CyberWire Daily

By CyberWire, Inc.

Listen to a podcast, please open Podcast Republic app. Available on Google Play Store.


Category: Technology

Open in Apple Podcasts


Open RSS feed


Open Website


Rate for this podcast

Subscribers: 1367
Reviews: 5

CyberGirl
 Oct 28, 2020
An excellent resource for the cyber news of the day, without the extra "fluff". NOTE: this is NOT an educational podcast, it is strictly distilled news.

Matt Aguirre
 Mar 10, 2019


 Jan 16, 2019

Average Joe
 Dec 12, 2018
This is a great source for a daily overview of what happened in Cyber Security and IT!

Mikey
 Nov 11, 2018
Although I enjoy listening, it's like a new language which I'm slowly learning. I wish some more time was given to background regarding malware.

Description

The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Episode Date
A new loader variant for wiper campaigns. Sanctions, hacktivism, and disinformation. Conti’s toxic branding. Happy birthday, US Cyber Command.
1465
There’s a new loader identified in wiper campaigns. President Putin complains of sanctions and cyberattacks, and vows to increase Russia's cybersecurity. Coordinated inauthenticity at scale. Killnet crows large over Italian operations. Conti's dissolution doesn't mean its operators' disappearance. Rick Howard looks at software defined perimeters. Dinah Davis from Arctic Wolf on how ransomware groups are upping their game to nation state levels. And happy birthday, US Cyber Command...but we're not necessarily wishing you a moonshot for your birthday present. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/98 Selected reading. Sandworm uses a new version of ArguePatch to attack targets in Ukraine (WeLiveSecurity)  Putin complains about barrage of cyberattacks (Military Times) Putin promises to bolster Russia's IT security in face of cyber attacks (Reuters) Russia keeps getting hacked (Mashable)  Putin is bringing his disinformation war to Ukraine (Newsweek)  Putin is bringing his disinformation war to Ukraine (Newsweek) Russian government procured powerful botnet to shift social media trending topics (The Record by Recorded Future) Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns (The Hacker News)  Russian Hackers Claim Responsibility for Attacks on Italian Government Websites (Wall Street Journal) Anonymous Declares Cyber-War on Pro-Russian Hacker Gang Killnet (Infosecurity Magazine)  DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape (AdvIntel)  Notorious cybercrime gang Conti 'shuts down,' but its influence and talent are still out there (The Record by Recorded Future) Could a Cyber Attack Overthrow a Government? Conti Ransomware Group Now Threatening To Topple Costa Rican Government if Ransom Not Paid (CPO Magazine)  Fears grow after ransomware attack on Costa Rica escalates (TechCrunch)  US Cyber Command’s birthday (US Cyber Command) U.S. Needs New 'Manhattan Project' to Avoid Cyber Catastrophe | Opinion (Newsweek) Cyber pros are fed up with talk about a cyber-Manhattan Project (Washington Post)
May 23, 2022
Charity Wright: Pursue what you love [Threat intelligence] [Career Notes]
560
Threat intelligence analyst at Recorded Future, Charity Wright, shares her story from the army to her career today. Transitioning from the army to cybersecurity was an exciting change for her. During college she was recruited by the U.S army where she started her journey and learned new skills paving her pathway to threat intelligence where she is now. She shares that she works with a great team of junior analysts who are constantly checking each others biases which helps keep Charity grounded in her work. Charity spends her days keeping an eye on threats around the world where she says there is never a dull day in her line of work. We thank Charity for sharing her story with us.
May 22, 2022
AutoWarp bug leads to Automation headaches. [Research Saturday]
1166
Yanir Tsarimi from Orca Security, joins Dave to discuss how researchers have discovered a critical Azure Automation service vulnerability called AutoWarp. The security flaw was discovered this past March causing Yanir to leap into action announcing the issue to Microsoft who helped to swiftly resolve the cross-account vulnerability. The research shows how this serious flaw would allow attackers unauthorized access to other customer accounts and potentially full control over resources and data belonging to those accounts, as well as put multiple Fortune 500 companies and billions of dollars at risk. The research shares the crucial time line that the vulnerability was discovered as well as Microsofts response to the vulnerability. The research can be found here: AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service
May 21, 2022
Is Conti rebranding? Commercial spyware scrutinized. Notes from the cyber phases of a hybrid war. Notes on the underworld. Software supply chain attack. Canada will exclude Huawei from 5G.
1859
