CyberWire Daily - CyberWire, Inc.

Updates on the continuing hybrid war in Ukraine. Julian Assange will get another chance to avoid extradition. And Russian privateers find that they’re expendable. Jan 24, 2022

Updates on the continuing hybrid war in Ukraine. The UK charges Russia with trying to install a puppet in Kyiv. Nominal hacktivists claim an attack against Belarusian railroads. Compromise of Greek parliamentary email accounts reported. Netherlands authorities warn against relaxing your guard against Log4j exploitation. Julian Assange will get another chance to avoid extradition. Rick Howard’s been pondering his reading list. Dinah Davis from Arctic Wolf on securing your smart speakers. And Russian privateers find that they’re expendable.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/15

Andrew Maloney: Never-ending thirst for knowledge. [COO] [Career Notes] Jan 23, 2022

COO and Co-Founder of Query. AI, Andrew Maloney, shares how the building blocks he learned in the military helped him get where he is today. Coming from a blue collar family with a minimal knowledge of computers, Andrew went into computer operations in the Air Force. While deployed to Oman just after the start of the Iraq War, Andrew said he got his break into security. That's where he learned the components that fit together in order to effectively secure an environment. Andrew's words of wisdom: You've got to keep pushing and you've got to believe in yourself and never sell yourself short. We thank Andrew for sharing his story with us.

A collaboration stumbles upon threat actor Lyceum. [Research Saturday] Jan 22, 2022

Guest Rob Boyce, Accenture's Global Lead for Cyber Incident Response and Transformation Services, joins Dave to discuss joint research done by Accenture’s Cyber Threat Intelligence (ACTI) group and Prevailion’s Adversarial Counterintelligence Team (PACT). The teams dug into recently publicized campaigns of the cyber espionage threat group Lyceum (aka HEXANE, Spirlin) to further analyze the operational infrastructure and victimology of this actor. The team’s findings corroborate and reinforce previous ClearSky and Kaspersky research indicating a primary focus on computer network intrusion events aimed at telecommunications providers in the Middle East. Additionally, the research expands on this victim set by identifying additional targets within internet service providers (ISPs) and government agencies. Although all victim-identifying information has been redacted, this report seeks to provide these targeted industry and geographic verticals with additional knowledge of the threat and mitigation opportunities.

The research can be found here:

Who are latest targets of cyber group Lyceum?

Ukrainian crisis continues, with attendant risk of hybrid warfare. MoonBounce malware in the wild. Pirate radio hacks a number station. Jan 22, 2022

US and Russian talks over Ukraine conclude with an agreement to further exchanges next week. Western governments continue to recommend vigilance against the threat of Russian cyberattacks against critical infrastructure. The US Treasury Department sanctions four Ukrainian nationals for their work on behalf of Russia’s FSB and its influence operations. A firmware bootkit is discovered in the wild. Security turnover at Twitter. Caleb Barlow looks at wifi hygiene. Our guest is Allan Liska on his latest ransomware book. And a number station gets hacked, in style.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/14

Looking toward tomorrow’s Russo-American talks about the Ukraine crisis. A memorandum gives NSA oversight authority for NSS. A look at the C2C markets. Jan 20, 2022

As Russian forces remain in assembly areas near the Ukrainian border, the US and Russia prepare for tomorrow’s high-level talks in Geneva. NATO members look to their cyber defenses. US President Biden issues a Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. Notes on C2C markets. Mirai is exploiting Log4j flaws. Verizon’s Chris Novak shares insights on Log4j challenges. Our guest is Ryan Kovar from Splunk with a look at the year ahead. And Olympic athletes heading to China? Better grab that burner phone.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/13

Updates on what Ukraine is now calling “BleedingBear.” CISA advises organizations to prepare for Russian cyberattacks. Other cyberespionage campaigns, and a new ransomware strain. Jan 19, 2022

Ukraine confirms that it was hit by wiper malware last week, as tension between Moscow and Kyiv remains high. It remains high as well between Russia and NATO, as Russia continues marshaling conventional forces around Ukraine. CISA advises organizations to prepare to withstand Russian cyberattacks. Other cyberespionage campaigns are reported, as is a new strain of ransomware. Microsoft’s Kevin Magee provides friendly counsel for CISOs and boards. Our guest is Clar Rosso from ISC2 on the communication gap between cybersecurity teams and executive leaders when it comes to ransomware. And the natural disaster in Tonga may offer lessons in resilience and recovery.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/12

A new member of the Winnti Cluster is described. Cobalt Strike used against unpatched VMware Horizon servers. Ukraine blames Russia for what seems to be a destructive supply chain attack. Jan 18, 2022

A new Chinese cyberespionage group is described. Cobalt Strike implants are observed hitting unpatched VMware Horizon servers. Ukraine attributes last week’s cyberattacks to Russia (with some possibility of Belarusian involvement as well). Microsoft doesn’t offer attribution, but it suggests that the incidents were more destructive than ransomware or simple defacements. The US warns of possible provocations. Ben Yelin looks at a bipartisan TLDR bill. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance on the ongoing threat of phishing. And the REvil arrests in Russia may have been for “leverage.”

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/11

SOAR - a first principle idea. [CSO Perspectives} Jan 17, 2022

Rick explains the network defender evolution from defense-in-depth in the 1990s, to intrusion kill chains in 2010, to too many security tools and SOAR in 2015, and finally to devsecops somewhere in our future.

Resources:

“Cybersecurity First Principles: DevSecOps.” by Rick Howard, CSO Perspectives, The CyberWire, 8 June 2020.
“FAQ,” RSA Conference, 2020.
"Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric Hutchins, Michael Cloppert, Rohan Amin, Lockheed Martin Corporation, 2010, last visited 30 April 2020.
“Malware? Cyber-crime? Call the ICOPs!” by Jon Oltsik, CSO, Cybersecurity Snippets, 22 June 2015.
“Market Guide for Security Orchestration, Automation and Response Solutions,” by Gartner, ID G00727304, 21 September 2020.
“MITRE ATT&CK,” by Mitre.
“The Cybersecurity Canon: The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win,” book review by Rick Howard, Palo Alto Networks, 21 October 2016.
“The Cyber Kill Chain is making us dumber: A Rebuttal,” by Rick Howard, LinkedIn, 29 July 2017.
“The Evolution of SOAR Platforms,” by Stan Engelbrecht, SecurityWeek, 27 July 2018.
“What is SOAR (Security Orchestration, Automation, and Response)?” by Kevin Casey, The Enterprisers Project, 30 October 2020.

Marina Ciavatta: Going after the human error. [Social engineer] [Career Notes] Jan 16, 2022

Social engineer and CEO of Hekate, Marina Ciavatta, shares her story of how people think her job is a la Mission Impossible coming from the ceiling with a rope and stealing stuff in the dead of the night. Marina does physical pentesting. Starting with an unused degree in journalism, Marina turned her talent for writing into a job as a content producer for a technology company and this appealed to her self-proclaimed nerdism. She fell in love with hacking and got into pentesting thanks to a friend. Marina recommends those interested in physical pentesting "try to find other social engineers to mingle. It's in the name. We are social creatures." We thank Marina for sharing her story with us.

Keeping APIs on the radar: Evaluating the banking industry. [Research Saturday] Jan 15, 2022

This episode features guest Alissa Knight, former hacker and partner at Knight Ink, along with Karl Mattson, CISO from Noname Security, discussing findings on severe API vulnerabilities in U.S. banking applications research that was conducted by Alissa and funded by Noname Security. The research, “Scorched Earth: Hacking Bank APIs,” unveils a number of vulnerabilities in the banking, cryptocurrency exchange, and FinTech industries.

In her Money 20/20 keynote presentation entitled “Scorched Earth: Hacking Bank APIs”. In her presentation, Alissa revealed that she was able to gain access to 55 different banks and change PIN codes and move money in and out of accounts. Three lessons learned include: API security vulnerabilities affect all enterprises, API security needs to be operationalized across the enterprise, and API security requires posture management, runtime security, and active testing.

Details can be found here:

White paper: Hacking Banks and Cryptocurrency Exchanges Through Their APIs
Blog post: 3 API Security Lessons from “Scorched Earth: Hacking Bank APIs”
Press release: New Research Shows Vulnerabilities in Banking, Cryptocurrency Exchange, and FinTech APIs Allow Unauthorized Transactions and PIN Code Changes of Customers
Alissa's presentation at Money 20/20.

Influence operations in the grey zone. FSB raids REvil. Open Source Software Security Summit looks to public-private cooperation. Privateering and state-sponsored cybercrime. Jan 14, 2022

A large-scale cyberattack against Ukrainian websites looks like an influence operation, and Russian intelligence services are the prime suspects. The FSB raids REvil. The White House Open Source Software Security Summit looks toward software bills of materials. MuddyWater exploits Log4shell. The DPRK is working to steal cryptocurrency. Caleb Barlow shares the consequences of the 3G network shutdown. Our guest is John Lehmann from Intellectual Point with programs that help military veterans transition to the cybersecurity industry. Honor among thieves, and spies.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/10

A public-private conference takes up open source software security at the White House. MuddyWater attributed to Iran. Espionage and ransomware arrests. Jan 13, 2022

A White House government-industry summit today addresses open-source software security. The US officially makes its second attribution of the week to a nation-state: it calls out Iran as the operator of the MuddyWater threat group. Israel arrests five on charges related to spying for Iran (they’re thought to have been recruited through catphishing). Citizen Lab finds Pegasus in Salvadoran phones. Ukraine arrests a ransomware gang. Thomas Etheridge from CrowdStrike on the importance of threat hunting for zero days. Our guest is Dr. David Bader of New Jersey Institute of Technology discussing the challenges of securing massive-scale analytics. And ransomware hits US state and local governments.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/9

The US and EU seek to shore up cybersecurity as Russo-Ukraininan tensions run high. NIST updates secure system standards. Ransomware exploits Log4shell. Dog bites man: fraud in social media. Jan 12, 2022

The US issues an alert over the prospect of Russian cyberattacks, and the EU begins a series of stress tests, both in apparent response to concerns over the prospect of a Russian attack on Ukraine. NIST updates its guidance on Engineering Trustworthy Secure Systems. NIght Sky ransomware exploits Log4shell. Phishing afflicts a hotel chain. Carole Theriault examines international efforts to stop digital fraud. Ben Yelin fon Seattle Police Faking Radio Chatter. And we’re shocked, shocked, to learn of fraud and piracy on a social media platform.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/8

Software supply chains and the free-rider problem. An APT is bitten by its own RAT. Europol told to clean up its data. A leak investigation in Denmark. QR-code phishbait. Jan 11, 2022

Log4shell as an instance of a more general software supply chain issue. An APT apparently mistakenly infects itself with its own RAT. A new backdoor, SysJoker, is in use in the wild. A warning on commercial surveillance software. A leak investigation continues in Denmark. Joe Carrigan explains bogus QR codes. Our guest is Casey Allen of Concentric on cyber vulnerabilities in automobiles. And, Europol is told it has a year to clear its databases of information on people not involved in crime.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/7

CISA provides an account of progress toward Log4shell remediation. Other issues are reported in open-source libraries. Undersea cable security. FIN7’s BadUSB campaign. Security and Yealink. Jan 10, 2022

CISA describes progress toward remediating Log4shell. Other open-source libraries are found to have similar issues, in one case problems deliberately introduced by the developer. Concerns are expressed over undersea cable security. FIN7’s BadUSB campaign. Security questions about another Chinese-made phone. Our guest is Bob Maley from Black Kite on their report - The Government Called, Are You Ready to Answer? Chris Novak from Verizon on PCI 4.0. And Russo-American talks open in Geneva.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/6

Julian Waits: Find a way to help society. [Serial Entrepreneur] [Career Notes] Jan 09, 2022

Senior Vice President and Executive in Residence with Rapid7 and Chairman for Cyversity, Julian Waits, grew up in the era of the Justice League and Superman and it shaped his career. Julian always wanted to do something where he could find a way to help society to basically help others. Starting out as a Baptist minister with aspirations of being a professional musician, Julian found it more practical to take some technology classes and practice his saxophone when he had time. His first tech job was at Texaco where he worked on early networks and moved into systems engineering at Compaq. Julian notes his ADD made coding less attractive than talking with others to solve problems and Compaq provided him with opportunities to pivot. Searching out diversity, Julian moved to DC, and had his first taste of startups. He now describes himself as a serial entrepreneur. We thank Julian for sharing his story with us.

The rise of Karakurt Hacking Team. Jan 08, 2022

Guest Rob Boyce, Accenture's Global Lead for Cyber Incident Response and Transformation Services, joins Dave to discuss their research "Karakurt rises from its lair." Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach. Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment. In addition, Accenture Security assesses with moderate-to-high confidence that the threat group’s extortion approach includes steps to avoid, as much as possible, drawing attention to its activities.

The research can be found here:

Karakurt rises from its lair

Kazakhstan shuts down its Internet as civil unrest continues (and one consequence is a disruption of alt-coin mining in that country). More on Log4j. Ransomware hits school website provider. Jan 07, 2022

Kazakhstan shuts down its Internet as civil unrest continues (and one consequence is a disruption of alt-coin mining in that country). The UK’s NHS warns of unknown threat actors exploiting Log4j bugs in unpatched VMware Horizon servers. In the US, CISA continues to assist Federal agencies with Log4j remediation, and observers call for more Government support of open-source software security. A major provider of school websites is hit with ransomware. Our guest is John Belizaire of Soluna Computing with a new approach to data center efficiency. Thomas Etheridge from CrowdStrike on supply chain risks. And the US extends the deadline to apply for grants in support of rip-and-replace.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/5

Log4j and industrial control systems. Regulators consider the software supply chain. Malsmoke hits an old vulnerability. Social engineering via Google Docs. Call spoofing and robocalls. Jan 06, 2022

ICS vendors address Log4j vulnerabilities. Regulators and legislators think about addressing issues in the software supply chain. Ransomware gangs were quick to exploit Log4shell. An old, and patched, Windows vulnerability is being exploited by the Malsmoke gang. Social engineering of Google Docs users is up. Mr. Klyshin pleads not guilty. Robert M. Lee from Dragos makes the case for salary transparency. Our guest is George Gerchow from Sumo Logic with new approaches for the modern threat landscape. And call spoofing is making robocalls moderately more plausible.

For links to all of today's stories check out our CyberWire daily news briefing:

https://thecyberwire.com/newsletters/daily-briefing/11/4

CISA reports progress on Log4j. The FTC warns US businesses about taking Log4j risk mitigation seriously. Gangland updates, and some notes on hybrid war. Jan 05, 2022

CISA says US Federal agencies are now largely in compliance with Log4j risk mitigation guidance. The FTC issues advice and a warning on Log4j to US businesses. A skimmer is installed through cloud-delivered video. The Vice Society’s ransomware is meddling with supermarket operations in the UK. The Atlantic Council offers advice on strategy for the grey zone. Hacktivists are expected to punish greenwashing in 2022. Caleb Barlow on recent FBI PIN about how ransomware operators are looking for material non-public information to improve their chances of being paid. Our guest is Helen Patton from Cisco on her book, Navigating the Cybersecurity Career Path. And James Pond is the CEO of hybrid war!

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/11/3

Log4j issues persist. Konni RAT found in New Year’s greetings. Hacktivism or state-directed cyber action? Moscow worries about Mr. Klyushin’s knowledge. The Show-Me-Too-Much State. Jan 04, 2022

It’s going to take time, vigilance, and attention to detail to manage the Log4j risks. A North Korean APT is trying to install the Konni RAT into Russian diplomats’ devices. More hacktivist-looking incidents follow the anniversary of Iranian General Soleimani’s death. Other, self-inflicted, software supply chain incidents. The Kremlin is said to be worried about what Mr. Klyushin might tell the Americans who’ve got him in jail. Ben Yelin on the tension between ephemeral messaging apps and the public’s right to know. Mr Security Answer Person John Pescatore joins our show. And the Show-Me state needs to rethink all that showin’.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/11/2

Log4j updates, including an Aquatic Panda sighting. Cyberattacks hit news services in Norway, Israel, and Portugal. Addressing Y2K22. Jan 03, 2022

Aquatic Panda has been found working Log4shell exploits against an academic institution. Apache fixes new Log4j issues reported last week, and Microsoft also updates Windows Defender to address Log4j risks. Cyberattacks, criminal or hacktivist in motivation, hit news outlets around the new year. Microsoft works on fixing a Y2K22 bug in on-premise Exchange Server. Andrea Little Limbago from Interos on technology spheres of influence. Our guest is Mark Dehus from Lumen’s Black Lotus Labs with DDoS insights. And CISA issues some ICS security advisories.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/11/1

Dr. Rois Ni Thuama: Get into the game. [Cyber governance] [Career Notes] Jan 02, 2022

Head of Cyber Governance with Red Sift, Dr. Rois Ni Thuama shares the circuitous route of her career into cyber governance. She notes the route "looks really clean, but actually it was a bit more Jeremy Bearimy." While at Trinity College, Rois was moved to be part of history unfolding in South Africa and pause her studies. While there, she began making music videos and wildlife documentaries. Upon her return to London, Rois started working in corporate governance and risk at a music technology startup. This ignited her enthusiasm for startups. She now works in a company with several coworkers from that tech startup doing cyber governance. Rois advises law students of many ways into the industry including doing coding, learning risk management, and understanding privacy legislation, and then "just get into the game." We thank Rois for sharing her story.

Cybersecurity predictions for 2022. [CyberWire-X] Jan 02, 2022

Industry experts discuss their cybersecurity predictions for 2022, what trends and attacks will be most prevalent in the year ahead, and how organizations should be preparing for the new year.

In this show, we cover what they think the industry might see in 2022 (and some we probably won't see). The CyberWire's Rick Howard speaks with Hash Table member Kevin Magee, Chief Security Officer at Microsoft Canada, and show sponsor Keeper Security's CTO & Co-Founder Craig Lurey joins The CyberWire's Dave Bittner on this CyberWire-X and shares his insights on the topic.

Encore: When big ransomware goes away, where should affiliates go? [Research Saturday] Jan 01, 2022

Our guest Doel Santos, Threat Research Analyst at Palo Alto Networks, joins Dave Bittner to talk about Unit 42's work on "Ransomware Groups to Watch: Emerging Threats." As part of Unit 42’s commitment to stop ransomware attacks, they monitor the activity of existing groups, search for dark web leak sites and fresh onion sites, identify up-and-coming players and study tactics, techniques and procedures. During their operations, Unit 42 observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future. Doel discusses these (AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0) with Dave.

The research can be found here:

Ransomware Groups to Watch: Emerging Threats

CyberWire Pro Interview Selects: Jaclyn Miller from NTT, Ltd. Dec 31, 2021

During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Jaclyn Miller from NTT, Ltd. on diversity, inclusion and remote access security. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

CyberWire Pro Interview Selects: Sir David Omand. Dec 30, 2021

During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Sir David Omand, former GCHQ Director, on his book, How Spies Think: Ten Lessons in Intelligence.. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

CyberWire Pro Interview Selects: Zan Vautrinot on boards. Dec 29, 2021

During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with Zan Vautrinot about boards. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

CyberWire Pro Interview Selects: Bill Wright of Splunk. Dec 28, 2021

During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Bill Wright of Splunk on the ongoing geopolitical ransomware trend. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

CSO Perspectives: Pt 2 – Mitre ATT&CK: from the Rick the Toolman Series. Dec 27, 2021

In this “Rick the Toolman” episode, Rick interviews Steve Winterfeld, from Akamai, on the current state and future of the Mitre ATT&CK Framework.

For a complete reading list and even more information, check out Rick’s more detailed essay on the topic.

Encore: Andrew Hammond: Understanding the plot. [Historian and Curator] [Career Notes] Dec 26, 2021

Historian and Curator at the International Spy Museum. Dr. Andrew Hammond, shares how he came to share the history of espionage and intelligence as a career. Starting out in the Royal Air Force when 9/11 happened, Andrew found himself trying to understand what was going on in the world. Studying history and international relations gave him some perspective and led him on his career path which included an introduction to museum industry at the 9/11 Museum. After a stint in academia in the UK, Andrew found his way back to the US and eventually ended up at the International Spy Museum in Washington, DC. He said one of the "greatest parts of the job being able to engage with the artifacts" and share their stories. We thank Andrew for sharing his story with us.

CyberWire Pro Research Briefing from 12/21/2021. Dec 25, 2021

Enjoy a peek into CyberWire Pro's Research Briefing as the team is off taking our long winter's nap. This is the spoken edition of our weekly Research Briefing, focused on threats, vulnerabilities, and consequences, as they’re played out in cyberspace. This week's headlines: US Commission on International Religious Freedom reportedly hacked. Sophistication of NSO exploit on par with nation-state tooling. Conti ransomware actors exploit Log4Shell. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

The CyberWire: The 12 Days of Malware. Dec 25, 2021

Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect!

The 12 Days of Malware lyrics

On the first day of Christmas, my malware gave to me:

A keylogger logging my keys.

On the second day of Christmas, my malware gave to me:

2 Trojan Apps...

And a keylogger logging my keys.

On the third day of Christmas, my malware gave to me:

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the fourth day of Christmas, my malware gave to me:

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the fifth day of Christmas, my malware gave to me:

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the sixth day of Christmas, my malware gave to me:

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the seventh day of Christmas, my malware gave to me:

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the eighth day of Christmas, my malware gave to me:

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the ninth day of Christmas, my malware gave to me:

9 Rootkits rooting...

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the tenth day of Christmas, my malware gave to me:

10 Darknet markets...

9 Rootkits rooting...

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days! (Bah-dum-dum-dum!)

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the eleventh day of Christmas, my malware gave to me:

11 Phishers phishing...

10 Darknet markets...

9 Rootkits rooting...

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days! (Bah-dum-dum-dum!)

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

On the twelfth day of Christmas, my malware gave to me:

12 Hackers hacking...

11 Phishers phishing...

10 Darknet markets...

9 Rootkits rooting...

8 Worms a wiping...

7 Scripts a scraping...

6 Passwords spraying...

5 Zero Days!

4 Crypto scams...

3 Web shells...

2 Trojan Apps...

And a keylogger logging my keys.

CyberWire Pro Interview Selects: Hatem Naguib of Barracuda Networks. Dec 24, 2021

During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Hatem Naguib, new CEO of Barracuda Networks, to discuss his views on how cybersecurity trends have drastically changed over the past year, including the rise of ransomware. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

Log4j updates, including one deadline. Other, non-Log4j, challenges. RSAC postpones itself until June. A German court awards pain-and-suffering damages in a breach case. Dec 23, 2021

An update of where things stand with respect to the Log4j vulnerabilities, and a reminder that there are other matters to attend to as well. RSAC postpones its annual security shindig to June, hoping to avoid the COVID. A German court awards pain-and-suffering damages for a data breach. Carole Theriault looks at hiring challenges in cyber. Robert M. Lee from Dragos with insights from his own entrepreneurial journey. And a new start-up seeks to take lemons and make them into lemonade.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/245

The Five Eyes have some joint advice on detecting, defending against, and responding to Log4j exploitation. Notes on ransomware, espionage, and cyber conflict. Dec 22, 2021

More criminals exploit vulnerabilities in Log4j. The Five Eyes issue a joint advisory on Log4j-related vulnerabilities, as other government organizations look into defending themselves against Log4shell. Ransomware updates. Russo-Ukrainian tensions rise, as does the likelihood of Russian cyberattacks against its neighbor. Uganda and NSO Group’s troubles. CISA issues six ICS advisories. Malek Ben Salem explains synthetic voices. Our guest is Dr. David Lanc from Ionburst on embracing Data Out protection. And some advice on how to be the family help desk and CISO during the holiday season.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/244

Belgium’s MoD suffers Log4shell attack. A man-in-the-middle concept. APT activity. Five Russians face US charges (one’s in custody). Fortunes of coin-mining. Holiday greetings from CISA and the FBI. Dec 21, 2021

Belgium’s Ministry of Defense comes under attack via Log4j vulnerabilities. A cellular handover, man-in-the-middle exploit is described by researchers. The FBI says an APT group is exploiting unpatched Zoho ManageEngine Desktop Central servers. The US charges five Russian nationals with a range of cybercrimes. Coin-miners in China feel some heat. Ben Yelin describes a Meta lawsuit targeting anonymous phishers. Our guest Todd Carroll of CybelAngel explains the shifting tactics of “troll farms”. And, Grinchbots aside, CISA and the FBI offer holiday greetings and advice.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/243

Log4j: new exploitation, new mitigations, new risk assessments. Service interruptions, Space Force’s capture-the-flag, and official interventions. Dec 20, 2021

Updates on Log4j vulnerabilities: new exploitation, new mitigations, new risk assessments, some good advice from the NCSC, and from Betsy Carmelite and Mike Saxton, analysts at Booz Allen Hamilton. Kronos interruptions continue into the holiday season. NCA shares compromised passwords with Have I Been Pwned. A power grid security exercise in Ukraine, AWS outage last week put down to congestion. Hack-A-Sat promises more transparency. Tis the season for charity scams, as Carole Theriault reports. And the SEC wants financial services companies to use proper channels, not, say, WhatsApp and personal email.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/242

Ed Amoroso: Security shouldn't be the main dish. [Computer Science] [Career Notes] Dec 19, 2021

Chief Executive Officer and Founder of TAG Cyber, Ed Amoroso, shares how he learned on the job and grew his career. In his words, Ed "went from my dad having an ARPANET connection and I'm learning Pascal, to Bell Labs, to CISO, to business, to quitting, to starting something new. And now I'm riding a new exponential up and it's a hell of a ride." Hear from Ed how he sees security as a side dish that you'll progress into naturally once you've paid your dues and mastered a skill like networking, software or databases. We thank Ed for sharing his story with us.

Discovering ChaosDB, a critical vulnerability in the CosmosDB. [Research Saturday] Dec 18, 2021

Guests Sagi Tzadik and Nir Ohfeld of cloud security company Wiz join Dave to discuss their research "ChaosDB: How we hacked thousands of Azure customers’ databases." Nearly everything we do online these days runs through applications and databases in the cloud. While leaky storage buckets get a lot of attention, database exposure is the bigger risk for most companies because each one can contain millions or even billions of sensitive records. Every CISO’s nightmare is someone getting their access keys and exfiltrating gigabytes of data in one fell swoop.

Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer’s environment. In this case, customers were not at fault.

The research can be found here:

Log4j updates, with a side of Fancy Bear. Roots of Huawei’s career as a security risk. Tropic Trooper is back. Meta boots “cyber mercenaries.” Other cyberespionage incidents. Dec 17, 2021

It seems that Fancy Bear may be interested in Log4shell after all. CISA issues Emergency Directive 22-02, which addressed Log4j. Huawei’s reputation as a security risk may be traceable to a 2012 incident in an Australian telco’s networks. Tropic Trooper is back, and interested in transportation. Meta kicks out seven “cyber mercenary” surveillance outfits. PseudoManusrypt looks curiously indiscriminate. Johannes Ullrich from SANS Technology Institute on making the great Chinese firewall work for you. Our guest is Terry Halvorsen from IBM on next-gen cybersecurity efforts to fix the cybersecurity inequity. And the US Commission on International Religious Freedom is reportedly hacked.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/241

Log4Shell exploited by criminals and intelligence services. Private sector offensive cyber capabilities. Noberus ransomware used in double-extortion attacks. Squid Game phishbait. Dec 16, 2021

Log4Shell is exploited by criminals and intelligence services. Private sector offensive cyber capabilities are on par with nation-states. Noberus ransomware is used in double-extortion attacks. Malek Ben Salem from Accenture looks at cyber twins. Our guest is Tom Kellermann from VMware with reaction to CISA’s Binding Operational Directive. And Squid Game phishbait.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/240

Log4j and Log4shell updates. Cyberespionage and C2C market developments. Patch Tuesday notes. And how do you pronounce that, anyway?. Dec 15, 2021

A second vulnerability is found and fixed in Log4j as both criminals and nation-state intelligence services increase their exploitation of Log4shell. Iranian intelligence services have been actively conducting cyberespionage against a range of targets in the Middle East and Asia. Andrea Little Limbago from Interos checks in on supply chain issues. Our guest is Suzy Greenberg from Intel with a look ahead toward the coming year. A quick look back at Patch Tuesday, and, finally, some musing on literacy, orality, and the way you pronounce stuff people tweet about...

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/239

Log4Shell updates. Payroll provider disrupted by ransomware. Companies supporting surveillance distance themselves from the business. Cybercrime and IRL punishment. Dec 14, 2021

An update on the Log4shell, and how it’s being exploited in the wild. A ransomware attack disrupts a cloud-based business service provider. NSO Group is said to be considering selling off its Pegasus unit. A marketing presentation suggests Huawei has been deeply implicated in providing tools for Chinese repression. Nigeria’s cyber gangs are actng like Murder, Inc. An arrest in Romania, sentences in Germany. Joe Carrigan looks at the language of cyber security. Our guest Brad Hawkins of SaferNet wonders if digital privacy even exists anymore. And news from Mars.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/238

Updates on Log4shell, now being exploited in the wild. India PM’s Twitter account is hijacked. Extortion at Brazil’s Ministry of Health and Volvo. Phishing sites’ lifespan. Sentence passed. Dec 13, 2021

The Log4shell vulnerability is trouble, and its remediation isn’t going to be quick or easy. In India, Prime Minister Modi’s Twitter account was hijacked. Official Brazilian COVID vaccination data bases are stolen and rendered unavailable. Extortionists claim to have taken sensitive, proprietary R&D information from Volvo. Phishing sites appear and vanish in a matter of hours. Rick the Toolman Howard expands his cast of characters. Robert M. Lee from Dragos shines a light on solar storms and risk management. And sentence is passed in a case related to the Kelihos botnet.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/237

Hannah Kenney: Focused on people. [Risk] [Career Notes] Dec 12, 2021

Manager in BARR Advisory's Cyber Risk Advisory Practice, Hannah Kenney, shares her journey from never considering technology as a career to having it click in an informations systems class in college. After noticing she was the only one in the room who enjoyed the lecture, Hannah knew she wanted to go down the technology route. In talking about her work, Hannah describes it as creative problem solving. She hopes "people see me as someone who viewed cybersecurity and risk as something that is focused on people first and foremost." We thank Hannah for sharing her story with us.

FIN7 repositioning focus into ransomware. [Research Saturday] Dec 11, 2021

Guest Ilya Volovik, Team Lead of Cyber Intelligence at Gemini Advisory, discusses his team's work on "FIN7 Recruits Talent For Push Into Ransomware." The cybercriminal group FIN7 gained notoriety in the mid-2010s for large-scale malware campaigns targeting the point-of-sale (POS) systems. In 2018, Gemini Advisory reported FIN7’s compromise of Saks Fifth Avenue and Lord & Taylor stores and the subsequent sale of over 5 million payment cards on the dark web. According to the US Department of Justice, the broader FIN7 carding campaigns have resulted in the theft of over 20 million payment card records and cost victims over $1 billion, making FIN7 one of the most infamous and prolific cybercriminal groups of the last decade. Now with ransomware proving to be cybercriminals’ preferred high-profit, jackpot venture, FIN7 has redeployed their expertise and capacity towards ransomware, with reports indicating that the group was involved in attempted ransomware attacks on US companies as early as 2020. Furthermore, despite focus from law enforcement and the arrest of four FIN7 members from 2018 to 2020, FIN7’s continued activity shows that the group remains a powerful, active threat.

The research can be found here:

FIN7 Recruits Talent For Push Into Ransomware

Cyberespionage in Southeast Asia. Two young extortion gangs make their bones. Bot-herders like MikroTik devices. Log4Shell zero-day exploited in the wild. Update on the Assange case. Dec 10, 2021

Cyberespionage in support of Belt and Road, and of Beijing’s claims in the South China Sea. Karakurt ransomware skips the encryption and goes right to the doxing. Black Cat ransomware is rising. Vulnerable MikroTik devices are bot-herders’ favorites. The Log4Shell zero-day is being exploited in the wild, and will be a tough one to remediate. Julian Assange moves closer to extradition. Johannes Ullrich on changing user behavior. Our guest is Oliver Rochford of Securonix on the affordability of good security. And shoulder-surfing as a threat to Snapchat users.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/236

Ransomware gangs, paycard skimmers, and Grinchbots. Russia blocks Tor, and the US Senate holds hearings on social media and its arguably malign influence on youth. Dec 09, 2021

Conti continues, undeterred. Magecart skimmers are infesting WooCommerce instances. Users are finding url redirection attacks difficult to detect. A quick look at the workings of the Hive ransomware gang. Russia blocks Tor. The US Senate holds hearings on social media and adolescent mental health. Dinah Davis from Arctic Wolf on assessing your security posture. Our guest Neal Dennis of Cyware discusses Automation And Unification. And Grinchbots are still prowling for presents.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/235

AWS resolves service issues. A summit stand-off. Dark web chatter, and arbitrage courts in the C2C world. Looking for stolen or lost alt-coin. Dec 08, 2021

Amazon resolves its Tuesday outage as observers wonder about cloud risks. A stand-off at the Russo-American summit, but chatter in the dark web suggests that the Russophone underworld is feeling uneasy. A look at the arbitrage process that governs the criminal-to-criminal market. Carole Theriault reads the fine print. Andrea Little Limbago looks at global regulatory regimes. A DeFi platform asks for its stolen money back, and a guy looks for his private key in a physical garbage dump.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/234

The Russo-US summit is expected to take up tension over Ukraine and tensions in cyberspace. Microsoft disrupts APT15. Google disrupts Glupteba. Satoshi Nakamoto is...out there still? Dec 07, 2021

Notes on today’s Russo-America summit. Microsoft seizes websites used by the Chinese threat actor Nickel. Google takes technical and legal action against a Russian botnet. Ben Yelin unpacks Australia’s aim to uncover online trolls. Our guest is Ed Amorosa from TAG Cyber. And the real Satoshi Nakamoto has yet to stand up--just ask a Florida jury.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/233

Hot wallets hacked. Pegasus found in US State Department personnel’s phones. Cozy Bear update. Cybersecurity on the Russo-US summit agenda. US Cyber Command says it’s imposing costs. Dec 06, 2021

Cryptocurrency exchange loses almost $200 million as two hot wallets are compromised. Phones belonging to US State Department personnel concerned with Uganda are found to have been infected with NSO Group’s Pegasus surveillance technology. Mandiant reports recent activity by the threat group thought responsible for the SolarWinds compromise. Cybersecurity will be on the agenda at tomorrow’s Russo-US summit. Caleb Barlow outlines threats to the Winter Olympics. Rick the-toolman Howard looks at the marketing hype-cycle. And US Cyber Command says it’s been imposing costs.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/232

Rediscover trust in cybersecurity: A women in cybersecurity podcast. [Special edition] Dec 05, 2021

It's important for employees to be brought into the fold as security's allies, rather than as its adversaries. For cybersecurity teams that operate with an adversarial mindset appropriate for external threats, it can be challenging to approach internal threats differently. You can't treat employees the same way you treat nation-state hackers. But employees play a pivotal role in preventing data leaks, making it important to create a company-wide culture of transparency. Transparency feeds trust, which builds a strong foundation for Security Awareness Training to be truly effective.

The CyberWire's Jennifer Eiben hosts this women in cybersecurity podcast. Kathleen Smith of ClearedJobs.Net moderates the panel. Panelists include Michelle Killian from Sponsor Code 42, Sam Humphries of Exabeam, and Masha Sedova of Elevate Security.

Ryan Kovar: Everyday, assume compromise. [Strategy] [Career Notes] Dec 05, 2021

Distinguished Security Strategist at Splunk, Ryan Kovar, shares his journey that started in the US Navy and how it contributed to his leadership in life after the military. Cutting his teeth as sysadmin on the USS Kitty Hawk, Ryan worked as a contractor following the Navy. At Splunk, he leads the SURGe research team to solve what he calls the "blue collar for the blue team problems". He works hard on incorporating diversity of thought. Ryan notes, "I've been doing cybersecurity or IT now for over 20 years and of that 20 years of knowledge, only about five years of that knowledge is really relevant. You can't sit on your laurels in this industry." We thank Ryan for sharing his story with us.

Getting in and getting out with SnapMC. [Research Saturday] Dec 04, 2021

Guest Christo Butcher of NCC Group's Research and Intelligence Fusion Team discusses their research into a cybercriminal group they dubbed SnapMC. Forget ransomware, too expensive and too much hassle. Randomly enter through a known vulnerability, take a look around, lock away data and leave again. And all that within half an hour: hit & run. An email is then sent to the affected organization: pay or else the stolen data will be published and/or sold.

This is the opportunistic approach of a new group of blackmailers who don't even bother to encrypt data. NCC Group has given them the name SnapMC: a combination of 'snap' (a sudden, sharp cracking sound or movement) and MC, from mc.exe, the primary tool they use to exfiltrate data. They have only seen SnapMC's attacks in the Netherlands for the time being. They do not target specific sectors and we have not (yet) been able to associate them with known attackers.

The research can be found here:

Espionage phishbait in South and Southwest Asia. A utility recovers from a cyber incident. GAO tells the US Congress cyber strategy is wanting. Investigations, Moscow and Missouri style. Dec 03, 2021

SideCopy, a Pakistani APT, is phishing for information in both India and Afghanistan. A Colorado electrical utility continues to recover from a cyber incident it sustained early last month. The GAO tells the US Congress that the nation still lacks a comprehensive cybersecurity strategy. The Missouri Highway Patrol continues, for some reason, to investigate a responsible disclosure as a criminal hack. Dinah Davis from Arctic Wolf on hackers targeting Minecraft. Our guest is Blake Darché from Area 1 Security with research on phishing. And it appears Moscow thinks a Group-IB leader outed Fancy Bear to the US.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/231

More APT activity. Brigading, Mass Reporting, and Coordinated Inauthentic Behavior. CISA names the CSAC members. Cybercriminals sentenced. A whistleblower with an ulterior motive? Dec 02, 2021

An APT is exploiting Internet-facing instances of ServiceDesk Plus. Meta releases its end-of-year Adversarial Threat Report, and adds “Brigading” and “Mass Reporting” to “Coordinated Inauthentic Behavior” as activities that will get accounts shut down. CISA names the first members of its Cybersecurity Advisory Committee. Sentencing, American and Russian style. Malek Ben Salem has a look at cyber resilience. Our guest is PJ Kirner from Illumio with a look ahead to 2022. And an alleged false whistleblower is under indictment, and under arrest.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/230

Trends among the APTs. Imaginary times and imaginary places. Flubot in Finland. Emotet false alarms in Office. Smishing for Iranian Android users. CISA’s ICS advisories. Moscow on cybercrime. Dec 01, 2021

RTF template injection is newly favored by APTs. Malware hides in February 31st. Milords and miladies, the Principality of Sealand hath been hacked. Finland's National Cyber Security Center warns of a large-scale Flubot campaign in progress. False alarms are flagging Emotet where it isn’t found. Iranians victimized by a smishing campaign. CISA issues industrial control system advisories. Kevin Magee from Microsoft is really trying to rid the world of passwords. Our guest is Mike Hendrickson of Skillsoft to discuss turning the tide in this fight against cybercrime. And Mr. Putin says Russia’s in favor of international cooperation against cybercrime.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/229

Cybercrime and the criminal-to-criminal markets that support it during the holiday shopping season. Shaming as a pressure tactic. Living large, even when living on the lam. Nov 30, 2021

Today, it’s all crime all the time. Cybercrime, the C2C underground market, and the expansive holiday shopping season. Rebranding in gangland. How crooks exclude targets on the basis of language or geolocation. Shaming as a criminal pressure tactic. Bad apps in the Play Store. Andrea Little Limbago looks at internet blackouts. Carole Theriault wonders what the Metaverse really means. And living large while living on the lam.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/228

Reply-chain attacks. Intelligence services go phishing. Civilian targets hit in Israeli-Iranian cyber conflict. The Entity List expands. Russo-Ukrainian tensions rise. Nov 29, 2021

A reply-chain incident is reported at a major international furniture and housewares retailer. North Korean operators are phishing for South Korean marks using bogus Samsung recruiting emails as phishbait. Fancy Bear has been seen pawing at Gmail. A regional escalation to civilian targets in the cyber conflict between Iran and Israel. More organizations are added to the US Entity List. Johannes Ullrich looks at decrypting Cobalt Strike. Our own Rick Howard wonders if executive really need to know how to drive that tank. And tension between Russia and Ukraine continues to rise.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/227

Anisha Patel: Right along with them. [Program management] [Career Notes] Nov 28, 2021

Associate Director at Raytheon Intelligence and Space in the Cyber Protection Services Division Anisha Patel always loved math and it defined her career journey. As a first-generation American from an Asian household, Anisha said she was destined for a STEM-focused career and chose electrical engineering. She began her career and remains at Raytheon (formerly E-Systems) working in several areas of the business thanks to her skills and informal mentors. Starting a rotational assignment in program management (7 years ago), Anisha said she "went to the dark side and then the hole closed and there I ended up." Anisha talks about the need to bring diversity of thought into the industry and adds to her team with this in mind. We thank Anisha for sharing her story with us.

