CyberWire Daily

How the C2C market sustains ransomware gangs. In Russia’s war, intelligence services deploy wipers, and hacktivist auxiliaries handle the DDoS. And a look into other corners of the cyber underworld. Feb 01, 2023

Microsoft tallies more than a hundred ransomware gangs. Sandworm's NikoWiper hits Ukraine's energy sector. Mobilizing cybercriminals in a hybrid war. Firebrick Ostrich and business email compromise. Telegram is used for sharing stolen data and selling malware. Crypto scams find their way into app stores. Bryan Vorndran of the FBI Cyber Division outlines the services the FBI provides during an incident response. Ann Johnson from Afternoon Cyber Tea speaks with actor producer Tim Murck about the intersection of cyber awareness and storytelling. And we are shocked - shocked! - that there are fraudulent cyber professional credentials circulating online.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/21

Selected reading.

Microsoft: Over 100 threat actors deploy ransomware in attacks (BleepingComputer)

SocGholish: A Tale of FakeUpdates (Reliaquest)

ESET APT Activity Report T3 2022 (WeLiveSecurity)

Pro-Russian DDoS attacks raise alarm in Denmark, U.S. (The Record from Recorded Future News)

ChristianaCare's website restored after attack; pro-Russia 'hacktivist' group takes credit (Delaware News Journal)

Univ. of Iowa Hospitals website possibly hit by cyberattack (KCRG)

Cyber attack causes problems with UM Health websites (The Detroit News)

How the war in Ukraine has strengthened the Kremlin's ties with cybercriminals (The Record from Recorded Future News)

Dark Covenant 2.0: Cybercrime, the Russian State, and War in Ukraine (Recored Future)

Russia’s cyberwar against Ukraine offers vital lessons for the West (Atlantic Council)

BEC Group Uses Secondary Personas & Lookalike Domains in Third-Party… (Abnormal Intelligence)

Telegram's place in the cyber underworld. (CyberWire)

Crypto scams found in the App Store. (CyberWire)

Exposure to third-party risk. (CyberWire)

Cyber certification deceit. (CyberWire)

The cybercriminal labor market and the campaigns it’s supporting. Russia’s Killnet is running DDoS attacks against US hospitals, but Russia says, hey, it’s the real victim here. Jan 31, 2023

Some perspective on the cybercriminal labor market. DocuSign is impersonated in a credential-harvesting campaign. Social engineering pursues financial advisors. Killnet is active against the US healthcare sector. Mr. Security Answer Person John Pescatore has thoughts on cryptocurrency. Ben Yelin and I debate the limits of section 230. And, hey, who’s the real victim in cyberspace? A hint: probably not you, Mr. Putin.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/20

Selected reading.

Perspectives on the cybercriminal labor market. (CyberWire).

IT specialists search and recruitment on the dark web (Securelist)

Cybercrime job ads on the dark web pay up to $20k per month (BleepingComputer)

Report on hackers' salaries shows poor wages for developers (Register)

Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web (CyberScoop)

Application security risks. (CyberWire)

Survey gives insight into new app security challenges (Cisco App Dynamics)

DocuSign impersonated in credential phishing attack. (CyberWIre)

Breaking the Impersonation: Armorblox Stops DocuSign Attack (Armorblox)

"Pig butchering" and financial advisor impersonation scams. (CyberWire)

No Blocking, No Issue: The Curious Ecosystem of Financial Advisor Impersonation Scams (Domain Tools)

Ukraine at D+341: Killnet hits US hospitals.(CyberWire)

HC3 TLP Clear Analyst Note: Pro-Russian Hacktivist Group Threat to HPH Sector (American Hospital Association)

HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals (Gov Info Security)

Russian hackers allegedly take down Duke University Hospital’s website (Carolina Journal)

The Evolution of DDoS: Return of the Hacktivist (FSISAC)

Russia becomes target of West’s coordinated aggression in cyberspace — MFA (TASS)

Criminal evolutions, disgruntled insiders, and gangsta wannabes. New wiper attacks hit Ukrainian targets, with less effect than the first rounds early last year. And support your local hacktivist? Jan 30, 2023

Gootloader's evolution. Yandex source code leaked (and Yandex blames a rogue insider). New GRU wiper malware is active against Ukraine. Latvia reports cyberattacks by Gamaredon. Russia and the US trade accusations of malign cyber activity. A hacktivist auxiliary's social support system. Deepen Desai from Zscaler describes the Lilithbot malware. Rick Howard looks at chaotic simians. And wannabes can be a nuisance, too: LockBit impersonators are seen operating in northern Europe.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/19

Selected reading.

Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations (Mandiant)

Yandex denies hack, blames source code leak on former employee (BleepingComputer)

Hackers use new SwiftSlicer wiper to destroy Windows domains (BleepingComputer)

Sandworm APT targets Ukraine with new SwiftSlicer wiper (Security Affairs)

Ukraine: Sandworm hackers hit news agency with 5 data wipers (BleepingComputer)

Ukraine Links Media Center Attack to Russian Intelligence (BankInfoSecurity)

Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group (The Record from Recorded Future News)

Russia knows US recruits hackers, trains Ukrainian IT-army — Deputy Foreign Minister (TASS)

Taking down the Hive ransomware gang. (CyberWire)

US puts a $10m bounty on Hive while Russia shuts down access (Register)

Exploring Killnet’s Social Circles (Radware)

Copycat Criminals mimicking Lockbit gang in northern Europe (Security Affairs)

Charlie Moore: Pilot to head honcho in cyber. [Cyber Command] [Career Notes[ Jan 29, 2023

Our guest, Charlie Moore, is a recently retired USAF Lieutenant General who sits down to share his story from flying high in the air to becoming a bigwig in the cyber community. He was most recently the Deputy Commander of the United States Cyber Command, and also spent part of his career as a human factors engineer working on human interfaces for fighter aircraft. When he first began his Air Force career, he was a member of the last class entering into the Academy that was not issued desktop computers. Charlie discusses how this changed as the year went on and how that impacted his career both in and out of the military. Charlie worked for different companies over the years to further his career and his goals, and discusses how his flying career has helped him and says, "I was extremely passionate about the flying aspect of my career for 25 years and I became even more passionate about operating in this space." We thank Charlie for sharing his story with us.

Interview with the AI, part one. [Special Editions] Jan 29, 2023

Cybersecurity interview with ChatGPT.

In part one of CyberWire’s Interview with the AI, Brandon Karpf interviews ChatGPT about topics related to cybersecurity. Rick Howard joins Brandon to analyze the conversation and discuss potential use cases for the cybersecurity community.

ChatGPT is a chatbot launched by OpenAI and built on top of OpenAI’s GPT-3 family of large language models.

Cyber questions answered by ChatGPT in part one of the interview.

What were the most significant cybersecurity incidents up through 2021?
What leads you to characterize these specific events as significant?
What were the specific technical vulnerabilities associated with these incidents?
Who were the cyber actors involved in each of these attacks?
Do you think it's valuable to attribute cyber attacks to specific actors?

Flagging firmware vulnerabilities. [Research Saturday] Jan 28, 2023

Roya Gordon from Nozomi Networks sits down with Dave to discuss their research on "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security." Researchers at Nozomi Networks has revealed that there are thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X.

The research states "By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host." As well as mentioning what patches could be in the future to help fix these vulnerabilities.

The research can be found here:

Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1

An update on the Hive ransomware takedown. More DDoS from Killnet. Advisories from CISA, and an addition to the Known Exploited Vulnerabilties Catalog. Jan 27, 2023

An update on the takedown of the Hive ransomware gang, plus insights from CrowdStrike’s Adam Meyers. If you say you’re going to unleash the Leopards, expect a noisy call from Killnet. Our guest is ExtraHop CISO Jeff Costlow talking about nation-state attackers in light of ongoing Russian military operations. CISA has released eight ICS advisories, and the agency has also added an entry to its Known Exploited Vulnerabilities Catalog.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/18

Selected reading.

Cybercriminals stung as HIVE infrastructure shut down (Europol)

U.S. Department of Justice Disrupts Hive Ransomware Variant (U.S. Department of Justice)

Director Christopher Wray’s Remarks at Press Conference Announcing the Disruption of the Hive Ransomware Group (Federal Bureau of Investigation)

Taking down the Hive ransomware gang. (CyberWire)

US hacks back against Hive ransomware crew (BBC News)

Cyberattacks Target Websites of German Airports, Admin (SecurityWeek)

Delta Electronics CNCSoft ScreenEditor (CISA)

Econolite EOS (CISA)

Snap One Wattbox WB-300-IP-3 (CISA)

Sierra Wireless AirLink Router with ALEOS Software (CISA).

Mitsubishi Electric MELFA SD/SQ series and F-series Robot Controllers (CISA)

Rockwell Automation products using GoAhead Web Server (CISA)

Landis+Gyr E850 (CISA)

Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA)

CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)

Remote monitoring and management tools abused. Russian and Iranian cyberespionage reported. The world according to the CIO. And if volume is your secret, maybe look for a better secret. Jan 26, 2023

Joint advisory warns of remote monitoring and management software abuse. Iranian threat actors reported active against a range of targets. UK's NCSC warns of increased risk of Russian and Iranian social engineering attacks. A look at trends, as seen by CIOs. Carole Theriault ponders health versus privacy with former BBC guru Rory Cellan Jones. Kyle McNulty, host of the Secure Ventures podcast shares lessons from the cybersecurity startup community. And the DRAGONBRIDGE spam network is disrupted.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/17

Selected reading.

CISA, NSA, and MS-ISAC Release Advisory on the Malicious Use of RMM Software (CISA)

Protecting Against Malicious Use of Remote Monitoring and Management Software (CISA)

CISA: Federal agencies hacked using legitimate remote desktop tools (BleepingComputer)

'Malicious' cyber attacks launched by groups connected to Iran's regime (ABC)

Abraham's Ax Likely Linked to Moses Staff (Secureworks)

SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest (NCSC)

NCSC: Russian and Iranian hackers targeting UK politicians, journalists (Computing)

State of the CIO Study 2023: CIOs cement leadership role (Foundry)

U.S. says it 'hacked the hackers' to bring down ransomware gang, helping 300 victims (Reuters)

Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022 (Google TAG)

CISA Alert AA23-025A – Protecting against malicious use of remote monitoring and management software Jan 26, 2023

CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software.

AA23-025A Alert, Technical Details, and Mitigations

For a downloadable copy of IOCs, see AA23-025.stix

Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

TA444 and crypto theft on behalf of the Dear Successor. CryptoAPI spoofing vulnerability described. New Python-based malware campaign. User headspace. Tanks vs. hacktivists. Jan 25, 2023

How do the North Koreans get away with it? They do run their cyber ops like a creepy start-up business. A spoofing vulnerability is discovered in Windows CryptoAPI. Python-based malware is distributed via phishing. MacOS may have a reputation for threat-resistance, but users shouldn't get cocky. DevSecOps survey results show tension between innovation and security. Russian hacktivist auxiliaries hit German targets. Tim Starks from the Washington Post Cyber 202 shares insights from his interview with Senator Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility. And Private sector support for Ukraine's cyber defense.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/16

Selected reading.

TA444: The APT Startup Aimed at Acquisition (of Your Funds) (Proofpoint)

Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI (Akamai)

Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection (Securonix)

BlackBerry's Inaugural Quarterly Threat Intelligence Report Reveals Threat Actors Launch One Malicious Threat Every Minute (BlackBerry)

Global CIO Report Reveals Growing Urgency for Observability and Security to Converge (Dynatrace)

Russian 'hacktivists' briefly knock German websites offline (Reuters)

How Microsoft is helping Ukraine’s cyberwar against Russia (Computerworld)

CISA Releases Two Industrial Control Systems Advisories (CISA)

Cyber Marketing Con 2022: From the horse’s mouth: CISO Q&A on solving the cyber marketer’s dilemma. [Special Editions] Jan 25, 2023

At the 2022 Cyber Marketing Con, the CyberWire presented a CISO Q&A panel session on how to help cyber marketers reach CISOs and other security executives in the industry. The panel included Rick Howard, CSO of N2K Networks, Jaclyn Miller, Head of InfoSec and IT at DispatchHealth, Ted Wagner, CISO of SAP NS2, and was moderated by board director & and operating partner, Michelle Perry.

Listen in as the panel discusses:

What works and doesn’t work in getting a security executive’s attention.
Message trust, message fatigue, and what you can do about it.
Trusted information sources and how security executives use them.
Positioning and messaging that is actually meaningful to decision makers.
The security executive’s purchasing behavior and why skepticism is the driving force.

Stay tuned until the end to hear us answer some additional bonus questions submitted by attendees.

Disentangling cybercrime from cyberespionage. A threat to the IoT supply chain. What do you do with the hacktivists when they stop being hacktivists? A retired FBI Special Agent is indicted. Jan 24, 2023

DragonSpark conducts "opportunistic" cyberattacks in East Asia. ProxyNotShell and OWASSRF exploit chains target Microsoft Exchange servers. The IoT supply chain is threatened by exploitation of Realtek Jungle SDK vulnerability. CISA adds an entry to its Known Exploited Vulnerabilities Catalog. A Cisco study finds organizations see positive returns from investment in privacy. What's the hacktivist's postwar future? Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT to discuss the security of removable media devices. And a retired G-Man is indicted on multiple charges.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/15

Selected reading.

DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation (SentinelOne)

Technical Advisory: Proxy*Hell Exploit Chains in the Wild (Bitdefender)

Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats (Unit 42)

CISA Adds One Known Exploited Vulnerability to Catalog (CISA)

2023 Data Privacy Benchmark Study (Cicso)

Hacktivism Is a Risky Career Path (WIRED)

Retired FBI Executive Charged With Concealing $225,000 In Cash Received From An Outside Source (Department of Justice, U.S. Attorney’s Office, District of Columbia)

Former Special Agent In Charge Of The New York FBI Counterintelligence Division Charged With Violating U.S. Sanctions On Russia (Department of Justice, U.S. Attorney’s Office, Southern District of New York)

Former Senior F.B.I. Official in New York Charged With Aiding Oligarch (New York Times)

Contractor error behind FAA outage. OneNote malspam. Vastflux ad campaign disrupted. Ukraine moves closer to CCDCOE membership. Alerts for gamblers and gamers. Jan 23, 2023

The FAA attributes its January NOTAM outage. Malicious OneNote attachments are appearing in phishing campaigns. The Vastflux ad campaign has been disrupted. Ukraine moves toward closer cybersecurity collaboration with NATO. Rick Howard considers the best of 2022. Deepen Desai from Zscaler looks at VPN Risk. And, finally, we’re betting you want alerts for sports book customers and online gamers.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/14

Selected reading.

FAA Says Contractor Unintentionally Caused Outage That Disrupted Flights (Wall Street Journal)

Not a cyberattack, but an IT failure: the FAA's NOTAM outage. (CyberWire)

Hackers now use Microsoft OneNote attachments to spread malware (BleepingComputer)

Traffic signals: The VASTFLUX Takedown (HUMAN Security)

Ukraine signs agreement to join NATO cyber defense center (The Record from Recorded Future News)

FanDuels warns of data breach after customer info stolen in vendor hack (BleepingComputer)

Industry looks at the MailChimp data incident. (CyberWire)

PSA: Don’t play GTA Online on PC right now (Video Games)

You might not want to play GTA Online right now due to security vulnerabilities (RockPaperShotgun)

Riot Games hacked, delays game patches after security breach (BleepingComputer)

Riot hit by ‘social engineering attack’ that will affect patch cadence for multiple titles (Dot Esports)

Miriam Wugmeister: Technology's not as complicated as you think. [Data Security] [Career Notes] Jan 22, 2023

Miriam Wugmeister, co-chair of Morrison & Foerster’s Privacy and Data Security practice, sits down to share her in-depth experience and understanding of privacy and data security laws, obligations, and practices across a wide range of industries. She talks about how she grew up not knowing exactly what she wanted to get into as a profession, starting off as a chemical engineering major in college before switching to philosophy. She then got asked to work on a project relating to a company’s privacy and fell in love with the subject matter, deciding then to pursue it as a career. Miriam mentions how technology is not as complicated as tech people might have you think. She hopes she can advertise a tech degree for young women and men looking to get into the field, as well as making sure she "encourages women and diverse lawyers to, uh, come into this area to thrive." We thank Miriam for sharing her story with us.

The power of web data in cybersecurity. [CyberWire-X] Jan 22, 2023

The public web data domain is a fancy way to say that there is a lot of information sitting on websites around the world that is freely available to anybody who has the initiative to collect it and use it for some purpose. When you do that collection, intelligence groups typically refer to it as open source intelligence, or OSINT. Intelligence groups have been conducting OSINT operations for over a century if you consider books and newspapers to be one source of this kind of information. In the modern day, hackers conduct OSINT operations in order to recon their potential victims by collecting email addresses, personal information, IP addresses, software versions, network configurations, and, if they are lucky, login credentials for websites and social media platforms. The question is, how can the good guys use these techniques to improve their security posture or maybe help the business in some kind of material way?

On this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner discuss OSINT operations to improve your security posture with guests Steve Winterfeld, Hash Table member and Advisory CISO for Akamai, and Or Lenchner, CEO at our episode sponsor Bright Data.

Billbug infests government agencies. [Research Saturday] Jan 21, 2023

Brigid O. Gorman from Symantec's Threat Hunter Team joins Dave to discuss their report "Billbug - State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." The team has discovered that state-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted.

The research states they believe Billbug, which is a long-established advanced persistent threat (APT) group has been active since about 2009. They say "In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity."

The research can be found here:

Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries

Ransomware in Costa Rica. Cyberespionage against unpatched FortiOS instances. Credential stuffing PayPal, breaching T-Mobile. Utility business systems hit. Hackathons and phishing in Russia. Jan 20, 2023

Ransomware hits Costa Rican government systems, again. A Chinese threat actor deploys the BOLDMOVE backdoor against unpatched FortiOS. Credential stuffing afflicts PayPal users. T-Mobile discloses a data breach. A cyberattack hits a remote Canadian utility. The Wagner Group sponsors a hackathon. Malek Ben Salem from Accenture describes prompt injection for chatbots. Our guest is Paul Martini of iboss with insights on Zero Trust. And the FSB’s Gamaredon APT runs a hands-on Telegraph phishing campaign against Ukrainian targets.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/13

Selected reading.

Bolster Your Company Defenses With Zero Trust Edge (Forrester)

MICITT detecta incidente informático en el MOPT, el cual ya se encuentra contenido (MICITT)

MOPT mantiene habilitados todos los servicios de manera presencial (MICITT)

Costa Rica’s Ministry of Public Works and Transport crippled by ransomware attack (Record)

Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) (Mandiant)

Attackers Crafted Custom Malware for Fortinet Zero-Day (Dark Reading)

Chinese hackers used recently patched FortiOS SSL-VPN flaw as a zero-day in October (Security Affairs)

PayPal accounts breached in large-scale credential stuffing attack (BleepingComputer)

PayPal Confirms Over 34,000 Customer Accounts Were Breached (EcommerceBytes)

35,000 PayPal accounts hacked, and users could've prevented it (PCWorld)

Thousands Of PayPal Accounts Hacked—Is Yours One Of Them? (Forbes)

Nearly 35,000 PayPal users had SSNs, tax info leaked during December cyberattack (The Record from Recorded Future News)

T-Mobile Says Hacker Stole Data for 37 Million Customers (Bloomberg)

T-Mobile Says Hackers Stole Data on About 37 Million Customers (Wall Street Journal)

T-Mobile Says Hackers Used API to Steal Data on 37 Million Accounts (SecurityWeek)

Cyberattack hits Nunavut's Qulliq Energy Corp. (CBC News)

Nunavut power utility’s servers hit by cyber attack | IT World Canada News (IT World Canada)

Russian War Report: Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize (Atlantic Council)

Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations (Blackberry)

Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram (The Hacker News)

Hitachi Energy PCU400 (CISA)

Bolster Your Company Defenses With Zero Trust Edge (iBoss)

Criminal-on-criminal action in the dark web. The cyber phases of the hybrid war heat up. ICS vulnerabilities. Codespaces and malware servers. Blank-image attacks. Social engineering. Jan 19, 2023

A hostile takeover of the Solaris contraband market. Ukraine warns that Russian cyberattacks continue. An overview of 2H 2022 ICS vulnerabilities. Codespaces accounts can act as malware servers. Blank-image attacks. Campaigns leveraging HR policy themes. Dinah Davis from Arctic Wolf has tips for pros for security at home. Our guest is Gerry Gebel from Strata Identity describes a new open source standard that aims to unify cloud identity platforms. And travel-themed phishing increases.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/12

Selected reading.

Friday the 13th on the Dark Web: $150 Million Russian Drug Market Solaris Hacked by Rival Market Kraken (Elliptic Connect)

Russia-linked drug marketplace Solaris hacked by its rival (The Record from Recorded Future News)

Cyber-attacks have tripled in past year, says Ukraine’s cybersecurity agency (the Guardian)

Ukraine: Russians Aim to Destroy Information Infrastructure (Gov Info Security)

Ukraine says Russia is coordinating missile strikes, cyberattacks and information operations (The Record by Recorded Future)

ICS Vulnerabilities and CVEs: Second Half of 2022 (SynSaber)

Abusing a GitHub Codespaces Feature For Malware Delivery (Trend Micro)

The Blank Image Attack (Avanan)

Phishing Attacks Pose as Updated 2023 HR Policy Announcements (Abnormal Security)

Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns (Bitdefender)

ICS security–vulnerabilities, mitigations, and threats. A Chinese APT prospects Iranian targets. The persistence of nuisance-level hacktivism. And war takes a toll on the criminal economy. Jan 18, 2023

CISA adds to its Known Exploited Vulnerability Catalog. Attacks against industrial systems. DNV is recovering from ransomware. Chinese cyberespionage is reported against Iran. The persistence of nuisance-level hacktivism. Robert M. Lee from Dragos outlines pipeline security. Our guest is Yasmin Abdi from Snap on bringing her team up to speed with zero trust. And a side-effect of Russia's war: a drop in paycard fraud.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/11

Selected reading.

Bolster Your Company Defenses With Zero Trust Edge (iBoss)

CISA Adds One Known Exploited Vulnerability to Catalog (CISA)

GE Digital Proficy Historian (CISA)

Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA)

Siemens SINEC INS (CISA)

Contec CONPROSYS HMI System (CHS) Update A (CISA)

Nozomi Networks Researchers Take a Deep Look into the ICS Threat Landscape (Nozomi Networks)

A look at IoT/ICS threats. (CyberWire)

DNV's fleet management software recovering from ransomware attack. (CyberWire)

DNV says up to 1,000 ships affected by ransomware attack (Computing)

Ransomware attack on maritime software impacts 1,000 ships (The Record from Recorded Future News)

Chinese Playful Taurus Activity in Iran (Unit 42)

Playful Taurus: a Chinese APT active against Iran. (CyberWire)

Russian hackers allegedly tried to disrupt a Ukrainian press briefing about cyberattacks (Axios)

Russia's Ukraine War Drives 62% Slump in Stolen Cards (Infosecurity Magazine)

Annual Payment Fraud Intelligence Report: 2022 (Recorded Future)

Phishing campaigns (one uses mobilization as phishbait). Credential-stuffing attack affects Norton LifeLock users. Trends in security. Azure SSRF issues fixed. Calls for a “digital UN.” Jan 17, 2023

A Phishing campaign impersonates DHL. Conscription and mobilization provide criminals with phishbait for Russian victims. Norton LifeLock advises customers that their accounts may have been compromised. Trends in data protection. Veracode's report on the state of software application security. Ben Yelin looks at NSO group’s attempt at state sovereignty. Ann Johnson from Afternoon Cyber Tea speaks with Microsoft’s Chris Young about the importance of the security ecosystem. And Ukraine calls for a "digital United Nations."

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/10

Selected reading.

Cloud 9: Top Cloud Penetration Testing Tools (Bishop Fox)

Our Top Favorite Fuzzer crowdsourcing pen testing tools (Bishop Fox)

DHL Phishing Attack. Simply Delivered. (ArmorBlox)

Credential phishing campaign impersonates DHL. (CyberWire)

Phishing scam invites Russian Telegram users to check ‘conscription lists’ to see if they’ll be drafted in February (Meduza)

NortonLifeLock warns that hackers breached Password Manager accounts (BleepingComputer)

Norton LifeLock says thousands of customer accounts breached (TechCrunch).

NortonLifeLock notifies thousands of users about compromised Password Manager accounts (Computing)

Data Protection Trends Report 2023 (Veeam)

Trends in data protection. (CyberWire)

How Orca Found Server-Side Request Forgery (SSRF) Vulnerabilities in Four Different Azure Services (Orca Security)

Orca describes four Azure vulnerabilities. (CyberWire)

State Of Software Security (Veracode)

A look at the state of software security. (CyberWire)

Ukraine calls for ‘Cyber United Nations’ amid Russian attacks (POLITICO)

Andy Greenberg Interview: Tracers in the Dark. [CSO Perspectives] Jan 16, 2023

Rick Howard, N2K’s CSO and the CyberWire’s Chief Analyst, and Senior Fellow, interviews Andy Greenberg, Senior Writer at WIRED, regarding his new book, “Tracers in the Dark.”

Gene Fay: Lead from the front. [CEO] [Career Notes] Jan 15, 2023

Gene Fay, CEO of ThreatX sits down to share his experience rising through the ranks to get to where he is today. He shares how even at a young age he wanted to work in an office and become a businessman, though at the time he did not understand what that entailed. After college he acquired a job that was revolutionizing video editing for post-production studios as well as TV stations, where he started to really learn about technology. Gene talks about leading from the front and how a good leader will always do so, even if he has to lead from two different fronts. He said "it's kind of the two fronts, sometimes you've gotta put on the leadership face, and believe it, that, that you can get, and we can get through any situation, cuz sometimes you're, your gut feelings are, might be wrong and, or it's a moment in time and if you can help the team grind through that situation, it does get better." We thank Gene for sharing his story with us.

DUCKTAIL waddles back again. [Research Saturday] Jan 14, 2023

Mohammad Kazem Hassan Nejad from WithSecure joins Dave to discuss the team’s research, “DUCKTAIL returns - Underneath the ruffled feathers.” DUCKTAIL is a financially motivated malware operation that targets individuals and businesses operating on the Facebook Ads and Business platform.

The research states “The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account.” WithSecure has found that after a short hiatus, DUCKTAIL has returned with slight changes in their mode of operation.

The research can be found here:

DUCKTAIL returns: Underneath the ruffled feathers

Updates on the hybrid war, and on the incidents at the Royal Mail, the FAA, and the Guardian. Royal ransomware exploits Citrix vulnerability. CISA’s annual report is out. Jan 13, 2023

GitHub disables NoName accounts. Russia dismisses reports of cyberespionage attempts against US National Laboratories. The Royal Mail cyber incident is now identified as ransomware attack. An update on the NOTAM issues that interfered with civil aviation. A Citrix vulnerability is exploited by ransomware group. CISA publishes its annual report. Bryan Vorndran of the FBI Cyber Division calibrates expectations with regard to the IC3. Our guest is Kayne McGladrey with insights on 2023 from the IEEE. And Positive Hack Days and the growing isolation of Russia's cyber sector.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/9

Selected reading.

Impact of Technology in 2023 and Beyond (IEEE)

Ukraine at D+323: Fighting in Soledar, and industrial mobilization. (CyberWire)

GitHub disables pro-Russian hacktivist DDoS pages (CyberScoop)

Russia criticises Reuters story on Russian hackers targeting U.S. nuclear scientists (Reuters)

Royal Mail cyber incident now identified as ransomware attack. (CyberWire)

Not a cyberattack, but an IT failure. (CyberWire)

The Guardian breach and news media as targets. (CyberWire)

Citrix vulnerability exploited by ransomware group. (CyberWire)

2022 Year In Review (CISA)

Russia’s largest hacking conference reflects isolated cyber ecosystem (Brookings)

Trojanized VPN installers circulate in Iran. A trip down the static expressway. Hacktivism-for-profit. IT incidents disrupt NOTAMs and Royal Mail. HR phishbait. Jan 12, 2023

Iranian VPN users are afflicted by Trojanized installation apps. Phishing on the static expressway. NoName057(16) hacktivist auxiliaries target NATO. Yesterday’s flight outage appears not to have been caused by a cyberattack. Royal Mail is disrupted by a "cyber incident." Carole Theriault thinks Meta needs to step up their game when blocking financial scams. Our guest is Mark Sasson from Pinpoint Search Group to discuss why cybersecurity may no longer be a candidate-driven market. And HR phishbait dangles raises, and some employees bite.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/8

Selected reading.

EyeSpy - Iranian Spyware Delivered in VPN Installers (Bitdefender Labs)

Phishing on the Static Expressway. (CyberWire)

NoName057(16) - The Pro-Russian Hacktivist Group Targeting NATO (SentinelOne)

Not a cyberattack, but an IT failure. (CyberWire)

FAA NOTAM Statement (FAA)

Canadian Pilot-Alert System Reports Outage Hours After U.S. Grounding Order (Wall Street Journal)

US air travel resumes but thousands of flights delayed after planes grounded - live updates (The Telegraph)

US Flights Latest: Departures Resume After FAA Lifts Ground Stop (Bloomberg)

Royal Mail suffers ‘severe service disruption’ after cyber incident (Glasgow Times)

Royal Mail issues major disruption warning after 'cyber incident' (Computing)

Parcels and letters stuck in limbo as Royal Mail is hit by a suspected hack (The Telegraph)

Cyber Incident Hits UK Postal Service, Halts Overseas Mail (SecurityWeek)

Notes on patches. Dark Pink industrial cyberespionage campaign in Asia. Kinsing cryptojacking. Hacktivist DDoS against Iran. Healthcare cyber risk management. Pokémon NFTs. Jan 11, 2023

Patch Tuesday. CISA releases two ICS Advisories and makes some additions to its Known Exploited Vulnerabilities Catalog. Dark Pink APT is active against Asian targets. Kinsing cryptojacking targets Kubernetes instances. Ukrainian hacktivists conduct DDoS against Iranian sites. Risk exposure and a hospital's experience with ransomware. The Health3PT initiative seeks to manage 3rd-party risk. Tim Starks from the Washington Post’s Cyber 202 on cyber rising to the level of war crime. Our guest is Connie Stack, CEO of Next DLP, on the path to leadership within cyber for women. And phishing with Pokémon NFTs.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/7

Selected reading.

The Daily 202 (Latest Cybersecurity 202)

Microsoft Releases January 2023 Security Updates (CISA) >

Adobe Releases Security Updates for Multiple Products (CISA)

Black Box KVM (CISA)

Delta Electronics InfraSuite Device Master (CISA)

Known Exploited Vulnerabilities Catalog (CISA)

Dark Pink (Group-IB)

New Dark Pink APT group targets govt and military with custom malware (BleepingComputer)

Kinsing cryptojacking. (CyberWire)

Ukraine at D+321: "Difficult in places." (CyberWire)

Iranian websites impacted by pro-Ukraine DDoS attacks (SC Media)

Ransomware attack against SickKids said to be unusual. (CyberWire)

Health3PT seeks a uniform approach to healthcare supply chain issues. (CyberWire)

Breaking the glass ceiling: My journey to close the leadership gap. (CyberWire, Creating Connections)

Pokémon NFTs used as malware vectors. (CyberWire)

Some trends in threats and defense. The possibility of cyber war crimes. RSAC innovation showcases are open for application. And common KEVs in the financial sector. Jan 10, 2023

A look back at ransomware in 2022. Lessons from Russia's war: crooks, hacktivists, and auxiliaries. Cyberattacks as war crimes. The state of SSE adoption. RSA Conference 2023 opens applications for the Launch Pad and the Innovation Sandbox. Joe Carrigan looks at online scams targeting military members. Our guest is Richard Caralli from Axio on the State of Ransomware Preparedness. And the most common known exploited vulnerabilities affecting the financial sector.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/6

Selected reading.

Ransomware trends: 2022. (CyberWire)

State of Ransomware Preparedness Research Study: 2022 (Axio)

Kyiv argues Russian cyberattacks could be war crimes (POLITICO)

Ukraine official says Russian cyberattacks on its energy network could equate to war crimes (Yahoo)

Ukraine war and geopolitics fuelling cybersecurity attacks - EU agency (EU Reporter)

Industry-first research from Axis Security finds 65% percent of organizations plan to adopt a Security Service Edge platform within next two years (Axis Security)

RSAC Launch Pad is Back! (RSA Conference 2023)

The Best in Innovation Programs Starts Here (RSA Conference 2023)

Top KEVs in the U.S. Financial Services Sector (LookingGlass)

Social engineering shenanigans, by both crooks and spies. Suing social media over alleged mental health damages. And how to earn an “F.” Jan 09, 2023

Telegram impersonation affects a cryptocurrency firm. Phishing with Facebook termination notices. Russian phishing continues to target Moldova. The IEEE on the impact of technology in 2023. Glass ceilings in tech leadership. Seattle Schools sue social media platforms. Malek Ben Salem from Accenture explains coding models. Our guest is Julie Smith, identity security leader and executive director at IDSA, with insights on identity and security strategies. And dealing with the implications of ChatGPT.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/5

Selected reading.

Impact of Technology in 2023 and Beyond (IEEE)

Telegram insider server access offered to Dark Web customers (SafetyDetectives)

Moldovaʼs government hit by flood of phishing attacks (The Record from Recorded Future News)

OPWNAI : Cybercriminals Starting to Use ChatGPT (Check Point Research)

Hackers exploiting ChatGPT to write malicious codes to steal your data (Business Standard)

Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots (Forbes)

Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware (HackRead)

Cybercriminals are already using ChatGPT to own you (SC Media)

Threat Report: Impersonation Detected in Telegram Chats to Deliver Malware (Safeguard Cyber)

Seattle schools sue tech giants over social media harm (ABC News)

Seattle Public Schools sues TikTok, YouTube, Instagram and others, seeking compensation for youth mental health crisis (GeekWire)

Ghost Writer: Microsoft Looks to Add OpenAI’s Chatbot Technology to Word, Email (The Information)

Microsoft plans to use ChatGPT in Bing. Here's why it could be a threat to Google. (Freethink)

ChatGPT Hits Ethical Roadblock; Blocked (Analytics India Magazine)

A College Kid Built an App That Sniffs Out Text Penned by AI (The Daily Beast)

A Princeton student built an app which can detect if ChatGPT wrote an essay to combat AI-based plagiarism (Business Insider)

Teresa Rothaar: Outwork the competition. [Analyst] [Career Notes] Jan 08, 2023

Teresa Rothaar, a governance, risk, and compliance (GRC) analyst at Keeper Security sits down to share her story, from performer to cyber. She fell in love with writing as a young girl, she experimented with writing fanfiction which made her want to grow up to be in the arts. After attending college she found that she was good at math, lighting the way for her to start her cyber career. Teresa moved to being a writer at Keeper, finding she wanted to spread out and try more, so she ended up becoming an analyst while still doing writing on the side. She quotes David Duchovny in an interview once, explaining how sometimes you need to keep your head down and outwork others. Teresa said this resonated with her, saying, "that's how I went from a foreclosure box on the porch to where I am now. I have a good job and, and I have a career and I have a really good career and I absolutely love it." We thank Teresa for sharing her story.

Stealer malware from Russia. [Research Saturday] Jan 07, 2023

Marisa Atkinson, an analyst from Flashpoint, joins Dave to discuss a new blog post from Flashpoint’s research team about “RisePro” Stealer, malware from Russia, and Pay-Per-Install Malware “PrivateLoader.” “RisePro” is written in C++ and appears to possess similar functionality to the stealer malware “Vidar.” It's also a newly identified stealer, that began appearing as a stealer source for log credentials on the illicit log shop Russian Market on December 13, 2022.

The research states, "Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year." Analysts identified several sets of logs uploaded to the illicit underground Russian Market, which listed their source as “RisePro.”

The research can be found here:

“RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”

CISA releases three ICS Advisories. Squealing cars. Rotate your secrets. Russian cyberespionage updates. Jan 06, 2023

Security vulnerabilities in automobiles. CircleCI customers should "rotate their secrets." CISA Director Easterly notes Russian failures, but warns that shields should stay up. Attempted cyberespionage against US National Laboratories. Turla effectively recycles some commodity malware infrastructure. Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire Space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space-cyber. And the Guardian continues to recover from last month's ransomware attack.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/4

Selected reading.

Hitachi Energy UNEM (CISA)

Hitachi Energy FOXMAN-UN (CISA)

Hitachi Energy Lumada Asset Performance Management (CISA)

Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)

Toyota, Mercedes, BMW API flaws exposed owners’ personal info (BleepingComputer)

16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure (SecurityWeek)

Ferrari, BMW, Rolls Royce, Porsche and more fix vulnerabilities giving car takeover capabilities (The Record by Recorded Future)

CircleCI security alert: Rotate any secrets stored in CircleCI (CircleCI).

CircleCI warns of security breach — rotate your secrets! (BleepingComputer)

CircleCI Urges Customers to Rotate Secrets Following Security Incident (The Hacker News)

CISA director: US needs to be vigilant, ‘keep our shields up’ against Russia (The Hill)

Exclusive-Russian Hackers Targeted U.S. Nuclear Scientists (Reuters via US News)

Notorious Russian Spies Piggybacked on Other Hackers' USB Infections (WIRED)

Turla: A Galaxy of Opportunity | Mandiant (Mandiant)

Fallout from Guardian cyber attack to last at least a month (ComputerWeekly)

State of Ransomware Preparedness (Axio)

PurpleUrchin’s freejacking. Bluebottle versus the banks. A supply-chain attack on a machine-learning framework. The ransomware leaderboard. And cyber ops in a hybrid war. Jan 05, 2023

The PurpleUrchin freejacking campaign. Bluebottle activity against banks in Francophone Africa. The PyTorch framework sustains a supply-chain attack. 2022's ransomware leaderboard. Cellphone traffic as a source of combat information. FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm. Our guest Jerry Caponera from ThreatConnect wonders if we need more "Carrots" Than "Sticks" In Cybersecurity Regulation. And two incommensurable views of information security.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/3

Selected reading.