Was Conti’s digital insurrection in Costa Rica misdirection? Google assesses a commercial spyware threat “with high confidence.” Continuing expectations of escalation in cyberspace. The limitations of an alliance of convenience. Fronton botnet shows versatility. Russian hacktivists hit Italian targets, again. Lazarus Group undertakes new SolarWinds exploitation. Crypters in the C2C market. CrateDepression supply chain attack. Johannes Ullrich describes an advance fee scam hitting crypto markets. Our guest is Marty Roesch, CEO of Netography and inventor of Snort. Canada to exclude Huawei from 5G networks on security grounds. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/97 Selected reading. Conti ransomware shuts down operation, rebrands into smaller units (BleepingComputer)  Protecting Android users from 0-Day attacks (Google)  Microsoft President: Cyber Space Has Become the New Domain of Warfare (Infosecurity Magazine) Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes (Check Point Research)  Chinese Hackers Tried to Steal Russian Defense Data, Report Says (New York Times)  China-linked Space Pirates APT targets the Russian aerospace industry (Security Affairs)  This Russian botnet does far more than DDoS attacks - and on a massive scale (ZDNet)  Pro-Russian hackers attack institutional websites in Italy, police say (Reuters)  Lazarus hackers target VMware servers with Log4Shell exploits (BleepingComputer) ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups (Security Intelligence)  CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware (SentinelOne)  Canada to ban Huawei/ZTE 5G equipment, joining Five Eyes allies (Reuters)
May 20, 2022
CISA Alert AA22-138B – Threat actors chaining unpatched VMware vulnerabilities for full system control. [CISA Alerts]
194
CISA is releasing this cybersecurity advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root level access. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. AA22-138B Alert, Technical Details, and Mitigations AA22-138B.stix Emergency Directive 22-03 Mitigate VMware Vulnerabilities VMware Security Advisory VMSA-2022-0011 VMware Security Advisory VMSA-2022-0014 All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 20, 2022
Information operations and the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities atively exploited. TDI clarifies data incident. Robo-calling the Kremlin.
1849
Russian information operations surrounding the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities undergoing active exploitation. Texas Department of Insurance clarifies facts surrounding its data incident. Robert M. Lee from Dragos is heading to Davos to talk ICS. Rick Howard speaks with author Chase Cunningham on his book "Cyber Warfare –Truth, Tactics and Strategies”. Robo-calling the Kremlin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/96 Selected reading. Information Operations Surrounding the Russian Invasion of Ukraine (Mandiant)  CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities (CISA) Emergency Directive 22-03 (CISA)  Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control (CISA)  Threat Actors Exploiting F5 BIG IP CVE-2022-1388 (CISA)  CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. (The CyberWire)  Additional facts: TDI data security event (Texas Department of Insurance)  This Hacktivist Site Lets You Prank Call Russian Officials (Wired) 
May 19, 2022
CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388.
200
CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC), are releasing this joint Cybersecurity Advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP.  AA22-138A Alert, Technical Details, and Mitigations F5 Security Advisory K23605346 and indicators of compromise F5 guidance K11438344 for remediating a compromise Emerging Threats suricata signatures Palo Alto Networks Unit 42 Threat Brief: CVE-2022-1388. This brief includes indicators of compromise.  Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical F5 BIG-IP Vulnerability. This blog includes indicators of compromise. Note: due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content. Randori’s bash script. This script can be used to identify vulnerable instances of BIG-IP. Note: MS-ISAC has verified this bash script identifies vulnerable instances of BIG-IP.  All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 19, 2022
Privateering goes fully political. Compromised robots? Conti’s campaign against Costa Rica. Cyberconflict along the Nile. A reset in the cyber insurance market.
1533
