been providing ‘non-lethal aid’ to Ukraine (Irish Times) Learn more about your ad choices. Visit megaphone.fm/adchoices
24/05/23·26m 8s

BlackCat gang crosses your path and evades detection. You’re just too good to be true, can’t money launder for you. Commercial spyware cases.

AhRat exfiltrates files and records audio on Android devices. The BlackCat ransomware group uses a signed kernel driver to evade detection. GUI-Vil in the cloud. Unwitting money mules. Ben Yelin unpacks the Supreme Court’s section 230 rulings. Our guest is Mike DeNapoli from Cymulate with insights on cybersecurity effectiveness. And a trio of commercial spyware cases. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/99 Selected reading. Android app breaking bad: From legitimate screen recording to file exfiltration within a year (ESET) Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials (ESET) BlackCat Ransomware Deploys New Signed Kernel Driver (Trend Micro) Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor (Permiso) Uncle Sam strangles criminals' cashflow by reining in money mules (The Register) German prosecutors charge four over violating trade act to sell spyware to Turkey (Washington Post) Israel Torpedoed Morocco Spyware Deal - and NSO Competitor QuaDream Shut Down (Haaretz) He Was Investigating Mexico’s Military. Then the Spying Began. (New York Times) Learn more about your ad choices. Visit megaphone.fm/adchoices
23/05/23·29m 32s

Record GDPR fine. Movements in the cyber underworld. FBI found to have overstepped surveillance authorities.

The EU fines Meta for transatlantic data transfers. FIN7 returns, bearing Cl0p ransomware. Python Package Index temporarily suspends new registrations due to a spike in malicious activity. Typosquatting and TurkoRAT. UNC3944 uses SIM swapping to gain access to Azure admin accounts. A Turla retrospective. Rick Howard tackles workforce development. Our guest is Andrew Peterson of Fastly to discuss the intricate challenges of secure software development. And the FBI was found overstepping its surveillance authorities. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/98 Selected reading. Meta Fined $1.3 Billion Over Data Transfers to U.S. (Wall Street Journal) Meta fined record $1.3 billion and ordered to stop sending European user data to US (AP News) Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks (The Hacker News) Researchers tie FIN7 cybercrime family to Clop ransomware (The Record) Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware (Security Affairs) PyPI new user and new project registrations temporarily suspended. (Python) PyPI repository restored after temporarily suspending new activity (Computing) RATs found hiding in the NPM attic (ReversingLabs) Legitimate looking npm packages found hosting TurkoRat infostealer (CSO Online) SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack (Mandiant) Mozilla Explains: SIM swapping (Mozilla) The Underground History of Russia’s Most Ingenious Hacker Group (WIRED) Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service (US Department of Justice) Hunting Russian Intelligence “Snake” Malware (CISA) FBI misused intelligence database in 278,000 searches, court says (Reuters) FBI misused controversial surveillance tool to investigate Jan. 6 protesters (The Record) FBI broke rules in scouring foreign intelligence on Jan. 6 riot, racial justice protests, court says (AP News) Learn more about your ad choices. Visit megaphone.fm/adchoices
22/05/23·27m 5s

Cybersecurity moneyball: First principles applied to the workforce gap. [CSO Perspectives]

Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, the cybersecurity workforce skills gap with N2K’s President, Simone Petrella regarding how security professionals might learn from the movie “Moneyball” about how to train their team in the aggregate about first principles. Learn more about your ad choices. Visit megaphone.fm/adchoices
22/05/23·39m 52s

Dawn Cappelli: Becoming the cyber fairy godmother. [OT] [Career Notes]

Dawn Cappelli, OT CERT Director at Dragos, sits down to share what she has learned after her 25+ year career in the industry. She recalls wanting to have been a rockstar when she grew up, now she refers to herself as the fairy godmother of security. She shares some of the amazing things she got to work on throughout her career, including working with the Secret Service when the Olympics came to Salt Lake City, Utah in 2002. She shares how she was able to rise through the ranks to get to where she is now. Dawn talks about how she wasn't ready to retire quite yet because she loved the industry so much, saying "I retired, but I knew I still loved security. I have this passion for protection and so Dragos came along and they offered me this role of Director of OT CERT. I feel like I'm the security fairy godmother." She shares words of wisdom for all trying to get into the industry, saying that you need to always take the risk like she did when she first started her career. We thank Dawn for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
21/05/23·10m 2s

Dangerous vulnerabilities in H.264 decoders. [Research Saturday]

Willy R. Vasquez from The University of Texas at Austin discussing research on "The Most Dangerous Codec in the World - Finding and Exploiting Vulnerabilities in H.264 Decoders." Researchers are looking at the marvel that is modern video encoding standards such as H.264 for vulnerabilities and ultimately hidden security risks. The research states "We introduce and evaluate H26FORGE, domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files." Using H26FORCE, they were able to uncover insecurities in depth across the video decoder ecosystem, including kernel memory corruption bugs in iOS and video accelerator and application processor kernel memory bugs in Android devices. The research can be found here: The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders Learn more about your ad choices. Visit megaphone.fm/adchoices
20/05/23·24m 19s

Section 230 survives court tests. Pre-infected devices. IRS cyber attachés. DraftKings hack indictment. Notes on the hybrid war.

Section 230 survives SCOTUS. Lemon Group's pre-infected devices. The IRS is sending cyber attachés to four countries in a new pilot program. A Wisconsin man is charged with stealing DraftKings credentials. Russian hacktivists conduct DDoS attacks against Polish news outlets. An update on RedStinger. Grayson Milbourne from OpenText Cybersecurity discusses IoT and the price we pay for convenience. Our guest is Matthew Keeley with info on an open source domain spoofing tool, Spoofy. And war principles and hacktivist auxiliaries. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/97 Selected reading. “Honey, I’m Hacked”: Ethical Questions Raised by Ukrainian Cyber Deception of Russian Military Wives (Just Security) A Mysterious Group Has Ties to 15 Years of Ukraine-Russia Hacks (Wired) CloudWizard APT: the bad magic story goes on (SecureList) Ukraine at D+441: Skirmishing along the line of contact, and in cyberspace. (The CyberWire) Russian dissident gets three years in prison colony for DDoS attacks on military website (Cybernews) Europe: The DDoS battlefield (Help Net Security) Russian hackers hit Polish news sites in DDoS attack (Cybernews) 18-year-old charged with hacking 60,000 DraftKings betting accounts (Bleeping Computer) Garrison Complaint (Department of Justice) IRS-CI deploys 4 cyber attachés to locations abroad to combat cybercrime (IRS) IRS deploys cyber attachés to fight cybercrime abroad (The Hill) Cybercrime gang pre-infects millions of Android devices with malware (Bleeping Computer) This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide (The Hacker News) Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices (Trend Micro) Learn more about your ad choices. Visit megaphone.fm/adchoices
19/05/23·27m 50s

BEC attack exploits Dropbox services. Ransomware in the name of charity. API protection trends. Hybrid war hacktivism. Executive digital protection.

Business email compromise (BEC) exploits legitimate services. A hacktivist ransomware group demands charity donations for encrypted files. Trends and threats in API protection. The effects of hacktivism on Russia's war against Ukraine. Executive digital protection. Deepen Desai of Zscaler explains security risks in OneNote. Our guest is Ajay Bhatia of Veritas Technologies with advice for onboarding new employees. And news organizations as attractive targets. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/96 Selected reading. Leveraging Dropbox to Soar Into Inbox (Avanan) MalasLocker ransomware targets Zimbra servers, demands charity donation (Bleeping Computer) Shadow API Usage Surges 900%, Revealing Alarming Lack of API Visibility Among Enterprises (Business Wire) APIs are Top Cybersecurity Priority for Most Organizations, Yet 40% Do Not Have an API Security Solution (PR Newswire) Evolving Cyber Operations and Capabilities (CSIS) Following the long-running Russian aggression against Ukraine. (The CyberWire) Executive Digital Protection whitepaper (Agency) The Philadelphia Inquirer’s operations continue to be disrupted by a cyber incident (The Philadelphia Inquirer) Cyberattack at the Philadelphia Inquirer. (The CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
18/05/23·25m 57s

CISA Alert AA23-136A – #StopRansomware: BianLian Ransomware Group. [CISA Cybersecurity Alerts]

FBI, CISA, and the Australian Cyber Security Centre are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023. AA23-136A Alert, Technical Details, and Mitigations AA23-136A.STIX_.xml Stopransomware.gov, a whole-of-government approach with one central location for U.S. ransomware resources and alerts. cyber.gov.au for the Australian Government’s central location to report cyber incidents, including ransomware, and to see advice and alerts. The site also provides ransomware advisories for businesses and organizations to help mitigate cyber threats. CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for guidance on mitigating and responding to a ransomware attack No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
18/05/23·2m 52s

A joint warning on BianLian ransomware. Fleeceware offers AI as bait for the gullible. Cyberespionage updates. And Ukraine formally joins NATO’s CCDCOE.

Cyber agencies warn of BianLian ransomware. There’s a new gang using leaked Baduk-based ransomware. Chinese government-linked threat actors target TP-link routers with custom malware. ChatGPT-themed fleeceware is showing up in online stores. Ukraine is now a member of NATO's Cyber Centre. Tim Starks from the Washington Post shares insights on section 702 renewal. Our guest is Ismael Valenzuela from BlackBerry sharing the findings from their Global Threat Intelligence Report. And the CIA's offer to Russian officials may have had some takers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/95 Selected reading. #StopRansomware: BianLian Ransomware Group (Cybersecurity and Infrastructure Security Agency CISA)  Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code (Cisco Talos Blog)  The Dragon Who Sold His Camaro: Analyzing Custom Router Implant (Check Point Research) Fake ChatGPT Apps Scam Users Out of Thousands of Dollars, Sophos Reports (GlobeNewswire News Room)  Ukraine joins NATO Cyber Centre (Computing)  Russian Officials Unnerved by Ukraine Bloodshed Are Contacting CIA, Agency Says (Wall Street Journal) Learn more about your ad choices. Visit megaphone.fm/adchoices
17/05/23·28m 22s

What is data centric security and why should anyone care? [CyberWire-X]

In today’s world, conventional cyber thinking remains largely focused on perimeter-centric security controls designed to govern how identities and endpoints utilize networks to access applications and data that organizations possess internally. Against this backdrop, a group of innovators and security thought leaders are exploring a new frontier and asking the question: shouldn’t there be a standard way to protect sensitive data regardless of where it resides or who it’s been shared with? It’s called “data-centric” security and it’s fundamentally different from “perimeter-centric” security models. Practicing it at scale requires a standard way to extend the value of “upstream” data governance (discovery, classification, tagging) into “downstream” collaborative workflows like email, file sharing, and SaaS apps. In this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner explore modern approaches for applying and enforcing policy and access controls to sensitive data which inevitably leaves your possession but still deserves just as much security as the data that you possess internally. Rick and Dave are joined by guests Bill Newhouse, Cybersecurity Engineer at National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE), and Dana Morris, Senior Vice President for Product and Engineering of our episode sponsor Virtru.  Learn more about your ad choices. Visit megaphone.fm/adchoices
17/05/23·33m 26s

DDoS trends. Asia sees a Lancefly infestation. Lessons from cyber actuaries. Infostealers in the C2C market. False flags.

DDoS "carpet bombing." Lancefly infests Asian targets. Cyber insurance trends. Infostealers in the C2C market. A Russian espionage service is masquerading as a criminal gang. KillNet’s running a psyop radio station of questionable quality. Joe Carrigan describes baiting fraudsters with fake crypto. Our guest is Gemma Moore of Cyberis talking about how red teaming can upskill detection and response teams. And geopolitical DDoS. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/94 Selected reading. 2023 DDoS Threat Intelligence Report (Corero) Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors (Symantec) 2023 Cyber Claims Report (Coalition) The Growing Threat from Infostealers (Secureworks) Cybercriminals who targeted Ukraine are actually Russian government hackers, researchers say (TechCrunch) DDoS Attacks Targeting NATO Members Increasing (Netscout) Following the long-running Russian aggression against Ukraine. (The CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
16/05/23·26m 5s

Ransomware, doxxing, and data breaches, oh my! State fronts and cyber offensives.