An analysis of the PurpleUrchin campaign. (CyberWire)

PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources (Unit 42)

Bluebottle observed in the wild. (CyberWire)

Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa (Symantec)

PyTorch incident disclosed, assessed. (CyberWire)

PyTorch dependency poisoned with malicious code (Register)

Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022. (PyTorch)

Most active, impactful ransomware groups of 2022. (CyberWire)

2022 Year in Review: Ransomware (Trustwave)

Russia says phone use allowed Ukraine to target its troops (AP NEWS)

For Russian Troops, Cellphone Use Is a Persistent, Lethal Danger (New York Times)

Kremlin blames own soldiers for Himars barracks strike as official death toll rises (The Telegraph)

No Water’s Edge: Russia’s Information War and Regime Security (Carnegie Endowment for International Peace)

Terms of service and GDPR. LastPass breach update. GhostWriter resurfaces in action against Poland and its neighbors. Cellphones, opsec, and rocket strikes. Jan 04, 2023

Ad practices draw a large EU fine (and may set precedents for online advertising). Updates on the LastPass breach, and on Russian cyber activity against Poland. Malek Ben Salem from Accenture explains smart deepfakes. Our guest is Leslie Wiggins, Program Director for Data Security at IBM Security on the role of the security specialist. And cellphones, opsec, and the Makiivka strike.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/2

Selected reading.

Meta’s Ad Practices Ruled Illegal Under E.U. Law (New York Times)

Meta Fined More Than $400 Million in EU for Serving Ads Based on Online Activity (Wall Street Journal)

Meta's New Year kicks off with $410M+ in fresh EU privacy fines (TechCrunch)

LastPass data breach: notes and actions to take. (CyberWire)

Poland warns of attacks by Russia-linked Ghostwriter hacking group (BleepingComputer)

Russia says phone use allowed Ukraine to target its troops (AP NEWS)

Russian soldier gave away his position with geotagged social media posts (Task & Purpose)

Russian commanders blamed for heavy losses in New Year’s Day strike (Washington Post)

DPRK cyber ops. Poland warns of Russian cyber activity. Twitter’s data incident. A crypto trading exchange is rifled. Ransomware shuts down the Port of Lisbon. Small business opportunities. Jan 03, 2023

Recent DPRK cyber operations: spying and theft. Twitter’s data incident. 3Commas breached. Poland warns of increased Russian offensive cyber activity. Port of Lisbon hit by ransomware. DHS announces SBIR topics. New additions to the Known Exploited Vulnerabilities Catalog. Ben Yelin on the legal conundrum of AI generated code. Our guest is Tanya Janca from She Hacks Purple with insights on API security. And, news flash! LockBit says they have a conscience. (Yeah, right.)

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/12/1

Selected reading.

Recent DPRK cyber operations: spying and theft. (CyberWire)

Twitter targeted in extortion hack. (CyberWire)

3Commas' API compromised. (CyberWire)

Russian cyberattacks (Special Services)

LockBit activity over the holidays. (CyberWire)

CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA)

DHS Small Business Innovation Research (SBIR) Program FY23 Solicitation (SAM.gov)

The SBIR and STTR Programs. (SBIR/STTR)

Software supply chain management: Lessons learned from SolarWinds. [CyberWire-X] Jan 03, 2023

Between the emergence of sophisticated nation-state actors, the rise of ransomware-as-a-service, the increasing attack surface remote work presents, and much more, organizations today contend with more complex risk than ever. A “Secure-by-Design” approach can secure software environments, development processes and products. That approach includes increasing training for employees, adopting zero trust, leveraging Red Teams, and creating a unique triple-build software development process. SolarWinds calls its version of this process the "Next-Generation Build System," and offers it as a model for secure software development that will make supply chain attacks more difficult.

On this episode of CyberWire-X, host Rick Howard, N2K’s CSO, and CyberWire’s Chief Analyst and Senior Fellow, discusses software supply chain lessons learned from the SolarWinds attack of 2020 with Hash Table members Rick Doten, the CISO for Healthcare Enterprises and Centene, Steve Winterfeld, Akamai's Advisory CISO, and Dawn Cappelli, Director of OT-CERT at Dragos, and in the second half of the show, Rick speaks with our episode sponsor, SolarWinds, CISO Tim Brown.

Women in Cybersecurity panel: A discussion on hidden figures of cyber skills gap. [Special Edition] Jan 02, 2023

On Thursday October 20, 2022, the CyberWire was pleased to host the annual Women in Cybersecurity Reception at the International Spy Museum in Washington, DC. This annual event brought together almost 300 people to highlight and celebrate the value and successes of women in the cybersecurity industry. The reception included an industry-led panel discussion called “The Hidden Impact of Cybersecurity’s Talent Gap on the Cyber-Enabled Community,” discussing cyber-enabled professionals who aren’t usually included in conversations around the cybersecurity skills gap. The panel, moderated by Simone Petrella of CyberVista, included perspectives from experts including Davida Gray of MindPoint Group, Jennifer Walsmith of Northrop Grumman, Kyla Guru of Bits N’ Bytes, and Amy Mushahwar from Alston & Bird.

Encore: LemonDucks evading detection. Dec 31, 2022

Scott Fanning from CrowdStrike's research team, joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and the research suggests attackers are attracted to the monetary gain from the recent boom in cryptocurrency.

LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation by the use of proxy pools. Scott shares how its unknown which organizations have been targeted and just how much cryptocurrency has been stolen.

The research can be found here:

LemonDuck Targets Docker for Cryptomining Operations

Interview Select: Nick Schneider of Arctic Wolf discusses why he believes 2023 will see a resurgence of ransomware and why the decline of crypto will not deter future ransomware actors. Dec 30, 2022

SHOW NOTES

This interview from October 28th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware and why the decline of crypto will not deter future ransomware actors.

Sisters, grifters, and shifters. [Hacking Humans Goes to the Movies] Dec 29, 2022

Thanks for joining us again for another episode of fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds.

On this episode, Dave and Rick are joined by guest contributor Amanda Fennell. You can find Amanda on Twitter at @Chi_from_afar.

Links to this episode's clips if you'd like to watch along:

Dave's clip from the movie Zombieland
Rick's clip from the movie Traveller
Amanda's clip from the movie The Girl with the Dragon Tattoo

Interview Select: Diana Kelley, CSO & Co-founder of Cybrize to discuss the need for innovation and entrepreneurship in cybersecurity. Dec 28, 2022

This interview from September 16th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Diana Kelley, CSO & Co-founder of Cybrize to discuss the need for innovation and entrepreneurship in cybersecurity.

Interview Select: MK Palmore from Google Cloud talks about why collective cybersecurity ultimately depends on having a diverse, skilled workforce. Dec 27, 2022

This interview from September 30th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with MK Palmore from Google Cloud to talk about why collective cybersecurity ultimately depends on having a diverse, skilled workforce.

Research Briefing: Spearphishing against Japanese political entities. Trojanized Windows 10 installers target Ukraine. XLL files abused to deliver malware. Dec 26, 2022

Spearphishing against Japanese political entities. Trojanized Windows 10 installers target Ukraine. XLL files abused to deliver malware.

The CyberWire: The 12 Days of Malware.[Special Editions] Dec 25, 2022

Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect!

The 12 Days of Malware lyrics

On the first day of Christmas, my malware gave to me:

A keylogger logging my keys.

On the second day of Christmas, my malware gave to me:

2 Trojan Apps...

And a keylogger logging my keys.

On the third day of Christmas, my malware gave to me:

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the fourth day of Christmas, my malware gave to me:

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the fifth day of Christmas, my malware gave to me:

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the sixth day of Christmas, my malware gave to me:

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the seventh day of Christmas, my malware gave to me:

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the eighth day of Christmas, my malware gave to me:

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the ninth day of Christmas, my malware gave to me:

9 Rootkits rooting...

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the tenth day of Christmas, my malware gave to me:

10 Darknet markets...

9 Rootkits rooting...

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days! (Bah-dum-dum-dum!)

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the eleventh day of Christmas, my malware gave to me:

11 Phishers phishing...

10 Darknet markets...

9 Rootkits rooting...

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days! (Bah-dum-dum-dum!)

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the twelfth day of Christmas, my malware gave to me:

12 Hackers hacking...

11 Phishers phishing...

10 Darknet markets...

9 Rootkits rooting...

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

Encore: Vulnerabilities in IoT devices. Dec 24, 2022

Dr. May Wang, CTO of IoT Security at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data.

Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work.

The research can be found here:

Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization

PolyVice and Royal ransomware make nuisances of themselves. US warns that KillNet can be expected to go after the healthcare sector. CISA’s plans for stakeholder engagement. Dec 23, 2022

The Vice Society may be upping its marketing game. Royal ransomware may have a connection to Conti. Royal delivers ransom note by hacked printer. KillNet goes after healthcare. CISA's Stakeholder Engagement Strategic Plan. Adam Meyers from CrowdStrike looks at cyber espionage. Giulia Porter from RoboKiller does not want to talk to you about your car’s extended warranty. And holiday wishes to all.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/245

Selected reading.

Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development (SentinelOne)

Vice Society ransomware gang switches to new custom encryptor (BleepingComputer)

Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks (Trend Micro)

Researchers Link Royal Ransomware to Conti Group (SecurityWeek)

Major Australian university dealing with suspected cybersecurity attack (7NEWS)

Printers at Queensland's second-largest university spit out ransomware messages after cyber attack (ABC)

Pro-Russian Hacktivist Group ‘KillNet’ Threat to HPH Sector (HC3)

HHS alert warns KillNet hacktivist group targeted US healthcare entity (SC Media)

HC3 Analyst Note TLP Clear Pro-Russian Hacktivist Group Killnet Threat to HPH Sector December 22, 2022 | AHA (American Hospital Association)

Strategic Plan for Stakeholder Engagement (CISA)

Online fraud, some targeting shoppers and investors, others going after e-commerce retailers. Updates on the cyber phases of Russia’s hybrid war. Dec 22, 2022

The FBI warns of malicious advertising. A new gang makes an unwelcome appearance in the holiday season. Ukraine will receive more Starlink terminals after all. Cyber phases of the hybrid war: a view from Kyiv–the bears and their adjuncts are opportunistic agents of chaos. Caleb Barlow thinks boards of directors need to up their cyber security game. Our guest is AJ Nash from ZeroFox with a look at legislative restrictions on TikTok. And reports say that US National Cyber Director Chris Inglis is preparing to retire. We wish him the best of luck.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/244

Selected reading.

Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users (FBI)

A sophisticated fraud ring is waging war on commerce, using rapidly changing tactics (Signifyd)

Ukraine to Get Thousands More Starlink Antennas, Minister Says (Bloomberg)

Ukraine’s Cyber Units Aim to Retain Staff, Keep Services Stable as War Enters Year Two (Wall Street Journal)

Top Biden cybersecurity adviser to step down (CNN)

Chris Inglis to resign as national cyber director (CyberScoop).

First-ever national cyber director Chris Inglis set to retire in coming months: sources (Axios).

White House cyber adviser to resign (The Hill)

Chris Inglis, Biden's top cyber adviser, plans to leave government in coming months (POLITICO).

White House Cyber Director Chris Inglis to Step Down (Bank Info Security)

Developing a banking Trojan into a newer, more effective form. Cyberattacks on media outlets. Abuse of AWS Elastic IP transfer. Notes on the hybrid war. And cybercrooks are inspired by Breaking Bad. Dec 21, 2022

The Godfather banking Trojan has deep roots in older code. FuboTV was disrupted around its World Cup coverage. The Guardian has been hit with an apparent ransomware attack. A threat actor abuses AWS Elastic IP transfer. Moldova may be receiving more Russian attention in cyberspace. CISA releases six industrial control system advisories. Ben Yelin looks at legislation addressing health care security. Our guest is Hugh Njemanze of Anomali with advice on preparing for the holiday break. And criminals are impersonating other criminals' underworld souks.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/243

Selected reading.

Godfather: A banking Trojan that is impossible to refuse (Group-IB)

FuboTV outage during World Cup semifinal was caused by cyberattack (Record)

Guardian hit by serious IT incident believed to be ransomware attack (the Guardian)

Elastic IP Hijacking — A New Attack Vector in AWS (Mitiga)

Telegram Hack Exposes Growing Russian Cyber Threat in Moldova (Balkan Insight)

Fuji Electric Tellus Lite V-Simulator (CISA)

Rockwell Automation GuardLogix and ControlLogix controllers (CISA)

ARC Informatique PcVue (CISA)

Rockwell Automation MicroLogix 1100 and 1400 (CISA)

Delta 4G Router DX-3021 (CISA)

Prosys OPC UA Simulation Server (CISA)

The scammers who scam scammers on cybercrime forums: Part 3 (Sophos News)

Warnings on SentinelSneak. The rise of malicious XLLs. Updates from Russia’s hybrid war. An unusually loathsome campaign targets children. Dec 20, 2022

SentinelSneak is out in the wild. XLLs for malware delivery. CERT-UA warns of attacks against the DELTA situational awareness system. FSB cyber operations against Ukraine. Trends in the cyber phases of Russia's hybrid war. Mr. Security Answer Person John Pescatore offers his sage wisdom. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Dr. Chenxi Wang from Rain Capital. And an unusually unpleasant sextortion campaign.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/242

Selected reading.

SentinelSneak is not a legitimate SDK. (CyberWire)

SentinelSneak: Malicious PyPI module poses as security software development kit (ReversingLabs)

Malicious Python Trojan Impersonates SentinelOne Security Client (Dark Reading)

Malicious ‘SentinelOne’ PyPI package steals data from developers (BleepingComputer)

Cisco research on XLL Abuse. (CyberWire)

Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins (Cisco Talos Blog)

Ukraine at D+299: Cyber operations 300 days into the war. (CyberWire)

Cyber Dimensions of the Armed Conflict in Ukraine (CyberPeace Institute)

Ukraine's DELTA military system users targeted by info-stealing malware (BleepingComputer)

Ukraine's Delta Military Intel System Hit by Attacks (Infosecurity Magazine)

Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (Unit 42)

FBI and Partners Issue National Public Safety Alert on Financial Sextortion Schemes | Federal Bureau of Investigation (Federal Bureau of Investigation)

HSI, federal partners issue national public safety alert on sextortion schemes (US Immigration and Customs Enforcement)

BEC gets into bulk food theft. BlackCat ransomware update. Epic Games’ settlement with FTC. InfraGard data taken down. More on the hybrid war. And Twitter asks for the voice of the people. Dec 19, 2022

BEC takes aim at physical goods (including food). BlackCat ransomware activity increases. Epic Games settles an FTC regulatory case. The InfraGard database was pulled from a dark web auction site. CISA releases forty-one ICS advisories. Rick Howard interviews author Andy Greenberg. Rob Boyce from Accenture examines holiday cyber threats. The growing value of open source intelligence. Twitter says vox populi, vox dei.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/241

Selected reading.

FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food (CISA)

Colombian energy supplier EPM hit by BlackCat ransomware attack (BleepingComputer)

Events D.C. data published online in apparent ransomware attack (Washington Post)

Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Federal Trade Commission)

Hacker Halts Sale of FBI's High-Profile InfraGard Database (HackRead)

CISA Releases Forty-One Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)

Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications (Carnegie Endowment for International Peace)

How open-source intelligence has shaped the Russia-Ukraine war (GOV.UK)

Front-line video makes Ukrainian combat some of history’s most watched (Washington Post)

Elon Musk Polls Twitter Users, Asking Whether He Should Step Down (Wall Street Journal)

Musk asks: Should I stay as CEO? (Computing)

Elon Musk’s Twitter Poll Shows Users Want Him to Step Down (Wall Street Journal)

Elon Musk’s Twitter poll: 10 million say he should step down (the Guardian)

Don Pezet: Stepping stones are the start of your career. [CTO] [Career Notes] Dec 18, 2022

Don Pezet, CTO of ACI Learning, sits down to share his over 25 years of experience in the industry. Don previously spent time as a field engineer in the financial and insurance industries supporting networks around the world. He co-founded ITProTV in 2012 to help create the IT training that he wished he had when he got started in his IT career. He also shares insights for anyone else wishing to pursue IT, no matter their age or past experience. Don explains how important stepping stones are as you get into this field, stating "know that that first job you get is probably not going to be the job you want to have your whole life, but it's a stepping stone that leads to where you want to get." Don started teaching on the side as well as working in the IT field and explains how much his teaching skills come in handy to help him with his leadership skills, which in turn helps him to be a better CTO, helping his customers. We thank Don for sharing his story.

Strategies to get the most out of your toolsets. [CyberWire-X] Dec 18, 2022

With a recession looming, many business leaders are looking for ways to cut spending wherever possible. And while tool bloat affects many security teams, it can be a challenging problem to tackle for a couple of reasons. First, there’s the fear that security will be lost if a tool is removed. Second, there’s the daunting task of unraveling complex systems. And finally, there’s the perennial talent shortage. Like all challenges in security, they’re made even worse by the fact that there’s not enough people able to tackle them.

During this CyberWire-X episode, host Rick Howard, the CyberWire’s CISO, Chief Analyst and Senior Fellow, speaks with Hash Table member Ted Wagner, the CSO of SAP National Security Services, and host Dave Bittner speaks with sponsor ExtraHop Senior Technical Marketing Manager Jamie Moles. They discuss solutions to help business and security leaders to not just address these challenges, but to get more out of their tooling as they do. They discuss strategies for how to determine which tools you actually need and which you can get rid of, as well as the step-change benefits that can be realized when you consolidate, automate, and integrate your security solutions.

Hijacking holiday spirit with phishing scams. [Research Saturday] Dec 17, 2022

Or Katz from Akamai sits down with Dave to discuss research on highly sophisticated phishing scams and how they are abusing holiday sentiment. This particular threat, most recently has focused on Halloween deals, enticing victims with the chance to win a free prize, including from Dick’s Sporting Goods or Tumi Backpacks. It then requests credit card details to cover the cost of shipment.

From mid-September to the end of October 2022, Akamai's research were able uncover and track this threat. This kit mimics well known retail stores in hopes to hijack credit card information, feeding off of people's holiday spirit.

The research can be found here:

Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment

Malicious apps do more than extort predatory loans. A Facebook account recovery scam. Notes from the hybrid war. Goodbye SHA-1, hello Leviathans. Dec 16, 2022

A predatory loan app is discovered embedded in mobile apps. Facebook phishing. GPS disruptions are reported in Russian cities. NSA warns against dismissing Russian offensive cyber capabilities. Farewell, SHA-1. Kevin Magee from Microsoft looks at cyber signals. Our guest is Jason Witty of USAA to discuss the growing risk from quantum computing. And welcome to the world, Leviathans.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/240

Selected reading.

Zimperium teams discover new malware in Flutter developed apps (SecurityBrief Asia)

Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain (Trustwave)

GPS Signals Are Being Disrupted in Russian Cities (WIRED)

NSA cyber director warns of Russian digital assaults on global energy sector (CyberScoop)

Russia's cyber war machine in Ukraine hasn't lived up to Western hype. Report analyses why (ThePrint)

NIST Retires SHA-1 Cryptographic Algorithm (NIST)

Historic activation of the U.S. Army’s 11th Cyber Battalion (DVIDS)

Updates on the cyber phases of a hybrid war. Alleged booters busted. Progress report from the US anti-ransomware task force. Suspicion in AIIMS hack turns toward China. Dec 15, 2022

Trojanized Windows 10 installers are deployed against Ukraine. Alleged booters have been collared, and their sites disabled. A progress report on US anti-ransomware efforts. Suspicion in a cyberattack against India turns toward China. Bryan Vorndran from the FBI’s Cyber Division talks about deep fakes. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance (NCA) on the launch of their Historically Black Colleges and Universities Career Program. And hybrid war and fissures in the underworld.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/239

Selected reading.

Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government (Mandiant)

Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services (US Department of Justice)

Global crackdown against DDoS services shuts down most popular platforms | Europol (Europol)

Readout of Second Joint Ransomware Task Force Meeting (Cybersecurity and Infrastructure Security Agency)

US finds its ‘center of gravity’ in the fight against ransomware (The Record by Recorded Future)

AIIMS cyber attack may have originated in China, Hong Kong (The Times of India)

AIIMS Delhi Servers Were Hacked By Chinese, Damage Contained: Sources (NDTV.com)

Russia-Ukraine war reaches dark side of the internet (Al Jazeera)

InfraGard data for sale. Cyberespionage warnings. Data sharing practices. Malicious drivers with legitimate signatures. Patch Tuesday. Task Force KleptoCapture indicts five Russian nationals. Dec 14, 2022

The FBI’s InfraGard user data shows up for sale. An update on Iranian cyber operations. NSA warns of Chinese cyber threats. Challenges in sharing data for threat detection and prevention. Legitimately signed drivers are used in targeted attacks. Patch Tuesday addressed a lot of actively exploited issues. Tim Starks from the Washington Post Cybersecurity 202 shares his reporting on ICS vulnerabilities. Our guest is Mike Fey from Island with an introduction to the enterprise browser space. And the US indicts five Russian nationals on sanctions-evasion charges.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/238

Selected reading.

FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked (KrebsOnSecurity)

Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations (Proofpoint)

APT5: Citrix ADC Threat Hunting Guidance (NSA)

U.S. agency warns that hackers are going after Citrix networking gear (Reuters)

NSA Outs Chinese Hackers Exploiting Citrix Zero-Day (SecurityWeek)

Effect of data on Federal agencies' policies. (CyberWire)

I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware (Mandiant)

Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers (SentinelOne)

SAP Security Patch Day December 2022 (Onapsis)

December 2022 Security Updates (Microsoft Security Response Center)

December Patch Tuesday Updates | 2022 - Syxsense Inc (Syxsense Inc)

Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws (BleepingComputer)

Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update (Dark Reading)

Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698) (Help Net Security)

Microsoft Releases December 2022 Security Updates (CISA)

Apple security updates (Apple Support)

We finally know why Apple pushed out that emergency 16.1.2 update (Macworld)

Why You Should Enable Apple’s New Security Feature in iOS 16.2 Right Now (Wirecutter)

Apple Releases Security Updates for Multiple Products (CISA)

Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 (Citrix)

State-sponsored attackers actively exploiting RCE in Citrix devices, patch ASAP! (CVE-2022-27518) (Help Net Security)

Citrix Releases Security Updates for Citrix ADC, Citrix Gateway (CISA)

VMware Patches VM Escape Flaw Exploited at Geekpwn Event (SecurityWeek)

Experts detailed a previously undetected VMware ESXi backdoor (Security Affairs)

VMware Releases Security Updates for Multiple products (CISA)

Mozilla Releases Security Updates for Thunderbird and Firefox (CISA)

Adobe Patches 38 Flaws in Enterprise Software Products (SecurityWeek)

CISA Releases Three Industrial Control Systems Advisories (CISA)

Five Russian Nationals, Including Suspected FSB Officer, and Two U.S. Nationals Charged with Helping the Russian Military and Intelligence Agencies Evade Sanctions (US Department of Justice)

Russian Military and Intelligence Agencies Procurement Network Indicted in Brooklyn Federal Court (US Department of Justice)

Uber’s breach. Phishing in Ukraine’s in-boxes. What’s Russia been up to anyway? (Not the same thing, probably, NATO would be up to.) And the ransomware leader board. Dec 13, 2022

Uber sustains a third-party breach. A phishing campaign hits Ukrainian in-boxes. The enduring riddle of why Russian offensive cyber operations have failed in Ukraine. Joe Carrigan on credit card skimming. Carole Theriault describes a UK food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. And 2023’s ransomware-as-a-service leader board.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/237

Selected reading.

Uber suffers new data breach after attack on vendor, info leaked online (BleepingComputer)

Uber has been hacked yet again with code and employee data released online (SiliconANGLE)

Uber hit by new data breach — what you need to know (Tom's Guide)

Uber’s data breach. (CyberWire)

Ukrainian railway, state agencies allegedly targeted by DolphinCape malware (The Record by Recorded Future)

Cyber Operations in Ukraine: Russia’s Unmet Expectations (Carnegie Endowment for International Peace)

The most prolific ransomware groups of 2022 (Searchlight Security)

Ransomware updates: TrueBot, Cl0p, and Royal. Iranian cyberattacks. An update on the cyberattack against the Met. Notes on the hybrid war, with a focus on allies and outside actors. Dec 12, 2022

TrueBot found in Cl0p ransomware attacks. Royal ransomware targets the healthcare sector. Recent Iranian cyber activity. A night at the opera: an update on the cyberattack against the Metropolitan Opera. New Cloud Atlas activity reported. Europe looks to the cybersecurity of its power grid. Rob Boyce from Accenture describes Dark web actors diversifying their toolsets. Rick Howard explains fractional CISOs. And international support for Ukrainian cyber defense continues, more extensively and increasingly overt.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/236

Selected reading.

Breaking the silence - Recent Truebot activity (Cisco Talos Blog)

New TrueBot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm (The Hacker News)

TrueBot infections were observed in Clop ransomware attacks (Security Affairs)

Clop ransomware uses TrueBot malware for access to networks (BleepingComputer)

Royal Ransomware (US Department of Health and Human Services)

US Dept of Health warns of ‘increased’ Royal ransomware attacks on hospitals (The Record by Recorded Future)

Iran-Backed MuddyWater's Latest Campaign Abuses Syncro Admin Tool (Dark Reading)

MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics (The Hacker News)

New MuddyWater Campaign Uses Legitimate Remote Administration Tools to Deploy Malware (Cyber Security News)

Shows will go on at Met Opera despite cyber-attack that crashed network (ABC7 New York)

Cyberattack disrupts Metropolitan Opera (SC Media)

Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine (Check Point Research)

APT Cloud Atlas: Unbroken Threat (Positive Technologies)

European Electricity Sector Lacks Cyber Experts as Ukraine War Raises Hacking Risks (Wall Street Journal)

How the US has helped counter destructive Russian cyberattacks amid Ukraine war (The Hill)

The Australian company training Ukrainian veterans in cybersecurity (Australian Financial Review)

How Proton intends to thwart Russian cybercensorship with its VPN (HiTech Wiki)

Cyber Lessons Learned from the War in Ukraine (YouTube)

War in Ukraine Dominated Cybersecurity in 2022 (CNET)

Commercial threat intelligence proves invaluable for the public sector. [CyberWire-X] Dec 11, 2022

Historically, the U.S. government has relied almost solely on its own intelligence analysis to inform strategic decisions. This has been especially true surrounding geopolitical events and nation-level cybersecurity situations.

However, the explosion of assets being connected to the internet, along with the fact that most critical infrastructure is owned by private sector organizations, means that commercially developed cyber threat intelligence is being generated at a faster pace than ever before.

In the Russia/Ukraine conflict, we saw how commercially generated satellite intelligence played a critical role in alerting the public and ensuring our allies were ready for an invasion. At LookingGlass, we believe commercial threat intelligence can provide similar anticipatory insight – and that it can be shared more easily and quickly than intelligence generated solely by the U.S. government.

Ultimately, the public and private sectors need to work together to protect the interests of the American people. Currently, both private industry and academia are targeted by foreign adversaries, just as are government agencies. This means that commercial entities also have access to adversary tactics, techniques, and procedures (TTPs) and indicators of compromise, and they have that access from a different perspective, which is valuable intelligence for the government.

On this episode of CyberWire-X, host Rick Howard, the CyberWire’s CISO, Chief Analyst and Senior Fellow, speaks with Hash Table member Wayne Moore, CISO at Simply Business, and host Dave Bittner speaks with Bryan Ware, CEO at episode sponsor LookingGlass Cyber Solutions. They’ll discuss why the U.S. government needs commercial cyber threat intelligence now more than ever before and how both the public and private sectors will benefit from closer, trusted cyber partnerships.

Jameeka Aaron: Sometimes you just have to follow two paths. [CISO] [Career Notes] Dec 11, 2022

Jameeka Aaron, Chief Information Security Officer at Auth0, a product unit of Okta, sits down to share her story following two different paths that led her to where she is today. Jameeka has 20 years of IT and cybersecurity experience and has mitigated security risks at Nike, the U.S. Navy, and now Auth0. She joined the Navy not knowing what she wanted to do after high school and ended up becoming a Radioman, which is now titled IT. She shares her experiences of challenges she faced being the youngest, and the only woman, and the only woman of color in her group. She followed two different paths, getting an education as well as being in the Navy, and started her career at Lockheed Martin Mission Systems in San Diego. She eventually found her way to Auth0 in 2018. She says "I realized cybersecurity folks can do anything, everywhere. We're everywhere, we're in every industry and so I started to kind of say, I wanna work on programs that are fun for me." We thank Jameeka for sharing her story.

Cybersecurity during the World Cup. [Research Saturday] Dec 10, 2022

AJ Nash from ZeroFox sits down with Dave to discuss Cybersecurity threats including social engineering attacks planned surrounding the Qatar 2022 World Cup. The research shares some of the key threats we might see while the World Cup is happening this year.

Researchers say "During the World Cup, there will likely be threat actors aiming to acquire personal information or monetary value through phishing and scams." In the research we can find how the venue host is preparing for these claims of attacks.

The research can be found here:

Qatar 2022 World Cup Event Assessment

Cobalt Mirage deploys Drokbk malware. Zombinder in the C2C market. Impersonation scams. CISA releases three new ICS advisories. And criminals prey on other criminals. Dec 09, 2022

Cobalt Mirage deploys Drokbk malware. Zombinder in the C2C market. Impersonation scams: that's not Ukraine’s Ministry of Digital Transformation. On the cyber front, nothing new. CISA releases three new ICS advisories. Caleb Barlow on attack surface management. Mike Hamilton from Critical Insight explains how state and local governments apply for the $1 billion allocated by the feds for cybersecurity funding. And criminals prey on other criminals.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/235

Selected reading.

Drokbk Malware Uses GitHub as Dead Drop Resolver (Secureworks)

Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers (ThreatFabric)

Crypto Winter: Fraudsters Impersonate Ukraine’s Government to Steal NFTs and Cryptocurrency (DomainTools)

Danish defence ministry says its websites hit by cyberattack (Reuters)

Kela website hit by DoS attack (Yle)

Advantech iView (CISA)

AVEVA InTouch Access Anywhere (CISA)

Rockwell Automation Logix controllers (CISA)

The scammers who scam scammers on cybercrime forums: Part 1 (Sophos News)

Cyber-criminals Scammed Each Other Out of Millions in 2022 (Infosecurity Magazine)

The IT Army of Ukraine claims VTB DDoS. DPRK exploits Internet Explorer vulnerability. New variant of Babuk ransomware reported. Blind spots in air-gapped networks. And, dog and cat hacking. Dec 08, 2022

The IT Army of Ukraine claims responsibility for DDoS against a Russian bank. North Korea exploits an Internet Explorer vulnerability. A new variant of Babuk ransomware has been reported. Blind spots in air-gapped networks. Rob Boyce from Accenture has insights on the most recent ransomware trends. Our guest is Nathan Howe from Zscaler with the latest on Zero Trust. And the hacking of cats and dogs.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/234

Selected reading.

IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack (HackRead)

Internet Explorer 0-day exploited by North Korean actor APT37 (Google)

Morphisec Discovers Brand New Babuk Ransomware Variant in Major Attack (PRWeb)

Bypassing air-gapped networks via DNS (Pentera)

What to Know About an Unlikely Vector for Cyber Threats: Household Pets (Insurance Journal)

Ransomware, third-party risk, cyberespionage, social engineering, and a software supply-chain threat.. Dec 07, 2022

Rackspace reacts to ransomware. Third-party incidents in New Zealand and the Netherlands. Russian intelligence goes phishing. Mustang Panda uses Russia's war as phishbait. A Malicious package is found in PyPi. Kevin Magee from Microsoft Canada shares thoughts on cybersecurity startups in an economic downturn. Our guest is IDology's Christina Luttrell to discuss how consumers feel about digital identity, fraud, security and data privacy. And a French-speaking investment scam.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/233

Selected reading.

Rackspace Technology Hosted Exchange Environment Update (Rackspace Technology)

Multiple government departments in New Zealand affected by ransomware attack on IT provider (The Record by Recorded Future)

Antwerp's city services down after hackers attack digital partner (BleepingComputer)

Russian hacking group spoofed Microsoft login page of US military supplier: report (The Record by Recorded Future)

Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets (BlackBerry)

Inside the Face-Off Between Russia and a Small Internet Access Firm (New York Times)

Apiiro’s AI engine detected a software supply chain attack in PyPI (Apiiro | Cloud-Native Application Security)

Anatomizing CryptosLabs: a scam syndicate targeting French-speaking Europe for years (Group-IB)

CISA Alert AA22-335A – #StopRansomware: Cuba Ransomware [CISA Cybersecurity Alerts] Dec 07, 2022

The FBI and CISA are releasing this alert to disseminate known Cuba Ransomware Group indicators of compromise and TTPs identified through FBI investigations.

FBI and CISA would like to thank BlackBerry, ESET, The National Cyber-Forensics and Training Alliance (NCFTA), and Palo Alto Networks for their contributions to this CSA.

AA22-335A Alert, Technical Details, and Mitigations

For a downloadable copy of IOCs, see AA22-335A.stix

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Cyberespionage, privateering, hacktivism and influence operations, in Ukraine, Russia, the Middle East, and elsewhere. Criminals need quality control, too. A new entry in CISA’s KEV Catalog. Dec 06, 2022

A Chinese cyberespionage campaign is believed to be active in the Middle East. Poor quality control turns ransomware into a wiper, and a typo crashes a cryptojacker. A large DDoS attack is reported to have hit a Russian state-owned bank. Privateers compromise Western infrastructure to stage cyberattacks. Cyber operations against national morale. A look at the Vice Society. Ben Yelin on the growing concerns over TicTok. Ann Johnson from Afternoon Cyber Tea speaks with Charles Blauner about the evolution of the CISO role. And CISA has added an entry to its Known Exploited Vulnerabilities Catalog.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/232

Selected reading.

BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign (Bitdefender Labs)

The Story of a Ransomware Turning into an Accidental Wiper | FortiGuard Labs (Fortinet Blog)

Syntax errors are the doom of us all, including botnet authors (Ars Technica)

Russia's No. 2 bank VTB suffers largest DDoS in history (Computing)

Russia compromises major UK and US organisations to attack Ukraine (Lupovis)

Russia’s online attacks target Ukrainians’ feelings (POLITICO)

Vice Society: Profiling a Persistent Threat to the Education Sector (Unit 42)

CISA Adds One Known Exploited Vulnerability to Catalog (CISA)

Swapping cyberattacks in a hybrid war. Privateers or just a side-hustle? US CSRB will investigate Lapsu$ Group. Notes on the cyber underworld. Dec 05, 2022

Wiper malware hits Russian targets. Microsoft sees an intensification of Russian cyber operations against Ukraine. State policy, privateering, or an APT side-hustle? The US Cyber Safety Review Board will investigate the Lapsu$ Group. Rackspace works to remediate a security incident. The Schoolyard Bully Trojan harvests credentials. Grayson Milbourne of OpenText Security Solutions on attacks on common open source dev libraries. Rick Howard looks at CISO career paths. And trends in ransomware: cybercrime succeeds when the gang runs like a business.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/231

Selected reading.

CryWiper: fake ransomware (Kaspersky).

CryWiper data wiper targets Russian courts and mayors' offices (Computing)

Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices (Ars Technica)

Russian regions attacked by new wiper posing as ransomware (Cybernews)

Preparing for a Russian cyber offensive against Ukraine this winter (Microsoft On the Issues)

Russia coordinating Ukraine hacks with missiles, could increasingly target European allies, Microsoft warns (POLITICO)

Russia Is Boosting Its Cyber Attacks on Ukraine, Allies, Microsoft Says (Bloomberg.com)

Hackers linked to Chinese government stole millions in Covid benefits (NBC News)

Cyber Safety Review Board to Conduct Second Review on Lapsus$ (US Department of Homeland Security)

Rackspace: Ongoing Exchange outage caused by security incident (BleepingComputer)

Schoolyard Bully Trojan Facebook Credential Stealer (Zimperium)

The Professionalization of Ransomware: How Gangs Are Becoming Like Businesses (LookingGlass Cyber Solutions Inc.)

Rohit Dhamankar: Never close doors prematurely. [Vice President] [Career Notes] Dec 04, 2022

Rohit Dhamankar from Fortra’s Alert Logic sits down with Dave Bittner to share his experiences as he navigates the industry. Rohit has over 15 years of security industry experience across product strategy, threat research, product management and development, and customer solutions. Before Alert Logic he served in Product roles for Live Oak Venture Capital at Infocyte and Razberi Technologies. He has previously worked in senior roles in several start-up companies in security analytics, intrusion detection/prevention, end-point protection, and security risk and compliance, including VP, Click Labs Solutions at Click Security, acquired by AlertLogic, and he was a Co-Founder of Jumpshot, acquired by Avast. Rohit shares the advise of never closing a door too prematurely, because you never know what could be behind the door waiting for you. We thank Rohit for sharing his story.

Old malware returns in a new way. [Research Saturday] Dec 03, 2022

Jeremy Kennelly and Sulian Lebegue from Mandiant sit down with Dave to discuss their research "From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind? One of the oldest and most successful banking fraud malwares, URSNIF, which caused an estimated “tens of millions of dollars in losses”, has been discovered by researchers to have been re-tooled into a generic backdoor, dubbed “LDR4”.

This new varient was first observed in June 2022. Mandiant researchers believe that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. They say "given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely."

The research can be found here:

From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind

Cuba ransomware pulls in $60 million. CISA releases three ICS advisories. Google announces new support for Ukraine. DDoSing the Vatican. Google supports Ukrainian startups in wartime. Dec 02, 2022

Cuba ransomware pulls in $60 million. CISA releases three ICS advisories. DDoSing the Vatican. Andrea Little Limbago from Interos on the implications of Albania cutting off diplomatic ties with Iran. Our space correspondent Maria Varmazis speaks with Brandon Bailey about Space Attack Research and Tactic Analysis matrix. And how Google supports Ukrainian startups in wartime.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/230

Selected reading.