Chaos ransomware group declares for Russia. Hacktivists claim to have compromised Russian-manufactured ground surveillance robots. Conti's ongoing campaign against Costa Rica. The claimed "international" cyberattack against Nile dam was stopped. Rick Howard speaks with author Caroline Wong on her book “Security Metrics, a Beginner's Guide”. Our guests are Kathleen Smith and Rachel Bozeman, hosts of the new podcast, Security Cleared Jobs. And the cyber insurance market experiences a “reset.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/96 Selected reading. Chaos Ransomware Variant Sides with Russia (Fortinet Blog) Did hackers commandeer surveillance robots at a Russian airport? (The Daily Dot)  Russian Hacking Cartel Attacks Costa Rican Government Agencies (New York Times)  Costa Rican president claims collaborators are aiding Conti's ransomware extortion efforts (CyberScoop)  "We will overthrow the government" - Does Conti have help inside Costa Rica? (Tech Monitor)  Costa Ricans scrambled to pay taxes by hand after cyberattack took down country’s collection system (Yahoo)  Ethiopia faces new cyberattacks on its Nile dam (Al-Monitor)  Cyber Insurers Raise Rates Amid a Surge in Costly Hacks (Wall Street Journal)
May 18, 2022
CISA Alert AA22-137A – Weak security controls and practices routinely exploited for initial access. [CISA Alerts]
169
This joint cybersecurity advisory was coauthored by the cybersecurity authorities of the US, Canada, New Zealand, the Netherlands, and the UK. Cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices, and includes best practices to mitigate these risks. AA22-137A Alert, Technical Details, and Mitigations White House Executive Order on Improving the Nation’s Cybersecurity NCSC-NL Factsheet: Prepare for Zero Trust NCSC-NL Guide to Cyber Security Measures N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based NCSC-NL Guide to Cyber Security Measures National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured NCSC-UK Guidance – Phishing Attacks: Defending Your Organisation  Open Web Application Security Project (OWASP) Proactive Controls: Enforce Access Controls All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 17, 2022
Russian cyber threats and NATO’s Article 5. Conti says it’s going to bring Cost Rica to its knees. BLE proof-of-concept hack. CISA warns of initial access methods. Thanos proprietor indicted.
1718
An assessment of the Russian cyber threat. NATO's Article 5 in cyberspace. Conti's ransomware attack against Costa Rica spreads, in scope and effect. Bluetooth vulnerabilities demonstrated in proof-of-concept. CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Joe Carrigan looks at updates to the FIDO alliance. Rick Howard and Ben Rothke discuss author Andrew Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age". And,the doctor was in, but wow, was he also way out of line. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/95 Selected reading. Russia Planned a Major Military Overhaul. Ukraine Shows the Result. (New York Times)  The Cyberwar Against Pro-Ukrainian Countries is Real. Here’s What to Do (CSO Online)  Collective cyber defence and attack: NATO’s Article 5 after the Ukraine conflict (European Leadership Network)  Cyber attack on Costa Rica grows as more agencies hit, president says (Reuters) Ransomware gang threatens to ‘overthrow’ new Costa Rica government, raises demand to $20 million (The Record by Recorded Future)  Hacker Shows Off a Way to Unlock Tesla Models, Start Cars (Bloomberg) NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk (NCC Group)  Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks (NCC Group Research)  Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks (NCC Group Research) Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks (NCC Group Research)  Alert (AA22-137A) Weak Security Controls and Practices Routinely Exploited for Initial Access (CISA) Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals (U.S. Attorney’s Office for the Eastern District of New York)  US prosecutors allege Venezuelan doctor is ransomware mastermind (ZDNet)  'Multi-tasking doctor' was mastermind behind 'Thanos' ransomware builder, DOJ says (The Record by Recorded Future)  U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware (The Hacker News)
May 17, 2022
Users advised to patch actively exploited Zyxel vulnerability. Hacktivism and influence ops in Russia’s hybrid war. Ransomware notes. Indiscriminate hacktivism? Alt-coin sanctions case will proceed.
1517
Users are advised to patch Zyxel firewalls. Battlefield failure and popular morale in Russia’s hybrid war. Nuisance-level hacktivism in the hybrid war. Sweden and Finland move closer to NATO membership; concern over possible Russian cyberattacks rises. Intelligence, disinformation, or wishful thinking? Conti calls for rebellion in Costa Rica. PayOrGrief is just rebranded DoppelPaymer. Anonymous action in Sri Lanka seems indiscriminate and counterproductive. Dinah Davis from Arctic Wolf examines cyber security for startups. Rick Howard looks at two factor authentication. And a judge says cryptocurrency can’t be used to evade sanctions. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/94 Selected reading. Critical Vulnerability Allows Remote Hacking of Zyxel Firewalls (SecurityWeek)  Zyxel security advisory for OS command injection vulnerability of firewalls (Zyxel)  Growing evidence of a military disaster on the Donets pierces a pro-Russian bubble. (New York Times)  OpRussia update: Anonymous breached other organizations (Security Affairs)  Italy prevents pro-Russian hacker attacks during Eurovision contest (Reuters)  Finland, Sweden’s NATO moves prompt fears of Russian cyberattacks (The Hill)  Coup to remove cancer-stricken Putin underway in Russia, Ukrainian intelligence chief says (Fortune)  Conti ransomware gang calls for Costa Rican citizens to revolt if government doesn't pay (SC Magazine)  Anonymous wanted to help Sri Lankans. Their hacks put many in grave danger (Rest of World)  U.S. issues charges in first criminal cryptocurrency sanctions case (Washington Post)