CyberWire Pro Research Briefing from 11/23/2021 Nov 27, 2021

Enjoy a peek into CyberWire Pro's Research Briefing as the team is off recovering from our Thanksgiving feasts. This is the spoken edition of our weekly Research Briefing, focused on threats, vulnerabilities, and consequences, as they’re played out in cyberspace. This week's headlines: Iranian threat actors target the IT supply chain. North Korean cyberespionage. More information on Emotet's return. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

CyberWire Pro Interview Selects: Carolyn Crandall of Attivo Networks. Nov 26, 2021

Our team decided to extend our Thanksgiving holiday and thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview October 27th, 2021 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect AD. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.

Misdirection and layering with a con in the middle. [Hacking Humans Goes to the Movies] Nov 25, 2021

Thanks for joining us for our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies.

Links to this episode's clips if you'd like to watch along:

Joe's clip from "The Simpsons: Father and Son Grifting" episode
Rick's pick from "Paper Moon"

Phishing in the Iranian diaspora. Not your grandma and grandpa’s crytper. Malware-as-a-service. Proofs-of-concept (one is a zero-day). Apple sues NSO Group. Nov 24, 2021

An apparent cyberespionage campaign targets the Iranian diaspora. Babadeda is an emerging crypter seeing use against alt-coin and NFt speculators. RATDispenser is out in the wild, a malware-as-a-service operation. Proofs-of-concept published for Microsoft exploits. Apple sues NSO Group. Group-IB’s founder asks President Putin for clemency. Caleb Barlow on the difference between working for a company that is funded by VCs, PEs, angels or is public. Our guest today is Karl Sigler from Trustwave on the results of the 2021 Trustwave SpiderLabs Telemetry Report. And there’s a guilty plea in the Wolf of Sophia case.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/226

Tardigrade malware infests the US biomanufacturing sector. GoDaddy suffers a significant data breach. Facebook Papers to be reviewed and released. NSO Group’s troubles. Nov 23, 2021

Tardigrade malware infests the US biomanufacturing sector. GoDaddy suffers a significant data breach. A Gizmodo-led consortium will review and release the Facebook Papers. Ben Yelin on our privacy rights during emergency situations. Our guest is Ric Longenecker of Open Systems to discuss how ransomware attacks represent the number one threat for universities. And NSO Group may not recover from current controversy over its Pegasus intercept tool.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/225

Stealing from the best? An enigma in the criminal-to-criminal market. CISA’s holiday caution. Someone’s impersonating the SEC. Three weekend cyberattacks. Nov 22, 2021

The Lazarus Group seems interested in learning from, by which they mean stealing from, some of the world’s leading state-sponsored cyber operators. Void Balaur remains an enigma, but it’s not the only player in the C2C market. CISA and the FBI warn all, but especially critical infrastructure operators, to remain alert during the holidays. Some scammers are impersonating the US SEC. Dinah Davis from Arctic Wolf on what security gifts to get your family this year. Our guest today is Carole Theriault on online gaming during the pandemic. And cyberattacks are reported on an airline, a utility, and a manufacturer of wind turbines.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/224

MK Palmore: Lead from where you stand. [CISO] [Career Notes] Nov 21, 2021

Director of Google Cloud's Office of the CISO, MK Palmore, dedicated much of his life to public service and now brings his experience working for the greater good to the private sector. A graduate of the US Naval Academy, including the Naval Academy Prep School that he calls the most impactful educational experience of his life, MK commissioned into the US Marine Corps following his service academy time. He joined the FBI and that is where he came into the cybersecurity realm. MK is passionate about getting more diversity, equity and inclusion into industry. We thank MK for sharing his story with us.

How ransomware impacts organizations. [CyberWire-X] Nov 21, 2021

As ransomware attacks rapidly rise in frequency, eye-popping ransom demands grab headlines, and consumers experience product shortages and difficulty accessing services as the organizations they do business with are knocked offline. However, little is reported about the impact of a ransomware attack inside an organization. However, little is reported about the impact of a ransomware attack inside an organization.

In this show, we cover what steps organizations are taking now to prepare for a ransomware attack and what happens to an organization on that especially bad day when ransomware comes calling. The CyberWire's Rick Howard speaks with Hash Table member Don Welch, Vice president for Information Technology and Global Chief Information Officer at New York University, and show sponsor Keeper Security's CEO & Co-Founder Darren Guccione joins The CyberWire's Dave Bittner on this CyberWire-X as they share their expertise on the topic.

Using bidirectionality override characters to obscure code. [Research Saturday] Nov 20, 2021

Guests Nicholas Boucher and Ross Anderson from the University of Cambridge join Dave Bittner to discuss their research, "Trojan Source: Invisible Vulnerabilities." The researchers present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. ‘Trojan Source’ attacks, as they call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. They present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. They propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack.

The project website and research can be found here:

Software supply chain threats. Recent Iranian cyber operations. Banking disclosure rules. ICS updates. UK, US announce closer cooperation in cyberops. A real, literal, evil maid? Nov 19, 2021

Software supply chain incidents: FatPipe, PyPi, and IT services generally. A look at recent Iranian operations. The US Federal Reserve publishes its disclosure rules for banks sustaining cyber incidents. CISA issues a set of ICS advisories. Two of the Five Eyes announce plans for continued, even closer cooperation in cyberspace. Johannes Ullrich on attackers abusing "PAM" (Plug Authentication Modules). Our guest is Hatem Naguib, CEO at Barracuda Networks. And a real evil maid seems to have been out and about in Tel Aviv.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/223

Developments in cyber gangland, and the increasingly complicated entanglement of crooks and spies. Selling confiscated alt-coin to compensate fraud victims. Nov 18, 2021

Red Curl is a Russophone gang with an unusual target list. North Korea’s TA406 is having a busy year, hacking for intelligence and for profit. Wicked Panda’s getting good at code-signing, and software supply chain attacks are in Beijing’s long-term plans. A spearphishing campaign abuses legitimate collaboration tools. Kevin Magee from Microsoft has an insider’s look at Windows 11 security. Our guest is Kevin Bocek of Venafi to discuss Security Software Build Environments. And selling confiscated cryptocurrency to compensate victims of scams.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/222

CISA and its partners warn of Iranian cyber ops. Cyberespionage in the Middle East with Candiru tools. Belarus connected to Ghostwriter. Facebook boots SideCopy. RAMP recruits members. Nov 17, 2021

CISA, the FBI, the ACSC, and the NCSC issue a joint advisory warning of an Iranian cyber campaign exploiting known vulnerabilities in Fortinet and Microsoft Exchange. A Belarusian connection to Ghostwriter. Candiru tools reported in watering holes. SideCopy’s interest in Afghanistan. RAMP shows an interest in attracting Chinese operators. Josh Ray from Accenture Security digs into the CONTI playbook leak. Our guest is Matt Keeley from Bishop Fox on fuzzing. And Pompompurin wants to sell you leaked Robinhood data.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/221

Threats and vulnerabilities, old and new, include Emotet and Mirai. CISA advises of DDS vulnerabilities. Arrest in a revenge porn case. Nov 16, 2021

Older threats, including Emotet and Mirai, are out and about, and an old vulnerability, Rowhammer, gets a fresh proof-of-concept. A new banking Trojan threatens Europe. Intel works on vulnerabilities. CISA advises awareness of recently reported DDS vulnerabilities. Joe Carrigan explains how spearphishers are using customer complaints as bait. Rick Howard epaks with Carlos Vega from Devo on Supply Chain issues. And an arrest is made in a Maryland revenge porn case.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/220

Official online channels hijacked in separate US, Philippine incidents. Update on MosesStaff, a ransomware group interested in politics, not profit. Costco breach. Ryuk money-laundering case. Nov 15, 2021

Exploitation of a configuration error in the FBI’s Law Enforcement Enterprise Portal enables hackers to send bogus warning emails. Philippine Office of Civil Defense Twitter account briefly hijacked. Update on Iranian politically motivated threat group MosesStaff. Discount retailer Costco discloses a point-of-sale skimmer incident. Dinah Davis from Arctic Wolf track zero days. Rick the Toolman Howard drops by the studio. And the US seeks extradition of a Russian alt-coin baron on charges of laundering Ryuk’s money.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/219

The real costs of ransomware in 2021, 2022, and beyond. [CyberWire-X] Nov 14, 2021

Ransomware: the problem that everyone is talking about, yet somehow continues to get worse with each passing year. In 2021, the cost of ransomware to global businesses is estimated to reach a whopping $20B. The problem has reached such a critical mass that it can no longer be cast away as some unknowable IT problem–everyone from cyber insurance providers to the federal government have taken note. The CyberWire's Rick Howard speaks with Hash Table member Kevin Ford of Environmental Systems Research Institute (ESRI), and ExtraHop's VP, GM of International and Global Security Programs, Mike Campfield, joins The CyberWire's Dave Bittner on this CyberWire-X for a retrospective on ransomware in 2021. Mike shares his predictions on how it will evolve in 2022 and beyond, and what controls enterprises can put into place to build their resilience to the growing threat.

Swati Shekhar: Challenges increase your risk appetite. [Engineering] [Career Notes] Nov 14, 2021

Ground Labs' Head of Engineering, Swati Shekhar, shares her circuitous route from and back to engineering. Always being interested in leveraging the tools available to solve problems, Swati talks about how she found her place in engineering. She mentions how she had her first real experience with a computer when she was 17 in her first year at college. Aside from being one of 30 young women in a sea of 500 young men there, Swati described it as a "good culture shock because anything that takes you out of your comfort zone actually makes you learn and grow." She notes that challenges experienced in life increase your risk appetite so significantly. Swati advises those looking to make a job change to be certain of what is attracting them and to be yourself. We thank Swati for sharing her story with us.

A glimpse into TeamTNT. [Research Saturday] Nov 13, 2021

Senior Intelligence Researcher at Anomali, Tara Gould, joins Dave to discuss their team's work on "Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server." Anomali Threat Research discovered an open server to a directory listing that they attribute with high confidence to the German-speaking threat group, TeamTNT.The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also hosted on the server.

This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools.

The research can be found here:

Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server

Tension in Eastern Europe. A Hong Kong watering hole. US, EU join the Paris Call. Cybermercenaries. CISA’s plans for countering disinformation, and for forming a white-hat hacker advisory group. Nov 12, 2021

Notes on rising international tension in Eastern Europe. A watering-hole campaign in Hong Kong. The US and the EU have joined the Paris Call. NSO Group’s prospective CEO resigns his position before formally assuming it. Void Balaur, a cybermercenary group, is active in the Russophone cyber underground. Johannes Ullrich on leaked vaccination cards and Covid tests. Our guest is Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect Active Directory. CISA intends to increase its capacity to work against misinformation and disinformation. CISA also intends to recruit white hat hackers to an advisory board.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/218

Let's go to the movies. [Hacking Humans Goes to the Movies] Nov 11, 2021

Welcome to a fun new project by the team who brings you Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series. They view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this first episode, Dave, Joe and Rick are watching Dave's and Joe's picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies.

Links to movie clips if you'd like to watch along:

Dave's pick from "The Grifters"
Joe's clip from "Matchstick Men"

Cyberespionage from Tehran. Clopp ransomware operators exploit vulnerable SolarWinds instances. Mercenaries and lawful intercept vendors. Patch Tuesday. Nov 10, 2021

Tehran’s Lyceum group expands its activities against ISPs and telcos in Israel, Morocco, Tunisia, and Saudi Arabia. Clopp is going after unpatched instances of SolarWinds. Cyber mercenaries are quietly competing with lawful intercept vendors. NSO Group receives a setback from the US 9th Circuit. Mexico makes an arrest in its Pegasus investigation. Carole Theriault shares her thoughts on the supply chain. Josh Ray from Accenture Security on Moving Left of the Ransomware Boom. And notes on Patch Tuesday.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/217

Ransomware hits an electronics retailer and a new-school financial services company. Updates on international action against REvil. Nov 09, 2021

Hive ransomware hits electronics retailer Media Markt. Robinhood Markets sustains a data breach it traces to social engineering. Ben Yelin looks at the law behind U.S. police demanding your phone passcode. Dave checks in with Rick Howard for his thoughts on the Trojan Source vulnerability. And more notes on the international action against REvil, including the US application of sanctions (with Baltic cooperation) to three companies involved in supporting the gang’s financial infrastructure.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/216

REvil operators arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaign. Nov 08, 2021

REvil operators arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaign. Conti (sort of) apologizes. Caleb Barlow thinks it’s time to re-think your security documentation. Our guest is Jessica Hetrick of Optiv Security on cyber fraud running rampant. And the FBI warns of ransomware attacks targeting casinos.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/215

Jamil Jaffer: You should run towards risk. [Strategy] [Career Notes] Nov 07, 2021

Senior Vice President for Strategy, Partnerships, and Corporate Development at IronNet Cybersecurity, Jamil Jaffer, shares how his interest in technology brought him full circle. Always a tech guy, Jamil paid he way through college doing computer support. Jamil went to law school and worked in various jobs in Washington DC including a stint in the newly-created National Security division of the Justice Department just after 9/11. When talking about adversity, Jamil notes, "Adversity has happened in life, but you gotta run at those things. To me, you know, I like risk. I think risk is something that a lot of people shy away from." We thank Jamil for sharing his story with us.

An incident response reveals itself as GhostShell tool, ShellClient. [Research Saturday] Nov 06, 2021

Guest Mor Levi, Vice President of Cyber Practices from Cybereason, joins Dave Bittner to discuss her team's work on "Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms." In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe.

The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. To learn more, listen to the episode.

The research can be found here:

Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms

$10 million reward for DarkSide info. BlackMatter members expected to resurface. Ukraine outlines Russia’s FSB cyber ops. Persistent engagement as deterrence. Arrest in Crossfire Hurricane inquiry. Nov 05, 2021

The US offers a reward of up to ten million dollars for information leading to the identification or location of the leaders of the DarkSide ransomware gang. Researchers expect BlackMatter’s nominally retired operators to resurface in other criminal organizations. Ukraine outlines Russian FSB cyber operations during the hybrid war that’s been waged since 2014. Deterrence in cyberspace. Carole Theriault takes on high value targets. Our guest is Bill Mann of Styra on rising compliance regulations and security drift. An arrest is made in Special Counsel Durham’s investigation.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/214

Britain’s Labour Party sustains a “data incident.” CERT-FR describes a new affiliate gang, Lockean. US, Russian intelligence chiefs discuss cybersecurity. Gas is flowing in Iran again. Start-ups honored. Nov 04, 2021

Britain’s Labour Party is affected by a ransomware incident a third-party provider sustained. ANSSI identifies a new ransomware affiliate gang, “Lockean.” Notes on how and why BlackMatter and REvil went on the lam. Russo-American talks discussed cybercrime and cybersecurity. Iran’s gas stations are fully back in business, following the cyber sabotage they sustained. Kevin Magee from Microsoft has highlights from their 2021 Digital Defence Report. Our guest is Ofer Ben Noon of Talon Cyber Security addressing browser vulnerabilities. And DataTribe has announced the winners of its fourth annual Cybersecurity Start-up Challenge.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/213

Ransomware gangs talk about retiring, and about deception. High-level Russo-American talks. US sanctions four spyware vendors. CISA tells US agencies to patch known, exploited vulnerbalities. Nov 03, 2021

The BlackMatter ransomware gang says that it’s retiring under pressure from the authorities. The spokesman for the Groove group says his gang doesn’t exist--he was just playing the media. Quiet, high-level talks held between senior US and Russian officials. The US Commerce Department sanctions four spyware vendors. Carole Theriault wonders if you can train yourself free of social engineering. Josh Ray from Accenture Security with insights from their Cyber Investigations and Forensic Response team. CISA tells Federal agencies to get patching.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/212

Trojan Source--a threat to the software supply chain. Ransomware goes to influence operations school. Triple extortion? Criminal target selection. Nov 02, 2021

Researchers describe Trojan Source, a hard-to-detect threat to the software supply chain. A ransomware gang takes a page from the information operator’s book. From double extortion to triple extortion, as other ransomware gangs add distributed denial-of-service to encryption and doxing. Criminals are now hacking on material, non-public information, the FBI warns. Joe Carrigan looks at multifactor adoption at Twitter. Our guest is Steve Ragan from Akamai on API security. And criminals hit healthcare providers in Newfoundland.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/211

Iranian officials blame the US and Israel for gas station cyber sabotage. A new direction for NSO? Cyber extortion, Minecraft phishing, and sugar daddies looking for sugar babies (sez they). Nov 01, 2021

Iran hasn’t finished investigating its gas station cyber sabotage, but Tehran is pretty sure the Great and Lesser Satans are behind it. NSO Group says it’s going in a new, nicer direction. The Conti gang hits a luxury jewelry dealer, and another, unknown group hits an upscale art dealership. The Chaos gang is after Minecraft players (players who cheat). Caleb Barlow on pre-breach pre-approvals. Rick Howard introduces sand tables in cyber space. And sugar daddies come to the world of advance fee scams.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/210

Jadee Hanson: Cybersecurity is a team effort. [CISO] [Career Notes] Oct 31, 2021

Jadee Hanson, CIO and CISO at Code 42, started her technology journey thanks to the help of a teacher in high school. She began college studying computer science and ended with a degree in computer information systems as it had more of the business side. Working in the private sector for companies such as Deloitte, Target and Code 42, Jadee gained experience and specialized in insider risk. She notes "utopia for me and my team is to get to a spot where the team is just firing on all cylinders and being really proactive about what's coming and what's changing." Jadee mentions she tries hard to do things that might scare her every day. For those interested in the field, especially young women, Jadee recommends they get involved and then stay curious. We thank Jadee for sharing her story with us.

Malware sometimes changes its behavior. [Research Saturday] Oct 30, 2021

Dr. Tudor Dumitras from University of Maryland and joins Dave Bittner to share a research study conducted in collaboration with industry partners from Facebook, NortonLifeLock Research Group and EURECOM. The project is called: "When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World." In the study, the team analyzed how malware samples change their behavior when executed on different hosts or at different times. Such “split personalities” may confound the current techniques for malware analysis and detection. Malware execution traces are typically collected by executing the samples in a controlled environment (a “sandbox”), and the techniques created and tested using such traces do not account for the broad range of behaviors observed in the wild. In the paper, the team shows how behavior variability can make those techniques appear more effective than they really are, and they make some recommendations for dealing with the variability.

The research and executive summary can be found here:

Iranian-Israeli cyber tensions rise. Decaf ransomware described. Philippine government phshbait. Unemployment due to cyberattack. Europol’s latest collars. Facebook rebrands as “Meta.” Oct 29, 2021

Tensions between Iran and Israel rise as sources in Tehran blame Israel for hacking gas stations, and as apparent Iranian hacktivists dox Israeli defense personnel. A new ransomware strain is discovered. A criminal group is spoofing emails from Philippine agencies. Europol and partners sweep up a cyber gang. Betsy Carmelite from BAH on convergence of 5G and healthcare. Our guest is Justin Wray from CoreBTS with a look at the security issues facing online gaming and casinos. And the company formerly known as Facebook rebrands as “Meta.”

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/209

The Malware Mash! Oct 29, 2021

Hacktivists or intelligence services in Iran? BOLO NIkolay K. Renouncing Conti, and all its empty promises. SEO poisoning. US cyber strategic intent. Oct 28, 2021

Iran continues its recovery from a cyberattack that disrupted subsidized fuel distribution. Wanted in Stuttgart (but living it up in Russia): ransomware kingpin Nikolay K. The Conti ransomware gang gets poor customer service notices. Food distribution is on the cybercriminals’ target lists. SolarMarker’s use of SEO poisoning. The US publishes a statement of strategic intent for its cybersecurity czar’s office. David Dufour from Webroot wonders if there’s any hope at slowing down malware. Our own Brandon Karpf describes the DoD’s Skillbridge program. And decryptors are made available for three ransomware strains.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/208

Coups and comms blackouts. Fuel sale sabotage in Iran. Wslink described. Operation Dark HunTor takes down a contraband market. FTC looks into Facebook. LockBit speaks. Oct 27, 2021

Sudan is under a blackout as a military junta consolidates control over the government. Iran says a cyberattack--unattributed so far--was responsible for disrupting fuel distribution in that country. A novel loader is discovered. Operation Dark HunTor takes down a darkweb contraband market. The US FTC is looking into Facebook’s privacy settlement. The LockBit gang talks, and it’s insufferable. Andrea Little Limbago from Interos on government internet interventions. Carole Theriault weighs in on Facebook glasses. And Halloween is another day closer.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/207

Ransomware and privateering, counteroffense and deterrence. The US State Department will reestablish its cyber office. And looking forward to Halloween. Oct 26, 2021

Notes on ransomware and privateering: Conti’s barking at its victims, someone’s exploiting billing software, and BlackMatter repeated some coding errors its DarkSide predecessor committed. GCHQ suggests that the UK will undertake a more assertive imposition of costs on cyber gangs. The US State Department will reestablish its cyber bureau. Software supply chain cyberespionage, and what can be done about it. Ben Yelin on school laptop privacy concerns. Our guest is David White of Axio to discuss Ransomware Preparedness. And some more scare-notes for Halloween.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/206

SolarMarket malware carried in some WordPress sites. Russian privateers don’t much like REvil’s takedown. The SVR in the supply chain. Malicious Squid Games app. Scary social media. Oct 25, 2021

SolarMarket infestations are up, and circulating through WordPress sites. More indications that REvil was taken down by a US-led but thoroughly international public-private partnership, and the other Russian privateers have their noses seriously out of joint. Russia’s SVR is getting busy in software supply chains. Criminals take advantage of the popularity of Squid Games. Dinah Davis from Arctic Wolf on how even hackers have internal politics. Rick Howard checks in with the Hash Table on compliance. And Halloween is coming: do you know what your apps are up to?

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/205

Mark Nunnikhoven: Providing clarity about security. [Cloud strategy] [Career Notes] Oct 24, 2021

Distinguished Cloud Strategist at Lacework, Mark Nunnikhoven, has gone from taking technology to its limits for his own understanding to providing clarity about security for others. Mark fell in love with his Commodore 128 and once he realized he could bend the machine to his will, it set him on the path to technology. While he had some bumps in the road, dropping out of high school and not following the traditional path in college, Mark did complete his masters in information security. His professional life took him from Canadian public service to the private sector where Mark noted the culture shift was an eye-opening experience. Mark always looks to learn something new and share that with others and that is evidenced as his includes teaching as a facet of his career. We thank Mark for sharing his story with us.

When big ransomware goes away, where should affiliates go? [Research Saturday] Oct 23, 2021

Our guest Doel Santos, Threat Research Analyst at Palo Alto Networks, joins Dave Bittner to talk about Unit 42's work on "Ransomware Groups to Watch: Emerging Threats." As part of Unit 42’s commitment to stop ransomware attacks, they monitor the activity of existing groups, search for dark web leak sites and fresh onion sites, identify up-and-coming players and study tactics, techniques and procedures. During their operations, Unit 42 observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future. Doel discusses these (AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0) with Dave.

The research can be found here:

Ransomware Groups to Watch: Emerging Threats

Counting coup against REvil (and other gangs are taking note). Export controls and dual use. A timing bug will surface this weekend. Oct 22, 2021

REvil’s troubles appear to be the work of an international law enforcement operation. Other gangs have noticed, and they’re looking a little spooked, even as they evolve their tactics in a maturing criminal-to-criminal market. Questions are raised about the efficacy of surveillance tool export controls. Caleb Barlow has cyber security considerations for CEOs and boards. Our guest is Mickey Boodeai of Transmit Security on the movement to do away with passwords. And if you liked Y2K, you’re going to love ten-twenty-four.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/203

Evil Corp identified as the threat actor behind ransomware attacks on Sinclair and Olympus. Privateering. Fin7’s front company. Sentencing in a bulletproof hosting case. Oct 21, 2021

Evil Corp is identified as the operator behind the ransomware that hit the Sinclair Broadcast Group and Olympus. The US Defense Department complains of Russian toleration for ransomware gangs. The Fin7 gang has set up a front company to recruit talent. Betsy Carmelite from Booz Allen Hamilton on building mission-driven 5G security with zero trust. Our guest is Robert Carolina on ethics. And sentences are handed down in a bulletproof hosting case.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/203

Cyberespionage campaign looks a lot like SIGINT collection. Magnitude gets more capable. VPN exploits solicited. Ransomware trends. Seven years for UPMC hacker. Plenty of Candy Corn coming. Oct 20, 2021

The LightBasin “activity cluster” has been active indeed against telecom infrastructure in what looks like an espionage campaign. The Magnitude exploit kit adds capabilities for hitting Chromium browsers. An exploit broker is interested in cloud-based VPNs. Victims continue to pay in ransomware attacks. A hacker gets seven years for conspiracy to defraud and identity theft. David Dufour from Webroot looks at the coming threat landscape. Our guest is Paul Shread from eSecurity Planet on backup tools for ransomware. And a Candy Corn shortage is averted.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/202

TA505’s recent activity. Advice on defending organizations from BlackMatter. CISA RFI seeks EDR information. REvil’s halting attempts to return. Sinclair’s incident response. Oct 19, 2021

A look at TA505, familiar yet adaptable. A US joint cybersecurity advisory outlines the BlackMatter threat to critical infrastructure. CISA asks industry for technical information on endpoint detection and response capabilities. Is REvil trying to run on reputation? The Sinclair Broadcasting ransomware incident seems to provide a case study in rapid disclosure. Carole Theriault considers the fight for online anonymity. Joe Carrigan shares steps to protect the C-Suite. And there’s a decryptor out for BlackByte.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/201

A US broadcaster sustains a ransomware attack. North Korean catphis expelled from Twitter. REvil’s Tor sites are hijacked. Hacking back. Prosecution and responsible disclosure? Oct 18, 2021

The Sinclair Broadcast Group discloses that it sustained a ransomware attack over the weekend. Twitter kicks out two North Korean catphish deployed in a cyberespionage campaign. REvil goes offline, again, perhaps this time for good. Hacking back, at least insofar as you let the hoods know you can see them. Rick Howard previews the newest season of CSO Perspectives. Johannes Ullrich from SANS on Expired Domain Dumpster Diving. And an update on the Missouri disclosure and proposed hacking prosecution.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/200

Ell Marquez: It's okay to be new. [Linux] [Career Notes] Oct 17, 2021

Linux and Security Advocate at Intezer Ell Marquez shares her journey from the family ranch to security. Needing a life change due to a bunch of circumstances that had occurred that left her almost homeless, Ell found out about a six week Linux boot camp that took her down the path toward technology. She fell in love security at at BSides Conference and hasn't looked back. Ell says she recently started a campaign called "it's okay to be new" noting that no matter how long you've been in the industry, you need to be new because technology changes so quickly. She concludes by offering one final piece of advice to everybody is just "be unapologetically yourself." We thank Ell for sharing her story with us.

Groove Gang making a name for themselves. [Research Saturday] Oct 16, 2021

Guest Michael DeBolt, Chief Intelligence Officer from Intel471, joins Dave Bittner to discuss their work on "How Groove Gang is shaking up the Ransomware-as-a-Service market to empower affiliates." McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself.

The research can be found here:

How Groove Gang is shaking up the Ransomware-as-a-Service market to empower affiliates

CISA and its partners warn of threats to water and wastewater treatment facilities. The curious case of Missouri teachers’ Social Security Numbers. Oct 15, 2021

A CISA-issued Joint Advisory warns of threats and vulnerabilities at water and wastewater treatment facilities. CISA issues twenty-two other industrial control system advisories. Andrea Little Limbago from Interos on trends in the human element of security. Our guest is Gidi Cohen from Skybox with Vulnerability and Threat Trends. And the Governor of Missouri intends to prosecute the Saint Louis Post-Dispatch to the fullest extent of whatever the law turns out to be.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/199

Notes from the underground: data breach extortion and a criminal market shuts down. International cooperation against ransomware. Cyber risk and higher education. Oct 14, 2021

Data breach extortion seems to be an emerging criminal trend. Notes on a darknet market’s retirement. Verizon advises Visible users to look to their credentials. Windows users’ attention is drawn to seven potentially serious vulnerabilities (all patchable). The Necro botnet is installing Monero cryptojackers. Organizing an international response to ransomware. Carole Theriault shares thoughts on social engineering. Dinah Davis from Arctic Wolf on the supply chain attack framework. And a quick look at the state of cyber risk in higher education.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/198

Cyber Espionage, again. Patched SolarWinds yet? Patch Tuesday. The international conference on ransomware has begun. Booter customers get a warning. A disgruntled insider alters aircraft records. Oct 13, 2021

A Chinese-speaking APT is distributing the MysterySnail RAT in what appears to be a cyberespionage campaign. Some users still haven’t patched vulnerable SolarWinds instances. Notes on yesterday’s Patch Tuesday. The US-convened international ransomware conference kicked off today, and Russia wasn’t invited. Former users of a criminal booter service get a stern warning letter from the Dutch police. Caleb Barlow reacts to a recent ransomware tragedy. Our guest is Rob Gurzeev of CyCognito on the security issues with subsidiaries. And a Florida woman is charged with altering aircraft records.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/197

Espionage by password spraying, and espionage via peanut butter sandwich. Ransomware and DDoS warnings. Two journalists get the Nobel Peace Prize Oct 12, 2021

Teheran is running password spraying attacks (especially on Thursdays and Sundays). More on the renewed popularity of DDoS attacks. NCSC warns British businesses against ransomware. Two journalists win the Nobel Peace Prize. Joe Carrigan shares his thoughts on GriftHorse. Our guest is Bindu Sundaresan from AT&T Cybersecurity football season and cyber risks. And watch out for small data cards in your peanut butter sandwiches, kids.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/196

Extra: Let's talk about Facebook's research. [Caveat] Oct 11, 2021

Our guest is author and journalist Steven Levy. He’s editor-at-large at Wired and his most recent book is "Facebook: The Inside Story. Steven offers his insights on Facebook’s internal research teams, Ben shares a newly-decided court case on whether Big Tech companies can be sued under the Anti-Terrorism statute, and Dave's got the story of some warrantless surveillance being declared unconstitutional in Colorado.

While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.

Links to stories:

Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.

Brandon Karpf: A sailor of the 21st century. [Transitioning service member] [Career Notes] Oct 10, 2021

Lieutenant in the US Navy and Skillbridge Fellow at the CyberWire, Brandon Karpf, knew he wanted to join the military at a young age. He achieved that through the US Naval Academy where he was a member of the men's heavyweight rowing team. Commissioning into the cryptologic field as a naval cryptologic warfare officer, Brandon was sent to MIT for a graduate degree where he experienced the exact opposite end of the spectrum from USNA's structured life. Brandon's work with both NSA and US Cyber Command helped him gain experience and cyber operations skills. As he is transitions from active duty to civilian life, Brandon shares the difficulties that process brings about. Through Skillbridge Fellowship program, Brandon's transition has him sharing his skills with the CyberWire. We thank Brandon for sharing his skills and his story with us.

Taking a closer look at UNC1151. [Research Saturday] Oct 09, 2021

Matt Stafford, Senior Threat Intelligence Researcher, from Prevailion joins Dave to talk about their work on "Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond." Prevailion’s Adversarial Counterintelligence Team (PACT) used advanced infrastructure hunting techniques and Prevailion’s visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign. UNC1151 is likely a state-backed threat actor waging an ongoing and far-reaching influence campaign that has targeted numerous countries across Europe. Their operations typically display messaging in general alignment with the security interests of the Russian Federation; their hallmarks include anti-NATO messaging, intimate knowledge of regional culture and politics, and strategic influence operations (such as hack-and-leak operations used in conjunction with fabricated messaging and/or forged documents). PACT assesses with varying degrees of confidence that there are 81 additional, unreported domains clustered with the activity that FireEye and ThreatConnect detailed in their respective reports. PACT also assesses with High Confidence that UNC1151 has targeted additional European entities outside of the Baltics, Poland, Ukraine and Germany, for which no previous public reporting exists.

The research can be found here:

Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond

Fancy Bear’s snuffling at Gmail credentials. FIN12’s threat to healthcare, and BlackMatter’s threat to agriculture. REvil tries to reestablish itself in the underworld. Twitch update. Sachkov is charged. Oct 08, 2021

Google warns fourteen-thousand Gmail users that Fancy Bear has probably been after their passwords. FIN12, a fast-running ransomware group, is after hospitals’ and healthcare providers’ money. BlackMatter remains active against the agriculture sector. REvil is back and talking on the RAMP forum, but so far it’s getting a chilly reception. Twitch traces its vulnerability to a server misconfiguration. David Dufour from webroot wonders about cracking down on crypto. Our guest is Jeff Dileo of NCC on mastering container security. And Group-IB’s CEO is charged with treason.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/195

Espionage, mostly cyber but also physical. DDoS in the Philippines. TSA regulations for rail and airline cybersecurity are coming. US DoJ promises civil action for cyber failures. Twitch update. And NFTs. Oct 07, 2021

Cyberespionage seems undeterred by stern warnings. DDoS hits the Philippine Senate. The US Department of Homeland Security intends to issue cybersecurity regulations for passenger rail and airlines. The US Department of Justice intends to use the False Claims Act to bring civil actions against government contractors who fail to follow “recognized cybersecurity standards.” An update on the Twitch breach. Josh Ray from Accenture looks at what’s going on with Fancy Lazarus. Our guest is Sam Ingalls from eSecurity Planet on the state of Blockchain applications in cybersecurity. And what would it take to get you kids into a nice non-fungible token?

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/194

Twitch is breached. MalKamak: a newly described Iranian threat actor. Chinese cyberespionage against India. SafeMoon phishbait. The ransomware threat. What counts as compromise. Oct 06, 2021

Twitch is breached. A newly discovered Iranian threat group is described. A Chinese cyberespionage campaign in India proceeds by phishing. SafeMoon alt-coin is trendy phishbait in criminal circles. As the US prepares to convene an anti-ransomware conference, Russian gangs show no signs of slacking off. Betsy Carmelite from BAH on AI/ ML in cyber defensive operations. Our guest is Adam Flatley of Redacted with recommendations from the Ransomware Task Force. And observations on what counts as compromising material.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/193

Facebook’s back up, and the outage was due to an error, not an attack. A look at AvosLocker and Atom Silo ransomware. The case of the Kyiv ransomware gangsters. Thoughts on the Pandora Papers. Oct 05, 2021

Facebook restores service after dealing with an accidental BGP configuration issue. There’s now a data auction site for AvosLocker ransomware. Atom Silo ransomware is quiet, patient, and stealthy. The state of investigation into those two guys collared on a ransomware beef in Kyiv last week. Ben Yelin is skeptical of data privacy poll results. Our guest is Microsoft’s Ann Johnson, host of the newest show to join the CyberWire network, Afternoon Cyber Tea. And what would they have thought of the Pandora Papers in Deadwood, back in the day?

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/192

Privacy and the Pandora Papers. Flubot’s scare tactics. Exploiting an account recovery system. Conti warns victims not to talk to the press. An international meeting on cybercrime? A ransomware bust. Oct 04, 2021

The Pandora Papers leak erstwhile private financial transactions by the rich and well-connected (and it’s 150 mainstream news organizations who cooperated in bringing them to light). Flubot is using itself to scare victims into installing Flubot. Coinbase thieves exploited account recovery systems to obtain 2FA credentials. The US plans to convene an international conference on fighting cybercrime. Conti warns its victims not to talk to reporters. Andrea Little Limbago from Interos on modeling cyber risk. Carole Theriault has thoughts on facial recognition software. And a ransomware bust in Ukraine leads us to ask, why Capri Sun. (Think about it, kids.)

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/191

Pattie Dillon: Take the leap. [Anti-fraud] [Career Notes] Oct 03, 2021

Product Manager in Anti-Fraud Solutions at SpyCloud, Pattie Dillon shares her journey from raising her family to specializing in the anti-fraud space. Upon reentering the workforce, Pattie worked on identity verification and developed a system with privacy concerns in mind. She moved to work in gift cards and was exposed to money laundering. Traveling along the fraud spectrum, Pattie learned about underground data and feels that this data can be leveraged to actually prevent and fight online fraud. Pattie believes if you don't try, you'll never know. We know we appreciate Pattie sharing her story with us.

Cloud configuration security: Breaking the endless cycle. [CyberWire-X] Oct 03, 2021

Moving to the cloud creates a tremendous opportunity to get security right and reduce the risk of data breach. But most cloud security initiatives get underway after services are deployed in the cloud. It’s frustrating when major breaches resulting from basic mistakes, like S3 buckets left unsecured or secrets exposed. Continually checking for risky configurations and unusual behavior in cloud logs is a requirement, but there is an opportunity to be proactive. What if you could configure your security and access controls as you set up cloud infrastructure? The CyberWire's Rick Howard speaks with Hash Table members Kevin Ford of North Dakota State government and Steve Winterfeld of Akamai, as well as sponsor Sysdig's Omer Azaria to discuss how security teams are adopting Infrastructure as Code (IaC) security as part of their overall cloud security strategy to reduce risk.

IoT security and the need for randomness. [Research Saturday] Oct 02, 2021

Dan Petro, Lead Researcher, and Allan Cecil, Security Consultant, from Bishop Fox join Dave to share their research "You're Doing IoT RNG," that they presented at DefCon 29. There’s a crack in the foundation of Internet of Things (IoT) security, one that affects 35 billion devices worldwide. Basically, every IoT device with a hardware random number generator (RNG) contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use. In order to perform most security-relevant operations, computers need to generate secrets via an RNG. These secrets then form the basis of cryptography, access controls, authentication, and more. The details of exactly how and why these secrets are generated varies for each use.

The research can be found here:

You're Doing IoT RNG

Phishing for those who fear Pegasus. ChamelGang APT active against multiple countries. Problems with a ransomware decryptor. Controversial proofs-of-concept. And a death blamed on ransomware. Oct 01, 2021

A malware campaign offers bogus protection against Pegasus surveillance. A new APT, ChamelGang, is found active against targets in at least ten countries. A ransomware gang can’t get its decryptor right. A proof-of-concept shows that charges can be made from a non-contact Visa card in an iPhone wallet. David Dufour from Webroot warns of potential perils in cyber insurance. Our guest is Shamla Naidoo from Netskope with advice for cyber innovators .And ransomware may be responsible for a child’s death in an Alabama hospital.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/190

GriftHorse’s premium service scams. Facebook open sources a static analysis tool. Update on the Group-IB affair. What the Familiar Four are up to. Counting ransomware strains. Sep 30, 2021

GriftHorse will subscribe afflicted Android users to premium services they never knew they’d signed up for (and wouldn’t want if they did). Facebook releases a static analysis tool it uses internally to check apps for security issues. Speculation about what put Group-IB’s CEO in hot water with the Kremlin. A look from NSA about where the major nation-state cyberthreats currently stand. Malek Ben Salem from Accenture has thoughts on quantum security. Our guest is author and Wired editor at large Steven Levy joins us with insights on Facebook’s internal research teams. And a short census of ransomware strains.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/189

DDoS is on an upward trend, and it’s being used for extortion. A payroll provider recovers from an unspecified cyberattack. Russia charges Group-IB CEO with treason. NSA, CISA, advise on using VPNs. Sep 29, 2021

Distributed denial-of-service attacks have been making a comeback, and many of them represent criminal extortion attempts. A major British payroll provider is recovering from a cyberattack, but it’s not providing much information on the nature of that attack. Russian authorities arrest the founder of Group-IB on treason charges. Johannes Ullrich from SANS on Out of Band Phishing Using SMS messages. Our UK correspondent Carole Theriault wonders how online trolling is still a thing. And NSA and CISA release guidelines on secure use of virtual private networks.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/188

Homecomings, happy and not so happy. A backdoor for espionage, a Trojan for cybercrime. DDoS techniques, those iPhone zero-days, and indictments. And one guilty plea. Sep 28, 2021

The triumphant homecoming of Huawei’s CFO. Microsoft describes the FoggyWeb backdoor, a significant cyberespionage tool. Kaspersky looks at the BloodyStealer Trojan and finds it especially risky to gamers. A novel approach to distributed denial-of-service. Apple looks into those iPhone zero-days. Joe Carrigan looks at the latest offerings in passwordless authentication. Our guest is Mathieu Gorge of VigiTrust on how law enforcement and executives can work together to fight cyber threats. And a look at doings in cybercrime: the US arrests more than thirty members of the Black Axe gang, a Russian convict is deported back to face Russian justice, and a blockchain maven pleads guilty to helping Pyongyang.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/187

The EU ask Russia to knock it off, and specifically to stop with the GhostWriter. Zoombombing in Cambodia. Conti is back; Colossus is a new entrant in the ransomware field. Meng returns to China. Sep 27, 2021

The EU publicly blames Russia for GhostWriter, and counsels Moscow to amend its ways. Finland’s security services warn of foreign cyberespionage and influence threats. Zoombombing at the highest levels in Cambodia. A ransomware operation, “Colossus,” is described. Conti is back, as predicted, and has hit a major European call center. Dinah Davis from Arctic Wolf on cybersecurity learning standards. Our guest is Otavio Freire from SafeGuard Cyber with insights on how to defend against nation-state actors and zero-day exploits. And Huawei’s CFO is back in China.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/186

Dave Bittner: From puppet shows to podcasts. [Media] [Career Notes] Sep 26, 2021

Host of the CyberWire Podcast, Dave Bittner, wanted to work with the Muppets, so naturally he landed in cybersecurity. Dave and his Cookie Monster puppet spent much of his childhood putting on shows for his parents friends. During one of those performances, he was discovered and got his start at the local PBS station. A radio, television and film major in college, Dave owned his own company and as the most tech-savvy member of the group, handled that side of things. Dave notes his cybersecurity challenges back then consisted of maybe a corrupt floppy disk. It wasn't until he joined the CyberWIre that cybersecurity became Dave's focus. A former boss showed him how to lead a team and treat everyone with kindness regardless of their role. We thank Dave for sharing his story with us.