Alert (AA22-335A) #StopRansomware: Cuba Ransomware (CISA)

Novel News on Cuba Ransomware: Greetings From Tropical Scorpius (Palo Alto Networks Unit 42)

New ways we're supporting Ukraine (Google)

25 new startup recipients of the Ukraine Support Fund (Google)

Vatican shuts down its website amid hacking attempts (Cybernews)

Cyberespionage, cybercrime, and patriotic hacktivism. The Heliconia framework described. Cyber risk for the telecom and healthcare sectors. Notes on the hybrid war. Predictions for 2023. Dec 01, 2022

A new backdoor, courtesy of the DPRK. The Medibank breach is all over but the shouting (or, all over but the suing and the arresting). Risks and opportunities in telecom’s shift to cloud. Cyber risk in healthcare. An assessment of Russian cyber warfare. Robert M. Lee from Dragos assesses the growing value of the ICS security market. Our guest is Cecilia Seiden of TransUnion to discuss their 2022 Consumer Holiday Shopping Report. And it’s December, which means…predictions.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/229

Selected reading.

Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin (ESET)

Medibank hackers announce ‘case closed’ and dump huge data file on dark web (the Guardian)

New details on commercial spyware vendor Variston (Google)

Risks and opportunities in telecom’s shift to cloud. (CyberWire)

Moody’s discusses cyber risk in healthcare. (CyberWire)

'Do something:' Ukraine works to heal soldiers' mental scars (AP NEWS)

Reformed Russian Cybercriminal Warns That Hatred Spreads Hacktivism (Wall Street Journal)

Cybersecurity predictions for 2023. (CyberWire)

LockBit 3.0 and Punisher ransomware described. Leave that USB right in the parking lot where you found it. Killnet’s woofing. Lilac Wolverine’s big new BEC. And World Cup scams. Nov 30, 2022

Has LockBit 3.0 been reverse engineered? A COVID lure contains a Punisher hook. A Chinese cyberespionage campaign uses compromised USB drives. Lilac Wolverine exploits personal connections for BEC. Killnet claims to have counted coup against the White House. Tim Starks from the Washington Post has the FCC’s Huawei restrictions and ponders what congress might get done before the year end. Our guest is Tom Eston from Bishop Fox with a look Inside the Minds & Methods of Modern Adversaries. And, of course, scams, hacks, and other badness surrounding the World Cup.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/228

Selected reading.

LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling (Sophos News)

Punisher Ransomware Spreading Through Fake COVID Site (Cyble)

Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia (Mandiant)

BEC Group Compromises Personal Accounts and Pulls Heartstrings to Launch Mass Gift Card Attacks (Abnormal Security)

Killnet Claims Attacks Against Starlink, Whitehouse.gov, and United Kingdom Websites (Trustwave)

Scammers on the pitch: Group-IB identifies online threats to fans at FIFA World Cup 2022 in Qatar (Group-IB)

DDoS as a holiday-season threat to e-commerce. TikTok challenge spreads malware. Meta's GDPR fine. US Cyber Command describes support for Ukraine's cyber defense. Nov 29, 2022

DDoS as a holiday-season threat to e-commerce. A TikTok challenge spreads malware. Meta's GDPR fine. Mr. Security Answer Person John Pescatore has thoughts on phishing resistant MFA. Joe Carrigan describes Intel’s latest efforts to thwart deepfakes. And US Cyber Command describes support for Ukraine's cyber defense.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/227

Selected reading.

Holiday DDoS Cyberattacks Can Hurt E-Commerce, Lack Legal Remedy (Bloomberg Law)

TikTok ‘Invisible Body’ challenge exploited to push malware (BleepingComputer)

$275M Fine for Meta After Facebook Data Scrape (Dark Reading)

Before the Invasion: Hunt Forward Operations in Ukraine (U.S. Cyber Command)

Keeping pentesting tools out of criminal hands. Updates from an intensified cyber phase in Russia’s hybrid war. Fars reports sustaining a cyber attack. The most common password remains “password.” Nov 28, 2022

Nighthawk’s at the diner (but maybe not on the crooks’ menu). Internet service in Ukraine and Moldova is interrupted by strikes against Ukraine's power grid. Sandworm renews ransomware activity against Ukrainian targets. Russian cyber-reconnaissance seen at a Netherlands LNG terminal. European Parliament votes to declare Russia a terrorist state (and Russia responds with cyberattacks and terroristic threats). Carole Theriault reports on where these kids today are getting their news. Malek Ben Salem from Accenture on digital identity in Web 3.0. And, hey, the new list of most commonly used passwords looks...depressingly familiar.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/226

Selected reading.

Sec firm MDSec slams Proofpoint for post on pen-testing framework (iTWire)

Nighthawk: With Great Power Comes Great Responsibility - MDSec

Cyberattack Hits Iran's Fars News Agency (RadioFreeEurope/RadioLiberty)

Iran’s Fars news agency is hit by cyberattacks, blames Israel (Times of Israel)

Ukraine and Moldova suffer internet disruptions after Russian missile strikes (The Record by Recorded Future)

New ransomware attacks in Ukraine linked to Russian Sandworm hackers (BleepingComputer)

Russian hackers targeting Dutch gas terminal: report (NL Times)

Russia labelled state sponsor of terrorism as missile strikes leave Ukraine without power (The Telegraph)

Killnet Group Claims Responsibility for European Parliament Cyber Attack (Digit)

European Parliament hit by 'sophisticated' cyberattack (Deutsche Welle)

European Parliament website suffers 'sophisticated' cyber attack after Russia terrorism vote (Computing)

Hackers Temporarily Take Down European Parliament Website (Wall Street Journal)

Guess the most common password. Hint: We just told you (Register)

Laura Whitt-Winyard: Securing the world. [CISO] [Career Notes] Nov 27, 2022

Laura Whitt-Winyard, CISO from Malwarebytes, sits down to share her story, beginning with a desire to be a pediatric oncologist that she later discovered was not the path for her. Laura was bouncing around from job to job until she bought her first computer, and a light bulb went off in her head. She set out to make it her goal to learn about this new, interesting field and grow within it. Now as a successful CISO, she wants to make the world more secure and goes from company to company to complete her goal. She considers herself a servant leader whose goal is the greater good. She compares her role to football, explaining that she is not the quarterback, but the center for the team. She believes she is the center that paves the path for the quarterbacks on her team to reduce the noise, to give the quarterback all the tools that they need to do their jobs and do their jobs well. We thank Laura for sharing her story.

Encore: The secrets behind Docker. Nov 26, 2022

Alon Zahavi from CyberArk, joins Dave Bittner on this episode to discuss CyberArk's work in conjunction with Patch Tuesday. CyberArk published about how Docker inadvertently created a new vulnerability and what happens when it's exploited.

CyberArk's research concluded that an attacker may execute files with capabilities or setuid files in order to escalate its privileges up to root level. CyberArk found the new vuln in some of Microsoft’s Docker images, caused by misuse of Linux capabilities, a powerful additional layer of security that gives admins the ability to assign capabilities and privileges to processes and files in the Linux system

The research can be found here:

How Docker Made Me More Capable and the Host Less Secure

Interview Select: Perry Carpenter on his new book "The Security Culture Playbook." [CW Pro] Nov 25, 2022

This interview is from June 3rd, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down Perry Carpenter, host of 8th Layer Insights to discuss his new book "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer."

Research Briefing: Emotet's return. LodaRAT improvements. Callback phishing leads to data theft extortion. [CW Pro] Nov 24, 2022

Emotet's return. LodaRAT improvements. Callback phishing leads to data theft extortion.

Watch out for abuse of pentesting tools. Cyber attack on Guadeloupe. Ducktail’s evolution. Cybersecurity for ports. ICS security advisories. And stay safe shopping during the holidays. Nov 23, 2022

Another pentesting tool may soon be abused by threat actors. Cyberattack disrupts Guadeloupe. Ducktail evolves and expands. Warning of the potential disruption cyberattacks might work against European ports. CISA releases eight industrial control system advisories. Patrick Tiquet, VP of Security and Architecture at Keeper Security, talks about the FedRAMP authorization process. Bryan Vorndran of the FBI Cyber Division with reflections on ransomware. And stay safe on Black Friday (and Cyber Monday, and Panic Saturday, and…you get the picture.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/225

Selected reading.

Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice (Proofpoint)

Making Cobalt Strike harder for threat actors to abuse (Google Cloud Blog)

Guadeloupe government fights 'large-scale' cyberattack (AP NEWS)

Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding (SecurityWeek)

Cyber as important as missile defences - ex-NATO general (Reuters)

CISA Releases Eight Industrial Control Systems Advisories (CISA)

Black Friday and Cyber Monday risks. (CyberWire)

Recent criminal activity–it’s as opportunistic as ever. Cyber risk to the pharma sector. Updates on the hybrid war. Returning Cobalt Strike to the legitimate red teams. Nov 22, 2022

Daixin Team claims ransomware attack against AirAsia. DraftKings users suffer credential harvesting and paycard theft. Assessing cyber risk in the US pharmaceutical industry. Killnet claims successes few others can discern. In Ukraine, kinetic attacks on IT infrastructure eclipse cyberattacks. Carole Theriault on digital echo chambers and what's in it for us. Nancy Wang from Forta's Alert Logic discusses how she is helping more young women get into the STEM field and leadership positions. Google seeks to render Cobalt Strike less useful to threat actors.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/224

Selected reading.

Daixin Team claims AirAsia ransomware attack with five million customer records leaked (Tech Monitor)

Daixin Ransomware Gang Steals 5 Million AirAsia Passengers' and Employees' Data (The Hacker News)

DraftKings Users Hacked, Money In Account "Cashed Out" (Action Network)

DraftKings says no evidence systems were breached following report of a hack (CNBC)

Assessing cyber risk in the US pharmaceutical industry. (CyberWire)

Killnet DDoS hacktivists target Royal Family and others (ComputerWeekly.com)

Ukraine Data Centers Became Physical Targets When Cyber Attacks Failed (Meritalk)

Making Cobalt Strike harder for threat actors to abuse (Google Cloud Blog)

Google seeks to make Cobalt Strike useless to attackers (Help Net Security)

Google Releases YARA Rules to Disrupt Cobalt Strike Abuse (Dark Reading)

Google releases 165 YARA rules to detect Cobalt Strike attacks (BleepingComputer)

Callback phishing offers to solve your problem (it won’t). Mustang Panda’s recent activities. DEV0569’s malvertising campaign. 10 indicted in BEC case. Developing a cyber auxiliary force. Nov 21, 2022

Luna Moth's callback phishing offers an unpleasant and less familiar form of social engineering. New activity by China's Mustang Panda is reported. DEV0569 is using malvertising to distribute Royal ransomware. US indicts 10 in a business email compromise case. Developing a cyber auxiliary. Dave Bittner sits down with AJ Nash from ZeroFox to discuss holiday scams. Our own Rick Howard speaks with us about cloud security. And beware of Black Friday scams.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/223

Selected reading.

Threat Assessment: Luna Moth Callback Phishing Campaign (Unit 42)

DEV-0569 finds new ways to deliver Royal ransomware, various payloads (Microsoft Security)

Earth Preta Spear-Phishing Governments Worldwide (Trend Micro)

EXCLUSIVE: Rounding up a cyber posse for Ukraine (The Record by Recorded Future)

Tech for good: How the IT industry is helping Ukraine (Computing)

10 Charged in Business Email Compromise and Money Laundering Schemes Targeting Medicare, Medicaid, and Other Victims (US Department of Justice)

Black Friday and Cyber Monday risks. (CyberWire)

Omer Singer: The offense and the defense of cybersecurity. [Strategy] [Career Notes] Nov 20, 2022

Omer Singer, Lead Cybersecurity Strategist from Snowflake, sits down to share his experience getting into the cybersecurity field. Growing up, he knew he wanted to work with computers, but he just didn't know what he wanted to do within the field. His college gave him great hands-on experience to then transition into the workforce. He's played both on the offense and defense of cybersecurity, and he says that experience showed him and he "kind of saw firsthand, uh, what a well funded and motivated, uh, team of cybersecurity experts can do and it's pretty scary." In addition, Omer is a big advocate for encouraging other security professionals to learn data skills, and strongly stands by the belief that the future of cybersecurity is in borrowing from modern data analytics tools and techniques that enable consistent risk reduction. He also makes it a priority to invest in his people, believing that this unlocks intrinsic motivation that enables a ton of personal growth and accomplishment, and is a big believer in the OKR system for enabling security operations and avoiding burnout. We thank Omer for sharing his story.

Another infection with new malware. [Research Saturday] Nov 19, 2022

Larry Cashdollar, Principal Security Intelligence Response Engineer from Akamai Technologies, joins Dave to talk about their research on "KmsdBot: The Attack and Mine Malware." Akamai's Security Research team has found a new malware that infected their honeypot, which they have dubbed KmsdBot.

The research states "The malware attacks using UDP, TCP, HTTP POST, and GET, along with a command and control infrastructure (C2), which communicates over TCP." The botnet targets weak login credentials and then infects systems via an SSH connection.

The research can be found here:

KmsdBot: The Attack and Mine Malware

Government security advisories, and the difficulty of recovering from ransomware attacks. Authority for offensive cyber under deliberation. Google wins Glupteba suit. Nov 18, 2022

CISA and its partners issue a Joint Advisory on the Hive ransomware-as-a-service operation. Ransomware continues to trouble governments, internationally and at all levels. The US Defense Department may see enhanced authority to conduct offensive cyber operations. Russian attacks on Ukrainian infrastructure remain kinetic, as missiles show up, but cyberattacks don’t. Kevin Magee from Microsoft about leveraging cybersecurity apprentices. Our guest is Paul Giorgi from XM Cyber describing creative attack path in enterprise networks.And, hey, glupost’ [GLUE-post]–don’t mess with Google’s lawyers.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/222

Selected reading.

CISA Alert AA22-321A – #StopRansomware: Hive Ransomware. (CyberWire)

#StopRansomware: Hive Ransomware (CISA)

Vanuatu: Hackers strand Pacific island government for over a week (BBC News)

Ransom attack cripples Vanuatu government systems, forces staff to use pen and paper (The Sydney Morning Herald)

Ransomware incidents now make up majority of British government’s crisis management COBRA meetings (The Record by Recorded Future)

Suffolk County, N.Y., Hack Shows Ransomware Threat to Municipalities (Wall Street Journal)

Biden set to approve expansive authorities for Pentagon to carry out cyber operations (CyberScoop)

Red Lion Crimson (CISA)

Cradlepoint IBR600 (CISA)

A ruling in our legal case against the Glupteba botnet (Google)

CISA Alert AA22-321A – #StopRansomware: Hive Ransomware. [CISA Cybersecurity Alerts] Nov 18, 2022

The FBI, CISA, and the Department of Health and Human Services are releasing this alert to disseminate known Hive Ransomware Group indicators of compromise and TTPs identified through FBI investigations.

AA22-321A Alert, Technical Details, and Mitigations

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Privileged insiders and the abuse of “Oops.” Nemesis Kitten exploits Log4Shell. TrojanOrders in the holiday season. Emotet’s back. RapperBot notes. And an arrest in the Zeus cybercrime case. Nov 17, 2022

Meta employees, contractors compromised customer accounts. Nemesis Kitten found in US Government network. Unpatched Magento instances hit with "TrojanOrders." Emotet has returned after three quiet months. DDoS attacks in game servers by RapperBot. Carole Theriault looks at long term lessons learned from the 2019 Capital One breach. FBI Cyber Division AD Bryan Vorndran updates us on cyber threats. And an alleged "Zeus" cybercrime boss has been arrested in Switzerland.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/221

Selected reading.

Meta Employees, Security Guards Fired for Hijacking User Accounts (Wall Street Journal)

CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. (CyberWire)

Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester (CISA)

Iranian government-linked hackers got into Merit Systems Protection Board’s network (Washington Post)

Iranian hackers compromise US government network in cryptocurrency generating scheme, officials say (CNN)

Magento stores targeted in massive surge of TrojanOrders attacks (BleepingComputer)

A Comprehensive Look at Emotet’s Fall 2022 Return (Proofpoint)

Notorious Emotet botnet returns after a few months off (Register)

Updated RapperBot malware targets game servers in DDoS attacks (BleepingComputer)

Russia’s cyber forces ‘underperformed expectations’ in Ukraine: senior US official (The Hill)

Suspected Zeus cybercrime ring leader ‘Tank’ arrested by Swiss police (BleepingComputer)

Getting tangled up in the blockchain. RDS vulnerabilities. The language of fraud. An offer of help to the G19.Draft Episode for Nov 16, 2022 Nov 16, 2022

Blockchains and cryptocurrency exchanges, and the risks they present. Vulnerabilities in Amazon RDS may expose PII. A study of the language of fraud. Tim Starks from Washington Post's Cybersecurity 202 on a lagging DHS cyber doomsday report. Our guest is Ashif Samnani of Cenovus Energy with insights from the world of OT cyber. And President Zelenskyy offers the benefit of Ukraine's experience with cyber warfare to the "G19”.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/220

Selected reading.

Cryptocurrency sector vulnerabilities. (CyberWire)

Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots (Mitiga)

Amazon RDS may expose PII. (CyberWire)

The specious language of fraud. (CyberWire)

Zelensky offers G20 leaders to use Ukrainian experience in cyber defense (Ukrinform)

Ukraine at D+265: A missile campaign punctuates diplomacy. (CyberWire)

CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. [CISA Cybersecurity Alerts] Nov 16, 2022

From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch organization where CISA observed suspected advanced persistent threat activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.

AA22-320A Alert, Technical Details, and Mitigations

Malware Analysis Report MAR 10387061-1.v1

For more information on Iranian government-sponsored Iranian malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

An update on three threat actors: Fangxiao, Killnet, and Billbug, one of them in it for money, another for the glory, and a third for the intell. Twitter and SMS 2FA. Zendesk patches. CISA adds a KEV. Nov 15, 2022

Fangxiao works ad scams enroute to other compromises. Killnet claims to have defaced a US FBI site. CISA registers another Known Exploited Vulnerability. Difficulties with Twitter's SMS 2FA system. Zendesk vulnerability discovered. Joe Carrigan explains registration bombing for email addresses. Our guest is Miles Hutchinson from Jumio with insights on defense against sophisticated ransomware attackers. And Billbug romps through Asian government agencies.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/219

Selected reading.

Fangxiao: a Chinese threat actor (Cyjax)

Fangxiao: A Phishing Threat Actor (Tripwire)

Russian hackers claim cyber attack on FBI website (Newsweek)

CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)

Twitter’s SMS Two-Factor Authentication Is Melting Down (WIRED)

Varonis Threat Labs Discovers SQLi and Access Flaws in Zendesk (Varonis)

Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries (Symantec)

Chinese hackers target government agencies and defense orgs (BleepingComputer)

Researchers Say China State-backed Hackers Breached a Digital Certificate Authority (The Hacker News)

Software supply chains, C2C markets, criminals, and cyber auxiliaries in a hybrid war. CISA releases its Stakeholder Specific Vulnerability Categorization (SSVC). Nov 14, 2022

Software supply chain risk. Cyber risk across sectors. CISA releases Stakeholder Specific Vulnerability Categorization (SSVC). Sandworm is back in Russia's hybrid war. Another wiper campaign from a Russian cyber auxiliary. Malek Ben Salem from Accenture shares thoughts on future-proofing cloud security. Rick Howard previews the latest CSO Perspectives show. And the Australian Federal Police say they know who hacked Medibank. (and the AFP says they have a good track record getting international criminals).

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/218

Selected reading.

Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps (Reuters)

Industries boost cyber defenses against growing number of attacks (Moodys)

CISA Releases SSVC Methodology to Prioritize Vulnerabilities (CISA)

Transforming the Vulnerability Management Landscape (CISA)

Russian Sandworm hackers deployed malware in Ukraine and Poland (Washington Post)

New “Prestige” ransomware impacts organizations in Ukraine and Poland (Microsoft)

Microsoft links Russia’s military to cyberattacks in Poland and Ukraine (Ars Technica)

Microsoft attributes ‘Prestige’ ransomware attacks on Ukraine and Poland to Russian group (The Record by Recorded Future)

Wipe it or exfiltrate? How Russia exploits edge infrastructure to disrupt and spy during wartime (SC Media)

Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless (WIRED)

Russian military hackers linked to ransomware attacks in Ukraine (BleepingComputer)

Information on cyberattacks of the group UAC-0118 (FRwL) using the Somnia malware (CERT-UA#5185) (CERT-UA)

Ukraine says Russian hacktivists use new Somnia ransomware (BleepingComputer)

Russian hacktivists hit Ukrainian orgs with ransomware - but no ransom demands (Help Net Security)

Development of the Ukrainian Cyber Counter-Offensive (Trustwave)

Australian Federal Police say cybercriminals in Russia behind Medibank hack (The Record by Recorded Future)

Australia tells Medibank hackers: 'We know who you are' (TechCrunch)

Lauren Campanara: Learn to forgive yourself. [SOC Analyst] [Career Notes] Nov 13, 2022

Lauren Campanara, a SOC Analyst from ThreatX shares her story as she made the decision to break into cybersecurity after spending twelve years in the cosmetology field. She worked her way through college in a job she did not enjoy and felt trapped in while competing her online degree. She found ThreatX and fell in love with the work she is doing now. Lauren hopes to inspire others, especially women, to consider a challenging and rewarding career in cybersecurity. She shares what it's like to be in a field she was not happy in and how she was the only one standing in her way to achieve her goals. She says "Another huge obstacle worth mentioning is learning to get out of my own way. You are your own worst critic. I learned to be more forgiving of myself." She hopes her story will inspire others to follow their dreams and stop holding themselves back.

An in-depth look on the Crytox ransomware family. [Research Saturday] Nov 12, 2022

Deepen Desai from Zscaler sits down with Dave to talk about the Crytox ransomware family. First observed in 2020, Crytox is a ransomware family consisting of several stages of encrypted code that has fallen under the radar compared to other ransomware families. While other groups normally use double extortion attacks where data is both encrypted and held for ransom, Crytox does not perform this way.

The research says "The modus operandi of the group is to encrypt files on connected drives along with network drives, drop the uTox messenger application and then display a ransom note to the victim." It also shares how you may be compromised with this ransomware and goes through each stage in depth.

The research can be found here:

Technical Analysis of Crytox Ransomware

CSO Perspectives Bonus: Veterans Day special. Nov 11, 2022

Rick Howard (The Cyberwire’s Chief Analyst, CSO, and Senior Fellow), and the cast of the entire Cyberwire team, honor our U.S. veterans on this special day.

US midterms conclude without cyber interference. NATO on cyber defense. New APT41 activity identified. Russia’s FSB and SVR continue cyberespionage. Trends in phishing and API risks. Nov 10, 2022

There’s no sign that cyberattacks affected US vote counts. NATO meets to discuss the Atlantic Alliance’s Cyber Defense Pledge. A new APT41 subgroup has been identified. FSB phishing impersonates Ukraine's SSCIP. A look at Cozy Bear's use of credential roaming. Caleb Barlow shares tips on removing implicit bias from your hiring process. Our guests are Valerie Abend and Lisa O'Connor from Accenture with a look at the difference in how women and men pursue the top cyber leadership roles. And an update on Phishing trends and API threats.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/217

Selected reading.

Statement from CISA Director Easterly on the Security of the 2022 Elections (Cybersecurity and Infrastructure Security Agency):

No ‘Specific or Credible’ Cyber Threats Affected Integrity of Midterms, CISA Says (Nextgov.com)

U.S. vote counting unaffected by cyberattacks, officials say (PBS NewsHour)

What's 'Putin's chef' cooking up with talk on US meddling? (AP NEWS)

NATO’s 2022 Cyber Defense Pledge Conference - United States Department of State (United States Department of State)

Japan joins NATO cyber defense centre (Telecoms Tech News)

China casts wary eye as Japan signs up for Nato cybersecurity platform (South China Morning Post)

Hack the Real Box: APT41’s New Subgroup Earth Longzhi (Trend Micro)

New hacking group uses custom 'Symatic' Cobalt Strike loaders (BleepingComputer)

They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming (Mandiant)

APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network (The Hacker News)

CAUTION‼️ russian hackers are sending emails with malicious links from the SSSCIP (State Service of Special Communications and Information Protection of Ukraine)

Russian hackers send out emails under the name of Ukraine's State Service of Special Communications and Information Protection (Yahoo)

Research Report | The State of Email Security 2022 (Tessian)

DevOps Tools & Infrastructure Under Attack (Wallarm)

A look back at midterm cybersecurity. Communications security lessons learned in Ukraine. Known Exploited Vulnerabilities and Patch Tuesday. Off-boarding deserves some attention. Nov 09, 2022

US midterm elections proceed without cyber disruption. Communications security lessons learned. CISA publishes new entries to its Known Exploited Vulnerabilities Catalog. Patch Tuesday notes. Carole Theriault examines cross border money laundering. The FBI’s Bryan Vorndran offers guidance on how companies should think about their exposure in china. And a recent study finds reasons to be concerned about off-boarding.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/216

Selected reading.

Taking a look at election security on US midterm Election Day. (CyberWire)

Communications Security: Lessons Learned From Ukraine (BlackBerry)

CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)

Microsoft November 2022 Patch Tuesday (SANS Institute)

November Patch Tuesday Updates | 2022 (Syxsense Inc)

Microsoft Fixes Six Actively Exploited Flaws (Decipher)

Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks (BleepingComputer)

Microsoft Scrambles to Thwart New Zero-Day Attacks (SecurityWeek)

Infrastructure access and security. (CyberWire)

Cybersecurity on US Election Day. OPERA1ER threat activity. Insider threats. Hacktivist auxiliaries: influence operators in the hybrid war. And Mr. Hushpuppi is back in the news. Nov 08, 2022

Cybersecurity on US Election Day. Details on the OPERA1ER threat activity. Seasonal and secular trends in Insider threats. Hacktivist auxiliaries: influence operators in the hybrid war. Ben Yelin reviews election security and misinformation. Ann Johnson from Afternoon Cyber Tea speaks with Dr. Ryan Louie about the growing issue of mental illness among cybersecurity professionals. And, hey everybody, Mr. Hushpuppi is back in the news (and back in the slammer, the hoosgow, the big house…you get the picture…a sabbatical at Club Fed.)

Disclaimer: The content and views expressed do not constitute medical advice and are not a substitute for professional medical advice, diagnosis, or treatment. If you need help, please contact your medical provider.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/215

Selected reading.

Your Election Day cyber guide (Washington Post)

Putin-linked businessman admits to US election meddling (AP NEWS)

OPERA1OR: Playing god without permission (Group-IB)

DTEX i3 Team Insider Risk Stats for 2022 (DTEX Systems Inc)

Killnet targets Eastern Bloc government sites, but fails to keep them offline (The Record by Recorded Future)

Ukrainian hacktivists claim to leak trove of documents from Russia’s central bank (The Record by Recorded Future)

Notorious Nigerian influencer ‘Billionaire Gucci Master’ sentenced to 11 years in jail in the U.S. for fraud (Forbes)

Hushpuppi: Notorious Nigerian fraudster jailed for 11 years in US (BBC)

Election security on the eve of the US midterms. US FBI rates the hacktivist threat. Microsoft says China uses disclosure laws to develop zero-days. Remember SIlk Road? The Feds do. Nov 07, 2022

Election security on the eve of the US midterms. US FBI rates hacktivist contributions to Russia's war as unimportant. Microsoft accuses China of using vulnerability disclosure to develop zero-days. Andrea Little Limbago from Interos addresses accountability for breaches. Our guest is Michelle Amante from the Partnership for Public Service on their Cybersecurity Talent Initiative. And, finally, remember SIlk Road? The Feds do.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/214

Selected reading.

Hacktivists Use of DDoS Activity Causes Minor Impacts (FBI)

The government says it won’t flag election disinformation on Twitter and other social platforms (Washington Post)

What to Expect When You are Expecting an Election (CISA)

Hacktivists Use of DDoS Activity Causes Minor Impacts (FBI)

Nation-state cyberattacks become more brazen as authoritarian leaders ramp up aggression (Microsoft On the Issues)

U.S. Attorney Announces Historic $3.36 Billion Cryptocurrency Seizure And Conviction In Connection With Silk Road Dark Web Fraud (U.S. Attorney’s Office for the Southern District of New York)

Gary Brickhouse: Riding the wave of growth. [CISO] [Career Notes] Nov 06, 2022

Gary Brickhouse, CISO from GuidePoint Security, sits down to share his story, looking back over the last 25 years of his career working for Fortune 100 companies, including Disney. He shares that every role he has had, he’s had to grow into and how each one was a pivotal point in his technical career. Gary ended up transitioning to a different organization and says how it was really compliance that was the transitional sort of moment for him as he grew into different roles. He says, “What I found was sort of just, riding the wave of growth and opportunity and trying to take advantage of it along the way." He shares some advice for new people entering the industry, saying that he wants to help shatter the myth that you have to be technical to get into this field. We thank Gary for sharing his story.

Over-the-air 0-day vulnerabilities. [Research Saturday] Nov 05, 2022

Roya Gordon from Nozomi Networks sits down with Dave to discuss their work "UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice." Ultra-wideband (UWB) is a rapidly-growing radio technology that, according to the UWB Alliance, is forecasted to drive sales volumes exceeding one billion devices annually by 2025.

In an effort to strengthen the security of devices utilizing UWB, Nozomi Networks Labs conducted a security assessment of two popular UWB RTLS solutions available on the market. Their research reveals 0-day vulnerabilities and other weaknesses that, if exploited, could allow an attacker to gain full access to all sensitive location data exchanged over-the-air.

The research can be found here:

UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice

Flight-planning and rail services disrupted in separate incidents. BEC gang impersonates law firms. Effects of the hybrid war on action in cyberspace. And a farewell to Vitali Kremez, gone far too soon. Nov 04, 2022

Flight-planning services are affected by cyberattack, as are Danish rail service. A BEC gang impersonates international law firms. Effects of the hybrid war on action in cyberspace. Deepen Desai from Zscaler examines the evolution of the X-FILES Stealer. CyberWire Space Correspondent Maria Varmazis has an analysis of the Starlink situation in Ukraine. And a sad, final farewell to Vitali Kremez, gone far too soon.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/213

Selected reading.

Boeing subsidiary Jeppesen's services impacted by cyber incident (Reuters)

BREAKING: Boeing's Jeppesen Subsidiary Hit With Potential Ransomware Attack (Live and Let's Fly)

Danish train standstill on Saturday caused by cyber attack (Reuters)

Cyber incident at Boeing subsidiary causes flight planning disruptions (The Record by Recorded Future)

Crimson Kingsnake: BEC Group Impersonates International Law Firms in… (Abnormal Security)

New Crimson Kingsnake gang impersonates law firms in BEC attacks (BleepingComputer)

Ukraine war, geopolitics fuelling cybersecurity attacks -EU agency (Reuters)

Microsoft Extends Aid for Ukraine's Wartime Tech Innovation (SecurityWeek)

Evaluating the International Support to Ukrainian Cyber Defense (Carnegie Endowment for International Peace)

Cyber community mourns renowned researcher Vitali Kremez (The Record by Recorded Future)

Remembering Vitali Kremez, Threat Intelligence Researcher (Bank Info Security)

“Static expressway” tactics in credential harvesting. Emotet is back. Black Basta linked to Fin7. RomCom hits Ukrainian targets and warms up against the Anglo-Saxons. Cyber cooperation? Nov 03, 2022

Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting. Emotet is back. Black Basta ransomware linked to Fin7. A Russophone gang increases activity against Ukrainian targets. Betsy Carmelite from Booz Allen Hamilton on adversary-informed defense. Our guest is Tom Gorup of Alert Logic with a view on cybersecurity from a combat veteran. And Russia regrets that old US lack of cooperation in cyberspace–things would be so much better if the Anglo-Saxons didn’t think cyberspace was the property of the East India Company. Or something like that.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/212

Selected reading.

Abusing Microsoft Customer Voice to Send Phishing Links (Avanan)

Emotet botnet starts blasting malware again after 5 month break (BleepingComputer)

Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor (SentinelOne)

RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom (BlackBerry)

Russia cyber director warns no U.S. cooperation risks "mutual destruction" (Newsweek)

OpenSSL indeed patched. CISA is confident of election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. BEC and gift cards. And that’s one sweet ride. Nov 02, 2022

OpenSSL patches two vulnerabilities. CISA and election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. Business email compromise and gift cards. Tim Starks from the Washington Posts’ Cybersecurity 202 has the latest on election security. A visit to the CyberWire’s Women in Cyber Security event. And consequences for Raccoon Stealer from the war in Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/211

Selected reading.

OpenSSL patched today. (CyberWire)

OpenSSL Releases Security Update (CISA)

OpenSSL releases fixes for two ‘high’ severity vulnerabilities (The Record by Recorded Future)

OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway! (Naked Security)

Threat Advisory: High Severity OpenSSL Vulnerabilities (Cisco Talos Blog)

OpenSSL Vulnerability Patch Released (Sectigo® Official)

Clearing the Fog Over the New OpenSSL Vulnerabilities (Rezilion)

OpenSSL vulnerability CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) Check Point Research Update (Check Point Software)

Undisclosed OpenSSL vulnerability: Free scripts for target scoping (Lightspin)

Discussions of CISA’s part in elections and the JCDC. (CyberWire)

U.S. Treasury thwarted attack by Russian hacker group last month-official (Reuters)

XDR data reveals threat trends. (CyberWire)

What happens to a gift card given to a scammer? (CyberWire)

How Russia’s war in Ukraine helped the FBI crack one of the biggest cybercrime cases in years (MarketWatch)

OpenSSL patched today. The risk of misconfiguration. Cyberespionage (and the risk of mixing the personal with the official). Assistance for Ukraine's cyber defense., And a quick look at DNS threats. Nov 01, 2022

OpenSSL is patched today. The misconfiguration risk to US government networks' security and compliance. Hacking Ms Truss's phone. Assistance for Ukraine's cyber defense. Joe Carrigan looks at the latest round of apps pulled from the Google Play Store. Our guest is Matias Madou of Secure Code Warrior on why cultivating a positive culture among security and developer teams continues to fall short. And a quick look at DNS threats.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/210

Selected reading.

Effectively Preparing for the OpenSSL 3.x Vulnerability (Akamai) O

How The OpenSSL 3 Vulnerability Will Really Affect Your Environment (Nucleus Security)

New Critical Flaw in OpenSSL: How to Know if You're at Risk (Rezilion)

Experts warn of critical security vulnerability discovered in OpenSSL (Application Security Blog)

The impact of exploitable misconfigurations on network security within US Federal organizations (Titania)

Liz Truss's personal phone hacked by Putin's spies (Mail Online) O

Truss phone was hacked by suspected Putin agents when she was foreign minister, the Daily Mail reports (Reuters)

Liz Truss phone hack claim prompts calls for investigation (BBC News)

Russian spies hacked Truss's personal phone (Computing)

Government urged to investigate report Liz Truss’s phone was hacked (the Guardian)

Ministers creating ‘wild west’ conditions with use of personal phones (the Guardian)

Suella Braverman admits sending official documents to personal email six times (The Telegraph)

Ukraine War: UK reveals £6m package for cyber defence (BBC News)

DNS Threat Report — Q3 2022 (Akamai)

Copper smelter hit with malware. Notes from the hybrid war. Disinformation, not direct manipulation of results, the principal threat to US elections. Ransomware in Australia’s ForceNet. Threat trends. Oct 31, 2022

Leading European metals producer is hit with malware. Cooperative defense in cyberspace. A Ukrainian ally describes its exposure to Russian cyberattacks. Former UK Prime Minister Truss's phone may have been compromised. CISA sees a complex threat environment, but no specific threat to US elections. The Australian Defence network sustains ransomware attack. The three finalists in the DataTribe Challenge share insights on the competition. Rick Howard previews the new season of CSO Perspectives. And a look at threat trends.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/209

Selected reading.

Aurubis says it was hit in wider cyberattack on metals industry (Reuters)

Copper Giant Aurubis Shuts Down Systems Due to Cyberattack (SecurityWeek)

Inside a US military cyber team’s defence of Ukraine (BBC News)

Ukraine's cyber power shows value of public-private partnership (Nikkei Asia)

Latvian President: Only the West’s Weakness Can Provoke Russia (Foreign Policy)

Latvia’s cyberspace faces new challenges amid war in Ukraine (The Record by Recorded Future)

Worries build about winter cyber threats in Ukraine (POLITICO)

Liz Truss's personal phone hacked by Putin's spies (Mail Online)

Truss phone was hacked by suspected Putin agents when she was foreign minister, the Daily Mail reports (Reuters)

Liz Truss phone hack claim prompts calls for investigation (BBC News)

Russian spies hacked Truss's personal phone (Computing)

Government urged to investigate report Liz Truss’s phone was hacked (the Guardian)

Ministers creating ‘wild west’ conditions with use of personal phones (the Guardian)

'Complex threat environment' ahead of midterm elections, top cybersecurity official says (Reuters)

CISA chief sees no "specific or credible threats" to election infrastructure (CBS News)

For cyber experts, disinformation overshadows cyberthreats in midterms (Washington Post)

Australian Defence Department caught up in ransomware attack (ABC)

Cyber-attack on Australian defence contractor may have exposed private communications between ADF members (the Guardian)

Cyber Threat Reports (Deep Instinct)

Deep Instinct releases its 2022 Interim Cyber Threat Study. (CyberWire)

Jenny Brinkley: A cybersecurity rollercoaster. [Security] [Career Notes] Oct 30, 2022

Jenny Brinkley, Director of AWS Security at Amazon Web Services (AWS), sits down to share her empowering story working through the ranks, and even co-founding her own company. While she did not have a typical upbringing in the industry, she credits her parents for ending up where she is now, as they told her that she could do anything and she decided as she was growing up that she could. She had the opportunity to co-found a small startup before selling it to AWS. She says that working in her position is like a rollercoaster, as no one thing is like the other, saying her highs are high and her lows are low. Being a woman in cybersecurity, she is working to empower more women in the field, Jenny says, "I think that we're living in such an interesting time where empathy, kindness, compassion, honesty, partnership in the security space, I mean, heck for any industry, but really for security and cyber security roles today, it's, it's the life blood and to be underestimated, especially as a female or because, you know, my background doesn't follow a cookie cutter pattern of what individuals think of when they think of individuals in security roles." We thank Jenny for sharing her story.

Bugs and working from home. [Research Saturday] Oct 29, 2022

Fede Kirschbaum from Faraday Security sits down with Dave to discuss their research on "A vulnerability in Realtek's SDK for eCos OS: pwning thousands of routers." The team at Faraday found a vulnerability that made it to DEFCON 30, labeling it high severity. With more and more people working from home for their companies, the research team went looking for where there may be vulnerabilities as employees are working from home.