May 16, 2022
Eric Escobar: Collaboration is key. [Pen tester] [Career Notes]
492
Principal consultant and pen tester at Secureworks, Eric Escobar, shares his career path translating his childhood favorite Legos to civil engineering and pivoting to cybersecurity. Eric was always headed toward engineering and got both his bachelor and master degrees in civil engineering. Upon breaking into a network with a friend, he was bitten by the cybersecurity bug. Making the switch to the red team and basically becoming a bankrobber for hire, Eric tests the security of many companies' networks. He feels that curiosity is an essential trait for cybersecurity and collaboration is key as no one person knows everything. He advises those interested in cybersecurity to just start. We thank Eric for sharing his story with us.
May 15, 2022
The current state of zero trust. [CyberWire-X]
1911
According to the zero trust philosophy, we all assume that our networks are already compromised and try to design them to limit the damage if it turns out to be so. In this episode of CyberWire-X, we’ve invited subject matter experts, Amanda Fennell, the Chief Information Officer and Chief Security Officer of Relativity, and Galeal Zino, CEO of episode Sponsor NetFoundry, to the Cyberwire Hash Table to discuss all the ways to think about the solution in the modern era: Software Defined Perimeter (SDP), Secure Access Service Edge (SASE), identity and authorization, and private WAN, all through a First Principle lens.
May 15, 2022
Vulnerabilities in IoT devices. [Research Saturday]
1412
Dr. May Wang, Chief Technology Officer at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization
May 14, 2022
War crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). A backdoor for Roblox. Darkweb C2C trader sentenced. eBay newsletter conspirator pleads guilty. CIA gets a CISO.
1479
Ukraine holds its first war crimes trial. Are there war crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). Roblox seems to have been used to introduce a backdoor. CISA issues ICS advisories. Darkweb C2C trader sentenced. The last conspirator in the strange case of the eBay newsletter takes a guilty plea. Carole Theriault looks at Google’s new approach to cookies in Europe. Our guest is Mary Writz of ForgeRock on the growing importance of mobile device authentication security. And CIA gets a CISO. For links to all of today's stories check out our CyberWire daily news briefing: httpshttps://thecyberwire.com/newsletters/daily-briefing/11/93 Selected reading. Ukraine to put first Russian soldier on trial for war crimes | DW | 12.05.2022 (Deutsche Welle) Russian soldier on trial in first Ukraine war-crimes case (AP NEWS) First Russian soldier goes on trial in Ukraine for war crimes (the Guardian)  The Case for War Crimes Charges Against Russia’s Sandworm Hackers (Wired) Iranian hackers exposed in a highly targeted espionage campaign (BleepingComputer)  Iranian APT Cobalt Mirage launching ransomware attacks (SearchSecurity) Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks (The Hacker News)  Iranian Cyberspy Group Launching Ransomware Attacks Against US (SecurityWeek)  Please Confirm You Received Our APT | FortiGuard Labs  (Fortinet Blog)  Roblox Exploited with Trojans from Scripting Engine (Avanan) Ukrainian cybercriminal sentenced to 4 years in U.S. prison for credential theft scheme (CyberScoop) Ukrainian sentenced to 4 years for selling hacked passwords (The Record by Recorded Future)  Ex-eBay exec charged with harassing newsletter publishers pleads guilty (Reuters) CIA selects new CISO with deep private sector experience (The Record by Recorded Future)
May 13, 2022
Killnet hits Italian targets. Access restored to RuTube. Hacktivism in the hybrid war. Emotet surges. NPM dependency confusion attacks were pentesting. Cybercrime and punishment.
1571