Discord sees a third-party data breach. Black Basta conducts a ransomware attack against technology company ABB. Intrusion Truth returns to dox APT41. Anonymous Sudan looks like a Russian front operation. Attribution and motivation of "RedStinger" remain murky. CISA summarizes Russian cyber offensives. Remote code execution exploits Ruckus in the wild. Our guest is Dave Russell from Veeam with insights on data protection. Matt O'Neill from the US Secret Service on their efforts to thwart email compromise and romance scams. And espionage by way of YouTube comments. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/93 Selected reading. Discord discloses data breach after support agent got hacked (Bleeping Computer) Discord suffered a data after third-party support agent was hacked (Security Affairs) Multinational tech firm ABB hit by Black Basta ransomware attack (Bleeping Computer) Breaking: ABB confirms cyberattack; work underway to restore operations (ET CISO) Black Basta conducts ransomware attack against Swiss technology company ABB (The CyberWire) They dox Chinese hackers. Now, they’re back. (Washington Post) What’s Cracking at the Kerui Cracking Academy? (Intrusion Truth) Posing as Islamists, Russian Hackers Take Aim at Sweden (Bloomberg) Anonymous Sudan: Threat Intelligence Report (TrueSec) Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020 (Malwarebytes) Russian ‘Red Stealer’ cyberattacks target breakaway territories in Ukraine (Cybernews) Russia Cyber Threat Overview and Advisories (CISA) Known Exploited Vulnerabilities Catalog (CISA) CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA) CISA warns of critical Ruckus bug used to infect Wi-Fi access points (Bleeping Computer) Security Bulletins (Ruckus) ROK union leaders charged with spying for North Korea in ‘movie-like’ scheme (NK News) Learn more about your ad choices. Visit megaphone.fm/adchoices
15/05/23·32m 14s

Steve Benton: Mixing like a DJ. [VP] [Career Notes]

Steve Benton, Vice President at Anomali Threat Research & GM Belfast, sits down to share his story as a cybersecurity expert with a surplus of strategic leadership experience across cyber and physical security rooted in substantial operational directorship and accountability. Steve shares his beginnings, where he wanted to grow up to be a rockstar, slowly moving into the world of tech with his first ever computer and falling in love with it. After graduating from Queens University with a degree in information technology, he joined British Telecommunications or BT, where he got to put his new found skills to use. Steve mentions how his job is kind of like being a DJ almost and says " a typical day for me is looking at the intelligence that we're bringing in, mixing it as it were to think of a slight, like DJs with a set of headphones on creating the right kind of mixes of intelligence for our clients." We thank Steve for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
14/05/23·9m 26s

Running away from operation Tainted Love. [Research Saturday]

Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs join Dave to discuss their research "Operation Tainted Love | Chinese APTs Target Telcos in New Attacks." Researchers found initial phases of attacks against telecommunication providers in the Middle East in Q1 in 2023. The research states "We assess that this activity represents an evolution of tooling associated with Operation Soft Cell." While the exact grouping is unclear, researchers think it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41. The research can be found here: Operation Tainted Love | Chinese APTs Target Telcos in New Attacks Learn more about your ad choices. Visit megaphone.fm/adchoices
13/05/23·22m 48s

CISA Alert AA23-131A – Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG.

FBI and CISA are releasing this joint Cybersecurity Advisory in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF, software applications that help organizations manage printing services, and enables an unauthenticated actor to execute malicious code remotely without credentials.  AA23-131A Alert, Technical Details, and Mitigations PaperCut: URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) Huntress: Critical Vulnerabilities in PaperCut Print Management Software No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
12/05/23·2m 36s

Babuk resurfaces for criminal inspiration. Alert on PaperCut vulnerability exploitation. Too many bad bots. Phishing-as-a-service in the C2C market. KillNet's PMHC regrets.

Babuk source code provides criminal inspiration. CISA and FBI release a joint report on PaperCut. There are more bad bots out there than anyone would like. Phishing-as-a-service tools in the C2C market. CISA’s Eric Goldstein advocates the adoption of strong controls, defensible networks and coordination of strategic cyber risks. Our cyberwire producer Liz Irvin speaks with Crystle-Day Villanueva, Learning and Development Specialist for Lumu Technologies. And KillNet’s short-lived venture, with a dash of regret. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/92 Selected reading. Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers (Bleeping Computer) Ransomware actors adopt leaked Babuk code to hit Linux systems (Decipher) Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers (SentinelOne) Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG (CISA) CVE-2023-27350 Detail (NIST) Proofpoint Emerging Threats Rules (Proofpoint) 2023 Imperva Bad Bot Report (Imperva) New phishing-as-a-service tool “Greatness” already seen in the wild (Cisco Talos) Ukraine at D+442: Russians say the Ukrainian counteroffensive has begun. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
12/05/23·27m 30s

Ransomware and social engineering trends. Expired certificate addressed. Ransomware groups target schools. Cyber updates in the hybrid war.

A Ransomware report highlights targeting and classification. Phishing remains a major threat. Cisco addresses an expired certificate issue. LockBit and Medusa hit school districts with ransomware. US and Canadian cyber units wrap up a hunt-forward mission in Latvia. Ben Yelin on NYPD surveillance. Our CyberWire producer Liz Irvin interviews Damien Lewke, a graduate student at MIT. And an unknown threat actor is collecting against both Russia and Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/91 Selected reading. GRIT Ransomware Report: April 2023 (GuidePoint Security) DNSFilter State of Internet Security - Q1 2023 (DNSFilter) Identify vEdge Certificate Expired on May 9th 2023 (Cisco) The State of Ransomware Attacks in Education 2023: Trends and Solutions (Veriti) US Cyber Command 'Hunts Forward' in Latvia (Voice of America) US cyber team unearths malware during ‘hunt-forward’ mission in Latvia (C4ISRNET) Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020 (Malwarebytes) Bad magic: new APT found in the area of Russo-Ukrainian conflict (Kaspersky) Learn more about your ad choices. Visit megaphone.fm/adchoices
11/05/23·24m 44s

CISA Alert AA23-129A – Hunting Russian intelligence “Snake” malware.

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service, or FSB, for long-term intelligence collection on sensitive targets. AA23-129A Alert, Technical Details, and Mitigations For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
11/05/23·3m 19s

Five Eyes disrupt FSB’s Snake malware. From DDoS to cryptojacking. Ransomware trends. Yesterday’s Patch Tuesday is in the books.

The Five Eyes disrupt Russia’s FSB Snake cyberespionage infrastructure. Shifting gears: from DDoS to cryptojacking. Trends in ransomware. Our guest is Steve Benton from Anomali with insights on potential industry headwinds. Ann Johnson from Afternoon Cyber Tea speaks with Roland Cloutier about risk and resilience in the modern era. And yesterday’s Patch Tuesday is now in the books, including a work-around for a patch from this past March. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/90 Selected reading. Patch Tuesday notes. (The CyberWire) U.S. Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide (US National Security Agency) Hunting Russian Intelligence “Snake” Malware (Joint Cybersecurity Advisory) RapperBot DDoS Botnet Expands into Cryptojacking (Fortinet) The State of Ransomware 2023 (Sophos) From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API (Akamai) Windows MSHTML Platform Security Feature Bypass Vulnerability (Microsoft) Learn more about your ad choices. Visit megaphone.fm/adchoices
10/05/23·27m 54s

State-sponsored and state-promoted cyber campaigns. A look at Royal ransomware. A new wave of BEC. Man-in-the-middle attacks rising.

An analysis of Royal ransomware. PaperCut vulnerability detection methods can be bypassed. Man-in-the-middle phishing attacks are on the rise. A new wave of BEC attacks from an unexpected source. Thomas Etheridge from CrowdStrike, has the latest threat landscape trends. Our guest is Dan Amiga of Island with insights on the enterprise browser category. And a look into recent Russian cyberattacks against Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/89 Selected reading. Threat Assessment: Royal Ransomware (Unit 42) PaperCut Exploitation - A Different Path to Code Execution (VulnCheck) New PaperCut RCE exploit created that bypasses existing detections (Bleeping Computer) Man-in-the-Middle (MitM) attacks reaching inboxes increase 35% since 2022 (Cofense) Exploring the Rise of Israel-Based BEC Attacks (Abnormal Security) Russians launch mass cyber attack on online service for queueing to cross border by trucks (Ukrainska Pravda) Reverting UAC-0006: Mass distribution of SmokeLoader using the "accounts" theme (CERT-UA#6613) (CERT-UA) Learn more about your ad choices. Visit megaphone.fm/adchoices
09/05/23·25m 54s

Developments in the ransomware underworld: ALPHV, Akira, Cactus, and Royal. Some organizations remain vulnerable to problems with unpatched Go-Anywhere instances.

ALPHV claims responsibility for a cyberattack on Constellation Software. A new Akira ransomware campaign spreads. CACTUS is a new ransomware leveraging VPNs to infiltrate its target. Many organizations are still vulnerable to the Go-Anywhere MFT vulnerability. Russian hacktivists interfere with the French Senate's website. Keith Mularski from EY, details their "State of the Hack" report. Emily Austin from Censys discusses the State of the Internet. And ransomware gangs target local governments in Texas and California.  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/88 Selected reading. ALPHV gang claims ransomware attack on Constellation Software (BleepingComputer)  Constellation Software hit by cyber attack, some personal information stolen (IT World Canada)  Press Release of Constellation Software Inc. (GlobeNewswire News Room) Meet Akira — A new ransomware operation targeting the enterprise (BleepingComputer) New Cactus ransomware encrypts itself to evade antivirus (BleepingComputer)  Pro-Russian Hackers Claim Downing of French Senate Website (SecurityWeek) Dallas cyberattack highlights ransomware’s risks to public safety, health (Washington Post)  Hacked: Dallas Ransomware Attack Disrupts City Services (Dallas Observer)  City of Dallas Continues Battling Ransomware Attack for Third Day (NBC 5 Dallas-Fort Worth)  San Bernardino County pays hackers $1.1 million ransom after cyber attack (Victorville Daily Press)  San Bernardino County pays $1.1M ransom after cyberattack disrupts Sheriff's Department systems (ABC7 Los Angeles) Atomic Data devastated by the unexpected death of CEO and co-owner Jim Wolford (Atomic Data) Learn more about your ad choices. Visit megaphone.fm/adchoices
08/05/23·26m 53s

Shelley Ma: The mystery behind cybersecurity. [Response Lead] [Career Notes]

Shelley Ma, Incident Response Lead at Coalition sits down to share her story, starting all the way back when she was a kid and fell in love with playing the game "NeoPets" that ended up paving the way for her future in cybersecurity. After starting this journey, she shares how she became intrigued with crime and mystery shows, which ultimately spawned an interest in forensic science. She ended up signing up for an internship program that she was able to get into, which she says was a pivotal change for her that provided her the chance to begin her career. She shares the advice that if anyone is looking to get into this career, she highly recommends looking into the career before beginning. Following some advise given to her by a professor and mentor, she says that telling the truth helps her deal with adversity in the workplace. Shelley says "In our industry, there are so many opportunities for our opinions and testimonies to be coerced and swayed. I refuse to do that and every time I come back to what my professor said, if you don't want to spend the rest of your life looking over your shoulders, just simply tell the truth." We thank Shelley for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
07/05/23·9m 58s

Phishing campaign takes the energy out of Chinese nuclear industry. [Research Saturday]

Ryan Robinson from Intezer to discuss his team's work on "Phishing Campaign Targets Chinese Nuclear Energy Industry." The research team discovered activity targeting the nuclear energy industry in China. Researchers attributed the activity to Bitter APT, a South Asian APT that is known to target the energy, manufacturing and government sectors, mainly in Pakistan, China, Bangladesh, and Saudi Arabia. The article states "We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China. In some emails, people and entities in academia are also targeted, also related to nuclear energy." By luring recipients in, invites them to join conferences on subjects that are relevant to them, they are then able to social engineer the victims. The research can be found here: Phishing Campaign Targets Chinese Nuclear Energy Industry Learn more about your ad choices. Visit megaphone.fm/adchoices
06/05/23·20m 55s

DPRK's Kimsuki spearphishes. A standards strategy for AI. Ransomware Task Force retrospective. KillNet's new menu. Ex Uber CSO sentenced for data breach cover-up.

Kimsuki has a new reconnaissance tool. The Biden administration shares plans for AI. Reports on the ransomware taskforce report. KillNet recommits to turning a profit. Deepen Desai from Zscaler has the latest stats on Phishing. Our guest is Karen Worstell from VMware with a conversation about inclusivity. And the former CSO at Uber is sentenced. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/87 Selected reading. Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign (SentinelOne) Ransomware Task Force Gaining Ground - May 2023 Progress Report (Ransomware Task Force) Influential task force takes stock of progress against ransomware (Washington Post) For Money and Attention: Killnet Apparently Reorganizes Again (Flashpoint) Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama (Flashpoint) Former Uber CSO Joe Sullivan Avoids Prison Time Over Data Breach Cover-Up (Security Week) Former Uber security chief Sullivan avoids prison in data breach case (Washington Post) Learn more about your ad choices. Visit megaphone.fm/adchoices
05/05/23·37m 24s

Cyberespionage, straight out of Beijing, Teheran, and Moscow. Developments in the criminal underworld. Indictment in a dark web carder case.

An APT41 subgroup uses new techniques to bypass security products. Iranian cyberespionage group MuddyWater is using Managed Service Provider tools. Wipers reappear in Ukrainian networks. Meta observes and disrupts the new NodeStealer malware campaign. The City of Dallas is moderately affected by a ransomware attack. My conversation with Karin Voodla, part of the US State Department’s Cyber fellowship program. Lesley Carhart from Dragos shares Real World Stories of Incident Response and Threat Intelligence. And there’s been an indictment and a takedown in a major dark web carder case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/86 Selected reading. Attack on Security Titans: Earth Longzhi Returns With New Tricks (Trend Micro) APT groups muddying the waters for MSPs (ESET) Russian hackers use WinRAR to wipe Ukraine state agency’s data (BleepingComputer) WinRAR as a "cyberweapon". Destructive cyberattack UAC-0165 (probably Sandworm) on the public sector of Ukraine using RoarBat (CERT-UA#6550) (CERT-UA)  The malware threat landscape: NodeStealer, DuckTail, and more (Engineering at Meta)  Facebook disrupts new NodeStealer information-stealing malware (BleepingComputer) NodeStealer Malware Targets Gmail, Outlook, Facebook Credentials (Decipher) City of Dallas likely targeted in ransomware attack, city official says (Dallas News)  Cybercriminal Network Fueling the Global Stolen Credit Card Trade is Dismantled (US Department of Justice) Secret Service, State Department Offer Up To $10 Million Dollar Reward For Information On Wanted International Fugitive (US Secret Service) Police dismantles Try2Check credit card verifier used by dark web markets (BleepingComputer) Learn more about your ad choices. Visit megaphone.fm/adchoices
04/05/23·30m 48s

Iran integrates influence and cyber operations. ChatGPT use and misuse. Trends in the cyber underworld. Hybrid warfare and cyber insurance war clauses.