The research states that the team was "seeking and reporting security vulnerabilities in IoT devices, which led to the finding of an exploitable bug in a consumer-grade router popular in Argentina." They also stated in the research that it was escalating quickly and shares about how protecting home networks is important while working remotely.

The research can be found here:

A vulnerability in Realtek´s SDK for eCos OS: pwning thousands of routers

Another DDoS attack against NATO governments. The US 2022 National Defense Strategy is out. Notes on ICS security. Oct 28, 2022

Cyberattacks against Poland’s and Slovakia’s parliaments. The US 2022 National Defense Strategy is out. Insights from SecurityWeek’s ICS Cyber Security Conference. The importance of zero-trust in industrial environments. Malek Ben Salem from Accenture on machine language security and safety. Our guest is Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware. And CISA issues four more ICS Advisories.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/208

Selected reading.

Computer networks of parliaments in Poland and Slovakia paralyzed by cyberattacks (Euro Weekly News)

Slovak, Polish Parliaments Hit By Cyber Attacks (Barron's)

Slovak parliament suspends voting due to suspected cyberattack (Reuters)

"Also from Russia" - cyber attack on parliaments in Poland and Slovakia - Today Times Live (Today Times Live)

2022 National Defense Strategy (US Department of Defense)

2022 NDS Fact Sheet | Integrated Deterrence (US Department of Defense)

Discussing cyberattacks vs system failures. (CyberWire)

Zero-trust in ICS environments. (CyberWire)

SANS 2022 Survey: The State of OT/ICS Cybersecurity in 2022 and Beyond | Nozomi Networks (Nozomi Networks)

CISA Releases Four Industrial Control Systems Advisories (CISA)

The Malware Mash! [Bonus] Oct 28, 2022

Enjoy this CyberWire classic.

They did the Mash...the did the Malware Mash...

CISA releases voluntary CPGs. Trojans and scanners. Cyber venture investing, and some insights into corporate culture. "Opportunistic" cyberops in a hybrid war. Oct 27, 2022

CISA releases cross-sector cybersecurity performance goals. Trojans are spreading through scanners. Cyber seed rounds are an exception to a general downtrend in venture investment. Whistleblowing and corporate culture. Storing enterprise secrets. Robert M. Lee from Dragos explains the TSA Pipeline Security Directive. Our guests are Jenny Brinkley from Amazon AWS and Lisa Plaggemier from the National Cybersecurity Alliance with a collaborative educational project. Cyberattacks seen as opportunistic and disconnected from strategy.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/207

Selected reading.

Cross-Sector Cybersecurity Performance Goals (CISA)

CISA unveils voluntary cybersecurity performance goals (Federal News Network)

Sending Trojans via Scanners (Avanan)

DataTribe Insights - Q2 2022: Economic Storm Makes Landfall (DataTribe)

Ukraine: Russian cyber attacks aimless and opportunistic (SearchSecurity)

Amid widespread unrest, Sudan shutters its Internet. A new PRC influence campaign targets US elections. Software supply chain security. And cybercrime in wartime. Oct 26, 2022

Sudan closes its Internet as the country sees protests on the first anniversary of a coup. A Chinese influence campaign targets US elections. A software supply chain security study, and a look at vulnerability scanning tools. Documenting cyber war crimes in Ukraine. CISA issues eight ICS Advisories. Andrea Little Limbago from Interos on the effects of water scarcity on data centers. And if you’ll indulge us, we’ve got some pretty exciting CyberWire news.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/206

Selected reading.

Internet is shut down in Sudan on anniversary of military coup (The Record by Recorded Future)

Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections (Mandiant)

Rezilion Vulnerability Scanner Benchmark Report Finds Top Scanners Only 73% Accurate (PR Newswire)

Four in Five Software Supply Chains Exposed to Cyberattack in the Last 12 Months (BlackBerry)

Ukraine Documenting Russian Hacks, Eyeing International Charges (Bloomberg)

CISA Releases Eight Industrial Control Systems Advisories (CISA)

US Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware phishing. Varonis discovers Windows vulnerabilities. CISA expands KEV Catalog. Oct 25, 2022

US Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware group phishing campaign. Varonis discovers two Windows vulnerabilities. Mr Security Answer Person John Pescatore on security through obscurity. Ben Yelin on the DOJ’s spying cases against China. CISA expands its Known Exploited Vulnerabilities Catalog with six new entries.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/205

Selected reading.

Two Arrested and 13 Charged in Three Separate Cases for Alleged Participation in Malign Schemes in the United States on Behalf of the Government of the People’s Republic of China (US Department of Justice)

U.S. Justice Department Fires Warning Shot at Chinese Spies (Foreign Policy)

Chinese spies charged with trying to thwart Huawei investigation (Quartz)

DOJ Charges 13 Over Chinese Interference In US Affairs (Law360)

U.S. Says Chinese Tried to Obstruct Huawei Prosecution (Wall Street Journal)

U.S. charges Chinese nationals with schemes to steal info, punish critics and recruit spies (CBS News)

Cuba ransomware affiliate targets Ukrainian govt agencies (BleepingComputer)

Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries (BlackBerry)

The Logging Dead: Two Event Log Vulnerabilities Haunting Windows (Varonis)

CISA Adds Six Known Exploited Vulnerabilities to Catalog (CISA)

US unseals cases against PRC intelligence officers. Daixin ransomware is an active threat. FBI warns of Iranian threat group. Iran’s nuclear agency discloses hack. Hybrid war and threats to infrastructure. Oct 24, 2022

Breaking: US unseals three cases against Chinese intelligence officers. CISA says Daixin Team ransomware is an active threat. The FBI warns of Iranian threat group's activity. Meanwhile the Iranian nuclear agency says its email was hacked. Norway is concerned about threats to oil and gas infrastructure. A drop in ransomware correlates with Russia's hybrid war. Ann Johnson from Afternoon Cyber Tea speaks with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Josh Ray from Accenture describes threats to the satellite industry. And cyber offense may be proving harder than thought.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/204

Selected reading.

CISA Alert AA22-294A – #StopRansomware: Daixin Team. (CyberWire)

#StopRansomware: Daixin Team (CISA)

CISA Warns of Daixin Team Hackers Targeting Health Organizations With Ransomware (The Hacker News)

Iranian Cyber Group Emennet Pasargad Conducting Hack-and-Leak Operations Using False-Flag Personas (FBI)

FBI warns Iranian hackers active ahead of the U.S. midterms (NBC News)

FBI Warns of Attacks From Iranian Threat Group Emennet Pasargad (Decipher)

Iran Hackers Behind Attempt on US Election Are Still Active (Gov Info Security)

FBI warns of ‘hack-and-leak’ operations from group based in Iran (The Record by Recorded Future)

Iran's Atomic Energy Agency Says Its E-Mail Server Was Hacked (RadioFreeEurope/RadioLiberty)

Iran says ‘specific foreign country’ behind hacktivist leak of atomic energy emails (The Record by Recorded Future)

Iran’s Top Nuclear Agency Says Its Email Servers Were Hacked (Bloomberg)

Ukraine Could Still Face Cyberattacks, Experts Say (CNET)

Fears over Russian threat to Norway's energy infrastructure (AP NEWS)

Norway PM: Russia poses ‘real and serious’ cyber threat to oil and gas industry (The Record by Recorded Future)

Ukraine war cuts ransomware as Kremlin co-opts hackers (The Telegraph)

Q&A: Kenneth Geers on the cyber war between Ukraine and Russia (The Record by Recorded Future)

CISA Alert AA22-294A – #StopRansomware: Daixin Team. [CISA Cybersecurity Alerts] Oct 24, 2022

FBI, CISA, and Department of Health and Human Services are releasing this joint advisory to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health Sector.

AA22-294A Alert, Technical Details, and Mitigations

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

Ongoing Threat Alerts and Sector alerts are produced by the Health Sector Cybersecurity Coordination Center (HC3) and can be found at hhs.gov/HC3

For additional best practices for Healthcare cybersecurity issues see the HHS 405(d) Aligning Health Care Industry Security Approaches at 405d.hhs.gov

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Megan Doherty: Conquer barriers in the workforce. [Technical Specialist] [Career Notes] Oct 23, 2022

Megan Doherty, a Technical Specialist from Microsoft Canada sits down to share her story of overcoming barriers in the workforce to get to where she is today in her career. Megan started out being a mechanical engineer before making the switch to do something with more creativity and problem solving. She shares about her passion of working with a group Microsoft created called "DigiGirlz." As well as just being able to work with her team who she says helps her face the world of adversity in her career. Megan said "There's so many barriers, just even mentally that we put on ourselves when it comes to looking for a career change or even thinking of cybersecurity as your next career path." She hopes that she leaves a legacy of kindness and compassion behind especially in the industry she is works in. We thank Megan for sharing her story with us.

New tools target governments in Middle East? [Research Saturday] Oct 22, 2022

Dick O'Brien from Symantec's Threat Hunter team sits down with Dave to discuss their work on "Witchetty - Group Uses Updated Toolset in Attacks on Governments in Middle East." Their research has found that the group known as Witchetty aka LookingFrog, has been progressively updating its toolset, including the new tool, backdoor Trojan (Backdoor.Stegmap) to launch malware attacks on targets in the Middle East and Africa.

The research states "The attackers exploited the ProxyShell and ProxyLogon vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers. The researchers describe more on the new tool being used and why this new group is a threat.

The research can be found here:

Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. OldGremlin ransomware is an outlier. Oct 21, 2022

Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. Caleb Barlow explores new thinking for incident response. Our guest is Jon Hencinski of Expel, tracking the latest threat trends. OldGremlin ransomware is an outlier.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/203

Selected reading.

Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (Symantec)

Hijacking Student Accounts to Launch BEC-Style Attacks (Avanan)

This sneaky kind of cybercrime rules them all (Washington Post)

Russia Failing to Reach Cyber War Goals, Ukrainian Official Says (Meritalk)

EU supports cybersecurity in Ukraine with over €10 million - EU NEIGHBOURS east (EU NEIGHBOURS east)

Gremlins’ prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records (Group-IB)

OldGremlin hackers use Linux ransomware to attack Russian orgs (BleepingComputer)

OldGremlin, which targets Russia, debuts new Linux ransomware (Computing) It is one of the few ransomware groups in the world that prefer to target Russian organisations, but this may change experts advise

More Russian Organizations Feeling Ransomware Pain (Bank Info Security)

Notes and lessons on the hybrid war. Update on Zimbra exploitation. Microsoft fixes misconfigured storage. The state of the cyber workforce. Trends in phishing and ransomware. Oct 20, 2022

DDoS as misdirection. NSA shares lessons learned from cyber operations observed in Russia's war against Ukraine. Advice from CISA on Zimbra.. A misconfigured Microsoft storage endpoint has been secured. Notes from a study on the Cybersecurity Workforce . The cost to businesses of phishing. Betsy Carmelite from Booz Allen Hamilton on managing mental health in the cyber workforce. Our guest is Ismael Valenzuela of Blackberry with insights on "The Cyber Insurance Gap". And updates to the ransomware leaderboard.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/202

Selected reading.

Bulgarian cyberattack: Sabotage as a cover for spying? (Deutsche Welle)

Bulgarian websites impacted by Killnet DDoS attack (SC Media)

Lessons From Ukraine: NSA Cyber Chief Lauds Industry Intel (Meritalk)

NSA Cybersecurity Director's Six Takeaways From the War in Ukraine (Infosecurity Magazine)

NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry (CyberScoop)

Investigation Regarding Misconfigured Microsoft Storage Location (Microsoft Security Response Center)

2019 Cybersecurity Workforce Study ((ISC)²)

The Business Cost of Phishing (Ironscales)

Leading Ransomware Variants Q3 2022 (Intel471)

Dispatches from the hybrid war, as auxiliaries on both sides skirmish in cyberspace. An Azure vulnerability patched. Trends in ransomware. And Social Security phishbait. Oct 19, 2022

Killnet explains its actions against Bulgaria's government. The National Republican Army claims successful attacks on Russian companies. The Director of Germany's BSI is out. A vulnerability in Azure, disclosed and patched. Trends in ransomware. Carole Theriault has a fresh look at the ransomware question - to pay or not to pay? Tim Eades from Cyber Mentor Fund considers cyber insurance for the small and medium sized businesses. Social Security phishing.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/201

Selected reading.

Cyberattack disrupts Bulgarian government websites over ‘betrayal to Russia’ (The Record by Recorded Future)

Russians Against Putin: NRA Claims Massive Hack of Russian Government Contractors’ Computers - Kyiv Post - Ukraine's Global Voice (Kyiv Post)

Germany fires cybersecurity chief after reports of possible Russia ties (Reuters)

German Cybersecurity Chief Sacked Over Alleged Russia Ties (SecurityWeek)

German cyber chief suspended following allegation he associated with Russian intelligence (The Record by Recorded Future)

FabriXss (CVE-2022-35829): How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer (Orca Security)

Ransomware In Q3 2022 (Digital Shadows)

Fresh Phish: A New Social Security Phishing Scam Preys Upon Our Biggest Worries (INKY)

Mobilizing DDoS-as-a-service. Interpol takes down Black Axe gang members. Trends in phishing. Spyder Loader active in Hong Kong. Europol announces arrests in keyless car hacking case. Oct 18, 2022

Mobilizing DDoS-as-a-service. Interpol takes down the Black Axe gang members. A look at phishing trends. Spyder Loader is active in Hong Kong. Joe Carrigan looks at Google’s launch of passwordless authentication. Our guest is Dr. Eman El-Sheikh from University of West Florida's Center for Cybersecurity on NSA-funded National Cybersecurity Workforce Development Programs. And Europol announces arrests in a case of keyless car hacking.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/200

Selected reading.

Project DDOSIA Russia's answer to disBalancer (Radwaare)

Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies (Gridinsoft Blogs)

International crackdown on West-African financial crime rings (Interpol)

Giant online scamming syndicate 'Black Axe' destroyed in Interpol-led operation (teiss)

INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organization (The Hacker News)

Operation Jackal: Interpol arrests Black Axe fraud suspects (Register)

When the Black Axe falls: cybercrime suspects detained in global bust (Cybernews)

International Police Action Blunts Black Axe Criminal Group - HS Today (Hstoday)

Q3 2022 Cofense Phishing Intelligence Trends Review (Cofense)

Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong (Symantec)

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason)

31 arrested for stealing cars by hacking keyless tech | Europol (Europol)

European gang that sold car hacking tools to thieves arrested (The Record by Recorded Future)

Tata Power sustains cyberattack. Influence operations and battlespace prep. Ransom Cartel looks a lot like REvil. Notes from Russia’s hybrid war. Oct 17, 2022

There’s been a Cyberattack against Tata Power. The FBI warns US state political parties of Chinese scanning. Russian influence ops play defense; China’s are on the offense. Ransom Cartel and a possible connection to REvil. "Prestige" ransomware is sighted in attacks on Polish and Ukrainian targets. Distributed denial-of-service attacks interfere with Bulgarian websites. Grayson Milbourne of OpenText Security Solutions on SBOMS. Our own Rick Howard checks in with Bryan Willett of Lexmark on implementation of Zero Trust. And Mr. Musk tweets his intention to continue to subsidize Starlink for Ukraine (probably).

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/199

Selected reading.

Hackers Attack Tata Power IT Systems: All You Need To Know (IndiaTimes)

Chinese hackers are scanning state political party headquarters, FBI says (Washington Post)

The Defender's Advantage Cyber Snapshot Issue 2 — More Insights From the Frontlines (Mandiant)

Ransom Cartel Ransomware: A Possible Connection With REvil (Unit 42)

New “Prestige” ransomware impacts organizations in Ukraine and Poland (Microsoft Security Threat Intelligence)

Bulgarian Government Hit By Cyberattack Blamed On Russian Hacking Group (RadioFreeEurope/RadioLiberty)

'The hell with it': Elon Musk tweets SpaceX will 'keep funding Ukraine govt for free' amid Starlink controversy (CNBC)

Starlink isn't a charity, but the Ukraine war isn't a business opportunity (TechCrunch)

Cyber confidence: Knowing what you have and where it is. [CyberWire-X] Oct 16, 2022

Between multi-cloud deployments, more employees working remotely, and increasing use of SaaS applications, the number of entry points for attackers to infiltrate your systems has exploded. But gaining visibility into all these possible attack vectors is time-consuming and often incomplete or just a snapshot in time.

If the first rule of cyber is to “know what you have,” how can cyber professionals get a comprehensive, current picture of their assets? How can they feel confident that they understand which assets may be more vulnerable and prioritize defenses accordingly?

In the first half of this episode of Cyberwire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by Hash Table member Jaclyn Miller, the Head of InfoSec & IT at DispatchHealth. In the second half of the episode, Cody Pierce, Chief Product Officer at episode sponsor LookingGlass Cyber Solutions, talks with Dave Bittner. Listen to the discussions about answering the foundational cyber questions (What do I have? Is it protected?), why context is critical, and how an adversarial perspective helps you be a better defender.

Amanda Adams: Pivoting into the tech world. [VP] [Career Notes] Oct 16, 2022

Amanda Adams, VP of Americas Alliances at CrowdStrike sits down to share her story as she pivoted into the tech field. She started her career by wanted to be involved with sports, after getting her masters degree Amanda was faced with a difficult choice between working for The Golden State Warriors and Cisco. She ultimately chose Cisco as her path to move forward and has been working in technology ever since. Now she works for a team where she gets to prove her social skills and is focused on partnerships. She say's that working in technology doesn't just have to be working with technology, there are many other ways you can get involved with the field. Amanda says "you can always pivot into the technology industry and support the broader mission by doing that job function." We thank Amanda for sharing her story.

Noberus ransomware: evolving tactics. [Research Saturday] Oct 15, 2022

Brigid O Gorman from Symantec's Threat Hunter team joins Dave to discuss their research on "Noberus Ransomware - Darkside and BlackMatter Successor Continues to Evolve its Tactics." The research states that Noberus ransomware (aka BlackCat, ALPHV) is more dangerous than ever because attackers have been using new tactics, tools, and procedures in recent months.

In the research, Symantec says, "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software." They go over an in-depth look at how its affiliate program operates.

The research can be found here:

Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics

Phishing for poll watchers. Impersonating Intrusion Truth. Data breach at the LDS Church. SpaceX asks for help paying for Ukraine’s Starlink. Killnet’s potential. The gamer’s attack surface. Oct 14, 2022

County election workers find themselves targets of phishing. Impersonating Intrusion Truth. The LDS Church discloses data compromise. SpaceX asks for Starlink funding. Does Killnet have potential to do more damage than it so far has? Deepen Desai from Zscaler on Joker, Facestealer and Coper banking malwares on the Google Play store. Our guest is Maxime Lamothe-Brassard of LimaCharlie to discuss how the cybersecurity is following in the footsteps of software engineering. And the Gamers’ attack surface? It’s big, big, really big, Noobs.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/198

Selected reading.

2022 Election Phishing Attacks Target Election Workers (Trellix)

Suspicious Twitter accounts impersonating research group try to blame the NSA for Chinese hacks (The Daily Dot)

Statement and FAQ on Church Account Data Incident (Church of Jesus Christ of Latter Day Saints)

Exclusive: Musk's SpaceX says it can no longer pay for critical satellite services in Ukraine, asks Pentagon to pick up the tab (CNN)

Killnet: don't underestimate the “script kiddies,” experts say (Cybernews)

Gaming Is Booming. That’s Catnip for Cybercriminals. (New York Times)

What the cybercriminals are up to: improving their tools and carrying out the same old dreary social engineering. Budworm APT sightings. And the state of Russia’s hybrid war. Oct 13, 2022

Emotet ups its game. COVID-19 small business grants as phishbait. Google Translate is spoofed for credential harvesting. Research on the Budworm espionage group. Kevin Magee from Microsoft shares why cybersecurity professionals should join company boards. Our guest is Chris Niggel from Okta with a look at identity shortfalls. And Internet outages during missile strikes, and the prospects of Russia’s hybrid war.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/197

Selected reading.

Emotote’s evolution. (ESET)

Fresh Phish: Small Business COVID-19 Grants Designed for Disaster (INKY)

Spoofing Google Translate to Steal Credentials (Avanan)

Budworm: Espionage Group Returns to Targeting U.S. Organizations (Symantec Blog)

Internet outages hit Ukraine following Russian missile strikes (Bitdefender)

Starlink helped restore energy, communications infrastructure in parts of Ukraine - official (Reuters)

Ukraine’s Vice PM Thanks Starlink for Help to Restore Connections After Missile Attack from Russia (Tech Times)

We must tackle Europe’s winter cyber threats head-on (POLITICO)

The conflict in Ukraine makes us rethink cyberwar (The Japan Times)

Caffeine in the C2C market. Refund-fraud-as-a-service. Costs of a nuisance. Staying alert during a hybrid war. Renewed Polonium activity. The Uber case's impact on security professionals. Oct 12, 2022

Refund fraud as a service. Costs of a nuisance. Remaining on alert during a hybrid war. Renewed activity by Polonium. Andrea Little Limbago from Interos discussing quantum computing policy. CyberWire Space Correspondent Maria Varmazis speaks with Dr. Gregory Falco on lessons learned from Russia’s attack on Viasat. Reflections on the Uber case's impact on security professionals. And when it comes to phishing-as-a-service, we’ll take decaf.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/196

Selected reading.

The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform (Mandiant)

Caffeine phishing. (CyberWire)

Refund Fraud as a Service (Netacea)

Amid reports of JP Morgan cyberattack, experts call Killnet unsophisticated, ‘media hungry’ (SC Media)

Hacktivists Force Companies to Respond to Low-Level Cyberattacks (Wall Street Journal)

Nato warns Russian sabotage on Western targets 'could trigger Article 5' (The Telegraph)

US Not Ruling Out Russian Cyber Offensive (VOA)

Ukraine at D+230: Escalation, but unlikely to be sustainable. (CyberWire)

POLONIUM targets Israel with Creepy malware (WeLiveSecurity)

Hacking group POLONIUM uses ‘Creepy’ malware against Israel (BleepingComputer)

Security chiefs fear ‘CISO scapegoating’ following Uber-Sullivan verdict (The Record)

Sullivan verdict sends shockwaves through the security industry (Security Info Watch)

Reflections on the Uber case's impact on security. (CyberWire)

An update on the hybrid war, where Russia turns to missile strikes, physical sabotage, and nuisance-level DDoS. Surveys look at the state of the SOC and the mind of the CISO. Oct 11, 2022

Russia's Killnet suspected in DDoS attack on major US airports. Starlink service interruptions reported. Bundesbahn communications network sabotaged in northern Germany. Germany's cybersecurity chief faces scrutiny over alleged ties to Russia. Ben Yelin on the FCC's crackdown on robocalls. Ann Johnson from Afternoon Cyber Tea talking with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience. Overworked CISOs may be a security risk, but in an encouraging counterpoint, another study shows a record of CISO success during the pandemic.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/195

Selected reading.

US Airport Websites Hit by Suspected Pro-Russian Cyberattacks (SecurityWeek)

Hackers knock some U.S. airport websites offline (Washington Post)

Hackers took down U.S. airport web sites, Department of Homeland Security confirms (USA TODAY)

Pro-Russian hackers claim responsibility for taking down US airport websites (Computing)

US airports' sites taken down in DDoS attacks by pro-Russian hackers (BleepingComputer)

Pro-Putin goons target US airport websites with DDoS flood (Register)

Russian Sanctions Instigator Lloyd’s Possibly Hit by Cyber-Attack (Infosecurity Magazine)

Lloyd's of London reboots network after suspicious activity (Register)

Colorado.gov Back Online After Cyber Attack (GovTech)

Defending Ukraine: SecTor session probes a complex cyber war (IT World Canada)

Ukrainian officials reportedly say there have been 'catastrophic' Starlink outages in recent weeks (Business Insider)

Frontline Ukraine troops are reportedly enduring Starlink outages (Engadget).

Elon Musk’s foray into geopolitics has Ukraine worried (The Economist)

Elon Musk needs to clarify Ukraine's reported Starlink outages: Kinzinger (Newsweek)

Attack on German Rail Network ‘Targeted, Professional,’ Police Say (Bloomberg)

An act of sabotage shut down parts of Germany's rail system for hours this weekend (NPR.org)

Germany rail chaos could have been caused by Russia, says MP (The Telegraph)

Sabotage blamed for major disruption on Germany’s rail network (The Telegraph)

No sign that foreign state was behind German rail sabotage, police say (Reuters)

Germany Won’t Rule Out Foreign Country Role in Rail Sabotage (Bloomberg)

Germany's cybersecurity chief faces dismissal, reports say (Reuters)

German cybersecurity chief investigated over Russia ties (ABC News)

German Cybersecurity Chief to be Sacked Over Alleged Russia Ties: Sources (SecurityWeek)

„Wir müssen wachsam bleiben“ (Tagesspiegel)

1 in 5 Chief Information Security Officers (CISOs) Work More Than 25 Extra Hours Per Week (Tessian)

2022 Devo SOC Performance Report (Devo)

2022 Deloitte-NASCIO Cybersecurity Study (Deloitte Insights)

Cybersecurity Survey of State CISOs Identifies Many Positive Trends (PR Newswire)

CyberWire’s space correspondent, Maria Varmazis, interviews Anthony Colangelo. [Interview Selects] Oct 10, 2022

This interview from September 23rd, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, CyberWire’s space correspondent, Maria Varmazis, interviews host of spaceflight podcast “Main Engine Cutoff,” Anthony Colangelo about the upcoming Apple iPhone 14 “Emergency SOS via Satellite” feature & what it means for satellite communications in the consumer sector.

Moving Faster - Securely. Why Your Org Should Add Security to your DevOps Program [Security Sandbox] Oct 10, 2022

In today’s episode, our sandbox heads to the deployment pipeline for a conversation on the who/what/when/and why of a DevSecOps program and how it adds value to your business. And your main questions- – how you can encourage buy-in and adoption. Joining me today are Marcin Swiety, Relativity’s Senior Director of Global Security and IT, and Raphael Theberge - Director of Security Integrations. So, grab your DORA metrics, your source controls, and staging environments, and let’s dive in.

Payal Chakravarty: Overcoming bias in the workplace. [Security and Risk] [Career Notes] Oct 09, 2022

Payal Chakravarty, Head of Product for Security and Risk from Coalition, sits down to share her story of working at several different organizations, including interning for IBM and Microsoft. After obtaining her master's degree, she worked with IBM a bit more closely and fell in love with one of the projects she was working on. Payal had a very interesting career path going from physical to virtual, virtual to cloud now, cloud to containers. She says that there is still some bias she has dealt with as a woman in her field, she says, "I think the way you handle it is you negotiate or you kind of calmly handle the situation, there's no ego involved." Payal shares that in working in this field you need to be in love with it, giving the advice that don't just choose a job because of the money or because it's cool, but because you feel connected to it as a profession. We thank Payal for sharing her story.

Pentest reporting and the remediation cycle: Why aren’t we making progress? [CyberWire-X] Oct 09, 2022

The age-old battle between offensive and defensive security practitioners is most often played out in the penetration testing cycle. Pentesters ask, “Is it our fault if they don’t fix things?” While defenders drown in a sea of unprioritized findings and legacy issues wondering where to even start.

But the real battle shouldn’t be between the teams; it should be against the real adversaries. So why do pentesters routinely come back and find the same things they reported a year ago? Do the defenders just not care or does the onus fall on the report? Everyone really wants the same thing: better security. To get there, the primary communication tool between consultant and client, offensive and defensive teams — the pentest report — must be consumable and actionable and tailored to the audience who receives it.

In the first half of this episode of Cyberwire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by Hash Table members Amanda Fennell, the CIO and CSO of Relativity, and William MacMillan, the SVP of Security Product and Program Management at Salesforce. In the second half of the episode, Dan DeCloss, the Founder and CEO of episode sponsor PlexTrac, joins Dave Bittner discuss the politics around pentest reporting and how better reports can support real progress.

Google Drive used for malware? [Research Saturday] Oct 08, 2022

Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins Dave to discuss their recent work on "Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive." The research shares the insight into an active campaign from Russia’s Foreign Intelligence Service, that is leveraging the use of trusted, legitimate cloud services including Google Drive as a staging platform to deliver malware.

The research states that when these tactics are used, it is extremely difficult for organizations to detect the malicious activity in connection with the campaign. These tactics are used to collect victim information, evade detection, and deliver Cobalt Strike.

The research can be found here:

Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive

A US EO addresses EU data privacy concerns. China’s favorite CVEs. Election security and credit risk. COVID phishbait. Notes from the hybrid war, including some really motivated draft evaders. Oct 07, 2022

A US Executive Order outlines US-EU data-sharing privacy safeguards. CISA, NSA, and the FBI list the top vulnerabilities currently being exploited by China. A look at election security and credit risk to US states. COVID-19-themed social engineering continues. Robert M. Lee from Dragos on securing the food and beverage industry. Carole Theriault interviews Joel Hollenbeck from Check Point Software on threat actors phishing school board meetings. Notes from the hybrid war: Killnet and US state government sites, the prospects of deterrence in cyberspace, and, finally, maybe the most motivated draft evaders in military history.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/194

Selected reading.

FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework (The White House)

Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors (CISA)

Government credit risk associated with election risk (CyberWire)

Exploiting COVID-19: how threat actors hijacked a pandemic (Proofpoint)

Ukraine at D+125: Abandoned tanks and discontented hawks. (CyberWire)

Department Press Briefing – October 6, 2022 - United States Department of State (United States Department of State)

2 Russians fleeing military service reach remote Alaska island (Military Times)

CISA Alert AA22-279A – Top CVEs actively exploited by People’s Republic of China state-sponsored cyber actors. Oct 07, 2022

This joint Cybersecurity Advisory provides the top CVEs used by the People’s Republic of China state-sponsored cyber actors. PRC cyber actors continue to exploit these known vulnerabilities and use publicly available tools to target networks of interest. PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks.

AA22-279A Alert, Technical Details, and Mitigations

For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage, FBI’s Industry Alerts, and NSA’s Cybersecurity Advisories & Guidance.

People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Updated mitigations for ProxyNotShell. Lloyd’s investigates cyber incident. Killnet hits US state government sites. Election security. Credential theft. Verdict in Uber breach case. Oct 06, 2022

Microsoft updates mitigations for ProxyNotShell. Lloyd's of London investigates a suspected cyberattack. Killnet hits networks of US state governments. The FBI and CISA weigh in on election security. Credential theft in the name of Zoom. Tim Eades from Cyber Mentor Fund on the move to early-stage investing in times of war and recession. Our guest is Nick Lumsden of Tenacity Cloud on cloud infrastructure sprawl. The former security chief at Uber was found guilty in a case involving data breach cover-up.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/193

Selected reading.

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center)

Microsoft updates guidance for ‘ProxyNotShell’ bugs after researchers get around mitigations (The Record by Recorded Future)

Microsoft Updates Mitigation for Exchange Server Zero-Days (Dark Reading)

Microsoft updates mitigation for ProxyNotShell Exchange zero days (BleepingComputer)

Lloyd's of London investigates possible cyber attack (Reuters)

Insurance giant Lloyd’s of London investigating cyberattack (The Record by Recorded Future)

Russian-speaking hackers knock US state government websites offline (CNN)

Malicious Cyber Activity Against Election Infrastructure Unlikely to Disrupt or Prevent Voting (FBI and CISA)

FBI: Cyberattacks targeting election systems unlikely to affect results (BleepingComputer)

Zoom: 1 Phish, 2 Phish Email Attack (Armorblox)

Former Uber Security Chief Found Guilty of Obstructing FTC Probe (Wall Street Journal)

Former Uber security chief convicted of covering up 2016 data breach (Washington Post)

Uber’s Former Security Chief Convicted of Data Hack Coverup (Bloomberg)

Former Uber Security Chief Found Guilty of Hiding Hack From Authorities (New York Times)

Former Uber CISO Joe Sullivan Found Guilty Over Breach Cover Up (SecurityWeek)

Sniffing at the DIB. Sideloading cryptojacking campaign. Nord Stream and threats to critical infrastructure. US Cyber Command describes hunting forward in Ukraine. Fraud meets romance. Oct 05, 2022

Data’s stolen from a US "Defense Industrial Base organization." Major sideloading cryptojacking campaign is in progress. Nord Stream and threats to critical infrastructure. US Cyber Command describes "hunt forward" missions in Ukraine. Andrew Hammond from SpyCast speaks with hacker Eric Escobar about the overlap of traditional intelligence and cybersecurity. Our guest is AJ Nash from ZeroFox with an update on the current threat landscape. Fraud meets romance.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/192

Selected reading.

Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization (CISA)

CISA: Multiple government hacking groups had ‘long-term’ access to defense company (The Record by Recorded Future)

US Govt: Hackers stole data from US defense org using new malware (BleepingComputer)

Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild (Bitdefender Labs)

Drone-loaded seabed ship is latest weapon in Royal Navy's arsenal to counter Russian threat (The Telegraph)

Opinion Undersea pipeline sabotage demands the West prepare for more attacks (Washington Post)

Ukraine Hasn’t Won the Cyber War Against Russia Yet (World Politics Review)

USCYBERCOM Executive Director David Frederick Outlines Cyber Threats & Highlights Importance of Industry Partnerships (GovCon Wire)

Romance scammer and BEC fraudster sent to prison for 25 years (Naked Security)

CISA Alert AA22-277A – Impacket and exfiltration tool used to steal sensitive information from defense industrial base organization. Oct 04, 2022

From November 2021 through January 2022, the CISA responded to APT activity against a Defense Industrial Base organization’s enterprise network. During incident response activities, CISA discovered that multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data.

AA22-277A Alert, Technical Details, and Mitigations

CISA Cyber Hygiene Services

Malware Analysis Report (MAR)-10365227-1.stix

MAR-10365227-2.stix

MAR-10365227-3.stix

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

CISA issues Binding Operational Directive 23-01. LAUSD says ransomware operators missed most sensitive PII. Trends in API protection SaaS security. Making a pest of oneself in a hybrid war. Oct 04, 2022

CISA issues a Binding Operational Directive. An LA school district says ransomware operators missed most sensitive PII. An API protection report describes malicious transactions. Analysis of cyber risk in relation to SaaS applications. Joe Carrigan describes underground groups using stolen identities and deepfakes. Our guest is Eve Maler from ForgeRock on consumer identity breaches. And someone is making a nuisance of themself in Russia.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/191

Selected reading.

Binding Operational Directive 23-01 (CISA)

CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection (Cybersecurity and Infrastructure Security Agency)

CISA aims to expand cyber defense service across fed agencies, potentially further (Federal News Network)

CISA directs federal agencies to track software and vulnerabilities (The Record by Recorded Future)

Student, Teacher Data Not Affected in Los Angeles School District Hack (Wall Street Journal)

‘No evidence of widespread impact,’ LAUSD says of data released by hackers (KTLA)

New API Threat Research Shows that Shadow APIs Are the Top Threat Vecto (Cequence Security)

Secureworks State of the Threat Report 2022: 52% of ransomware incidents over the past year started with compromise of unpatched remote services (Secureworks)

Russian Citizens Wage Cyberwar From Within (Kyiv Post)

Russian Hackers Take Aim at Kremlin Targets: Report (Infosecurity Magazine) Russian retail chain 'DNS' confirms hack after data leaked online (BleepingComputer)

Microsoft Exchange zero-days exploited. Supply chain attack reported. New Lazarus activity. Mexican government falls victim to hacktivism. Hacking partial mobilization. Former insider threat. Oct 03, 2022

Two Microsoft Exchange zero-days exploited in the wild. A supply chain attack, possibly from Chinese intelligence services. There’s new Lazarus activity: bring-your-own-vulnerable-driver. The Mexican government falls victim to apparent hacktivism. Flying under partial mobilization’s radar. Betsy Carmelite from Booz Allen Hamilton talks about addressing the cyber workforce skills gap. Our guest Rachel Tobac from SocialProof Security brings a musical approach to security awareness training. How’s your off-boarding program working out?

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/190

Selected reading.

Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server (CISA)

Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center)

Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server (GTSC)

URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different” (Naked Security)

Microsoft confirms two Exchange Server zero days are being used in cyberattacks (The Record by Recorded Future)Microsoft confirms new Exchange zero-days are used in attacks (BleepingComputer)

Two Microsoft Exchange zero-days exploited in the wild. (CyberWre)

CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA)

Suspected Chinese hackers tampered with widely used customer chat program, researchers say (Reuters)

Report: Commercial chat provider hijacked to spread malware in supply chain attack (The Record by Recorded Future)

CrowdStrike Falcon Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer (crowdstrike.com)

Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium (WeLiveSecurity)

Lazarus & BYOVD: evil to the Windows core (Virus Bulletin)

Lazarus hackers abuse Dell driver bug using new FudModule rootkit (BleepingComputer)

Mexican government suffers major data hack, president's health issues revealed (Reuters)

Mexican president confirms ‘Guacamaya’ hack targeting regional militaries (The Record by Recorded Future)

Analysis: Mexico data hack exposes government cybersecurity vulnerability (Reuters)

Russians dodging mobilization behind flourishing scam market (BleepingComputer)

Honolulu Man Pleads Guilty to Sabotaging Former Employer’s Computer Network (US Department of Justice)

The OSINT revolution: How cyber and physical security teams are leveraging open source intelligence. [CyberWire-X] Oct 02, 2022

On this episode of CyberWire-X, we dive into the essential role of open-source intelligence in identifying cyber and physical threats and reducing risk across your organization. The CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table members Dr. Georgianna Shea, CCTI and TCIL Chief Technologist at the Foundation for Defense of Democracies, and Bob Turner, Field CISO – Education at Fortinet. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor risk intelligence firm Flashpoint's Chief Intelligence Officer Tom Hofmann. They explore the foundational importance of open source intelligence, which includes social media platforms and geospatial data and insights. Plus, they explore real-life examples of how organizations, from governments to commercial enterprises, are leveraging open source intelligence and technology every day to protect their people, places, assets, and critical infrastructure.