Killnet hits Italian targets. Access to RuTube is restored. Hacktivism in the hybrid war. Emotet surges. Clearing up the confusion of NPM dependency confusion attacks. Tim Eades from Cyber Mentor Fund on finding the right investors. Our guest is Michael DeBolt of Intel 471 on the growing interest in Biometrics in the criminal underground. And cybercrime and punishment, Florida-man edition. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/92 Selected reading. Ukraine maps reveal how much territory Russia has lost in just a few days (Newsweek)  Pro-Russian hackers target Italy institutional websites -ANSA news agency (Reuters)  Russian cyber experts restore RuTube access after three-day outage (Reuters)  They Fled Ukraine to Keep Their Cyber Startup Alive. Now, They’re Hacking Back. (Wall Street Journal) Ukraine hacktivism 'problematic' for security teams says NSA cyber chief (Tech Monitor) HP Wolf Security Threat Insights Report Q1 2022 | HP Wolf Security (HP Wolf Security) npm supply chain attack targets Germany-based companies with dangerous backdoor malware (JFrog) SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineerin (SecurityWeek) Trio Of Cybercriminals Sentenced For Conspiracy To Commit Fraud And Aggravated Identity Theft (US Attorney for the Middle District of Florida)
May 12, 2022
CISA Alert AA22-131A – Protecting against cyber threats to managed service providers and their customers. [CISA Cybersecurity Alerts]
207
The cybersecurity authorities of the UK, Australia, Canada, New Zealand, and the US have observed a recent increase in malicious cyber activity against managed service providers (MSPs). Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers.  AA22-131A Alert, Technical Details, and Mitigations Technical Approaches to Uncovering and Remediating Malicious Activity Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses APTs Targeting IT Service Provider Customers ACSC's Managed Service Providers: How to manage risk to customer networks  Global Targeting of Enterprise Managed Service Providers Cyber Security Considerations for Consumers of Managed Services  How to Manage Your Security When Engaging a Managed Service Provider Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers Baseline Cyber Security Controls for Small and Medium Organizations Actions to take when the cyber threat is heightened Top 10 IT Security Action Items to Protect Internet Connected Networks and Information CCCS's Alert: Malicious Cyber Activity Targeting Managed Service Providers  CISA Cybersecurity Alert: APT Activity Exploiting MSPs (2018) CISA Cyber Essentials and CISA Cyber Resource Hub  Improving Cybersecurity of Managed Service Providers  Shields Up Technical Guidance All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 12, 2022
Consensus on the Viasat hack: Russia did it. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies exploited, but to what end? Advisories from CISA and its partners.
1543
There’s international consensus on the cyberattack against Viasat. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies are exploited, but to what end? Caleb Barlow examines Russia’s future on the internet. Our guest is Deepen Desai from Zscaler with the latest phishing research. And new advisories from CISA and its partners. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/91 Selected reading. Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques (Proofpoint) NPM dependency confusion hacks target German firms (ReversingLabs) npm Supply Chain Attack Targeting Germany-Based Companies (JFrog) Adminer in Industrial Products (CISA) Eaton Intelligent Power Protector (CISA)  Eaton Intelligent Power Manager Infrastructure (CISA)  Eaton Intelligent Power Manager (CISA) AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (CISA)  Mitsubishi Electric MELSOFT GT OPC UA (CISA)  CISA Adds One Known Exploited Vulnerability to Catalog (CISA)  Alert (AA22-131A) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA) Russia downed satellite internet in Ukraine -Western officials (Reuters)  US and its allies say Russia waged cyberattack that took out satellite network (Ars Technica)  Western powers blame Russia for Ukraine satellite hack (The Record by Recorded Future)  Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)  Attribution of Russia’s Malicious Cyber Activity Against Ukraine - United States Department of State (United States Department of State)  U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors (CISA) Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion (GOV.UK) Estonia joins the statement of attribution on cyberattacks against Ukraine (Ministry of Foreign Affairs, Republic of Estonia)  Statement on Russia’s malicious cyber activity affecting Europe and Ukraine (Canada.ca)  Attribution to Russia for malicious cyber activity against European networks (Australian Government Department of Foreign Affairs and Trade)  Russia hacked an American satellite company one hour before the Ukraine invasion (MIT Technology Review)  NSA Probing Reach of Software From Russia’s Kaspersky in US Systems (Bloomberg) 
May 11, 2022
Notes on cyber phases of Russia’s hybrid war, including an assessment of Victory Day as an influence op. A look at C2C markets. And Spain’s spyware scandal claims an intelligence chief.
1774