Why it’s time for cybersecurity to go mainstream. [CyberWire-X] Sep 26, 2021

The commonly held, idealized picture of technology is that tech makes our lives easier, safer, and better in just about every respect. But an unintended consequence of that picture is an unjustified assumption that companies will sell more products if they serve the public interest, and that may not be so. On the consumer side, personal technology investments are often a race to the price bottom, with little attention paid to the security of the products we buy. Vendors may enjoy less scrutiny and accountability, but that's not necessarily in the consumers' interest. Good things almost always come when technology steps out of the shadows and into the light of the mainstream.

It’s time that happened in cybersecurity, where everyone, from suppliers to consumers, has a role to play. In this episode of CyberWire-X, knowledgeable representatives across that spectrum to learn what they have to say about risk, accountability, and, above all, transparency. Guest Dr. Georgianna Shea from the Foundation for Defense of Democracies shares her insights with the CyberWire's Rick Howard, and Sponsor Tanium's CISO for the Americas Chris Hallenbeck joins the CyberWire's Dave Bittner to discuss achievable steps the government, private sector, and the broader public can take to start moving the needle on cybersecurity.

Vulnerabilities in the public cloud. [Research Saturday] Sep 25, 2021

Guest Ariel Zelivansky, Senior Manager of Security Research at Palo Alto Networks, joins Dave to discuss Unit 42's work on the first cross-account container takeover in the public cloud. The Unit 42 Threat Intelligence team has identified the first known vulnerability that could enable one user of a public cloud service to break out of their environment and execute code on environments belonging to other users in the same public cloud service. This unprecedented cross-account takeover affected Microsoft's Azure Container-as-a-Service (CaaS) platform. Researchers named the finding Azurescape because the attack started from a container escape – a technique that enables privilege escalation out of container environments.

The research can be found here:

Note: Microsoft is a sponsor of the CyberWire, however, we cover them as we would any other company.

Cyberattacks against a Russian rocket shop and the Port of Houston. As ransomware gangs increase activity, the US considers defenses. Pegasus found in French Ministers’ phones. Meng heads home? Sep 24, 2021

Someone is phishing for Russian rocketeers. The Port of Houston discloses a cyberattack, which the Port says it deflected before it had operational consequences. Ransomware gangs are up and active, and the US is considering mandatory reporting by victims as a defensive policy. Pegasus spyware is said to have been found in the phones of five French government ministers. Johannes Ullrich from the SANS Technology Institute on Attackers Hunting for Environment Variables. Our guest is Graeme Bunton of DNS Abuse Institute. And Huawei’s Meng Wanzhou may soon be headed home from Vancouver.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/185

Ransomware hits another US farm co-op, as Russan gangs seem to continue attacks without interference from Moscow. A new APT is described. REvil was cheating? CISA warns about Conti. Sep 23, 2021

Ransomware hits a second US Midwestern farm co-op. The US House hears from the FBI that Russia seems not to have modified its toleration of privateering gangs (at least yet). A new APT, “FamousSparrow,” is described. REvil seems to have been--surprise!--cheating its criminal affiliates. Josh Ray from Accenture with an update on the Hades Threat Group. Our guest is Tim Eades of vArmour on the urgent need to update cyber strategies in healthcare. CISA issues a new warning, this one on the Conti ransomware operation.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/184

Ransomware is rising, and governments try to evolve an effective response. A look at the cyber underworld. Snooping smartphones. An advance fee scam is criminal business as usual. Sep 22, 2021

BlackMatter continues to make a nuisance of itself on a large scale. The US is woofing about taking action against ransomware, and Treasury has sanctioned a rogue cryptocurrency exchange, but some advocate stronger measures. Where did all those Ukrainian cybercriminal chat platforms go? A warning of the “censor mode” in some Chinese manufactured smartphones. Caleb Barlow shares thoughts on CMMC certification. Our guest is Kevin Jones of Virsec with reactions to the White House Cybersecurity Summit. And, hey, no, really, Apple is not celebrating the iPhone 13 by giving away a stash of Bitcoin.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/183

BlackMatter hits an Iowa agricultural cooperative. US Treasury Department moves against ransomware’s support system. FBI gave Kaseya the REvil decryptor. Camorra cybercriminals arrested. Sep 21, 2021

Ransomware hits an Iowa agricultural cooperative, which doesn’t meet, the criminals say, the standard for “critical infrastructure.” US Treasury Department announces steps against ransomware’s economic support system. Did Kaseya get its REvil decryptor from the FBI? Ben Yelin describes a major federal court victory for security researchers. Our guest is Dave Stapleton from CyberGRX on the rise of extortionware. And Europol, along with Spanish and Italian police, take down a Camorra cybercrime ring.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/182

Electioneering, domestic, but with international implications. The Mirai botnet is exploiting OMIGOD. Container shipper sustains data breach. Odd ads. Phishing with Mr. Musk’s name. Sep 20, 2021

Cyber electioneering, in Hungary and Russia, the latter with some international implications. The Mirai botnet is exploiting the OMIGOD vulnerability. A shipping company deals with data extortion. Government websites have been serving up some oddly adult-themed ads. Malek Ben Salem from Accenture has thoughts on quantum security in the automotive industry. Our guest is Padraic O'Reilly of CyberSaint to discuss concerns about the Defense Industrial Base. And no, there’s no such thing as the Elon Musk Mutual Aid Society.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/181

Limor Kessem: Be an upstander. [Security Advisor] [Career Notes] Sep 19, 2021

Executive Security Advisor at IBM Security Limor Kessem says she started her cybersecurity career by pure chance. Limor made a change from her childhood dream of being a doctor and came into cybersecurity with her passion, investment, discipline, and perseverance. Limor talks about how we must tighten our core security and at the same time we allow innovation to help us move forward with the times. She's been fortunate to have been able to stand up for others and has had others support her. She said that is very motivating and has allowed her to really explore every possible thing in her career that she can contribute without limiting herself to a certain role. We thank Limor for sharing her story with us.

An IoT educational exercise reveals a far-reaching vulnerability. [Research Saturday] Sep 18, 2021

Guest Jake Valletta, Director of Professional Services at Mandiant, joins Dave to talk about the critical vulnerability Mandiant disclosed that affects millions of IoT devices. Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency (“CISA”) that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices.

The research can be found here:

Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices

Patch that password manager. The hidden hand of the troll farm. Election meddling. Coin-mining’s costs, and a crackdown in China. If you really loved me, you’d speculate in Dogecoin....or something. Sep 17, 2021

Patch your Zoho software now--vulnerable instances are being actively exploited. Maximum engagement isn’t necessarily good engagement: the hidden hand of the trolls replaces the invisible hand of the marketplace of ideas. Politics ain’t beanbag, Russian edition. An indictment emerges from the US investigation into possible misconduct during the 2016 elections. The costs of coin-mining. Josh Ray from Accenture on protecting critical infrastructure. Our guest is Tony Pepper from Egress with a look at Insider Data Breaches. And don’t mix investment advice with matters of the heart.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/180

A CSO's 9/11 Story: CSO Perspectives Bonus. Sep 17, 2021

For the 20th anniversary of 9/11, Rick Howard, the Cyberwire’s CSO, Chief Analyst, and Senior Fellow, recounts his experience from inside the Pentagon running the communications systems for the Army Operations Center.

Election-season cyber incidents in Germany. South Africa works to recover from a ransomware attack on government networks. Cryptojacking botnet moves to Windows targets. Ransomware notes. Sep 16, 2021

Denial-of-service at a German election agency, as Federal prosecutors investigate GhostWriter. More nation-states get into election meddling. South Africa works to recover from a ransomware attack against government networks. A cryptojacking botnet moves from Linux to Windows. A ransomware gang threatens to burn your data if you bring in third-party help. Ransomware cyberinsurance claims rise. Rick Howard checks in with Tom Ayres from Lead Up Strategies on Cyber Piracy. Caleb Barlow shares insights on CMMC. And it’s a really good week to patch.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/179

No crackdown on ransomware from Moscow (at least so far). Cyber Partisans in Belarus. A long-running Chinese cyber campaign. Phishing and other cybercrime. Mercenaries. Sep 15, 2021

That Russian crackdown on ransomware gangs people thought they were seeing? Hasn’t happened, at least according to the FBI. The Cyber Partisans take a virtual whack at President Lukashenka’s government in Belarus. Operation Harvest is complicated and long-running. Phishing with a promise of infrastructure funding. The criminal market for bogus vaccine cards. Johannes Ullrich from SANS on dealing with image uploads - vulnerabilities in conversion libraries. Our UK correspondent Carole Theriault on Deepfakes - what you need to know now. And a deferred prosecution agreement in a “cyber mercenary” case.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/178

NSO Group’s Pegasus was installed in a zero-click exploit: iOS users should patch. Vermillion Strike hits Linux systems. Enforcing the law against cybercrime. Sep 14, 2021

Citizen Lab finds, and Apple patches, a zero-day used for zero-click installation of Pegasus spyware. A Cobalt Strike beacon has been turned to cyberespionage use against Linux targets. The Russian government could, it seems, take action against cybercrime, but its will-to-enforcement seems to be inconsistent. Ben Yelin from UMD CHHS with more on Apple's CSAM controversy, our guest is Mel Shakir from Dreamit Ventures on selling to CISOs, and their customer sprints. REvil makes nice with grumpy affiliates. And criminals’ commitment to the common good seems weak. That’s not a surprise, is it?

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/177

The continuing problem of Meris and its bot-driven DDoS. Mustang Panda visits Indonesia. DPRK’s social media battlespace prep. Al Qaeda marks 9/11’s anniversary. And REvil seems to be back. Sep 13, 2021

The Meris botnet continues to disrupt New Zealand banks, and has turned up elsewhere, too. Mustang Panda compromised Indonesian government networks. North Korean operators are using social media to soften up their prospective targets. Al Qaeda sympathizers marked the twentieth anniversary of 9/11 by calling for--what else?--more 9/11s. Malek Ben Salem from Accenture on deep unlearning, our own Rick Howard is in, talking about the latest episode of CSO Perspectives on adversary playbooks, and REvil seems to be back in business after taking what some of its hoods call “a break.”

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/176

Joe Bradley: A bit of a winding road. [Chief Scientist] [Career Notes] Sep 12, 2021

Chief Scientist at LivePerson Joe Bradley takes us down his circuitous career journey that led him back to math. Joe had many ambitions from opera singer to middle school teacher, spent some time at two national labs and went back to his first love of math and physics. He notes that many of the most mathematically intuitive people that he's met are people that also have a creative outlet and a lot of times it's music. Adding a business aspect to his technical work, Joe came to his current position. He recommends going deep into your preferred subject and hopes that it helps you to become something different because of all you put into the work. We thank Joe for sharing his story with us.

A Google Chrome update that just didn't feel right. [Research Saturday] Sep 11, 2021

Guest Jon Hencinski from Expel joins Dave Bittner to discuss his team's recent work on "Expel SOC Stops Ransomware Attack Aimed at WordPress CMS via Drive-By Download Disguised as Google Chrome Update."

In July, 2021, Expel's SOC stopped a ransomware attack at a large software and staffing company. The attackers compromised the company’s WordPress CMS and used the SocGholish framework to trigger a drive-by download of a Remote Access Tool (RAT) disguised as a Google Chrome update.

In total, four hosts downloaded a malicious Zipped JScript file that was configured to deploy a RAT, but we were able to stop the attack before ransomware deployment and help the organization remediate its WordPress CMS. Jons walk us through what happened, how they caught it, and provide recommendations on how to secure your WordPress CMS.

The research can be found here:

Expel SOC Stops Ransomware Attack Aimed at WordPress CMS via Drive-By Download Disguised as Google Chrome Update

Investigations--the SEC looks into Solarigate, German prosecutors inquire into GhostWriter. The Meris botnet is responsible for recent DDoS attacks. Implausible deniability. The SINET 16 are announced. Sep 10, 2021

The SEC’s inquiry into the SolarWinds incident may expose other, unrelated data breaches. Researchers identify an IoT botnet, Meris, as responsible for DDoS attacks against a number of banks. German prosecutors have opened an investigation into the GhostWriter campaign. Researchers look at the cozy, implausibly deniable relationship between Russia’s security services and cyber gangs. A money-launderer gets eleven years. David Dufour from Webroot has straight talk about paying the ransom. Our guest is Jeff Williams from Contrast Security with a look at AppSec Observability. Congratulations to the SINET 16 winners. And we remember 9/11: has it already been twenty years?

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/175

Credential theft at the UN? Intelligence services and privateers. DDoS hits a big multinational. A look at AlphaBay 2.0. Notes on the C2C marketplace. Sep 09, 2021

A cyberattack is reported at the UN, with agency data apparently lost to parties and parts unknown. The Bears are quieter, but the privateers are up and at ‘em. DDoS hits Yandex. Cyberespionage using the SideWalk backdoor. TeamTNT is getting tougher to detect. A SWOT analysis of the newly reconstituted AlphaBay contraband market. The Groove Gang is a new age criminal affiliate program. Caleb Barlow describes attackers leveraging US and European infrastructure to hide in plain sight. Our guest is Brad Thies of BARR Advisory on what the next 5 years may have in store for cloud security. And irritate your online chums for just 50 bucks a pop.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/174

BladeHawk Android cyberespionage campaign in progress. Labor Day was quiet, but the gangs are now back at it. REvil’s remnant stirs. Bulletproof hosting. Phishing keywords. Sep 08, 2021

BladeHawk cyberespionage campaign in progress. Microsoft warns of targeted attacks in progress. Hey--the hoods took a breather over Labor Day, but the straw hats are off now, and they’re back at work. Someone is rummaging in REvil’s unquiet grave. Bulletproof hosting services and the criminal marketplace. Mike Benjamin from Black Lotus Labs on ReverseRAT 2.0. Rick Howard checks in with Philip Reiner from the Ransomware Taskforce. And does a New Urgent Message Require Action? Maybe not.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/173

A threat from Ragnar Locker. GhostWriter in the Bundestag. BKA bought Pegasus. Taliban sifts data for potential opponents. France-Visas hacked. Modified apps. Privacy notes. A TrickBot arrest. Sep 07, 2021

No spectacular flurry of Labor Day ransomware, but Ragnar Locker threatens its victims. Berlin complains to Moscow about GhostWriter. Another Pegasus customer is disclosed. The Taliban is searching for data on potential domestic opponents. France-Visas hacked. Modified apps in circulation. Joe Carrigan unpacks a Covid based phishing scam. Carole Theriault weighs in on the ransomware pay-or-do-not-pay discussion. ProtonMail answers a warrant, Apple delays CSAM screening, and an alleged TrickBot coder is arrested.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/172

Security operations centers: a first principle idea. [CSO Perspectives] Sep 06, 2021

The idea of operations centers has been around as far back as 5,000 B.C. This show covers the history of how we got from general purpose operations centers to the security operations centers today, the limitations of those centers, and what we need to do as a community make them more useful in our infosec program.

Natali Tshuva: Impacting critical industries. [CEO] [Career Notes] Sep 05, 2021

CEO and co-founder of Sternum, Natali Tshuva shares how she took her interest in science and technology and made a career and company out of it. Beginning her computer science undergraduate degree at age 14 through a special program in Israel, Natali says it opened up a new world for her. Her required service in the IDF found Natali as a member of Unit 8200, the Israeli intelligence. In the Israeli corporate space following the IDF, Natali discovered how cybersecurity could actually create impact in the real world environment and found a way to combine her cybersecurity expertise with the passion to impact critical industries like the medical industry. Natali recommends that those entering the field get some hands-on experience and use your unique strengths to find a way to make the world a better place. We thank Natali for sharing her story.

Like a computer network but for physical objects. [Research Saturday] Sep 04, 2021

Guest Ben Seri, Armis' VP of Research, joins Dave to talk about a set of remote code execution (RCE) vulnerabilities in the pneumatic tube system of Swisslog. Nine vulnerabilities in critical infrastructure used by 80% of major hospitals in North America.

Swisslog’s Translogic Pneumatic Tube System (PTS), a solution that plays a crucial role in patient care, found vulnerable to devastating attack. Dubbed PwnedPiper, the vulnerabilities allow for complete take over of the Translogic Nexus Control Panel, which powers all current models of Translogic PTS stations. Older IP-connected Translogic stations are also impacted, but are no longer supported by Swisslog.

The research can be found here:

PwnedPiper

Watch out for cybercrime over holidays (like Labor Day). Ransomware warning for the food and agriculture sector. Gift card and loyalty program fraud. NIST draft IoT guidelines out for comment. Sep 03, 2021

Uncle Sam recommends cyber vigilance during your kinetic relaxation this Labor Day weekend. The ransomware threat to food and agriculture. “Low and slow” fraud from compromised email in-boxes. Israel promises an investigation of cyber export controls. Josh Ray from Accenture Security on giving back to the community and the Jenkins Attack Framework for red teaming. Our guest is Andy Ellis on the transparency in cybersecurity initiative. And NIST has draft consumer IoT guidelines out for comment.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/171

LockBit updates. The BrakTooth bugs infesting Bluetooth. Malicious cable proof-of-concept. EU fines WhatsApp over GDPR issues. Insider threats. Action against an alleged stalkerware vendor. Sep 02, 2021

The LockBit gang jumps the gun, and crows a bit higher than the facts seem to warrant. Ghostwriter seems to ride a much bigger infrastructure than previously believed. BrakTooth bugs afflict “billions” of Bluetooth devices. OMG cables include a keylogger that phones home. The EU fines WhatsApp over GDPR violations. Insider threats can be difficult to recognize. David Dufour from Webroot thinks it’s great that you haven’t been breached...yet. Our guest is Mark Nunnikhoven from Lacework with results from their Cloud Threat Report. And an alleged stalkerware vendor is sanctioned by the US Federal Trade Commission.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/170

A look at cyber gangland. Sino-Australian tension in cyberspace. Vulnerabilities reported (and disputed) in a home security system. Labor Day warnings. Sep 01, 2021

Ransomware continues to hold pride-of-place in cybercrime. A look inside the mind of cyber gangland, or at least that portion of their mind they’re willing to expose. Business email compromise operators look for communication skills, and the underworld seems to think university students make good money mules. Reports of vulnerabilities in a home security system. When Canberra angered Beijing. Caleb Barlow has thoughts on the FBI response to MS Exchange vulnerabilities. Our guest’s are Peter Singer and Lisa Guernsey on New America's Teaching Cyber Citizenship initiative. And CISA and the FBI advise being alert over Labor Day.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/169

Dangers of data collected in Afghanistan. Another cryptocurrency theft. Hardware backdoors? LockBit dumps airline’s data. CISA opens registration for the President’s Cup. Too much gaming, kids. Aug 31, 2021

Possible consequences of the Taliban’s seizure of Afghanistan’s APPS data. Another DeFi platform sustains a cryptocurrency theft. How would one handle a hardware backdoor? LockBit begins dumping data stolen from Bangkok Airways. Registration for CISA’s President’s Cup is now open. Joe Carrigan describes the superiority of AI generated phishing emails. Rick Howard speaks with Art Poghosyan from Britive on Software Defined Perimeters. And China moves to keep minors from wasting too much time in online gaming.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/168

Data breaches and ransomware. Another gang says it’s retiring. New warrants against cybercrime in Australia. Roles and missions in the US. Hoosier data? Aug 30, 2021

Data breach and ransomware affect an airline’s customers. The Phorpiex botnet operators say they’re going out of business, and everything must go. New warrants for the Australian Federal Police in cybercrime cases. US Federal cybersecurity roles and responsibilities. Rick Howard takes on adversary playbooks. Josh Ray from Accenture Security on The Biden Administration's cybersecurity executive order, what it means for product security. And Indiana warns of a COVID-19 contact tracking database exposure.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/167

Rich Hale: Understanding the data. [CTO] [Career Notes] Aug 29, 2021

Chief Technology Officer of ActiveNav Rich Hale takes us through his career aspirations of board game designer (one he has yet to realize), through his experience with the Royal Air Force to the commercial sector where his firm works to secure dark data. During his time in the Air Force, Rich was fortunate to serve on a wide range of different platforms from training aircraft to bombers, and all the way into procurement and policy. Transitioning to the commercial sector, Rich notes he was well prepared for some aspects, but lacking in some he's made up on his own. Rich likes to lead with vision and empower his teams. He counsels that you should not fear making a career change, but be sure to look twice before making the leap. We thank Rich for sharing his story with us.

Joker malware family: not a joke for Google Play. [Research Saturday] Aug 28, 2021

Guest Deepen Desai, Zscaler's Chief Information Security Officer and VP Security Research & Operations, joins Dave to discuss their ThreatLabz team's research "Joker Joking in Google Play: Joker malware targets Google Play store with new tactics." Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services.

Zscaler’s ThreatLabz research team has been constantly monitoring the Joker malware. Recently, they observed regular uploads of it onto the Google Play store. ThreatLabz notified the Google Android Security team, who have taken prompt action to remove the suspicious apps from the Google Play store.

This prompted them to evaluate how Joker is so successful at getting around the Google Play vetting process. The team saw 11 different samples regularly uploaded to Google Play recently clocking 30k installs.

The research can be found here:

Joker Joking in Google Play: Joker malware targets Google Play store with new tactics

The T-Mobile hacker speaks (we think). SparklingGoblin enters the cyberespionage ring. Is someone stealing data to train AI? Cellebrite’s availability. Ragnarok ransomware says it’s going out of business. Aug 27, 2021

A young man claiming responsibility for the T-Mobile breach talks to the Wall Street Journal. A new cyberespionage group, “SparklingGoblin,” seems particularly interested in educational institutions, especially in Southeast and East Asia. Are governments training AI with stolen data? Mitigations for Microsoft issues. Cellebrite tools may still be available to Chinese police. Kevin Magee from Microsoft wonders if leaders have over pivoted toward technical skill. Our guest is Bill Wright of Splunk on the ongoing geopolitical ransomware trend. And another ransomware gang says it’s going out of business...we’ll wait and see.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/166

A quick look back at yesterday’s White House industry meeting. Revolution, coup, or a bit of both? Storytelling for security. Lessons from Olympic scams. Notes from the underworld. Aug 26, 2021

Outcomes from the White House industry cybersecurity summit: standards, training, zero-trust, and multifactor authentication. The Cyber Partisans aim at the overthrow of Lukashenka’s rule in Minsk. A role for storytelling in security. Scams, sports, and streaming. Speculation about the ShinyHunters’ next moves. Verizon’s Chris Novak on Reducing false positives in threat intelligence. Bentsi Ben Atar from Sepio Systems on the risks of hardware-based attacks, internal abusers, corporate espionage, and Wi-Fi. And cybercriminals like their VPNs, too.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/165

Hacktivism in Belarus. The Taliban’s data grab. Four rising ransomware operations. The White House cybersecurity summit with industry leaders is in progress. Aug 25, 2021

Politically motivated hacktivism in Belarus. The Taliban’s data grab in Afghanistan. Four rising ransomware operations. Mike Benjamin from Black Lotus Labs on UDP reflectors. Our guest is Chris Grove of Nozomi Networks with insights on OT/IoT Security. And the White House says “concrete announcements” are expected after today’s meetings on cybersecurity with industry leaders, so we’ll be staying tuned.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/164

Apple CSAM: well-intentioned, slippery slope. [Caveat] Aug 25, 2021

Guest David Derigiotis, Corporate Senior Vice President at Burns & Wilcox, joins Dave and Ben for an in-depth discussion this episode. Departing from our usual format, we take a closer look at the implications of Apple’s recent announcements that they will be enabling scanning for Child Sexual Abuse Materials, CSAM, on iOS devices. We devote the entire episode to this topic and hope you will join us.

Apparent hacktivism exposes Iranian prison CCTV feeds. Misconfigured Power Apps expose data. FBI warns of the OnePercent Group. Mr. White Hat gives back. Dog bites man Aug 24, 2021

More hacktivism appears to have hit Iran. Misconfigured Power Apps portals expose data on millions. The FBI warns of the activities of a ransomware affiliate gang. Mr. White Hat really does seem to have given back all that stolen alt-coin. Ben Yelin checks in on Apple’s CSAM plans. Our guest is Charles DeBeck from IBM Security on the true cost Cost of a Data Breach. And, finally, dog bites man: criminals cheat other criminals.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/163

Notes on the fall of Afghanistan, with its cyber and kinetic implications. US State Department hack reported. ShinyHunters resurface. Further incentive to patch Microsoft Exchange Server. Aug 23, 2021

The Taliban consolidates control over Afghanistan, and it’s doing so online as well as on the ground. Reports say the US State Department has come under cyberattack; State says that any such incident was without significant effect. The ShinyHunters say they’ve obtained a great deal of PII from AT&T, but AT&T says that, whatever the crooks have, it didn’t come from AT&T. Rick Howard on orchestration. Carole Theriault on women in cybersecurity - are thing getting any better? And exploitation gives organizations even more incentive to patch Microsoft Exchange server instances.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/162

From board advisor to board member: evolution of the modern CISO. [CyberWire-X] Aug 22, 2021

The recent frequency of ransomware attacks and heightened visibility of supply chain risks has garnered the attention of executive teams and boards of directors for companies of all sizes, across all industries. For CISOs, these recent events have significantly amplified the importance of establishing and maintaining effective relationships and lines of communication with boards of directors. CISOs are now spending more time than ever engaging, reporting, and answering to boards regarding questions around where their organization is on the cyber risk spectrum. For CISOs, this heightened risk environment presents both a challenge and an opportunity.

In this episode of CyberWire-X, guest ret. Major General Zan Vautrinot and Sponsor JM Search's Jamey Cummings joins the CyberWire's Rick Howard to discuss how today’s CISOs are challenged to develop an ever-expanding skill set to effectively execute in their role while also satisfying concerns and areas of interest of their board of directors. Jamey will also discuss how the evolving role of the CISO is unlocking opportunities for CISOs to elevate their stature, and can open the door for them to serve in board roles as companies are increasingly prioritizing information security and technology risk management skills for their directors.

Jennifer Walsmith: Pioneering and defining possible. [Cyber Solutions] [Career Notes] Aug 22, 2021

Vice President for Cyber and Information Solutions within Mission Systems at Northrop Grumman, Jennifer Walsmith takes us on her pioneering career journey. Following in her father's footsteps at the National Security Agency, Jennifer began her career out of high school in computer systems analysis. Jennifer notes she saw the value of a college degree and at her parents' urging attended night school. She completed her bachelors in computer science at University of Maryland, Baltimore County with the support of the NSA. Jennifer talks about the support of her team at NSA where she was one of the first women to have a career and a family, raising two children while working. Upon retirement from government service, Jennifer chose an organization with values that closely matched her own and uses her position to help her team define possible where they sometimes think they can't. We thank Jennifer for sharing her story with us.

Exploring vulnerabilities of off-the-shelf software. [Research Saturday] Aug 21, 2021

Guest Tomislav Peričin, Reversing Labs' Chief Software Architect and Co-Founder, joins Dave to discuss his team's research that addresses the importance of validating third-party software components as a way to manage the risks that they can introduce. Developing software solutions is a complex task requiring a lot of time and resources. In order to accelerate time to market and reduce the cost, software developers create smaller pieces of functional code which can be reused across many projects. The concept of code reuse is one of the cornerstones of modern software engineering and it is universally accepted that everybody should strive towards it. However, in addition to the positives, organizations need to be aware of the security risks introduced by such third-party components.

The growing number of cyber incidents that target the software supply chain are focused on high-value target compromises. With the latest surge and public uproar, the US President Biden has issued the Executive Order on Improving the Nation’s Cybersecurity in order to create an institutional framework addressing these kinds of security risks.

The research can be found here:

Third-party code comes with some baggage

Warm wallet pilferage. Advice on reducing the ransomware risk. Regulatory action in the T-Mobile breach. China’s privacy law. FTC refiles monopoly complaint against Facebook. Better MICE traps? Aug 20, 2021

Pilferage reported from Liquid Global’s alt-coin warm wallets. CISA offers advice on reducing the risk of ransomware. The FCC is looking into the T-Mobile breach, and Moody’s raises questions about the telco’s risk management. China passes its own version of GDPR. The FTC refiles its monopoly complaint against Facebook. Caleb Barlow on 3rd Party Breach Notifications and finding out if your information is being traded on the dark web. Rick Howard speaks with hash table member Zan Vautrinot about serving on boards. And the FBI warns that insiders can be recruited for industrial espionage.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/161

T-Mobile outlines what it’s offering customers hit by its data breach. Taliban on good T&C behavior? Apple’s CSAM. OS bug may affect medical devices. A report on 2020’s US Census Bureau hack. Aug 19, 2021

T-Mobile describes what it intends to do for those who may have been affected by its big data breach. The Taliban is taking care not to get banned from social media. Apple defends its CSAM measures against a technical objection, but advocacy groups see a slippery policy slope. The US FDA warns of vulnerabilities in an OS used by medical devices. A report on a 2020 incident at the US Census Bureau. David Dufour shares a few surprises from Webroot’s 2021 Threat Report. Our guest is Brandon Hoffman from Intel 471 on cybercriminals creating turbulence for the transportation industry. And a Bitcoin tumbler cops a guilty plea.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/160

Taliban seizes HIIDE devices. T-Mobile customer data compromised. Ransomware attack against Brazil’s Treasury. Social engineering espionage. Ransomware vs. sewers. IoT bug disclosed. Aug 18, 2021

The Taliban now has, among other things, a lot of biometric devices. T-Mobile concludes that some customer data were compromised in last week’s incident. InkySquid’s in the watering hole. Brazil’s Treasury sustained, and says it contained, a ransomware attack. Siamese Kitten’s social engineering on behalf of Tehran. Sewage systems hacked in rural Maine. Josh Ray from Accenture Security on what nation state adversaries may have learned from observing the events surrounding Colonial pipeline. Our guest Manish Gupta from ShiftLeft looks at issues with the Software Bill of Materials. And an IoT vulnerability is disclosed, and mitigations are recommended.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/159

Consequence of the Taliban victory for influence operations and information security. Privateering gangs described. Data exposures, data compromises. Aug 17, 2021

Al Qaeda online sources cheer the Taliban’s ascendancy. The new rulers of Afghanistan are likely to have acquired a good deal of sensitive data along with political rule and a quantity of US-supplied military equipment. Terrorist watchlist data were found in an exposed server (now taken offline). Connections between gangland and Russian intelligence. T-Mobile was hacked, but it’s unclear what if any data were compromised. Joe Carrigan on FlyTrap Android Malware Compromising Thousands of Facebook Accounts. Our guest is Liam O’Murchu from Symantec on what keeps him up at night. And some personal information was exposed in the Colonial Pipeline incident.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/158

Possible consequences of Afghanistan’s fall to the Taliban. Non-state actors’ political motives. Poly Network rewards “Mr. White Hat.” C2C offering will check your alt-coin. Breach at T-Mobile? Aug 16, 2021

The Taliban has effectively taken control of Afghanistan, and the fall of Kabul is likely to have a quick, near-term effect on all forms of security. The Indra Group’s actions against Iranian interests suggest the potential of non-state, politically motivated actors. Crooks returned almost all the money rifled from DeFi provider Poly Network. A new C2C service tells hoods if their alt-coin is clean. DeepBlueMagic is a new strain of ransomware. Chris Novak of Verizon on advancing incident response. Rick Howard is taking on Orchestration in this week’s CSO Perspectives. And T-Mobile investigates claims of a data breach.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/157

Rick Howard: Give people resources. [CSO] [Career Notes] Aug 15, 2021

Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire, Rick Howard, shares his travels through the cybersecurity job space. The son of a gold miner who began his career out of West Point in the US Army, Rick worked his way up to being the Commander of the Army's Computer Emergency Response Team. Rick moved to the commercial sector working for Bruce Schneier running Counterpane's global SOC. Rick's first CSO job was for Palo Alto Networks where he was afforded the opportunity to create the Cybersecurity Canon Hall of Fame and the Cyber Threat Alliance. Upon considering retirement, Rick called up on the CyberWire to ask about doing a podcast and he was hired on to the team. Rick shares a proud moment through a favorite story. We thank Rick for sharing his story with us.

You can add new features, just secure the old stuff first. [Research Saturday] Aug 14, 2021

Guests Will Schroeder and Lee Christensen from SpecterOps join Dave to share the research they recently presented at Black Hat USA on the security of Microsoft's Active Directory Certificate Services.

Their abstract:

Microsoft’s Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has largely flown under the radar of both the offensive and defensive communities. AD CS is widely deployed, and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence. We present relevant background on certificates in Active Directory, detail the abuse of AD CS through certificate theft and active malicious enrollments for user and machine persistence, discuss a set of common misconfigurations that can result in domain escalation, and explain a method for stealing a Certificate Authority’s private key in order to forge new user/machine “golden” certificates. By bringing light to the security implications of AD CS, we hope to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system.

The blog post and white paper can be found here:

Cyberespionage follows South Asian conflict. LockBit’s $50 million demand. Insider risk. Trend Micro warns unpatched Apex is under attack. PrintNightmare persists. Google and Apple on privacy. Aug 13, 2021

ReverseRat is back and better, and it’s sniffing at Afghanistan. LockBit wants $50 million from Accenture. When employees leave, do they take your data with them? (Survey, or rather, telemetry, says yes.) Unpatched Apex One instances are under active attack. PrintNightmare continues to resist patching. Google bans SafeGraph. Apple explains what’s up with iCloud privacy. Caleb Barlow wonders if ransomware payments financing criminal infrastructure in Russia. Our guest is Oliver Rochford from Securonix on the notion of cyberwar. And the SynAck ransomware gang rebrands.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/156

More stolen alt-coin is returned. Accenture reports minimal effects in the alleged LockBit attack. Home routers attacked. Source code for sale? PrintNightmare exploited in the wild. Extradition cases. Aug 12, 2021

More stolen coin is returned in the case of the Poly Network cross-chain hack. Accenture says the incident it sustained had no significant effect, and the LockBit ransomware gang who claimed responsibility release some relatively anodyne files. Home routers are under attack. Crooks are offering what they claim to be Bkav source code for sale on Raidforums. Magniber weaponizes a PrintNightmare flaw. Dinah Davis from Arctic Wolf shares stats on the state of women in cyber. Our guest is Peter Voss of Aigo.ai on what’s missing in artificial intelligence. Two extradition cases proceed. And the Solarium Commission reports.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/155

A $600 million alt-coin heist. LockBit claims it hit Accenture. A false-flag cyberespionage campaign. A REvil key is posted. AlphaBay is back. Facebook takes down vaccine disinfo campaign. Aug 11, 2021

Cross-chain attack steals millions in cryptocurrency. LockBit claims to have hit Accenture, but Accenture says with negligible consequences. Emissary Panda flies a false Iranian flag. Ekranoplan posts a key for the REvil strain used against Kaseya. AlphaBay has risen from the grave, sort of. Johannes Ullrich has thoughts on resetting 2FA. Our guest is Idan Plotnik from Apiiro on their win of the 2021 RSAC Innovation Sandbox Contest. And you can’t fool us, you bought-and-paid-for influencers you: no vaccine is going to turn us into monkeys.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/154

A threat to release stolen proprietary data. The C2C market: division of labor and loss-leading marketing ploys. Misconfigured Salesforce Communities. Sanctions-induced headwinds for Huawei. Aug 10, 2021

RansomEXX threatens to release stolen proprietary data. Some looks at the C2C market, the criminal division of labor, and a splashy carder marketing ploy. Misconfigured Salesforce Communities expose organizational data. Our guest is Ron Brash from Verve International on a CISA advisory regarding GE ICS equipment. Ben Yelin on the proposed U.S. Bureau of Cyber Statistics. Huawei faces sanctions-induced headwinds. Mexico’s investigation of Pegasus abuse continues, but so far without arrests or resignations.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/153

Home router vulnerabilities exploited in the wild. ACSC warns of a LockBit spike in LockBit. Flytrap Android Trojan is out. SCADA recon. Child protection. Wiretaps and social media. Aug 09, 2021

Home router vulnerabilities exploited in the wild. ACSC warns of a spike in LockBit ransomware attacks. The Flytrap Android Trojan is still concealed in malicious apps. An unidentified threat actor has been prospecting SCADA systems in Southeast Asia. Rick Howard checks in with the Hash Table about Backups. Mike Benjamin from Lotus Labs on watering hole attacks. Apple’s new child protection measures attract skepticism from privacy hawks. Wiretaps extended to social media. And using three random words for your password.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/152

Alyssa Miller: We have to elevate others. [BISO] [Career Notes] Aug 08, 2021

Business Information Security Officer at S&P Global Ratings, Alyssa Miller, joins us to talk about her journey to become a champion to create a welcoming nature and acceptance of diversity in the cybersecurity community. Starting her first full-time tech position while still in college, Alyssa noted the culture shock being in both worlds. Entering as a programmer and then moving to pen testing where she got her start in security, Alyssa grew into a leader who is committed to elevating those around her. Some stumbling blocks along the way gave her pause and helped point her in her current role where Alyssa works to bring more diverse views to improve the problem-solving in the space, something she sees as a key to success for the industry. We thank Alyssa for sharing her story with us.

SideCopy malware campaigns expand and evolve. [Research Saturday] Aug 07, 2021

Guest Asheer Malhotra, Threat Researcher of Cisco Talos Intelligence Group, joins Dave to discuss his team's research "InSideCopy: How this APT continues to evolve its arsenal." Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT. We are calling this malware "CetaRAT." SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT.

Recent activity from the group, however, signals a boost in their development operations. Talos has discovered multiple new RAT families and plugins currently used in SideCopy infection chains.

Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections.

The research can be found here:

FTC warns of smishing targeting the unemployed. Initial access: buying it one way or another. Is the criminal gig economy vulnerable? Ransomware continues to hit healthcare. Aug 06, 2021

Smishing campaigns are seeking to exploit the unemployed. Initial access brokers seem not to have missed a beat, although some gangs are seeking to bypass them by trolling for rogue insiders. Are criminal enterprises vulnerable on the gig economy front? Criminal affiliates are disgruntled--good. Clearly, healthcare isn’t off the target list. Thomas Etheridge from CrowdStrike on eCrime Extortion. Chris Jacobs from ThreatQuotient joins us with a look back at BlackHat. Anup Gosh from Fidelis Cybersecurity, with insights on active defense.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/151

CISA’s new Joint Cyber Defense Collaborative. C2C market update: Prometheus TDS and Prophet Spider. And naiveté about a gang’s reform, or optimism over signs the gang is worried? Aug 05, 2021

CISA announces a new public-private cybersecurity initiative. Prometheus TDS and Prophet Spider take their places in the C2C market. The money points to BlackMatter being a rebranded DarkSide. Andrea Little Limbago from Interos on Divergent trends of federal data privacy laws and government surveillance. Tonia Dudley from CoFense checks in from the BlackHat show floor. Our guest is Simon Maple from Snyk with a look at Cloud Native Application Security. And where some see naiveté, others see cautious optimism about putting fear in the hearts of ransomware gangs.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/150

Espionage phishing in unfamiliar places. OT vulnerabilities. LemonDuck’s rising fortunes. Data exposure. Kubernetes advice from NSA and CISA. Meng Wanzhou’s extradition. Aug 04, 2021

APT31 casts its net into some waters that aren’t yet phished out. Vulnerabilities in the NicheStack TCP/IP stack are reported. LemonDuck may be outgrowing its beginnings as a cryptojacking botnet. A large marketing database is found exposed. NSA and CISA offer advice on securing Kubernetes clusters. Adam Darrah from ZeroFox checks in from the floor at BlackHat. Our guests are Nic Fillingham and Natalia Godyla from Microsoft’s Security Unlocked podcast. David Dufour from Webroot on the hidden costs of ransomware. And Huawei’s CFO returns to court as her extradition hearings enter their endgame.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/149

Apparent ransomware disrupts Italian vaccine scheduling system. Cyberespionage compromised Southeast Asian telcos. RAT and phishing in the wild. Cybercriminals explain themselves. Aug 03, 2021

An apparent ransomware attack hits Italy’s online vaccine-scheduling service. A Chinese cyberespionage campaign hits Southeast Asian telcos enroute to high-value targets. Some strategic context for Beijing’s espionage. FatalRAT is spreading by Telegram. Crafty phishing spoofs SharePoint. Joe Carrigan has thoughts on HP's latest Threat Insights Report. Our guest is Marc Gaffan of Hysolate who reveals the “Enterprise Security Paradox”. Plus, Conversations with BlackMatter, and a look at the inside of ransomware negotiations.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/148

SVR was reading the US Attorneys’ emails. Deliveries still lag as South African ports reopen. EA hackers dump game source code. Another look at criminal markets. And Mr. Hushpuppi cops a plea. Aug 02, 2021

SVR may have compromised twenty-seven US Attorneys’ offices. Ransomware disruptions of a physical supply chain continue as South African ports reopen. EA hackers give up, and dump the source code they stole. Double extortion may not be paying off. A look at initial access brokers. Operation Top Dog yields indictments in an international fraud case. Rick Howard tackles enterprise backup strategies. Kevin Magee from Microsoft with lessons learned hiring multiple team members during COVID. And a decryptor for Prometheus ransomware is released.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/147

Andrew Hammond: Understanding the plot. [Historian and Curator] [Career Notes] Aug 01, 2021

Historian and Curator at the International Spy Museum. Dr. Andrew Hammond, shares how he came to share the history of espionage and intelligence as a career. Starting out in the Royal Air Force when 9/11 happened, Andrew found himself trying to understand what was going on in the world. Studying history and international relations gave him some perspective and led him on his career path which included an introduction to museum industry at the 9/11 Museum. After a stint in academia in the UK, Andrew found his way back to the US and eventually ended up at the International Spy Museum in Washington, DC. He said one of the "greatest parts of the job being able to engage with the artifacts" and share their stories. We thank Andrew for sharing his story with us.