Kayla Williams: Not everything related to cybersecurity is a fire drill. [CISO] [Career Notes] Oct 02, 2022

Kayla Williams, CISO of Devo, sits down to share her story, from graduating with a finance degree to rising to where she is now. She quickly learned that finance was not for her and changed paths, working towards gaining an information security certificate. From there she was able to excel and was offered the opportunity to move to England which changed her life. Working in her new role, she really enjoys thriving with her team. She says "We really try to be the department of no problem versus the department of no." She mentions how her and her team work on a day to day basis together solving issues and yet she says not everything related to cybersecurity needs to be a fire drill. She would rather her and her team build bridges in the face of adversity and in the face of people who may be naysayers. We thank Kayla for sharing her story.

Targeting your browser bookmarks? [Research Saturday] Oct 01, 2022

David Prefer from SANS sits down with Dave to discuss how a new covert channel exfiltrates data via a browser's built-in bookmark sync. David goes on to describe how this research will "describe how the ability to synchronize bookmarks across devices introduces a novel vector for data exfiltration and other misuses."

In the research, he shares how he tested his said hypothesis and goes on to describe how the interesting find was tested on multiple browsers including Chrome, Edge, Brave and Opera. In his research, he found that bookmarks are able to keep data and synchronize it, making it easier to infiltrate and extract data from. David shares the rest of his findings, as well as what organizations and browser developers can do to work on this new threat.

The research can be found here:

Bookmark Bruggling: Novel Data Exfiltration with Brugglemark

Espionage, both online and in-person. Sabotage, both kinetic and (maybe eventually) cyber. Waterin holes, deepfakes, and the pushing of naughty words. Sep 30, 2022

North Korean operators "weaponize" open-source software. The SolarMarker info-stealer returns. A quick review of Fast Company's WordPress hijacking incident. Deepfakes, and their evolution into an underworld and influence ops tool. Kinetic sabotage in the Baltic raises concerns about threats to infrastructure in cyberspace. Chris Novak from Verizon with a mid-year check in. Our guest is MK Palmore of Google Cloud on why collective cybersecurity ultimately depends on having a diverse, skilled workforce. And the US arrests three in two alleged spying cases.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/189

Selected reading.

ZINC weaponizing open-source software (Microsoft Security Threat Intelligence | LinkedIn Threat Prevention and Defense)

Lazarus Group Affiliate Uses Trojanized Open Source Apps in New Campaigns (Decipher)

North Korea weaponizes open-source software. (CyberWire)

Info-Stealing Malware, SolarMarker, is Using Watering Hole Attacks… (eSentire)

Fast Company hack causes obscene Apple News notifications. (CyberWire)

The Future of Deepfakes. (CyberWire)

Fourth Nord Stream Leak Spotted, NATO Sees 'Sabotage' - The Moscow Times (The Moscow Times)

Russian spy chief: West was behind sabotage of Nord Stream (Reuters)

NATO Formally Blames Sabotage for Nord Stream Pipeline Damage (Wall Street Journal)

NATO: Nord Stream pipeline leaks result of "sabotage" (Axios)

Pentagon chief: Too soon to say who might be behind Nord Stream pipeline attack (www.euractiv.com)

First on CNN: European security officials observed Russian Navy ships in vicinity of Nord Stream pipeline leaks (CNN)

Mysterious Blasts and Gas Leaks: What We Know About the Pipeline Breaks in Europe (New York Times)

NATO issues 'sabotage' warning after gas pipeline explosions (NBC News)

Russia’s Purported Sabotage Of The Nord Stream Pipeline Marks A Point Of No Return (Forbes)

Nach Angriff auf Nord Stream 1 und 2: Ist Deutschland vor russischen Hackern sicher? (WirtschaftsWoche)

'We all have to be worried': War in Ukraine boosts energy cyberattack risks, says Petrobras executive (Upstream Online)

Finnish intelligence warns Russia ‘highly likely’ to turn to cyber in winter (The Record by Recorded Future)

Ukraine War Goes Hybrid (Energy Intelligence)

New Warnings from Ukraine About Looming Russian Cyberattacks (VOA)a

Russian Cyber Efforts in Ukraine See Muted Results, Says Panel (USNI News)

Ukraine-Russia Conflict: Ukraine Alerts Energy Enterprises to Possible Cyberattack Escalation (Security Boulevard)

Ukraine is Winning the Cyber War (CEPA)

Hitachi Energy MicroSCADA Pro X SYS600 (CISA)

Baxter Sigma Spectrum Infusion Pump (CISA)

ARC Informatique PcVue (Update A) (CISA)

Delta Electronics DOPSoft (CISA)

Delta Electronics DOPSoft (Update B) (CISA)

Former NSA Employee Arrested on Espionage-Related Charges (US Department of Justice)

Major in the United States Army and a Maryland Doctor Facing Federal Indictment for Allegedly Providing Confidential Health Information to a Purported Russian Representative to Assist Russia Related to the Conflict In Ukraine (US Department of Justice)

Hackers support Iranian dissidents. Notes on C2C markets. Cyberespionage campaigns. Intercepted mobile calls from Russian troops expose morale problems. Sep 29, 2022

Gray-hat support for Iranian dissidents. Selling access wholesale in the C2C market. Novel malware’s discovered targeting VMware hypervisors. The Witchetty espionage group uses an updated toolkit. Deepen Desai from Zscaler has a Technical Analysis of Industrial Spy Ransomware. Ann Johnson of Afternoon Cyber Tea speaks with Michal Braverman-Blumenstyk, CTO for Microsoft Security, about Israel's cyber innovation. And Russian troops phone call revelations.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/188

Selected reading.

Hacker Groups take to Telegram, Signal and Darkweb to assist Protestors in Iran (Check Point Software)

Hackers Use Telegram and Signal to Assist Protestors in Iran (Infosecurity Magazine)

Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks (The Hacker News)

Hackers seek to help — and profit from — Iran protests (The Record by Recorded Future)

Ransomware and Wholesale Access Markets: A $10 investment can lead to millions in profit (Cybersixgill)

Selling access wholesale in the C2C market. (CyberWire)

Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors (Mandiant)

Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors (Mandiant)

Mandiant has identified new malware that targets VMware ESXi, Linux vCenter servers, and Windows virtual machines. (CyberWire)

Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors (Securonix)

Steep#Maverick cyberespionage campaign. (CyberWire)

Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East (Symantec)

Witchetty espionage group uses updated toolkit. (CyberWire)

‘Putin Is a Fool’: Intercepted Calls Reveal Russian Army in Disarray (New York Times)

Cyber Warfare Rife in Ukraine, But Impact Stays in Shadows (SecurityWeek)

Russian hackers' lack of success against Ukraine shows that strong cyber defences work, says cybersecurity chief (ZDNET)

Failure of Russia’s cyber attacks on Ukraine is most important lesson for NCSC (ComputerWeekly)

DDoS remains commonplace in Russia's hybrid war. Leaked LockBit 3.0 builder used by new gang. Meta takes down Russian disinfo networks. Lazarus Group goes spearphishing. Cloudy complexity. Sep 28, 2022

DDoS remains the most characteristic mode of cyber ops in Russia's hybrid war against Ukraine. A leaked LockBit 3.0 builder is being used in ransomware attacks. Meta takes down Russian disinformation networks. Lazarus Group is spearphishing with bogus job offers. Joe Carrigan looks at SNAP benefit scams. Our guest is Crane Hassold of Abnormal Security with the latest in advanced email attack trends. And the cloud…is complicated.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/187

Selected reading.

Adversaries Continue Cyberattack Onslaught with Greater Precision and Innovative Attack Methods According to 1H2022 NETSCOUT DDoS Threat Intelligence Report (NETSCOUT)

Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks (BleepingComputer)

Removing Coordinated Inauthentic Behavior From China and Russia (Meta)

Russia is spoofing mainstream media to smear Ukraine, Meta says (Protocol)

Operation In(ter)ception: social engineering by the Lazarus Group. (CyberWire)

How cloud complexity affects security. (CyberWire)

Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? Cashout scams and neglected wallets. Developments in the Optus breach. Sep 27, 2022

Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? We know it’s a bear market, but take a look at your wallet, crypto speculators, at least now and then. Mr Security Answer Person john Pescatore on next year's most over-hyped term. Ben Yelin explains a thirty five million dollar data privacy settlement. And, finally, developments in the Optus breach.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/186

Selected reading.

Invaders Preparing Mass Cyberattacks on Facilities of Critical Infrastructure of Ukraine and Its Allies (Defence Intelligence of the Ministry of Defence of Ukraine)

Ukraine Says Russia Planning 'Massive Cyberattacks' on Critical Infrastructure (SecurityWeek)

Ukraine warns of Russian cyber attacks targeting critical infrastructure (Computing)

Russia plans “massive cyberattacks” on critical infrastructure, Ukraine warns (Ars Technica)

Ukraine warns allies: Russia plans 'massive cyberattacks' (Register)

Hackers Working With Russia to Coordinate Cyberattacks, Google Says - Tech News Briefing - WSJ Podcasts (Wall Street Journal)

Viasat Hack "Did Not" Have Huge Impact on Ukrainian Military Communications, Official Says (Zero Day)

Who’s next in Lapsus$’ crosshairs? (Digital Shadows)

Report: Sift Uncovers New Cashout Scam Targeting Forgotten Crypto Accounts (GlobeNewswire News Room)

Optus hacker releases 10,000 customers' details and issues new threat (Sky News)

‘Last thing I need’: Optus customer scrambles to protect himself (Australian Financial Review)

An alleged hacker has offered their 'deepest apologies' to Optus. Here's the latest on the data breach (ABC)

Singtel's Optus under further fire for cyber breach; purported hackers claim data deleted (The Straits Times)

‘Not feasible’ to crack properly encrypted data (Australian Financial Review)

Optus hack not 'sophisticated' as claims 10,000 customers have data publicly released (9News)

Everything Happening in This Optus Cyberattack Shitstorm, I Promise (Vice)

Australian cybersecurity minister lambasts Optus for ‘unprecedented' hack (The Record by Recorded Future)

FBI Working With Australian Authorities on Optus Cyberattack (MarketScreener)

Unrest in Iran finds expression in cyberspace. Cyber conflict and diplomacy. Cybercrime in the hybrid war. And there seems to have been an arrest in the Uber and Rockstar breaches. Sep 26, 2022

Unrest in Iran finds expression in cyberspace. Albania explains its reasons for severing relations with Iran. Cybercrime in the hybrid war. Rick Howard on risk forecasting with data scientists. Dave Bittner sits down with Dr. Bilyana Lilly to discuss her new book: "Russian Information Warfare: Assault on Democracies in the Cyber Wild West."And there seems to have been an arrest in the Uber and Rockstar breaches.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/185

Selected reading.

Iran’s War Within (Foreign Affairs)

Iran’s Hijab Protests Have Lit a Fire the Regime Can’t Put Out (World Politics Review)

‘Something big is happening’: the Iranians risking everything to protest (the Guardian)

Dissident: 'Iranian women are furious' over headscarf death (AP NEWS)

OpIran: Anonymous declares war on Teheran amid Mahsa Amini’s death (Security Affairs)

IDF official says military foiled ‘dozens’ of Iran cyberattacks on civilian sites (Times of Israel)

Analysis | 'Our Conflict With Iran Is Unparalleled', Say Israel's Elite Cyber Unit Commanders (Haaretz)

US Issues License to Expand Internet Access for Iranians (VOA)

US Treasury carves out Iran sanctions exceptions for internet providers (The Record by Recorded Future)

Iran and Albania: diplomacy and cyber operations (CyberWire)

Ukraine dismantles hacker gang that stole 30 million accounts (BleepingComputer)

The SBU neutralized a hacker group that "hacked" almost 30 million accounts of Ukrainian and EU citizens (SSU)

Les détails personnels de stars, dont Sir David Attenborough et Sarah Ferguson, ont été divulgués après le piratage d'un magasin bio par des escrocs russes (News 24)

London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (The Hacker News)

UK teen suspected of Uber and Rockstar hacks arrested (Computing)

Adam Marrè: Learning to be a leader. [CISO] [Career Notes] Sep 25, 2022

Adam Marrè, CISO from Arctic Wolf sits down to share his story of rising through the ranks. After 9/11 he decided he wanted to make a difference in the world and so he chose to go into the FBI, there he learned the skills that got him to where he is today. In his time at the FBI, he was able to do what he loved which was working with computers while gaining more knowledge on cybersecurity and became computer forensic certified. Ultimately he needed a change in the end and decided to leave the FBI, He was able to learn the leadership skills he needed to move past that career path and follow a new dream. He is now able to share his passion with the world and help people understand security to help protect themselves as well as helping people finding success in their careers and in their lives. We thank Adam for sharing his story.

Keeping an eye on RDS vulnerabilities. [Research Saturday] Sep 24, 2022

Gafnit Amiga, Director of Security Research from Lightspin joins Dave to discuss her team's research "AWS RDS Vulnerability Leads to AWS Internal Service Credentials." The research describes how the vulnerability was caught and right after it was reported the AWS Security team applied an initial patch limited only to the recent Amazon Relational Database Service (RDS) and Aurora PostgreSQL engines, excluding older versions.

They followed by personally reaching out to the customers affected by the vulnerability and helped them through the update process. The research states "Lightspin's Research Team obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension."

The research can be found here:

AWS RDS Vulnerability Leads to AWS Internal Service Credentials

Privateers seem to be evolving into front groups for the Russian organs. Unidentified threat actors engaging in cyberespionage. Catphishing from a South Carolina prison. Sep 23, 2022

The GRU's closely coordinating with cyber criminals. An unidentified threat actor deploys malicious NPM packets. Gootloader uses blogging and SEO poisoning to attract victims. Metador is a so-far unattributed threat actor. Johannes Ullrich from SANS on Resilient DNS Infrastructure. Maria Varmazis interviews Anthony Colangelo, host of spaceflight podcast Main Engine Cutoff, about the iPhone 14 “Emergency SOS via Satellite” feature. And having too much time on your hands while doing time is not a good thing.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/184

Selected reading.

GRU: Rise of the (Telegram) MinIOns (Mandiant)

Void Balaur | The Sprawling Infrastructure of a Careless Mercenary (SentinelOne)

An unidentified threat actor deploys malicious NPM packets (CyberWire)

Threat analysis: Malicious npm package mimics Material Tailwind CSS tool (ReversingLabs)

A Multimillion Dollar Global Online Credit Card Scam Uncovered (ReasonLabs)

Gootloader Poisoned Blogs Uncovered by Deepwatch’s ATI Team (Deepwatch)

The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities (SentinelOne)

SC inmate sentenced for ‘sextortion’ scheme that targeted military (Stars and Stripes)

GRU operators masquerade as Ukrainian telecommunications providers. 2K Games Support compromised to spread malware. Developments in the cyber underworld. Sep 22, 2022

GRU operators masquerade as Ukrainian telecommunications providers. Another video game maker is compromised to spread malware. Noberus may be a successor to Darkside and BlackMatter ransomware. Robert M. Lee from Dragos explains Crown Jewel analysis. Our guest is Nathan Hunstad from Code42 with thoughts on insider risk events. Threat actors have their insider threats, too.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/183

Selected reading.

Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine (Recorded Future)

Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers (SecurityWeek)

Shadowy Russian Cell Phone Companies Are Cropping Up in Ukraine (WIRED)

CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania. (CyberWire)

Iranian State Actors Conduct Cyber Operations Against the Government of Albania (CISA)

2K Games says hacked help desk targeted players with malware (BleepingComputer)

2K Games helpdesk hacked to spread malware to players (TechRadar)

Rockstar parent company hacked again as 2K Support sends users malware (Dexerto)

‘Grand Theft Auto VI’ leak is Rockstar’s nightmare, YouTubers’ dream (Washington Post)

Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics (Symantec)

LockBit ransomware builder leaked online by “angry developer” (BleepingComputer)

CISA Alert AA22-265A – Control system defense: know the opponent. [CISA Cybersecurity Alerts] Sep 22, 2022

This alert builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure. The alert documentation linked in the show notes describes TTPs that malicious actors use to compromise OT/ICS assets. It also recommends mitigations that owners and operators can use to defend their systems from each of the listed TTPs. NSA and CISA encourage OT and ICS owners and operators to apply the recommendations in this documentation.

AA22-265A Alert, Technical Details, and Mitigations

NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure

For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania. [CISA Cybersecurity Alerts] Sep 22, 2022

In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware.

AA22-264A Alert, Technical Details, and Mitigations

CISA’s free Cyber Hygiene Services (CyHy)

CISA’s zero–trust principles and architecture.

Iran Cyber Threat Overview and Advisories.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

A call-up of Russian reserves, and more notes on the IT Army's claimed hack of the Wagner Group. Netflix phishbait. The Rockstar Games and LastPass incidents. CISA releases eight ICS Advisories. Sep 21, 2022

It’s partial mobilization in Russia, and airline flights departing Russia are said to be sold out. Further notes on the IT Army's claimed hack of the Wagner Group. Leveraging Netflix for credential harvesting. Rockstar Games suffers a leak of new Grand Theft Auto footage. Ben Yelin has the latest on regulations targeting crypto. Our guest is Amy Williams from BlueVoyant discussing the value of feminine energy in the male dominated field of cybersecurity. CISA releases eight ICS Advisories.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/182

Selected reading.

Russia moves toward annexing Ukraine regions in a major escalation (Washington Post)

Four occupied Ukraine regions plan imminent ‘votes’ on joining Russia (the Guardian)

Putin sets partial military call-up, won’t ‘bluff’ on nukes (AP NEWS)

Putin announces partial military mobilization for Russian citizens (Axios)

Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group (Vice)

Fresh Phish: Netflix Bad Actors Go Behind the Scenes to Stage a Credential Harvesting Heist (INKY)

Leveraging Netflix for credential harvesting. (CyberWire)

Social Engineering: How A Teen Hacker Allegedly Managed To Breach Both Uber And Rockstar Games (Forbes)

Rockstar Games suffers leak of new Grand Theft Auto footage. (CyberWire)

LastPass source code breach – incident response report released (Naked Security)

Notice of Recent Security Incident (The LastPass Blog)

The LastPass incident. (CyberWire)

Medtronic NGP 600 Series Insulin Pumps (CISA)

Hitachi Energy PROMOD IV (CISA)

Hitachi Energy AFF660/665 Series (CISA)

Dataprobe iBoot-PDU (CISA)

Host Engineering Communications Module (CISA)

AutomationDirect DirectLOGIC with Ethernet (CISA)

AutomationDirect DirectLOGIC with Serial Communication (CISA)

MiCODUS MV720 GPS tracker (Update A) (CISA)

An overview of Russian cyber operations. The IT Army of Ukraine says it’s doxed the Wagner Group. Lapsus$ blamed for Uber hack. A look at the risk of stolen single sign-on credentials. Sep 20, 2022

An overview of Russian cyber operations. The IT Army of Ukraine claims to have doxed the Wagner Group. Who dunnit? Lapsus$ dunnit. Emily Mossburg from Deloitte and Shelley Zalis of the Female Quotient on why gender equality is essential to the success of the cyber industry. We’ve got a special preview of the International Spy Museum's SpyCast's latest episode with host Andrew Hammond interviewing Robert Gates on the 75th anniversary of the CIA. And a look at the risk of stolen single sign-on credentials.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/181

Selected reading.

Ukraine's IT Army hacks Russia's Wagner Group (Computing)

Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior (Atlantic Council)

Security update | Uber Newsroom (Uber Newsroom)

Tentative attribution in the Uber breach. (CyberWire)

Uber says Lapsus$-linked hacker responsible for breach (Reuters)

Uber blames security breach on Lapsus$, says it bought credentials on the dark web (ZDNET)

Uber's breach shows how hackers keep finding a way in (Protocol)

Uber attributes hack to Lapsus$, working with FBI and DOJ on investigation (The Record by Recorded Future)

Uber data breach spotlights need for enterprises to ‘get the basics right’, say experts (ITP.net)

"Keys to the Kingdom" at Risk: Analyzing Exposed SSO Credentials of Public Companies (Bitsight)

An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. And risky piracy sites. Sep 19, 2022

An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. Grayson Milbourne of OpenText Security Solutions on the arms race for vulnerabilities. Rick Howard continues his exploration of cyber risk. And risky piracy sites–that’s on the Internet, kids, not the high seas.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/180

Selected reading.

Developments in the case of the Uber breach. (CyberWire)

Preliminary lessons from the Uber breach. (CyberWire)

Uber says “no evidence” user accounts were compromised in hack (The Verge)

Uber Claims No Sensitive Data Exposed in Latest Breach… But There's More to This (The Hacker News)

Uber apparently hacked by teen, employees thought it was a joke (The Verge)

Uber hacker claims to have full control of company's cloud-based servers (9to5Mac)

The Uber Hack’s Devastation Is Just Starting to Reveal Itself (WIRED)

Uber was breached to its core, purportedly by an 18-year-old. Here’s what’s known (Ars Technica)

Uber hacked by teen who annoyed employee into logging them in - report (Jerusalem Post)

18-year-old allegedly hacks Uber and sends employees messages on Slack (Interesting Engineering)

Uber Investigating Massive Security Breach by Alleged Teen Hacker (Gizmodo)

Uber cyber attack: protecting against social engineering (Information Age)

Threat actor breaches many of Uber’s critical systems (Cybersecurity Dive)

Uber hacker claims to have full control of company's cloud-based servers (9to5Mac)

Uber confirms hack in the the latest access and identity nightmare for corporate America (SC Media)

Uber hacked, attacker tears through the company's systems (Help Net Security)

Uber confirms it is investigating cybersecurity incident (The Record by Recorded Future)

UBER HAS BEEN HACKED, boasts hacker – how to stop it happening to you (Naked Security)

Emotet and other malware delivery systems. (CyberWire)

Emotet botnet now pushes Quantum and BlackCat ransomware (BleepingComputer)

AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 (AdvIntel)

August’s Top Malware: Emotet Knocked off Top Spot by FormBook while GuLoader and Joker Disrupt the Index (Check Point Software)

How Belarusian hacktivists are using digital tools to fight back (The Record by Recorded Future)

Malvertising on piracy sites. (CyberWire)

Unholy Triangle (Digital Citizens' Alliance)

Piracy Advertising Researchers Fall Victim to Ransomware Attacks (TorrentFreak)

Jaya Baloo: Don't be afraid to bounce ideas off your teammates. [CISO] [Career Notes] Sep 18, 2022

Jaya Baloo, a Chief Information Security Officer from Avast sits down to share her story, sharing how she got into the technology field at a younger age with being introduced to computers and games on her PS 24. She started off going to college for political science and after not knowing what to do after that, she got her first start in cybersecurity. After falling in love with cybersecurity she kept moving up the ranks in different organizations before finding herself at Avast. She shares that at Avast she leans on her team quite a bit and you should never be afraid to bounce ideas off of your teammates. She says "The best ideas come from like bouncing ideas off of each other, sharing within the group and then if I can't figure it out myself, that's why I hire these amazing individuals it's to help me figure it out." We thank Jaya for sharing her story.

An increase in bypassing bot management? [Research Saturday] Sep 17, 2022

Sam Crowther, CEO of Kasada join's Dave to discuss their work on "The New Way Fraudsters Bypass Bot Management." Kasada researchers recently discovered a new type of bot called Solver Services, which is used and created by bad actors to bypass the majority of bot management systems.

The research states "Now it’s easier than ever for mainstream bot operators to scrape content, take over accounts, hoard inventory, and commit other forms of automated fraud against organizations using legacy bot management solutions." Attackers are able to by these “Solver” bots, APIs, and services for less than $500 per month to make a profit.

The research can be found here:

The Emergence of Solver Services: The New Way Fraudsters Bypass Bot Management Vendors

Uber sustains a major data breach. Notes on the underworld. A large DDoS attack is stopped in Eastern Europe. An FBI alert and a brace of CISA advisories. Congress deliberates cyber policy. Sep 16, 2022

Uber suffers a data breach. Social media executives testify before Congress. A Large DDoS attack is thwarted in Eastern Europe. The FBI warns of increased cyberattacks against healthcare payment processors. Policy makers consider new OT security incentives. Malek Ben Salem from Accenture on future-proof cloud security. Our guest Diana Kelley from Cybrize discusses the need for innovation and entrepreneurship in cybersecurity. And if you’ve been hoping for a LockerGoga decryptor, you’re in luck.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/179

Selected reading.

Uber hacked, internal systems breached and vulnerability reports stolen (BleepingComputer)

Uber suffers computer system breach, alerts authorities (Washington Post)

Uber Investigating Data Breach After Hacker Claims Extensive Compromise (SecurityWeek)

Uber Investigating Breach of Its Computer Systems (New York Times)

Uber investigating "total compromise" of its internal systems (Computing)

There’s No Honor Among Thieves: Carding Forum Staff Defraud Users in an ESCROW Scam (Digital Shadows)

Social media hearings highlight lack of trust, transparency in sector (The Record by Recorded Future)

Breaking the Boycott (Cybersixgill)

Record-Breaking DDoS Attack in Europe (Akamai)

Cyber Criminals Targeting Healthcare Payment Processors, Costing Victims Millions in Losses (FBI)

Siemens Mobility CoreShield OWG Software (CISA)

Siemens Simcenter Femap and Parasolid (CISA)

Siemens RUGGEDCOM ROS (CISA)

Siemens Mendix SAML Module (CISA)

Siemens SINEC INS (CISA)

Siemens RUGGEDCOM ROS (Update A) (CISA)

Simcenter Femap and Parasolid (CISA)

Siemens Industrial Products Intel CPUs (Update A) (CISA)

Siemens OpenSSL Affected Industrial Products (CISA)

Siemens OpenSSL Vulnerability in Industrial Products (Update E) (CISA)

Siemens SCALANCE (CISA)

CISA Adds Six Known Exploited Vulnerabilities to Catalog (CISA)

Building on our Baseline: Securing Industrial Control Systems Against Cyberattacks (House Committee on Homeland Security)

Bitdefender Releases Universal LockerGoga Decryptor in Cooperation with Law Enforcement (Bitdefender Labs)

CISA Alert AA22-257A – Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations. [CISA Cybersecurity Alerts] Sep 15, 2022

This joint Cybersecurity Advisory highlights continued malicious cyber activity by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations.

AA22-257A Alert, Technical Details, and Mitigations

AA22-257A.stix

CISA’s Iran Cyber Threat Overview and Advisories

FBI’s Iran Threat webpage.

Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities

Technical Approaches to Uncovering and Remediating Malicious Activity

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Notes from the hybrid war: nuisance-level DDoS, cyberespionage, and the possibility of financially motivated hacking. US policy on the software supply chain, and notes from the underworld. Sep 15, 2022

Nuisance-level DDoS and cyberespionage continue to mark Russia's cyber campaign in the hybrid war. There’s a US Presidential memorandum on software supply chain security. Webworm repurposes older RATs. Trends in cyber insurance claims. OriginLogger may be the new Agent Tesla. The SparklingGoblin APT described. Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. And Royal funeral phishbait.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/178

Selected reading.

Pro-Russia hackers claim to have temporarily brought down Japanese govt websites (Asia News Network)

Gamaredon APT targets Ukrainian government agencies in new campaign (Cisco Talos)

Russia-linked Gamaredon APT target Ukraine with a new info-stealer (Security Affairs)

Fears grow of Russian spies turning to industrial espionage (The Record by Recorded Future)

Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (The White House)

Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience (The White House)

White House releases post-SolarWinds federal software security requirements (Federal News Network)

Webworm: Espionage Attackers Testing and Using Older Modified RATs (Threat Hunter Team Symantec)

Coalition Releases 2022 Cyber Claims Report: Mid-year Update (GlobeNewswire News Room)

OriginLogger: A Look at Agent Tesla’s Successor (Unit 42)

You never walk alone: The SideWalk backdoor gets a Linux variant (WeLiveSecurity)

[Scam site harvests credentials] (Proofpoint)

Current, former social media execs address national security issues at Senate hearing (Fox Business)

Senators Have Stopped Embarrassing Themselves at Tech Hearings (Slate Magazine)

Patch Tuesday notes. Mr. Mudge goes to Washington. Joint warning of IRGC cyber activity. No major developments in the cyber phases of Russia’s hybrid war (but Ukraine is sounding confident). Sep 14, 2022

Patch Tuesday notes. The US Senate Judiciary Committee hears from the Twitter whistleblower. Joint warning of IRGC cyber activity. Rob Boyce from Accenture on cybercriminals weaponizing leaked ransomware data. Chris Novak from Verizon describes his participation in the CISA Advisory Board. And Ukraine reiterates confidence in its resiliency.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/177

Selected reading.

Adobe Patches 63 Security Flaws in Patch Tuesday Bundle (SecurityWeek)

Microsoft Releases September 2022 Security Updates (CISA)

Microsoft's September Patch Tuesday fixes five critical bugs (Computing)

Microsoft Raises Alert for Under-Attack Windows Flaw (SecurityWeek)

SAP Security Patch Day September 2022 (Onapsis)

Apple Releases Security Updates for Multiple Products (CISA)

Apple fixes eighth zero-day used to hack iPhones and Macs this year (BleepingComputer)

Apple Will Let You Remove Rapid Security Response Updates in iOS 16 (Mac Rumors)

Data Security at Risk: Testimony from a Twitter Whistleblower (United States Senate Committee on the Judiciary)

Twitter Employees Have Too Much Access to Data, Whistleblower Says (Wall Street Journal)

Twitter whistleblower reveals employees concerned China agent could collect user data (Reuters)

Security failures cause ‘real harm to real people’ (Washington Post)

Twitter whistleblower testifies to Congress, calls for tech regulation reforms (The Record by Recorded Future)

The Search for Dirt on the Twitter Whistle-Blower (The New Yorker)

Whistle-Blower Says Twitter ‘Chose to Mislead’ on Security Flaws (New York Times)

Twitter whistleblower says site put growth over security (Computing)

Written Statement of Peiter (“Mudge”) Zatko United States Senate Judiciary Committee September 13, 2022 (Katz Banks Kumin)

What we learned when Twitter whistleblower Mudge testified to Congress (TechCrunch)

How China became big business for Twitter (Reuters)

Twitter whistleblower exposes limits of FTC’s power (Washington Post)

Twitter Whistle-Blower Testimony Spurs Calls for Tech Regulator (Bloomberg)

Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations (CISA)

Ukraine’s Cyberwar Chief Sounds Like He’s Winning (WIRED)

DDoS attacks on financial sector surge during war in Ukraine, new FCA data reveals (PR Newswire)

A conversation with members of Baltimore FBI: Special Agent in Charge, Tom Sobocinski, and Supervisory Special Agent for Cyber, Tom Breeden. [Special Editions] Sep 13, 2022

In this extended interview, CyberWire Daily Podcast host Dave Bittner sits down with members of the FBI's Baltimore field office: Special Agent in Charge, Tom Sobocinski, and Supervisory Special Agent for Cyber, Tom Breeden. As part of the FBI's cybersecurity awareness campaign, they discuss what the FBI can do to enhance and amplify cyber efforts in ways unlike any other public or private organization. This interview from August 30, 2022 originally aired as a shortened version on the CyberWire Daily Podcast.

Apple patches. Reviewing the cyber phase of a hybrid war. ShadowPad’s return. Phishing from the Static Expressway. Medical device threats. Security trends. Charming Kitten’s social engineering. Sep 13, 2022

Apple patches its software. Reviewing the cyber phase of a hybrid war. The return of the (ShadowPad) alumni. Phishing from the Static Expressway. The state of cloud security. Overconfidence comes at a cost. Ann Johnson of Afternoon Cyber Tea speaks with Dr. Josephine Wolff from the Fletcher School about cyber insurance past. My conversation with FBI special agents Tom Sobocinski and Tom Breeden. And Charming Kitten and group-think in social engineering.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/176

Selected reading.

Apple security updates (Apple Support)

Ukraine Cyber War Update September 2022 (CyberCube)

New Wave of Espionage Activity Targets Asian Governments (Broadcom Software Blogs)

Chinese gov’t hackers using ‘diverse’ toolset to target Asian prime ministers, telecoms (The Record by Recorded Future)

Leveraging Facebook Ads to Send Credential Harvesting Links (Avanan)

Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities (FBI)

CFO Cyber Security Survey: Over-Confidence is Costly (Kroll)

Snyk’s State of Cloud Security Report Reveals 80% of Organizations Have Experienced a Severe Cloud Security Incident in Past Year (Snyk)

Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO (Proofpoint)

Iranian military using spoofed personas to target nuclear security researchers (The Record by Recorded Future)

Alleged cyber commander of Iran’s Revolutionary Guard named by opposition outlet (Times of Israel)

Albania reports more Iranian cyberattacks. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet. Sep 12, 2022

Albania reports additional cyberattacks from Iran over the weekend. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet. Kinetic strikes hit Ukraine’s infrastructure. Rick Howard calculates risk with classic mathematical theorems. Tim Eades from Cyber Mentor Fund on the dynamic nature of the attack surface. And a look into the cyber phase of the hybrid war.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/175

Selected reading.

Albania blames Iran for second cyberattack since July (CNN)

Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities (US Department of the Treasury)

Iran strongly condemns US sanctions over Albania hacking (Al Arabiya)

Six months into Breached: The legacy of RaidForums? (KELA)

2022 State of the Internet Report (Censys)

Ukraine hails snowballing offensive, blames Russia for blackouts (Reuters)

Ukraine says Russia is retaliating by hitting critical infrastructure, causing blackouts. (New York Times)

Last reactor at Ukraine’s Zaporizhzhia nuclear plant stopped (Associated Press)

Ukraine Warns Russian Cyber Onslaught Is Coming (Voice of America)

Montenegro wrestles with massive cyberattack, Russia blamed (ABC News)

CyberCube: Russia’s Sovereign Internet Creates Security Risks With Implications for Cyber (Re)Insurance While War in Ukraine Develops (Associated Press)

Mark Logan: March towards your goals. [CEO] [Career Notes] Sep 11, 2022

Mark Logan, CEO of One Identity, sits down to share his story, explaining how he fit into different roles growing up in different companies. Mark has nearly two decades of C-Suite experience at an array of different organizations, finally landing on his current position as the CEO at One Identity. Sharing his different roles, he also gives a quote from Steve Jobs, saying "it's not what I say yes to, it's what I say no to." He believes that's a key area for his workers because when he is able to make up his mind, his team and his customers have someone they can rely on. Mark says that as a CEO he wants to share the advice of always marching towards your goals, and identifying that different people have different goals because they work in different fields, but that's what makes a company work best. He says "I've found that the more you can delegate, provided you've got the right folks in place the better." We thank Mark for sharing his story.

A CSO's 9/11 Story: CSO Perspectives Bonus. Sep 11, 2022

From the 20th anniversary of 9/11 in 2021, Rick Howard, the CyberWire’s CSO, Chief Analyst, and Senior Fellow, recounts his experience from inside the Pentagon running the communications systems for the Army Operations Center.

CyberWire Pro subscribers also get exclusive access to Rick's original 2001 essay with notes from the day of the attack. If you would like to check that out, you can subscribe today.

Evilnum APT returns with new targets. [Research Saturday] Sep 10, 2022

Deepen Desai from Zscaler ThreatLabz joins Dave to discuss their work on "Return of the Evilnum APT with updated TTPs and new targets." Zscaler’s ThreatLabz team recently caught a new Evilnum APT attack campaign that uses the document template on MS Office Word to inject malicious payload to the victim's machine. There are three new instances used of the campaign, including updated tactics, techniques, and procedures.

Researchers have been closely monitoring Evilnum APT’s activity. They ssay ThreatLabz identified several domains associated with the Evilnum APT group. Which has led them to discover that the "group has been successful at flying under the radar and has remained undetected for a long time."

The research can be found here:

Return of the Evilnum APT with updated TTPs and new targets

Threats to US elections. Lazarus Group targeting energy companies. Gaming-related threats. Sep 09, 2022

Nation-states are expected to target the US midterm elections. North Korea’s Lazarus Group is targeting energy companies. The Ukraine’s Ministry of Digital Transformation on cyber lessons learned from Russia’s hybrid war against Ukraine. CISA flags twelve known exploited vulnerabilities for attention and remediation. Vulnerable anti-cheat engines used for malicious purposes. Steve Carter from Nucleus Security has thoughts on AI in cybersecurity. Roland Cloutier, former CSO of TikTok, discusses working around the changing career field, needs, and how enterprise executives are developing and finding talent. And a look at top gaming-related malware lures.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/174

Selected reading.

Mandiant ‘highly confident’ foreign cyberspies will target US midterm elections (The Register)

What to Expect When You’re Electing: Preparing for Cyber Threats to the 2022 U.S. Midterm Elections (Mandiant)

North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies (TechCrunch)

Lazarus and the tale of three RATs (Cisco Talos)

How Gaming Cheats Are Cashing in Below the Operating System (Eclypsium)

Good game, well played: an overview of gaming-related cyberthreats in 2022 (Securelist)

Cybercriminals target games popular with kids to distribute malware (The Register)

CISA Adds Twelve Known Exploited Vulnerabilities to Catalog  (CISA)

Bronze President shows both enduring interests and adaptability. Iranian threat actor activity reported. Cybersecurity and small-to-medium businesses. Sep 08, 2022

Bronze President shows both enduring interests and adaptability. Iranian threat actor activity is reported. Cybersecurity and small-to-medium businesses. An initial access broker repurposes Conti's old playbook for use against Ukraine. Johannes Ullrich from SANS on Scanning for VoIP Servers. Our guest is Ian Smith from Chronosphere on observability. And Kyivstar as a case study in telco resiliency.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/173

Selected reading.

BRONZE PRESIDENT Targets Government Officials (Secureworks)

APT42: Crooked Charms, Cons, and Compromises (Mandiant)

Profiling DEV-0270: PHOSPHORUS’ ransomware operations (Microsoft)

Albania cuts diplomatic ties with Iran over July cyberattack (The Washington Post)

Initial access broker repurposing techniques in targeted attacks against Ukraine (Google)

Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (IBM SecurityIntelligence)

Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (BleepingComputer)

Ukraine’s largest telecom stands against Russian cyberattacks (POLITICO)

Albania attributes major cyberattack to Iran. TikTok denies breach. New Linux malware. Sep 07, 2022

The Albanian government attributes a disruptive cyber attack to Iran. TikTok says it’s found no evidence of a data breach. Researchers have discovered a new strain of Linux malware. US agencies warn of ransomware targeting the education sector. Finland prepares to increase its cybersecurity capacity. Deepen Desai from Zscaler on the latest updates to Raccoon Stealer. Our guest is Lance Spitzner from the SANS Institute with results of their recent Security Awareness Report. And a fond farewell to the father of Let’s Encrypt.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/172

Selected reading.