A quick introductory note on Russia’s hybrid war against Ukraine. Russian television schedules hacked to display anti-war message. Phishing campaign distributes Jester Stealer in Ukraine. European Council formally attributes cyberattack on Viasat to Russia. Costa Rica declares a state of emergency as Conti ransomware cripples government sites. DCRat and the C2C markets. The gang behind REvil does indeed seem to be back. More Joker-infested apps found in Google Play. Guest Nick Adams from Differential Ventures discusses what will drive continued growth of cybersecurity beyond attack surfaces and governance from a VC's perspective. Partner Ben Yelin from UMD CHHS on digital privacy concerns in the aftermath of the potential overturn of Roe vs Wade. And Spain’s spyware scandal takes down an intelligence chief. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/90 Selected reading. Ukraine morning briefing: Five developments as Joe Biden warns Vladimir Putin has 'no way out' (The Telegraph) Viewpoint: Putin now faces only different kinds of defeat (BBC News)  Putin's Victory Day speech gives no clue on Ukraine escalation (Reuters)  On Victory Day, Putin defends war on Ukraine as fight against ‘Nazis’ (Washington Post)  In Speech, Putin Shows Reluctance in Demanding Too Much of Russians (New York Times)  Putin's parade shows he "is going to continue at whatever cost" in Ukraine (Newsweek) Russia’s display of military might sent the West a strong message – just not the one Putin intended (The Telegraph) Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages (HackRead)  Russian TV hacked to say ‘blood of Ukrainians is on your hands’ (The Telegraph)  Mass Distribution of Self-Destructing Malware in Ukraine (BankInfoSecurity)  Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)
May 10, 2022
Mixer gets sanctioned. Reward offered for Conti hoods. Ag company hit with ransomware. Hacktivism and cyberattacks in Russia’s hybrid war. That apology? The Kremlin takes it back.
1582
The US Treasury Department sanctions a cryptocurrency mixer. Rewards for Justice is interested in Conti. US tractor manufacturer AGCO was hit by a ransomware attack. Russian hacktivism hits German targets and threatens the UK. A Russian diplomatic account was apparently hijacked. Tracking Cobalt Strike servers used against Ukraine. Dinah Davis from Arctic Wolf defends against DDOS attacks. Rick Howard looks at Single Sign On. And no apology for you, Mr. Bennett. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/89 Selected reading. U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats (U.S. Department of the Treasury) Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice (United States Department of State) AGCO ransomware attack disrupts tractor sales during U.S. planting season (Reuters) Agricultural equipment maker AGCO reports ransomware attack (The Record by Recorded Future) Russia’s chief diplomat in Scotland condemns Ukraine invasion in social media post (The Telegraph)   Pro-Russian Hackers Hit German Government Sites, Spiegel Says (Bloomberg) Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine (IronNet) Russia tensions with Israel may intensify as Kremlin denies Putin's apology (Newsweek)
May 09, 2022
Amanda Fennell: There's a cyber warrior in all of us [Information] [Career Notes]
543
Chief security officer and chief information officer at Relativity, Amanda Fennel shares her story from archeology to cybersecurity. She shares the path that lead her towards becoming an archeologist and how it turned out not being exactly what she expected. She then shares how she got into the cyber business and how her past has impacted what she's doing now. She describes how she would like to be remembered in the cyber world, she says "I do hope that I left things better than I found them, not just the security of a product or a company, but I believe strongly that every person has a little cyber warrior inside of them." We thank Amanda for sharing her story.
May 08, 2022
Attacking where vulnerable. [Research Saturday]
1034
Tushar Richabadas from Barracuda joins Dave Bittner to discuss their findings detailed in their "Threat Spotlight: Attacks on Log4Shell vulnerabilities." Their research shows the percentage of attackers targeting the vulnerabilities, and shows where the dips and spikes are over the course of the past couple of months. The research has also gathered where the attackers main IP addresses are located, with 83% of them located in the United States. They breakdown what this malware can do and how to protect yourself against it. They say "Due to the growing number of vulnerabilities found in web applications, it is getting progressively more complex to protect against attacks." The research can be found here: Threat Spotlight: Attacks on Log4Shell vulnerabilities
May 07, 2022
Victory Day approaches so shields up. Hackivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Happy Mother’s Day (and stay safe online).
1287