Iran integrates influence and cyber operations. ChatGPT use and misuse. Phishing reports increased significantly so far in 2023, while HTML attacks double. An update on the Discord Papers. Cyberstrikes against civilian targets. My conversation with our own Simone Petrella on emerging cyber workforce strategies. Tim Starks from the Washington Post joins me with reflections on the RSA conference. And, turns out, a war clause cannot be invoked in denying damage claims in the NotPetya attacks (at least not in the Garden State). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/85 Selected reading. Rinse and repeat: Iran accelerates its cyber influence operations worldwide (Microsoft On the Issues) ChatGPT Confirms Data Breach, Raising Security Concerns (Security Intelligence)  Samsung Bans Generative AI Use by Staff After ChatGPT Data Leak (Bloomberg)  Malicious email campaigns abusing Telegram bots rise tremendously in Q1 2023, surpassing all of 2022 by 310% (Cofense) Threat Spotlight: Proportion of malicious HTML attachments doubles within a year (Barracuda) Zelensky says White House told him nothing about Discord intelligence leaks (Washington Post) Russia attacks civilian infrastructure in cyberspace just as it does on ground - watchdog (Ukrinform) Merck’s Insurers On the Hook in $1.4 Billion NotPetya Attack, Court Says (Wall Street Journal) Merck entitled to $1.4B in cyberattack case after court rejects insurers' 'warlike action' claim (Fierce Pharma) Learn more about your ad choices. Visit megaphone.fm/adchoices
03/05/23·33m 15s

From cryptostealers to CCTV exploits, from Magecart enhancements to coronation phishbait, cybercriminals have been active. (But so have law enforcement agencies.)

LOBSHOT is a cryptowallet stealer abusing Google Ads. Coronation phishbait. A known CCTV vulnerability is currently being exploited. T-Mobile discloses another, smaller data breach. New Magecart exploits. Preliminary lessons from cyber operations during Russia's war. Rob Boyce from Accenture shares insights from RSA Conference. Our special guest is NSA Director of Cybersecurity Rob Joyce. And Europol announces a major dark web market takedown. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/84 Selected reading. New LOBSHOT malware gives hackers hidden VNC access to Windows devices (BleepingComputer) New 'Lobshot' hVNC Malware Used by Russian Cybercriminals (SecurityWeek) Elastic Security Labs discovers the LOBSHOT malware (Elastic Blog) Researchers see surge in scam websites linked to coronation (Computer Weekly)  TBK DVR Authentication Bypass Attack (FortiGuard)  T-Mobile discloses second data breach since the start of 2023 (BleepingComputer)  T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more (Ars Technica)  T-Mobile Announces Another Data Breach (CNET) Magecart threat actor rolls out convincing modal forms (Malwarebytes) Cyber lessons from Ukraine: Prepare for prolonged conflict, not a knockout blow (Breaking Defense) 288 dark web vendors arrested in major marketplace seizure (Europol) Learn more about your ad choices. Visit megaphone.fm/adchoices
02/05/23·31m 15s

FDA warns of biomed device vulnerability. Ransomware's effects continue at US Marshals Service fugitive tracking. US DoJ shifts to disruption of cybercrime. GRU phishing. KillNet’s ask-me-anything.

The FDA warns of a vulnerability affecting biomedical devices. Ransomware's effects continue to trouble the US Marshals Service. The US Justice Department shifts how it deals with large scale cybercrime. Fresh phish from the GRU. Caleb Barlow looks at unicorns and zombiecorns. Our guest Manoj Sharma from Symantec explains the differences between Zero Trust and SASE. And KillNet runs an ask-me-anything session. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/83 Selected reading. Illumina cyber vulnerability may present risks for patient results (U.S. Food and Drug Administration) CISA, FDA warn of new Illumina DNA device vulnerability (Record Key law enforcement computers still down 10 weeks after breach (Washington Post) Feds Prioritizing Disruptions Over Arrests in Cyberattack Cases (PCMAG)  "Ashamed" LockBit ransomware gang apologises to hacked school, offers free decryption tool (Hot for Security)  APT28 cyberattack: distribution of emails with "instructions" on "updating the operating system" (CERT-UA#6562) (CERT-UA) Hackers use fake ‘Windows Update’ guides to target Ukrainian govt (BleepingComputer)  Ukraine at D+431: Drone strikes and phishing expeditions. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
01/05/23·34m 31s

Perry Carpenter: Turning composition into computing. [Strategy] [Career Notes]

Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4 and host of the 8th Layer Insights podcast, sits down to share his story trying different paths, before ultimately switching over to the cyber industry. After trying to go down the paths of music and law and finding neither were what he wanted to do, he decided to take an internship to get more into computer programming. That led him to getting his first job. After his first job, he moved onto other big name companies like Walmart, Alltel, and Gartner, and landing finally with KnowBe4. He compares his work to working with music, when he initially wanted to begin making music early in his career. He says "I think for me, when it was the kind of the connection between music and computing is that whenever you're kind of joining things together or at a, a musical scale to make chords, or whenever you're adding different, um, instruments and octaves together or timbers together to get some kind of bigger result." We thank Perry for sharing his story. Learn more about your ad choices. Visit megaphone.fm/adchoices
30/04/23·10m 37s

HinataBot focuses on DDoS attack. [Research Saturday]

This week our guests are, Larry Cashdollar, Chad Seaman and Allen West from Akamai Technologies, and they are discussing their research on "Uncovering HinataBot: A Deep Dive into a Go-Based Threat." The team discovered a new Go-based, DDoS-focused botnet. They found it was named after the popular anime show "Naruto," they are calling it "HinataBot" In the research it says "HinataBot was seen being distributed during the first three months of 2023 and is actively being updated by the authors/operators." Akamai was able to get a deep look into the malware works by using a combination of reverse engineering the malware and imitating the command and control (C2) server. The research can be found here: Uncovering HinataBot: A Deep Dive into a Go-Based Threat Learn more about your ad choices. Visit megaphone.fm/adchoices
29/04/23·27m 26s

What’s now being traded in the C2C markets. CISA would like comments on its software self-attestation form. And in Russia’s hybrid war, are there cyber war crimes, or real hacktivists?

Cl0p and LockBit exploit PaperCut vulnerability in ransomware campaigns. Infostealer traded in the C2C market. All ads are trying to get your money, but some just take it. CISA requests comment on software self-attestation form. Our guest is Marcin Kleczynski, CEO of Malwarebytes, sharing thoughts on the current threat landscape, attacks on students and academic institutions. Betsy Carmelite from Booz Allen, discussing themes from the RSAC tied into critical infrastructure resilience. Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes. And are there any genuine disinterested hacktivists on Russia's side, or are they all fronts? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/82 Selected reading. Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware (The Hacker News) Microsoft: Clop and LockBit ransomware behind PaperCut server hacks (BleepingComputer) ​ New 'Atomic macOS Stealer' Malware Offered for $1,000 Per Month (SecurityWeek)  “Malverposting” — With Over 500K Estimated Infections, Facebook Ads Fuel This Evolving Stealer… (Guardio) Request for Comment on Secure Software Self-Attestation Common Form (CISA) OMB, CISA set to release common form for software self-attestation (FCW) Pro-Russian hacktivism isn’t real, top Ukrainian cyber official says (CyberScoop) Pro-Russian hacktivism isn't real, top Ukrainian cyber official says (CyberScoop)  Learn more about your ad choices. Visit megaphone.fm/adchoices
28/04/23·28m 53s

Waging lawfare against criminal infrastructure. Notes from the cyber underworld. Hybrid war, and cyber ops across the spectrum of conflict. And what do the bots want? (Hint: kicks.)

Google targets CryptBot malware infrastructure. FIN7 attacked Veeam servers to steal credentials. Ransomware-as-a-service offering threatens Linux systems. Evasive Panda targets NGOs in China. Anonymous Sudan is active against targets in Israel. Russian ransomware operations aim at disrupting supply chains into Ukraine. Our guest is Stuart McClure, CEO of Qwiet AI. Microsoft’s Ann Johnson stops by with her take on the RSA conference. And bots want new kicks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/81 Selected reading. Continuing our work to hold cybercriminal ecosystems accountable (Google) Google Disrupts Massive CryptBot Malware Operation (Decipher) Google disrupts malware that steals sensitive data from Chrome users (TechCrunch)  FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability (SecurityWeek) RTM Locker Ransomware as a Service (RaaS) Now on Linux (Uptycs)  Evasive Panda APT group delivers malware via updates for popular Chinese software (WeLiveSecurity)  NSA sees 'significant' Russian intel gathering on European, U.S. supply chain entities (CyberScoop)  Ukraine at D+427: Russian cyberattacks and disinformation before Ukraine's spring offensive. (CyberWire) Releasing leak suspect a national security risk, feds say (AP NEWS) Pentagon leak suspect may still have access to classified info, court filings allege (the Guardian)  Netacea Quarterly Index: Top 5 Scalper Bot Targets of Q1 2023 (Netacea) Learn more about your ad choices. Visit megaphone.fm/adchoices
27/04/23·28m 36s

BellaCiao from Tehran; PingPull from Beijing: two cyberespionage tools. SLP exploitation. Ransomware as an international threat. The state of hacktivism. Digital evidence or war crimes.

BellaCiao is malware from Iran's IRGC, while PingPull is malware used by the Chinese government affiliated Tarus Group. Ransomware continues to be a pervasive international threat. An overview of hacktivism. Our guest is CyberMindz founder Peter Coroneos, discussing the importance of mental health in cybersecurity. Johannes Ullrich shares insights from his RSAC panel discussions. And Ukraine continues to collect evidence of Russian war crimes. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/80 Selected reading. Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware (Bitdefender Blog) Chinese Alloy Taurus Updates PingPull Malware (Unit 42) Abuse of the Service Location Protocol May Lead to DoS Attacks (Cybersecurity and Infrastructure Security Agency CISA) #RSAC: Ransomware Poses Growing Threat to Five Eyes Nations (Infosecurity Magazine) Hacktivism Unveiled, April 2023 Insights into the footprints of hacktivists (Radware) FBI aiding Ukraine in collection of digital and physical war crime evidence (CyberScoop) Learn more about your ad choices. Visit megaphone.fm/adchoices
26/04/23·29m 13s

BlackCat follows Cl0p to GoAnywhere. Mirai gets an upgrade. Deterring cyber war. Homeland Secrity’s cyber priorities. Action against DPRK cryptocrooks. What KillNet’s up to.

BlackCat (ALPHV) follows Cl0p, exploiting the GoAnywhere MFA vulnerability. The Mirai botnet exploits a vulnerability disclosed at Pwn2Own. An RSAC presentation describes US response to Russian prewar and wartime cyber operations. The US Department of Homeland Security outlines cyber priorities. Andrea Little Limbago from Interos shares insights from her RSAC 2023 panels. US indicts, sanctions DPRK operators in crypto-laundering campaign. Our guest is Marc van Zadelhoff, CEO of Devo, with insights from the conference. And the latest on KillNet. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/79 Selected reading. BlackCat Ransomware Group Exploits GoAnywhere Vulnerability (At-Bay)  Zero Day Initiative — TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal (Zero Day Initiative) Years after discovery of SolarWinds breach, Russian hackers could be struggling (Washington Post)  U.S. deploys more cyber forces abroad to help fight hackers (Reuters) DHS Outlines Cyber Priorities in Release of Delayed Review (Nextgov.com)  US sanctions supporters of North Korean hackers, Iranian cyberspace head (Record)  North Korean Foreign Trade Bank Rep Charged for Role in Two Crypto Laundering Conspiracies (Department of Justice. U.S. Attorney's Office District of Columbia)  Treasury Targets Actors Facilitating Illicit DPRK Financial Activity in Support of Weapons Programs (U.S. Department of the Treasury) Learn more about your ad choices. Visit megaphone.fm/adchoices
25/04/23·31m 24s

Supply-chain attack's effects spread. CISA makes new KEV entries. Bumblebee malware loader describes. Decoy Dog toolset discovered. Discord Papers were shared earlier and more widely.