Albania cuts Iran ties over cyberattack, U.S. vows further action (Reuters)

Statement by NSC Spokesperson Adrienne Watson on Iran’s Cyberattack against Albania (The White House)

TikTok Data Breach Exposing 2B Records And Source Code May Not Have Happened After All (Hot Hardware)

TikTok Denies Data Breach Reportedly Exposing Over 2 Billion Users' Information (The Hacker News)

Shikitega - New stealthy malware targeting Linux (AT&T Alien Labs)

#StopRansomware: Vice Society (CISA)

Peter Eckersley, tech activist and founder of Let's Encrypt, dies at 43 (Techspot)

Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone (Electronic Frontier Foundation)

CISA Alert AA22-249A – #StopRansomware: Vice Society.” [CISA Cybersecurity Alerts] Sep 06, 2022

CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, or MS ISAC, are releasing this advisory to disseminate indicators of compromise and TTPs associated with Vice Society actors and their ransomware campaigns. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.

AA22-249A Alert, Technical Details, and Mitigations

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Notes on the C2C market. A new cyberespionage threat actor has surfaced. Sharkbot made a brief return to Google Play. Privateering and catphishing in the hybrid war. Sep 06, 2022

A Phishing-as-a-service offering on the dark web bypasses MFA. The Worok cyberespionage group is active in Central Asia and the Middle East. Prynt Stealer and the evolution of commodity malware. Sharkbot malware reemerged in Google Play. BlackCat/ALPHV claims credit for attack on the Italian energy sector. Joe Carrigan shares stats on social engineering. Our guest is Angela Redmond from BARR Advisory with six cybersecurity KPIs. And the Los Angeles Unified School District was hit with ransomware.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/171

Selected reading.

EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (Resecurity)

Worok: The big picture (WeLiveSecurity)

Dev backdoors own malware to steal data from other hackers (BleepingComputer)

The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals (Security Affairs)

Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (The Hacker News)

SharkBot malware sneaks back on Google Play to steal your logins (BleepingComputer)

BlackCat ransomware claims attack on Italian energy agency (BleepingComputer)

11.84GB of United States Military Contractor and Military Reserve data has been leaked. (vx-underground)

Hackers honeytrap Russian troops into sharing location, base bombed: Report (Newsweek)

LAUSD hit by hackers in apparent cyber attack (FOX 11 Los Angeles)

Los Angeles Unified Targeted by Ransomware Atta (Los Angeles Unified School District)

New CISO responsibilities: supply chain. [CSO Perspectives] Sep 05, 2022

Rick Howard, the Cyberwire’s CSO and Chief Analyst, is joined by Hash Table members Ann Johnson, Microsoft’s Corporate VP on Security, Compliance, & Identity, and Ted Wagner, the SAP National Security Services CISO, t0 discuss supply chain as a new CISO responsibility.

Anjali Hansen: Cross team collaboration works best. [Privacy Counsel] [Career Notes] Sep 04, 2022

Anjali Hansen, a senior privacy counselor from Noname Security shares her story as she climbed through the ranks to get to where she is toady. When Anjali started she wanted to do international law. She started working for the International Trade Commission after law school which is where she was able to gain most of her experience and gain real world abilities. Working with online fraud and abuse, she shares, concerned her because it felt like governments could not protect organizations from threats occurring, which is how she got interested in cyber crime. From there, she moved to Noname Security and working there she found that she is working with every group in the organization, creating a cross team collaboration and how much she admires that type of model. She says "We have to help other departments protect the data because the data's throughout an organization, it's in HR, it's in sales and marketing, it's in IT, it's in finance. So you have to be able to work with all these teams." We thank Anjali for sharing her story.

LockBit's contradiction on encryption speed. [Research Saturday] Sep 03, 2022

Ryan Kovar from Splunk sits down with Dave to discuss their findings in "Truth in Malvertising?" that contradict the LockBit group's encryption speed claims. Splunk's SURGe team recently released a whitepaper, blog, and video that outlined the encryption speeds of 10 different ransomware families. During their research they cam across Lockbit doing the same thing. After completing the research, the researchers came back to test the veracity of LockBit’s findings.

The research showed three interesting finds. The first find showed that LockBit’s fastest and slowest samples were closely aligned between the tests, but the other results were very different. They also found that LockBit continues to be the fastest ransomware, but LockBit 2.0 was more efficient yet slower than its previous counterpart, LockBit 1.0. Lastly, once ransomware gets to the point of encrypting your systems, it’s too late.

The research can be found here:

Truth in Malvertising?

Ransomware groups continue to shift identities and targets. Assessments of the cyber phases of a hybrid war. Is wartime tough for criminals? Anonymous counts coup…against Moscow’s taxis. Sep 02, 2022

REvil (or an impostor, or successor) may be back. A Paris-area medical center continues to work to recover from cyber extortion. An assessment of Russian failure (or disinclination) to mount effective cyber campaigns. Cyber criminals find wartime to be a tough time. Josh Ray from Accenture looks at cyber threats to the rail industry. Our guest is Dan Murphy of Invicti making the case that not all vulnerabilities are created equal. And Yandex Taxi’s app was hacked in a nuisance attack.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/170

Selected reading.

REvil says they breached electronics giant Midea Group (Cybernews)

Paralysed French hospital fights cyber attack as hackers lower ransom demand (RFI)

French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer)

Hacks tied to Russia and Ukraine war have had minor impact, researchers say (The Record by Recorded Future)

Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict (arXiv:2208.10629v2)

Why Russia's cyber war in Ukraine hasn't played out as predicted (New Atlas)

Cyber key in Ukraine war, says spy chief (The Canberra Times)

Montenegro Sent Back to Analog by Unprecedented Cyber Attacks (Balkan Insight)

Montenegro blames criminal gang for cyber attacks on government (EU Reporter)

Ransomware Attack Sends Montenegro Reaching Out to NATO Partners (Bloomberg)

“I’m tired of living in poverty” – Russian-Speaking Cyber Criminals Feeling the Economic Pinch (Digital Shadows)

Yandex Taxi hack creates huge traffic jam in Moscow (Cybernews)

Anonymous hacked Russia's largest taxi firm and caused a massive traffic jam (Daily Star)

News on three ransomware operations: BianLian, Cuba, and Ragnar Locker. How the gangs are recruiting. Mobile app supply chain blues. Happy Insider Threat Month. Sep 01, 2022

The BianLian ransomware gang is better at coding than at the business of crime. The Attack on Montenegro seems to be ransomware. A look at Ragnar Locker's current interests. Recruiting for gangland gets allusive, but those who know, well, they know. Our guest is Dan Lanir of OPSWAT with insights on recent federal legislation supporting cyber jobs. Ben Yelin lexamines a lawsuit filed by the FTC against an online data broker. And it’s Insider Threat Month, so keep an eye on yourself.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/169

Selected reading.

BianLian Ransomware Gang Gives It a Go! ([redacted])

Montenegro blames criminal gang for cyber attacks on government (Reuters)

FBI's team to investigate massive cyberattack in Montenegro (AP NEWS)

US issues rare security alert as Montenegro battles ransomware (TechCrunch)

Cuba ransomware group claims attack on Montenegro government (IT PRO)

Cuba Ransomware Team claims credit for attack on Montenegro (Databreaches.net)

Montenegro blames Cuba ransomware for cyberattack (Cybernews)

Cybercriminals Apparently Involved in Russia-Linked Attack on Montenegro Government (SecurityWeek)

THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector (Cybereason)

Behind the News: The Ragnar Locker Attack on Greek Natural Gas Supplier DESFA - Radiflow (Radiflow)

Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information (Broadcom Software Blogs / Threat Intelligence)

“Looking for pentesters”: How Forum Life Has Conformed to the Ransomware Ban (Digital Shadows)

NCSC and Federal Partners Focus on Countering Risk in Digital Spaces during National Insider Threat Awareness Month 2022 (ODNI)

Securing multi-cloud identity with orchestration. [CyberWire-X] Sep 01, 2022

While multi-cloud brings significant benefits, it also poses serious security risks. And identity is the reason. Each cloud platform, such as Azure, Google, and AWS, uses proprietary identity systems, and the lack of interoperability makes it unruly to manage. These disparate systems can’t talk to each other resulting in a fragmented environment full of identity silos — the perfect way for an attacker to get in and cause destruction.

In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Rick Doten, the CISO for Healthcare Enterprises and Centene. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Strata Identity's CEO and Co-founder Eric Olden. Both sets of discussions center around the challenges to identity management caused by the rapid shift to multi-cloud.

Malicious Chrome extensions. BEC in Kentucky. Dispatches from a hybrid war, including state-directed, partisan, and criminal action. ICS advisories. “Cosplaying” hardware. Aug 31, 2022

Chrome extensions steal browser data. A business email compromise attack is under investigation in Kentucky. Belarusian Cyber Partisans claim to have a complete Belarusian passport database. Organizing a cyber militia. CISA releases twelve ICS security advisories. Our guest is Asaf Kochan of Sentra on overemphasizing “the big one.” Carole Theriault cautions against getting ahead of yourself in the cryptocurrency supply chain. Cosplaying" hardware. And Canada welcomes a new SIGINT boss.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/168

Selected reading.

Chrome extensions with 1.4 million installs steal browsing data (BleepingComputer)

Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users (McAfee Blog)

Police investigate electronic theft of federal funds (City of Lexington)

FBI, Secret Service join Kentucky investigation into $4 million cybercrime theft (The Record by Recorded Future)

Russian hackers blamed for ongoing Montenegro cyberattack (Tech Monitor)

“For the 1st time in human history a #hacktivist collective obtained passport info of the ALL country's citizens.” (Cyber Partisans)

Inside the IT Army of Ukraine, ‘A Hub for Digital Resistance’ (The Record by Recorded Future)

Ukraine takes down cybercrime group hitting crypto fraud victims (BleepingComputer)

Hitachi Energy FACTS Control Platform (FCP) Product (CISA)

Hitachi Energy Gateway Station (GWS) Product (CISA)

Hitachi Energy MSM Product (CISA).

Hitachi Energy RTU500 series (CISA)

Fuji Electric D300win (CISA)

Honeywell ControlEdge (CISA)

Honeywell Experion LX (CISA)

Honeywell Trend Controls Inter-Controller Protocol (CISA)

Omron CX-Programmer (CISA)

PTC Kepware KEPServerEX (CISA)

Sensormatic Electronics iSTAR (CISA)

Mitsubishi Electric GT SoftGOT2000 (CISA)

Walmart Sells Fake 30TB Hard Drive That’s Actually Two Small SD Cards in a Trench Coat (Vice)

Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Notes from Russia’s hybrid war. And the LockBit gang looks beyond double extortion. Aug 30, 2022

Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Montenegro works to recover from a Russian cyber offensive. A big Russian streaming platform sustains a data leak. Ann Johnson of the Afternoon Cyber Tea podcast speaks with Dave DeWalt of NightDragon and Jay Leek of both Syn Ventures and Clear Sky Security about cyber capital investment. Mr. Security Answer Person John Pescatore examines the allure of the healthcare industry for ransomware operators. And the LockBit gang looks beyond double extortion.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/167

Selected reading.

Rising Tide: Chasing the Currents of Espionage in the South China Sea (Proofpoint)

Why the Twilio Breach Cuts So Deep (WIRED)

Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms (Threatpost)

Hackers used Twilio breach to intercept Okta onetime passwords (SiliconANGLE)

Okta Impersonation Technique Could be Utilized by Attackers (SecurityWeek)

Ukraine launches counter-offensive to retake Kherson from Russia (The Telegraph)

Russia-Ukraine war: Kremlin insists invasion going to plan despite counterattacks; first grain ship docks in Africa – live (the Guardian)

Montenegro says Russian cyberattacks threaten key state functions (BleepingComputer)

Montenegro struggles to recover from cyberattack that officials blame on Russia (The Record by Recorded Future)

Leading Russian streaming platform suffers data leak allegedly impacting 44 million users (The Record by Recorded Future)

LockBit ransomware mulls triple extortion following DDoS attack (SC Media)

How a hybrid war spreads its cyber effects. Russian and Chinese cyber ops in Latin America. Greenwashing influence. Iranian threat actor exploits Log4j vulnerabilities against Israeli targets. Aug 29, 2022

Russian cyber operations in Southeastern Europe. The challenge of containing the cyber phases of a hybrid war. Russian and Chinese cyber activity in Latin America. Greenwashing influence operations. Rick Howard looks at risk probabilities. Dinah Davis from Arctic Wolf looks at ransomware payment myths. And an Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/166

Selected reading.

Russia blamed for wave of hacker attacks in Southeast Europe (BNE)

Montenegro declares it is in 'hybrid war' with Russia after massive cyber attack (Metro)

Montenegro reports massive Russian cyberattack against govt (ABC News)

Montenegro Reports Massive Russian Cyberattack Against Govt (AP via SecurityWeek)

Montenegro's state infrastructure hit by cyber attack -officials (Reuters)

Cyber Element in the Russia-Ukraine War & its Global Implications (Modern Diplomacy)

Swiss secret service worried about Russian cyber operations (SWI swissinfo.ch)

China and Russia Step Up Cyber Presence in Latin America (Diálogo Américas)

Dominican Republic refuses to pay ransom after attack on agrarian institute (The Record by Recorded Future)

China-Linked Bots Attacking Rare Earths Producer ‘Every Day’ (Bloomberg)

Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations (The Hacker News)

MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations (Microsoft Threat Intelligence Center)

Iran exploiting Log4j 2 weakness to attack Israel, says Microsoft (Israel Defense)

David Nosibor: Taking calculated risks. [Product Lead] [Career Notes] Aug 28, 2022

David Nosibor, Product Lead for SafeCyber at UL Solutions, started his career in a unique way by not letting himself be pigeonholed. Within his company, David was able to grow to the position he is in now and says that his position feels like a lot of roles tied into one. He says that on any given day he is tackling all sorts of elements, such as marketing, operations, working with the engineering team, figuring out ways to acquire customers, retain them, and also working on sales and business development capabilities. He also says that constantly learning and getting new opportunities was how he ended up being where he is today. David states that staying focused and being on the lookout for ways to accomplish the mission is the best way for him in his company to democratize product security. He quotes the famous singer Sean Carter in saying that he firmly believes in taking calculated risks to get where you need to be going. We thank David for sharing his story.

How a wide scale Facebook campaign stole 1 million credentials. [Research Saturday] Aug 27, 2022

Nick Ascoli from ForeTrace in a partnership with PIXM sits down with Dave to provide insight on their team's work on "Phishing tactics: how a threat actor stole 1 million credentials in 4 months." During routine analysis, researchers discovered the connection between the pages using PIXM’s deep html analysis feature, which enabled them to view and analyze the underlying code on the pages after they were flagged as phishing. This led to the ensuing investigation, which was led by PIXM’s threat research team with assistance from Nick Ascoli.

The research states "we uncovered a campaign whose scale has potentially impacted hundreds of millions of facebook users, and whose complexity offer insight into the evolving nature of phishing operations, especially from a technical perspective."

The research can be found here:

Phishing tactics: how a threat actor stole 1M credentials in 4 months

A Black Basta update. Okta talks Scatter Swine. Nobelium's MagicWeb. Wartime stress in the cyber underworld. LastPass security incident. CISA adds to its Known Exploited Vulnerabilities Catalog. Aug 26, 2022

Palo Alto describes the Black Basta ransomware-as-a-service operation. Okta on Scatter Swine, the threat actor that compromised Twilio. Microsoft describes Nobelium's new approach to establishing persistence. Russia's war against Ukraine has induced stresses in the cyber underworld. LastPass discloses a security incident. Josh Ray from Accenture on cyber crime and the cost-of-living crisis. Our own Dave Bittner sits down with Chris Handman from TerraTrue to discuss how he works to transform legal teams into advocates and collaborators that can ensure privacy is baked in every step of the way. And CISA adds ten entries to its Known Exploited Vulnerabilities Catalog.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/165

Selected reading.

Threat Assessment: Black Basta Ransomware (Palo Alto Networks Unit 42)

MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone (Microsoft Threat Intelligence Center)

Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers (The Hacker News)

Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass (ZDNET)

Detecting Scatter Swine: Insights into a relentless phishing campaign (Okta Security)

Twilio hackers hit over 130 orgs in massive Okta phishing attack (BleepingComputer)

Twilio says breach also compromised Authy two-factor app users (TechCrunch)

How the war in Ukraine is reshaping the dark web (New Statesman)

Notice of Recent Security Incident (The LastPass Blog)

LastPass Says Source Code Stolen in Data Breach (SecurityWeek)

LastPass developer systems hacked to steal source code (BleepingComputer)

Notes from six months of hybrid war. Oktapus criminal campaign. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. US DHS shutters its Disinformation Governance Board. Aug 25, 2022

Ukrainian and Russian cyber operations at six months. Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. Chris Novak from Verizon on DHS Cyber Safety Review Board's report on the Log4j investigation that Verizon conducted. Dave Bittner sits down with our guest Dr. Scott Crowder, CTO and VP, Quantum Computing, Technical Strategy and Transformation for IBM Systems to discuss the increasingly urgent need for industries to prepare for security threats that quantum could unleash. And the US Department of Homeland Security shutters its Disinformation Governance Board.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/164

Selected reading.

How Ukraine used Russia’s digital playbook against the Kremlin (POLITICO)

Ukraine's volunteer 'IT army' responds to Russian hackers, minister says (ABC News)

Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave)

How Russia-Ukraine cyberwar is impacting orgs: Two-thirds say they have been targeted (VentureBeat)

Twilio hackers breached over 130 organizations during months-long hacking spree (TechCrunch)

Roasting 0ktapus: The phishing campaign going after Okta identity credentials (Group-IB)

Bumblebee Malware Loader: Deep Instinct Prevents Attack Pre-Execution (Deep Instinct)

Akamai’s Insights on DNS in Q2 2022 (Akamai)

Following HSAC Recommendation, DHS terminates Disinformation Governance Board (US Department of Homeland Security)

Homeland Security Scraps Disinformation Board Attacked by GOP (Bloomberg)

Ransomware attack hits a French hospital. Lessons for the fifth domain from six months of hybrid war. Deepfake scams have arrived. Threat actors prepare to exploit Hikvision camera vulnerability. Aug 24, 2022

A medical center near Paris comes under ransomware attack, and refuses to pay up. Lessons for the fifth domain from six months of hybrid war. Deepfake scams appear to have arrived. Deepen Desai from Zscaler with introduction to our audience. Dave Bittner sits down with Gil Hoffer, CTO and Co-founder of Salto to discuss “Who Hacked Slack?.” And Threat actors prepare to exploit Hikvision camera vulnerability.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/163

Selected reading.

Cyber attackers disrupt services at French hospital, demand $10 million ransom (France 24)

French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer)

DECLENCHEMENT DU PLAN BLANC DIMANCHE 21 AOUT 2022 (CHSF - Centre Hospitalier Sud Francilien)

Ukraine at D+181: Independence Day and six months of war. (CyberWire)

Six months, twenty-three lessons: What the world has learned from Russia’s war in Ukraine (Atlantic Council)

Hackers Used Deepfake of Binance CCO to Perform Exchange Listing Scams (Bitcoin News)

Hackers Use Deepfakes of Binance Exec to Scam Multiple Crypto Projects (Gizmodo)

Binance's CEO said thousands of people are falsely claiming to be his employees on LinkedIn. Experts warn it's an example of the platform's growing problem with fake accounts. (Business Insider)

Twitter’s Ex-Security Head Files Whistleblower Complaint (Wall Street Journal)

Twitter is vulnerable to Russian and Chinese influence, whistleblower says (CNN)

Over 80,000 exploitable Hikvision cameras exposed online (BleepingComputer)

Experts warn of widespread exploitation involving Hikvision cameras (The Record by Recorded Future)

Hikvision Surveillance Cameras Vulnerabilities (CYFIRMA)

Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Greek natural gas supplier under cyberattack. Updates on a hybrid war. Aug 23, 2022

Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Poland and Ukraine conclude cybersecurity agreement. Greek national natural gas supplier under criminal cyberattack. Update to the Joint Alert on Zimbra exploitation. Addition to CISA's Known Exploited Vulnerabilities Catalog. Johannes Ullrich from SANS on Control Plane vs. Data Plane vulnerabilities. Our guest is David Nosibor, Platform Solutions Lead for UL to discuss SafeCyber Phase II. And, finally, targeting and trolling, with an excursus on Speedos. Really.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/162

Selected reading.

New Iranian APT data extraction tool (Google)

LockBit gang hit by DDoS attack after Entrust leaks (Register)

Former security chief claims Twitter buried ‘egregious deficiencies’ (Washington Post)

Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies (CNN)

Twitter’s Ex-Security Head Files Whistleblower Complaint (Wall Street Journal)

Deception, Bots, and Foreign Agents: The Twitter Whistleblower’s Biggest Allegations (Time)

The Ministry of Digital Transformation, State Service of Special Communication and Information Protection and the Council of Ministers of the Republic of Poland signed Memorandum of understanding in the cybersecurity field. (State Service of Special Communication and Information Protection)

Greek natural gas operator suffers ransomware-related data breach (BleepingComputer)

Greek gas operator refuses to negotiate with ransomware group after attack (The Record by Recorded Future)

Announcement | (DESF)

Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA)

US government really hopes you've patched your Zimbra server (Register)

CISA Adds One Known Exploited Vulnerabilities to Catalog (CISA)

Speedo-wearing Russian tourists leak defence secrets on Twitter (The Telegraph)

Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon.And data-tampering attacks are regarded as a growing risk. Aug 22, 2022

Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. Rick Howard on the RSA Security Breach of 2011 and the Equifax breach of 2017. Caleb Barlow on what does a recession mean for cyber security venture capital and what is the impact of this on the industry? And data-tampering attacks are regarded as a growing risk.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/161

Selected reading.

WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware (BleepingComputer)

Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads (Sucuri Blog)

Car blast kills daughter of Russian known as 'Putin's brain' (AP NEWS)

Russia blames Kyiv for killing daughter of ‘Putin’s Rasputin’, but the truth may be closer to home (The Telegraph)

Alexander Dugin's daughter killed by anti-war Russians: Former state deputy (Newsweek)

Estonia Repels Biggest Cyber-Attack Since 2007 (Infosecurity Magazine)

Estonia's Battle Against a Deluge of DDoS Attacks (Infosecurity Magazine)

Latvia Starts Removing Soviet Monument in Challenge to Russia (Bloomberg)

Data-tampering attacks are a 'nightmare' threat that's hard to detect (Protocol)

Roya Gordon: Becoming a trailblazer. [Research] [Career Notes] Aug 21, 2022

Roya Gordon, a Security Research Evangelist at ICS cybersecurity firm Nozomi Networks, started her career as an intelligence specialist in the U.S. Navy. After her time serving, Roya spent time as a Control Systems Cybersecurity Analyst at the Idaho National Laboratory and then took the role of Cyber Threat Intelligence Manager at Accenture. She shares her story after the NSA accepted her and then quickly diverted, creating a new path for Roya to follow. She shares the jobs she went after along the way, leading up to Nozomi Networks and how she wishes to be a trailblazer for young black women everywhere. She hopes to shape young women's minds on what the cybersecurity industry is actually like, in hopes that she can be a figure people look up to. We thank Roya for sharing her story.

Clipminer: Making millions off of malware. [Research Saturday] Aug 20, 2022

Dick O'Brien from Symantec, a part of Broadcom Software, joins Dave to discuss how the cyber-criminal operation, Clipminer Botnet, makes operators behind it at least $1.7 million. Symantec's research says "The malware being used, tracked as Trojan.Clipminer, has a number of similarities to another crypto-mining Trojan called KryptoCibule, suggesting it may be a copycat or evolution of that threat."

Symantec determined that the malware has the ability to mine for cryptocurrency using compromised computers’ resources. They also share a way to protect against the cyber-criminal operation, as well as sharing some indicators you could be compromised.

The research can be found here:

Clipminer Botnet Makes Operators at Least $1.7 Million

Notes on the hybrid war. Criminal gang hits travel and hospitality sectors. Additions to CISA's Known Exploited Vulnerabilities Catalog. CISA issues five ICS security advisories. Aug 19, 2022

Killnet claims a DDoS campaign against Estonia. The head of GCHQ calls Russian cyber operations a failure. US Cyber Command concludes its "hunt forward" mission in cooperation with Croatia. A criminal gang targets the travel and hospitality sectors. Thomas Pace of NetRise shares insights on firmware vulnerabilities. Daniel Floyd from BlackCloak on Quantifying the Business Need for Digital Executive Protection. CISA issues five ICS security advisories.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/160

Selected reading.

Estonia says it repelled major cyber attack after removing Soviet monuments (Reuters)

There’s a chance regular people didn’t even notice: expert on Russian cyber attack (TVP World)

Estonia says it repelled a major cyberattack claimed by Russian hackers. (New York Times)

The head of GCHQ says Vladimir Putin is losing the information war in Ukraine (The Economist)

Cyber Command deployed 'hunt forward' defenders to Croatia to help secure systems (The Record by Recorded Future)

U.S. Cyber Command completes defensive cyber mission in Croatia (CyberScoop)

You Can’t Audit Me: APT29 Continues Targeting Microsoft 365 (Mandiant)

Reservations Requested: TA558 Targets Hospitality and Travel (Proofpoint)

Cybercrime Group TA558 Ramps Up Email Attacks Against Hotels (Decipher)

CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)

Siemens Linux-based Products (Update G) (CISA)

Siemens Industrial Products LLDP (Update B) (CISA)

Siemens OpenSSL Affected Industrial Products (CISA)

Mitsubishi Electric MELSEC Q and L Series (CISA)

Mitsubishi Electric GT SoftGOT2000 (CISA)

BlackByte’s back, as BlackByte 2.0. Iranian cyber ops against Israel. Wipers and cyberespionage as tools in Russia’s hybrid war. Cyber war clauses coming to cyber insurance policies. Aug 18, 2022

BlackByte is back. Iran suspected of cyber operations against four Israeli sectors. A look at wipers as a tool in hybrid war. A Russian cyber ops scorecard. Josh Ray from Accenture on how dark web actors are focusing on VPNs. Our guest is Corey Nachreiner from WatchGuard with findings of their latest Internet Security Report. Cyber war clauses coming to cyber insurance policies.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/159

Selected reading.

BlackByte ransomware gang is back with new extortion tactics (BleepingComputer)

Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant (Mandiant)

Russia-Ukraine cyberwar creates new malware threats (VentureBeat)

Global Threat Landscape Report: A Semiannual Report by FortiGuard Labs (Fortinet)

Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave SpiderLabs)

Lloyd’s sets requirements for state-backed cyber attack exclusions (Insurance Day)

Cyber incidents and lessons from Russia's hybrid war. Zimbra vulnerabilities exploited. New Lazarus Group activity reported. ICS security advisories .Insider trading charges from 2017 Equifax breach. Aug 17, 2022

A DDoS attack against a Ukrainian nuclear power provider. The US Army draws some lessons from the cyber phases of Russia's hybrid war. Vulnerabilities in Zimbra are undergoing widespread exploitation.Reports of new Lazarus Group activity. CISA releases eight ICS security advisories. Carole Theriault looks at scammers and cryptocurrencies. Our guest is Jennifer Reed from Aviatrix on the changing landscape of cloud security. And the SEC charges three with insider trading during the 2017 Equifax breach.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/158

Selected reading.

Ukrainian Nuclear Operator Accuses Russians Hackers Of Attacking Its Website (RadioFreeEurope/RadioLiberty)

Ukraine nuclear power company says Russia attacked website (Al Jazeera)

Ukraine Nuclear Operator Reports Cyberattack on Its Website (The Defense Post)

How electronic warfare is reshaping the war between Russia and Ukraine (The Record by Recorded Future)

Army lesson from Ukraine war: cyber, EW capabilities not decisive on their own (FedScoop)

Learning from Ukraine, Army cyber schoolhouse focuses on electromagnetic spectrum (Breaking Defense)

Cyber and full-spectrum operations push the Great Power conflict left of boom (Breaking Defense)

Microsoft Exchange alternative Zimbra is getting widely exploited, 1000s hit (The Stack)

CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suit (CyberWire)

Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA)

A signed Mac executable… (ESET)

Yokogawa CENTUM Controller FCS (CISA)

LS ELECTRIC PLC and XG5000 (CISA)

Delta Industrial Automation DRAS (CISA)

Softing Secure Integration Server (CISA)

B&R Industrial Automation Automation Studio 4 (CISA)

Emerson Proficy Machine Edition (CISA)

Sequi PortBloque S (CISA)

Siemens Industrial Products with OPC UA (CISA)

U.S. SEC charges 3 people with insider trading tied to Equifax hack (Reuters)

SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement (US Securities and Exchange Commission)

CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suite. [CISA Cybersecurity Alerts} Aug 17, 2022

CISA and the Multi-State Information Sharing & Analysis Center, or MS-ISAC are publishing this joint Cybersecurity Advisory in response to active exploitation of multiple Common Vulnerabilities and Exposures against Zimbra Collaboration Suite, an enterprise cloud-hosted collaboration software and email platform.

AA22-228A Alert, Technical Details, and Mitigations

Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925

Hackers are actively exploiting password-stealing flaw in Zimbra

CISA adds Zimbra email vulnerability to its exploited vulnerabilities catal…

CVE-2022-27925 detail

Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925

CVE-2022-37042 detail

Authentication bypass in MailboxImportServlet vulnerability

CVE-2022-30333 detail

UnRAR vulnerability exploited in the wild, likely against Zimbra servers

Zimbra Collaboration Kepler 9.0.0 patch 25 GA release

Zimbra UnRAR path traversal

Operation EmailThief: Active exploitation of zero-day XSS vulnerability in…

Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Russian cyberespionage and influence op disrupted. RedAlpha versus Chinese minorities and (of course) Taiwan. Evil PLC proof-of-concept. Cl0p takes a poke at a water utility. Aug 16, 2022

Microsoft identifies and disrupts Russian cyberespionage activity. An update on RedAlpha. An evil PLC proof-of-concept shows how programmable logic controllers could be "weaponized." Ben Yelin has an update on right to repair. Our guest is Arthur Lozinski of Oomnitza with a look at attack surface management maturity. And the Cl0p gang hits an English water utility (but tries to extort the wrong one–stuff happens, y’know?).

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/157

Selected reading.

Disrupting SEABORGIUM’s ongoing phishing operations (Microsoft Security

Microsoft disrupts Russian-linked hackers targeting NATO countries (Breaking Defense)

Microsoft Announces Disruption of Russian Espionage APT (SecurityWeek)

Microsoft disrupts Russia-linked hacking group targeting defense and intelligence orgs (The Record by Recorded Future)

Microsoft shuts down accounts linked to Russian spies (Register)

RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations (Recorded Future)

Hackers linked to China have been targeting human rights groups for years (MIT Technology Review)

Evil PLC Attack: Using a Controller as Predator Rather than Prey (Claroty)

Hackers attack UK water supplier but extort wrong victim (BleepingComputer)

South Staffordshire Water victim of cyber attack, customers not at risk (Computing)

South Staffordshire Water says it was target of cyber attack as criminals bungle extortion attempt (Sky News)

Shuckworm and Killnet continue to hack in the interest of Russia. Iron Tiger's supply chain campaign. TikTok and national security. And an arrest in the case of the Tornado Cash crypto mixer. Aug 15, 2022

Shuckworm maintains its focus on Ukrainian targets. Killnet's DDoS and dubious proof-of-work. Iron Tiger's supply chain campaign. TikTok and national security. Dinah Davis from Arctic Wolf shares insights on Dark Utilities. Rick Howard digs into identity management. And an arrest in the case of the Tornado Cash crypto mixer.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/156

Selected reading.

Shuckworm: Russia-Linked Group Maintains Ukraine Focus (Symantec)

Killnet Releases 'Proof' of its Attack Against Lockheed Martin (SecurityWeek)

Killnet greift lettisches Parlament an (Tagesspiegel)

Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (Trend Micro)

How Frustration Over TikTok Has Mounted in Washington (New York Times)

3 ways China's access to TikTok data is a security risk (CSO Online)

Arrest of suspected developer of Tornado Cash (FIOD)

Tornado Cash Developer Arrested After U.S. Sanctions the Cryptocurrency Mixer (The Hacker News)

Arrested Tornado Cash developer is Alexey Pertsev, his wife confirms (The Block)

Red teamer's perspective on demotivating attackers. [CyberWire-X] Aug 14, 2022

Cybercriminals are motivated by one simple incentive - money. Their favorite tools are bots to leverage sophistication, scalability, and ease of use. The effect is the creation of the underground bot ecosystem. This community allows threat actors to work together and continually improve their tactics. They sell bypasses for rule-based anti-bot solutions to other less technical fraudsters.

In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Etay Maor. Cato Networks’ Senior Director Security Strategy. They discuss this reality that has put defenders at a serious disadvantage and the mitigation steps to consider for future attacks.. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Kasada's founder Sam Crowther talking about what he saw first-hand as a red teamer at a major Australian bank and what inspired him to reimagine bot mitigation with the founding principle of undermining the attacker’s ROI.

Christian Lees: it's not always textbook. [CTO] [Career Notes] Aug 14, 2022

Christian Lees, CTO at Resecurity, shares his story and insight on coming into the cybersecurity world. He considers himself a late bloomer because he did not go to college until he was 23. He wasn’t sure of what he wanted to do, and a family friend gave him a computer and the rest was history, he says. He fell in love with computers and started working at different companies trying to get ahead. He says it's not always textbook, and sometimes you just need to cut your teeth on something to get where you're going. Throughout his journey, he was constantly questioning whether he made the right decision, and in the end he says you have to be willing to "define friction points in it, you may join security field, not knowing what you're gonna do, but by being that curious person and breaking things and putting it back together, you'll find the right way and just never stop being curious." We thank Christian for sharing his story.

Fake job ads and how to spot them. [Research Saturday] Aug 13, 2022

Ashley Taylor from SANS.edu, joins Dave to discuss fake job ads and methods to proactively detect these scams. The research shares how job seekers are under attack, with scammers posing as fake job recruiters to steal information from people who are interested in the job posting. The brands being impersonated as are at risk of losing credibility to their brand identity.

The research shares exactly how these doppelgängers are posing a threat to job seekers and the best practices to detect these scams. It also shares how one company that works in medical device manufacturing industry has been a target for these scams. It concludes with sharing some of the ways to proactively spot these scams before they happen.

The research can be found here:

Doppelgängers: Finding Job Scammers Who Steal Brand Identities

The optempo of a hybrid war's cyber phase. Hacktivists as cyber partisans. Zeppelin ransomware alert. DoNot Team update. Rewards for Justice offers $10 million for info on Russian bad actors. Aug 12, 2022

The optempo of the war's cyber phase, and Ukraine’s response. Organizing and equipping hacktivists. Joint warning on Zeppelin ransomware. Update on the DoNot Team, APT-C-35. Rewards for Justice offers $10 million for information on Conti operators. Rob Boyce from Accenture shares insights from BlackHat. Caleb Barlow ponders closing the skills gap while shifting to remote work. And, hey, Mr. Target: pick one, OK?

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/155

Selected reading.

Black Hat 2022‑ Cyberdefense in a global threats era (WeLiveSecurity)

How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future)

#StopRansomware: Zeppelin Ransomware (CISA)

APT-C-35: New Windows Framework Revealed (Morphisec)

The US Offers a $10M Bounty for Intel on Conti Ransomware Gang (Wired)

CISA Alert AA22-223A – #StopRansomware: Zeppelin Ransomware. [CISA Cybersecurity Alerts} Aug 11, 2022

Zeppelin ransomware functions as a ransomware-as-a-service (RaaS), and since 2019, actors have used this malware to target a wide range of businesses and critical infrastructure organizations. Actors use remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing campaigns to gain initial access to victim networks and then deploy Zeppelin ransomware to encrypt victims’ files.

AA22-223A Alert, Technical Details, and Mitigations

Zeppelin malware YARA signature

What is Zeppelin Ransomware? Steps to Prepare, Respond, and Prevent Infection

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed TTPs and IOCs to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Dispatches from a hybrid war. CISA releases its election cybersecurity toolkit. Post-incident disruption at NHS is expected to last at least three weeks. Cisco discloses a security incident. Aug 11, 2022

KillMilk says his crew downed Lockheed Martin's website. Industroyer2, and what became of it. CISA releases its election cybersecurity toolkit. Post-incident disruption at Britain’s NHS. Carl Wright of AttackIQ shares strategies for CISOs to successfully prepare for the next attack. Dr. Christopher Pierson from Blackcloak joins us from Black Hat. And Cisco seems to have thwarted a security incident.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/154

Selected reading.

Russian hacking group claims attack on Lockheed Martin (SiliconANGLE

HIMARS-Maker Lockheed Martin "confident" against Russian hackers (Newsweek)

Industroyer2: How Ukraine avoided another blackout attack (SearchSecurity)

Researchers Look Inside Russian Malware Targeting Ukrainian Power Grid (PCMAG)

CISA Releases Toolkit of Free Cybersecurity Resources for Election Community (CISA)

Cybersecurity Toolkit to Protect Elections (CISA)

NHS staff told to plan for three weeks of disruption following cyberattack (Computing)

Major NHS IT outage to last for three weeks (The Independent)

Exclusive: NHS chiefs fear cyber attackers have accessed patient data (Health Service Journal)

Cisco Event Response: Corporate Network Security Incident (Cisco)

Cisco Talos shares insights related to recent cyber attack on Cisco (Cisco Talos)

Cisco confirms May attack by Yanluowang ransomware group (The Record by Recorded Future)

Cisco Hit by Cyberattack From Hacker Linked to Lapsus$ Gang (Bloomberg)

Cisco's own network compromised by gang with Lapsus$ links (Register)

Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (BleepingComputer)

Patches, and some incentive to apply them. Hacktivism, privateering, and patriotic banditry in Russia’s hybrid war. Aug 10, 2022

Patch notes, and the risks associated with failure to patch. Finland's parliament comes under cyberattack. Killnet says there will be blood, but they may just be grandstanding for the home crowd. Cyberattacks against a UK firm that's criticized Russia's war. We’re joined by FBI Cyber Division AD Bryan Vorndran and Adam Hickey, deputy assistant attorney general for the National Security Division with an introduction to Watchguard. Our guest is Matthew Warner from Blumira with tips on avoiding burnout. And not all criminal organizations are working for Russia.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/153

Selected reading.