An update on the war in Ukraine as Victory Day approaches. President Lukashenka on the war next door. Hackivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Another ICS security alert from CISA. Dinah Davis from Arctic Wolf on reflection amplification techniques. Carole Theriault examines zero trust architecture access policies. Happy Mother’s Day (and stay safe online). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/88 Selected reading. Mariupol steel mill battle rages as Ukraine repels attacks (Military Times)  Why the battle for Mariupol is important for Vladimir Putin. (New York Times) A race against time in Ukraine as Russia advances, West sends weapons (Washington Post) The AP Interview: Belarus admits Russia's war 'drags on' (AP NEWS) Russia’s ally Belarus criticises war effort for ‘dragging on’ (The Telegraph) NSA cyber boss seeks to discourage vigilante hacking against Russia (Defense News) Shields Up: Russian Cyberattacks Headed Our Way (JD Supra) Raspberry Robin gets the worm early (Red Canary)  VIP3R: New actor. Old story. Great success. (Menlo Security) Johnson Controls Metasys (CISA)  Top 3 Mother’s Day Scam Sites – Be Smart When Buying Gifts (Trend Micro News)
May 06, 2022
Dateline Moscow, Kyiv, and Minsk: Hacktivisim and privateering. Log4j vulnerabilities more widespread than initially thought. US Cyber Command deploys "hunt forward" team to Lithuania.
1435
Hacktivisim and privateering in Moscow, Kyiv, and Minsk. Log4j vulnerabilities are more widespread than initially thought. US Cyber Command deployed a "hunt forward" team to Lithuania. CISA adds five vulnerabilities to its Known Exploited Vulnerabilities Catalog. Jen Miller-Osborn from Palo Alto Networks discusses the findings from the Center for Digital Government's survey on Getting Ahead of Ransomware. Grayson Milbourne of Webroot/OpenText discusses OpenText's 2022 BrightCloud Threat Report. And Anonymous leaks emails allegedly belonging to the Nauru Police Force. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/87 Selected reading. Russian ally Belarus launches military quick-response drills (Washington Post) Putin’s Ukraine War: Desperate Belarus dictator strikes back (Atlantic Council) Russian ransomware group claims attack on Bulgarian refugee agency (CyberScoop) Russia and Ukraine Conflict Q&A | Cybersixgill (Cybersixgill) Threat Advisory: New Log4j Exploit Demonstrates a Hidden Blind Spot in the Global Digital Supply Chain (Cequence) Anonymous Leak 82GB of Police Emails Against Australia's Offshore Detention (HackRead)
May 05, 2022
More malware deployed in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks.
1724
An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of "shields up." Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle…. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/86 Selected reading. Update on cyber activity in Eastern Europe (Google)  Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop) Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future) SolarWinds hackers set up phony media outlets to trick targets (CyberScoop)  SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future)  Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat) Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus)  Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason)  Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN)  Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future) The Hermit Kingdom’s Ransomware Play (Trellix) New espionage group is targeting corporate M&A (TechCrunch)  Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek)  UNC3524: Eye Spy on Your Email (Mandiant)  Yokogawa CENTUM and ProSafe-RS (CISA)  Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)
May 04, 2022
Hybrid war and disinfo from the swamp. Stormous hacks on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Notes on ransomware operations.
1448
Russia reroutes Internet traffic in occupied regions of Ukraine through Russian services. The Stormous gang, hacking on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Our guest Chetan Mathur of Next Pathway finds similarities between the cloud industry and the 1849 California Gold Rush. Eldan Ben-Haim of Apiiro on why cybersecurity is largely a culture issue. Notes on ransomware operations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/85 Selected reading. Microsoft sees Russian cyberattacks on Ukraine 'getting more and more disruptive' (Inside Defense)  Sergey Lavrov claims Hitler had 'Jewish blood' (The Telegraph) Lavrov’s anti-Semitic outburst exposes absurdity of Russia’s “Nazi Ukraine” claims (Atlantic Council)  Russia likens Zelensky to Hitler as Mariupol says Russia worse than Nazis (Newsweek)  Russia reroutes internet in occupied Ukrainian territory through Russian telcos (The Record by Recorded Future)  Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine (Trustwave) Zhadnost ‘stamps’ out Ukrainian National Postal Service’s website. (SecurityScorecard)  Industrial cybersecurity researchers, looking for help, go public with unpatched IoT bug (The Record by Recorded Future)  Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk (Nozomi Networks) Chinese "Override Panda" Hackers Resurface With New Espionage Attacks (The Hacker News)  Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector (The Hacker News)  New Black Basta Ransomware Possibly Linked to Conti Group (SecurityWeek)  Experts Analyze Conti and Hive Ransomware Gangs' Chats With Their Victims (The Hacker News)  Conti and Hive ransomware operations: What we learned from these groups' victim chats (Cisco Talos)  Conti and Hive ransomware operations: (Cisco Talos)