3CX is not the only victim in the recent supply chain attack. The PaperCut critical vulnerability is under active exploitation. The Bumblebee malware loader is buzzing around in the wild. A new unique malware toolkit called Decoy Dog. Rick Howard, CSO from N2K Networks, shares RSA Conference predictions and talks about his new book, "Cybersecurity First Principles." Our guest Theresa Lanowitz from AT&T Cybersecurity shares insights on Securing the Edge. And the alleged Discord Papers leaker shared earlier and more widely than previously known. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/78 Selected reading. 3CX Hackers Also Compromised Critical Infrastructure Firms (Infosecurity Magazine) That 3CX supply chain attack keeps getting worse (Register) Energy sector orgs in US, Europe hit by same supply chain attack as 3CX (Record)  Even more victims found in complex 3CX supply chain attack (CybersecurityConnect)  X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe (Symantec Enterprise Blogs)  URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) (PaperCut) PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise (Horizon3.ai)  Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers (The Hacker News)  CISA KEV Breakdown | April 21, 2023 (Nucleus Security) CISA Adds Three Known Exploited Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA) CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug (The Hacker News)  CISA adds printer bug, Chrome zero-day and ChatGPT issue to exploited vulnerabilities catalog (Record) Bumblebee Malware Distributed Via Trojanized Installer Downloads (Secureworks). Google ads push BumbleBee malware used by ransomware gangs (BleepingComputer)  Bumblebee malware infects victims via fake Zoom, Cisco and ChatGPT software installers (Record)  Decoy Dog malware toolkit found after analyzing 70 billion DNS queries (BleepingComputer)  Analyzing DNS Traffic for Anomalous Domains and Threat Detection (Infoblox Blog)  Airman Shared Sensitive Intelligence More Widely and for Longer Than Previously Known (New York Times)  FBI leak investigators home in on members of private Discord server (Washington Post) From Discord to 4chan: The Improbable Journey of a US Intelligence Leak (bellingcat)  Europe’s Planes Keep Flying Despite Cyberattack (Wall Street Journal) Learn more about your ad choices. Visit megaphone.fm/adchoices
24/04/23·27m 8s

Master Gunnery Sergeant Scott Stalker from US Space Command: goals and risks in the digital space operating environment.

T-Minus Deep Space Guest Scott Stalker, Command Senior Enlisted Leader at US Space Command, shares how the combatant command is adapting to new challenges in the digital era of space operations, new operational concepts, and building the force to deter aggression. You can follow US Space Command on LinkedIn and Twitter, and you can follow MGySgt Scott Stalker on LinkedIn. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our weekly intelligence briefing, Signals and Space, and you’ll never miss a beat. Audience Survey We want to hear from you! Please complete our wicked fast 4 question survey. It’ll help us get better and deliver you the most mission-critical space intel every day. Want to hear your company in the show? You too can reach the most influential leaders in the industry. Here’s a link to our media kit. Contact us at space@n2k.com to request more info about sponsoring T-Minus. Want to join us for an interview? Please send your interview pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal, and our editor will get back to you for scheduling. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
23/04/23·22m 38s

Maria Varmazis: Combining cyber and space. [Space] [Career Notes]

Maria Varmazis, N2K's Space Correspondent and host of N2K's newest podcast T-Minus, sits down to share her journey on combining her two passions of space and cyber. Maria grew up wanting to be an astronomer, in school she focused on joining anything with technology and enjoyed the classes that made her think. After transferring to a new college, she went into journalism, absolutely falling in love with the new career path she had made for herself. She got herself a job at Sophos and that's where she learned about cybersecurity. Now she discusses cyber and space in her new podcast, combining her two passions into one for all to understand. Maria discusses some of the setbacks she overcame in this industry and shares the wise advice of "I would never pretend that failure isn't painful, but it is an incredible teaching tool. So if you feel like you've had a huge career fail or a really big misstep, you can still pivot from that and you can make that into something." We thank Maria for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
23/04/23·9m 1s

Don't let the Elon Musk crypto giveaway scam swindle you. [Research Saturday]

Shiran Guez from Akamai sits down with Dave to discuss their research on "Chatbots, Celebrities, and Victim Retargeting and Why Crypto Giveaway Scams Are Still So Successful." Researchers at Akamai have been on the lookout for crypto giveaway scams. These scams have been impersonating celebrities and brands, most notably Elon Musk and his associated companies. The research states "the scams are delivered through various social media platforms as well as direct messaging apps such as WhatsApp or Telegram." These scams have helped add to the existing damages that exceed $1 billion caused by crypto fraud. The research can be found here: Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful Learn more about your ad choices. Visit megaphone.fm/adchoices
22/04/23·19m 22s

Daggerfly swarms African telco. EvilExtractor described. Patriotic hacktivism in East Asia. Updates on Russia's hybrid war suggest that cyber warfare has some distinctive challenges.

Daggerfly APT targets an African telecommunications provider. EvilExtractor is an alleged teaching tool apparently gone bad. A Chinese speaking threat group is active against Taiwan and South Korea. Europe’s air traffic control is under attack. Cecilia Marinier from RSAC and Barmak Meftah, a judge of ISB, discuss the RSA innovation sandbox. Awais Rashid from University of Bristol on the cybersecurity of smart farming. Forget about those evil maids. What about these evil sys admins?  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/77 Selected reading. Daggerfly: APT Actor Targets Telecoms Company in Africa (Symantec) EvilExtractor – All-in-One Stealer (Fortinet Blog) Chinese-language threat group targeted a dozen South Korean institutions (Record)  Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan (Recorded Future)  WSJ News Exclusive | Europe’s Air-Traffic Agency Under Attack From Pro-Russian Hackers (Wall Street Journal)  Intelligence Leaks Cast Spotlight on a Recurring Insider Threat: Tech Support (Wall Street Journal) Russia’s invasion of Ukraine is also being fought in cyberspace (Atlantic Council)  CFP European Cybersecurity Seminar 2023-2024 (European Cyber Conflict Research Initiative) #CYBERUK23: Russian Cyber Offensive Exhibits ‘Unprecedented’ Speed and Agility (Infosecurity Magazine) Learn more about your ad choices. Visit megaphone.fm/adchoices
21/04/23·30m 17s

Two-step supply-chain attack. Plugging leaks, in both Mother Russia and the Land of the Free and the Home of the Brave. Belarus remains a player in the cyber war.

The 3CX compromise involved a two-stage supply-chain attack. Impersonating ChatGPT. Russia's security organs say they're cracking down on leaks. Updates on the Discord Papers case. Belarus arrests a pro-Russian hacktivist. Rob Boyce from Accenture Security on Dark Web cyber criminals targeting CRM systems. Our guest is Mike Loewy from the Tide Foundation, with an innovative approach to distributed key security. And, is Minsk going wobbly on Moscow? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/76 Selected reading. 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (Mandiant) ChatGPT-Themed Scam Attacks Are on the Rise (Palo Alto Networks Unit 42) Russian Offensive Campaign Assessment, April 19, 2023 (Institute for the Study of War) Belarus-linked hacking group targets Poland with new disinformation campaign (Record) Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama (Flashpoint) Belarus-linked hacking group targets Poland with new disinformation campaign (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices
20/04/23·28m 6s

CISA Alert AA23-108A – APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers.

The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28’s exploitation of Cisco routers in 2021. AA23-108A Alert, Technical Details, and Mitigations Malware Analysis Report Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
20/04/23·2m 45s

Play ransomware's new tools. A look at what the GRU’s been up to. US Air Force opens investigation into alleged leaker's Air National Guard wing. KillNet’s new hacker course: “Dark School.”

Play ransomware's new tools. Fancy Bear is out and about. Updates on Sandworm. Ransomware in Russia's war against Ukraine. The US Air Force opens an investigation into the alleged leaker's Air National Guard wing. The Washington Post’s Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svacjer about the threat landscape, now and tomorrow. And KillNet’s in the education business with a new hacker course: “Dark School.”  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/75 Selected reading. Play Ransomware Group Using New Custom Data-Gathering Tools (Symantec) NCSC-UK, NSA, and Partners Advise about APT28 Exploitation of Cisco Routers (National Security Agency/Central Security Service) APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers (NCSC) State-sponsored campaigns target global network infrastructure (Cisco Talos Blog)  Ukraine remains Russia’s biggest cyber focus in 2023 (Google) Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (Google Threat Analysis Group) M-Trends 2023: Cybersecurity Insights From the Frontlines (Mandiant) Faltering against Ukraine, Russian hackers resort to ransomware: Researchers (Breaking Defense)  Air Force unit in document leaks case loses intel mission (AP NEWS) Pentagon Details Review of Policies for Handling Classified Information (New York Times)  Ukraine at D+419: GRU cyber ops scrutinized. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
19/04/23·29m 18s

A Symposium, a wet dress, a new fund, and it’s only Monday. [T-Minus Space Daily]

Brace yourselves, it’s Space Symposium week! Wet dress rehearsal for Starship. UK launches the International Bilateral Fund. Orbit Fab gets a series A round. Boeing announces their anti-jam payload for WGS. The FAA wants to balance air travel and space travel. Our interview with Steve Luczynski, Board Chair of the Aerospace Village, on their mission, programs, and upcoming activities at the RSA Conference next week. All this and more. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our weekly intelligence briefing, Signals and Space, and you’ll never miss a beat. T-Minus Guest Our featured guest is Steve Luczynski, Board Chair of the Aerospace Village, on the Aerospace Village nonprofit, their mission, their programs, and their upcoming activities at the RSA Conference next week. You can follow Steve on LinkedIn and Twitter. Selected Reading SpaceX's launch of Starship could remake space exploration | Washington Post  UK Space Agency funding for international space partnerships | GOV.UK.  SpaceX launches seventh Transporter rideshare mission | SpaceNews Exolaunch’s 21 rideshare smallsats deployed during the SpaceX Transporter-7 mission | SatNews HawkEye 360’s nexgen Cluster 7 smallsats are successfully launched | SatNews    TrustPoint Announces Launch of First Commercially-Funded, Purpose-Built PNT Microsatellite | Business Wire  China claims its Space Station has achieved 100% oxygen regeneration in orbit | Interesting Engineering  Boeing Unveils Anti-Jam Payload For Next Space Force Wideband Global SATCOM Satellite | Via Satellite As counterspace weapons ‘proliferate,’ the new cold war for space races forward: studies | Breaking Defense The Moon is the Best Place to Transport Rocket Fuel | Universe Today  US aviation authorities may delay some space launches to avoid air traffic disruption | Reuters  NASA launches stadium-sized balloon from New Zealand | SpaceConnect   Audience Survey We want to hear from you! Please complete our wicked fast 4 question survey. It’ll help us get better and deliver you the most mission-critical space intel every day. Want to hear your company in the show? You too can reach the most influential leaders in the industry. Here’s a link to our media kit. Contact us at space@n2k.com to request more info about sponsoring T-Minus. Want to join us for an interview? Please send your interview pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal, and our editor will get back to you for scheduling. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
19/04/23·25m 41s

Iranian threat actor exploits N-day vulnerabilities. Subdomain hijacking vulnerabilities. The Discord Papers. An update on Russia’s NTC Vulkan. And weather reports, not a Periodic Table.

An Iranian threat actor exploits N-day vulnerabilities. CSC exposes subdomain hijacking vulnerabilities. More on the Discord Papers. An update on Russia’s NTC Vulkan. Joe Carrigan on the aftermath of a $98M online investment fraud. Our guest is Blake Sobczak from Synack , host of the podcast WE'RE IN! And threat actor nomenclature: a scorecard, and a Periodic Table no more. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/74 Selected reading. Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft Security) An Iranian hacking group went on the offensive against U.S. targets, Microsoft says (Washington Post)  New CSC Research Finds One in Five DNS Records are Susceptible to Subdomain Hijacking Due to Insufficient Cyber Hygiene | CSC (CSC) DOD Assessing Document Disclosures and Implementing Mitigation Measures (U.S. Department of Defense) After leak, Pentagon purges some users' access to classified programs, launches security review (Breaking Defense) Why Did a 21-Year-Old Guardsman Have Access to State Secrets? (Vice) U.S. officials have examined whether alleged doc leaker had foreign links (POLITICO)  The Air Force Loves War Gamers Like Alleged Leaker Teixeira (Military.com)  FBI Investigating Ex-Navy Noncommissioned Officer Linked to Pro-Russia Social-Media Account (Wall Street Journal) Pentagon leak suggests Russia honing disinformation drive – report (the Guardian) Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure (Dragos)  Microsoft shifts to a new threat actor naming taxonomy (Microsoft) Learn more about your ad choices. Visit megaphone.fm/adchoices
18/04/23·28m 27s

Developments in the Discord Papers, including notes on influencers and why they seek influence. Tax season scams. KillNet’s selling, but is anyone buying?