Behavioral transparency – the patterns within. [CyberWire-X] Aug 01, 2021

President Biden's Cyber Executive Order includes provision for a software bill of materials in government contracts. It's a critical and necessary first measure for protecting the software supply chain. To defend against cyber attacks like the ones that affected SolarWinds and Colonial Pipeline, organizations also need transparency about the way the software in their supply chain behaves–how, and with whom, that software engages in and outside of their networks.

In this episode of CyberWire-X, we explore how behavior transparency can give organizations an advantage by distinguishing between expected noise and indications of compromise..Guest and CyberWire Podcast Partner Caleb Barlow shares his insights with the CyberWire's Rick Howard, and Ben Higgins and Ted Driggs from sponsor ExtraHop offer their thoughts to the CyberWire's Dave Bittner.

China's influence grows through Digital Silk Road Initiative. [Research Saturday] Jul 31, 2021

Guest Charity Wright, Cyber Threat Intelligence Expert in Recorded Future's Insikt Group, joins Dave to discuss her research "China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road". Through the Digital Silk Road Initiative (DSR), announced in 2015, the People’s Republic of China (PRC) is building an expansive global data infrastructure and exporting surveillance technologies to dictators and illiberal regimes throughout the developing world, in some cases trading technology for access to sensitive user data and facial recognition intelligence. Domestically, China uses this type of technology to assert authority over its citizens, censor the media, quell protests, and systematically oppress religious minorities. Now, over 80 countries are enabled to do the same with Chinese surveillance technology.

The research can be found here:

China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road

Multiple Cozy Bear sightings (at least the bear tracks). Spyware in a Chinese employee benefits app. Phishing campaigns. DoppelPaymer rebrands. And ignore that bot--it hasn’t been watching you surf. Jul 30, 2021

Cozy Bear’s active command-and-control servers are found, and people conclude that Moscow’s not too worried about American retaliation after all. Spyware found in an app for companies doing business in China. What to make (and not make) of the Iranian documents Sky News received. Phishing with Crimean bait. HTML smuggling may be enjoying a moderate surge. DoppelPaymer rebrands. Andrea Little Limbago from Interos on growing the next-gen of cyber. Our guest is Jamil Jaffer from IronNet Cybersecurity protecting the BlackHat Network Operations Center. And good news--that blackmailing bot really doesn’t know what you did this summer.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/146

Public Wi-Fi advice from NSA. South African ports recover from ransomware. Iranian rail incident was a wiper attack. Developments in the criminal-to-criminal market. Intercept vendors under scrutiny. Jul 29, 2021

Advice on WiFi security from NSA. South African ports are recovering from their ransomware attack. The attack on Iranian railroads was a wiper, of unknown origin and uncertain purpose. Developments in the criminal-to-criminal market. Israel undertakes an investigation of NSO Group. Josh Ray from Accenture Security on the road back to the office. Our guest is Duncan Godfrey from Auth0 with insights on managing digital identities. And a bad password is revealed on an open mic during an Olympic broadcast.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/145

US ICS Cybersecurity Initiative formalized. Developments in the ransomware world. Addressing known vulnerabilities. Caucasus coinmining crackdown. A long-running IRGC catphishing campaign. Jul 28, 2021

US formally establishes its Industrial Control System Cybersecurity Initiative. Shooting wars in cyberspace. Developments in the ransomware criminal souks. This week’s iOS update may have closed the vulnerability exploited by NSO Group’s Pegasus intercept tool. The US, UK, and Australia issue a joint advisory on the most exploited vulnerabilities. Abkhazia’s crackdown on coinminers. Joe Carrigan looks at the Mespinoza ransomware gang. And meet Marcy Flores, the Robin Sage of Liverpool aerobics.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/144

South African ports invoke force majeure over cyberattack. Documents indicate Iranian interest in control systems attacks. Dark web wanted ads. Cyber diplomacy. Lousy cafeteria food? Jul 27, 2021

Transnet declares force majeure over cyberattack on South African port management. The IRGC apparently is Googling a bunch of stuff about gas stations and merchant ships. Kaseya’s denial of paying ransom has legs. Criminal coders like obscure languages. The AvosLocker gang is looking for pentesters, access brokers, and affiliates. The US and China hold “frank and open” conversations about, among other things, cyber tensions. Ben Yelin explains the tech implications of President Biden's recent executive order. Our guest is Eve Maler from ForgeRock on their 3rd annual Breach Report. And, hey NSA, what did you have for lunch today?

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/143

The source of Kaseya’s REvil key remains unknown. Cyber incident disrupts port operations at Cape Town and Durban. Updates on the Pegasus Project. And a guilty plea in a swatting case. Jul 26, 2021

Kaseya isn’t saying where it got its REvil decryptor. Transportation services disrupted at two major South African ports by an unspecified cyber incident. Another company is mentioned as an alleged source of abused intercept tools as the controversy over NSO Group’s Pegasus software continues. Johannes Ullrich from SANS on supply chains, development tools and insecure libraries. Our own Rick Howard looks at enterprise encryption. And a guilty plea gets a swatter five years: he got off easy.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/142

Is enhanced hardware security the answer to ransomware? [CyberWire-X] Jul 25, 2021

With the recent onslaught of ransomware attacks across healthcare institutions, critical infrastructure, and the public sector, it's clear that ransomware isn’t going anywhere. But given how common ransomware attacks have become, how is it that we've been unable to put a stop to them? Companies often overlook the role that hardware security plays in meeting this challenge, and that oversight has become a bad actor's dream. Michael Nordquist speaks about the recent surge in ransomware attacks, and how strong hardware security, combined with software securityandpersonnel security awareness, can be the answer to the industry’s prayers.

In this episode of CyberWire-X, guest Steve Winterfeld from Akamai shares his insights with the CyberWire's Rick Howard, and Michael Nordquist of sponsor Intel offers his thoughts to the CyberWire's Dave Bittner.

Ingrid Toppelberg: Knowing how to take risks will pay off. [Cybersecurity education] [Career Notes] Jul 25, 2021

Chief Product Officer at Cybint Solutions, Ingrid Toppelberg, shares her journey from consulting to bootcamp coach and cybersecurity education. As a young girl, Ingrid wanted to do everything from being a teacher to the head of the World Bank. After consulting for several years, Ingrid found cybersecurity. What she found fascinating about the cyber world is how important it is for absolutely everyone at all levels to know about cybersecurity. Ingrid also develops and conducts bootcamps to reskill displaced people into cybersecurity. Ingrid says to those interested in cyber, "just do it. We need different kinds of minds in cyber keeping us safe." We thank Ingrid for sharing her story with us.

Free malware with cracked software. [Research Saturday] Jul 24, 2021

Guest Christopher Budd, Senior Global Threat Communications Manager at Avast, joins Dave to talk about some research his team did when they looked into a Reddit report saying their Avast folder was empty and other reports like it. The team found a new malware they’re calling “Crackonosh” in part because of some possible indications that the malware author may be Czech. Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics.

The research can be found here:

Crackonosh: A New Malware Distributed in Cracked Software

Cyber threats to, and around, the Olympic Games. Kaseya got a decryptor, from somewhere…. NSO says it’s not responsible for Pegasus misuse. US cyber policy toward China. Fraud Family busted. Jul 23, 2021

The Olympics are underway, and the authorities are on the alert for cyberattacks. Kaseya has a decryptor for the REvil ransomware, but it hasn’t said how it got the key. NSO Group says it’s not responsible for customer misuse of its Pegasus intercept tool. US policy toward Chinese cyber activities shows continuity, with some diplomatic intensification, but hawks would like to see more action. Our guest Jack Williams from Hexagon joins Dave to discuss the promises and challenges of smart cities. Podcast partner Chris Novak of Verizon talks about advancing incident response. And Dutch police make arrests in their investigation of the Fraud Family.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/141

Extortion is the motive in the Saudi Aramco incident. Updates on the Pegasus Project. Chinese cyberespionage and Beijing’s tu quoque. FIN7 resurfaces, and a post-mortem on Egregor. Jul 22, 2021

It’s extortion after all at Saudi Aramco. Controversy and investigation over alleged misuse of NSO Group’s Pegasus intercept tool continues. Warning of Chinese espionage from ANSSI, and China’s denunciation of all this kind of “baseless slander.” Phishing in Milanote. FIN7 resurfaces after the conviction of some key members. Dinah Davis from Arctic Wolf on the importance of identity management. Our guest Jenn Donahue shares key strategies for mentoring and supporting female engineers, scientists, and leaders of the future. And IBM sifts through the ashes of a ransomware gang for a look at the business of crime.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/140

Historical threats to industrial control systems inform current security practices. Ransomware privateering and side-hustling. Updates on the Pegasus Project. Jul 21, 2021

CISA warns of threats to industrial control systems, profusely illustrated with examples from recent history. Ransomware can be operated either in the course of privateering or as an APT side hustle. Security firms outline new and evolving threats and vulnerabilities. Reaction continues to the Pegasus Project’s reports on intercept tools. Joe Carrigan unpacks recent Facebook revelations and allegations. Our guest is Dave Humphrey from Bain Capital on his tech investment bets and predictions. And do you know what “military grade” means? Neither do we, but we think we have an idea.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/139

APT side hustles and evidence of espionage. NSO replies to the Pegasus Project, and AWS removes NSO from its CloudFront CDM. Other data breaches and ransomware incidents. Jul 20, 2021

The US says China contracted with criminals to carry out cyberespionage campaigns. Norway says China was behind an attack on its parliamentary email system. China denounces accusations of cyberespionage as slander, and says it’s the real victim, because the CIA is the one stealing IP from China. AWS expels NSO Group from its CloudFront CDM. NSO denies it permits its intercept tools to be abused. Saudi Aramco sustains a data breach. Ben Yelin describes calls for bans on government use of facial recognition software. Our guest is Tom Kellermann from VMware on the potential cybersecurity threats facing the Olympic Games. And an MSP struggles with ransomware.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/138

Microsoft Exchange Server hacks officially attributed to China. Indictment in industrial espionage case. Entities List expands. Abuse of NSO Group’s Pegasus tool reported. Jul 19, 2021

Allied governments formally attribute exploitation of Microsoft Exchange Server to China’s Ministry of State Security. A US Federal indictment names four MSS officers in conjunction with another, long-running cyberespionage campaign. The US Department of Commerce adds six Russian organizations to the Entities List. The Pegasus Project outlines alleged abuse of NSO Group’s intercept tool. Thomas Etheridge from CrowdStrike on the importance of real-time response, continuous monitoring and remediation. Our guest is Neha Joshi from Accenture on solving the cybersecurity staffing gap and how to stand up a successful, diverse security team. And there’s hacktivism in Southeast Asia.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/137

Peter Baumann: Adding value to data. [CEO] [Career Notes] Jul 18, 2021

CEO of ActiveNav, Peter Baumann, takes us on his career journey from minor home electrical experiments to the business of data discovery. He began his career as an electrical engineer, but felt an entrepreneurial spirit was part of his makeup. Following his return to college to study business and finance, Peter talks about being set on the path to shine the light on the data to provide discovery capability. To those interested in the field, he suggests having a broad familiarity of different approaches. We thank Peter for sharing his story with us.

Enabling connectivity enables exposures. [Research Saturday] Jul 17, 2021

Guest Nathan Howe, Vice President of Emerging Technology at Zscaler, joins Dave to discuss his team's work, "2021 “Exposed” Report Reveals Corporate and Cloud Infrastructures More at Risk Than Ever From Expanded Attack Surfaces." The modern workforce has resulted in an increase of users, devices, and applications existing outside of controlled networks, including corporate networks, the business emphasis on the “network” has decreased and the reliance on the internet as the connective tissue for businesses has increased.

Zscaler analyzes the attack surface of 1,500 organizations and identifies trends affecting businesses of all sizes and industries, across all geographies. Key findings include:

The attack surface impact based on company size
The countries with the greatest attack surface
The industries that are most exposed

The research can be found here:

“Exposed”: The world’s first report to reveal how exposed corporate networks really are.

DDoS at Russia’s MoD. Facebook disrupts Iranian catphishing operation. An intercept tool vendor’s activities are exposed. No signs of the US softening on Huawei bans. Jul 16, 2021

Russia’s Ministry of Defense says its website sustained a distributed denial-of-service attack this morning. Facebook disrupts a complex Iranian catphishing operation aimed at military personnel and employees of defense and aerospace companies. Microsoft and Citizen Lab describe the recent operations of an Israeli intercept tool vendor. The US shows no signs of relenting on Huawei. Johannes Ullrich from the SANS technology institute has been Hunting Phishing Sites with Shodan. Our guest is Rick Van Galen from 1Password with insights from their Hiding in Plain Sight report. And there’s nothing new on the REvil front--the gang is as much in the wind as it was early this week.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/136

Luminous Moth or Mustang Panda, it’s the same bad actor (probably). Updates on other cyberespionage and ransomware campaigns. Rewards for tips on cyberattacks. Jul 15, 2021

A Chinese APT is active against targets in Myanmar and, especially, the Philippines. Cyberespionage campaigns suggest that there’s a thriving market for zero-days. MI5 warns against spying, disinformation, and radicalization. REvil continues to lie low (and the Kremlin hasn’t seen anything). CISA offers ransomware mitigation advice. Bogus Coinbase sites steal credentials. Ransomware attacks on old SonicWall products expected. Daniel Prince from Lancaster University looks at Getting into the industry, and whether a degree is worth it. Our guest is Kurtis Minder from GroupSense, tracking 3 divergent ransomware trends. And Rewards for Justice offers a million dollars for tips on cyberattacks.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/135

Patch notes. What’s happening with REvil remains unclear, but it would be rash to count the gang out. Jul 14, 2021

SolarWinds patches a zero-day exploited by a Chinese threat group. Patch Tuesday notes. What’s up with REvil: takedown, retirement, rebranding, or glitch? (Don’t bet against rebranding.) Joe Carrigan from JHU ISI on cell phone carriers sneaking us ads via SMS. Our guest is Nicko van Someren of Absolute Software with a look at endpoint risk. And bots like futbol.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/134

SolarWinds patches a zero-day. Trickbot is back. Bogus Twitter accounts, now suspended, were verified by the social medium. DarkSide hits Guess. Updates on REvil and Kaseya. Jul 13, 2021

SolarWinds addresses a zero-day that was exploited in the wild. A watering hole campaign lures users of online gaming sites. Inauthentic accounts (now suspended) get a blue check mark. Trickbot is back, with new capabilities. The DarkSide hits fashion retailer Guess. Malek Ben Salem from Accenture on Remediation of Vulnerabilities using AI. Our guest is Jeff Williams from Contrast Security with a look at Application Security in Financial Services. And some updates on Kaseya, its customers, and the current state of REvil.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/133

Kaseya and REvil--the state of recovery. President Biden calls President Putin to ask for action on ransomware. Cyber incident in Iran. Ukraine says its naval website was hacked. Tracking ransom. Jul 12, 2021

Kaseya has patched the VSA on-premises and SaaS versions affected by REvil ransomware. The US tries some straight talk about privateering with Russia, but with what effect remains to be seen. Russia’s autarkic Internet poses some challenges for international security. Iranian rail and government sites were hit with a cyber incident over the weekend. Ukraine says Russian threat actors defaced its Naval website. Carole Theriault looks at ethics in phishing simulations. Josh Ray from Accenture tracks real world incident response trends. And tracking just how much the ransomware gangs are taking in.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/132

APTs transitioning to the cloud. [CyberWire-X] Jul 11, 2021

Cloud attacks have become so widespread that the Department of Homeland Security (DHS) has warned against an increase of nation states, criminal groups and hacktivists targeting cloud-based enterprise resources.

APTs such as Pacha Group, Rocke Group and TeamTNT have been rapidly modifying their existing tools to target Linux servers in the cloud. Modifying their existing code to create new malware variants which are easily bypassing traditional security solutions. The solution? In order to detect and respond to these attacks security teams need visibility into what code is running on their systems.

In this episode of CyberWire-X, guest Jonas Walker from Fortinet shares his insights with the CyberWire's Rick Howard, and Ell Marquez of sponsor Intezer offers her thoughts to the CyberWire's Dave Bittner.

Taree Reardon: A voice for women in cyber. [Threat Analyst] [Career Notes] Jul 11, 2021

Senior Threat Analyst and Shift Lead for VMware Taree Reardon shares her journey to becoming leader for women in the cybersecurity field. A big gamer who has always been interested in hacking and forensics, Taree found her passion while learning about cybersecurity. She's dedicated to diversity and inclusion and found her footing on a team made up of 50% women. Taree spends her days tracking and blocking attacks and as a champion for women. Trusting yourself is top on her list of advice. We thank Taree for sharing her story.

Dealing illicit goods on encrypted chat apps. [Research Saturday] Jul 10, 2021

Guest Daniel Kats, Senior Principal Research Engineer at NortonLifeLock, joins Dave to discuss his team's work, "Encrypted Chat Apps Doubling as Illegal Marketplaces." Encrypted chat apps are gaining popularity worldwide due to their central premise of not sending user data to tech giants. Some popular examples include WhatsApp, Telegram and Signal. These apps have also been adopted by businesses to securely communicate directly to their users. Additionally, these apps have been instrumental to subverting authoritarian regimes.

However, NortonLifeLock found that encrypted chat apps are also being used by criminals to sell illegal goods. Because content moderation is, by design, nearly impossible on these apps, they allow for an easy vector for dealers of illicit goods to communicate directly to customers without fear of law enforcement involvement.

The research can be found here:

Encrypted Chat Apps Doubling as Illegal Marketplaces

Kaseya continues to work through its REvil days, as does the US Administration. In other news, there’s cyberespionage in Asia, the PrintNightmare fix, and Black Widow as phishbait. Jul 09, 2021

Kaseya continues to work through remediation of the VSA vulnerability exploited by REvil, with completion expected Sunday afternoon. And while REvil has made a nuisance of itself, this time they may not have seen a big payday, or at least not yet. The US is still considering its retaliatory and other options in the big ransomware case. China’s MSS is active against targets in Asia. Andrea Little Limbago from Interos looks at Government access to data analysis. Our guest is Leon Gilbert from Unisys with data from their Digital Workplace Insights report. And scammers are baiting their hooks with Black Widow lures.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/131

Cyber conflict sputters in Ukraine? Kaseya delays VSA patch, offers assistance to REvil’s victims. US mulls retaliation for privateering. PrintNightmare patch. Another extradition run at Julian Assange. Jul 08, 2021

Ukrainian government websites may have come under an unspecified cyberattack early this week. Kaseya delays its VSA patch until Sunday, and offers assistance to victims of VSA exploitation by REvil. The US continues to mull its response to Russia over REvil and Cozy Bear. A small electric utility’s business systems go offline after a ransomware attack. Microsoft continues to grapple with PrintNightmare. Caleb Barlow from CynergisTek on the changing Cyber Insurance landscape. Our guest is Kwame Yamgnane from Qwasar on how he seeks to inspire minority kids to code. And the US will try again to get Julian Assange extradited.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/130

Kaseya works on patching VSA as Washington mulls retaliation and Moscow says it has nothing to do with it. Microsoft patches PrintNightmare. The Lazarus Group is back. Jul 07, 2021

Kaseya continues to work on patching its VSA products. The US mulls retaliation for the Kaseya ransomware campaign, as well as for Cozy Bear’s attempt on the Republican National Committee and Fancy Bear’s brute-forcing efforts. (Russia denies any wrongdoing.) Current events phishbait. Microsoft patches PrintNightmare. Joe Carrigan looks at recent updates to Google’s Scorecards tool. Our guest Umesh Sachdev of Uniphore describes his entrepreneurial journey. And the Lazarus Group is back, phishing for defense workers.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/129

The Kaseya ransomware incident. Ransomware threats to industrial firms. Malicious Android apps stole Facebook credentials. The Tokyo Olympics and cyber risk. Jul 06, 2021

Updates on the Kaseya ransomware incident, as REvil strikes again. Concerns about other ransomware attacks against industrial targets rise. Google expels credential-stealing apps from the Play Store. Online gamers draw various threat actors. Carole Theriault examines the elements that could put you in the crosshairs for ransomware. Ben Yelin has an update on the Facebook antitrust case. And the Tokyo Olympic Games will be on alert for cyberattacks.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/128

Dwayne Price: Sharing information. [Project Management] [Career Notes] Jul 04, 2021

Senior technical project manager Dwayne Price takes us on his career journey from databases to project management. Always fascinated with technology and one who appreciates the aspects of the business side of a computer implementations, Dwayne attended UMBC for both his undergraduate and graduate degrees in information systems management. A strong Unix administration background prepared him to understand the relationship between Unix administration and database security. He recommends those interested in cybersecurity check out the NICE Framework as it speaks to all the various different types of roles in cybersecurity, Dwayne prides himself on his communication skills and openness. We thank Dwayne for sharing his story with us.

Malware in pirated Windows installation files. [Research Saturday] Jul 03, 2021

Guest Tom Roter from Minera Labs joins Dave to discuss his team research: "Rigging a Windows Installation." It is common knowledge that pirated software might contain malware, yet millions still put themselves and their devices at risk and download from dubious sources. It is even more surprising to see the popularity of torrented operating system installations, which are ranked at the top of most torrent tracker ranking lists. Today we will prove conventional wisdom right and show off a devious, yet clever attack chain employed by an infected Windows 10 image, frequently shared and downloaded by tens of thousands of users.

Over the last year, numerous malicious PowerShell events popped up in our telemetry. The events caught our attention because a payload was being downloaded into the “C:\Windows” directory, which is usually well guarded under NTFS permissions, this implies that the attacker had very high privilege on the compromised system.

The research can be found here:

Rigging a Windows installation

Mitigating PrintNightmare. New ransomware strains in circulation. Router firmware patched. Russia denies brute-forcing anyone. What the reinsurance rates tell us. Jul 02, 2021

Mitigations for the PrintNightmare vulnerability are suggested. Wizard Spider has a new strain of ransomware in its toolkit. A new RagnarLocker strain is in circulation. NETGEAR patches router firmware. Russia reacts to US and US reports of a GRU brute-forcing campaign: Moscow says it didn’t do it. Kevin Magee from Microsoft shares some of the tools he uses to keep himself and his team up to date. Our guest is Andrew Patel from F-Secure on how to prepare security teams for AI-powered malware. And a quick look at the true costs of cybercrime.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/127

Large-scale GRU brute-forcing campaign in progress. IndigoZebra in Afghanistan. A ransomware gang scorecard. A cyber most-wanted list. Are the phone lines open? Jul 01, 2021

US and British authorities warn of a large-scale GRU campaign aimed at brute-forcing its way into European and American organizations. Reports of a major cyberattack on German critical infrastructure appear very much exaggerated. IndigoZebra uses Dropbox in ministry-to-ministry deception aimed at the Afghan government. Currently active ransomware groups are profiled, and REvil is now going after Linux systems in addition to Windows machines. A cyber most-wanted, and priorities in a US Treasury campaign against money laundering. Malek Ben Salem looks at supply chain security. Our guest is Brandon Hoffman of Intel471 with insights on China’s data underground. And, hey, it’s Dmitri from Yurga, long-time listener, first-time caller.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/126

A look at some threats to ICS endpoints. EternalBlue remains a problem. US preparing attribution of the Microsoft Exchange Server hack. DoubleVPN seized. An arrest in the Gozi case. Jun 30, 2021

A report on threats to industrial control systems is out, and it focuses on ransomware, coinjacking, and legacy malware. EternalBlue remains a problem. The US is preparing a formal attribution in the case of the Microsoft Exchange Server campaign. An international police operation has taken down DoubleVPN, and the authorities seem pretty pleased with their work. Joe Carrigan examines vulnerabilities in systems from Dell. Our guest is Vikram Thakur from Symantec on Multi-Factor Authentication evasion. And the guy who allegedly provided the Gozi banking malware with its bulletproof hosting has been collared in Bogota.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/125

A look at the cybercriminal underground, its commodity tools, its rising gangs, how it recruits talent and affiliates, and even how it raises investments. Jun 29, 2021

Legitimate tools are abused as commodity initial access payloads. Hades ransomware is circulating in some new sectors. Criminal markets are sharing more features with legitimate markets, including advertising, recruiting, and even funding rounds. Cybercrime uses cryptocurrency, but the key to success may be location more than technology. Ben Yelin describes insurance companies collaborating on cyber breach data collection. Our guest is Michael Osborn from Moody's on a recent rash of cyber attacks hitting higher education. And Denmark’s central bank is reported to have been a victim of the SolarWinds compromise.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/124

Nobelium is back. A signed driver is gamer-focused malware. Idle hands. Third-party cloud risk. Bad practices. A net assessment of national cyber power. Jun 28, 2021

The SVR’s Nobelium appears to be back, this time with a less-than-fully successful cyberespionage campaign. The Netfilter driver is assessed as malware. Idle hands seem to make for more attacks against online gaming. Mercedes-Benz USA reports a data exposure incident. CISA starts to keep track of bad practices. The International Institute for Strategic Studies publishes a net assessment of national cyber power. Carole Theriault looks at the security implications of frictionless online commerce. Our guest is Clar Rosso from (ISC)2 with insights on Building Resilient Cybersecurity Teams. And Loki is a trickster, and his name is a lousy password.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/123

Introducing Security Unlocked: CISO Series with Bret Arsenault–Leading an Inclusive Workforce: Emma Smith, Vodafone Jun 27, 2021

There’s truth in the sentiment, “teamwork makes the dream work.” When team members don’t feel included or heard in their environment, they’re not going to do their best work, so it’s up to managers, supervisors, and even global security directors to foster a workplace and culture that doesn’t allow anyone to be silenced.

On this episode, Microsoft’s CISO, Bret Arsenault, sits with his friend and peer, Emma Smith, Director of Global Cybersecurity for Vodafone. Throughout the conversation, they discuss returning to in-person work after over a year of being remote and some of the inherent difficulties that come with the change, especially as they relate to inclusivity.

In This Episode You Will Learn:

How focusing on digital society, inclusion for all, and the planet allows for practical actions.
Why 5G is so important for a hybrid workforce.
Why Emma and Bret support eliminating passwords.

Some Questions We Ask:

How does Emma look at inclusion initiatives from an industry perspective?
What is ‘withstander’ training and why is it crucial for effective leadership?
What are Emma’s three points of wisdom for security practitioners?

Subscribe:

https://SecurityUnlockedCISOSeries.com

Resources:

Emma Smith’s LinkedIn.

https://www.linkedin.com/in/emma-smith-0388aa4b/

Brett Arsenault’s LinkedIn:

https://www.linkedin.com/in/bret-arsenault-97593b60/

Related:

Security Unlocked: The Microsoft Security Podcast

https://SecurityUnlockedPodcast.com

Security Unlocked: CISO Series with Bret Arsenault is produced by Microsoft and distributed as part of The CyberWire Network.

Maria Thompson-Saeb: Be flexible and make it happen. [Program Management] [Career Notes] Jun 27, 2021

Senior Program Manager for Governance, Risk and Compliance at Illumio, Maria Thompson-Saeb shares experiences that led to her career in cybersecurity. Interested in computers and not a fan of math, Maria opted for information systems management rather than computer science. She started her career as a government contractor. Once in the private sector, Maria moved into the Unix and Linux environments where she says "something that would totally change everything." She gained an interest in security and took it upon herself to train up and move into that realm. Maria notes it was not without roadblocks, but that being flexible helped her address those challenges and make her career in security happen. We thank Maria for sharing her story.

Exhibiting advanced APT-like behavior. [Research Saturday] Jun 26, 2021

Guest Yonatan Striem-Amit joins Dave to talk about Cybereason's research "Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities." The Cybereason Nocturnus Team responded to several incident response (IR) cases involving infections of the Prometei Botnet against companies in North America, observing that the attackers exploited recently published Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install malware. Yonatan shares his team's findings of the investigation of the attacks, including the initial foothold sequence of the attackers, the functionality of the different components of the malware, the threat actors’ origin and the bot’s infrastructure.

The research can be found here:

Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities

REvil is back. Misconfiguration with major effect. Mining Monero. Judgments against market-rigging hackers. A FIN7 operator is sentenced. Jun 25, 2021

REvil hits a Brazilian medical diagnostics company and a British fashion retailer. A misconfigured cloud database exposes millions of WordPress user records. A new cryptojacker is deploying XMrig to mine Monero. A judgment is issued against a hacker and one of the traders he worked with to trade securities on non-public information. Johannes Ullrich from SANS on server site request forgery and errors in validating IP addresses. Our guest is Tom Patterson from Unisys reacts to the DOJ launching a ransomware taskforce. A FIN7 operator is sentenced to seven years.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/122

Notes on current cyber criminal campaigns. Will Exercise Cyber Flag show the way toward an expedition to the virtual shores of a metaphorical Tripoli? Jun 24, 2021

The ChaChi Trojan is out, about, and interested in educational institutions. Bogus free subscription cancellations figure in a social engineering campaign designed to get the victims to download BazarLoader. Ursnif is automating fraudulent bank transfers with Cerberus Android malware. The US Senate invites the Department of Defense to think of ransomware as analogous to piracy, and Defense says it’s thinking along those lines. And rest in peace, John McAfee.

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/121

Cyberespionage, in Central Europe and South Asia. Iranian state media sites seized. Sale of inspection and tracing tools leads to an indictment in France. Cooperation, foreign and domestic. Jun 23, 2021

ReverseRat looks like a state-run espionage tool active in South and Central Asia. The US Justice Department seizes thirty-three sites run by media aligned with the Iranian government. Poland offers more clarity on a cyberespionage campaign it attributes to Russia. An intercept and inspection company’s executives are indicted for complicity with torture. NSA opens a Cybersecurity Collaboration Center for industry. Joe Carrigan examines Apple’s push to replace passwords. Our guest is Shehzad Merchant of Gigamon with a breakdown on security guidelines for hybrid cloud programs. And the FSB says it hopes for “reciprocity.”

For links to all of today's stories check out our CyberWire daily news briefing:

https://www.thecyberwire.com/newsletters/daily-briefing/10/120

Malicious Google ads lead to spoofed Signal and Telegram pages, and then on to malware. LV’s REvil roots. Vulnerable defense contractors. And bogus AIS position reports in the Black Sea. Jun 22, 2021

Malicious Google ads for Signal and Telegram are being used to lure the unwary into downloading an info-stealer. LV ransomware looks like repurposed REvil. A study of the US Defense Industrial Base finds that many smaller firms, particularly ones that specialize in research and development, are vulnerable to ransomware attacks. Rick Howard ponders how we categorize state sponsored cybercrime. Our guest is Sudheer Koneru from Zenoti on how data privacy impacts salons and spas. And it’s high noon in the Black Sea. Do you know where your warships are?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/119

South Korea’s nuclear research institute discloses cyberespionage incident. Norway attributes 2018 incident to China. Poland blames Russia for email hacking as NATO clarifies alliance cyber policy. Jun 21, 2021

The South Korean nuclear research organization sustained an apparent cyberespionage incident. Norway’s investigation of its 2018 breach of government networks concludes that China’s APT31 was behind it. Poland accuses Russia in a long-running email hacking case. Our guest is Mark Testoni from SAP NS2 on where the Justice Department should focus during its upcoming cyber review. Chris Novak of Verizon on financial vs. espionage breaches. NATO seeks to clarify its policies in cyberspace, including a recommitment to Article 5 and a revision of the Tallinn Manual.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/118

Avi Shua: Try to do things by yourself. [CEO] [Career Notes] Jun 20, 2021

CEO and co-founder of Orca Security Avi Shua shares his thoughts on ways to succeed in cybersecurity. Avi's excitement about cybersecurity began when he was 13 as he tried to think of ways to get around the school's network security. He joined the Israeli Army's Intelligence Unit 8200 and experienced some unique cybersecurity training programs that he would eventually come to teach. Learning to solve problems on your own is a skill Avi acquired and took into his professional career. In his current position, Avi works to advance Orca's mission. He loves that his company works to reduce friction and enables security people to do their jobs. Instead of becoming of plumbers connecting things, Avi says they can do their job and become real security practitioners. We thank Avi for sharing his story with us.

Primitive Bear spearphishes for Ukrainian entities. [Research Saturday] Jun 19, 2021

Guests Gage Mele and Yury Polozov join Dave to talk about Anomali's research "Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes." Anomali Threat Research identified malicious samples that align with the Russia-sponsored cyberespionage group Primitive Bear’s (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs). Primitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the samples Anomali found, as well as those shared by the security community, could also be used to target multiple former Union of Soviet Socialist Republic (USSR) countries. Anomali Threat Research found malicious .docx files being distributed by Primitive Bear, likely through spearphishing, that attempted to download remote template .dot files through template injection.

The research can be found here:

Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes

Notes from the underworld: phishing with hardware, DarkSide impersonation, and cyber vigilantes. Data incidents, and a conviction for a crypter. Jun 18, 2021

Phishing, with a bogus hardware wallet as bait. Empty threats from a DarkSide impersonator. Cyber vigilantes may be distributing anti-piracy malware. Data security incidents at a cruise line and a US grocery chain. Malek Ben Salem from Accenture looks at optimizing security scanning. Our guest is Edward Roberts of Imperva on their 2021 Bad Bots Report. And a conviction for a crypter, with sentencing to follow.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/117

The Russo-US summit ended in frank exchanges and the prospect of further discussions on cybersecurity. Ferocious Kitten tracked. Initial access brokers. Molerats return. Ransomware arrests. Jun 17, 2021

The US-Russian summit took up cyber conflict, cyber privateering, and cyber deterrence, ending with the prospect of further discussions. Ferocious Kitten’s domestic surveillance. Ransomware gangs are using a lot of initial access brokers. The Molerats are back. Troubleshooting a wave of intermittent Internet interruptions. NSA offers advice on securing business communication tools. Ukrainian police arrest six alleged Clop gangsters. Andrea Little Limbago from Interos on bringing the private sector back into the defense equation. Our guest is Charles Herring of WitFoo, with the case for cybersecurity as an extension of law enforcement. Nine alleged ransomware hoods collared in Seoul.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/116

Airline resolves IT issue. Paradise ransomware source code leaked. Unauthorized access to cameras possible. TSA pipeline cyber guidance under preparation. Russo-US summit. Anonymous extradition. Jun 16, 2021

Southwest flights are back in the air after an IT issue disrupted them yesterday. Paradise ransomware source code has been leaked online. Some networked camera feeds may be accessible to unauthorized viewers. TSA is preparing a second, more prescriptive pipeline cybersecurity directive. The Russo-US summit is underway. Our guest is Jay Paz from Cobalt on bad actors targeting hackers. Joe Carrigan looks at malware hosted on Steam. And the “face of Anonymous” has been extradited from Mexico to the US.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/115

Disruption of a major BEC campaign. Scope of cyberespionage expands in Pulse Secure exploitation. What the Hades? Russo-US summitry. A more secure workforce. Reality Winner is out, sort of. Jun 15, 2021

Microsoft disrupts a major BEC campaign. The scope of cyberespionage undertaken via exploitation of vulnerable Pulse Secure instances seems wider than previously believed. Secureworks offers an account of Hades ransomware, and differs with others on attribution. Final notes during the run-up to tomorrow’s US-Russia summit, where cyber will figure prominently. Helping employees stay secure. Carole Theriault wonders if the internet of things is becoming the internet of everything. Ben Yelin weighs in on the Supreme Court’s ruling affecting the Computer Fraud and Abuse Act. And Reality Winner has been released to a halfway house.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/114

Third-party data breach at Volkswagen. An anti-monopoly agenda with Big Tech in its crosshairs. Recovery ransom. How EA was hacked. Avaddon gives up its keys. Gamekeeper turned poacher? Jun 14, 2021

Volkswagen warns North American customers of a third-party data breach. An “anti-monopoly agenda” advances in the US House Judiciary Committee. Speculation about how the FBI recovered ransom from DarkSide. How EA was hacked. Is Avaddon going out of business? Craig Williams from Cisco Talos explains why they’re calling some cyber criminals “privateers”. Rick Howard shares thoughts on professional development. And a strange case of a gamekeeper turned poacher (allegedly).

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/113

Margaret Cunningham: A people scientist with a technology focus. [Behavioral science} [Career Notes] Jun 13, 2021

Principal Research Scientist for Human Behavior at Forcepoint, Margaret Cunningham shares her story of how she landed in cybersecurity. With a background in psychology and counseling and not feeling that one-on-one counseling was her thing, Margaret had a transformational moment in her PhD program in applied experimental technology when she realized she could "provide helping services and good work services at a broader scale." Margaret found her professional footing at DHS's Human Systems Integration Branch of Science and Technology Department as the person who figured out how to measure how new technologies impacted human performance. Margaret points out that making connections and reading whatever you can is important to stay up to date in the field. She notes that her statistical analysis skills are an asset. She hopes to create champions in human behavior and performance in the world of technology. We thank Margaret for sharing her story with us.

Taking a look behind the Science of Security. [Research Saturday] Jun 12, 2021

Guest Adam Tagert is a Science of Security (SoS) Researcher in the National Security Agency Research Directorate. The National Security Agency (NSA) sponsors the Science of Security (SoS) Initiative for the promotion of a foundational cybersecurity science that is needed to mature the cybersecurity discipline and to underpin advances in cyberdefense. Adam works in all aspects of SoS particularly in the promotion of collaboration and use of foundational cybersecurity research. He promotes rigorous research methods by leading the Annual Best Scientific Cybersecurity Paper Competition. Adam joins Dave Bittner to discuss the NSA's SoS Initiative and their Science of Security and Privacy 2021 Annual Report.

Information on the SoS Initiative and the report can be found here:

Diplomatic Backdoor targets charities, embassies, and telcos in Europe, Africa, and Southwest Asia. Fancy Lazarus and DDoS extortion. Slilpp credential market takedown. A data gap? Cyber regulation. Jun 11, 2021

Diplomatic Backdoor afflicts Africa, Europe, and Southwest Asia. Electronic Arts source code stolen. “Fancy Lazarus” is back: despite the name, it’s an extortion gang, not an espionage service. An international law enforcement action takes down a credential market. Making good data available for AI research. There’s a growing appetite for cyber regulation in Washington. Thomas Etheridge from CrowdStrike looks at protecting cloud data, and Matt Chiodi of Palo Alto Networks' Unit 42 has highlights from their Cloud Threat report. And hold that side order of fries - a McBreach is disclosed.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/112

Deciding to pay ransom - the cases of JBS and Colonial Pipeline. Gangland branding. Constituent management system hit. Notes on the FBI’s partial recovery of DarkSide’s ransom take. Jun 10, 2021

JBS discloses that it paid REvil roughly eleven-million dollars in ransom. REvil not only had a good haul, but the gang made a few points about its brand, too. Colonial Pipeline explains, and defends, its decision to pay ransom. The US Congress has a third-party problem that constituents may or may not notice. Dan Prince from Lancaster University on the science of cybersecurity. Our guest is Kris McConkey from PwC on their Cyber Threats 2020 - Report on the Global Threat Landscape. The FBI’s recovery of some of the ransom Colonial Pipeline paid to the DarkSide was good, but it doesn’t necessarily represent a new normal.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/111

Chinese cyberespionage in Russia? US Executive Order rescinds TikTok, WeChat bans. Operation Trojan Shield. Privateering. NATO’s Article 5 in cyberspace. Patch Tuesday notes. Jun 09, 2021

SentinelOne attributes the cyberespionage campaign against Russia’s FSB to Chinese services. President Biden replaces his predecessor’s bans on TikTok and WeChat with a process of engagement, security reviews, and data protection. More on the FBI-led Operation Trojan Shield. Privateering, again. NATO’s Article 5 in cyberspace. Joe Carrigan weighs in on recent high profile cyber incidents. Our guest is Shashi Kiran from Aryaka on their 2021 State of the WAN report. And notes on Patch Tuesday.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/110

FBI claws back a lot of the ransom DarkSide collected. An international dragnet uses an encrypted chat app to pull in more than 800 suspects. Navistar discloses a cyber incident. Jun 08, 2021

The FBI seized a large portion of the funds DarkSide obtained from its extortion of Colonial Pipeline. An international sweep stings more than eight-hundred suspected criminals who were caught while using an encrypted chat app law enforcement was listening in on. CISA advises users to update their VMware instances. A new phishing campaign distributes Agent Tesla. Ben Yelin examines renewed controversy surrounding Clearview AI. Our guest is Aimee George Leery from Booz Allen on the challenging intersection of secure spaces and work from home. And a major truck maker discloses a cyber incident.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/109

Dark Side’s way into Colonial Pipeline networks may have been an old VPN. Summit agenda. DDoS hits German banks. Anonymous angry with Elon Musk? Alleged Trickbot coder arraigned. Jun 07, 2021

Dark Side seems to have attacked Colonial Pipeline through an old VPN account. Washington and Moscow prepare for this month’s summit, with cyber on the agenda. DDoS affects German banks. Anonymous may be back, and out to bring to book those who would troll Bitcoiners. Rick Howard looks at process management in security. David Dufour from Webroot on lessons learned from Exchange Server vulnerabilities. And one of Trickbot’s alleged authors has been arrested and arraigned on multiple charges in a US Federal court.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/108

Dave Farrow: The guy that enabled the business. [Security leadership] [Career Notes] Jun 06, 2021

VP of Information Security at Barracuda Dave Farrow shares how a teenage surfer fell in love with software development and made his way in the cybersecurity field. Dave chose to study electrical engineering in college because he wanted to learn something that didn't make sense to him. He says he's done things in his career that he said he'd never do: for example, he went into and fell in love with software development. Taking on leadership of a bug bounty program at Barracuda blossomed into the creation of an internal security team. Dave wants to be the guy who enables the business and not the one who prevented it. He hopes all will come to recognize that there are other threats besides cybersecurity threats to business. We thank Dave for sharing his story with us.