Already Exploited Zero-Day Headlines Microsoft Patch Tuesday (SecurityWeek)

Microsoft August 2022 Patch Tuesday fixes exploited zero-day, 121 flaws (BleepingComputer).

IBM Patches High-Severity Vulnerabilities in Cloud, Voice, Security Products (SecurityWeek)

Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader (SecurityWeek)

ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities (SecurityWeek)

VMSA-2022-0022 (VMware)

Emerson OpenBSI (CISA)

Emerson ControlWave (CISA)

Mitsubishi Electric GT SoftGOT2000 (CISA)

Multiple attackers increase pressure on victims, complicate incident response (Sophos News)

Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities (Fortinet Blog)

NBI launches probe into attack on Finnish Parliament site (Yle)

Russian hacker warns cyberwarfare will turn deadly (Newsweek)

Suspected Russian cyber attack on British soil as firm subjected to ‘daily’ hacks (The Telegraph)

Meet DUMPS Forum: A pro-Ukraine, anti-Russia cybercriminal forum | Digital Shadows (Digital Shadows)

Cyberespionage against belligerents' industry. Tornado Cash sanctions. Data breaches at Twilio and Klayvio. Intercept tools and policies in Canada. Aug 09, 2022

Tracking apparent Chinese industrial cyberespionage. Tornado Cash sanctions. Twilio discloses a breach. Social engineering exposes data at Klaviyo. Microsoft’s Ann Johnson previews the latest season of Afternoon Cyber Tea. Joe Carrigan tracks the growth in cryptojacking. And what might the Mounties be monitoring?

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/152

Selected reading.

Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China (SecurityWeek)

China-linked spies used six backdoors to steal defense info (Register)

U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash (U.S. Department of the Treasury)

Twilio hacked by phishing campaign (TechCrunch)

Twilio, a texting platform popular with political campaigns, reports breach (CyberScoop)

Incident Report: Employee and Customer Account Compromise - August 4, 2022 (Twilio Blog)

Email marketing firm hacked to steal crypto-focused mailing lists (BleepingComputer)

RCMP has used spyware to access targets’ communications as far back as 2002: Senior Mountie (Global News)

RCMP says it has not used Pegasus spyware (POLITICO)

Cybersecurity is a team sport. [CyberWire-X] Aug 09, 2022

In order to run a successful SOC, security leaders rely on tools with different strengths to create layers of defense. This has led to a highly siloed industry with over 2,000 vendors, each with their own specific function and who very seldom work together. To gain an advantage on attackers, we need to start seeing cybersecurity as a team sport–united for a shared mission.

In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by two Hash Table members, Ted Wagner, CISO at SAP National Security Services, and Jenn Reed, CISO at Aviatrix. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor ExtraHop's Senior Product Marketing Manager, Chase Snyder, and CrowdStrike's Head of Product Marketing, Janani Nagarajan .They discuss why and how vendors should work together to enable better integrated security for their customers. They’ll answer questions like “what is XDR?” and “how do I get my vendors to work together?”.

Wipers, tak; grid takedown, nyet. Twitter 0-day exploited before patching. NHS 111 recovering from cyberattack. Notes on the C2C underworld. Aug 08, 2022

Shifting cyber threats during Russia's war against Ukraine. A Twitter exploit may have compromised more than 5 million accounts. A Cyberattack disrupts NHS 111. Developments in the C2C market. An alleged Russian cryptocurrency exchange operator is extradited to the US. Rick Howard looks at FinTech. Andrea Little Limbago from Interos on Industrial policy and the tech divide. And a Crypto mixing service has been sanctioned by the US Treasury Department.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/151

Selected reading.

ESET Threat Report T 1 2022 (WeLiveSecurity)

Twitter confirms zero-day used to expose data of 5.4 million accounts (BleepingComputer)

NHS 111 software outage confirmed as cyber-attack (BBC News)

Ministers coordinate response after cyber-attack hits NHS 111 (the Guardian)

Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (BleepingComputer)

Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns (Cisco Talos)

Genesis Brings Polish to Stolen-Credential Marketplaces (Sophos)

Cyber-related Designation (U.S. Department of the Treasury)

U.S. imposes sanctions on virtual currency mixer Tornado Cash (Reuters)

Crypto Mixing Service Tornado Cash Blacklisted by US Treasury (CoinDesk)

Alleged Russian Cryptocurrency Money Launderer Extradited to United States (US Department of Justice)

Russian accused of money laundering and running $4B bitcoin exchange extradited to US | CNN Politics (CNN)

Anna Belak: Acquiring skills to make you into a unicorn. [Thought Leadership] [Career Notes] Aug 07, 2022

Anna Belak, Director of Thought Leadership at Sysdig, shares her story from physics to cyber. Anna explains how she went into college with the thinking of getting a physics degree and then for her PhD decided to switch to material science and engineering. Both were not something she enjoyed and ultimately decided to go into cyber. She shares some advice on how you should never limit yourself to your degree, as well as always learning new skills and honing in on skills you already have. She say's by doing these things it will make you into a unicorn, meaning if you are good at one thing and teach yourself to be good at something else, you will become that much more valuable. Anna hopes she makes an impact with the people she works with, she hopes they will want to work with her even long after she leaves a company. We thank Anna for sharing her story.

Iran-linked Lyceum Group adds a new weapon to its arsenal. [Research Saturday] Aug 06, 2022

Deepen Desai from Zscaler's ThreatLabz joins Dave to discuss how APTs, like Lyceum Group, create tactics and malware to carry out attacks against their targets. The Lyceum group has been active since 2017 and is a state-sponsored Iranian APT group. This group targets Middle Eastern organizations most notably in the energy and telecommunication sectors, and they rely heavily on .NET based malwares.

Zscaler said in their research they "recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET based malware targeting the Middle East by copying the underlying code from an open source tool." They go on to give an analysis explaining why the .NET based DNS backdoor is causing problems.

The research can be found here:

Lyceum .NET DNS Backdoor

CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. CISA and ACSC issue a joint advisory on top malware strains. Aug 05, 2022

CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. Andy Robbins of SpecterOps to discuss Attack Paths in Azure. Denis O'Shea of Mobile Mentor talking on the intersection of endpoint security and employee experience. CISA and ACSC issue a joint advisory on top malware strains.

for links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/150

Selected reading.

Quarterly Adversarial Threat Report (Meta)

Meta took down Russian troll farm that supported country’s invasion of Ukraine (The Hill)

Russia's Infamous Troll Farm Is Back -- and Sh*tting the Bed (Rolling Stone)

Meta’s threat report highlights clumsy attempt to manipulate Ukraine discourse (TechCrunch)

Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations (Mandiant)

CISA Alert AA22-216A – 2021 top malware strains. (The CyberWire)

2021 Top Malware Strains (CISA)

Digi ConnectPort X2D (CISA)

Cisco Releases Security Updates for RV Series Routers (CISA)

Ukraine claims to have taken down a massive Russian bot farm. Were Russian cyber operations premature? Report: Emergency Alert System vulnerable to hijacking. And more crypto looting. Aug 04, 2022

Ukraine claims to have taken down a massive Russian bot farm. Russian cyber operations may have been premature. A report says Emergency Alert Systems might be vulnerable to hijacking. The Mirai botnet may have a descendant. Adam Flatley from Redacted with a look back at NotPetya. Ryan Windham from Imperva takes on Bad Bots. Attacks on a cryptocurrency exchange attempt to bypass 2FA. Solana cryptocurrency wallets looted.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/149

Selected reading.

Ukraine takes down 1,000,000 bots used for disinformation (BleepingComputer)

Did Russia mess up its cyberwar with Ukraine before it even invaded? (Washington Post)

So RapperBot, What Ya Bruting For? (Fortinet Blog)

Gaming Respawned (Akamai)

Coinbase Attacks Bypass 2FA (Pixm Anti-Phishing)

Thousands of Solana wallets drained in multimillion-dollar exploit (TechCrunch)

Thousands of Solana Wallets Hacked in Crypto Cyberattack (Wall Street Journal)

Solana, USDC Drained From Wallets in Attack (Decrypt)

Ongoing solana attack targets thousands of crypto wallets, costing users more than $5 million so far (CNBC)

Solana and Slope Confirm Wallet Security Breach (Crypto Briefing)

How Hackers Target Bridges Between Blockchains for Crypto Heists (Wall Street Journal)

CISA Alert AA22-216A – 2021 top malware strains. [CISA Cybersecurity Alerts] Aug 04, 2022

This joint Cybersecurity Advisory was coauthored by CISA and the Australian Cyber Security Centre, or ACSC. This advisory provides details on the top malware strains observed in 2021.

AA22-216A Alert, Technical Details, and Mitigations

For alerts on malicious and criminal cyber activity, see the FBI Internet Crime Complaint Center webpage.

For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, U.S. Government webpage providing ransomware resources and alerts.

The ACSC recommends organizations implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a cybersecurity baseline. These strategies, known as the “Essential Eight,” make it much harder for adversaries to compromise systems.

Refer to the ACSC’s practical guides on how to protect yourself against ransomware attacks and what to do if you are held at ransom at cyber.gov.au.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Tories delay leadership vote over security concerns. Cyber phases of Russia’s hybrid war. CHinese patriotic hacktivism vs. Taiwan. Malware designed to abuse trust. Putting a price on your privacy. Aug 03, 2022

Tories delay a leadership vote over security concerns. A summary of the cyber phases of the hybrid war. Cyberattacks affect three official sites in Taiwan. Malware designed to abuse trust. Gunter Ollmann of Devo to discuss how Cybercriminals are Winning the AI Race. Renuka Nadkarni of Aryaka explains enterprises can recession proof security architecture. Plus, putting a price on your privacy.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/148

Selected reading.

Tory leadership vote delayed after GCHQ hacking alert (The Telegraph)

Nozomi Networks Labs Report: Wipers and IoT Botnets Dominate the Threat Landscape – Manufacturing and Energy at Highest Risk (Nozomi Networks)

Those Pelosi-inspired cyberattacks in Taiwan probably weren't all they were cracked up to be (Washington Post)

Increase in Chinese "Hacktivism" Attacks (SANS Internet Storm Center)

Cyberattacks crashed several Taiwanese government websites hours before Pelosi’s visit. (New York Times)

Taiwan presidential office website hit by cyberattack ahead of Pelosi visit (POLITICO)

Taiwanese government sites disrupted by hackers ahead of Pelosi trip (The Record by Recorded Future)

Deception at a scale (VirusTotal)

The Price Cybercriminals Charge for Stolen Data (SpiderLabs Blog)

Nomad cryptocurrency bridge looted. BlackCat ransomware hits Europenan energy company. DSIRF disputes Microsoft's report on cyber mercenaries. Are there spies under Mr. Putin’s long table? Aug 02, 2022

Nomad cryptocurrency bridge is looted. The BlackCat ransomware gang hits a Luxembourgeois energy company. DSIRF disputes Microsoft's characterization of the Austrian firm as cyber mercenaries. Ben Yelin looks at privacy concerns in the education software market. Our guest is PJ Kirner from Illumio to discuss Zero Trust Segmentation. And, finally, are there spies under Mr. Putin’s very very long table?

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/147

Selected reading.

Crypto Firm Nomad Loses Nearly $200 Million in Bridge Hack (Bloomberg)

Crypto Bridge Nomad Drained of Nearly $200M in Exploit (CoinDesk)

Nomad token bridge drained of $190M in funds in security exploit (Cointelegraph)

Nomad token bridge hacked in nearly $200 million exploit (mint)

BlackCat ransomware gang hits Luxembourg energy supplier Creos (Computing)

Luxembourg energy provider Encevo Group battles ransomware attack by BlackCat (Tech Monitor)

BlackCat ransomware claims attack on European gas pipeline (BleepingComputer)

Luxembourg energy companies struggling with alleged ransomware attack, data breach (The Record by Recorded Future)

Austrian spy firm accused by Microsoft says hacking tool was for EU states (Reuters)

Dilyana Gaytandzhieva: Putin’s Elite Inner Circle Infiltrated By Nato Informants (SouthFront)

GEC Special Report: Pillars of Russia’s Disinformation and Propaganda Ecosystem (US Department of State)

KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp. Aug 01, 2022

KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp. Rick Howard previews season ten of the CSO Perspectives podcast. Our guest is Nate Kharrl of SpecTrust on deploying fraud detection at the gateway. And a heartfelt farewell to a woman who’s inspiration lives on.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/146

Selected reading.

Cyberactivist Group Killnet Declares War on Lockheed Martin (Sputnik)

Russian Hackers Target U.S. HIMARS Maker in 'New Type of Attack': Report (Newsweek)

Founder of pro-Russian hacktivist Killnet quitting group (SC Magazine)

Huge network of 11,000 fake investment sites targets Europe (BleepingComputer)

Microsoft links Raspberry Robin malware to Evil Corp attacks (BleepingComputer)

Microsoft ties novel ‘Raspberry Robin’ malware to Evil Corp cybercrime syndicate (The Record by Recorded Future)

FakeUpdates malware delivered via Raspberry Robin has possible ties to EvilCorp (SC Magazine)

Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself (Microsoft Security)

Australia charges dev of Imminent Monitor RAT used by domestic abusers (BleepingComputer)

Brisbane teenager built spyware used by domestic violence perpetrators across world, police allege (the Guardian)

Larry Cashdollar: Always learning new technology. [Intelligence response engineer] [Career Notes] Jul 31, 2022

Larry Cashdollar, Principal Security Intelligence Response Engineer at Akamai Technologies, sits down with Dave Bittner to discuss his life leading up to working at Akamai. He shares his story from his beginnings to now, describing what college life was like as a young computer enthusiast. He says "If you look at my 1986 yearbook, I think it was my sixth grade class, it says computer scientist for my career path. So I had a love of computers when I was really young. I guess I knew what field I wanted to get into right off the bat." He describes different career paths that all led him to his current position. He also shares his love for computers and technology through the decades of his youth, and how he is learning, even now. We thank Larry for sharing his story.

What malicious campaign is lurking under the surface? [Research Saturday] Jul 30, 2022

Israel Barak, CISO from Cybereason, sits down with Dave to discuss their research, "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation." Cybereason researchers recently found an attack lurking beneath the surface which was assessed to be the work of Chinese APT Winnti. Cybereason briefed the FBI and the DOJ on the investigation into the malicious campaign.

The research states, "For years, the campaign had operated undetected, siphoning intellectual property and sensitive data." The team quickly made two reports on the campaign, one sharing an examination on the tactics and techniques. The second gives a detailed analysis of the malware and exploits used.

The research can be found here:

Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation

Hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Notes on the C2C market. Rewards for Justice seeks some righteous snitches. Jul 29, 2022

Anonymous's hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Phishing in the IPFS. Update on the initial access criminal-to-criminal market and its effect on MSPs. Cyber gangs move away from malicious macros. Thomas Etheridge from CrowdStrike on managed detection and response. Rick Howard sits down with Art Poghosyan from Britive to discuss DevSecOps and Identity Management. And Rewards for Justice seeks some righteous snitches.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/145

Selected reading.

Putin 'embarrassed' as hackers launch cyber war on Russian President over Ukraine invasion (Express.co.uk)

Is Anonymous Rewriting the Rules of Cyberwarfare? Timeline of Their Attacks Against the Russian Government (Website Planet)

HolyGhost’s Bargain Basement Approach To Ransomware (Digital Shadows)

IPFS: The New Hotbed of Phishing (Trustwave)

Threat Advisory: Hackers Are Selling Access to MSPs (Huntress) We’re currently monitoring a situation that entails a hacker selling access to an MSP with access to 50+ customers, totaling 1,000+ servers.

Experts warn of hacker claiming access to 50 U.S. companies through breached MSP (The Record by Recorded Future)

How Threat Actors Are Adapting to a Post-Macro World (Proofpoint)

Rewards for Justice – Reward Offer for Information on Russian Interference in U.S. Elections (United States Department of State)

SSSCIP and CISA sign memorandum of cooperation. Tailored security services, or just hired guns? Bringing PSOAs to heel. More credential-harvesting. Jul 28, 2022

SSSCIP and CISA sign a memorandum of cooperation. Are private-sector offensive actors tailored security services, or are they just hired guns? Bringing cyber mercenaries to heel. Malek Ben Salem from Accenture on why crisis management is at the heart of ransomware resilience. Our guest is Derek Manky from Fortinet on the World Economic Forum Partnership Against Cybercrime. And more credential-harvesting scams are out in the wild.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/144

Selected reading.

United States and Ukraine Expand Cooperation on Cybersecurity (CISA)

US, Ukraine sign pact to expand cooperation in cyberspace (The Hill)

Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits (Microsoft Security)

Continuing the fight against private sector cyberweapons (Microsoft On the Issues)

Experts Urge Congress to Pressure Commercial Spyware Vendors (Decipher)

Mirroring Actual Landing Pages for Convincing Credential Harvesting (Avanan)

The cost of a data breach as an economic drag. Personal apps as a potential business risk. Why so little ransomware in Ukraine? Employee engagement study reaches predictably glum conclusions. Jul 27, 2022

IBM reports on the cost of a data breach. Personal apps as a potential business risk. Over on the dark side, there’s help wanted in the C2C labor market. An employee engagement study reaches predictably glum conclusions. Betsy Carmelite from Booz Allen Hamilton on reducing software supply chain risks with SBOMs. Our guest is Elaine Lee from Mimecast discussing the pros and cons of AI in cybersecurity. And Why so much attempted DDoS, but not so much ransomware?

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/143

Selected reading.

IBM Report: Consumers Pay the Price as Data Breach Costs Reach All-Time High (IBM Newsroom)

Cost of a Data Breach Report 2022 (IBM Security)

Netskope Threat Research: Data Sprawl Creating Risk for Organizations Worldwide as Personal App Use in Business Continues to Rise (PR Newswire)

Financial Incentives May Explain the Perceived Lack of Ransomware in Russia’s Latest Assault on Ukraine (Council on Foreign Relations)

Tessian | 1 in 3 Employees Do Not Understand the Importance of Cybersecurity at Work, According to New Report (RealWire)

LockBit gets an upgrade. CosmicStrand UEFI firmware rootkit. Treating thieves like white hats? Most-impersonated brands. AV-Test's Twitter account is hijacked. The cyber phase of a hybrid war. Jul 26, 2022

LockBit gets an upgrade. CosmicStrand firmware rootkit is out in a new and improved version. Are thieves being treated like white hats? AV-Test's Twitter account is hijacked. Joe Carrigan considers the mental health effects of the online scam economy. Mr. Security Answer Person John Pescatore ponders the cybersecurity talent gap. And ongoing speculation on the cyber phase of the hybrid war.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/142

Selected reading.

LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities (Trend Micro)

CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit (Securelist)

Crypto Firms Make Thieving Hackers an Offer: Keep a Little, Give Back the Rest (Wall Street Journal)

Phishers’ Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks (Vade Secure)

Testing times for AV-Test as Twitter account hijacked by NFT spammers (Graham Cluley)

Ukraine fall-out and new ransomware tactics elevate cyber risks (Strategic Risk Europe)

Ed’s note: The Ukrainian-Russian cyber war no one speaks about (Smart Energy)

The minor mystery of GPS-jamming. Twitter investigates apparent data breach. Ransomware C2 staging discovered. A C2C offering restricted to potential privateers. Jul 25, 2022

The minor mystery of GPS-jamming. Twitter investigates an apparent data breach. Ransomware command and control staging is discovered. Andrea Little Limbago from Interos looks at the intersection of social sciences and cyber. Our guest is Nelly Porter from Google Cloud on the emerging idea of confidential computing. A C2C offering restricted to potential privateers.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/141

Selected reading.

Why Isn’t Russia jamming GPS harder in Ukraine? (C4ISRNet)

Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k (9to5Mac)

Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum (The Record by Recorded Future)

Russian Ransomware C2 Network Discovered in Censys Data (Censys)

Researcher finds Russia-based ransomware network with foothold in U.S. (The Record by Recorded Future)

New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates (SecurityWeek)

The great overcorrection: shifting left probably left you vulnerable. Here’s how you can make it right. [CyberWire-X] Jul 24, 2022

Shifting left has been a buzzword in the application security space for several years now, and with good reason – making security an integral part of development is the only practical approach for modern agile workflows. But in their drive to build security testing into development as early as possible, many organizations are neglecting application security in later phases and losing sight of the big picture. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, talks with two Hash Table members, Centene’s VP and CISO for Healthcare Enterprises, Rick Doten, and Akamai’s Advisory CISO, Steve Winterfeld. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Invicti’s Chief Product Officer, Sonali Shah. They discuss the challenges and misunderstandings around shifting left, and provide tips on how organizations can implement web application security program without tradeoffs throughout the whole application security lifecycle.

Mary Writz: Take a negative and make it into a positive. [VP Product Strategy] [Career Notes] Jul 24, 2022

Mary Writz, Vice President of Product Strategy at ForgeRock, shares how each career path she has taken has led her to where she is now. Mary describes how she has been a woman working in a male dominated field for most of her career and how she had to take charge, and she had to get the men to take charge with her. She says "I was often leading people, mostly men older than me, potentially smarter than me, more well paid than me. So I had to learn how to think about galvanizing this group to charge forward with me, even though I was a bit of a minority in that way." She also states that she tells herself to always make a positive out of a negative by showing people how you can respond to what's happening with a lot of energy, focus, and care and that's what got her to where she is today.

Has GOLD SOUTHFIELD resumed operations? [Research Saturday] Jul 23, 2022

Rob Pantazopoulos from Secureworks, joins Dave to discuss their work on "REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence." Secureworks researchers published a new analysis on what can be considered the ‘first’ set of ransomware samples associated with the reemergence. These updated samples indicate that GOLD SOUTHFIELD has resumed operations.

The research states "The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development." Researchers identified two samples, one in October of 2021, and the other in March of 2022. The March sample has modifications that lead researchers to distinguish the two samples from one another.

The research can be found here:

REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence

Espionage and counterespionage during the hybrid war. Assessing Russian cyberops. Conti's fate. Investigating cut Internet cables in France. Trends in “pig-butchering.” Jul 22, 2022

Traditional espionage and counterespionage during the hybrid war. Assessing Russian cyberattacks. Conti's fate and effects. Investigating cut Internet cables in France. My conversation with AD Bryan Vorndran of the FBI Cyber Division on reverse webshell operation and Hafnium. Our guest is Tom Kellermann of VMware to discuss the findings of their Modern Bank Heists report. And, finally the dark online world of “pig-butchering.”

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/140

Selected reading.

UK Spy Chief Sees Russia’s Military Running ‘Out of Steam’ Soon (Bloomberg)

Exhausted Russian army gives Ukraine chance to strike back, says British spy chief (The Telegraph)

'Cut by half' Putin's masterplan backfires as 400 Russian spies thrown out of Europe (Express)

Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief (the Guardian)

MI6 chief: Russia’s spies ‘not having a great war’ in Ukraine (The Record by Recorded Future)

CIA chief says 15,000 Russians killed in war, dismisses Putin health rumors (Washington Post)

CIA Chief Says Russia’s Iran Drone Deal Shows Military Weakness (Bloomberg)

Ukraine confronts Kremlin infiltration threat at unreformed state bodies (Atlantic Council)

US seeking to understand Russia’s failure to project cyber power in Ukraine (Defense News)

Battling Moscow's hackers prior to invasion gave Kyiv 'full dress rehearsal' for today's cyber warfare (CyberScoop)

How Conti ransomware hacked and encrypted the Costa Rican government (BleepingComputer)

Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion (AdvIntel)

Conti Criminals Resurface as Splinter RaaS Groups (Security Boulevard)

The Unsolved Mystery Attack on Internet Cables in Paris (Wired)

Massive Losses Define Epidemic of ‘Pig Butchering’ (KrebsOnSecurity)

Notes on the underworld: emerging, enduring, and vanishing gangs, and their C2C markets. More spearphishing of Ukrainian targets. US CYBERCOM releases IOCs obtained from Ukrainian networks. Jul 21, 2022

A criminal talent broker emerges. Developing threats to financial institutions. Phishing through PayPal. Lessons to be learned from LAPSUS$, post-flameout. More spearphishing of Ukrainian targets. US Cyber Command releases IOCs obtained from Ukrainian networks. Johannes Ullrich from SANS on the value of keeping technology simple. Our guests are Carla Plummer and Akilah Tunsill from the organization Black Girls in Cyber. And not really honor, but honor’s self-interested first cousin.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/139

Selected reading.

Atlas Intelligence Group (A.I.G) – The Wrath of a Titan (Cyberint)

'AIG' Threat Group Launches With Unique Business Model (Dark Reading)

Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities (Proofpoint)

Sending Phishing Emails From PayPal (Avanan)

Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group (Tenable®)

Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities (Mandiant)

Cyber National Mission Force discloses IOCs from Ukrainian networks (U.S. Cyber Command)

The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back (HP Wolf Security)

Cyber phases of Russia’s hybrid war seem mostly espionage. Belgium accuses China of spying. LockBit ransomware spreads. And Micodus GPS tracker vulnerabilities are real and unpatched. Jul 20, 2022

What’s Russia up to in cyberspace, nowadays? Belgium accuses China of cyberespionage. LockBit ransomware spreading through compromised servers. Malek Ben Salem from Accenture explains the Privacy Enhancing Technologies of Federated Learning with Differential Privacy guarantees. Rick Howard speaks with Rob Gurzeev from Cycognito on Data Exploitation. And Micodus GPS tracker vulnerabilities should motivate the user to turn the thing off.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/138

Selected reading.

Continued cyber activity in Eastern Europe observed by TAG (Google)

Declaration by the High Representative on behalf of the European Union on malicious cyber activities conducted by hackers and hacker groups in the context of Russia’s aggression against Ukraine (European Council)

China: Declaration by the Minister for Foreign Affairs on behalf of the Belgian Government urging Chinese authorities to take action against malicious cyber activities undertaken by Chinese actors (Federal Public Service Foreign Affairs)

Déclaration du porte-parole de l'Ambassade de Chine en Belgique au sujet de la déclaration du gouvernement belge sur les cyberattaques (Embassy of the People's Republic of China in the Kingdom of Belgium)

LockBit: Ransomware Puts Servers in the Crosshairs (Broadcom Software Blogs | Threat Intelligence)

Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device (MiCODUS MV720) (BitSight)

CISA released Security Advisory on MiCODUS MV720 Global Positioning System (GPS) Tracker (CISA)

Espionage and cyberespionage. Albania's national IT networks work toward recovery. Malicious apps ejected from Google Play. White House summit addresses the cyber workforce. Notes on cybercrime. Jul 19, 2022

A Cozy Bear sighting. Shaking up Ukraine's intelligence services. Albania's national IT networks continue to work toward recovery. US Justice Department seizes $500k from DPRK threat actors. The FBI warns of apps designed to defraud cryptocurrency speculators. A White House meeting today addresses the cyber workforce. Ben Yelin looks at our right to record police. Our guest is Tim Knudsen, Director of Product Management for Zero Trust at Google Cloud, speaking with Rick Howard. And another trend we’d like to be included out of.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/137

Selected reading.

Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive (Unit 42)

Russian hacking unit Cozy Bear adds Google Drive to its arsenal, researchers say (CyberScoop)

Russian SVR hackers use Google Drive, Dropbox to evade detection (BleepingComputer)

Ukraine’s spy problem runs deeper than Volodymyr Zelensky’s childhood friend (The Telegraph)

Albanian government websites go dark after cyberattack (Register)

On Google Play, Joker, Facestealer, & Coper Banking Malware (Zscaler)

Justice Department seizes $500K from North Korean hackers who targeted US medical organizations (CNN)

Cyber Criminals Create Fraudulent Cryptocurrency Investment Applications to Defraud US Investors (US Federal Bureau of Investigation)

Announcement of White House National Cyber Workforce and Education Summit | The White House (The White House)

Fortinet Announces Free Training Offering for Schools at White House Cyber Workforce and Education Summit (Fortinet)

Not your average side hustle: the women making thousands from 'pay pigs' who enjoy being financially dominated (Business Insider)

Ukraine’s security chief and head prosecutor are out. Cyberattacks hit Albania. APTs prospect journalists. The GRU trolls researchers. CISA to open an attaché office in London. Jul 18, 2022

Ukraine shakes up its security and prosecutorial services. Cyberattacks hit Albania. Advanced persistent threat actors prospect journalists. The GRU is said to be trolling researchers who look into Sandworm. Thomas Etheridge from CrowdStrike on identity management. Our guest is Robin Bell from Egress discussing their Human Activated Risk Report. And CISA opens a liaison office in London.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/136

Selected reading.

Ukraine's Zelenskyy fires top security chief and prosecutor (AP NEWS)

Zelenskiy Ousts Ukraine’s Security Chief and Top Prosecutor (Bloomberg)

Volodymyr Zelensky sacks top aides over 'Russian collaboration' (The Telegraph)

A massive cyberattack hit Albania (Security Affairs)

Information Systems Are Intact, Says Albanian Government after Cyber Attack (Exit - Explaining Albania)

Albania closes down online gov't systems after cyber attack (ANI News).

Albania Shuts Down Digital Services and Government Websites after Cyber Attack (Exit - Explaining Albania)

Hackers pose as journalists to breach news media org’s networks (BleepingComputer)

Cybersecurity Firm: What US Journalists Need To Know About The Foreign Hackers Targeting Them Forbes)

Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine (Dark Reading)

Cybercriminals shift tactics from disruption to data leaks. [CyberWire-X] Jul 17, 2022

On this episode of CyberWire-X, we examine double extortion ransomware. The large-scale cyber events of yesterday – Stuxnet, the Ukraine Power Grid Attack – were primarily focused on disruption. Cybercriminals soon shifted to ransomware with disruption still the key focus – and then took things to the next level with Double Extortion Ransomware.

When ransomware first started to take off as the attack method of choice around 2015, the hacker playbook was focused on encrypting data, requesting payment and then handing over the encryption keys. Their methods escalated with Double Extortion, stealing data as well as encrypting it - and threatening to leak data if they don’t receive payment. We’ve seen with ransomware groups like Maze that they will follow through with publishing private information if not paid.

In the first part of the show, Rick Howard, the CyberWire’s CSO, Chief Analyst, and Senior Fellow, talks with Wayne Moore, Simply Business' CISO and CyberWire Hash Table member, and, in the second half of the show, the CyberWire's podcast host Dave Bittner talks with Nathan Hunstad, episode sponsor Code42’s Deputy CISO. They discuss how classic ransomware protection such as offsite backups are no longer enough. They explain that Double Extortion means that you need to understand what data has been stolen and weigh the cost of paying with the cost of your data going public.

Mike Arrowsmith: Facing adversity in the workplace. [CTrO] [Career Notes] Jul 17, 2022

Mike Arrowsmith, Chief Trust Officer at NinjaOne, leads the organization’s IT, security, and support infrastructure to ensure they meet customers’ security and data privacy demands as it scales. Mike discusses how his career path has led him to the position he currently holds and how exciting the world of cybersecurity can be. He mentioned how he mentored students in college thinking of going into the field, and he used a metaphor to help describe the industry, saying "We are working against adversaries that are always typically one step ahead. Figuratively, if you could imagine, you're trying to chase a ball, but you never can quite get your hands on it." He shares how he loves the evolving field and that he thrives in a situation where things are constantly changing. We thank Mike for sharing his story.

A record breaking DDoS attack. [Research Saturday] Jul 16, 2022

Chad Seaman, Team Lead at Akamai SIRT joins Dave to discuss their research about a record-breaking DDoS Attack. The research says "A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks."

Starting in mid-February 2022, security researchers, network operators, and security vendors noticed a spike in DDoS attacks. Researchers started to investigate the spike and determined that the devices that were being abused to launch these attacks are MiCollab and MiVoice Business Express collaboration systems. The research goes into how you can help mitigate the attacks and how Mitel has now released patched software.

The research can be found here:

CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector

A conversation with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. [Special Edition] Jul 15, 2022

In this extended interview, CyberWire Daily Podcast host Dave Bittner sits down with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly to discuss her time at CISA and the work of her team. This interview from July 15, 2022 originally aired as a shortened version on the CyberWire Daily Podcast.

Criminal gangs at war. A "cyber world war?" A new DPRK ransomware operation. Media organizations targeted by state actors. NSA guidance on characterizing threats and risks to microelectronics. Jul 15, 2022

Gangland goes to war. Is there a "cyber world war" in progress? Ukraine thinks so. A new North Korean ransomware operation is described, but it’s not yet clear if it’s a state operation or some moonlighting by Pyongyang’s operators. Media organizations remain attractive targets for state actors. NSA releases guidance on characterizing threats and risks to microelectronics. Betsy Carmelite from Booz Allen talks about why now is the time to plan for post-quantum cryptography. Our guest is Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly discussing her time at CISA and the work of her team.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/135

Selected reading.

Inside The Russian Cybergang Thought To Be Attacking Ukraine—The Trickbot Leaks (Forbes)

Who is Trickbot? (Cyjax)

NATO and the European Union work together to counter cyber threats (NATO)

The Man at the Center of the New Cyber World War (POLITICO)

Russian cyber threat to Canada worse than previously reported: CSE (National Post)

North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware (Microsoft Security)

Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media (Proofpoint)

NSA Publishes Guidance on Characterizing Threats, Risks to DoD Microelectronics (National Security Agency/Central Security Service)

Ukraine evaluates Russia’s cyber ops. Smartphones go to war. Lilith ransomware. ChromeLoader evolves. Rolling-PWN looks real after all. Schulte guilty in Vault 7 case. Jul 14, 2022

An overview of the cyber phase of Russia's hybrid war. Smartphones as sources of targeting information. Lilith enters the ransomware game. ChromeLoader makes a fresh appearance. Honda acknowledges that Rolling-PWN is real (but says it's not as serious as some think). Part two of Carole Theriault’s conversation with Jen Caltrider from Mozilla's Privacy Not Included initiative. Our guest is Josh Yavor of Tessian to discuss Accidental Data Loss Over Email. A guilty verdict in the Vault 7 case.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/134

Selected reading.

Ukraine's Cyber Agency Reports Q2 Cyber-Attack Surge (Infosecurity Magazine)

2022 Q2 (SSSCIP)

The weaponizing of smartphone location data on the battlefield (Help Net Security)

New Lilith ransomware emerges with extortion site, lists first victim (BleepingComputer) A new ransomware operation has been launched under the name 'Lilith,' and it has already posted its first victim on a data leak site created to support double-extortion attacks.

New Ransomware Groups on the Rise (Cyble) Cyble analyzes new ransomware families spotted in the wild led by notable examples such as LILITH, RedAlert, and 0Mega.

New Lilith ransomware emerges with extortion site, lists first victim (BleepingComputer)

New Ransomware Groups on the Rise (Cyble)

Researchers Uncover New Variants of the ChromeLoader Browser Hijacking Malware (The Hacker News)

ChromeLoader: New Stubborn Malware Campaign (Unit 42)

Honda Admits Hackers Could Unlock Car Doors, Start Engines (SecurityWeek) Honda redesigning latest vehicles to address key fob vulnerabilities (The Record by Recorded Future)

Statement Of U.S. Attorney Damian Williams On The Espionage Conviction Of Ex-CIA Programmer Joshua Adam Schulte (US Department of Justice)

Ex-C.I.A. Engineer Convicted in Biggest Theft Ever of Agency Secrets (New York Times)

Former CIA Staffer Convicted For Massive Data Breach To WikiLeaks (Forbes)

AiTM sets up BEC. Silent validation bots. Smishing attempt at the European Central Bank. Shields up in Berlin. Hacktivism in a hybrid war. Patch notes. Jul 13, 2022

Adversary-in-the-middle sites support business email compromise. Silent validation carding bot discovered. Attempted social engineering at the European Central Bank. Germany puts its shields up. Carole Theriault speaks with Jen Caltrider about Mozilla's *Privacy Not Included initiative. Our guest is Lucia Milica on Proofpoint’s Voice of the CISO report. And Hacktivism in a hybrid war.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/133

Selected reading.

From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud (Microsoft Security Blog)

PerimeterX Discovers New Silent Validation Carding Bot (PerimeterX)

Hackers posing as Merkel target ECB's Lagarde - German source (Reuters)

European Central Bank head targeted in hacking attempt (AP NEWS)

Cyberangriff auf Spitzenpolitiker: Hacker nutzten Merkels Handynummer, um das Whatsapp-Konto von Lagarde zu knacken (Business Insider)

Germany bolsters defenses against Russian cyber threats (Deutsche Welle)

Ukraine's cyber army hits Russian cinemas (CyberNews)

DDoS attacks surge in popularity in Ukraine — but are they more than a cheap thrill? (The Record by Recorded Future)

Microsoft Releases July 2022 Security Updates (CISA)

CISA orders agencies to patch new Windows zero-day used in attacks (BleepingComputer)

SAP Releases July 2022 Security Updates (CISA)

Schneider Electric Easergy P5 and P3 (CISA)

Dahua ASI7213X-T1 (CISA)

High-end and low-end extortion. Push to start–wait, not you… Social media and open-source intelligence. Russian cyberattacks spread internationally. Preparing for cyber combat. Jul 12, 2022

High-end and low-end extortion. Vehicles from Honda may soon be rolling off the lot. Social media and open-source intelligence. Russian cyberattacks spread internationally. Joe Carrigan surveys items for sale in dark web markets. Our guest is Jonathan Wilson of AU10TIX to discuss consumer sentiment around data privacy. Preparing for cyber combat.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/132

Selected reading.

BlackCat (Aka ALPHV) Ransomware Is Increasing Stakes Up To $2,5M In Demands (Resecurity)

Ransomware gang now lets you search their stolen data (BleepingComputer)

Luna Moth: The Actors Behind the Recent False Subscription Scams (Sygnia)

'Luna Moth' Group Ransoms Data Without the Ransomware (Dark Reading)

Hackers can unlock Honda cars remotely in Rolling-PWN attacks (BleepingComputer)

Hackers Say They Can Unlock and Start Honda Cars Remotely (Vice)

Rolling PWN (PWN)

Russia launches attack on Poland as hackers declare war on 10 countries, including UK (Express)

Vice Minister: cyber attacks are aimed at seeking publicity and raising tensions (DELFI)

How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future)

The Biggest Threat to the Military May Not Be What You Think (ClearanceJobs)

DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. Callback phishing impersonates security companies. Anubis is back. BlackCat ups the ante. Jul 11, 2022

More deniable DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. A callback phishing campaign impersonates security companies. The Anubis Network is back. Thomas Etheridge from CrowdStrike on the importance of outside threat hunting. Rick Howard weighs in on sentient AI. And a ransomware gang ups the ante.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/131

Selected reading.