The alleged Discord Papers leaker has been charged. We look at how the Papers spread online. A life lived online as a security risk. US tax season scams, at the 11th filing hour. Caleb Barlow from Cylete on the layoffs in security that many thought would never happen. Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus. And KillNet says it’s open for business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/73 Selected reading. Inside the furious week-long scramble to hunt down a massive Pentagon leak (CNN Politics)  Massachusetts Air National Guard’s Intelligence Mission in the Spotlight (New York Times)  Leaker of U.S. secret documents worked on military base, friend says (Washington Post)  WSJ News Exclusive | Social-Media Account Overseen by Former Navy Noncommissioned Officer Helped Spread Secrets (Wall Street Journal). A Russian Disinformation Empire in Oak Harbor, Washington (Malcontent News)  Pro-Russia propagandist unmasked as New Jersey tropical fish seller (The Telegraph)  Suspect charged in case involving leaked classified military documents (Washington Post)  Jack Teixeira, suspect in Pentagon leaks, charged under Espionage Act (the Guardian) Leak suspect appears in court as US spells out its case (AP NEWS)  Airman in Pentagon intel leak charged (Military Times)  Airman charged in Pentagon intel leak regretted joining the military (Military Times)  He’s from a military family — and allegedly leaked U.S. secrets (Washington Post) Jack Teixeira's alleged Discord leaks show why the US should stop showering Top Secret clearances on 21-year-old keyboard warriors (Business Insider). The military loved Discord for Gen Z recruiting. Then the leaks began. (Washington Post)  A new kind of leaker: Spilling state secrets to impress online buddies (Washington Post)  Was the Gen-Z Pentagon leaker motivated by social media clout? (the Guardian)  Microsoft president claims Russian intelligence is trying to "penetrate gaming communities" (GamesIndustry.biz) How Gamers Eclipsed Spies as an Intelligence Threat (Foreign Policy) Crafty PDF link is part of another tax-season malware campaign (Record) Tax season scams. (CyberWire) Ukraine at D+414: Discord Papers arrest, cyberespionage, and hacktivist DDoS. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices
17/04/23·30m 25s

Jack Chapman: Shielding against the bad guys. [Threat Intelligence] [Career Notes]

Jack Chapman, VP of Threat Intelligence at Egress sits down to share his story on how he found his way into the cybersecurity field as well as his journey creating a cybersecurity company that was successfully acquired. Jack previously co-founded anti-phishing company Aquilai and served as its Chief Technology Officer, working closely with the UK’s intelligence and cyber agency GCHQ to develop cutting-edge product capabilities. Aquilai was acquired by Egress in 2021. Now he is working with Egress as what he calls their "chief bad guy," helping to shield his team from threats. He says "I'm probably what you call a servant leader, my mission is to enable and shield my teams from things that will prevent them from succeeding in their missions, whatever that might look like." Jack hopes to be remembered for making a meaningful impact to help drive the field forward. We thank Jack for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
16/04/23·10m 25s

New Dero cryptojacking operation concentrates on locating Kubernetes. [Research Saturday]

Scott Fanning, Senior Director of Product Management, Cloud Security at CrowdStrike, sits down to talk about the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. The research defines Dero as "a cryptocurrency that claims to offer improved privacy, anonymity and higher and faster monetary rewards compared to Monero, which is a commonly used cryptocurrency in cryptojacking operations." CrowdStrike was the first organization to discover Dero, and has been observing the cryptojacking operation since the beginning of February 2023. The operation focuses mainly on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet. The research can be found here: CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes Learn more about your ad choices. Visit megaphone.fm/adchoices
15/04/23·14m 28s

"Read the Manual" and the ransomware-as-a-service market. Bitter APT against energy companies. Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Aan arrest in the Discord Papers case.

"Read the Manual" and the ransomware-as-a-service market. Bitter APT may be targeting Asia-Pacific energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge from Fastly with insights on the risks from bots. And there’s been an arrest in the Discord Papers case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/72 Selected reading. Read The Manual Locker: A Private RaaS Provider (Trellix) Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer) Espionage campaign linked to Russian intelligence services (Baza wiedzy) Russian cyberspies hit NATO and EU organizations with new malware toolset (CSO Online) Pro-Russia hackers say they were behind Hydro-Quebec cyberattack (Montreal CTV News - 04-13-2023) Cyberattack knocks out website and mobile app for Quebec’s hydro utility (Toronto Star) F.B.I. Arrests National Guardsman in Leak of Classified Document (New York Times) DOD Calls Document Leak 'a Criminal Act' (U.S. Department of Defense) Learn more about your ad choices. Visit megaphone.fm/adchoices
14/04/23·29m 13s

Transparent Tribe seems to want people’s lab notes, and other stories of cyberespionage. The FBI warns of juicejacking. And the Discord leaker seems to have been a 20-something influencer.

Transparent Tribe expands its activity against India's education sector. A Lazarus sub-group is after defense sector targets. The FBI's Denver office warns of potential juicejacking. Legion: a Python-based credential harvester. The source of leaked US intelligence may be closer to identification. Johannes Ullrich from SANS explains upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia’s war on Ukraine. Canada responds to claims of Russian cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/71 Selected reading. Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector (SentinelOne) Following the Lazarus group by tracking DeathNote campaign (Securelist) DPRK threat actors target C3X and defense sector at large. (CyberWire) FBI office warns against using public phone charging stations at airports or malls, citing malware risk (CBS News) The FBI warns of juicejacking and other risks of public tech. (CyberWire) Legion: an AWS Credential Harvester and SMTP Hijacker (Cado Security)  The Legion credential harvester. (CyberWire) Leaker of U.S. secret documents worked on military base, friend says (Washington Post) U.S. may change how it monitors the web after missing leaked documents for weeks (NBC News) Cyberattacks on Canada’s gas infrastructure left ‘no physical damage,’ Trudeau says (Global News) Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool (CyberScoop) US Warns Russia Getting Creative in Cyberspace (VOA) APT Winter Vivern Resurfaces (Avertium) Learn more about your ad choices. Visit megaphone.fm/adchoices
13/04/23·30m 36s

Patch Tuesday notes. Cyber mercenaries described. Voice security and fraud. CISA’s update to its Zero Trust Maturity Model. Updates on Russia’s hybrid war against Ukraine.

Patch Tuesday update. Another commercial surveillance company is outed. Voice security and the challenge of fraud. CISA updates its Zero Trust Maturity Model. Effects of the US intelligence leaks. Our guest Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlines CISA's role in the cybersecurity community. André Keartland of Netsurit makes the case for DevSecOps. Russian cyber auxiliaries believed responsible for disrupting the Canadian PM's website. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/70 Selected reading. Patch Tuesday overview. (CyberWire) DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia (Microsoft Threat Intelligence)  Threat Report on the Surveillance-for-Hire Industry (Meta) Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers (The Citizen Lab) Voice Intelligence and Security Report (Pindrop) CISA Releases updated Zero Trust Maturity Model (Cybersecurity and Infrastructure Security Agency) CISA Releases Zero Trust Maturity Model Version 2 (Cybersecurity and Infrastructure Security Agency CISA) A leak of files could be America’s worst intelligence breach in a decade (The Economist) Interagency Effort Assessing Impact of Leaked Documents, Strategizing Way Forward (U.S. Department of Defense) What we know about the Pentagon document leak (Axios) The ongoing scandal over leaked US intel documents, explained (Vox) Pentagon leak threatens Biden's foreign policy doctrine ahead of overseas trip (Axios) Schumer calls for all-senator briefing on leaked Ukraine documents (The Hill) The key countries and revelations from the Pentagon document leak (Washington Post)  Exclusive: Leaked U.S. intel document claims Serbia agreed to arm Ukraine (Reuters)  Up to 50 UK special forces present in Ukraine this year, US leak suggests (the Guardian) Egypt denies leak about supplying Russia with 40,000 rockets (Al Jazeera) DDoS attacks block PM Trudeau’s web site (IT World Canada) Learn more about your ad choices. Visit megaphone.fm/adchoices
12/04/23·29m 20s

IAM trends. RagnarLocker as a critical infrastructure threat. AI hype as phishbait. Updates on the hybrid war: leaks and hacks.

Key trends in Identity Access Management. RagnarLocker and critical infrastructure. Cyber criminals capitalize on the AI hype. Updates on the leaked US classified documents, and speculation of whether Russian hackers compromised a Canadian gas pipeline. Ben Yelin describes a multimillion dollar settlement over biometric data. Microsoft’s Ann Johnson from Afternoon Cyber Tea talking about cyber paradigm shifts with Samir Kapuria. And a welcome to GCHQ's new boss. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/69 Selected reading. 4 key trends from the Gartner IAM Summit 2023 (Venture Beat) Threat Actor Spotlight: Ragnarlocker Ransomware (Sygnia) From Chatgpt To Redline Stealer: The Dark Side Of Openai And Google Bard (Veriti) Biden administration doesn't know extent of classified Pentagon document leak (CBS News)  Ukraine ‘alters counter-offensive plans’ after Pentagon leak (The Telegraph)  Ukraine had to change military plans because of US Pentagon leak, source says (CNN)  Leaked Pentagon documents claim that hackers breached a Canadian gas network. Here’s what to know. (Washington Post) Pro-Russia Hackers Say They Breached Canadian Pipeline, but Experts Are Skeptical (Wall Street Journal) Leaked US intel: Russia operatives claimed new ties with UAE (AP NEWS) Egypt secretly planned to supply rockets to Russia, leaked U.S. document says (Washington Post) How the Latest Leaked Documents Are Different From Past Breaches (New York Times) How U.S. friends and foes have responded to leaked Pentagon documents (Washington Post)  Pentagon leaks: US seeks to mend ties after claims Washington spied on key allies (the Guardian) Pentagon Probe Under Way in Leaks Case (Wall Street Journal) Pentagon assessing damage after 'highly classified' US secrets leaked online (Breaking Defense)  The Pentagon’s Purported Classified-Document Leak: The Biggest Takeaways and Questions So Far (Wall Street Journal) The ongoing scandal over leaked US intel documents, explained (Vox) Leaked documents a 'very serious' risk to security: Pentagon (AP NEWS) The Discord servers at the center of a massive US intelligence leak (CyberScoop)  Social-Media Platform Discord Emerges at Center of Classified U.S. Documents Leak (Wall Street Journal) Why Leaked Pentagon Documents Are Still Circulating on Social Media (New York Times) Clues Left Online Might Aid Leak Investigation, Officials Say (New York Times Ukraine at D+411: US leaks remain under investigation. (CyberWire) New Director GCHQ announced (GCHQ) Learn more about your ad choices. Visit megaphone.fm/adchoices
11/04/23·28m 7s

A look at Iran’s MERCURY APT. Updates on Russia's hybrid war, including some apparent leaks and some apparent doxing. And notes on cloud security trends.

An Iranian APT MERCURY exploits known vulnerabilities. The US investigates apparent leaks of classified information about Russia's war against Ukraine. KillNet claims it has paralyzed NATO websites. More apparent doxing of the GRU. Britta Glade and Monica Koshgarian of RSA Conference talking about content curation. Grayson Milbourne from OpenText Cybersecurity hopes to remove shame from cyber attacks. And, finally, some notes on cloud security trends. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/68 Selected reading. MERCURY and DEV-1084: Destructive attack on hybrid environment (Microsoft Threat Intelligence) Leaked US battlefield intelligence on Ukraine is fake, says Kyiv (The Telegraph)  Russia Claims Leaked Pentagon Intelligence on Ukraine is U.S. Disinformation (US News and World Report)  Leaked US secret NATO-Ukraine war docs likely altered, say experts (SC Media)  Ukraine’s air defences could soon run out of missiles, apparent Pentagon leak suggests (the Guardian)  Russia nearly shot down British spy plane near Ukraine, leaked document says (Washington Post)  Justice Dept. will investigate leak of classified Pentagon documents (Washington Post)  US investigating whether Ukraine war documents were leaked (Military Times) U.S. Reviewing Online Appearance Of Sensitive Documents Related To Ukraine, Pentagon Says (RadioFreeEurope/RadioLiberty)  WSJ News Exclusive | Pentagon Investigates More Social-Media Posts Purporting to Include Secret U.S. Documents (Wall Street Journal)  New Details on Intelligence Leak Show It Circulated for Weeks Before Raising Alarm (Wall Street Journal)  Intelligence leak exposes U.S. spying on adversaries and allies (Washington Post)  Secret US Documents on Ukraine War Plan Spill Onto Internet: Report (SecurityWeek)  US hit by ‘worst leak of secret documents since Edward Snowden’ (The Telegraph) Ukraine at D+410: Static, sanguinary lines. (CyberWire) Report Finds 90% of IT Professionals Have Experienced a Cybersecurity Breach (Skyhigh Security) Learn more about your ad choices. Visit megaphone.fm/adchoices
10/04/23·28m 1s

Karen Worstell: Keep your feet planted. [Strategy] [Career Notes]

Karen Worstell, Senior Cybersecurity Strategist from VMware sits down to share her journey and discusses her experience as a woman in cyber. Starting her career off as a chemist, after graduating with a bachelor's degree in chemistry and a bachelor's degree in molecular biology, she took some time off to be with her family, she came back to a science field that was far more advanced than before she had left. She decided to go in another direction which led her to cyber. She started teaching herself programming and found she was very good at it. Now that she works in cyber, she says "You, you have to know yourself, know what you want, and know where you're, know where you plant your feet. I used to use a phrase a lot that said, uh, don't be afraid to take a stand but know where your feet are planted." We thank Karen for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
09/04/23·11m 1s

A dark side to LLMs. [Research Saturday]

Sahar Abdelnabi from CISPA Helmholtz Center for Information Security sits down with Dave to discuss their work on "A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models." There is currently a large advance in the capabilities of Large Language Models or LLMs, as well as being integrated into many systems, including integrated development environments (IDEs) and search engines. The research states, "The functionalities of current LLMs can be modulated via natural language prompts, while their exact internal functionality remains implicit and unassessable." This could lead them to be susceptible to targeted adversarial prompting, as well as making them adaptable to even unseen tasks. Researchers demonstrated these said attacks to see if the LLMs needed new techniques for more defense. The research can be found here: More than you've asked for: A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models Learn more about your ad choices. Visit megaphone.fm/adchoices
08/04/23·17m 46s

Stopping Cobalt Strike abuse. Leaks are mingled with disinformation. Google offers advice for board members. Securing cars and their garages. CISA releases ICS advisories.