Bad building blocks: a new and unusual phishing campaign. [Research Saturday] Jun 05, 2021

Guest Karl Sigler of Trustwave's SpiderLabs joins Dave Bittner to talk about their research: "Hidden Phishing at Free JavaScript Site". The research describes an interesting phishing campaign SpiderLabs encountered recently. In this campaign, the email subject pertains to a price revision, followed by some numbers. There is no email body, but there is an attachment about an ”investment.” The attachment’s convoluted filename contains characters the file-naming convention doesn’t allow, notably the vertical stroke, “|.” Even though "xlsx" is in the filename, double-clicking the attachment will prompt the user to open it with the default web browser. Thus, the file indeed appears to be an HTML document. Of course, it’s malicious.

The research can be found here:

HTML Lego: Hidden Phishing at Free JavaScript Site

Advice on ransomware from the US National Security Council. JBS announces its recovery from the REvil attack. Cyber diplomacy (and maybe retaliation). Ransomware-themed phishbait. Jun 04, 2021

JBS recovers from its REvil ransomware attack, and this and other apparent instances of privateering will figure among the agenda at the upcoming US-Russia summit. (The US is said to be mulling retaliation.) The White House issues general advice on preparing for ransomware attacks. The Tokyo Olympic committee suffers a data breach. Ransomware may have interrupted some media livestreaming yesterday. Attribution in the MTA attack. Dinah Davis from arctic wolf helps prevent your SOC from becoming ineffective. Carole Theriault warns of data privacy leaks in online home tours. And ransomware-themed phishbait.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/107

FBI fingers REvil as the gang behind the JBS ransomware. Privateering may come up at the US-Russian summit. Ransomware at regional transportation operations. Cyberespionage in Southeast Asia. Jun 03, 2021

Evil, your name is REvil, except when it’s Sodinokibi. That’s what the Bureau says about the JBS ransomware attack, anyway. The US is expected to make strong objections to Russian cyber privateering at the upcoming summit. Other ransomware incidents are disclosed by regional transportation operators. A possible Mustang Panda sighting. Andrea Little Limbago from Interos on cyber related executive orders. Our guest is Terry Halvorsen from IBM on the need for investment, research and collaboration in preventing quantum cyberattacks. And mommas, don’t let your babies grow up to be DDoS jockeys.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/106

The big ransomware incident in the food-processing sector. US authorities seize domains used in Nobelium’s USAID impersonation campaign. Siemens addresses PLC vulnerabilities. Jun 02, 2021

Food processing is also vulnerable to ransomware: the case of multi-national meat-provider JBS. The US and Russia are in communication about the possibility that the criminals responsible for the JBS incident might be harbored in Russia. Domains used in the USAID impersonation campaign have been seized by the US Justice Department. Our guest is Melissa Gaddis from TransUnion with results from their Global Consumer Pulse study. Joe Carrigan looks at criminals abusing online search ads. Siemens addresses a critical issue in its PLCs.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/105

Saboteurs trying to look like crooks? CISA on the USAID phishing incident. US receives criticism for alleged surveillance of allies. Epsilon Red is out. No weed, just alt-coin. Jun 01, 2021

Iran’s wiper attacks may have been posing as criminal gang capers. CISA issues an alert on the USAID Constant Contact credential compromise. European governments express concern over reports of US surveillance (enabled, allegedly, by Danish organizations). Epsilon Red ransomware is out and active. Ben Yelin looks at Florida Governor DeSantis’ bill aimed at Social Media companies. Our guest is Giovanni Vigna from VMware with highlights from their 2020 Threat Landscape Report. And police come looking for cannabis farming and find coin-mining rigs instead.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/104

Zero trust: a change in mindset. [Special Edition] May 31, 2021

Guest Lenny Zeltser, CISO of Axonius, sits down with the CyberWire's CSO and Chief Analyst Rick Howard to discuss one of Rick's favorite topics, zero trust. Lenny shares his views on this cybersecurity first principle, taking into account changes in mindsets during the COVID-19 pandemic that have necessitated many to move toward zero trust.

Baan Alsinawi: Trust ourselves and be courageous. [Compliance] [Career Notes] May 30, 2021

Managing Director at Cerberus Sentinel, Chief Compliance Officer and the President of TalaTek, Baan Alsinawi shares her cybersecurity journey from a teenager who wanted to understand computers and held several positions in IT from help desk to systems engineering and cybersecurity. Founding her own business focusing on compliance, Baan says she spends maybe only 20% of her day on technical tasks and that there is always so more to do. Finding the right people for her team is a marker of success for Baan. She talks of the importance of sharing the sense of community of women in technology and nurturing women in the field. We thank Baan for sharing her story with us.

Big data, big payoff for China's cybercrime underground. [Research Saturday] May 29, 2021

Guest Brandon Hoffman of Intel 471 joins Dave Bittner to share his team's research "How China’s cybercrime underground is making money off big data". Through Intel 471’s observation and analysis of open source information and behavior on multiple closed forums, they found actors adopting the use of legitimate big data technology for cybercrime and monetizing the data they obtain on the Chinese-language underground.

The behavior Intel 471 analyzed points to a cycle that involves several different layers of cybercriminals, the use of insider information, and unwitting victims in order to earn ill-gotten gains. The schemes themselves proliferate partly due to China’s desire to be a global epicenter in big data analytics, especially as it pushes to become synonymous with new technology sectors like the Internet of Things (IoT). With China injecting big data into every economic sector, the environment has become ripe for criminals to create and execute schemes that hide in the noise brought on by the amount of data at hand.

The research can be found here:

How China’s cybercrime underground is making money off big data

A phishing campaign poses as USAID. APTs exploit unpatched Pulse Secure and Fortinet instances. Healthcare organizations continue recovery from ransomware. A look at Criminal2Criminal markets. May 28, 2021

A phishing campaign this week appears to be the work of Russia’s SVR. Chinese government threat actors continue to exploit unpatched Pulse Secure instances. FBI renews warnings about unpatched Fortinet appliances. Healthcare organizations still work to recover from ransomware. Rick Howard speaks with author Andy Greenberg on his book Sandworm. Ben Yelin weighs in on questions Senator Wyden has for the Pentagon. And a look at the criminal ransomware market, including the consultants who serve the extortionists.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/103

Impersonation campaign targets China’s Uyghur minority. US DHS issues pipeline cybersecurity requirements. Recovering from ransomware. Notes on privateering. May 27, 2021

Chinese-speaking operators are reported to be phishing to compromise devices belonging to Uyghurs. The US Department of Homeland Security issues pipeline cybersecurity regulations. Security companies take various approaches to offering decryptors against ransomware. Huawei would like to chat with President Biden. Rick Howard speaks with authors Peter Singer and Emerson Brooking on their book "LikeWar - The Weaponization of Social Media". Our guest is Darren Shou of NortonLifeLock on the findings of the 6th annual Norton Cyber Safety Insights Report. And a few notes on privateers, then and now, whether on High Barbaree or the dark net.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/102

Cybersespionage reported in Belgium. Low-sophistication attacks on OT networks. Healthcare ransomware attacks. Privateering defined. Advice for boards. And news of crime. May 26, 2021

Hafnium visits Belgium. “Low-sophistication” attacks on operational technology. Updates on healthcare sector ransomware attacks in New Zealand and Ireland. Wipers masquerading as ransomware. “Privateers” are defined as a new category of threat actor. TSA’s new standards for pipeline security. The World Economic Forum has advice for Boards in the oil and gas sector. Rick Howard interviews Liza Mundy on her book "Code Girls - The Untold Story of the American Women Code Breakers Who Helped Win World War II". Joe Carrigan describes fraudulent search engine ad buys. And as one criminal is sentenced, eight more are arrested.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/101

CryptoCore traced to Pyongyang. Ransomware and risk management. Gangs regroup. A would-be hacker-by-bribery is sentenced in Nevada. May 25, 2021

The CryptoCore campaign that looted cryptocurrency exchanges is said to have been the work of North Korea’s Lazarus Group. Insurers are taking a hard look at ransomware and the cyber insurance policies that might cover it. Managing ransomware risk, and a role for standards bodies. Can there be such a thing as responsible disclosure of decryptors and other remediation tools? Ransomware gangs regroup. Perry Carpenter previews the new 8th Layer Insights podcast. Rick Howard speaks with authors Doug Barth and Evan Gilman. And it’s time served plus deportation in the case of an unsuccessful hacker.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/100

Ransomware warnings in Ireland, New Zealand, Germany, and the US. Belgium’s new cybersecurity strategy. A tipline to dime out cryptominers. Air India passenger data breach. May 24, 2021

Ransomware warnings in the US, Ireland, New Zealand, and Germany--healthcare organizations are said to be at particular risk. Belgium adopts a new cybersecurity strategy. China isn’t happy with freelance cryptominers. Air India sustains a third-party breach of passenger personal data. An FBI analyst is indicted for mishandling classified material. Rick Howard previews this week’s CSO Perspective podcast and kicks off cybersecurity canon week with author Perry Carpenter. And happy birthday, US Cyber Command.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/99

Michael Bishop Jr.: Good, bad or indifferent. [Security] [Career Notes] May 23, 2021

Senior Security Officer at Centers for Medicare and Medicaid Services Michael Bishop Jr. shares his journey from Army infantryman deployed to Iraq to working in cybersecurity. After 12 years in the U.S. Army, Mike found himself in a rough spot. Looking for work and having some personal challenges, Mike's mentor, an Army officer he met while enlisted, recognized Mike's struggles and helped to nudge him toward cybersecurity. Mike credits his mentor with helping him transition to where he is today. Undergoing training for cybersecurity, he was tested in many areas and found the route he wanted to go. We thank Michael for sharing his story with us.

Leveraging COVID-19 themes for malicious purposes. [Research Saturday] May 22, 2021

Guest Joe Slowik joins us from DomainTools to discuss his team's research "COVID-19 Phishing With a Side of Cobalt Strike." Multiple adversaries, from criminal groups to state-directed entities, engaged in malicious cyber activity using COVID-19 pandemic themes since March 2020. Adversaries continue to leverage the pandemic, arguably the most significant issue globally as of this writing, in various ways. Yet the most persistent avenue remains using COVID-19 themes for building malicious document files. Examples include lures associated with Cloud Atlas-linked activity and broader targeting of health authorities.

Given the continued significance of the pandemic and persistent use of pandemic themes by adversaries, DomainTools researchers continuously monitor for items leveraging COVID-19 content for malicious purposes. While conducting this research, DomainTools analysts identified an interesting malicious document with what appeared to be unique staging and execution mechanisms.

Research can be found here:

COVID-19 Phishing With a Side of Cobalt Strike

DarkSide still more-or-less dark. Updates on Colonial Pipeline and HSE ransomware attacks. CNA said to have paid $40 million in ransom. Cyber privateers and cyber mercenaries. May 21, 2021

The US remains officially mum on whether it took down DarkSide, but it still looks as if the ransomware gang absconded on its own. Colonial Pipeline now faces legal fallout from its ransomware incident. Speculation about how states might handle cyber privateering. Conti’s attack on HSE is described as “catastrophic.” Russia says it was hit by foreign cyber mercenaries last year. Craig Williams from Cisco Talos explains Discord abuses. Our guest is Jon Ford from Mandiant on their M-Trends 2021 report. And CNA pays cyber extortionists $40 million.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/98

DarkSide: absconding, rebranding, or retiring to a life of penitence? (Probably the first two.) Israeli airstrikes said to target Hamas cyber ops centers. Apps behaving badly. Notes on phishbait. May 20, 2021

Did DarkSide really see the light and shut down, with a sincere promise of reform and restitution, or is the gang just rebranding? Researchers look at DarkSide ransomware and find complexity and sophistication. Israel says airstrikes in Gaza were intended to take out Hamas cyber ops facilities. Poor practices seem to have exposed data of millions of Android app users. Phishing from call centers and cloud services. David Dufour from Webroot looks at hacker psychology. Our guest is Rob Price from Snow Software on Shadow IT. And who dunnit to SolarWinds? Not the intern.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/97

Updates on the Colonial Pipeline incident, and other ransomware incidents. A watering hole for water utilities. Credential harvesting, cryptojacking, and banking Trojans. May 19, 2021

Colonial Pipeline corrected yesterday’s IT glitch, and its CEO explains the decision to pay the ransom. A rundown of recent ransomware activity. A watering hole for water utilities? Credential harvesting and cryptojacking in the cloud. A banking Trojan spreads from Brazil to Europe. Joe Carrigan looks at keyboard biometrics. Our guest Dotan Nahum from Spectral on shifting left in security development. And the metaphysics of attribution.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/96

WastedLocker being distributed in RIG campaign. Investigation of the DarkSide attack on Colonial Pipeline. More ransomware gangs go offline. Double encryption. Third-party stalkerware risk. May 18, 2021

A new RIG campaign is distributing WastedLocker. The US Congress considers two bills informed by the Colonial Pipeline incident, and Congressional committees are looking at the company’s response to the attack. More ransomware gangs go offline, but Conti is still trying to collect from the Irish government. Double encryption appears to be an emerging trend in ransomware. Ben Yelin looks at insurance companies clamping down on ransomware payments. Our guest is Nick Gregory of Capsule8 with thoughts on the Linux security landscape. And there’s another problem with stalkerware: third-party risk.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/95

Japan calls out China for cyberespionage. Colonial Pipeline restores service. Wither the DarkSide? Conti hits Irish health organizations, and Avaddon strikes AXA. May 17, 2021

Japan calls out China for cyberespionage. Colonial Pipeline restores service, as organizations look to their own vulnerability to ransomware. The DarkSide gang may have said it’s going out of business, but it’s at least as likely, probably likelier, that they’re either rebranding or absconding. Two other gangs are in business: Conti is hitting Irish health organizations, and Avaddon says it compromised insurer AXA. (AXE-uh) Rick Howard looks at new responsibilities for CISOs. Our guest is Samantha Madrid of Juniper Networks on establishing automation and security integrations seamlessly. And a spy gets fifteen years in a US prison.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/94

Zeroing in on zero trust. [CyberWire-X] May 16, 2021

The Zero Trust security model asserts that organizations should not trust anything within its perimeters and instead must inspect every traffic and verify anything connecting to its systems before granting access. While Zero Trust is generating a lot of buzz in the cyber world, it’s often hard to determine the implications of this security model.

In this episode of CyberWire-X, guests will discuss the origins of the model, cut through the hype, and discuss what you really need to know to design, implement, and monitor an effective Zero Trust approach. John Kindervag of ON2IT Cybersecurity, also known as the "Creator of Zero Trust," shares his insights with the CyberWire's Rick Howard, and Tom Clavel of sponsor ExtraHop joins Kapil Raina from their partner CrowdStrike to offer their thoughts to the CyberWire's Dave Bittner.

Dominique West: Security found me. [Strategy] [Career Notes] May 16, 2021

Technical account manager Dominique West takes us on her career journey from engineering to cybersecurity. Even though her undergraduate degree was in information systems, Dominique did not learn about cybersecurity until she personally experienced credit card fraud. She had a range of positions from working the help desk in an art museum to vulnerability management and cloud security. Dominique mentions remembering feeling isolated as the only black person and one of few women in many situations. These experiences spurred her into action to create Security in Color to help others navigate their way into cybersecurity and share resources are available to them. Dominique recommends those interested in cybersecurity to go ahead and get your hands dirty out there; figure out what you like and what you don't like and do community. We thank Dominique for sharing her story with us.

Jack Voltaic: Army Cyber Institute's critical infrastructure resiliency project, not a person. [Research Saturday] May 15, 2021

Guest LTC Erica Mitchell from Army Cyber Institute joins us to talk about their infrastructure resiliency research project called Jack Voltaic. The Army Cyber Institute’s (ACI’s) Jack Voltaic (JV) project enables the institute to study incident response gaps alongside assembled partners to identify interdependencies among critical infrastructure and provide recommendations. JV provides an innovative, bottom‐up approach to critical infrastructure resilience in two unique ways. Whereas most federal efforts to improve resiliency focus on regional or multistate emergency response, JV focuses on cities and municipalities where critical infrastructure and populations are most heavily populated. Furthermore, JV deviates from other cybersecurity and national preparedness exercises in that it builds around areas of interest nominated by the participants. Although JV events include national-level capabilities and resources, they are conceptually driven by the concerns of the cities and their infrastructure partners. Through this approach, the ACI, the Army, and the Department of Defense (DoD) are able to harvest insights about potential roles, dependencies, partners, and support requests, while cities are able to discover potential capability gaps and expand their critical infrastructure information-sharing networks before a potential disaster strikes.

Research links:

Ransomware hoods and their enablers may be feeling some heat. Supply chain compromise and third-party risk. Colonial Pipeline resumes deliveries (but paid ransom to no avail). May 14, 2021

DarkSide says it’s feeling the heat and is going out of business, but some of its affiliates are still out and active, for now at least. A popular hackers’ forum says it will no longer accept ransomware ads. The Bash Loader supply chain compromise afflicts another known victim. Colonial Pipeline resumes delivery of fuel. Irresponsible disclosure of vulnerabilities hands attackers a big advantage. Carole Theriault looks at NFTs. Joe Carrigan wonders about the return on your ransomware payment investment. And there’s a lot of Amazon-themed vishing going on out there.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/93

The US Executive Order on cybersecurity is out. Colonial Pipeline, its security and response under scrutiny, resumes deliveries. Verizon’s DBIR is out. May 13, 2021

The US Executive Order on Improving the Nation’s Cybersecurity is out. Colonial Pipeline partially resumed delivery of fuel yesterday evening, as its preparation for and response to the cyberattack it sustained receive scrutiny. The DarkSide’s extortion of the US pipeline company seems likely to prompt regulatory revision. DarkSide operators say they’ve gotten busy against other targets. Our own Rick Howard speaks with Aaron Sant-Miller, Chief Scientist at BAH, on developments in artificial intelligence. And Verizon’s Database Investigations Report is out. I check in with Verizon’s Chris Novak for highlights from the DBIR.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/92

The security industry looks at DarkSide ransomware. CISA offers advice on defense and recovery. A new banking Trojan is out. Deprecated protocols remain in use. A quick look at Patch Tuesday. May 12, 2021

FireEye provides an overview of the DarkSide ransomware-as-a-service operation. Forcepoint suggests a connection between DarkSide and other ransomware gangs, notably REvil. Colonial Pipeline continues its recovery efforts from the cyber attack it sustained. As ransomware grows more common, CISA offers advice on how to prepare defenses. A new Android banking Trojan is in circulation. Cecelia Marinier from RSA on the RSAC Innovation Sandbox. Bret Arsenault from Microsoft previews his new Microsoft CISO podcast. And yesterday, of course, was Patch Tuesday.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/91

Ransomware: DarkSide, Avaddon, and Baduk. 5G threat vectors. Crytpojacking unpatched Exchange Servers. Bogus Chrome app. An espionage trial approaches sentencing. May 11, 2021

Updates on the DarkSide ransomware attack on Colonial Pipeline. Other ransomware strains, including Avaddon and Babuk are out, and dangerous. Guidelines on 5G threat vectors. Lemon Duck cryptojackers are looking for vulnerable Exchange Server instances. A bogus, malicious Chrome app is circulating by smishing. Ben Yelin examines an online facial recognition platform. Our guest is Mathieu Gorge of VigiTrust on the privacy risks of video and audio recordings. And an update on an espionage trial.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/90

Ransomware disrupts pipeline operations in the Eastern US. Other ransomware attacks reported by US municipal and Tribal governments. UK-US advisory on SVR TTPs. SolarWinds update. May 10, 2021

Colonial Pipeline shuts down some systems after a ransomware attack, disrupting refined petroleum product delivery in the Eastern US. We’ll check in with Sergio Caltagirone from Dragos for his analysis. Other ransomware attacks hit city and Tribal governments. Joint UK-US alert on SVR tactics issued, and the SVR may have changed its methods accordingly. SolarWinds revised downward its estimate of the number of customers affected by its compromise. Rick Howard previews his CSO Perspectives podcasts on risk metrics. Four guilty pleas in “bulletproof hosting” RICO case.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/89

Yatia (Tia) Hopkins: Grit and right place, right time. [Solutions Architecture] [Career Notes] May 09, 2021

VP of Global Solutions Architecture at eSentire Tia Hopkins shares her career journey and talks about its beginnings in engineering and pivots into cybersecurity leadership. Tia shares how she liked to take things apart when she was young, including the brand new computer her mother bought her and how she was fascinated by all the pieces of it spread all across her bedroom floor. As she started studying engineering, Tia learned she was more of a technologist than an engineer. Tia got her start in technology without completing her formal education by what she says is "grit and right place, right time." Once she was in a management role, Tia wanted to validate her knowledge, experience, and ability and not only completed her bachelor's degree, but also two master's degrees. Tia recently started an organization to encourage and grow interest, confidence, and leaders of women of color in the field of cybersecurity. We thank Tia for sharing her story with us.

Street cred: increasing trust in passwordless authentication. [CyberWire-X] May 09, 2021

Good security gets out of the way of users while getting in the way of adversaries. Passwords fail on both accounts. Users feel the pain of adhering to complex password policies. Adversaries simply copy, break, or brute-force their way in. Why, then, have we spent decades with passwords as the primary factor for authentication?From the very first theft of cleartext passwords to the very latest bypass of a second-factor, time and again improvements in defenses are met with improved attacks. The industry needs to trust passwordless authentication.What holds us back from getting rid of passwords? Trust.

In this episode of CyberWire-X, guests will discuss a framework of technical controls to ensure only trusted sessions authenticate, regardless of faults or failures in any one factor. We will share a path forward for increasing trust in passwordless authentication. Nikk Gilbert of CISO of Cherokee Nation Businesses and retired CSO Gary McAlum share their insights with Rick Howard, and Advisory CISO of Duo Security at Cisco Wolfgang Goerlich from sponsor Duo Security offers his thoughts with Dave Bittner.

SUPERNOVA activity and its possible connection to SPIRAL threat group. [Research Saturday] May 08, 2021

Guest Mike McLellan from Secureworks joins us to share his team's insights about SUPERNOVA and threat group attribution. Similarities between the SUPERNOVA activity and a previous compromise of the network suggest that SPIRAL was responsible for both intrusions and reveal information about the threat group.

In late 2020, Secureworks® Counter Threat Unit™ (CTU) researchers observed a threat actor exploiting an internet-facing SolarWinds server to deploy the SUPERNOVA web shell. Additional analysis revealed similarities to intrusion activity identified on the same network earlier in 2020, suggesting the two intrusions are linked. CTU™ researchers attribute the intrusions to the SPIRAL threat group. Characteristics of the activity suggest the group is based in China.

The research can be found here:

SUPERNOVA Web Shell Deployment Linked to SPIRAL Threat Group

CISA on FiveHands. Connections among cybergangs, Russian intelligence services? Software supply chain security. Scripps Health incident update. Home routers. Ryuk hits research institute. May 07, 2021

CISA outlines the FiveHands ransomware campaign. Circumstantial evidence suggests that some cybergangs are either controlled by or are doing contract work for Russian intelligence services. US Federal agencies turn their attention to software supply chain security. Scripps Health continues its recovery from cyberattack. Insecure home routers in the UK. Daniel Prince from Lancaster University has thoughts on cybersecurity education. Our guest Rupesh Chokshi from AT&T has suggestions for organizations who want to get SASE, but don’t know where to begin. And Ryuk ransomware throws a wrench in research at a European biomedical institute.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/88

Some possible insight into what a Chinese cyberespionage unit is up to. Hackathons, from Beijing to Washington. Panda Stealer is after crypto wallets. And Peloton deals with a leaky API. May 06, 2021

Some possible insight into what a Chinese cyberespionage unit is up to. Hackathons, from Beijing to Washington (the one sponsored by Beijing developed an iPhone zero-day used against China’s Uyghurs). Panda Stealer is after crypto wallets. Microsoft's Kevin Magee reflects on lessons learned in the last year. Our own Rick Howard speaks with Todd Neilson from World Wide Technology on Zero Trust. And Peloton deals with a leaky API.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/87

DDoS interrupts Belgium’s parliament. New malware in the wild. Spies and crooks work around MFA, OAuth. COVID-19 scam site takedown. Online election fraud (in a homecoming queen election). May 05, 2021

Belgium sustains a DDoS attack that knocks parliamentary sessions offline. New malware strains identified in phishing campaign. Threat actors look for ways of working around multi-factor authentication and open authentication. COVID-19 scams continue online, and attract law enforcement attention. Joe Carrigan describes a compromised password manager. Our guests are Linda Gray Martin & Britta Glade from RSA with a preview of this year’s RSAC conference. And how secure was your high school’s election for homecoming court.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/86

VPN vulnerability exploited for cyberespionage closed. “IT security incident” at medical system. Android banking Trojans and cryptocurrency. Cyber threats to the Tokyo Olympics. May 04, 2021

Pulse Secure patches its VPN, and CISA for one thinks you ought to apply those fixes. Apple has also patched two zero-days in its Webkit engine. Scripps Health recovers from what’s said to be a ransomware attack. Researchers describe Genesis, a criminal market for digital fingerprints. Ben Yelin described a grand jury subpoena for Signal user data. Our guest is Ryan Weeks from Datto on the need for cyber resilience in the MSP community. And Japan works on cybersecurity for this summer’s upcoming Olympic Games.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/85

Data exposure reported in the Philippines. FISA targets down during the pandemic. Babuk changes its focus. New variant of the Buer loader in the wild. US Justice Department reviews its cyber strategy. May 03, 2021

Possible data exposure at the Philippines’ Office of the Solicitor General. In the US, FISA surveillance targets dropped during 2020’s pandemic. The Babuk gang says it’s giving up encryption to concentrate on doxing. A new version of the Buer loader is out in the wild. Rick Howard looks at security in the energy sector. Betsy Carmelite from Booz Allen Hamilton on telemedicine security concerns. The US Justice Department undertakes a review of its cybersecurity policies and strategy.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/84

Jim Zufoletti: Building your experience portfolio. [Entrepreneur] [Career Notes] May 02, 2021

CEO and co-founder of SafeGuard Cyber Jim Zufoletti shares his journey starting out as an intrepreneur and transformation into a serial entrepreneur in cybersecurity. Jim shares how he got his feet wet working for others as an intrepreneur and catching the entrepreneurial bug in the mid-90s. He has co-founded a number of companies starting with FreeMarkets, a B2B ecommerce company. After that went public and Jim moved on, he went to business school at the University of Virginia and crossed paths with his future co-founder of SafeGuard Cyber. At UVA, Jim was inspired by a professor who exposed him to the effectuation approach to entrepreneurship, Along those lines, Jim recommends those looking to start a business in cyber build their experience portfolio. Jim took what he learned to help build where he is today. His company helps protect the humans in this new digital world with the current work from home environment. And, we thank Jim for sharing his story with us.

A snapshot of the ransomware threat landscape. [Research Saturday} May 01, 2021

Guest Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins Dave to discuss their 2021 Unit 42 Ransomware Threat Report, which highlights a surge in ransomware demands based on a global analysis of the threat landscape in 2020. To evaluate the current state of the ransomware threat landscape, the Unit 42 threat intelligence team and the Crypsis incident response team collaborated to analyze the ransomware threat landscape in 2020, with global data from Unit 42 as well as US, Canada, and Europe data from Crypsis. The report details the top ransomware variants, average ransomware payments, ransomware predictions, and actionable next steps to immediately reduce ransomware risk.

The report can be found here:

2021 Unit 42 Ransomware Threat Report

Investigating VPN exploits, and the crooks and spies who use them. BadAlloc afflicts OT. Notes on cyberespionage. The criminal market for deepfakes. Apr 30, 2021

The US Government expands its investigation into Pulse Secure VPN compromises. Microsoft discloses its discovery of BadAlloc IoT and OT vulnerabilities. Someone’s distributing Purple Lambert spyware. Chinese intelligence services seem to be backdooring the Russian defense sector. Financially motivated criminals are exploiting SonicWall VPN vulnerabilities. A look at the emerging criminal market for deepfakes. Josh Ray from Accenture Security on Why Cybersecurity Community Service Matters. Our guest Manish Gupta of ShiftLeft looks at cyber attacks on the CI/CD pipeline. And the World Health Organization attracted impersonators early this month. Again.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/83

Buggy APIs may expose credit scores. Dealing with ransomware. Iran-Israeli tensions are up. Russia says it will always see the Americans coming. Surge cyber capacity. NSA’s advice on OT security. Apr 29, 2021

An API bug may have exposed credit ratings. A study offers advice for the new anti-ransomware task forces emerging in the US and elsewhere. Israelis warned to keep their cyber-guard up on Quds Day next week. Russia says it would spot any US cyberattack before it hit. The US Congress considers establishing surge cyber response capacity. Dinah Davis from Arctic Wolf has tips on preventing RDP attacks. Rick Howard speaks with Rehan Jalil from Securiti on GDPR. NSA offers advice for security OT networks.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/82

More intelligence on Ghostwriter, and a convergence of hacking and influence operations. Naikon APT has a new backdoor. FluBot returns. MAPP reconsidered. Defense counsel on Cellebrite. Apr 28, 2021

Ghostwriter is back, and has moved its “chaos troops” against fresh targets in Poland and Germany. The Naikon APT has a new secondary backdoor. FluBot, temporarily inhibited by police raids, is back, and expanding its infection of Android devices across Europe. Microsoft is rethinking how much, and with whom, it wants to share vulnerability information. Joe Carrigan examines a phone scam targeting Amazon Prime customers. Our guest is Tzury Bar Yochay of Reblaze on open-source software and scalability. And Signal’s discovery of Cellebrite issues is finding its way into court.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/81

The FBI and CISA take a look at the SVR, and offer advice for potential targets. Openness and information warfare. OPSEC and privacy. Babuk hits DC police. Social engineering notes. Apr 27, 2021

FBI, CISA, detail SVR cyber activities. Nine US Combatant Commands see declassification as an important tool in information warfare. A convergence of OPSEC and privacy? Apple fixes a significant Gatekeeper bypass flaw. Babuk ransomware hits DC police. A new twist in credential harvesting. Ben Yelin considers the FTCs stance on racially biased algorithms. Our guest Tony Howlett from SecureLink tracks the evolution of threat hunting. And that was no hack; it was just a careless tweet.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/80

Prankers on Zoom, with convincing video. Emotet takedown. US response to SolarWinds reviewed. Cancer therapy disrupted by attack on cloud provider. Oscar phishing. Apr 26, 2021

Zoom prankers deceive European members of parliament with a deepfake video call. A password manager is compromised. Europol took a good whack at Emotet yesterday, removing the botnet’s malware from infected machines. US response to the Holiday Bear campaign receives cautious good reviews. A cyberattack interferes with cancer treatments. Caleb Barlow from CynergisTek on emergency notification systems. Rick Howard previews the latest CSO Perspectives podcast focused on the healthcare vertical. And movie-themed phishbait chummed the waters around yesterday’s Oscars.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/79

Marcelle Lee: Cyber sleuth detecting emerging threats. [Research] [Career Notes] Apr 25, 2021

Senior security researcher from Secureworks Marcelle Lee shares her career journey into cybersecurity and how she helps solve hard problems in her daily work. Marcelle came into cybersecurity not through any traditional path. She describes her route from a different field and starting in cyber at her local community college through a grant program. Marcelle took full advantage of the opportunities she had and grew her career from there. She recommends finding your specialty, but continue to build other skills. As a woman in the field, she is a strong proponent of diversity and encouraging others to find what excites them. And, we thank Marcelle for sharing her story with us.

Channeling the data avalanche. [CyberWire-X] Apr 25, 2021

Proliferation of data continues to outstrip our ability to manage and secure data. The gap is growing and alarming,especially given the explosion of non-traditional smart devices generating, storing, and sharing information. As edge computing grows, more devices are generating and transmitting data than there are human beings walking the planet.

High-speed generation of data is here to stay. Are we equipped as people, as organizations, and as a global community to handle all this information? Current evidence suggests not. The International Data Corporation (IDC) predicted in its study, Data Age 2025, that enterprises will need to rely on machine learning, automation and machine-to-machine technologies to stay ahead of the information tsunami, while efficiently determining and iterating on high-value data from the source in order to drive sound business decisions.

That sounds reasonable, but many well-known names in the industry are trying - and failing - to solve this problem. The struggle lies in the pivot from “big data,” to “fast data,” the ability to extract meaningful, actionable intelligence from a sea of information, and do it quickly. Most of the solutions available are either prohibitively expensive, not scalable, or both.

In this episode of CyberWire-X, guests will discuss present and future threats posed by an unmanageable data avalanche, as well as emerging technologies that may lead public and private sector efforts through the developing crisis. Don Welch of Penn State University and Steve Winterfeld of Akamai share their insights with Rick Howard, and Egon Rinderer from sponsor Tanium offers his thoughts with Dave Bittner.

Bulletproof hosting (BPH) and how it powers cybercrime. [Research Saturday] Apr 24, 2021

Guest Jason Passwaters of Intel 471 joins us to discuss his team's research into bulletproof hosting (BPH). The research team at Intel 471 defined what a typical BPH service offers and how these services can be stopped in order to limit the damage they have on enterprises, businesses and digital society itself. They examined some popular malware families that actors host or leverage via BPH services. While much more goes into a cybercriminal’s full operation, it would be vastly more difficult to pull off without the ability to host malware and be free from impunity. Finally, they listed of some of the BPH providers that are firmly entrenched in the cybercrime underground and how they give support to other cybercriminal enterprises. By recognizing their behaviors, security teams can begin to take measures to figure out who the actors are, how they operate and what their infrastructure looks like. By doing so, organizations can begin to uncover ways to proactively counter maliciously-used infrastructure before criminals have a chance to launch their attacks.

The blog posts can be found here:

Three ransomware gangs up their game. The US Postal Inspection Service’s “Internet Covert Operations Program.” GCHQ warns of dependence on Chinese tech. Undersea cable security. Apr 23, 2021

Ransomware operators begin timing their releases for more reputational damage. Another gang is equipping its ransomware with scripts to disable defenses, and yet another is now into stock shorting. The US Postal Inspection Service is apparently monitoring social media. GCHQ’s head warns of the dangers of becoming dependent on China’s technology. Johannes Ullrich from SANS on Commodity Malware Targeting Enterprises. Our guest is Etay Maor from Cato with some of the clever ways criminals avoid detection. And it’s not just sharks interested in undersea cables.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/78

VPN users remediate systems. New Supernova infection. Cryptojacking botnet afflicts vulnerable Exchange Servers. Facebook takes down spyware groups. Ransomware. Cellebrite bug found. Apr 22, 2021

Agencies continue to respond to the Pulse Secure VPN vulnerabilities. Updates on the SolarWinds compromise show that it remains a threat, and that it was designed to escape detection and, especially, attribution. A cryptojacking botnet is exploiting vulnerable Microsoft Exchange Server instances. Facebook takes down two Palestinian groups distributing spyware. Ransomware draws more attention. Craig Williams from Cisco Talos looks at cheating the cheater. Our guest is Bruno Kurtic from Sumo Logic on their Continuous Intelligence Report. And a Cellebrite vulnerability is exposed.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/77

SonicWall, Pulse Secure products under exploitation (mitigations are available). Power grid security. Cyber conflict in the Near Abroad. ISIS worries about Bitcoin. Bad passwords. Apr 21, 2021

SonicWall zero-days are under active exploitation; mitigations are available. Pulse Secure VPN is also undergoing exploitation, probably by China, and mitigations are available here, too. The US begins work on shoring up power grid cybersecurity. Cyber ops rise with Russo-Ukrainian tension. The help desk at ISIS tells jihadists to stay away from Bitcoin. Joe Carrigan looks at cryptocurrency anonymity. Our guest is Bert Kashyap from SecureW2 on what needs to be done before devices used for learning from home return to schools. And is your password inspired by cinema?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/76

Codecov supply chain attack update. Babuk’s victim service. Catphishing in LinkedIn. Sanctioned company responds. SolarWinds, Exchange compromise TFs stand down. 5 Eyes notes. IoT risk. Apr 20, 2021

Update on the Codecov supply chain attack. The Babuk gang says they’ve debugged their decryptor. MI5 warns of “industrial scale” catphishing in LinkedIn. Positive Technologies responds to US sanctions. The US stands down the two Unified Coordination Groups it established to deal with the SolarWinds and Exchange Server compromises. Are all Five Eyes seeing eye-to-eye on China? Ben Yelin explains the legal side of the FBI removing webshells following the Microsoft Exchange Server hack. Our guest is May Habib from Writer on how the AI is helping the security industry with outdated and problematic terminology. And, psst: your kitchen appliances are a bunch of sellouts...or something.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/75

Codecov may have sustained a supply chain attack. Natanz sabotage update. Big data gangs. Protecting ransomware gangs. Counterretaliation in the SolarWinds affair. Apr 19, 2021

Another supply chain incident surfaces. The Natanz sabotage seems to have landed a punch, but not a knock-out blow against Iran’s nuclear program (and it appears to have been a bomb). China’s “big data” gangs and their place in the criminal economy. Tolerating (and protecting?) ransomware gangs in Russia? Betsy Carmelite looks at the intersection of 5G and zero trust. Rick Howard is focusing on finance and fraud in the latest season of CSO Perspectives. Russia’s counterretaliation for US sanctions in the SolarWinds affair.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/74

Aviv Grafi: There needs to be fundamental changes in security. [CEO] [Career Notes] Apr 18, 2021

CEO and Founder of Votiro Aviv Grafi shares his story from serving as a member of the IDF's intelligence forces to leading his own venture. Aviv says his service in the IDF shaped a lot of his thinking and problem solving. Following his military service, Aviv worked to gain more real world and business experience. Starting his own business as a pentester was where the seeds for what would become Votiro would form. Aviv talks about the roller coaster that you experience when starting your own venture and offers some advice. And, we thank Aviv for sharing his story with us.

Social engineering: MINEBRIDGE RAT embedded to look like job résumés. [Research Saturday] Apr 17, 2021

Guest Deepen Desai joins Dave to talk about Zsaler's research "Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures." In Jan 2021, Zscaler ThreatLabZ discovered new instances of the MINEBRIDGE remote-access Trojan (RAT) embedded in macro-based Word document files crafted to look like valid job resumes (CVs). Such lures are often used as social engineering schemes by threat actors.

MINEBRIDGE buries itself into the vulnerable remote desktop software TeamViewer, enabling the threat actor to take a wide array of remote follow-on actions such as spying on users or deploying additional malware.The use of social engineering tactics targeting security teams appears to be on an upward trend.