Pro-Russian cybercriminals briefly DDoS Congress.gov (CyberScoop)

Lithuania's state-owned energy group hit by 'biggest cyber attack in a decade' (lrt.lt)

Ignitis Group hit by DDoS attack as Killnet continues Lithuania campaign (Tech Monitor)

Russian ‘Hacktivists’ Are Causing Trouble Far Beyond Ukraine (Wired - 07-11-2022)

Predatory Sparrow: Who are the hackers who say they started a fire in Iran? (BBC News)

Hacktivists claiming attack on Iranian steel facilities dump tranche of 'top secret documents' (CyberScoop)

Callback Phishing Campaigns Impersonate CrowdStrike, Other Cybersecurity Companies (CrowdStrike)

Anubis Networks is back with new C2 server (Security Affairs)

BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands(Help Net Security)

Resecurity - BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands (Resecurity)

Simone Petrella: Fake it, until you make it. [CEO] [Career Notes] Jul 10, 2022

Simone Petrella, CEO of cybersecurity training workforce firm CyberVista, spent her career in the Department of Defense as a threat intelligence analyst before founding CyberVista. She says that running a company has a new set of challenges each day thrown at you. She explains that the way she finds the most success is by letting her team contribute to each matter, and having a say in the decisions made as they pertain to each department. Simone says "I would say is I am a firm firm believer in the idea of empowering people to really own and kind of run with the things that they're passionate about." She notes that people will do amazing things when they are passionate and that faking it until you make it is true, because you will get where you're going by having that passion and that inspiration. We thank Simone for sharing her story.

Information operations during a war. [Research Saturday] Jul 09, 2022

Alden Wahlstrom, senior analyst on Mandiant's Information Operations Team, shares a comprehensive overview and analysis of the various information operations activities they’ve seen while responding to the Russian invasion. While the full extent of the Russia-Ukraine war has yet to come to light, more than two months after the start of the invasion, Mandiant has identified activity that they believed to be information operations campaigns conducted by actors possibly in support of the political interests of nation-states such as Russia, Belarus, China, and Iran.

The research shares a chart with all of the known information operations events that have taken place so far dating back to January of 2022. It also states that following the beginning of the Russian attack they have seen concerning signs, including "incidents involving the deployment of wiper malware disguised as ransomware."

The research can be found here:

The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine

An update on cyber operations in Russia’s hybrid war. NPM compromise updates. CISA releases ICS security advisories. Free ransomware decryptors released. Disneyland's Instagram account hijacked. Jul 08, 2022

An update on cyber operations in the hybrid war. NPM compromise updates. Free decryptors for AstraLocker and Yashma ransomware. Johannes Ullrich from SANS on attacks against Perimeter Security Devices. Our guest is Sonali Shah from Invicti Security with a look at DevSecOps anxiety. And who’s the villain who hijacked the Instagram account of Disneyland?

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/130

Selected reading.

Russia-Ukraine war: List of key events, day 135 (Al Jazeera)

Russia-Ukraine war: Putin warns Moscow has 'barely started' its campaign (The Telegraph)

Russian Cybercrime Trickbot Group is systematically attacking Ukraine (Security Affairs)

US finance sector encouraged to stay vigilant against retaliatory Russian cyberattacks (SC Magazine)

Someone may be prepping an NPM crypto-mining spree (Register)

ICS CERT Advisories (CISA)

Free decryptor released for AstraLocker, Yashma ransomware victims (BleepingComputer)

Disneyland’s Instagram Account Hacked With a Series of Profane, Racist Posts (Wall Street Journal)

Chinese industrial espionage warning. Trickbot's privateering. Russian influence ops target NATO resolve. Cozy Bear sighting. Chinese APTs target Russia. NFT scams are pestering Ukraine. Jul 07, 2022

The FBI and MI-5 warn of Chinese industrial espionage. Revelations of Trickbot's privateering role. Russian influence operations target France, Germany, Poland, and Turkey. Chinese APTs target Russian organizations in a cyberespionage effort. Robert M. Lee from Dragos on CISA expanding the Joint Cyber Defense Collaborative. Ben Yelin speaks with Matt Kent from Public Citizen about the American Innovation and Online Choice Act. And who would guess it, but NFT scams are pestering Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/129

Selected reading.

Heads of FBI, MI5 Issue Joint Warning on Chinese Spying (Wall Street Journal)

FBI and MI5 leaders give unprecedented joint warning on Chinese spying (the Guardian)

FBI and MI5 bosses: China cheats and steals at massive scale (Register)

FBI director suggests China bracing for sanctions if it invades Taiwan (Washington Post)

Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (Security Intelligence)

Trickbot may be carrying water for Russia (Washington Post)

Russia Info Ops Home In on Perceived Weak Links (VOA)

Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (SentinelOne)

Chinese hackers targeting Russian government, telecoms: report (The Record by Recorded Future)

Near-undetectable malware linked to Russia's Cozy Bear (Register)

Russia's Cozy Bear linked to nearly undetectable malware (Computing)

When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors (Unit 42)

NFT scammers see an opportunity in Ukraine donations (The Record by Recorded Future)

CISA Alert AA22-187A – North Korean state-sponsored cyber actors use Maui ransomware to target the healthcare and public health sector. [CISA Cybersecurity Alerts] Jul 06, 2022

The FBI, CISA, and the Department of the Treasury are releasing this joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health Sector organizations.

AA22-187A Alert, Technical Details, and Mitigations

Stairwell Threat Report: Maui Ransomware

North Korea Cyber Threat Overview and Advisories

Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments

National Conference of State Legislatures: Security Breach Notification Laws

Health Breach Notification Rule

Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches

StopRansomware.gov

CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Quantum computing and security standards. Cyber war, and the persistence of cybercrime. DPRK ransomware versus healthcare. Cyber incidents and credit, in Shanghai and elsewhere. Jul 06, 2022

Quantum computing and security standards. Notes on the cyber phases of a hybrid war, and how depressingly conventional cybercrime persists in wartime. Pyongyang operators are using Maui ransomware against healthcare targets. Malek Ben Salem from Accenture looks at the security risks of GPS. Our guest is Brian Kenyon of Island to discuss enterprise browser security. Shanghai's big data exposure.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/128

Selected reading.

NIST Announces First Four Quantum-Resistant Cryptographic Algorithms (NIST)

Winners of NIST's post-quantum cryptography competition announced (Computing)

NIST unveils four algorithms that will underpin new 'quantum-proof' cryptography standards (SC magazine)

NIST Identifies 4 Quantum-Resistant Encryption Algorithms (Nextgov.com)

Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats (CISA)

Quantum-resistant encryption recommended for standardization (Register)

Keeping Phones Running in Wartime Pushes Kyivstar to the Limit (Bloomberg)

The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan (CyberScoop)

Ukrainian police takes down phishing gang behind payments scam (ZDNet)

Cyber Police of Ukraine arrested 9 men behind phishing attacks on Ukrainians attempting to capitalize on the ongoing conflict (Security Affairs)

North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (CISA)

Reports (Moody’s)

Clarion Housing ‘cyber incident’ affects thousands of tenants (Cambs Times)

In a big potential breach, a hacker offers to sell a Chinese police database. (New York Times)

Nearly one billion people in China had their personal data leaked, and it's been online for more than a year (CNN)

China data breach likely to fuel identity fraud, smishing attacks (ZDNet)

China Tries to Censor What Could Be Biggest Data Hack in History (Gizmodo)

Here are four big questions about the massive Shanghai police leak (Washington Post)

Shanghai Data Breach Exposes Dangers of China’s Trove (Bloomberg)

Cyberattack hits Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Hacktivists, scammers, misconfigurations, and rogue insiders. Jul 05, 2022

Cyberattack hits a Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Royal Army accounts are hijacked. A hacktivist group claims to have hit Iranian sites. A very very large database of PII is for sale on the dark web. Chase Snyder from ExtraHop has a look back at WannaCry, 5 years on. Ben Yelin examines the constitutionality of keyword search warrants. And a rogue employee makes off with bug reports.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/127

Selected reading.

Russian hackers allegedly target Ukraine's biggest private energy firm (CNN)

Proruskí hackeri opäť útočili. Ďalšia významná spoločnosť hlási, že čelila kybernetickým útokom (Vosveteit.sk)

Preparing for the long haul: the cyber threat from Russia (NCSC)

Official British Army Twitter and YouTube accounts hijacked by NFT scammers (Hot for Security)

British army confirms breach of its Twitter and YouTube accounts (the Guardian)

British Army hit by cyberattack as Twitter and YouTube accounts hacked (The Telegraph)

Iranians' Remote Access to Banking Services Cut Off Over 'Cyber Attacks' (IranWire)

(Video) Iranian regime’s Islamic Culture and Communications Organization targeted in massive cyber offensive (EIN News)

Hackers Claim Theft of Police Info in China’s Largest Data Leak (Bloomberg)

Hacker Selling Shanghai Police Database with Billions of Chinese Citizens Data (HackRead)

Giant data breach? Leaked personal data of one billion people has been spotted for sale on the dark web (ZDNet)

Hacker claims to have stolen 1 bln records of Chinese citizens from police (Reuters)

HackerOne disclosed on HackerOne: June 2022 Incident Report (HackerOne)

HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains (The Hacker News)

Rogue HackerOne employee steals bug reports to sell on the side (BleepingComputer)

Patrick Morley: Former Carbon Black CEO [Cyber CEOs Decoded] Jul 04, 2022

In this episode, Marc and Patrick Morley, former CEO of Carbon Black, get nostalgic as they discuss Patrick's journey of coming up through the start up scene in the 90s—from working with VCs to taking companies public—and compare it to running cyber companies today. Along with the early career experience that helped form Patrick's leadership philosophy, he shares his experience of becoming CEO of Bit9, seeing the company through a breach, acquiring Carbon Black, bring the company public and later getting acquired by VMWare—this episode is filled to the brim.

You'll also learn about:

How build a criteria for joining a start up
Why cyber is the most mission-driven area of tech
What it's like to call 600 customers in 2 days after a breach and not lose a single one
Seven philosophies for running a cyber company

Could REvil have a copycat? [Research Saturday] Jul 02, 2022

Larry Cashdollar from Akamai, joins Dave to discuss their research on a DDoS campaign claiming to be REvil. The research shares that Akamai's team was notified last week of an attack on one of their hospitality customers that they called "Layer 7" by a group claiming to be associated with REvil. In the research, they dive into the attack, as well as comparing it to other similar attacks that have been made by the group.

The research states "The attacks so far target a site by sending a wave of HTTP/2 GET requests with some cache-busting techniques to overwhelm the website." It also stated that this is a smaller attack than they have seen by the group before, and notes that there seems to be more of a political agenda behind the attack, whereas in the past, REvil has been less political.

The research can be found here:

REvil Resurgence? Or a Copycat?

Notes on cyber conflict. Lazarus Group blamed for the Harmony cryptocurrency heist. MedusaLocker warning. Observation of the C2C market. The Crypto Queen cracks the FBI’s Ten Most Wanted. Jul 01, 2022

An update on the DDoS attack against Norway. NATO's resolutions on cyber security. North Korea seems to be behind the Harmony cryptocurrency heist. MedusaLocker warninga. Microsoft sees improvements in a gang's technique. Google blocks underworld domains. The Israeli-Iranian conflict in cyberspace. Chris Novak from Verizon with his take on this year’s DBIR. Our guest is Jason Clark of Netskope on the dynamic challenges of a remote workforce.And Now among the FBI’s Ten Most Wanted: one Crypto Queen.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/126

Selected reading.

Pro-Russian hackers launched a massive DDoS attack against Norway (Security Affairs)

NATO establishes program to coordinate rapid response to cyberattacks (POLITICO)

NATO to create cyber rapid response force, increase cyber defense aid to Ukraine (CyberScoop)

FACT SHEET: The 2022 NATO Summit in Madrid | The White House (The White House)

North Korean Lazarus hackers linked to Harmony bridge thef (TechCrunch)

North Korea Suspected of Plundering Crypto to Fund Weapons Programs (Wall Street Journal)

Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests (Reuters)

CISA Alert AA22-181A – #StopRansomware: MedusaLocker. (CISA Cybersecurity Alerts with the CyberWire)

#StopRansomware: MedusaLocker (CISA)

Microsoft warning: This malware that targets Linux just got a big update (ZDNet)

Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers (The Hacker News)

Google blocked dozens of domains used by hack-for-hire groups (BleepingComputer)

Countering hack-for-hire groups (Google)

Gantz orders probe after TV reports hint IDF behind Iran steel plant cyberattack (Times of Israel)

Proofpoint: Zionist covert operation? (PressTV)

Zionist intelligence company cyberattacked by Iraqi hackers (Mehr)

FBI Offers $100,000 Reward for Capture of Ten Most Wanted Fugitive ‘Cryptoqueen’ (FBI)

CISA Alert AA22-181A – #StopRansomware: MedusaLocker. [CISA Cybersecurity Alerts] Jun 30, 2022

CISA, the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network are releasing this alert to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol to access victims’ networks.

AA22-181A Alert, Technical Details, and Mitigations

Stop Ransomware

CISA Ransomware Guide

CISA No-cost Ransomware Services

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Killnet hits Norwegian websites. Hacktivists tied to Russia's government. Looking ahead to new cyber phases of Russia's hybrid war. C2C market differentiation. Gennady Bukin, call your shoe store. Jun 30, 2022

Killnet hits Norwegian websites. Hacktivists are tied to Russia's government. Amunet as a case study in C2C market differentiation. C2C commodification extends to script kiddies. Andrea Little Limbago from Interos examines borderless data. Rick Howard speaks with Cody Chamberlain from NetSPI on Breach Communication. Roscosmos publishes locations of Western defense facilities…and subsequently says it sustained a DDoS attack.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/125

Selected reading.

Pro-Russian hacker group says it attacked Norway (The Independent Barents Observer)

Cyberattack hits Norway, pro-Russian hacker group fingered (AP NEWS)

Norway blames "pro-Russian group" for cyber attack (Reuters)

Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’ (Bloomberg)

Market Differentiation: Cybercriminal Forums’ Unusual Features Designed To Attract Users (Digital Shadows)

Minors Use Discord Servers to Earn Extra Pocket Money Through Spreading Malware (PR Newswire)

Russia publishes Pentagon coordinates, says Western satellites 'work for our enemy' (Reuters)

Russian Space Agency Targeted in Cyberattack (Wall Street Journal)

Cyberattack hits Russian space agency site after sharing NATO photos (Jerusalem Post)

Article 5? It’s complicated. Influence ops for economic advantage. SOHO routers under attack. YTStealer described. RansomHouse hits AMD. A NetWalker affiliate cops a plea. Jun 29, 2022

NATO's response to Killnet's cyberattacks on Lithuania. Influence operations in the interest of national market share. SOHO routers are under attack. YTStealer is out and active in the wild. RansomHouse hits AMD. CISA releases six ICS security advisories. The most dangerous software weaknesses. Betsy Carmelite from Booz Allen Hamilton takes a look back at Biden’s executive order on cyber. Our guest is Philippe Humeau of CrowdSec on taking a collaborative approach to security. And a guilty plea in the case of the NetWalker affiliate.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/124

Selected reading.

Could the Russian cyber attack on Lithuania draw a military response from NATO? (Sky News)

Pro-PRC DRAGONBRIDGE Influence Campaign Targets Rare Earths Mining Companies in Attempt to Thwart Rivalry to PRC Market Dominance (Mandiant)

ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks (Lumen)

New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators (Hacker News)

RansomHouse Extortion Group Claims AMD as Latest Victim (RestorePrivacy)

RansomHouse gang claims to have some stolen AMD data (Register)

CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)

2022 CWE Top 25 Most Dangerous Software Weaknesses (CISA)

Netwalker ransomware affiliate agrees to plead guilty to hacking charges (The Record by Recorded Future)

DDoS threat to Lithuania continues. Hacktivists hit Iranian steel mill. Bumblebee loader takes C2C markteshare. CISA adds Known Exploited Vulnerabilities. Music piracy. Where do spies go? Jun 28, 2022

Distributed denial-of-service attacks against Lithuania. Dark Crystal RAT described. Iranian steel mill suspends production due to cyberattack. Bumblebee rising. CISA adds to its Known Exploited Vulnerabilities Catalog. Music pirate sites brought down by US and Brazilian authorities. Joe Carrigan looks at Apple’s private access tokens. Mister Security Answer Person John Pescatore drops some sboms. And where do Russian intelligence officers go after they’ve been PNGed?

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/123

Selected reading.

Lithuania targeted by massive Russian cyberattack over transit blockade (Newsweek)

Russia's Killnet hacker group says it attacked Lithuania (Reuters)

Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia (Flashpoint)

Ukraine Targeted by Dark Crystal RAT (DCRat) | FortiGuard Labs (Fortinet Blog)

Cyberattack Forces Iran Steel Company to Halt Production (SecurityWeek)

Iran’s steel industry halted by cyberattack (Jerusalem Post)

Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem (Broadcom Software Blogs)

CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA)

US, Brazil seize 272 websites used to illegally download music (BleepingComputer)

Swiss intel service: Watch out for redeployed Russian spies (AP News)

Notes from the cyber phases of the hybrid war against Ukraine. Conti retires its brand, and LockBit 2.0 is now tops in ransomware. Extortion skips the encryption. Cyber exercise in the financial sector. Jun 27, 2022

Lithuania sustains a major DDoS attack. Lessons from NotPetya. Conti's brand appears to have gone into hiding. Online extortion now tends to skip the ransomware proper. Josh Ray from Accenture on how social engineering is evolving for underground threat actors. Rick Howard looks at Chaos Engineering. US financial institutions conduct a coordinated cybersecurity exercise.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/122

Selected reading.

Russia's Killnet hacker group says it attacked Lithuania (Reuters)

The hacker group KillNet has published an ultimatum to the Lithuanian authorities (TDPel Media)

5 years after NotPetya: Lessons learned (CSO Online)

The cyber security impact of Operation Russia by Anonymous (ComputerWeekly)

Conti ransomware finally shuts down data leak, negotiation sites (BleepingComputer)

The Conti Enterprise: ransomware gang that published data belonging to 850 companies (Group-IB)

Fake copyright infringement emails install LockBit ransomware (BleepingComputer)

NCC Group Monthly Threat Pulse – May 2022 (NCC Group)

We're now truly in the era of ransomware as pure extortion without the encryption (Register)

Wall Street Banks Quietly Test Cyber Defenses at Treasury’s Direction (Bloomberg)

Richard Melick: Finding the right pattern to solve the problem. [Threat reporting] [Career Notes] Jun 26, 2022

Richard Melick, Director of Threat Reporting for Zimperium, talks about his journey, from working in the military to moving up to the big screens. He shares that he's been in the business of solving unique cybersecurity problems for so long that he has found his own path that works very well for him. He says, "if I go to a unique problem and try to solve it, I find that I'm solving it the same way that I would've solved it five years ago, because I found my pattern." Richard reflects on his time working in the industry, from moving away from the military and into different roles over the years. He notes that giving credit where credit is due, to those who deserve it, is how you keep the audience engaged as a storyteller. We thank Richard for sharing his story.

Lazarus Targets Chemical Sector With 'Dream Job.' [Research Saturday] Jun 25, 2022

Alan Neville, a Threat Intelligence Analyst from Symantec Broadcom, joins Dave to discuss their research "Lazarus Targets Chemical Sector." Symantec has observed the North Korea-linked threat group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector.

The campaign appears to be a continuation of the group's activity called Operation Dream Job, which Symantec first came across in August of 2020. The research states "evidence includes file hashes, file names, and tools that were observed in previous Dream Job campaigns."

The research can be found here:

Lazarus Targets Chemical Sector

Lithuania warns of DDoS. Some limited Russian success in cyber phases of its hybrid war. Spyware infestations in Italy and Kazakstan. Tabletop exercises. Ransomware as misdirection Jun 24, 2022

Lithuania's NKSC warns of increased DDoS threat. Limited Russian success in the cyber phases of its hybrid war. Another warning of spyware in use against targets in Italy and Kazakhstan. Hey, critical infrastructure operators: CISA’s got tabletop exercises for you. Kevin Magee from Microsoft has advice for recent grads. A look back the year since Colonial Pipeline with Padraic O'Reilly of CyberSaint. And sometimes ransomware is just a spy’s way of saying, “nothing up my sleeve…”

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/121

Selected reading.

Lithuania warns of rise in DDoS attacks against government sites (BleepingComputer)

Defending Ukraine: Early Lessons from the Cyber War (Microsoft)

Why think tanks are such juicy targets for cyberspies (The Record by Recorded Future)

The war in Ukraine is showing the limits of cyberattacks (Tech Monitor)

Spyware vendor targets users in Italy and Kazakhstan (Google Threat Analysis Group)

BRONZE STARLIGHT Ransomware Operations Use HUI Loader (SecureWorks)

CISA Tabletop Exercises Packages (CTEP) (CISA)

CISA Tabletop Exercise Package (CTEP) Workshop (Government Technology)

CISA Alert AA22-174A – Malicious cyber actors continue to exploit Log4Shell in VMware Horizon systems. [CISA Cybersecurity Alerts] Jun 24, 2022

CISA and the US Coast Guard Cyber Command are releasing this joint Cybersecurity Advisory to warn network defenders that cyber threat actors, including state-sponsored APT actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds.

AA22-174A Alert, Technical Details, and Mitigations

Malware Analysis Report 10382254-1 stix

Malware Analysis Report 10382580-1 stix

CISA’s Apache Log4j Vulnerability Guidance webpage

Joint CSA Mitigating Log4Shell and Other Log4j-Related Vulnerabilities

CISA’s database of known vulnerable services on the CISA GitHub page

See National Security Agency (NSA) and Australian Signals Directorate (ASD) guidance Block and Defend Web Shell Malware for additional guidance on hardening internet-facing systems.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Reviewing Russian cyber campaigns in the war against Ukraine. Ukraine's IT Army is a complex phenomenon. Take ICEFALL seriously. CISA has updated its cloud security guidance. Jun 23, 2022

Reviewing Russian cyber campaigns in the war against Ukraine, and the complexity of Ukraine's IT Army. ICEFALL advice and reactions. Carole Theriault looks at Hollywood’s relationship with VPNs. Podcast partner Robert M. Lee from Dragos provides a rundown on Pipedream. And CISA updates its Cloud Security Technical Reference Architecture.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/120

Selected reading.

[Blog] Defending Ukraine: Early Lessons from the Cyber War (Microsoft On the Issues)

[Report] Defending Ukraine: Early Lessons from the Cyber War (Microsoft)

Russian cyber spies attack Ukraine's allies, Microsoft says (Reuters)

Research questions potentially dangerous implications of Ukraine's IT Army (CyberScoop)

The IT Army of Ukraine Structure, Tasking, and Ecosystem (Center for Security Studies)

CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report (CISA)

Industry Reactions to 'OT:Icefall' Vulnerabilities Found in ICS Products (SecurityWeek)

Cloud Security Technical Reference Architecture (CISA)

A Fancy Bear sighting. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT discovered. ICEFALL ICS issues described. Europol collars 9. Say it ain’t so, Dmitry. Jun 22, 2022

Fancy Bear sighted in Ukrainian in-boxes. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT is active in European and Asian networks. ICEFALL ICS vulnerabilities described. CISA issues ICS vulnerability advisories. Europol makes nine collars. Andrea Little Limbago from Interos on The global state of data protection and sharing. Rick Howard speaks with Michelangelo Sidagni from NopSec on the Future of Vulnerability Management. We are shocked, shocked, to hear of corruption in the FSB

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/119

Selected reading.

Ukrainian cybersecurity officials disclose two new hacking campaigns (CyberScoop)

Ukraine Warns of New Malware Campaign Tied to Russian Hackers (Bloomberg Law)

Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware (BleepingComputer)

Opinion How Russia’s vaunted cyber capabilities were frustrated in Ukraine (Washington Post)

New Toddycat APT Targets MS Exchange Servers in Europe and Asia (Infosecurity Magazine)

Microsoft Exchange servers hacked by new ToddyCat APT gang (BleepingComputer)

OT:ICEFALL: 56 Vulnerabilities Caused by Insecure-by-Design Practices in OT (Forescout)

From Basecamp to Icefall: Secure by Design OT Makes Little Headway (SecurityWeek)

Dozens of vulnerabilities threaten major OT device makers (Cybersecurity Dive)

CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)

Phishing gang behind several million euros worth of losses busted in Belgium and the Netherlands (Europol)

Подполковника УФСБ по Самарской области арестовали за кражу криптовалюты у хакера (TASS)

Cyberattack suspected in Israeli false alarms. Risk surface assessments. Fitness app geolocation as a security risk. Cyber phases of Russia’ hybrid war. A conviction in the Capital One hacking case. Jun 21, 2022

A Cyberattack is suspected of causing false alarms in Israel. Risk surface assessments. Renewed warning of the potential security risks of fitness apps. Cyber options may grow more attractive to Russia as kinetic operations stall. DDoS in St. Petersburg. Ben Yeling details a Senate bill restricting the sale of location data. Our guest is Jon Check from Raytheon's Intelligence and Space Division discussing the National Collegiate Cyber Defense Competition. A conviction in the Capital One hacking case.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/118

Selected reading.

Suspected cyberattack triggers sirens in Jerusalem, Eilat (Israel Hayom)

Suspected Iranian Cyberattack on Israel Triggers Sirens (Haaretz)

Iranian cyberattack may be behind false rocket warning sirens in Jerusalem (Jerusalem Post)

Israel suspects Iranian cyber-attack behind false siren alerts (Middle East Monitor)

Strava fitness app used to spy on Israeli military officials (Computing)

Treasury's Adeyemo sees elevated cyber threats in wake of Russia's war in Ukraine (Reuters)

More cyber warfare with Russia lies on the horizon (Interesting Engineering)

Prolonged war may make Russia more cyber aggressive, US official says (C4ISRNet)

What the Russia-Ukraine war means for the future of cyber warfare (The Hill)

Complex Russian cyber threat requires we go back to basics (ComputerWeekly.com)

Vladimir Putin speech delayed 'because of cyber-attack' as he hits out at 'economic blitzkrieg' against Russia (Scotsman)

UPDATE 1-Putin's St Petersburg speech postponed by an hour after cyberattack (Yahoo)

Think of the Russia-Ukraine conflict as a microcosm of the cyber war (SC Magazine)

The link between cyberattacks and war: Gartner (CRN Australia)

Ex-Amazon Worker Convicted in Capital One Hacking (New York Times)

Jury Convicts Seattle Woman in Massive Capital One Hack (SecurityWeek)

Former Seattle tech worker convicted of wire fraud and computer intrusions (US Attorney’s Office, Western District of Washington)

Interview select: David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement. Jun 20, 2022

As we break to observe the Juneteenth holiday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with FBI Cyber Section Chief David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

Lauren Van Wazer: You have to be your own North Star. [CISSP] [Career Notes] Jun 19, 2022

Lauren Van Wazer, Vice President, Global Public Policy and Regulatory Affairs for Akamai Technologies, shares her story as she followed her own North Star and landed where she is today. She describes her career path, highlighting how she went from working at AT&T to being able to work in the White House. She shares how she is a coach and a leader to the team she works with now, saying "my view is I've got their back, if they make a mistake, it's my mistake, and if they do well, they've done well." Lauren hopes she's made an impact in the world by making it a little bit better than before, and discusses how she doesn't let anyone stop her from her goals. Lauren shares her outlook on her experiences, calling attention to different roles in her life that made her journey all the better. We thank Lauren for sharing.

Dissecting the Spring4Shell vulnerability. [Research Saturday] Jun 18, 2022

Edward Wu, senior principal data scientist at ExtraHop, joins Dave to discuss the company's research, "A Technical Analysis of How Spring4Shell Works." ExtraHop first noticed chatter from social media in March of 2022 on a new remote code execution (RCE) vulnerability and immediately started tracking the issue.

In the research, it describes how the exploit works and breaks down how the ExtraHop team came to identify the Spring4Shell vulnerability. The research describes the severity of the vulnerability, saying, "The impact of an RCE in this framework could have a serious impact similar to Log4Shell."

The research can be found here:

How the Spring4Shell Zero-Day Vulnerability Works

Malibot info stealer is no coin miner. "Hermit" spyware. Fabricated evidence in Indian computers. FBI takes down botnet. Assange extradition update. Putting the Service into service learning. Jun 17, 2022

Malibot is an info stealer masquerading as a coin miner. "Hermit" spyware is being used by nation-state security services. Fabricated evidence is planted in Indian computers. The US takes down a criminal botnet. The British Home Secretary signs the Assange extradition order. We wind up our series of RSA Conference interviews with David London from the Chertoff group and Hugh Njemanze from Anomali. And putting the Service into service learning.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/117

Selected reading.

'MaliBot' Android Malware Steals Financial, Personal Information (SecurityWeek)

F5 Labs Investigates MaliBot (F5 Labs)

Sophisticated Android Spyware 'Hermit' Used by Governments (SecurityWeek)

Lookout Uncovers Android Spyware Deployed in Kazakhstan (Lookout)

Police Linked to Hacking Campaign to Frame Indian Activists (Wired)

U.S., partners dismantle Russian hacking 'botnet,' Justice Dept says (Reuters)

Russian Botnet Disrupted in International Cyber Operation (US Attorney's Office, Southern District of California)

Julian Assange: Priti Patel signs US extradition order (The Telegraph)

AIVD disrupts activities of Russian intelligence officer targeting the International Criminal Court (AIVD)

Alleged Russian spy studied at Johns Hopkins, won ICC internship (Washington Post)

Interpol scores against BEC, online fraud, and money laundering. Developments in C2C markets. Versioning vulnerability. Cyber war and cyber escalation. Jun 16, 2022

Interpol coordinates international enforcement action against scammers. A new version of IceXLoader is observed. Exploiting versioning limits to render files inaccessible. Reflections on the first large-scale hybrid war. Kelly Shortridge from Fastly on why behavioral science and economics matters for InfoSec. Patrick Orzechowski from DeepWatch on Russian IoCs and critical infrastructure. And the possibility of cyber escalation in Russia’s hybrid war against Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/116

Selected reading.

Hundreds arrested and millions seized in global INTERPOL operation against social engineering scams (Interpol)

New IceXLoader 3.0 – Developers Warm Up to Nim (Fortinet Blog)

Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality that can Ransom Files Stored on SharePoint and OneDrive (Proofpoint)

Russia’s cyber fog in the Ukraine war (GIS Reports)

Russia Might Try Reckless Cyber Attacks as Ukraine War Drags On, US Warns (Defense One)

Cyber Attacks in Times of Conflict (CyberPeace Institute)

Vladimir Putin’s Ukraine invasion is the world’s first full-scale cyberwar (Atlantic Council)

Why Russia has refrained from a major cyber-attack against the West (Cyber Security Hub)

In modern war, we have as much to fear from cyber weapons as kinetics (Computing)

Hertzbleed, a troublesome feature of processors. Cyberespionage and hybrid war. Patch Tuesday notes. Software bills of materials. Wannabe cybercrooks and criminal publicity stunts. Jun 15, 2022

The Hertzbleed side-channel issue affects Intel and AMD processors. An Iranian spearphishing campaign prospected former Israeli officials. Patch Tuesday notes. A look at software bills of materials. Russia routes occupied Ukraine's Internet traffic through Russia. Intercepts in the hybrid war: the odd and the ugly. Deepen Desai from ZScaler joins us with the latest numbers on ransomware. Rob Boyce from Accenture Security looks at cyber invisibility. And, finally, criminal wannabes and criminal publicity stunts.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/115

Selected reading.

A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys (Ars Technica)

Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials (Check Point Research)

Microsoft June 2022 Patch Tuesday fixes 1 zero-day, 55 flaws (BleepingComputer)

Microsoft Releases June 2022 Security Updates (CISA)

Windows Updates Patch Actively Exploited 'Follina' Vulnerability (SecurityWeek)

Adobe Plugs 46 Security Flaws on Patch Tuesday (SecurityWeek)

Citrix Releases Security Updates for Application Delivery Management (CISA)

SAP Releases June 2022 Security Updates (CISA)

So long, Internet Explorer. The browser retires today (AP NEWS)

SBOM in Action: finding vulnerabilities with a Software Bill of Materials (Google Online Security Blog)

Russia Is Taking Over Ukraine’s Internet (Wired)

Belarusian hacktivist group releases purported Belarusian wiretapped audio of Russian embassy (CyberScoop)

Intercepted call: Russian plan to send PoWs out into minefields (The Telegraph)

Hacker Advertises ‘Crappy’ Ransomware on Instagram (Vice)

LockBit Ransomware Compromise of Mandiant Not Supported by Any Evidence, May Be a PR Move by Cybercrime Gang (CPO Magazine)

Dealing with Follina. SeaFlower steals cryptocurrencies. Cyber phases of a hybrid war, with some skeptical notes on Anonymous. And the war’s effect on the underworld. Jun 14, 2022

Dealing with the GRU's exploitation of the Follina vulnerabilities. SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets. Ukraine moves sensitive data abroad. Anonymous claims to have hacked Russia's drone suppliers and to have hit sensitive targets in Belarus. Rick Howard reports on an NSA briefing at the RSA Conference. Our guest is Ricardo Amper from Incode with a look at biometrics in sports stadiums. And the effects of war on the cyber underworld.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/114

Selected reading.

Follina flaw being exploited by Russian hackers, info stealers (Computing)

Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in 'SeaFlower' Campaign (SecurityWeek)

How SeaFlower...installs backdoors in iOS/Android web3 wallets to steal your seed phrase (Medium)

Ukraine Has Begun Moving Sensitive Data Outside Its Borders (Wall Street Journal)

Anonymous claims hack on Russian drones (Computing)

How the Cybercrime Landscape has been Changed following the Russia-Ukraine War (Kela)

A new RAT from Beijing. Muslim hacktivism in India. Ukraine reports a GRU spam campaign against media outlets. A Moscow court fines Wikimedia. And that UK cyber disaster was just a promo. Jun 13, 2022

A Chinese APT deploys a new cyberespionage tool. Hacktivism roils India after a politician's remarks about the Prophet. Ukraine reports a "massive" spam campaign against the country's media organizations. A Russian court fines Wikimedia for "disinformation." From the NSA’s Cybersecurity Collaboration Center our guests are Morgan Adamski and Josh Zaritsky. Rick Howard sets the cyber sand table on Colonial Pipeline. And the Martians haven’t landed, and the Right Honorable Mr. Johnson is still PM.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/113

Selected reading.

CERT-UA warns of cyberattack on Ukrainian media (Interfax-Ukraine)

Russian hackers start targeting Ukraine with Follina exploits (BleepingComputer)

Massive cyber attack on media organizations of Ukraine using the malicious program CrescentImp (CERT-UA # 4797) (CERT-UA)

Wikimedia Foundation appeals Russian fine over Ukraine war articles (The Verge)

GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (Unit42)

Prophet remark: Slew of cyber attacks on Indian govt, private sites (The Times of India)

70 Indian government, private websites face international cyber attacks over Prophet row (The Times of India)

Channel 4 faces Ofcom probe over ’emergency news’ stunt to promote cyber attack drama The Undeclared War (INews)

Deepen Desai: A doctor in computer viruses. [CISO] [Career Notes] Jun 12, 2022

Deepen Desai, Global Chief Information Security Officer at Zscaler, shares his story as a doctor that treats computer viruses. He describes how he got into the security field and his work with Zscaler. He says what it's like learning and growing in this field and shares great advice for people who are up and coming in the field. Deepen describes working with an incredible team and how much joy it brings him to see his team learning and growing beyond their roles working with him. He says he want's to be remembered as a mentor among his colleagues. He says "I still remember my first team that I built, 15 years ago. Most of those guys are leading key technologies at many of the major security vendors, and some of them are still with me." We thank Deepen for sharing his story.

New developments in the WSL attack. [Research Saturday] Jun 11, 2022

Danny Adamitis from Lumen's Black Lotus Labs, joins Dave to discuss new developments in the WSL attack surface. Since September 2021, Black Lotus Labs have been monitoring malware repositories as a part of their proactive threat hunting process. Danny shares how researchers discovered a series of suspicious ELF files compiled for Debian Linux .

The research states how the team identified a series of samples that target the WSL environment, were uploaded every two to three weeks and that they started as early as May 3, 2021 and go until August 22, 20221.

The research can be found here:

The cautionary example of a hybrid war. SentinelOne finds a Chinese APT operating quietly since 2012. A hardware vulnerability in Apple M1 chips. And go, Tigers. Jun 10, 2022

Looking at Russia's hybrid war as a cautionary example. Russia warns, again, that it will meet cyberattacks with appropriate retaliation. (China says "us too.") NSA and FBI warn of nation-state cyber threats. SentinelOne finds a Chinese APT that's been operating, quietly, for a decade. "Unpatchable" vulnerability in Apple chips reported. We’ve got more interviews from RSA Conference, including the FBI’s Cyber Section Chief David Ring, ExtraHop’s CEO, Patrick Dennis. And the overhead projector said, “Go Tigers.”

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/112

Selected reading.

Top Senate Democrats sound the alarm about Russian interference in the 2022 midterms (Business Insider)

Russia says West risks ‘direct military clash’ over cyberattacks (NBC News)

Russia, China, oppose US cyber support of Ukraine (Register)

#RSAC: NSA Outlines Threats from Russia, China and Ransomware (Infosecurity Magazine)

FBI official: Chinese hackers boost recon efforts (The Record by Recorded Future)

Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years (SentinelOne)

Our TOPPODCAST Picks

Follow Us

Stay Connected

Selected reading.

Selected reading.

Selected reading.

Cybersecurity interview with ChatGPT.

Cyber questions answered by ChatGPT in part one of the interview.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.

Selected reading.