Preventing abuse of the Cobalt Strike pentesting tool. US investigates a leak of sensitive documents related to the war in Ukraine. Hacktivist activity continues. Google's advice for boards. Electronic lockpicks for electronic locks. Nexx security devices may have security flaws. Tesla employees reportedly shared images and videos from Teslas in the wild. Matt O'Neill from US Secret Service discussing investment crypto scams. Our guest is James Campbell of Cado Security on the challenges of a cloud transition. And CISA releases seven ICS advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/67 Selected reading. Stopping cybercriminals from abusing security tools (Microsoft On the Issues)  Microsoft leads effort to disrupt illicit use of Cobalt Strike, a dangerous hacking tool in the wrong hands (CyberScoop) Ukraine War Plans Leak Prompts Pentagon Investigation (New York Times) DDoS attacks rise as pro-Russia groups attack Finland, Israel (TechRepublic) Perspectives on Security for the Board (Google Cloud) Thieves Use CAN Injection Hack to Steal Cars (SecurityWeek) How thieves steal cars using vehicle CAN bus (Register)  Own a Nexx “smart” alarm or garage door opener? Get rid of it, or regret it (Graham Cluley). Hack and enter! The “secure” garage doors that anyone can open from anywhere – what you need to know (Naked Security) Special Report: Tesla workers shared sensitive images recorded by customer cars (Reuters) CISA Releases Seven Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices
07/04/23·30m 20s

New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Disinformation at the UN, and drop-shipping for Mother Russia.

New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Russia's turn in the Security Council chair immediately becomes an occasion for disinformation. Our guest is Nick Tausek from Swimlane to discuss supply chain attack trends. Tim Starks from the Washington Post has the latest on the DOJ’s attempts to disrupt cyber crime. And, make robo-love, not robo-war: nuisance-level hacktivism in the interest of Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/66 Selected reading. New Phishing Campaign Exploits YouTube Attribution Links, Cloudflare Captcha (Vade Security) Criminal Marketplace Disrupted in International Cyber Operation (U.S. Department of Justice) Takedown of notorious hacker marketplace selling your identity to criminals | Europol (Europol) Notorious criminal marketplace selling victim identities taken down in international operation (National Crime Agency) Check your hack (Politie) Carr Announces Investigation into Suspected Users of Genesis Dark Web Marketplace Following FBI Takedown of Illicit Site (Office of Attorney General of Georgia Chris Carr) U.S., European Police Shut Down Hacker Marketplace, Make 119 Arrests (Wall Street Journal) 120 Arrested as Cybercrime Website Genesis Market Seized by FBI (SecurityWeek)  International cops put the squeeze on Genesis Market users (Register)  FBI obtained detailed database exposing 60,000 users of the cybercrime bazaar Genesis Market (CyberScoop) Genesis Black Market Dismantled, But Experts Warn of Potential Vacuum (Nextgov.com) How we’re protecting users from government-backed attacks from North Korea (Google)  Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks (The Hacker News) ‘Outrageous’: Russia Accused of Spreading Disinformation at U.N. Event (New York Times) Des hackers ont acheté 23.000 euros de sex-toys avec de l’argent russe (20 minutes) Thanks to Ukrainian hackers, war freak orders £20,000 worth drones for Russian soldiers, gets sex toys instead (First Post) Ukrainian hackers exchange Russian fighter’s drone order for dildos (New York Post) ‘It’s bullshit’: Inside the weird, get-rich-quick world of dropshipping (WIRED) Learn more about your ad choices. Visit megaphone.fm/adchoices
06/04/23·28m 3s

Genesis Market taken down. Proxyjackers exploit Log4j. Fast-encrypting Rorschach ransomware. More Killnet DDoS. Patch Zimbra now. Soft power and Russia’s hybrid war.

Genesis Market gets taken down. Proxyjackers exploit Log4j vulnerabilities. Fast-encrypting Rorschach ransomware uses DLL sideloading. Killnet attempts DDoS attacks against the German ministry. Carole Theriault ponders AI assisted cheating. Johannes Ullrich tracks malware injected in a popular tax filing website. Soft power and Russia’s hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/65 Selected reading. 'Operation Cookie Monster': International police action seizes dark web market (Reuters)  Stolen credential warehouse Genesis Market seized by FBI (Register) FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers (KrebsOnSecurity) Genesis Market, one of world’s largest platforms for cyber fraud, seized by police (Record) 'Operation Cookie Monster': FBI seizes popular cybercrime forum used for large-scale identity theft (CNN) Cybercrime marketplace Genesis Market shut by FBI, international law enforcement (CNBC) FBI seizes stolen credentials market Genesis in Operation Cookie Monster (BleepingComputer) Notorious Genesis Market cybercrime forum seized in international law enforcement operation (CyberScoop) Proxyjacking has Entered the Chat (Sysdig) Rorschach – A New Sophisticated and Fast Ransomware (Check Point Research) Russian hackers attack German ministry’s website (TVP World) Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA 'Must Patch' List (SecurityWeek) Zimbra vulnerability exploited by Russian hackers targeting Nato countries - CISA (Tech Monitor)  CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency CISA) NVD - CVE-2022-27926 (National Vulnerability Database) The Interview - Russian cyber weapons 'could do a lot of damage' in the US: Former counterterrorism czar (France 24) Biden cybersecurity chief 'surprised' Russia has not hit US targets amid Ukraine war (Washington Examiner) Ukrainian Cyber War Confirms the Lesson: Cyber Power Requires Soft Power (Council on Foreign Relations) Learn more about your ad choices. Visit megaphone.fm/adchoices
05/04/23·25m 24s

Cyber appeasement? Western Digital discloses cyberattack. Rilide malware is in active use. Mantis has new mandibles. Challenges of threat hunting. Small, medium, and large criminal enterprises.

Did "appeasement" embolden Russia's cyber operators? Western Digital discloses a cyberattack. Rilide is a new strain of malware in active use. The Mantis cyberespionage group uses new, robust tools and tactics. The challenges of threat hunting. Joe Carrigan has thoughts on public school systems making cyber security part of the curriculum. Our guest May Mitchell of Open Systems addresses closing the talent gap. And when it comes to criminal enterprise, size matters. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/64 Selected reading. Russia's shadow war: Vulkan files leak show how Putin's regime weaponises cyberspace (The Conversation) Russia's Invasion of Ukraine Heralds New Era of Warfare (VOA) West’s Cyber Appeasement Gave Putin Green Light: James Stavridis (Bloomberg Law) Western Digital Provides Information on Network Security Incident (Business Wire)  Western Digital confirms breach, shuts down systems (Computing) Western Digital discloses network breach, My Cloud service down (BleepingComputer) WD says law enforcement probing breach of internal systems (Register) Western Digital investigating MyCloud data breach affecting Mac desktop drives (Macworld) Users fume after My Cloud network breach locks them out of their data (Ars Technica) Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities (Cisco Talos Blog) Mantis: New Tooling Used in Attacks Against Palestinian Targets (Symantec)  Inside the Mind of a Threat Hunter: Team Cymru's Latest Report Sheds Light on Challenges Faced by Cybersecurity Analysts (Accesswire) Wages Dominate Cybercrime Groups' Operating Expenses (PR Newswire) Inside the Halls of a Cybercrime Business (Trend Micro) Size Matters: Unraveling the Structure of Modern Cybercrime Organizations (Trend Micro) Learn more about your ad choices. Visit megaphone.fm/adchoices
04/04/23·28m 52s

"Cylance" ransomware (no relation to Cylance). Update on the 3CX incident. The FSB's arrest of Evan Gershkovich. Ukrainian hacktivist social engineering in the hybrid war.

"Cylance" the ransomware (with no relation to Cylance, the security company). An update on the 3CX incident. The FSB's arrest of a Wall Street Journal reporter. Simone Petrella from N2K Networks unpacks 2023 cybersecurity training trends. Deepen Desai from Zscaler has the latest on cloud security. And Hacktivists claim to have tricked wives of Russian combat pilots into revealing personal information. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/63 Selected reading. "Cylance" ransomware (no relation to Cylance). (CyberWire Pro) New Cylance Ransomware Targets Linux and Windows, Warn Researchers (HackRead) New Cylance Ransomware strain emerges, experts speculate about its notorious members (IT PRO)  More evidence links 3CX supply-chain attack to North Korean hacking group (Record) 3CX supply chain attack: the unanswered questions (Computing) 3CX Desktop App Compromised (CVE-2023-29059) (Fortinet Blog)  Evan Gershkovich Loved Russia, the Country That Turned on Him (Wall Street Journal) The Ukrainian hoax that revealed the Russian pilots who bombed Mariupol theatre (The Telegraph) Ukrainian Hacktivists Trick Russian Military Wives for Personal Info (HackRead) Learn more about your ad choices. Visit megaphone.fm/adchoices
03/04/23·30m 30s

Alon Jackson: Sometimes you feel like an octopus. [CEO] [Career Notes]

Alon Jackson, chief executive and Co-founder of Astrix Security, sits down to share his story to rising success. Before being on the vendor side of things, Jackson served in various strategic roles in the Cyber Security Division of the Israeli Military Intel Unit 8200 for more than 8 years, including leading the Cloud Security division and serving as the Head of the Cyber Security R&D Department. His experience in the military inspired him to learn more about the industry and jump to the private sector. Fast forward years later, he co-founded his company to help address security gaps seen in the industry. He mentions how being a start up CEO can be difficult sometimes, and how it may feel as though you're an octopus with all the multitasking that comes with the job. Alon says that one of his main goals as a contributor in this industry is making sure people remember him and his company for years to come, saying he wants to help by " building a company that people kind of know about, remember, and is important in the world." We thank Alon for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
02/04/23·8m 31s

Blackfly flies back again. [Research Saturday]

Dick O'Brien from Symantec’s Threat Hunter team discusses their research on "Blackfly - Espionage Group Targets Materials Technology." Researchers say the Blackfly espionage group (aka APT41), has been mounting attacks against Asian materials and composite organizations in attempts to steal intellectual property. This group has been known as one of the longest known Chinese advanced persistent threat (APT) groups since at least 2010. The research shares that "early attacks were distinguished by the use of the PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad) malware families." The research can be found here:  Blackfly: Espionage Group Targets Materials Technology Learn more about your ad choices. Visit megaphone.fm/adchoices
01/04/23·13m 34s

A glimpse into Mr. Putin’s cyber war room. 3CXDesktopAppsupply chain risk. XSS flaw in Azure SFX can lead to remote code execution. AlienFox targets misconfigured servers.

The Vulkan papers offer a glimpse into Mr. Putin’s cyber war room. The 3CXDesktopApp vulnerability and supply chain risk. A cross site scripting flaw in Azure Service Fabric Explorer can lead to remote code execution. Rob Boyce from Accenture Security on threats toEV charging stations. Our guest is Steve Benton from Anomali Threat Research, sharing a ‘less is more’ approach to cybersecurity. And AlienFox targets misconfigured servers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/62 Selected reading. A Look Inside Putin's Secret Plans for Cyber-Warfare (Spiegel) Secret trove offers rare look into Russian cyberwar ambitions (Washington Post)  7 takeaways from the Vulkan Files investigation (Washington Post) ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics (the Guardian) Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan (Mandiant) 3CX DesktopApp Security Alert - Mandiant Appointed to Investigate (3CX) Information on Attacks Involving 3CX Desktop App (Trend Micro) 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component  (SecurityWeek) There’s a new supply chain attack targeting customers of a phone system with 12 million users (TechCrunch) Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383) (Orca Security) Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife (SentinelOne) Learn more about your ad choices. Visit megaphone.fm/adchoices
31/03/23·28m 21s

A major supply chain attack is underway. Ms Connor, call your office. Combosquatting. False positives fixed. Tanks don’t work, so Russia tries more cyber. And, sadly. some official hostage-taking.

The 3CXDesktopApp is under exploitation in a supply chain campaign. An open letter asks for a pause in advanced AI development. All your grammar and usage are belong us. Combosquatting might fool even the wary. Defender had flagged Zoom and other safe sites as dangerous. Recognizing the importance of OSINT. Matt O'Neill from US Secret Service discussing his agency’s cybersecurity mission. Our guest is Ping Li from Signifydwith a look at online fraud. And the FSB arrests a US journalist. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/61 Selected reading. 3CX DesktopApp Security Alert (3CX) Supply Chain Attack Against 3CXDesktopApp (CISA) Pause Giant AI Experiments: An Open Letter (Future of Life Institute) In Sudden Alarm, Tech Doyens Call for a Pause on ChatGPT (WIRED AI chatbots making it harder to spot phishing emails, say experts (the Guardian) The Most Common Combosquatting Keyword Is “Support” (Akamai) False positives in Microsoft Defender. (CyberWire) Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe (Proofpoint)  ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine (WeLiveSecurity)  Russia Ramping Up Cyberattacks Against Ukraine (VOA)  A new age of spying gives Kyiv the upper hand (The Telegraph)  Russia arrests Wall Street Journal reporter on spying charge (AP NEWS) Russia detains a Wall Street Journal reporter, accusing him of espionage. (New York Times) Learn more about your ad choices. Visit megaphone.fm/adchoices
30/03/23·28m 16s

Traffers and the threat to credentials. WiFi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations. Piracy is patriotic.