The research can be found here:

Return of the MINEBRIDGE RAT With New TTPs and Social Engineering Lures

International reactions to US sanctions against Russia (positively reviewed in Europe and the UK, but panned by Russia). Continuing threats to the cold chain. Natanz back in business? Data breach notes. Apr 16, 2021

The European Union expresses solidarity with the US over the SolarWinds incident. The UK joins the US in attributing the incident to Russia. Russia objects to US sanctions and hints strongly that it intends to retaliate. IBM discloses new cyber threats to the COVID-19 vaccine cold chain. Iran says Natanz is back in business. Kevin Magee from Microsoft looks at the security of startups. Our guest is Brad Ree of ioXt Alliance with results from their Mobile IoT Benchmark report. And data breaches hit people who park and people who read.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/73

Imposing costs and sending signals (and prominently naming Cozy Bear). More speculation about the Natanz explosion. And a shift in the criminal-to-criminal economy. Apr 15, 2021

The US announces a broad range of retaliatory actions designed to “impose costs” on Russia for its recent actions in cyberspace, prominently including both the SolarWinds supply chain compromise and attempts to influence elections. More reports on the Natanz incident suggest that a buried bomb was remotely detonated. David Dufour from Webroot has a wakeup call on digital privacy. Our guest is Ganesh Pai from Uptycs on Mitre ATT&CK Evaluations. And IcedID is taking Emotet’s place in the criminal ecosystem.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/72

The IAEA investigates the Natanz incident (amid conflicting reports on the nature of the sabotage). Mopping up the SolarWinds Exchange Server hacks. Apr 14, 2021

Updates on Natanz, where the nature of the sabotage remains unclear--it happened, but there are conflicting explanations of how. Electrical utilities on alert for cyberattack, especially after the SolarWinds incident. The US Government takes extraordinary steps to fix the Microsoft Exchange Server compromise. Joe Carrigan analyses effective phishing campaigns. Our guest is the FBI’s Herb Stapleton on their recent IC3 report. And the US Intelligence Community’s Annual Threat Assessment points, in order of diminishing rsk, to China, Russia, Iran, and North Korea.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/71

Natanz pre-emptive sabotage updates. NAME:WRECK DNS vulnerabilities. Tax phishing. ATM cards and advance-fee scams. Ransomware-induced cheese shortage. Apr 13, 2021

Updates on the sabotage at Natanz--whether it was cyber or kinetic, Iran has vowed to take its revenge against Israel. NAME:WRECK vulnerabilities affect DNS implementations. Tax season scammers are phishing for credentials. If you liked the investment opportunities those Nigerian princes used to offer, you’re going to love their loaded ATM cards. Ben Yelin looks at data protection and interoperability. Our guest is Jules Martin from Mimecast on the importance of security integration. And in the Netherlands ransomware is inducing a shortage of cheese.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/70

Apparent cyber sabotage at Natanz. Arrest made in alleged plot to blow up AWS facility. Scraped data for sale in criminal fora. US senior cyber appointments expected soon. Apr 12, 2021

Iran says Israel was responsible for sabotaging the Natanz nuclear facility yesterday, and Tehran promises revenge. Online plotting results in the arrest of a Texas man alleged to have planned an attack on an Amazon Web Services center. Scraped, not hacked, data from LinkedIn and Clubhouse are being hawked online. Andrea Little Limbago from Interos addresses asymmetric power within cyberspace and how that plays out in warfare. Our guest is Giovanni Vigna from VMware on the takedown of the Emotet infrastructure. And the US moves to fill senior cybersecurity positions.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/69

Debra Danielson: Be fearless. [CTO] [Career Notes] Apr 11, 2021

Chief Technology Officer and Senior Vice President, Engineering for Digital Guardian Debra Danielson shares her career journey. From aspirations of becoming an astronaut studying mechanical and aerospace engineering, Finding her first job at a local software company that turned into a long term commitment after it was acquired by another firm. Debra mentions that when she was heads-down programming, there were many women in the field and when she emerged from the cube to take on management and leadership positions, the ratio of women had dropped dramatically. She noted at this time that it took a lot of energy to be different. Debra shared that each time she had challenges in her career, she learned from them. She offers advice of taking risks earlier in your career as you don't know what it could lead to. And, we thank Debra for sharing her story with us.

Strategic titles point to something more than a commodity campaign. [Research Saturday] Apr 10, 2021

Guests Gage Mele, Winston Marydasan, and Yury Polozov from Anomali join Dave to discuss their research into Static Kitten targeting government agencies in the UAE and Kuwait. Anomali Threat Research uncovered malicious activity very likely attributed to the Iran-nexus cyberespionage group, Static Kitten (Seedworm, MERCURY, Temp.Zagros, POWERSTATS, NTSTATS, MuddyWater), which is known to target numerous sectors primarily located in the Middle East This new campaign, which uses tactics, techniques, and procedures (TTPs) consistent with previous Static Kitten activity, uses ScreenConnect launch parameters designed to target any MOFA with mfa[.]gov as part of the custom field. Anomali's team found samples specifically masquerading as the Kuwaiti government and the UAE National Council respectively, based on references in the malicious samples.

The research can be found here:

Probable Iranian Cyber Actors, Static Kitten, Conducting Cyberespionage Campaign Targeting UAE and Kuwait Government Agencies

A new Lazarus backdoor. Malvertising for a bogus Clubhouse app. Cryptojacking the academy. When is a cartel not a cartel? Strategic competition between the US and China. Choking Twitter. Apr 09, 2021

Lazarus Group has a new backdoor. Bogus Clubhouse app advertised on Facebook. Cryptojacking goes to school. A ransomware cartel is forming, but so far apparently without much profit-sharing. The US Senate is preparing to make strategic competition with China the law of the land. Dinah Davis from Arctic Wolf looks at phony COVID sites. Our guest is Jaclyn Miller from NTT on the importance of mentoring the next generation. And Russia remains displeased with a lot of Twitter’s content.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/68

Cring ransomware hits manufacturing plants. Distance learning difficulties. Hafnium’s patient approach to vulnerable Exchange Servers. The Entity List grows. 5G security standards. Apr 08, 2021

Cring ransomware afflicts vulnerable Fortigate VPN servers. Distance learning in France stumbles due to sudden high demand, and possibly also because of cyberattacks. Hafnium’s attack on Microsoft Exchange Servers may have been long in preparation, and may have used data obtained in earlier breaches. Commerce Department adds seven Chinese organizations to its Entity List. 5G security standards in the US are said likely to emphasize zero trust. Atlantic Media discloses a breach of employee data. Caleb Barlow from CynergisTek with a clever way of thinking about ransomware preparedness. Our guest is Amit Kanfer from build.security on authorization, a problem he says remains mostly unsolved. And emissions testing stations in some US states remain down.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/67

A Chinese cyberespionage campaign is active against Vietnamese targets. The European Commission acknowledges cyberattacks are under investigation. Data scraping. Bogus apps. Molerats are dudes. Apr 07, 2021

Goblin Panda’s upped its game in recent attacks on Vietnamese government targets. The EU is investigating cyberattacks against a number of its organizations. Scraped LinkedIn data is being sold in a hackers’ forum. Facebook talks about the causes of its recent data incident. New Android malware poses as a Netflix app. Joe Carrigan shares comments from the new head of the NCSC. Our guest is Fang Yu from Datavisor with highlights from their Digital Fraud Trends Report. And the Molerats are using voice-changers to phish for IDF personnel.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/66

Watering holes, from Kiev to Canada. File transfer blues. What’s up in the criminal-to-criminal market. And an update on the old Facebook breach. Apr 06, 2021

A watering hole campaign compromised several Ukrainian sites (and one Canadian one). File transfer blues. A couple of looks into the criminal-to-criminal marketplace: establishing a brand and selling malicious document building tools. Ben Yelin has details on a privacy suit against Intel. Our guest is Steve Ginty from RiskIQ on the threat actors behind LogoKit. And notes on the big and apparently old Facebook breach, including why people care about it.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/65

An old Facebook database handed over to skids (and it’s a big database). APTs look for vulnerable FortiOS instances. Cryptojacking in GitHub infrastructure. Risk and water utilities. Apr 05, 2021

An old leaked database has been delivered into the hands of skids. (The news isn’t that the data are out there; it’s that the skids now have it. For free.) CISA and the FBI warn that APTs are scanning for vulnerable Fortinet instances. Cryptojackers pan for alt-coin in GitHub’s infrastructure. Holiday Bear may have looked for network defenders. Threats to water utilities. Johannes Ullrich explains why dynamic data exchange is back. Our guest is Mark Lance from GuidePoint Security tracking parallels between the SolarWinds attack and the RSA hack a decade ago. And a cyberattack snarls vehicle emission testing.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/64

Greg Bell: Answer the question of "why?" [Open Source] [Career Notes] Apr 04, 2021

Co-founder and Chief Strategy Officer for Corelight Greg Bell describes the twists and turns of his career bringing him back to his childhood joy of computers. Working in a myriad of fields from human rights to Hollywood to writing a history of conspiracy belief before pivoting back to technology. Focusing on the relationships within the open source community, Greg works to change and improve the world through his mission-based organization. For those looking to begin their career in cyber, Greg offers that great mentorship and working for great organizations where you can soak in the culture are really important. And, we thank Greg for sharing his story with us.

Ezuri: Regenerating a different kind of target. [Research Saturday] Apr 03, 2021

Guests Fernando Martinez and Tom Hegel from AT&T Alien Labs join Dave to discuss their team's research "Malware using new Ezuri memory loader." Multiple threat actors have recently started using a Go language (Golang) tool to act as a packer and avoid Antivirus detection. Additionally, the Ezuri memory loader tool acts as a malware loader and executes its payload in memory, without writing the file to disk. While this technique is known and commonly used by Windows malware, it is less popular in Linux environments.

The research can be found here:

Malware using new Ezuri memory loader

Goblin Panda sighting? The attempt on Ubiquiti. More universities feel the effects of the Accellion compromise. National Supply Chain Integrity Awareness Month. Down-market phishing. Apr 02, 2021

Goblin Panda might be out and about. Ubiquiti confirms that an extortion attempt was made, but says the attempted attack on data and source code was unsuccessful. The Accellion compromise claims more university victims. It’s National Supply Chain Integrity Awareness Month in the US. BOLO Mr. Korhsunov. Andrea Little Limbago from Interos on supply chain resilience in a time of tectonic geopolitical shifts. Our guest is Paul Nicholson from A10 Networks on their State of DDoS Weapons report. And some down-market phishing attempts.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/63

Holiday Bear’s tricks. Phishing for security experts. Industrial cyberespionage. Human error and failure to patch. EO on breach disclosure discussed. Malware found in game cheat codes. Apr 01, 2021

US Cyber Command and CISA plan to publish an analysis of the malware Holiday Bear used against SolarWinds. The DPRK is again phishing for security researchers. Exchange Server exploitation continues. Stone Panda goes after industrial data in Japan. Human error remains the principal source of cyber risk. A US Executive Order on cyber hygiene and breach disclosure nears the President’s desk. David Dufour from Webroot on the 3 types of hackers and where you’ve seen them recently. Rick Howard checks in with our guest Sharon Rosenman from Cyberbit on SOC Evolution. And gamers? Don’t cheat.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/62

Cyberespionage and influence operations. Reading the US State Department’s mail. Risk management and strategic complacency. Volumetric attacks. Keeping suspect hardware out. Mar 31, 2021

Charming Kitten is back, and interested in medical researchers’ credentials. Russian services appear to have been reading some US State Department emails (it’s thought their access was confined to unclassified systems). Risk management practices and questions about the risks of growing too blasé about “management.” Recognizing the approach of an intelligence officer. Volumetric attacks are up. Joe Carrigan examines a sophisticated Microsoft spoof. Our guest is Donna Grindle from Kardon on updates to the HITECH ACT. More concerns, in India and the US, about Chinese telecom hardware.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/61

US considers how to settle accounts with Holiday Bear. International norms in cyberspace. Ransomware continues to surge against vulnerable Exchange Servers, and other criminal trends. Mar 30, 2021

The US Administration continues to prepare its response to Holiday Bear’s romp through the SolarWinds supply chain. Congress is asking for details on what was compromised in the incident, and why the Department of Homeland Security failed to detect the intrusion. The UN offers some recommendations on norms of conduct in cyberspace. Ben Yelin on a New Jersey Supreme Court ruling that phone passcodes are not protected by 5th amendment. Our guest is Frank Kettenstock from FoxIT on the security of PDF files. Developments in ransomware, including Exchange Server exploitation, credible extortion, and attempts to enlist customers against victims.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/60

Cyberespionage in Germany. Australian network knocked off the air by a cyberattack. PHP shuts backdoor. Apple fixes a browser bug. FatFace pays up. Criminal charges: espionage and fraud. Mar 29, 2021

German politicians’ emails are under attack, and the GRU is the prime suspect. Australia’s Nine Network was knocked off the air by a cyberattack, and a nation-state operation is suspected. PHP takes steps to protect itself from an attempt to insert a backdoor in its source code. Apple fixes browser engine bugs. FatFace pays the ransom. Project Zero caught a Western counterterror operation. Betsy Carmelite from Booz Allen Hamilton on Zero Trust. Our guest is Tal Zamir of Hysolate on CISA's new ransomware guidelines. And a guilty plea for one, and almost five-hundred indictments for others.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/59

Teresa Shea: The challenge of adapting new technologies. [Intelligence] [Career Notes] Mar 28, 2021

Vice President of Raytheon's Cyber Offense, Defense Experts Teresa Shea speaks of her journey from math to adapting new technologies on the cutting edge, With a love of math, Teresa was offered a scholarship by the Society of Women Engineering and decided to pursue a degree in electrical engineering. Unsurprisingly, there were few other women in her program, Teresa interned with and then proceeded to work for the National Security Agency becoming their SIGINT director. Following her government career, Teresa worked to help bring new technologies to government through her work at Raytheon. We thank Teresa for sharing her story with us.

How are we doing in the industrial sector? [Research Saturday] Mar 27, 2021

Guest Sergio Caltagirone from Dragos joins us to take us through their 2020 ICS Cybersecurity Year in Review report. Dragos's annual ICS Year in Review provides an overview and analysis of ICS vulnerabilities, global threat activity targeting industrial environments, and industry trends and observations gathered from customer engagements worldwide. The goal of the report is to give asset owners and operators proactive, actionable information and defensive recommendations in order to prepare for and combat the world’s most significant industrial cybersecurity adversaries.

The report can be found here:

2020 ICS CYBERSECURITY YEAR IN REVIEW

Carding Mafia hacked by other criminals. Gangland extortion. Section 230 reform. Director NSA talks about cyber defense, especially foreign attacks staged domestically. Propaganda. Hacktivism. Mar 26, 2021

Criminal-on-criminal cyber crime. Ransomware hits European and North American businesses. Big Tech goes (virtually) to Capitol Hill to talk disinformation and Section 230. The head or NSA and US Cyber Command discusses election security and cyber defense with the Senate Armed Services Committee. Russia complains of a US assault on Russia’s “civilizational pillars.” Accenture’s Josh Ray shares his thoughts on securing the supply chain. Our guest is Sergio Caltagirone from Dragos on their 2020 ICS/OT Cybersecurity Year in Review. And there appears to be a minor resurgence of hacktivism.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/58

Mamba ransomware’s evolution. Facebook acts against Evil Eye. Huawei is invited into OIC-CERT. Slack Connect gets poor security and privacy reviews. An excursus on fleeceware. Mar 25, 2021

The FBI warns organizations that Mamba ransomware is out and about in a newly evolved form. Facebook takes down a Chinese cyberespionage operation targeting Uyghurs. Huawei joins the Organization of Islamic Cooperation. Slack thinks it might have made a security and privacy misstep. Caleb Barlow from CynergisTek on Healthcare Interoperability. Our guest is Roei Amit from Deep Instinct on their 2020 Cyber Threat Landscape Report. And a look at fleeceware.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/57

Trends in phishbait. Ransomware exploits vulnerable Exchange Servers. Purple Fox develops worm capabilities. Attacks on industrial production. Third-party risk. What’s on your mind, crooks? Mar 24, 2021

COVID-themed phishbait has shifted to vaccines. Notes on the ransomware exploiting vulnerable Exchange Servers. Purple Fox gets wormy. Sierra Wireless halts operations to remediate a ransomware incident. Notes on ICS vulnerabilities. More victims of third-party risk. Joe Carrigan looks at SMS security issues. Our guest is Ron Brash from Verve Industrial with takeaways from their 2020 ICS Vulnerabilities report. And what are the cybercriminals thinking?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/56

Bonus Recorded Future Podcast: Correlating the COVID-19 Opportunist Money Trail Mar 24, 2021

The CyberWire partners with Recorded Future's threat intelligence podcast and our Dave Bittner is the host. It's a weekly show that comes out each Monday afternoon. We thought you might want to check it out and are adding it to our feed today. We hope you like it and consider subscribing in your favorite podcast app.

The COVID-19 global pandemic has, predictably, attracted bad actors intent on using fear and uncertainty as a framework for a variety of actions, from run-of-the-mill money scams to targeting phishing, business email compromise, and even espionage.

Recorded Future’s Insikt Group has been following these money trails and correlating them with a spectrum of bad actors around the globe. They recently published their findings in a blog post titled, “Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic.”

On today’s episode we’ve got a pair of Insikt Group analysts joining us to share their expertise. Lindsay Kaye is Director of Operational Outcomes and Charity Wright is a Cyber Threat Intelligence Analyst.

Updates on the state of Microsoft Exchange Server vulnerability, patching, and exploitation. Third-party breaches affect Shell and AFCEA. TikTok’s privacy. A manga site goes down. Mar 23, 2021

Exchange Server patching is going well, they say, but they also say that patching isn’t enough. Crooks are continuing to look for unpatched instances, and even in the patched systems, you’ve got to check to make sure the bad actors have been found and ejected. AFCEA and Shell both disclose being affected by third-party breaches. Citizen Lab sees no particular problem with TikTok. Ben Yelin ponders possible US response to the Microsoft Exchange Server attacks. Our guest is Alex Gizis from Connectify using VPNs to thwart government internet restrictions in Myanmar. And a major manga fan site is down.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/55

Transportation as an espionage target. Expensive, elaborate cyber campaigns by unidentified threat actors. Infraud operators sentenced in Nevada. Mar 22, 2021

Indian authorities warn the country’s transportation sector that it may be a target for cyberespionage. Google’s Project Zero describes an elaborate and expensive campaign that exploited zero-day vulnerabilities. The SilverFish threat group is elaborate, well-resourced, and well-organized. Threat actors are quietly altering mailbox permissions. REvil is back. Some say “yes” to Moscow; others say “nyet.” Dinah Davis from Arctic Wolf on Security Metrics. Our guest is Graeme Bunton from the DNS Abuse Institute. And two Infraud operators are sentenced.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/54

Kevin Magee: Focus on the archer. (CSO) [Career Notes] Mar 21, 2021

Chief Security Officer of Microsoft Canada Kevin Magee shares his background as a historian and how it applies to his work in cybersecurity. Likening himself to a dashing Indiana Jones, Kevin talks about how he sees history unfolding and the most interesting things right now are happening in security. Spending time tinkering with things in the university's computer room under the stairs gave way to Kevin's love affair with technology. As Chief Security Officer, Kevin says he uses an analogy: "I think we focus on the arrows, not the the archer" meaning there's too much focus on the attacks rather than the ones mounting them. As a historian and witness to our current history, Kevin sees the changes all affecting cybersecurity. We thank Kevin for sharing his story with us.

BendyBear: difficult to detect and downloader of malicious payloads. [Research Saturday] Mar 20, 2021

Guest Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins us to discuss their research into BendyBear. Highly malleable, highly sophisticated and over 10,000 bytes of machine code. The code behavior and features strongly correlate with that of the WaterBear malware family, which has been active since as early as 2009. The malware is associated with the cyber espionage group BlackTech, which many in the broader threat research community have assessed to have ties to the Chinese government, and is believed to be responsible for recent attacks against several East Asian government organizations. Due to the similarities with WaterBear, and the polymorphic nature of the code, Unit 42 named this novel Chinese shellcode “BendyBear.” It stands in a class of its own in terms of being one of the most sophisticated, well-engineered and difficult-to-detect samples of shellcode employed by an Advanced Persistent Threat (APT).

The research can be found here:

BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech

Cyberespionage against Finland. Moscow’s displeasure. ICS security. Two indictments and why the PLA should stick to Buicks. Mar 19, 2021

Helsinki blames Beijing’s APT31 for cyberespionage against Finland’s parliament. Russia withdraws its ambassador to the US, calling him home for consultation, post the US IC’s report on election influence ops. Risk management for industrial control systems, and especially for an often overlooked part of the power grid. Johannes Ullrich from SANS on Evading Anti-Malware Sandboxes with New CPU Architectures. Our guest is Tony Cole from Attivo on dealing with adversaries already inside your network. A guilty plea in an odd extortion attempt, why China’s wary of Teslas, and the indictment of a hacktivist.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/53

Radiation disinformation. CISA warns that Trickbot is surging. FBI releases Internet Crime Report, Crytpers get commodified. And notes from the underworld. Mar 18, 2021

Disinformation about a radiation leak that wasn’t. Another warning about Trickbot. The FBI says cybercrime cost victims more than $4.2 billion last year. Investigation and remediation of the SolarWinds and Exchange Server compromises continue. Crypters become a commodity for malware developers. Robert M. Lee from Dragos on lessons from the recent Texas power outages. Our guest is Bob Shaker from Norton Lifelock looking at baddies targeting online gamers. And some people are looking for jobs in all the wrong places.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/52

US report on 2020 foreign election meddling is out, and Russian and Iran are prominently mentioned in dispatches. Recovering from the Hafnium and Holiday Bear campaigns. Mar 17, 2021

The US Intelligence Community has released its report on 2020 foreign election meddling. It found no successful hacking, but a lot of clever influence operations. Ukraine says it stopped a significant Russian cyberespionage campaign. Recovery from the SolarWinds and Exchange Server compromises continues. Joe Carrigan shares thoughts on the Verkada hack. Our guest is Oscar Pedroso from Thimble on getting kids hooked on technology. And no, that celebrity tweeter isn’t really going to send you $2000 for every $1000 you give back to the community.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/51

Cyberespionage prospects telecom companies: Operation Diànxùn. Working against exploitation of Exchange Server. And rerouting SMS messages (it cost only $16). Mar 16, 2021

McAfee describes Operation Diànxùn, a probable Chinese collection effort directed against telecoms and 5G technology. Organizations around the world continue to work to thwart exploitation of Exchange Server vulnerabilities. What’s a webshell, and what can it do? Ben Yelin looks at cell phone data gathered from the US Capitol riot. Our guest is Ross Rustici from ZeroFOX on the evolution of ransomware. And how much does it cost to redirect all your SMS messages to some goon? Said goon needs only sixteen bucks.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/50

Looking for leaks in the Microsoft Exchange Server exploitation. International cyber conflict. Sky Global executives indicted in the US. Scammer demands £1000 pounds to go on do-not-call list. Mar 15, 2021

Microsoft is looking for a possible leak behind the spread of Exchange Server exploits, and hackers piggyback on webshells placed by other threat actors. The US Government continues to mull how to respond to Holiday Bear and Hafnium. Britain’s PM calls for greater offensive cyber capabilities. India looks for ways of countering China in cyberspace. Sky Global executives indicted for alleged racketeering. Accenture’s Josh Ray takes on defending against nation states. Rick Howard aims the hash table at third party cloud security. And what does it cost to be on a do-not-call list? Nothing. Really.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/49

Dinah Davis: Building your network. [R&D] [Career Notes] Mar 14, 2021

Coming from her love of math, VP of R&D at Arctic Wolf Networks Dinah Davis shares how she arrived in the cybersecurity industry after finding her niche. Dinah recalls how at a time of indecision, a computer course at university and a job with the Canadian government helped to solidify her career direction. Dinah mentions how "security and cryptography specifically was this perfect mix of real world problem solving and mathematics and computer science all combined into one ball of happiness." Networking played a key role in Dinah's journey. She recommends that those interested in joining the field to go for what they believe in. And, we thank Dinah for sharing her story with us.

SolarWinds, SUNBURST, and supply chain security. [CyberWire-X] Mar 14, 2021

The SolarWinds Orion SUNBURST exploit forced organizations to determine whether and to what extent they’d been compromised. It’s not enough to eject the intruders and their malware from the networks. Affected organizations also need to know what systems and data had been breached, and for how long. The adversary behind SUNBURST is advanced, quietly breaching the perimeter and moving freely to access, steal, or destroy business-critical data, and to disrupt operations.

Joining us to share their expertise on the subject are Ryan Olson of Palo Alto Networks' Unit 42, Bill Yurek of Inspired Hacking Solutions, and we close out the show with Matt Cauthorn, from our sponsor ExtraHop, who joins CyberWire-X to discuss the challenges of detecting such advanced threats, and to share insights from behavioral analysis on what the new breed of threat actor is doing inside our networks.

Keeping data confidential with fully homomorphic encryption. [Research Saturday] Mar 13, 2021

Guest Dr. Rosario Cammarota from Intel Labs joins us to discuss confidential computing. Confidential computing provides a secure platform for multiple parties to combine, analyze and learn from sensitive data without exposing their data or machine learning algorithms to the other party. This technique goes by several names — multiparty computing, federated learning and privacy-preserving analytics, among them. Confidential computing can enable this type of collaboration while preserving privacy and regulatory compliance.

The research and supporting documents can be found here:

Ransomware enters vulnerable Exchange Servers through the backdoor. REvil is out and active. SolarWinds and control systems. Molson Coors responds to a cyber incident. Mar 12, 2021

Microsoft warns that ransomware operators are exploiting vulnerable Exchange Servers. Threat actors continue to look for unpatched instances of Exchange Server. Johannes Ullrich joins us with his thoughts on the incident. REvil ransomware hits a range of fresh targets. Concerns are raised about the effects of the SolarWinds compromise on embedded devices. Our guest is Sally Carson from Cisco making the case that good design can save cybersecurity. And an unspecified cyber incident shuts down Coors Molson.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/48

More Exchange Server exploitation, and security advice. Updates on the SolarWinds compromise, criminal TTPs, and the Verkada hack. And news not you, but your friends might be able to use. Mar 11, 2021

Norway’s parliament is hit with Exchange Server exploitation. CISA and the FBI issue more advice on how to clean up an Exchange Server compromise. CISA hints at more detailed attribution of the SolarWinds compromise “soon,” and US Cyber Command says military networks were successfully defended. Microsoft’s Kevin Magee of exporting cyber talent. Our guest is Hanan Hibshi from Carnegie Mellon University on their picoCTF online hacking competition. Notes on some evolving criminal techniques, an update on the security camera hacktivist incident, and some news you won’t need, but your friends might.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/47

Patching, with special attention to Hafnium and the rest. Responding to the SolarWinds incident. Hactivists don’t like cameras. Dragnet in the Low Countries. Mar 10, 2021

Patch Tuesday was a big one this month. Microsoft Exchange Server remains under active attack in the wild, with new threat actors hopping on the opportunity. Russia denies it had anything to do with the SolarWinds incident and says the kinds of US response that the word on the street tells them are under consideration would be nothing more than international crime. Hacktivists strike a blow against cameras and stuff. Joe Carrigan has thoughts on Google’s plans for third party cookies. Our guest is Kelvin Coleman from the National Cyber Security Alliance (NCSA) on how educators can better protect students’ privacy during distance learning sessions. And police in the low countries sweep up more than a hundred cybercrooks.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/46

Dealing with Hafnium’s work against Microsoft Exchange Server and Holiday Bear’s visit to the SolarWinds supply chain. A plea for OSINT, and some wins for the cyber cops. Mar 09, 2021

CISA urges everyone to take the Microsoft Exchange Server vulnerabilities seriously. The SolarWinds compromise is also going to prove difficult to mop up. The US is said to be preparing a response to Holiday Bear’s SolarWinds compromise (some of that response will be visible, but some will not). A plea for more OSINT. Ben Yelin from UMD CHHS ponders face scanning algorithms in the job application process. Our guest is Sam Crowther from Kasada, asking why are we still talking about bots? And dragnets haul in some cybercrooks.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/45

Exploitation of Exchange Server spreads rapidly across the globe. The US mulls its response to Russia over the SolarWinds compromise (and to China over Exchange Server hacks). Mar 08, 2021

Threat actors rush to exploit Exchange Server vulnerabilities before victims get around to patching--it’s like a worldwide fire sale. Rick Howard digs into third party platforms and cloud security. Robert M. Lee from Dragos shares insights on the recent Florida water plant event. The US mulls some form of retaliation against Russia for the SolarWinds supply chain campaign, and it will also need to consider how to respond to China’s operations against Exchange Server. (And another Chinese threat actor may have been exploiting SolarWinds late last year.)

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/44

Stephen Hamilton: Getting the mission to the next level. [Military] [Career Notes] Mar 07, 2021

Army Cyber Institute Technical Director and Chief of Staff Colonel Stephen Hamilton takes us on his computer science journey. Fascinated with computers since the second grade, Stephen chose West Point after high school to study computer science. Following graduation he moved into the signal branch as it most closely matched his interest in ham radio as no branch related directly to computing. He was pulled from the motor pool to help with another area's computing needs and then worked his way to teaching computer science at. West Point and US Cyber Command. Stephen recommends coding it first to help realize the nuances, and then code it again. We thank Stephen for sharing his story with us.

Diving deep into North Korea's APT37 tool kit. [Research Saturday] Mar 06, 2021

Guest Hossein Jazi of Malwarebytes joins us to take a deep dive into North Korea's APT37 (aka ScarCruft, Reaper and Group123) toolkit. On December 7 2020 the Malwarebytes Labs threat team identified a malicious document uploaded to Virus Total which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago.

The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad.

Based on the injected payload, the Malwarebytes team believes that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea.

The research can be found here:

Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

SUNSHUTTLE backdoor described. What the Exchange Server campaign was after. Misconfigured clouds. Airline IT service provided attacked. Criminal-on-criminal crime. Mar 05, 2021

A new second-stage backdoor has been found in a SolarWinds compromise victim. Those exploiting the now-patched Exchange Server zero days seem to have done so to establish a foothold in the targeted systems. India continues to investigate a Chinese cyber threat to its infrastructure. Misconfigured clouds leak mobile app data. A major airline IT provider sustains a cyber attack. Dinah David helps us prevent account takeover attacks. Our guest is Troy Hunt from NordVPN. And criminals hack other criminals.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/43

Happy Slam the Scam Day. Indian authorities continue to investigate grid incidents. CISA tells US Federal agencies to clean up Exchange bugs by noon tomorrow. Supply chain compromise. Mar 04, 2021

Indian authorities say October’s Mumbai blackout was “human error,” not cybersabotage. CISA directs US civilian agencies to clean up Microsoft Exchange on-premise vulnerabilities. More effects of the Accellion FTA supply chain compromise. Some trends in social engineering. Andrea Little Limbago brings us up to date on the RSA supply chain sandbox. Our guest is Brittany Allen from Sift on a new Telegram fraud ring. And happy National Slam the Scam Day.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/42

RedEcho under investigation (amid reassurances). Stopping Operation Exchange Marauder. Containing Ursnif. Cyber proliferation. And another round in the Crypto Wars. Mar 03, 2021

India continues to investigate the possibility of RedEcho cybersabotage of its power distribution system, but says any hack was stopped and contained. Microsoft issues an out-of-band patch against a Chinese-run “Operation Exchange Marauder.” The financial sector works to contain an Ursnif outbreak. CISA issues ICS security advisories. Myanmar and the difficulty of stopping cyber proliferation. Joe Carrigan looks at CNAME cloaking. Our guest is author Neil Daswani from Stanford University’s Advanced Security Certification Program, on his upcoming book Big Breaches - Cybersecurity Lessons for Everyone. And another round in the Crypto Wars seems ready to start.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/41

India investigates the possibility of cybersabotage. Walls are opaque to defenders, too. Recommendations for cyber nonproliferation. SolarWinds updates (with an SEC appearance). Mar 02, 2021

Indian authorities continue to investigate the possibility that Mumbai’s power grid was hacked last October. Apple’s walled garden’s security can inhibit detection of threats that manage to get inside. An Atlantic Council report recommends international action against access-as-a-service brokers to stall proliferation of cyber offensive tools. Ben Yelin has the story of legislators asking the military why they’re so interested in apps serving Muslims. Our guest is John Grange from OppsCompass with insights on the top cloud security mistakes organizations make. Updates on the SolarWinds incident (including an SEC probe into who knew what when).

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/40

“RedEcho’s”activity in India’s power grid is described. US report on Khashoggi murder declassified SolarWinds compromise inquiry updates. Ill-intentioned SEO. President’s Cup winner announced. Mar 01, 2021

Chinese cyber engagement with Indian critical infrastructure is reported: the objective isn’t benign from India’s point of view, but exactly what the objective is, specifically, remains a matter of speculation. The US Governemnt declassifies its report on the murder of Saudi journalist Jamal Khashoggi. The SolarWinds supply chain compromise remains under investigation, with an intern making a special appearance. Maligh search engine optimizations. Rick Howard shares hash table opinions on Google Cloud. Josh Ray from Accenture on Cybercrime and the Cloud. And congratulations to the winner’s of CISA’s President’s Cup.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/39

Aarti Borkar: Make your own choices. [Product} [Career Notes] Feb 28, 2021

Head of Product for IBM Security Aarti Borkar shares her journey which included going after her lifelong love of math rather than following in her parents' footsteps in the medical field. In following her passions, Aarti found herself studying computer engineering and computer science, and upon taking a pause from her studies, she found a niche working at IBM in a mix of databases and networking. In her current position, Aarti describes her favorite discussion topics very often involve being around the use of AI for converting security into predictive domains. Aarti reminds us that you should pause and see if you are on the right path. Staying on a path just because you started there can be a bad idea. And, we thank Aarti for sharing her story.

Shining a light on China's cyber underground. [Research Saturday] Feb 27, 2021

Guest Maurits Lucas from Intel471 joins us to discuss his team's research into cybercrime in China. Data from Intel 471 show that the Chinese cybercrime underground proliferates through use of common methods or platforms, but behaves differently in large part due to the caution that actors take with regard to their identity. While the average citizen must follow the heavy handed nature of the government’s surveillance of cyberspace, Chinese threat actors take special precautions to protect their forums, TTPs and themselves. This leads to the Chinese cybercrime underground being disorderly when compared to others, particularly Russia, which tend to be much more organized.

The research can be found here:

No pandas, just people: The current state of China’s cybercrime underground

Oxford lab studying the COVID-19 virus is hacked. Zoom impersonation campaign. Senators would’ve liked to have heard from Amazon about Solorigate. NSA likes zero trust. NIST IoT guidelines. Feb 26, 2021

Oxford biology lab hacked. A Zoom impersonation phishing campaign afflicts targets in the EU. Senators disappointed in Amazon’s decision not to appear at this week’s SolarWinds hearing. NSA advocates adopting zero trust principles. CISA issues alerts on industrial control systems. The US Department of Homeland Security describes increases to its cybersecurity grant programs. Dinah Davis examines how healthcare is being targeted by ransomware. Our guest is Michael Hamilton from CI Security on the Public Infrastructure Security Cyber Education System. And NIST’s draft IoT security standards are still open for comment.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/38

PLA spyware keeps Tibetans under surveillance. Cyber conflict between Ukraine and Russia, some conventionally criminal, other state-directed. US Executive Order addresses supply chain resilience. Feb 25, 2021

FriarFox is a bad browser extension, and it’s interested in Tibet. Ukraine accuses Russia of a software supply chain compromise (maybe Moscow hired Gamaredon to do the work). Egregor hoods who escaped recent Franco-Ukrainian sweeps are thought responsible for DDoS against Kiev security agencies over the weekend. A look at Babuk, a new ransomware-as-a-service entry. VMware servers are patched. Verizon’s Chris Novak looks at the 2021 threat landscape. Our guest is Andrew Hammond from the International Spy Museum. And a US Executive Order on supply chain security.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/37

Accellion FTA compromise spreads. Ocean Lotus is back. LazyScripter seems to represent a new threat group. Notes from the SolarWinds hearings. New ICS threat actors. Feb 24, 2021

As more organizations are affected by the Accellion FTA compromise, authorities issue some recommendations for risk mitigation. Ocean Lotus is back, and active against Vietnamese domestic targets. LazyScripter is phishing with COVID and air travel lures. SolarWinds hearings include threat information, exculpation, and calls for more liability protection. Turkey Dog is after bank accounts. Joe Carrigan ponders the ease with which new security flaws are discovered. Rick Howard speaks with our guest Michael Dick from C2A Security on Automotive Security. And some new ICS threat groups are identified.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/36

DDoS in hybrid war. Accellion compromise attributed. Initial access brokers. Agile C2 for botnets. US Senate’s SolarWinds hearing. US DHS cyber strategy. Shiny new phishbait. Feb 23, 2021

Ukrainian security services complain of DDoS from Russia. The Accellion compromise is attributed to an extortion gang. Digital Shadow tracks the rise of initial access brokers, new middlemen in the criminal-to-criminal market. A botmaster uses an agile C2 infrastructure to avoid takedowns. IT executives to appear at US Senate hearings on Solorigate. US DHS talks up its cyber strategies. Ben Yelin comments on the latest court ruling on device searches at the border. Rick Howard speaks with Ariel Assaraf from Coralogix on SOAR and SIEM. And don’t be deceived by bogus FedEx and DHL phishbait.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/35

Facebook takes down Myanmar military page. Chinese cyberespionage and cloned Equation Group tools. Supply chain compromises. Threat trends. Feb 22, 2021

Facebook takes down Myanmar junta’s main page. APT31 clones Equation Group tools. Silver Sparrow’s up to...something or other. Bogus Flash Player update serves fake news and malware. Effects of supply chain compromises spread. Clubhouse’s privacy issues. VC firm breached. CrowdStrike releases its annual threat report. We welcome Josh Ray from Accenture security to our show. Rick Howard examines Google’s cloud services. And a Maryland school concludes its annual cyber challenge.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/34

Billy Wilson: Translating language skills to technical skills. [HPC] [Career Notes] Feb 21, 2021

High Performance Computing Systems Administrator at Brigham Young University Billy Wilson tells his cybersecurity career story translating language skills to technical skills. According to Billy's employer, moving to a technical position at his alma mater occurred because Billy showed this potential and a thirst for learning. He is currently pursuing his master's degree from SANS Technology Institute for Information Security Engineering while working to secure BYU's data for their computationally-intensive research. Billy notes that not everyone has one overarching passion which gives him variety in his work. And, we thank Billy for sharing his story with us.

Attackers (ab)using Google Chrome. [Research Saturday] Feb 20, 2021

Guest Bojan Zdrnja of Infigo IS and a certified instructor at SANS Institute shares an incident he discovered where attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. The code that was acquired was only partially recovered, but enough to indicate powerful features that the attackers were (ab)using in Google Chrome. The basis for this attack were malicious extensions that the attacker dropped on the compromised system.

The research can be found here:

Abusing Google Chrome extension syncing for data exfiltration and C&C

Mopping up Solorigate. Tehran’s Lightning and Thunder in Amsterdam. The view from Talinn. Malware designed for Apple’s new chips. Lessons from the ice, and how hackers broke bad. Feb 19, 2021

Microsoft wraps up its internal investigation of Solorigate, which the US Government continues to grapple with, and which has had some effect in Norway. An apparent Iranian APT has been hosting its command-and-control in two Netherlands data centers. Estonia’s annual intelligence report describes Russian and Chinese ambitions in cyberspace. Threat actors are hard at work against Apple’s new processors. Kevin Magee on the Canadian National Cyber Threat Assessment for 2020. Our guest is Mark Testoni from SAP National Security Services on the Biden administration’s first 100 days. Plus, lessons from the ice, and how hackers became cybercriminals.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/33

The WatchDog Monero cryptojacking operation. “A criminal syndicate with a flag.” US Senator asks FBI, EPA for a report on water system cybersecurity. Cybercrooks placed on notice. Feb 18, 2021

Watch out for the WatchDog Monero cryptojacking operation. The US Justice Department describes North Korea as “a criminal syndicate with a flag.” CISA outlines the DPRK malware that figures in the AppleJeus toolkit. The Chair of the US Senate Intelligence Committee asks the FBI and EPA for a report on the Oldsmar water system cybersabotage incident. Egregor takes a hit from French and Ukrainian police. Dinah Davis has advice on getting buy-in from the board. Our guest is Bentsi Ben Atar from Sepio Systems on hardware attacks. And the Netherlands Police advise cybercriminals to just move on.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/32

US warns of DPRK threat to cryptocurrency holders, and indicts four on conspiracy charges. Centreon says Sandworm affected unsupported open-source tools. Big Hack skepticism. Patch notes. Feb 17, 2021

High Bitcoin valuation draws the attention of cybercriminals, and a number of those criminals work for Mr. Kim, of Pyongyang. Alleged criminals, we should say. Centreon offers an update of its investigation of the Sandworm incident ANSSI uncovered. Reports of the Big Hack are received with caution. Patches applied, pulled, and replaced. Joe Carrigan describes a legal dustup between Proofpoint and Facebook over lookalike domains. Our guest is Sinan Eren from Barracuda Networks on their state of cloud networking report. And Florida’s water system cybersabotage provides a good reminder to stay away from unsupported software.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/30

France’s ANSII warns of a longrunning Sandworm campaign. DPRK tried to steal COVID-19 vaccine data. Supermicro is exasperated. Static Kitten phishes in the UAE Feb 16, 2021

France finds Sandworm’s trail in a software supply chain. Microsoft is impressed by the amount of effort Russian intelligence services put into the SolarWinds campaign. Pyongyang is reported to have attempted to steal COVID-19 vaccine information. Supermicro reiterates objections to Bloomberg's report on alleged hardware supply chain compromises. Static Kitten is phishing in the UAE. Updates on the Florida water utility cybersabotage. Ben Yelin examines to what degree the FBI can access Signal app messages. Rick Howard gathers the hash table to discuss AWS. And a new executive director arrives at our state cybersecurity association.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/30

Hank Thomas and Mike Doniger, getting the specs on the cyber SPAC. [update] Feb 16, 2021

In this special edition, our extended conversation with Hank Thomas and Mike Doniger from their new company SCVX. Both experienced investors, their plan is to bring a new funding mechanism known as a SPAC to cyber security which, they say, is new to the space.