Traffers and the threat to credentials. A newly discovered WiFi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations. Ann Johnson from Afternoon Cyber Tea chats with EY principal Adam Malone. Our guest is Toni Buhrke from Mimecast with a look at the State of Email Security. And is piracy patriotic? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/60 Selected reading. Traffers and the growing threat against credentials (Outpost24 blog)  WiFi protocol flaw allows attackers to hijack network traffic (BleepingComputer)  Cross-chain bridge attacks. (CyberWire)  2023 Annual State of Email Security Report (Cofense) From Ukraine to the whole of Europe:cyber conflict reaches a turning point (Thales Group)  Russia Ramps Up Cyberattacks On Ukraine Allies: Analysts (Barron's)  Pro-Russian hackers shift focus from Ukraine to EU countries (Radio Sweden)  Russian hackers attack Slovak governmental websites after country supplies Mig-29s to Ukraine (Ukrainska Pravda) Ukraine's Defense Ministry says Russia is encouraging online piracy (The Jerusalem Post) Learn more about your ad choices. Visit megaphone.fm/adchoices
29/03/23·23m 39s

Twitter looks for a leaker. Insider risks. The state of resilience. Russian auxiliaries briefly disrupt a French National Assembly website. Cyber trends in the hybrid war. DPRK hacking, as it is.

Twitter gets a subpoena for a source-code leaker’s information. The insider risk to data. Russian hacktivist auxiliaries target the French National Assembly. Recent trends in cyberattacks sustained by Ukraine. Ben Yelin unpacks the White House executive order on spyware. Mr. Security Answer Person John Pescatore ponders the permanence of ransomware. And Cyberespionage and cybercrime in the interest of Pyongyang’s weapons programs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/59 Selected reading. GitHub Suspends Repository Containing Leaked Twitter Source Code (SecurityWeek) Twitter takes down source code leaked online, hunts for downloaders (BleepingComputer) Annual Data Exposure Report 2023 (Code 42) Russian Hackers Target French National Assembly Website (Privacy Affairs) Pro-Russian Hacktivists: A Reaction to a Western Response to a Russian Aggression (Radware Blog) Ukraine at D+397: Cyberespionage and battlespace preparation. (CyberWire) APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (Mandiant) Learn more about your ad choices. Visit megaphone.fm/adchoices
28/03/23·23m 45s

Evolution of criminal scams (especially BEC). Law enforcement honeypots. ChatGPT data leak. Hybrid war updates.

IcedID is evolving away from its banking malware roots. An Emotet phishing campaign spoofs IRS W9s. The FBI warns of BEC scams. A Fake booter service as a law enforcement honeypot. Phishing in China's nuclear energy sector. Reports of an OpenAI and a ChatGPT data leak. Does Iran receive Russian support in cyberattacks against Albania? My conversation with Linda Gray Martin and Britta Glade from RSAC with a preview of this year's conference. Our own Rick Howard takes a field trip to the National Cryptologic Museum. And De-anonymizing Telegram. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/58 Selected reading. Fork in the Ice: The New Era of IcedID (Proofpoint) Emotet malware distributed as fake W-9 tax forms from the IRS (BleepingComputer) Internet Crime Complaint Center (IC3) | Business Email Compromise Tactics Used to Facilitate the Acquisition of Commodities and Defrauding Vendors (IC3) Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer)  'Bitter' espionage hackers target Chinese nuclear energy orgs (BleepingComputer) UK Sets Up Fake DDoS-for-Hire Sites to Trap Hackers (PCMag Middle East) UK National Crime Agency reveals it ran fake DDoS-for-hire sites to collect users’ data (Record) OpenAI: ChatGPT payment data leak caused by open-source bug (BleepingComputer) OpenAI says a bug leaked sensitive ChatGPT user data (Engadget) March 20 ChatGPT outage: Here’s what happened (OpenAI) How Albania Became a Target for Cyberattacks (Foreign Policy)  Russia’s Rostec allegedly can de-anonymize Telegram users (BleepingComputer) Learn more about your ad choices. Visit megaphone.fm/adchoices
27/03/23·30m 13s

An introduction to the National Cryptologic Museum. [Special Edition]

Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, sits down with Director of the National Cryptologic Museum, Dr. Vince Houghton. The National Cryptologic Museum is the NSA's affiliated museum sharing the nation's best cryptologic secrets with the public. In this special episode, Rick interviews Dr. Houghton from within the walls of the National Cryptologic Museum, discussing the new and improved museum along with the new exhibits they uncovered during the pandemic. Learn more about your ad choices. Visit megaphone.fm/adchoices
27/03/23·27m 27s

Two viewpoints on the National Cybersecurity Strategy. [Special Edition]

Earlier this month, the White House released the National Cybersecurity Strategy, the first issued since 2018. The strategy refocuses roles, responsibilities, and resource allocations in the digital ecosystem, with a five pillar approach. Those pillars are: defending critical infrastructure, disrupting threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships. We wanted to delve into the strategy and its intended effects further, so Dave Bittner spoke with representatives from industry and inside government. Dave first speaks with Adam Isles, Principal and Head of Cybersecurity Practice at The Chertoff Group, sharing industry's take on the strategy. Following that conversation, Dave had a discussion with Steve Kelly, Special Assistant to the President and Senior Director for Cybersecurity and Emerging Technology at the National Security Council, for a look at the strategy from inside the White House. Links to resources: Point of View: 2023 National Cybersecurity Strategy The Chertoff Group's blog National Cybersecurity Strategy 2023 Learn more about your ad choices. Visit megaphone.fm/adchoices
26/03/23·35m 3s

Tanya Janca: Find a community who supports you. [CEO] [Career Notes]

Tanya Janca, CEO and Founder of We Hack Purple, sits down to talk about her exciting path into the field of cybersecurity. Trying several different paths in high school, she soon found she was good at computer science. When it came to picking a college, she knew that was the field she wanted to get into. After college, she was able to use her skills to work at a couple of different organizations, eventually getting into the Canadian government. While there, she held the position of CISO for the Canadian election in 2015 when Justin Trudeau was elected, but she knew she wanted to try something new. She switched from programming to security and after working at Microsoft as a presenter, she eventually found that she wanted to start her own company, saying "at first it was just me presenting, but now we have community members present to each other and it's just been really beautiful to see that grow." She hopes that with her and her community's help, nobody is left feeling unsafe when it comes to being online. Learn more about your ad choices. Visit megaphone.fm/adchoices
26/03/23·9m 56s

Popunders are not the good kind of ads. [Research Saturday]

On this episode, Jérôme Segura, senior threat researcher at Malwarebytes, shares his team's work, "WordPress sites backdoored with ad fraud plugin." WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues. The Malwarebytes team discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate. The research can be found here: WordPress sites backdoored with ad fraud plugin Learn more about your ad choices. Visit megaphone.fm/adchoices
25/03/23·24m 37s

Tools, alerts, and advisories from CISA. Reply phishing scams. Cl0p goes everywhere with GoAnywhere. EW in the hybrid war, and shields stay up.

A CISA tool helps secure Microsoft clouds.JCDC and pre-ransomware notification. CISA releases six ICS advisories. Reply phishing. Cl0p goes everywhere exploiting GoAnywhere. Russian electronic warfare units show the ability to locate Starlink terminals. Betsy Carmelite from Booz Allen Hamilton on the DoD's zero trust journey. Analysis of the National Cybersecurity strategy from our special guests, Adam Isles, Principal at the Chertoff Group and Steve Kelly, Special Assistant to the President and Senior Director for Cybersecurity and Emerging Technology with the National Security Council. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/57 Selected reading. JCDC Cultivates Pre-Ransomware Notification Capability (Cybersecurity and Infrastructure Security Agency CISA) US cyber officials make urgent push to warn businesses about vulnerabilities to hackers (CNN) Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA (Cybersecurity and Infrastructure Security Agency CISA) New CISA tool detects hacking activity in Microsoft cloud services (BleepingComputer) CISA Releases Six Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA) The Microsoft Reply Attack (Avanan) More victims emerge from Fortra GoAnywhere zero-day attacks (Security |  More Clop GoAnywhere attack victims emerge (SC Media)  Mass-Ransomware Attack on GoAnywhere File Transfer Tool Exposes Companies Worldwide (Medium)  City of Toronto confirms data theft, Clop claims responsibility (BleepingComputer)  Canadian movie chain Cineplex among the victims of GoAnywhere MFT hack (Financial Post)  Personal data of Rio Tinto's Aussie staff may have been hacked - memo (Reuters)  Another GoAnywhere Attack Affects Japanese Giant Hitachi Energy (Heimdal Security Blog)  Using Starlink Paints a Target on Ukrainian Troops (Defense One) As CISA chief notes lack of Russian cyberattacks against US, experts focus on enhancing nuclear reactor security (Utility Dive) Using Deception to Learn About Russian Threat Actors (Security Boulevard) Learn more about your ad choices. Visit megaphone.fm/adchoices
24/03/23·28m 13s

Pyongyang’s intelligence services have been busy in cyberspace. Hacktivists exaggerate the effects of their attacks on OT. Ghostwriter is back. A twice-told tale: ineffective cyberwar campaigns.

DPRK threat actor Kimsuky uses a Chrome extension to exfiltrate emails, while ScarCruft prospects South Korean organizations. Hacktivists' claims of attacks on OT networks may be overstated. Ghostwriter remains active in social engineering attempts to target Ukrainian refugees. Joe Carrigan has cyber crime by the numbers. Our guest is Christian Sorensen from SightGain with analysis of the cyber effects of Russia’s war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/56 Selected reading. North Korean hackers using Chrome extensions to steal Gmail emails (BleepingComputer) Joint Cyber Security Advisory (Korean) (BundesamtfuerVerfassungsschutz) North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign (Record) ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques (The Hacker News) The Unintentional Leak: A glimpse into the attack vectors of APT37 (Zscaler) CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft) (ASEC BLOG)  A Propaganda Group is Using Fake Emails to Target Ukrainian Refugees (Bloomberg)  We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems | Mandiant (Mandiant) Fact or fiction, hacktivists' claims of industrial sabotage in Russia or Ukraine get attention online (CyberScoop) The 5×5—Conflict in Ukraine's information environment (Atlantic Council) How the Russia-Ukraine conflict has impacted cyber-warfare (teiss) CommonMagic APT gang attacking organisations in Ukraine (Tech Monitor) Learn more about your ad choices. Visit megaphone.fm/adchoices
23/03/23·26m 24s

Detecting sandbox emulations. VEC supply chain attacks. Updates from the hybrid war. CISA and NSA offer IAM guidance. Other CISA advisories. Baphomet gets cold feet after all.

Malware could detect sandbox emulations. A VEC supply chain attack. A new APT is active in Russian-occupied sections of Ukraine. An alleged Russian patriot claims responsibility for the D.C. Health Link attack. CISA and NSA offer guidance on identity and access management (IAM). Tim Starks from the Washington Post has analysis on the BreachForums takedown. Our guest is Ryan Heidorn from C3 Integrated Solutions with a look at the CMMC compliance timeline. And Baphomet backs out. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/55 Selected reading. ZenGo uncovers security vulnerabilities in popular Web3 Transaction Simulation solutions: The red pill attack (ZenGo) Stopping a $36 Million Vendor Fraud Attack (Abnormal Intelligence)  Bad magic: new APT found in the area of Russo-Ukrainian conflict (Securelist) Unknown actors target orgs in Russia-occupied Ukraine (Register) New 'Bad Magic' Cyber Threat Disrupt Ukraine's Key Sectors Amid War (The Hacker News) Partisan suspects turn on the cyber-magic in Ukraine (Cybernews) Hacker tied to D.C. Health Link breach says attack 'born out of Russian patriotism' (CyberScoop)  CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management | CISA (Cybersecurity and Infrastructure Security Agency CISA)  ESF Partners, NSA, and CISA Release Identity and Access Management Recommended Best Practi (National Security Agency/Central Security Service) Identity and Access Management: Recommended Best Practices for Administrators (NSA and CISA)  CISA Releases Updated Cybersecurity Performance Goals (Cybersecurity and Infrastructure Security Agency CISA)  CISA Releases Eight Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA) End of BreachForums could take a bite out of cybercrime (Washington Post) BreachForums says it is closing after suspected law enforcement access to backend (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices
22/03/23·27m 20s

Threat group with novel malware operates in SE Asia. Data theft extortion rises. Key findings of Cisco's Cybersecurity Readiness Index. iPhones no longer welcome in Kremlin. Russian cyber auxiliaries & privateers devote increased attention to healthcare.