February 2021 Update: we revisit the topic with guest Hank Thomas to hear the latest on SPACs.

Hank Thomas and Mike Doniger, getting the specs on the cyber SPAC. [Special Edition Update] Feb 15, 2021

In this special edition, our extended conversation with Hank Thomas and Mike Doniger from their new company SCVX. Both experienced investors, their plan is to bring a new funding mechanism known as a SPAC to cyber security which, they say, is new to the space.

February 2021 Update: we revisit the topic with guest Hank Thomas to hear the latest on SPACs.

Dr. Jessica Barker: Cybersecurity has a huge people element to it. [Socio-technical] [Career Notes] Feb 14, 2021

Co-founder and socio-technical lead at Cygenta, Dr. Jessica Barker, shares her story from childhood career aspirations of becoming a farmer to her accidental pivot to working in cybersecurity. With a PhD in civic design, Jessica looked at the creation of social and civic places until she was approached by a cybersecurity consultancy interested in the human side of cybersecurity. She jumped in and the rest is history. Having experienced some negativity as a woman in cybersecurity, Jessica is a strong proponent of diversity in the field. She suggests that newcomers to the industry follow what interests them and jump in. And, we thank Jessica for sharing her story with us.

Using the human body as a wire-like communication channel. [Research Saturday] Feb 13, 2021

Guest Dr. Shreyas Sen, a Perdue University associate professor of electrical and computer engineering, joins us to discuss the following scenario:. Instead of inserting a card or scanning a smartphone to make a payment, what if you could simply touch the machine with your finger? A prototype developed by Purdue University engineers would essentially let your body act as the link between your card or smartphone and the reader or scanner, making it possible for you to transmit information just by touching a surface.

The research can be found here:

Alleged hardware backdoors, again. Selling game source code. ICS security, especially with respect to water utility cybersabotage. Don’t be the hacker’s valentine. Feb 12, 2021

Bloomberg revives its reporting on hardware backdoors on chipsets. Has someone bought the source code for the Witcher and Cyberpunk? CISA issues ICS alerts. The FBI and CISA offer advice about water system cybersabotage as state and local utilities seek to learn from the Oldsmar attack. Verizon’s Chris Novak ponders if you should get your Cybersecurity DIY, managed, or co-managed? Our guest is David Barzilai from Karamba Security on the growing importance of IoT security. And, looking for love on Valentine’s Day? Look carefully...and don’t give that intriguing online stranger money, We know, we know, they seem nice, but still...

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/29

Spyware in the Subcontinent. Notes on cyber fraud, cyber theft, and ransomware. The US gets a chief to lead response to Solorigate. Updates on the Florida water system cybersabotage. Feb 11, 2021

Spyware in the Subcontinent. Some crooks auction stolen game source code while others bilk food delivery services. Emotet survived its takedown. Ransomware developments. The US now has a point person for Solorigate investigation and response. Andrea Little Limbago from Interos on her participation in the National Security Institute at George Mason University. Our guest is Chris Cochran from Hacker Valley Studio with a preview of their Black Excellence in Cyber podcast.And there’s no attribution yet in the Oldsmar, Florida, water system cybersabotage, but it’s increasingly clear that the utility wasn’t a hard target.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/28

Paying for the bomb the 21st century way. Domestic Kitten’s international romp. Malware versus gamers. Patch Tuesday notes. An update on the Oldsmar water system cyber sabotage. Feb 10, 2021

What’s North Korea doing with all that money the Lazarus Group steals? Buying atom bombs, apparently. Iran’s Domestic Kitten is scratching at some international surveillance targets. Not everyone who says they’re a Bear really is one. Parking malware in Discord. Notes on Patch Tuesday. Joe Carrigan details a gift card scam that hit a little close to home. Our guest is Saket Modi, CEO of Safe Security with thoughts on quantifying risk. And the latest on the water system cyber sabotage down in Florida.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/27

Almost too much lye in the water, down Florida-way. BlackTech’s new malware strain. Huawei says it’s OK if the White House calls. Feb 09, 2021

Florida water treatment plant sustains cyberattack: the hack was successful, the sabotage wasn’t. A new malware strain is associated with Chinese intelligence services. Ben Yelin tracks a surveillance plane who’s funding has fallen. Our guest is Col. Stephen Hamilton from Army Cyber Institute at West Point. And Huawei’s CEO says, sure, he’d take a call from President Biden.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/26

A junta shuts down a nation’s data networks. Lessons from multi-domain ops against ISIS? SilentFade returns. Iran’s surveillance actors. Data breaches large and small. Company towns returning? Feb 08, 2021

Myanmar blocks data networks. Notes on offensive cyber operations, from present and former Five Eyes officials. SilentFade seems to be back, with more ad fraud. Iranian cyber operators up their surveillance game. Brazil’s big data breach remains under investigation. Company towns may make a return in Nevada. Rick Howard casts his gaze on the AWS cloud. We welcome Dinah Davis from Arctic Wolf as our newest industry partner. And why in the world are hackers interested in other people’s colonoscopies?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/25

Jason Clark: Challenge the way things are done. [Strategy] [Career Notes] Feb 07, 2021

Chief strategy officer and chief security officer for Netskope, Jason Clark, shares his journey as he challenges the status quo and works to expand diversity in cybersecurity. Jason started his career by breaking the mold and heading to the Air Force rather than his family legacy of Army service. Following his military service, he became a CISO for the New York Times at age 26 and kept building from there. Jason advises, "You should always be seeking out jobs you're actually not qualified for. I think that's how you grow. If you know you could do the job, and you've got half the skills, go for it." Jason aspires to a legacy of increasing diversity in the cybersecurity industry and founded a non-profit to do just that. And, we thank Jason for sharing his story with us.

In the clear: what it's like working as a woman in the cleared community. [Special Edition] Feb 07, 2021

This special edition podcast highlights three women, Priyanka, Ashley and Lauren, who chose to focus their careers in cybersecurity for the mission-based organization Northrop Grumman. Kathleen Smith from ClearedJobs.Net joins us as our panel moderator. The CyberWire's Jennifer Eiben hosts the event. We are excited to share this look into the world of women in cybersecurity.

"Follow the money" the cybersecurity way. [Research Saturday] Feb 06, 2021

Guest Joe Slowik joins us from Domain Tools to share their research "Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity" where they examined technical artifacts emerging around the 2020 conflict between Armenia and Azerbaijan in the Caucasus region.

Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a “follow the money” approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events —either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes.

Based on precedent, analysts can identify developments in adversary operations and technical capabilities by tracking identifiers related to major events and conflict zones. Identifying capabilities deployed to take advantage of such items can yield insights into fundamental attacker tradecraft and behaviors, and enable defense and response for incidents which may strike far closer to home at a later date.

The research can be found here:

Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity

Lazarus Group seems to have deployed an IE zero day. Electrobras discloses ransomware attack. TrickBot returns. Breaches at security companies. Russo-American get-to-know-you talks. Feb 05, 2021

Lazarus Group seems to have had an IE zero day. Brazilian power utility discloses a ransomware attack on business systems. TrickBot’s back. Automated attacks are going after web applications. Two security firms report breaches. Patching notes. A look at life in the cleared community. Caleb Barlow from CynergisTek with handling disinformation in our runbooks. And Washington and Moscow hold the usual frank discussions--the Americans, at least, talked about cybersecurity.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/24

Kubernetes clusters attacked. Home insecurity devices. Update on the supply chain incidents. Incomplete patches. Marque and reprisal? Ransomware notes. Class clowns and zoom-bombing. Feb 04, 2021

Hildegard malware is targeting Kubernetes clusters. Remote access flaws found in consumer security devices. A brief update on the spreading software supply chain incidents. Project Zero sees incomplete patches at the root of most successful zero-day attacks. Recruiting a privateer’s crew. The current mood among ransomware victims. We’ll search for the truth about 5G with Rob Lee and Rick Howard. And who’s behind zoom-bombing remote learning? A hint: the kids aren’t alright.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/23

China gets in on the SolarWinds act. More SolarWinds vulnerabilities disclosed and patched. Abuse of lawful intercept tech in South Sudan. BEC phishes for gift cards. Parasitic card skimmer found. Feb 03, 2021

It appears Chinese intelligence services have been exploiting a vulnerability in SolarWinds to steal data from a US Government payroll system. The presumed Russian intrusion into SolarWinds may have been going on for nine months or more. Three new SolarWinds vulnerabilities are disclosed and patched. Amnesty accuses South Sudan of abusing intercept tools. BEC compromise is involved in gift card scams. Joe Carrigan has thoughts on opt-in privacy policies. Our guest is Dale Ludwig from CHERRY on USB attacks and hardware security. And carders steal from other carders.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/22

Coups d’état and Internet disruption. Cyberespionage in the supply chain, again. SonicWall zero day exploited in the wild. Tracking criminal infrastructure-as-a-service. Data breach in Washington State. Feb 02, 2021

Myanmar’s junta jams the Internet. Operation NightScout looks like a highly targeted cyberespionage campaign delivered through a compromised supply chain. SonicWall zero day is being actively exploited in the wild. StrangeU and RandomU are filling a niche in the criminal-to-criminal market. Ben Yelin ponders whether the Solarwinds attack can be considered an act of war. Our guest Jamie Brown from Tenable on the National Cyber Director position and what it means for the Biden administration. Another data breach is associated with Accellion FTA. And it’s Groundhog Day, campers.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/21

Solorigate: targeting, collateral damage, or staging? The Cyberspace Solarium has some advice for US President Biden. URKI breach. British Mensa thinks over a data exposure. Feb 01, 2021

Untangling Solorigate, and distinguishing primary targets from collateral damage (or maybe side benefits, or maybe battlespace preparation). Congress asks NSA for background on an earlier supply chain incident. The Cyberspace Solarium Commission offers the new US Administration some transition advice. Rick Howard hears from the hash table on Microsoft Azure. Andrea Little Limbago from Interos on the intersection of COVID and cyber vulnerabilities. And the week gets off to a rough start for smart Britons.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/20

Kyla Guru: You are a key piece to our national security. [Education] [Career Notes] Jan 31, 2021

Founder and CEO of nonprofit Bits N' Bytes Cybersecurity Education and undergraduate student at Stanford University, Kyla Guru shares her journey from GenCyber Camp to becoming a cybersecurity thought leader. Seeing the need. for cybersecurity education in her own community spurred Kyla into action engaging our civilian population in understanding their role in the cybersecurity space. Kyla recommends putting yourself out there: taking courses, getting more knowledge, getting internships, meeting people and going to conferences. Kyla thinks her generation has an inquisitive mind and feels that is where advocacy and education come in with cybersecurity. She shares for any young person "thinking about maybe starting something in security, this is definitely the time to do so." And, we thank Kyla for sharing her story with us.

Security platforms vs best of breed point products: What should you deploy? [CyberWire-X] Jan 31, 2021

For 20 years, the cybersecurity practitioner’s goto move when confronted with a new risk or compliance requirement has been to install a technical tool somewhere in the security stack to cover it. Over time, the number of tools that the infosec team has to manage has slowly grown. With the advent of bring-your-own device to the workplace, CIOs choosing SaaS applications to do work that has been traditionally handled in the data center, and organizations rushing to deploy their services into hybrid cloud environments, the number of individual data islands where company material information is routinely stored and must be covered by the security stack has increased. The complexity of this situation is immense. Two strategies have emerged to address this problem. The first is to continue down the path of installing more technical tools in each data island to cover the risk and having the infosec team manually process the telemetry of all the security devices with bigger teams and helper-automation-tools like SOAR platforms and SIEM databases. The second strategy is to choose a security vendor's platform that performs most of the security tasks on all the data islands but now makes the organization reliant on a single point of failure.

Joining Rick Howard from the CyberWire's Hash Table's group of experts to consider the matter are Mike Higgins from Haven Health and Greg Notch from the National Hockey League, and later in the show, Rick speaks with Lior Div of Cybereason, who gives their point of view on this debate.

The Kimsuky group from North Korea expands spyware, malware and infrastructure. [Research Saturday] Jan 30, 2021

Guest Yonatan Striem-Amit joins us from Cybereason to share their Nocturnus Team research into Kimsuky. The Cybereason Nocturnus Team has been tracking various North Korean threat actors, among them the cyber espionage group known as Kimsuky, (aka: Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to be operating on behalf of the North Korean regime. The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe.

The research can be found here:

Back to the Future: Inside the Kimsuky KGH Spyware Suite

Lebanon Cedar’s wide-ranging cyberespionage campaign. Lazarus Group said to be behind the social engineering of vulnerability researchers. Solorigate spreads. Social media and the short squeeze. Jan 29, 2021

Lebanon Cedar is quietly back, and running a cyberespionage campaign through vulnerable servers. Social engineering of vulnerability researchers is now attributed to the Lazarus Group. That “SolarWinds” incident is a lot bigger than SolarWinds. Notes on social media and the short squeeze. Verizon’s Chris Novak looks at the changing landscape of ransomware payments. Our guest Professor Brian Gant from Maryville University examines cybersecurity threats of the new U.S. administration. And the GAO thinks the US State Department should use “data and evidence.”

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/19

Advice on Supernova and encouragement to patch Sudo. NetWalker taken down. Influencers tighten a big short squeeze. And charges are brought in a 2016 case of alleged US voter suppression. Jan 28, 2021

Updates from CISA on Supernova. US Cyber Command recommends patching Sudo quickly. US and Bulgarian authorities take down the NetWalker ransomware-as-a-service operation. Influencers drive a big short-squeeze in the stock market. Thomas Etheridge from CrowdStrike on Recovering from a ransomware event. Our guest Zack Schuler from Ninjio examines the security challenges of Work From Anywhere. And another influencer is charged with conspiracy to deprive people of their right to vote.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/18

Emotet takedown. Solorigate updates (and President Biden tells President Putin he’d like him to knock it off). Vulnerabilities and threats discovered and described. Jan 27, 2021

Europol leads an international, public-private, takedown of Emotet. Four security companies describe their brushes with the compromised SolarWinds Orion supply chain. Solorigate is one of the issues US President Biden raised in his first phone call with Russian President Putin. New vulnerabilities and threats described. Our guest Michael Hamilton of CI Security questions how realistic CISA's latest guidance on agency forensics may be. Joe Carrigan looks at bad guys taking advantage of Google Forms. And the Internet is back in business on the US East Coast.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/17

Pyongyang’s social engineering campaign to compromise vulnerability researchers. Anonymous is back? Workforce development. Cyber Force? Why not? Jan 26, 2021

Google reports North Korean social engineering of vulnerability researchers. Anonymous resurfaces, maybe, and tells Malaysia’s government it’s not happy with them. Notes on false credentialism and workforce development from the National Governors Association cyber summit. Kevin Magee from Microsoft Canada on the launch of the Rogers Cybersecurity Catalyst at Ryerson University to support Canadian Cybersecurity Startups. Our guest is James Stanger from CompTIA on their ultimate DDoS guide. And does America need a Cyber Force? Some think so.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/16

The FSB warns Russian businesses to up their security game--the Americans are coming. SonicWall’s investigation of a possible cyberattack. DIA and commercial data brokers. OPC issues. Robota. Jan 25, 2021

Russia’s FSB warns businesses to be on the lookout for American cyberattacks after the White House says it’s reserving its right to respond to the Solorigate cyberespionage campaign. SonicWall investigates an apparent compromise of its systems. Senator asks the US DNI for an explanation of DIA purchases of geolocation data from commercial vendors. OPC issues described. Andrea Little Limbago from Interos on the tech "naughty list" of restricted or sanctioned companies. Rick Howard previews his first principles analysis of Microsoft Azure. And a happy birthday to the word “robot,” now one-hundred years young.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/15

Ben Yelin: A detour could be a sliding door moment. [Policy] [Career Notes] Jan 24, 2021

Program Director for Public Policy and External Affairs at the University of Maryland's Center for Health and Homeland Security Ben Yelin shares his journey from political junkie to Fourth Amendment specialist. Several significant life defining political developments like the disputed 2000 election, 9/11, and the Iraqi war occurred during his formative years that shaped Ben's interest in public policy and his desire to pursue a degree in law. An opportunity to be a teaching assistant turned out to be one of those sliding door scenarios that led Ben to where he is now, a lawyer in the academic and consulting worlds specializing in cybersecurity and digital privacy issues. Through his work, Ben hopes to elevate the course of the debate on these very important issues. And, we thank Ben for sharing his story with us.

Trickbot may be down, but can we count it out? [Research Saturday] Jan 23, 2021

Guest Mark Arena from Intel471 joins us to discuss his team's research into Trickbot and its evolution from a banking trojan to a long-standing, most likely well-resourced operation that was taken down last year. Mark shares some insight into Trickbot's order of operations and what went on behind the scenes that his team working with Brian Krebs were able to discover.

Since the separate and independent actions taken against Trickbot, Intel471 has observed successful disruption of its command and control infrastructure. However, the actors linked to Trickbot have not ceased their criminal activities. These actors have continued engaging in ransomware activity, using BazarLoader instead of Trickbot. Intel471 is unable to assess the long-term impact of the Trickbot disruption activity or whether Trickbot will continue to be used by cybercrime groups. This analysis covers the period from Sept. 22, 2020 until Nov. 6, 2020.

The research can be found here:

Trickbot down, but is it out?

Implications of Solorigate’s circumspection. RBNZ cleans data sources. Gamarue in student laptops. Dodgy apps. Ransom DDoS surges. Securing the President’s Peloton. Jan 22, 2021

Twice, it’s maybe an indicator. Once, it’s nuthin’ at all...to the machines. The Reserve Bank of New Zealand works to clean up its data sources. Wormy student laptops. Daily Food Diary is a glutton for your data. Ransom DDoS. Caleb Barlow examines how we handle disinformation in our runbooks and response plans. Our guest Ron Gula from Gula Tech Adventures shares his thoughts on proper public cyber response to the SolarWinds attack. And should we worry about that White House Peloton?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/14

Solorigate’s stealthy, careful operators. LuckyBoy malvertising. BEC as reconnaissance? Remote work and leaky sites. And good riddance to the Joker’s Stash. Jan 21, 2021

Microsoft researchers detail the lengths to which the Solorigate threat actor went to stay undetected and establish persistence. LuckyBoy malvertising is described. Business email compromise as a reconnaissance technique? More reminders about the risks that accompany remote work. Ben Yelin looks at cyber policy issues facing the Biden administration. Rick Howard speaks with Frank Duff from Mitre on their ATT&CK Evaluation Program. And good riddance to the Joker’s Stash (we hope).

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/13

More on that Solorigate threat actor, especially its non-SolarWinds activity. Chimera’s new target list. Executive Order on reducing IaaS exploitation. The case of the stolen laptop. Jan 20, 2021

Another security company discloses a brush with the threat actor behind Solorigate. Advice on hardening Microsoft 365 against that same threat actor. Chimera turns out to be interested in airlines as well as semiconductor manufacturing intellectual property. Former President Trump’s last Executive Order addresses foreign exploitation of Infrastructure-as-a-Service products. Joe Carrigan looks at a hardware key vulnerability. Our guest is Chris Eng from Veracode with insights from their State of Software Security report. And investigation of that laptop stolen from the Capitol continues.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/12

EMA emails altered before release in apparent disinformation effort. Vishing rising. Another backdoor found in SolarWinds supply chain campaign. An arrest and a stolen laptop. Jan 19, 2021

The European Medicines Agency says stolen emails about vaccine development were altered before being dumped online. Another backdoor is found associated with the SolarWinds supply chain campaign. DNS cache poisoning vulnerabilities are described. FBI renews warnings about vishing. Iran’s “Enemies of the People” disinformation campaign. Vishing is up. Rick Howard previews his hashtable discussion on Solarigate. Verizon’s Chris Novak looks at cyber espionage. And the FBI makes an arrest in connection with a laptop taken during the Capitol Hill riot.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/11

Encore: You will pay for that one way or another. [Caveat] Jan 18, 2021

Dave's got the story of a landlord who may run afoul of the Computer Fraud and Abuse Act, Ben wonders if the big tech CEOs could be held liable for contact tracking apps, and later in the show my conversation with Joseph Cox. He is a Senior Staff Writer at Motherboard and will be discussing his recent article How Big Companies Spy on Your Emails.

While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.

Links to stories:

Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.

Ann Johnson: Trying to make the world safer. [Business Development] [Career Notes] Jan 17, 2021

Microsoft's Corporate Vice President of Cybersecurity Business Development Ann Johnson brings us on her career journey from aspiring lawyer to cybersecurity executive. After pivoting from studying law, Ann started working with computers and found she had a deep technical aptitude for technology and started earning certifications landing in cybersecurity because she found an interest in PKI. At Microsoft, Ann says she solves some of the hardest problems every day. She recommends getting a mentor and finding your area of expertise. She leaves us with three dimensions she hopes to be her legacy: 1. diversity in more than just gender, 2. bringing a human aspect to the industry, and 3. being empathetic to the user experience. We thank Ann for sharing her story with us.

Manufacturing sector is increasingly a target for adversaries. [Research Saturday] Jan 16, 2021

Guest Selena Larson, senior cyber threat analyst at Dragos, Inc., joins us to discuss their research into recent observations of ICS-targeting threats to manufacturing organizations.

Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME in addition to various ransomware activities capable of disrupting operations.

Manufacturing relies on ICS to scale, function, and ensure consistent quality control and product safety. It provides crucial materials, products, and medicine and is classified as critical infrastructure. Due to the interconnected nature of facilities and operations, an attack on a manufacturing entity can have ripple effects across the supply chain that relies on timely and precise production to support product fulfillment, health and safety, and national security objectives.

Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial related processes and cause disruptive – and potentially destructive – impacts. Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have direct and indirect impact to operations. This report provides a snapshot of the threat landscape as of October 2020 and is expected to change in the future as adversaries and their behaviors evolve.

The research can be found here:

ICS Threat Activity on the Rise in Manufacturing Sector

Charming Kitten’s smishing and phishing. Solorigate updates. Supply chain attacks and the convergence of espionage and crime. Greed-bait. Ring patches bug. Best practices from NSA, CISA. Jan 15, 2021

Well-constructed phishing and smishing are reported out of Tehran. Estimates of SolarWinds compromise insurance payouts. Notes from industry on the convergence of criminal and espionage TTPs. Social engineering hooks baited with greed. Ring patches a bug that could have exposed users’ geolocation (and their reports of crime). Advice on cyber best practices from CISA and NSA. Robert M. Lee has thoughts for the incoming Biden administration. Our guest is Sir David Omand, former Director of GCHQ, on his book, How Spies Think: Ten Lessons in Intelligence. And an ethics officer is accused of cyberstalking.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/10

SideWinder and South Asian cyberespionage. Project Zero and motivation to patch. CISA’s advice for cloud security. Classiscam in the criminal-to-criminal market. SolarLeaks misdirection? Jan 14, 2021

There are other things going on besides Solorigate and deplatforming. There’s news about the SideWinder threat actor and its interest in South Asian cyberespionage targets. Google’s Project Zero describes a complex and expensive criminal effort. CISA discusses threats to cloud users, and offers some security recommendations. A scam-as-a-service affiliate network spreads from Russia to Europe and North America. Awais Rashid looks at shadow security. Our own Rick Howard speaks with Christopher Ahlberg from Recorded Future on Cyber Threat Intelligence. And SolarLeaks looks more like misdirection, Guccifer 2.0-style.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/9

Looking for that threat actor “likely based in Russia.” SolarLeaks and a probably bogus offer of stolen files. Notes on Patch Tuesday. Jan 13, 2021

Speculation grows that the Solarigate threat actors were also behind the Mimecast compromise. SolarLeaks says it has the goods taken from FireEye and SolarWinds, but caveat emptor. Notes on Patch Tuesday. Joe Carrigan has thoughts on a WhatsApp ultimatum. Our guest is Andrew Cheung of 01 Communique with an update on quantum computing. And farewell to an infosec good guy.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/8

Cyberespionage campaign hits Colombia. New malware found in the SolarWinds incident. Mimecast certificates compromised. Ubiquiti tells users to reset passwords. Two wins for the good guys. Jan 12, 2021

A cyberespionage campaign, so far not attributed to any threat actor, continues to prospect government and industry targets in Colombia. A new bit of malware is found in the SolarWinds backdoor compromise. Mimecast certificates are compromised in another apparent software supply chain incident. Ubiquiti tells users to reset their passwords. A brief Capitol Hill riot update. Bidefender releases a free DarkSide ransomware decryptor. Ben Yelin revisits racial bias in facial recognition software. Our guest is Jessi Marcoff from Privitar on trend toward Chief People Officers. And Europol announces the takedown of the DarkMarket.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/7

More (ambiguous) evidence for attribution of Solorigate. CISA expands incident response advice. Inspiration, investigation, and deplatforming: notes from the Capitol Hill riot. Jan 11, 2021

Similarities are found between Sunburst backdoor code and malware used by Turla. CISA expands advice on dealing with Solorigate. Courts revert to paper...and USB drives. More members of the US Congress report devices stolen during last week’s riot. Online inspiration for violence seems distributed, not centralized. Caleb Barlow examines protocols for handling inbound intel. Rick Howard looks at Solorigate through the lens of first principles. And platforms as publishers?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/6

Tom Gorup: Fail fast and fail forward. [Operations] [Career Notes] Jan 10, 2021

Vice President of Security and Support Operations of Alert Logic Tom Gorup shares how his career path led him from tactics learned in Army infantry using machine guns and claymores to cybersecurity replacing the artillery with antivirus and firewalls. Tom built a security automation solution called the Grunt (in recollection of his role in the Army) that automated firewall blocks. He credits his experience in battle-planning for his expertise in applying strategic thinking to work in cybersecurity, noting that communication is key in both scenarios. Tom advises that those looking into a new career shouldn't shy away from failure as failure is just another opportunity to learn. We thank Tom for sharing his story with us.

Emotet reemerges and becomes one of most prolific threat groups out there. [Research Saturday] Jan 09, 2021

Deep Instinct's Shimon Oren joins us to talk about his team's research on "Why Emotet's latest wave is harder to catch than ever before - Part 2." Emotet appears to have reemerged more evasive than before, this time with a payload delivered from a loader that security tools aren’t equipped to handle.

Emotet, the largest malware botnet today, started in 2014 and continues to be one of the most challenging threats in today’s landscape. This botnet causes huge damage by spreading ransomware and info stealers to its infected systems. Recently, a rise in the number of Emotet infections was observed in France, Japan, and New Zealand. The high number of infections shows the effectiveness of the Emotet malware at staying undetected.

Shimon joins us to discuss how Deep Instinct investigated the payload that was encrypted inside the loader, analyzes the next steps in the infection process, and discovers the techniques used to make this malware difficult to analyze.

The original blog post and updated post on the research can be found here:

The Solorigate cyberespionage campaign and sensitive corporate data. The cybersecurity implications of physical access during the Capitol Hill riot. Ransomware’s successful business model. Jan 08, 2021

Solorigate and its effect on sensitive corporate information. The DC riots show the cybersecurity consequences of brute physical access to systems. A North Korean APT resurfaces with the RokRat Trojan. Ransomware remains very lucrative, and why? Because people continue to pay up. Thomas Etheridge from CrowdStrike on The Role of Outside Counsel in the IR Process.Our guest is Larry Lunetta from Aruba HPE on how enterprises can bolster security in the era of hybrid work environments. And a criminal hacker gets twelve years in US Federal prison.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/8

CISA updates its alerts and directives concerning Solorigate as the investigation expands. Rioting, social media, and cybersecurity. Jan 07, 2021

CISA updates its guidance on Solorigate, and issues an alert that the threat actor may have used attack vectors other than the much-discussed SolarWinds backdoor. Some reports suggest that a widely used development tool produced by a Czech firm may have been compromised. The cyberespionage campaign is now known to have extended to the Department of Justice and the US Federal Courts. Robert M. Lee shares lessons learned from a recent power grid incident in Mumbai. Our guest is Yassir Abousselham from Splunk on how attackers find new ways to exploit emerging technologies. Cyber implications of the Capitol Hill riot.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/4

Who worked through SolarWinds? An APT “likely Russian in origin,” says the US. Rattling backdoors, rifling cryptowallets, and asking victims if they’re ensured. No bail for Mr. Assange. Jan 06, 2021

The US Cyber Unified Coordination Group says the Solorigate APT is “likely Russian in origin.” Threat actors are scanning for systems potentially vulnerable to exploitation through a Zyxel backdoor. ElectroRAT targets crypto wallets. Babuk Locker is called the first new ransomware strain of 2021. The New York Stock Exchange re-reconsiders delisting three Chinese telcos. Joe Carrigan from Johns Hopkins joins us with the latest clever exploits from Ben Gurion University. Our guest is Jens Bothe from OTRS Group the importance of the US establishing standardized data privacy regulations. And Julain Assange is denied bail.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/3

It’s not Kates and Vals over Ford Island, but it’s not just a tourist under diplomatic cover taking pictures of Battleship Row, either. Another APT side hustle? To delist or not to delist. Jan 05, 2021

More assessments of the Solorigate affair, with an excursus on Pearl Harbor. Shareholders open a class action suit against SolarWinds, but no signs of an enforcement action for speculated insider trading. Emissary Panda seems to be working an APT side hustle. Kevin Magee has insights from the Microsoft Digital Defense Report. Our guest is Jason Passwaters from Intel 471 with a look at the growing range of ransomware as a service offerings. And to-ing and fro-ing on Chinese telecoms at the New York Stock Exchange.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/2

Threat actors were able to see Microsoft source code repositories. Zyxel closes a backdoor. Kawasaki discloses data exposure. Slack’s troubles. Julian Assange escapes extradition to the US. Jan 04, 2021

Updates on the spreading consequences of Solorigate, including Microsoft’s disclosure that threat actors gained access to source code repositories. A hard-coded backdoor is found in Zyxel firewalls and VPNs. Kawasaki Heavy Industries says parties unknown accessed sensitive corporate information. Slack has been having troubles today. Andrea Little Limbago from Interos on democracies aligning against global techno-dictators. Our guest is Drew Daniels from Druva with a look at the true value of data. And a British court declines to extradite WikiLeaks’ Julian Assange to the United States.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/10/1

Ellen Sundra: Actions speak louder than words. [Engineering] [Career Notes] Jan 03, 2021

Vice President of Global Systems Engineering Ellen Sundra shares her career path from life as a college grad who found her niche by creating a training program to a leader in cybersecurity. She realized that training and educating people was her passion. Ellen sees her value in providing soft skills as a natural balance to her technical team at Forescout Technologies. Being a woman in a male-dominated world proved to be a challenge and gaining her confidence to share her unique point of view helped her excel in it. Ellen recommends keeping your eyes open for how your skill set fits into cybersecurity. Find your perspective and really embrace it! We thank Ellen for sharing her story with us.

Encore: Unpacking the Malvertising Ecosystem. [Research Saturday] Jan 02, 2021

Researchers at Cisco's Talos Unit recently published research exploring the tactics, technics and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious online ads, along with tips for protecting yourself and your organization.

The research can be found here:

https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html

Andy Greenberg on the Sandworm Indictments. Jan 01, 2021

This interview from November 6th, 2020 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with Andy Greenberg on the Sandworm Indictments.

Encore: Selena Larson: The Green Goldfish and cyber threat intelligence. [Analyst] (Career Notes] Dec 27, 2020

Cyber threat intelligence analyst Selena Larson takes us on her career journey from being a journalist to making the switch to industrial security. As a child who wrote a book about a green goldfish who dealt with bullying, Selena always liked investigating and researching things. Specializing in cybersecurity journalism led to the realization of how closely aligned or similar skills are required from an investigative journalist and a cyber threat intelligence analyst. Our thanks to Selena for sharing her story with us.

Encore: Seedworm digs Middle East intelligence. [Research Saturday] Dec 26, 2020

Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms.

Al Cooley is director of product management at Symantec, and he joins us to share their findings.

The original research can be found here:

https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group

Encore: Separating fools from money. [Hacking Humans] Dec 25, 2020

Dave shares a story of airport penetration testing with high degree of yuck-factor. Joe explores research on protecting passwords from social engineering. The catch-of-the-day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's Security Staff Writer Lily Hay Newman on her article tracking Nigerian email scammers.

Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.

Encore: Technology that allows cops to track your phone. [Caveat] Dec 24, 2020

Dave has an update on Baltimore’s spyplane, Ben describes concerns over violations by the FBI, CIA, NSA of FISA court rules, and later in the show our conversation with Kim Zetter on her recent article in The Intercept, titled “How Cops Can Secretly Track Your Phone.” It’s all about stingrays and dirtboxes, so stick around for that.

While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.

Links to stories:

Elizabeth Goitein on Twitter

In appeals court, Baltimore surveillance plane suit gets a mixed reaction

Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.

Thanks to our sponsor, KnowBe4.

Cozy Bear: quiet and patient. Counting the costs of cyberespionage. Iranian influence campaign sought to inspire post-US-election violence. Dec 23, 2020

Cozy Bear lived up to its reputation for quiet patience. Counting the cost of the SVR cyberespionage campaign. What do intelligence services do with all the data they collect? An Iranian influence campaign sought to foment US post-election violence. Joe Carrigan looks at social engineering aimed at domain registrars. Our guest is John Worrall from ZeroNorth on the importance of security champions. And a last look ahead at 2021.

Bear tracks all over the US Government’s networks. Pandas and Kittens and Bears, oh my... Emotet’s back. Spyware litigation. A few predictions. Dec 22, 2020

The US continues to count the cost of the SVR’s successful cyberespionage campaign. Attribution, and why it’s the TTPs and not the org chart that matters. Emotet makes an unhappy holiday return. It seems unlikely that NSA and US Cyber Command will be separated in the immediate future. Big Tech objects, in court, to NSO Group and its Pegasus spyware (or lawful intercept product, depending on whether you’re in the plaintiff’s or the respondent’s corner). Ben Yelin looks at hyper realistic masks designed to thwart facial recognition software. Our guest Neal Dennis from Cyware wonders if there really isn't a cybersecurity skills gap. And a quick look at some more predictions.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/245

Sunburst looks worse: bad Bears in US networks, and that’s not just right at all. “Evil mobile emulator farm.” Report: Pegasus used against journalists. Dec 21, 2020

Cozy Bear’s big sweep through US networks gets bigger, longer, more carefully prepared, and worse in every way. IBM uncovers a big, conventionally criminal “evil mobile emulator farm,” and that’s no good, either. Citizen Lab finds more to complain about with respect to alleged abuse of NSO Group’s Pegasus tools. Awais Rashid from Bristol University on taking a risk-based approach to security. Rick Howard speaks with Cyral CEO Manav Mital on infrastructure as code. And tech executives are worried about Pandas and Bears and Kittens, oh my.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/244

Robert Lee: Keeping the lights on. [ICS] [Word Notes] Dec 20, 2020

CEO and co-founder of Dragos Robert Lee talks about how he came to cybersecurity through industrial control systems. Growing up with parents in the Air Force, Robert's father tried to steer him away from military service. Still Rob chose to attend the Air Force Academy where he had greater exposure to computers through ICS. Robert finds his interest lies in things that impact the physical world around us. In his work, Dragos focuses on identifying what people are doing bad and helping people understand how to defend against that. Rob describes the possibility of making a jump to control system security from another area recommending you bring something to the table. Rob talks about the world he would like to leave to his son and his hopes for the future. We thank Rob for sharing his story with us.

Advertising Software Development Kit (SDK): serving up more than just in-app ads and logging sensitive data. [Research Saturday] Dec 19, 2020

On August 24, 2020, Snyk announced the discovery of suspicious behaviors in the iOS version of a popular advertising SDK known as Mintegral. At that time, they had confirmed with partners in the advertising attribution space that at minimum, Mintegral appeared to be using this functionality to gather large amounts of data and commit ad attribution fraud. Their research showed that Mintegral was using code obfuscation and method swizzling to modify the functionality of base iOS SDK methods without the application owner’s knowledge. Further, their research proved that Mintegral was logging all HTTP requests including its headers which could even contain authorization tokens or other sensitive data.

Since that time Mintegral announced that they were opening the source of their SDK to the market. While the SDK can only be downloaded by registered partners, a major game publisher shared the source code with Snyk for further analysis. They also continued their research by digging deeper into the Android versions of the SDK in which they hadn’t found similar behaviors at the time of the initial disclosure.

This has resulted in some significant discoveries that necessitate an update to the previous disclosure. Additionally, Mintegral and the community at large have responded to the situation, and Snyk felt a summary of the events was a good way to finalize their research into this SDK.

Joining us on Research Saturday to discuss their research is Snyk's Alyssa Miller.

The original blog and Snyk's update can be found here:

Cozy Bear has been very successful at being very bad. Advice on dealing with the supply chain compromise. Joker’s Stash has its problems. And a few thoughts on the near future. Dec 18, 2020

Cozy Bear’s software supply chain compromise and its massive cyberespionage effort against the US Government and the associated private sector, is still being untangled. But it’s very extensive, very bad, and very tough to remediate. Both CISA and NSA have advice about the incident, and we check in with Robert M. Lee from Dragos for his thoughts. John Pescatore from SANS advocates renewing our focus on information security. Iran may be running a ransomware campaign for influence purposes. The Joker’s Stash criminal souk appears to have taken a hit. And don’t let your guard down during the holidays.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/243

The SVR’s exploitation of the SolarWinds software supply chain proves a very damaging cyberespionage campaign. HPE zero-day. Report on China’s influence ops delayed. Dec 17, 2020

The SolarWinds supply chain compromise may not have been an act of war, but it was certainly a very damaging espionage effort. The FBI, CISA, and ODNI are leading a whole-of-government response to the incident. Three companies have collaborated on a killswitch for the Sunburst backdoor’s initial command and control. HPE discloses a zero day in its SIM software. ODNI will delay its report on Chinese election influence ops. Thomas Etheridge from CrowdStrike on their Services Front Lines report. Our guest is Derek Manky from Fortinet with 2021 threat insights. And, of course, some predictions.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/242

SolarWinds breach updates. Microsoft sinkholes Sunburst's C&C domain. Facebook takes down inauthentic networks. Dec 16, 2020

SolarWinds breach reportedly affected parts of the Pentagon. Microsoft and partners seize and sinkhole command-and-control domain used by Sunburst malware. The threat actor behind the breach used a novel technique to bypass multi factor authentication at a think tank. Facebook takes down competing inauthentic networks focused on Africa. Joe Carrigan has insights on Amnesia 33. Our guest, Greg Edwards from CryptoStopper, shares his experience getting back online after a Derecho. And the execution of the FCC’s rip-and-replace plan will likely fall to the next US administration.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/241

SolarWinds compromise scope grows clearer. DPRK’s Earth Kitsune. Google’s authentication issue. A look at the near future of cybersecurity. Dec 15, 2020

SolarWinds’ 8-K suggests the possible scope of the Sunburst incident. CISA leads the US Federal post-attack mopping up as more agencies are known to have been affected. How FireEye found the SolarWinds backdoor. GCHQ is looking for possible signs of Sunburst in the UK. Operation Earth Kitsune is attributed to North Korea. Google explains yesterday’s outage. Ben Yelin looks at retail privacy issues. Our guest is Jasson Casey from Beyond Identity on going passwordless. And if you have trouble getting things done while working from home, maybe blame it on the dogs.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/240

A few predictions, but today’s news is dominated by Cozy Bear’s supply chain attack on Solar Winds’ Orion Platform. Dec 14, 2020

FireEye traces its breach to a compromised SolarWinds update to its Orion Platform. CISA issues an Emergency Directive to get control of an attack that is known to have affected at least two Federal Departments. Rick Howard shares lessons from season three of CSO Perspectives. Betsy Carmelite from Booz Allen continues her analysis of their 2021 Cyber Threat Trends Report. And while reports attribute the supply chain attack to Russia’s SVR, Moscow says Cozy Bear didn’t do nuthin’.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/239

Can public/private partnerships prevent a Cyber Pearl Harbor? [CyberWire-X] Dec 14, 2020

For many years, public and private sector cybersecurity experts have warned of a large-scale, massively impactful cyber attack on critical infrastructure (CI). Whether you call it a cyber doomsday, a cyber extinction, or as former Defense Secretary Leon Panetta termed it, a “Cyber Pearl Harbor,” the message is clear: it's not a matter of if, it's a matter of when, and it's not just critical infrastructure that's vulnerable. More recently, experts have started to raise the alarm around not just CI, but other systems as well, notably position, navigation and timing (PNT) services. PNT includes things like GPS devices -- extensions of IT systems which are widely used by both private and public sector organizations, and particularly vulnerable to attack thanks to their open source origins and lack of native security controls. While there is no magic bullet to solve the cybersecurity challenge, there's growing consensus that an effective strategy is going to require large-scale cooperation and coordination between the public and private sectors. While the government is uniquely equipped to source and promulgate guidelines and standards like the Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series, private sector partners have the expertise to implement these standards across industries. The private sector is also a major driver of innovation in security, making use of sophisticated analytics, AI, and other tools to improve not only native security controls but also hygiene, threat detection, and response. In this episode of Cyberwire-X, guests will discuss the benefits of public/private partnership for cybersecurity, the roles of each, and how the threat of a "Cyber Pearl Harbor" informs the priorities of both.