Threat group with novel malware operates in Southeast Asia. Data theft extortion on the rise. Key findings of Cisco's Cybersecurity Readiness Index. iPhones are no longer welcome in the Kremlin. Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector. Chris Eng from Veracode shares findings of their Annual Report on the State of Application Security. Johannes Ullrich from SANS Institute discusses scams after the failure of Silicon Valley Bank. And BreachForums seems to be under new management.  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/54 Selected reading. NAPLISTENER: more bad dreams from developers of SIESTAGRAPH (Elastic Blog)  Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise (Palo Alto Network) Ransomware and extortion trends. (CyberWire) Cisco Cybersecurity Readiness Index (Cisco) A look at resilience: companies' ability to fight off cyberattacks. (CyberWire) Putin to staffers: throw out your iPhones over security (Register) Black Basta, Killnet, LockBit groups targeting healthcare in force (SC Media) After BreachForums arrest, new site administrator says the platform will live on (Record)  Learn more about your ad choices. Visit megaphone.fm/adchoices
21/03/23·27m 10s

Cl0p ransomware at Hitachi Energy. Alleged TikTok surveillance of journalists. Hacktivist auxiliary hits Indian healthcare records. Cyberattack on Latitude: update. BreachForums arrest.

Cl0p ransomware hits Hitachi Energy. The US Department of Justice investigates ByteDance in alleged surveillance of journalists. A Hacktivist auxiliary hits Indian healthcare records. Pirated software is used to carry malware. The Effects of cyberattack on Latitude persist. Adam Meyers from CrowdStrike shares findings from the 2023 CrowdStrike Global Threat Report. Rick Howard has the latest preview of CSO Perspectives. And Pompompurin is arrested for an alleged role in BreachForums. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/53 Selected reading. Hitachi Energy confirms data breach after Clop GoAnywhere attacks (BleepingComputer) Hitachi Energy Group hit by cyber-attack, says network operations not compromised (cnbctv18.com)  Justice Department Probes TikTok’s Tracking of U.S. Journalists (Wall Street Journal)  The FBI And DOJ Are Investigating ByteDance’s Use Of TikTok To Spy On Journalists (Forbes) KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks (Azure Network Security Team) Pro-Russia hackers are increasingly targeting hospitals, researchers warns (Record)  Russian hacktivist group targets India’s health ministry (CSO Online) Russian Hacktivist group Phoenix targets India’s Health Ministry Website (Threat Intelligence | CloudSEK)  Ukraine warns that hacked software can be infected with Russian viruses (Kyiv Independent) Russian hackers spread infected software through torrents (SSSCIP) Australia's Latitude takes systems offline, Federal Police investigate cyberattack (Reuters) FBI targets notorious cybercrime market with teen’s arrest (Washington Post)  Dark Web ‘BreachForums’ Operator Charged With Computer Crime (Bloomberg)  Feds arrest alleged BreachForums owner linked to FBI hacks (The Verge)  NY Man Charged as 'Pompompurin,' the Boss of BreachForums (KrebsOnSecurity)  Breach Forums Admin 'Pompompurin' Arrested in New York (Cyber Kendra)  Pompompurin Unmasked: Infamous BreachForums Mastermind Arrested in New York (The Hacker News) Learn more about your ad choices. Visit megaphone.fm/adchoices
20/03/23·27m 9s

Kathleen Smith: Translating the cyber world. [CMO] [Career Notes]

Kathleen Smith, CMO from ClearedJobs.Net, sits down to share her story as she remembers having big shoes to fill in her childhood. She strived for greatness at an early age, as her parents told her she would be going to college and would follow strong guidelines to become successful. Kathleen can remember being into the hard sciences when she was in school, which sparked an interest in becoming a biochemist and law student. Eventually she found her passion as a translator, saying that "doing the translator role, I wanted to get into international marketing and I was going on to get my degree on that." She found her way to ClearedJobs.Net and fell in love with it. She had sought to find a workplace that wouldn't burn her out, where she can also be a part of the team. Kathleen found what she was passionate about and made it a reality for herself, and now she just wants young women starting in the field to know the importance of finding something they are passionate about. We thank Kathleen for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices
19/03/23·9m 40s

CISA Alert AA23-075A – #StopRansomware: LockBit 3.0.

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint advisory to share known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023. AA23-075A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
18/03/23·2m 39s

ChatGPT grants malicious wishes? [Research Saturday]

Bar Block, Threat Intelligence Researcher at Deep Instinct, joins Dave to discuss their work on "ChatGPT and Malware - Making Your Malicious Wishes Come True." Deep Instinct goes into depth on just how dangerous ChatGPT can be in the wrong hands as well as how artificial intelligence is better at creating malware than providing ways to detect it. Researchers go on to explain how the AI app can be used in the wrong hands saying "Examples of malicious content created by the AI tool, such as phishing messages, information stealers, and encryption software, have all been shared online." The research can be found here: ChatGPT and Malware: Making Your Malicious Wishes Come True Learn more about your ad choices. Visit megaphone.fm/adchoices
18/03/23·16m 13s

Some movement in the cyber underworld. Vishing impersonates the US Social Security Administration. More SVB-themed phishing. And compromise without user interaction.

BianLian gang’s pivot. HinataBot is a Go-based threat. The US Social Security Administration is impersonated in attempted vishing attacks. BlackSnake in the RaaS criminal market. More Silicon Valley Bank-themed phishing. Caleb Barlow from Cylete on security implications you need to consider now about Chat GPT. Our guest is Isaac Roth from LeakSignal with advice on securing the microservices application layer. And Russian operators exploit an Outlook vulnerability. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/52 Selected reading. BianLian Ransomware Gang Continues to Evolve ([redacted]) Uncovering HinataBot: A Deep Dive into a Go-Based Threat (Akamai) Social InSecurity: Armorblox Stops Attack Impersonating Social Security Administration (Armorblox) Netskope Threat Coverage: BlackSnake Ransomware (Netskope)  Fresh Phish: Silicon Valley Bank Phishing Scams in High Gear (INKY) Outlook zero day linked to critical infrastructure attacks (Cybersecurity Dive) CVE-2023-23397: Exploitations in the Wild – What You Need to Know (Deep Instinct)  Everything We Know About CVE-2023-23397 (Huntress) Microsoft Mitigates Outlook Elevation of Privilege Vulnerability (Microsoft Security Response Center) Learn more about your ad choices. Visit megaphone.fm/adchoices
17/03/23·30m 0s

CISA warns of Telerik vulnerability exploitation. Cloud storage re-up attacks. Phishing tackle so convincing it will deceive the many. Cyber developments in Russia's hybrid war.

Telerik exploited, for carding (probably) and other purposes. Cloud storage re-up attacks. Cybercriminals use new measures to avoid detection of phishing campaigns. "Winter Vivern" seems aligned with Russian objectives. Microsoft warns of a possible surge in Russian cyber operations. Boss Sandworm. Johannes Ullrich from SANS talking about malware spread through Google Ads. Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity directives. And don't fear the Reaper. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/51 Selected reading. Threat Actors Exploited Progress Telerik Vulnerability in U.S. Government IIS Server (Cybersecurity and Infrastructure Security Agency CISA) Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA: Federal civilian agency hacked by nation-state and criminal hacking groups (CyberScoop)  US govt web server attacked by 'multiple' criminal gangs (Register) The Cloud Storage Re-Up Attack (Avanan) Threat Spotlight: 3 novel phishing tactics (Barracuda) Winter Vivern | Uncovering a Wave of Global Espionage (SentinelOne) Is Russia regrouping for renewed cyberwar? (Microsoft On the Issues)  A year of Russian hybrid warfare in Ukraine (Microsoft Threat Intelligence) Russian hackers preparing new cyber assault against Ukraine - Microsoft report (Reuters) Microsoft Warns Russia May Plan More Ransomware Attacks Beyond Ukraine (Bloomberg) This Is the New Leader of Russia's Infamous Sandworm Hacking Unit (WIRED)  What's known and not about US drone-Russian jet encounter (AP NEWS) Russia tries to retrieve downed US drone in Black Sea (The Telegraph) Downed U.S. drone points to cyber vulnerabilities (Washington Post) Learn more about your ad choices. Visit megaphone.fm/adchoices
16/03/23·29m 6s

CISA Alert AA23-074A – Threat actors exploit progress telerik vulnerability in U.S. government IIS server. [CISA Cybersecurity Alerts]

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint Cybersecurity Advisory to provide IT infrastructure defenders with TTPs, IOCs, and methods to detect and protect against recent exploitation against Microsoft Internet Information Services web servers. AA23-074A Alert, Technical Details, and Mitigations AA23-074A STIX XML MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935) ACSC Advisory 2020-004 Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI Volexity Threat Research: XE Group GitHub: Proof-of-Concept Exploit for CVE-2019-18935 Microsoft: Configure Logging in IIS GitHub: CVE-2019-18935 No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices
16/03/23·2m 48s

Patch Tuesday notes. SVB's and the cybersecurity sector. SVR's APT29 is phishing for access to information. Trends in the Russo-Ukraine cyberwar. LockBit counts coup (says LockBit).

Patch Tuesday notes. Silicon Valley Bank's collapse and its effects on the cybersecurity sector. SVR's APT29 used a Polish state visit to the US as phishbait. Regularizing hacktivist auxiliaries. Our guest is Crane Hassold from Abnormal Security with a look at threats to email. Grayson Milbourne from OpenText Cybersecurity addresses chaos within the supply chain. And LockBit claims to have compromised an aerospace supply chain. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/50 Selected reading. March 2023 Patch Tuesday: Updates and Analysis (CrowdStrike) Microsoft Releases March 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA) Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA) Mozilla Releases Security Updates for Firefox 111 and Firefox ESR 102.9 (Cybersecurity and Infrastructure Security Agency CISA) SAP Security Patch Day for March 2023 (Onapsis) March Patch Tuesday review. (CyberWire) What the collapse of Silicon Valley Bank means for cyber and the tech startup ecosystem. (CyberWire) NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine (BlackBerry) Ukraine Tracks Increased Russian Focus on Cyberespionage (Bank Info Security) Ukraine scrambles to draft cyber law, legalizing its volunteer hacker army (Newsweek)  Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor (SecurityWeek) Learn more about your ad choices. Visit megaphone.fm/adchoices
15/03/23·26m 34s

Silicon Valley Bank as phishbait. An “attack superhighway.” Unauthorized software in the workplace. YoroTrooper, a new cyberespionage threat actor. Hacktivists game, too. How crime pays.

Expect phishing, BEC scams, and other social engineering to use Silicon Valley Bank lures. An "attack superhighway." Unauthorized software in the workplace. A new cyberespionage group emerges. Squad up (but not IRL). Ben Yelin unpacks the FBI director’s recent admission of purchasing location data. Ann Johnson from Afternoon Cyber Tea speaks with Jason Barnett from HCA Healthcare about cyber resilience. And, not that you’d consider a life of crime, but what are the gangs paying cyber criminals, nowadays? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/49 Selected reading. SVB's collapse and the potential for fraud. (CyberWire) State-of-the-Internet: malicious DNS traffic. (CyberWire) Unauthorized software in the workplace. (CyberWire) Talos uncovers espionage campaigns targeting CIS countries, including embassies and EU health care agency (Cisco Talos Blog) STALKER 2 game developer hacked by Russian hacktivists, data stolen (BleepingComputer) GSC Game World suffers Stalker 2 leak after latest cyber attack (GamesIndustry.biz) Threat Groups Offer $240k Salary to Tech Jobseekers (Security Intelligence) Learn more about your ad choices. Visit megaphone.fm/adchoices
14/03/23·25m 47s

Coping with Silicon Valley Bank's collapse. BatLoader's abuse of Google Search Ads. More on Emotet’s re-emergence. Medusa rising. NetWire collared. More-or-less quiet on the cyber front.

Coping with Silicon Valley Bank's collapse. BatLoader's abusing Google Search Ads. More on Emotet’s re-emergence. Reflections on Medusa rising. An international law enforcement action against NetWire. Rob Shapland from Falanx Cyber on ethical hacking and red teaming. Bryan Ware from LookingGlass looks at exploited vulnerabilities in the US financial sector. And in Ukraine, it’s more-or-less quiet on the cyber front (but in Estonia and Georgia, not so much). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/48 Selected reading. One of Silicon Valley's top banks fails; assets are seized (AP NEWS) US, UK try to stem fallout from Silicon Valley Bank collapse (AP NEWS) In abrupt reversal, regulators to cover Silicon Valley Bank, Signature uninsured deposits (American Banker) Silicon Valley Bank collapse will not trigger new financial crisis, insists Sunak (The Telegraph) ‘Banking system is safe’: Joe Biden reassures markets in address on Silicon Valley Bank collapse – live updates (the Guardian)  BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif (eSentire)  BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (The Hacker News)  Emotet Again! The First Malspam Wave of 2023 (Deep Instinct)  Emotet attempts to sell access after infiltrating high-value networks (SC Media)  Medusa ransomware gang picks up steam as it targets companies worldwide (BleepingComputer) Alleged seller of NetWire RAT arrested in Croatia (Help Net Security) FBI and international cops catch a NetWire RAT (Register) How the FBI proved a remote admin tool was actually malware (TechCrunch) Estonia’s Election Was More Than Just a Win for Kallas (World Politics Review)  Estonian official says parliamentary elections were targeted by cyberattacks (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices
13/03/23·28m 43s