Joining us today are Keith Mularski from EY, Rob Lee from Dragos, and Egon Rinderer from Tanium.

Andrea Little Limbago: Look at the intersection of the of humans and technology. [Social Science] [Career Notes] Dec 13, 2020

Computational Social Scientist Andrea Little Limbago shares her journey as a social scientist in cybersecurity. Andrea laments that she wishes she'd known there is no straight line between what you think you want to do and then where you end up going. Beginning her career in international relations and courted by the Department of Defense's Joint Warfare Analysis Center while teaching at New York University, Andrea began her work in cybersecurity. Her team was one of the first to start thinking about the intersection of cybersecurity and geopolitics and quantitative modeling. Andrea reminds us there are many paths and skills needed in cybersecurity and hopes she opened some doors for others. We thank Andrea for sharing her story with us.

Following DOJ indictment, a look back on NotPetya and Olympic Destroyer research. [Research Saturday] Dec 12, 2020

From US Department of Justice: "On Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.

These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.

Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics. The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name."

Returning to Research Saturday this week to discuss their research of NotPetya and Olympic Destroyer are Cisco Talos' Craig Williams and Matt Olney.

The indictment and Cisco's research can be found here:

OceanLotus tracked. Threats to K-12 distance education. Adrozek is credential-harvesting adware. MountLocker gains criminal affiliates. FCC acts against Chinese companies. CISA internships. Dec 11, 2020

Tracking OceanLotus. US advisory warns of cyberthreats active against schools trying to deliver distance learning. Adrozek joins credential harvesting and adware. MountLocker’s criminal affiliate program. The FCC takes action against Chinese companies deemed security risks. Predictions, and holiday advice. Johannes Ullrich from the SANS technology institute wonders what’s in your clipboard? Our guest is Nina Jankowicz from Wilson Center on her new book - How to Lose the Information War - Russia, Fake News, and the Future of Conflict. And internship opportunities at CISA.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/238

Facebook faces anti-trust suit. COVID-19 vaccine cyberespionage. Emissary Panda spotting. SQL databases for sale. Notes on the FireEye breach, the end of Flash, and the Mirai botnet. Dec 10, 2020

Facebook faces a US antitrust suit. Cyberespionage hits the European Medicines Agency, apparently looking for COVID-19 vaccine information. Emissary Panda is out and about. A simple ransomware campaign goes for success through volume. Stolen SQL databases are offered for sale back to their owners. React to the FireEye breach, but don’t over-react. We welcome Kevin McGee from Microsoft Canada to the show. Our guest is Liviu Arsene from Bitdefender with insights Business Threat Landscape report for 2020. Flash nears its end-of-life. Predictions for 2020, and another guilty plea in the Mirai case.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/237

Bear prints in Oslo and Silicon Valley. Deepfakes may be finally coming... maybe... CISA issues ICS alerts, some having to do with AMNESIA:30. A quick trip through Patch Tuesday. Dec 09, 2020

Norway calls out the GRU for espionage against the Storting. The SVR (probably) hacks FireEye. Huawei tested recognition software designed to spot Uighurs. 2021 predictions from Avast hold that next year might be the year deepfakes come into their own. CISA issues a long list of industrial control system alerts. Joe Carrigan looks at the iOS zero-click radio proximity vulnerability. Our guest is Matt Drake, director of cyber intelligence at SAIC on what the recents elections can tell us about threat intelligence. And yesterday was Patch Tuesday--do you know where your vulnerabilities are?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/236

IoT supply chain vulnerabilities described. Spyware in the hands of drug cartels. National security and telecom equipment. US NDAA includes many cyber provisions. Fraud as a side hustle. Dec 08, 2020

AMNESIA:33 vulnerabilities infest the IoT supply chain. Lawful intercept spyware allegedly finds its way from Mexican police into the hands of drug cartels. Finland’s parliament approves exclusion of telecom equipment on security grounds. The US National Defense Authorization Act’s cyber provisions. Online fraud seems to have become a side hustle. Ben Yelin responds to Supreme Court arguments in a Computer Fraud and Abuse Act case. Our guest is Darren Mar-Elia from Semperis on group policy security. And Moscow police are looking for the crooks who hacked secure delivery lockers.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/235

NSA warns that Russia is actively exploiting patched VMware vulnerabilities. CISA alert also a warning to Iran. DeathStalker update. Market pressures in the Darknet. Greetings from Pyongyang. Dec 07, 2020

NSA warns that Russian state-sponsored actors are actively exploiting patched VMware vulnerabilities in the wild. A CISA alert puts Iran on notice. DeathStalker hired guns are now active in North America. Darknet contraband markets are experiencing the sort of pressure and consolidation legitimate markets undergo. Rick Howard checks in with the hash table on CSO and CISO roles. My continued conversation with Betsy Carmelite from Booz Allen on their 2021 Cyber Threat Trends Report. And a weird shift in North Korean propaganda...is Pyongyang having a Hallmark moment?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/234

Ron Brash: Problem fixer in critical infrastructure. [OT] [Career Notes] Dec 06, 2020

Director of Cyber Security Insights at Verve Industrial aka self-proclaimed industrial cybersecurity geek Ron Brash shares his journey through the industrial cybersecurity space. From taking his parents 286s and 386s to task to working for the "OG of industrial cybersecurity," Ron has pushed limits. Starting off in technical testing, racing through university at 2x speed, and taking a detour through neuroscience with machine learning, Ron decided to return to critical infrastructure working with devices that keep the lights on and the water flowing. Ron hopes his work makes an impact and his life is memorable for those he cares about. We thank Ron for sharing his story with us.

SSL-based threats remain prevalent and are becoming increasingly sophisticated. [Research Saturday] Dec 05, 2020

While SSL/TLS encryption is the industry standard for protecting data in transit from prying eyes, encryption has, itself, become a threat. It is often leveraged by attackers to sneak malware past security tools that do not fully inspect encrypted traffic. As the percentage of traffic that is encrypted continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels.

To better understand the use of encryption and the volume of encrypted traffic that is inspected, Zscaler's research team, ThreatLabZ, analyzed encrypted traffic across the Zscaler cloud for the first nine months of 2020, assessing its use within specific industries. The study also set out to analyze the types of attacks that use encryption and the extent of the current risk.

Returning to Research Saturday this week to discuss the report is Zscaler's CISO and VP of Security Research, Deepen Desai.

The research can be found here:

2020: The State of Encrypted Attacks Blog
2020: The State of Encrypted Attacks Report

2021 may look a lot like 2020 in cyberspace, only moreso. Cold chain cyberespionage. Cybercriminals are also interested in COVID-19 vaccines. And beware of online dog fraud. Dec 04, 2020

Predictions for 2021 focus on ransomware: it’ll be better, more aggressive, bigger, and a greater problem in every way. Cyberespionage and the cold chain. Cybercriminal interest in COVID-19 vaccines extends to both theft and fraud. Johannes Ullrich on the .well-known Directory. Our guest is Michael Magrath from OneSpan on what the financial sector needs to consider now that we’re post-election season. And what’s one effect of the pandemic? Dog fraud. Ask the Better Business Bureau.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/233

Cyberespionage and influence operations against prospective members of the incoming US Administration. Cold chain attacks. TrickBoot. Vasya, what do you do for a living? Dec 03, 2020

Chinese intelligence services are prospecting think tanks and prospective members of the next US Administration. Spearphishing the vaccine cold chain. Expect vaccine-themed phishing. After a temporary, pre-US election suppression, TrickBot’s back. Holiday shopping season is bot-season. Consumers are thought likely to get upset about smart device privacy in 2021. Awais Rashid from Bristol University on privacy at scale. Our guest is JP Perez-Etchegoyen from Onapsis on the risk associated with interconnected cloud and SaaS apps. And suppose you’re a cybercriminal...we know, but suppose. What do you tell your sweetie you do for a living?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/232

The Shadow Academy schools anglophone universities. Turla’s Crutch. Cryptojacking as misdirection. Cyberespionage against think tanks. DPRK tries to steal COVID-19 treatment data. Dec 02, 2020

The Shadow Academy prospects universities in a domain shadowing campaign. Notes on Turla’s Crutch, an information-stealing backdoor. Bismuth was using crytpojacking as misdirection. CISA and the FBI warn think tanks that cyberspies are after them. North Korean cyberespionage is interested in COVID-19 treatments. Our guest is Carey O’Connor Kolaja from AU10TIX on combating fraud in the financial services and payment industry. David Dufour from Webroot has 2021 predictions. And a member of the Apophis Group gets eight years in prison.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/231

Cryptojacking cyberspies sighted. Crooks mix banking Trojans and ransomware. Conti ransomware hits industrial IoT company. SCOTUS reviews CFAA. And predictions. Dec 01, 2020

Cryptojacking from Hanoi. Dormant networks rise again, for no easily discernible reason (but it doesn’t look good). A gang is hitting German victims with the Gootkit banking Trojan, and sometimes mixing it up with a REvil ransomware payload. Conti ransomware hits IoT chipmaker. SCOTUS reviews the Computer Fraud and Abuse Act. A few predictions for 2021. Ben Yelin on Congress passing an IoT security bill. Our guest is Stephen Harvey from BitSight, who’s tracking the correlation between companies with strong cybersecurity and financial success. And it may be back to school tomorrow in Baltimore County.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/230

Phishing for COVID-19 vaccine data. Bandook is back, and mercenaries have it. School’s out for ransomware. Skepticism about foreign election manipulation. The forever sales. Nov 30, 2020

North Korean operators phish a major pharma company. The Bandook backdoor is back, and probably being distributed by mercenaries. A school district cancels classes after a ransomware attack. Man U continues to work on recovering its systems. Former CISA Director says there are no signs of foreign manipulation of US elections. Rick Howard wonders what exactly all those CISOs do. Betsy Carmelite from Booz Allen with insights from their 2021 Cyber Threat Trends Report. And Cyber shopping and the forever sales.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/229

Camille Stewart: Technology becomes more of an equalizer. [Legal] [Career Notes] Nov 29, 2020

Cybersecurity attorney Camille Stewart shares how her childhood affinity for making contracts pointed to her eventual career as an attorney. Having a computer scientist father contributed to Camille's technical acumen and desire to include technology in her life's work. Camille has worked various facets of cybersecurity law from the private sector, federal government, on the Hill and in the Executive Branch, and now as part of Big Tech as Head of Security Policy and Election Integrity for Google Play and Android where she creates policy geared towards making sure users are safe on their platform and equipped to make informed decisions.. We thank Camille for sharing her story with us.

Encore: Using global events as lures for malicious activity. Nov 28, 2020

The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them.

This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events.

Joining us on this week's Research Saturday from Craig Williams from Cisco's Talos Outreach team to walk us through how current events are used as lures.

The research and blog post can be found here:

Adversarial use of current events as lures

Influence the gullible, and maybe others will follow. Event site sustains a data breach. Contact tracing and privacy protection. Ransomware, again. Social media used to intimidate witnesses. Nov 25, 2020

Observers see a shift in Russia’s influence tactics, but prank calls are (probably) not among those tactics. An event site suffers a data breach, and warns customers to be alert for spoofing. COVID-19 contact tracing continues to arouse privacy concerns. Joe Carrigan has tips for safe online shopping during the holidays. Our guest is Dmitry Volkov from Group-IB with insights from their latest Hi-Tech Crime Trends report. Ransomware hits another US school district, and social media are being used to intimidate cooperating witnesses.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/228

Mustang Panda needs to repent. Not the FBI. Dodgy consumer routers and smart doorbells. Prospective Presidential appointees and cyber. Crime and investigation. Nov 24, 2020

Mustang Panda goes to church, but not in a good way. Hoods are trying to spoof the FBI with Bureau-themed domains. Dodgy routers and suspect smart doorbells. A quick look at the incoming US Administration, from a cybersecurity point of view. Someone’s allegedly swapping iPads for concealed carry permits--say it ain’t so, Santa Clara County. DHS investigates Windows help desk scammers. Ben Yelin on a Massachusetts ballot initiative involving connected cars. Our guest is Larry Roshfeld from AffirmLogic on the pros and cons of a Treasury Dept advisory that could put companies who facilitate ransomware payments in legal jeopardy.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/227

Ups and downs in the cyber underworld. Enduring effects of COVID-19 in cyberspace. Safer online shopping. “Take me home, United Road, to the place I belong, to Old Trafford, to see United…” Nov 23, 2020

Qbot is dropping Egregor ransomware, and RagnarLocker continues its recent rampage. Cryptocurrency platforms troubled by social engineering at a third party. TrickBot reaches version 100. Stuffed credentials exposed in the cloud. COVID-19 practices may endure beyond the pandemic. Advice for safer online shopping over the course of the week. Malek Ben Salem from Accenture Labs has methods for preserving privacy when using machine learning. Rick Howard digs deeper into SOAR. And someone’s hacking a Premier League side.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/226

James Hadley: Spend time on what interests you. [CEO] [Career Notes] Nov 22, 2020

Founder and CEO of Immersive Labs James Hadley takes us through his career path from university to cybersecurity startup. James tells us about his first computer and how he liked to push it to its limits and then some. He joined GCHQ after college and consulted across government departments. Teaching in GCHQ's cyber summer school was where James felt a shift in his career. As a company founder, he shares that he is very driven, very fast and also very caring. James offers advice to those looking to get into the industry recommending they chase what interests them rather than certifications. We thank James for sharing his story with us.

Misconfigured identity and access management (IAM) is much more widespread. [Research Saturday] Nov 21, 2020

Identity and access are intrinsically connected when providing security to cloud platforms. But security is only effective when environments are properly configured and maintained. In the 2H 2020 edition of the biannual Unit 42 Cloud Threat Report, researchers conducted Red Team exercises, scanned public cloud data and pulled proprietary Palo Alto Networks data to explore the threat landscape of identity and access management (IAM) and identify where organizations can improve their IAM configurations.

During a Red Team exercise, Unit 42 researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer’s entire Amazon Web Services (AWS) cloud environment – a potentially multi-million dollar data breach in the real-world. These examples highlight just how serious the failure to secure IAM can be for an organization.

Joining us in this week's Research Saturday to discuss the report for Palo Alto Networks' Unit 42 is CSO of Public Cloud, Matt Chiodi.

The research can be found here:

Highlights from the Unit 42 Cloud Threat Report, 2H 2020

Prime Minister Johnson tells Parliament about the National Cyber Force. Vietnam squeezes Facebook. Chinese cyberespionage. SEO poisoning. Printing ransom notes. CISA leadership. Nov 20, 2020

Her Majesty’s Government discloses the existence of a National Cyber Force. Hanoi tells Facebook to crack down on posts critical of Vietnam’s government. Chinese cyberespionage campaign targets Japanese companies. Egregor ransomware prints its extortion notes in hard copy. SEO poisoning with bad reviews. Mike Benjamin from Lumen on credential stuffing and password spraying. Our guest is Mark Forman from SAIC with a look at government agencies' COVID-19 response. And CISA may have a permanent director inbound.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/225

Haunted virtual meetings. AWS APIs share vulnerabilities. US Intelligence Community conducts a post mortem on 2020 foreign election interference. Meet the future (a lot like the present, only moreso). Nov 19, 2020

Ghosts in the virtual machines. Cloudbursts in the forecast. The US Intelligence Community is preparing a report on foreign election interference. CISA has a new interim director. A view of the threat landscape from Canada. Caleb Barlow from Cynergistek on reclassifying the internet as critical infrastructure. Our guests are Shai Cohen and Brooke Snelling from TransUnion on building trust in a digital consumer landscape. And a look into the near future.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/224

Dream a FunnyDream of me. US CISA Director dismissed. Facebook, Twitter CEOs virtually visit the US Senate. Huawei CFO extradition update. Bad passwords. Nov 18, 2020

FunnyDream? No, it’s real: a cyberespionage crew operating against Southeast Asian governments. President Trump fires US CISA Director Krebs. Twitter and Facebook CEOs testify before the Senate as legislators consider Section 230. The extradition hearing for Huawei’s CFO continues in Vancouver. Joe Carrigan looks at fleeceware on the Google Play store. Rick Howard speaks with Tenable’s Steve Vintz on communication between C-Suites and security teams. And the most common passwords in 2020 are now out, and “password” only comes in at Number 4. We’re not sure that really represents progress, because wait ‘til you hear Number 1.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/223

Hidden Cobra’s new tricks. Notes from the criminal underground. Draft EU data transfer regulations. And the coming ape-man disinformation. Nov 17, 2020

Hidden Cobra inserts Lazarus malware into security management chains. Malsmoke malvertizing doesn’t need exploit kits, anymore. Ransomware operators shift toward social engineering as the ransomware-as-a-service criminal market flourishes. Draft EU data transfer regulations implement the Schrems II decision. Robert M. Lee from Dragos shares a little love for the lesser-known areas of ICS security. Our guest is Greg Smith from CAMI with insights on promoting cyber capabilities at the state level. And the next thing in disinformation? No surprises here: it’s COVID-19 vaccines.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/222

Cyberespionage and international norms of conduct in cyberspace. DarkSide establishes storage options for its affiliates. TroubleGrabber in Discord. Unapplied patches. Nov 16, 2020

Nation-states continue to probe COVID-19 vaccine researchers. The Global Commission on the Stability of Cyberspace proposes international norms for promoting stability in cyberspace. DarkSide ransomware-as-a-service operators sweeten their offer with storage options. TroubleGrabber is stealing credentials via Discord. SAD DNS code pulled from GitHub. Betsy Carmelite from Booz Allen with a forward-looking view of 5G. Rick Howard takes a look at SOAR. Many patches remain unapplied, and CMMS wants US Defense contractors to move toward positive security.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/221

Malek Ben Salem: Taking those challenges. [R&D] [Career Notes] Nov 15, 2020

Americas Security R&D Lead for Accenture Malek Ben Salem shares how she pivoted from her love of math and background in electrical engineering to a career in cybersecurity R&D. Malek talks about her interest in astrophysics as a young girl, and how her affinity for math and taking on challenges lead her to a degree in electrical engineering. She grew her career using math for data mining and forecasting eventually pursuing a masters and PhD in computer science where she shifted her focus to cybersecurity. Malek now develops and applies new AI techniques to solve security problems at Accenture. We thank Malek for sharing her story with us.

That first CVE was a fun find, for sure. [Research Saturday] Nov 14, 2020

In the late 90s, hackers who discovered vulnerabilities would sometimes send an email to Bugtraq with details. Bugtraq was a notification system used by people with an interest in network security. It was also a place that might have been monitored by employees of software companies looking for reports of vulnerabilities pertaining to their software. The problem was - there wasn't an easy way to track specific vulnerabilities in specific products.

It was May 1999. Larry Cashdollar was working as a system administrator for Bath Iron Works under contract by Computer Sciences Corporation. Specifically, he was a UNIX Systems Administrator, level one. His team managed over 3,000 UNIX systems across BIW's campuses. Most of these were CAD systems used for designing AEGIS class destroyers. This position gave me access to over 3,000 various flavors of UNIX ranging from Sun Solaris to IBM AIX.

Joining us in this week's Research Saturday to discuss his journey from finding that first CVE through the next 20 years and hundreds of CVEs is Akamai Senior Response Engineer Larry Cashdollar.

The research can be found here:

MUSIC TO HACK TO: MY FIRST CVE AND 20 YEARS OF VULNERABILITY RESEARCH

CISA offers its assessment (high) of US election security. An alleged GRU front media group is fingered. Notes on cybercrime, and one cheap proof-of-concept. Nov 13, 2020

CISA says US elections were secure, that recounts are to be expected in tight races. (But election-themed malspam continues, of course.) A news platform is flagged as a GRU front. A new ransomware strain takes payment through an Iranian Bitcoin exchange. The Jupyter information-stealer is out and active. David Dufour on detecting deepfakes and misinformation. Dr. Jessica Barker on her new book Confident Cyber Security - How to Get Started in Cyber Security and Futureproof Your Career. And PlunderVolt is a $30 proof-of-concept.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/220

An overview of threat actors, two proofs of concept, and an IoT botnet bothers the cloud. Patch Tuesday notes. And control yourself, sir. Nov 12, 2020

BlackBerry tracks a mercenary group providing cyberespionage services. A rundown from Dragos on threat actors engaging with industrial targets. An Iot botnet is active in the cloud. A research team offers a new proof-of-concept for DNS cache poisoning, and another group of researchers demonstrates a novel power side-channel attack. Patch Tuesday notes. Joe Carrigan wonders if you’re likely to get your money’s worth when paying baddies. Our guest is Michael Daniel from the CTA on the merging fields of cybersecurity and information operations. And a pro-tip: you do know that they can usually see you on Zoom, right?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/219

remote access Trojan or RAT (noun) [Word Notes] Nov 11, 2020

As we are not publishing in observance of Veterans Day, we thought you might like to check out a couple of episodes of our weekly Word Notes short form podcast that comes out on Tuesdays. Check it out and subscribe today!

From the intrusion kill chain model, a program that provides command and control services for an attack campaign. While the first ever deployed RAT is unknown, one early example is Back Orifice made famous by the notorious hacktivist group called “The Cult of the Dead Cow,” or cDc, Back Orifice was written by the hacker, Sir Dystic AKA Josh Bookbinder and released to the public at DEFCON in 1998.

shadow IT (noun) [Word Notes] Nov 11, 2020

As we are not publishing in observance of Veterans Day, we thought you might like to check out a couple of episodes of our weekly Word Notes short form podcast that comes out on Tuesdays. Check it out and subscribe today!

Technology, software and hardware deployed without explicit organizational approval. In the early days of the computer era from the 1980s through the 2000s security and information system practitioners considered shadow IT as completely negative. Those unauthorized systems were nothing more than a hindrance that created more technical debt in organizations that were already swimming in it with the known and authorized systems.

A look at what’s up in some of the criminal markets. The continued resilience of TrickBot. What you can buy for $155,000. Nov 10, 2020

Criminals get the news like everyone else, and online crime continues to follow current events. It’s up, it’s down, it’s up again--forget it: it’s TrickBot. A cyber incident affects computer maker Compal. Zoom settles an FTC complaint. Price check in the criminal markets. Ben Yelin on a Canadian shopping mall's collection of over 5 million shopper's images. Our guest is Ben Brook from Transcend with best practices in privacy and data protections.And spare a thought for a veteran tomorrow.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/218

Supply chain security. New cyberespionage from OceanLotus. Data breaches expose customer information. And GCHQ has had quite enough of this vaccine nonsense, thank you very much. Nov 09, 2020

Alerts and guidelines on securing the software supply chain (and the hardware supply chain, too). OceanLotus is back with its watering holes. Two significant breaches are disclosed. Malek Ben Salem from Accenture Labs explains privacy attacks on machine learning. Rick Howard brings the Hash Table in on containers. And, hey, we hear there’s weird stuff out there about vaccines, but GCHQ is on the case.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/217

Richard Clarke: From presidential inspiration to cybersecurity policy pioneer. [Policy] [Career Notes] Nov 08, 2020

CEO and consultant Richard Clarke took his inspiration from President John F Kennedy and turned it into the first cybersecurity position in federal government. Determined to help change the mindset of war, Richard went to work for the Department of Defense at the Pentagon following college during the Vietnam War. From Assistant Secretary of the State Department, he moved to the White House to work for President George W. Bush's administration where he kept an eye on Al-Qaeda and was tasked to take on cybersecurity. Lacking any books or courses to give him a basic understanding of cybersecurity, Richard made it his mission to raise the level of cybersecurity knowledge. Currently as Chairman and CEO at Good Harbor Security Risk Management, Richard advises CISOs. We thank Richard for sharing his story with us.

PoetRAT: a complete lack of operational security. [Research Saturday] Nov 07, 2020

Cisco Talos discovered PoetRAT earlier this year. Since then, they observed multiple new campaigns indicating a change in the actor's capabilities and showing their maturity toward better operational security. They assess with medium confidence this actor continues to use spear-phishing attacks to lure a user to download a malicious document from temporary hosting providers. They currently believe the malware comes from malicious URLs included in the email, resulting in the user clicking and downloading a malicious document. These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sites on a particular victim. As the geopolitical tensions grow in Azerbaijan with neighboring countries, this is no doubt a stage of espionage with national security implications being deployed by a malicious actor with a specific interest in various Azerbajiani government departments.

Joining us in this week's Research Saturday to discuss the research from Cisco's Talos Outreach is Craig Williams.

The research can be found here:

PoetRAT: Malware targeting public and private sector in Azerbaijan evolves

IRGC domains taken down. A look at 2021’s threatscape. Russia says its didn’t do anything (others see Bears.) Forfeiture of Silk Road’s hitherto unaccounted for billion-plus dollars. Nov 06, 2020

The US Justice Department takes down twenty-seven domains being used by Iran’s Islamic Revolutionary Guard Corps. Booz Allen offers its take on the 2021 threatscape. Russia declares itself innocent of bad behavior in cyberspace, but many remain skeptical. Johannes Ullrich from SANS looks at Supply Chain Risks and Managed Service Providers. Our own Rick Howard speaks with Wired’s Andy Greenberg about the recent Sandworm indictments. Silk Road’s mission billion dollars appear to have been found, and the US Government is working on a forfeiture action.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/216

CISA’s happy but still wary. Election-themed criminal malspam. New ransomware goes after VMs. Why it makes no sense to trust extortionists. Nov 05, 2020

CISA declares a modest but satisfying victory for election security, but cautions that it’s not over yet. Criminal gangs are using election-themed phishbait in malspam campaigns. A new strain of ransomware attacks virtual machines. Robert M. Lee from Dragos on the impact climate change could have on ICS security. Our guest is Kelly White of RiskRecon on healthcare organizations managing risk across extensive third party relationships. And if you wondered if the criminals who offered to securely destroy the data they stole if the victims paid the ransom, well, signs point to “no.”

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/215

US elections: CISA calls security success, but reminds all that it’s not over yet. Notes from the cyber underground. Two more indictments in cyberstalking case. Nov 04, 2020

Election security, hunting forward, rumor control, and the value of preparation. Maze may be gone (so its proprietors say) but its affiliate market has moved on to Egregor ransomware-as-a-service. An illicit forum has leaked large repositories of personal information online. Joe Carrigan shares thoughts on hospital systems getting hit by ransomware. Our guest is Alan Radford from One Identity who wonders whether robots should have identities. And two more ex-eBayers are indicted in the Massachusetts cyberstalking case.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/214

Election security updates from CISA. Maze says it’s out of business (and never really existed). Edward Snowden wants dual Russian-US citizenship. A botmaster goes up river. Nov 03, 2020

Notes on Election Day security, from CISA. The Maze gang finally releases its press release announcing that it’s going out of business. Mr. Snowden applies for dual Russian-American citizenship. Ben Yelin shares his thoughts on Mark Zuckerberg’s recent Senate testimony. Our guest is Karlo Zanki from Reversing Labs on Hidden Cobra. And a botmaster gets eight years after copping a US Federal guilty plea to conspiracy.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/213

Another look at North Korean cyberespionage. Phishing with Google Docs. How Iran obtained US voter information. Election security enters its endgame. Nov 02, 2020

Another look at Pyongyang’s Kimsuky campaign. Phishing with bogus Google Docs. How Tehran got its hands on voter information. Rick Howard looks at containers and serverless functions. Malek Ben Salem shares the results of Accenture’s 2020 Cyber Threatscape report. And looking ahead to the election influence endgame.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/212

Carole Theriault: Constantly learning new things. [Media] [Career Notes] Nov 01, 2020

Communications consultant and podcaster Carole Theriault always loved radio and through her career dabbled in many areas .She landed in a communications and podcasting role where she helps technical firms create audio and digital content. In fact, Carole is the CyberWire's UK Correspondent. She says cybersecurity is good place to go because of the many different avenues available and "you don't even have to be a tech head" (though Carole has quite a technical pedigree). Our thanks to Carole for sharing her story with us.

David Sanger on the HBO documentary based off his book, "The Perfect Weapon". [Special Edition] Nov 01, 2020

On this Special Edition, our extended conversation with author and New York Times national security correspondent David E. Sanger. The Perfect Weapon explores the rise of cyber conflict as the primary way nations now compete with and sabotage one another. ‌

Leveraging for a bigger objective. [Research Saturday] Oct 31, 2020

The U.S. government has charged seven men in relation to hundreds of cyber attacks against organizations in the U.S. and multiple other countries in Asia and Europe. Two of the men, who were based in Malaysia, were arrested and their extradition to the U.S. has been requested. The other five are based in China and remain at large.

The attacks were attributed to a China-linked organization dubbed APT41 and involved a combination of intellectual property theft and financially motivated cyber crime. While some of our peers monitor APT41 as a single operation, Symantec regards it as two distinct actors: Grayfly and Blackfly.

Joining us in this week's Research Saturday to discuss the research from Symantec's Threat Hunter Team is Jon DiMaggio.

The research can be found here:

APT41: Indictments Put Chinese Espionage Group in the Spotlight

Ransomware epidemic during the pandemic. Cyber insurance and state actors. Cyberstalking. Don’t exaggerate election meddling. Reflections on National Cybersecurity Awareness Month. Oct 30, 2020

Ransomware becomes endemic in the healthcare sector. Cyber metaphors--we read a good one this morning. Does your cyber insurance indemnify you against state-sponsored attacks? More guilty pleas in the ex-eBayers’ cyberstalking case. US Cyber Command and others advise everyone not to see foreign election meddling where it isn’t. David Defour looks at the spookiest malware of 2020. Our guest is Travis Leblanc from Cooley on the European court Invalidating the EU-US Privacy Shield. And what do we make of National Cybersecurity Awareness Month as it recedes into our collective rearview mirror?

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/211

The Malware Mash! Oct 30, 2020

Familiar threat actors are back in the news. Big Tech’s testimony on Capitol Hill had less to do with Section 230 than many had foreseen. Oct 29, 2020

Some familiar threat actors--both nation-states and criminal gangs--return to the news: Venomous Bear, Charming Kitten, Wizard Spider, and Maze. Mike Benjamin from Lumen looks at the Mozi malware family. Our guest is Neal Dennis from Cyware on why it's time for organizations to step up their data sharing. And Big Tech’s day on Capitol Hill involved more discussion of censorship and bias than it did Section 230 of the Communications Decency Act.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/210

Warnings about the DPRK’s Kimsuky Group. Election security in the US during the endgame. Section 220 and Big Tech. Another guilty plea in the eBay-related cyberstalking case. Oct 28, 2020

US authorities warn that North Korea’s Kimsuky APT is out and about and bent on espionage, with a little cryptojacking on the side. As the US elections enter their endgame, observers point out that the appearance of hacking can be just as effective for foreign influence operations as the reality. CISA continues to tweet rumor control and election reassurance. Joe Carirgan share developments in end-to-end encryption. Our guest is Bilyana Lilly from RAND on Russia’s strategic messaging on social media (and the disinformation that may be a part of it). Big Tech returns to Capitol Hill. And another guilty plea in the strange case of eBay-related cyberstalking.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/209

Election phishing, without hook, but with line and sinker? Data breaches, and the importance of prompt disclosure. Misplaced hacktivist sympathy. Oct 27, 2020

EI-ISAC reports a curious election-related phishing campaign, widespread, but indifferently coordinated and without an obvious motive. Nitro discloses a “low impact security incident.” A breach at a law firm affects current and former Googlers. Finnish psychological clinic Vastaamo dismisses its CEO for not disclosing a breach promptly. Ben Yelin looks at a controversial White House to divvy up 5G spectrum. Carole Theriault shares results from Panaseer’s 2020 GRC Peer Report. And a terrorist murder finds support online.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/208

Russian research institute sanctioned for its role in Triton/Trisis. Coordinated inauthenticity in Myanmar. Clean Network program update. Major data breach in Finland. Oct 26, 2020

The US Treasury Department sanctions a Russian research institute for its role in the Triton/Trisis ICS malware attacks. Coordinated inauthenticity with a commercial as well as a political purpose. The Clean Network project gains ground in Central and Eastern Europe. Rob Lee from Dragos on insights on the recent DOJ indictments of Russians allegedly responsible for the Sandworm campaign. Rick Howard explores SD-WANs. Data breaches afflict a large Finnish psychiatric institute.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/207

Sal Aurigemma: How things work. [Education] [Career Notes] Oct 25, 2020

Associate Professor of Computer Information Systems at the University of Tulsa Sal Aurigemma shares how his interest in how things worked shaped his career path in nuclear power and computers, Being introduced to computers in high school and learning about the Chernobyl event led Sal to study nuclear engineering followed by time in the Navy as a submarine officer. On the submarine, Sal had to understand how systems worked from soup to nuts and that let him back to IT. As a computer engineer, Sal spent a lot of time on network troubleshooting and was eventually introduced to cybersecurity. Following 9/11, cybersecurity took on greater importance. Sal's research focuses on behavioral cybersecurity. To newcomers, he suggests heading into things with an open mind and doesn't recommend giving users 24-character passwords that have two upper, two lower, and two special characters that cannot be written down. We thank Sal for sharing his story with us.

Just saying there are attacks is not enough. [Research Saturday] Oct 24, 2020

Ben-Gurion University researchers have developed a new artificial intelligence technique that will protect medical devices from malicious operating instructions in a cyberattack as well as other human and system errors. Complex medical devices such as CT (computed tomography), MRI (magnetic resonance imaging) and ultrasound machines are controlled by instructions sent from a host PC. Abnormal or anomalous instructions introduce many potentially harmful threats to patients, such as radiation overexposure, manipulation of device components or functional manipulation of medical images. Threats can occur due to cyberattacks, human errors such as a technician's configuration mistake or host PC software bugs.

As part of his Ph.D. research, Tom Mahler has developed a technique using artificial intelligence that analyzes the instructions sent from the PC to the physical components using a new architecture for the detection of anomalous instructions.

Joining us in this week's Research Saturday to discuss his research is CBG - Cyber@Ben Gurion University's Tom Mahler.

The research can be found here:

A Dual-Layer Architecture for the Protection of Medical Devices from Anomalous Instructions

Energetic Bear’s battlespace preparation. Selling voter and consumer personal data. GRU, Qods Force sanctioned. How they knew that Iran dunnit. Oct 23, 2020

Energetic Bear is back, and maybe getting ready to go berserk in a network near you, Mr. and Mrs. United States. Someone’s selling publicly available voter and consumer information on the dark web. Sanctions against the GRU for the Bundestag hack. The US sanctions Qods Force and associated organizations for disinformation efforts. Johannes Ullrich has tips for preventing burnout. Our Rick Howard speaks with author David Sanger about his new HBO documentary The Perfect Weapon. How Iran was caught in the emailed voter threat campaign.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/205

Recent email threats to US voters appear to be an Iranian operation. Notes on cyberespionage and influence operations. Hold the “blatant Russophobia,” TASS? Oct 22, 2020

Emailed election threats to US voters are identified as an Iranian influence operation, disruptive, and so more in the Russian style. Both Iran and Russia appear to be preparing direct marketing influence campaigns. Cyber criminals are also exploiting US election news as phishbait. Seedworm is said to be ‘retooling.” Caleb Barlow from Cynergistek on contact tracing and privacy as students head back to school. Our guest is Jadee Hanson from Code 42 on juggling priorities and protecting her organization as external and internal threats constantly take aim. And TASS deplores the “blatant Russophobia” of recent Five Eyes’ official remarks.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/205

TrickBot’s return is interrupted. Election rumor control. Supply chain security. Securing the Olympics. NSS Labs closes down. Oct 21, 2020

TrickBot came back, but so did its nemesis from Redmond--Microsoft and its partners have taken down most of the new infrastructure the gang reestablished. CISA publishes election rumor control. The Cyberspace Solarium Commission has a white paper on supply chain security. Japan says it will take steps to secure next summer’s Olympics. Joe Carrigan takes issue with Twitter and Facebook limiting the spread of published news stories. Our guest is Carolyn Crandall from Attivo with a look at the market for cyber deception tools. And a familiar name exits the industry.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/204

International cyberespionage: China and Russia versus the Five Eyes and others. Google faces an anti-trust suit. Abandonware. Oct 20, 2020

America’s NSA reviews twenty-five vulnerabilities under active exploitation by Chinese intelligence services. The UK’s NCSC accuses the GRU of more international cyberattacks. The US Justice Department brings its long-expected anti-trust suit against Google. Ben Yelin examines overly invasive company Zoom policies. Our guest is Jessica Gulick from Katczy with a visit to the Cyber Carnival Games. And a warning on “abandonware.”

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/203

Influence operations and cyber probes of presidential campaigns. TrickBot’s recovery. Remote learning woes. Port facilities in Iran reported to have been targeted in cyberattacks. Oct 19, 2020

Updates on influence ops and campaign hacking show that the opposition has its troubles, too. TrickBot operators seem to have returned to business. Schools’ remote learning programs are providing attractive targets for cybercriminals. Iranian news outlets say ports were the targets of last week’s cyberattacks. David Dufour explains how phishing campaigns capitalized on a global crisis. And Charlie Tibor says, “hello world” (we paraphrase).

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/202

Rosa Smothers: Secure the planet. [Career Notes] Oct 18, 2020

Senior VP of Cyber Operations at KnowBe4, Rosa Smothers, talks about her career as an early cybersecurity professional in what she describes as the Wild, Wild West to her path through government intelligence work. Rosa shares how she always knew she wanted to be involved with computers and how being a big Star Trek nerd and fan particularly of Spock and Uhura helped shape her direction. Following 9/11, Rosa wanted to work for the government and pursue the bad guys and she did just that completing her bachelor's degree and starting in the Defense Intelligence Agency as a cyber threat analyst focusing on extremist groups. She joined the CIA and worked on things you see in the movies, things that are science fictionesque. Rosa recommends talking with people to get your feet wet to find your passion. We thank Rosa for sharing her story with us.

Intentionally not drawing attention. [Research Saturday] Oct 17, 2020

Bitdefender researchers recently uncovered a sophisticated APT-style attack targeting an international architectural and video production company. The attack shows signs of industrial espionage, similar to another of Bitdefender’s recent investigations of the StrongPity APT group. The real-estate industry is highly competitive, and information exfiltrated by APT mercenary group can give negotiation advantages to other players in high-profile real-estate contracts.

While APT groups traditionally could only be afforded by governments or were financially motivated purely out of self-interest, they recently appear to have become a commodity.

Joining us in this week's Research Saturday to discuss the research is Global Cybersecurity Researcher Liviu Arsene from Bitdefender.

The research can be found here:

APT Hackers for Hire Used for Industrial Espionage

Misdirection and redirection. Content moderation, influence operations, and Section 230. Money-laundering gang taken down. And no wolves in Nova Scotia. Oct 16, 2020

Phishing through redirector domains. Content moderation, influence operations, and Section 230. A Twitter outage is due to an error, not an attack. QQAAZZ money-laundering gang members indicted. Johannes Ullrich tracks Mirai Bots going after Amanda backups. Our guest is Richard Hummel from Netscout with research on cybersecurity trends and forecasts. And some ruminations about range safety for cyber exercises.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/201

Disinformation, foreign and domestic. Content moderation, always harder than it seems. US Cyber Command’s defend forward doctrine. Oct 15, 2020

Tehran says this week’s cyberattacks are under investigation. Silent Librarian returns to campus for academic year 2020-2021. Crooks are posing as nation-state hackers. Domestic disinformation reported in Guinea and Ghana. Disinformation, content moderation, and the difficulties presented by both. US Cyber Command’s forward engagement campaign. Mike Benjamin from Lumen on how bad actors reuse infrastructure. Our guest is Ralph Sita from Cybrary with a look at their "Skills Gap" research report. And an extended meditation on the Scunthorpe Problem.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/200

Cyber conflict and cyberespionage. Social engineering as a turnstile business. Inside a social engineering campaign. A warning about fraudulent unemployment claims. Oct 14, 2020

Reports of cyberattacks against Iranian government and, possibly, economic targets, are circulating, but details are sparse. Norway accuses Russia of hacking parliamentary emails. A cybercriminal gang’s secret is volume. A social engineering campaign singles out victims with US IP addresses. Joe Carrigan on a million dollar REvil recruitment offer. Our guest is Paul Nicholson from A10 Networks with a look at the "State of DDoS Weapons". And the US Treasury Department warns banks to be on the lookout for signs of unemployment fraud.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/199

Suppressing Trickbot: cyber warfare and cyber lawfare. Chaining vulnerabilities. An intergovernmental call for backdoors in the aid of law enforcement. Oct 13, 2020

Trickbot gets hit by both US Cyber Command and an industry team led by Microsoft. CISA and the FBI warn that an unnamed threat actor is chaining vulnerabilities, including Zerologon, to gain access to infrastructure and government targets. Ben Yelin shares his thoughts on the US House’s report on monopoly status for some of tech's biggest players. Our guest is David Higgins from CyberArk on how work from home has put a light on privilege access security. And the Five Eyes plus two call for legal access to encrypted communications.

For links to all of today's stories check out our CyberWire daily news brief:

https://www.thecyberwire.com/newsletters/daily-briefing/9/198

Our TOPPODCAST Picks

Follow Us

Stay Connected

CyberWire Daily – CyberWire, Inc.