May 03, 2022
The future of security validation – what next? [CyberWire-X]
1727
Security executives need visibility into their real cyber risk in real time. But with the flood of vulnerability alerts, how can organizations pinpoint impactful security gaps? To meet this challenge, security teams are shifting to an exploit-centric approach to security validation to expose potential threats from ransomware, leaked credentials, phishing, & more.  On this episode, of CyberWire-X, we explore how automation can help teams make this shift to prioritize remediation based on bottom line business impact. Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, discusses the topic with Rick Doten, CISO, Carolina Complete Health and CyberWire Hash Table member, while Dave Bittner, CyberWire podcast host, engages with Sponsor Pentera's Jay Mar-Tang, Sales Engineering Manager for the Americas, about automated security validation.
May 03, 2022
Cyber sabotage and cyberespionage. Updates on Russia’s hybrid war against Ukraine. REvil seems to have returned.
1519
Cable sabotage in France remains under investigation. Spearphishing by Cozy Bear. Widespread and damaging Russian cyberattacks have yet to appear, but criminals find a new field of activity. Hacktivism and privateering. The legal and prudential limits to hacktivism. Applying lessons learned from an earlier cyberwar. Romanian authorities say last week’s DDoS incident was retaliation for Bucharest’s support of Kyiv. Rick Howard is dropping some SBOMS. Carole Theriault reports on virtual kidnappings. REvil seems to be back after all. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/84 Selected reading. How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities (CyberScoop)  Russian hackers compromise embassy emails to target governments (BleepingComputer)  Ukraine's defense applies lessons from a 15-year-old cyberattack on Estonia (NPR)  Feared Russian cyberattacks against US have yet to materialize (C4ISRNet) Hacking Russia was off-limits. The Ukraine war made it a free-for-all. (Washington Post)  A YouTuber is promoting DDoS attacks on Russia — how legal is this? (BleepingComputer) Ukraine’s Digital Fight Goes Global (Foreign Affairs) Romanian government says websites attacked by pro-Russian group (The Record by Recorded Future)  REvil ransomware returns: New malware sample confirms gang is back (BleepingComputer)
May 02, 2022
DevSecOps and securing the container. [CyberWire-X]
1913
The move to cloud has great potential to improve security, but the required process and cultural changes can be daunting. There are a vast number of critical vulnerabilities that make it to production and demand more effective mitigations. Although “shifting security left” should help, organizations are not able to achieve this quickly enough, and “shifting left” does not account for runtime threats. Organizations must strive to improve the prioritization of vulnerabilities to ensure the most dangerous flaws are fixed early. But even then, some risk will be accepted, and a threat detection and response program is required for full security coverage. On this episode of CyberWire-X, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores how to secure your software development lifecycle, how to use a maturity model like BSIM, where do containers fit in that process, and the Sysdig 2022 Cloud-Native Security and Usage report. Joining Rick on this episode are Tom Quinn, CISO at T. Rowe Price and CyberWire Hash Table member, and from episode sponsor Sysdig is their Director of Thought Leadership, Anna Belak, to discuss their experiences and real world data, as well as practical approaches to managing cloud risk. 
May 01, 2022
Jon DiMaggio: Two roads diverged. [Strategy] [Career Notes]
529
Chief security strategist from Analyst1, Jon DiMaggio shares his story on how he grew to become apart of the cybersecurity world. He describes different jobs that paved the way to the knowledge he has one the industry right now, and he even shares about an experience that led him to path that split and which decision he would make, would be crucial in his career. He explains which way he ended up going and how a critical part of his career helped to determine that path. He say's "there's two paths when you have that happen, you can either let it defeat you, or you know, you come back swinging." We thank Jon for sharing his story.
May 01, 2022
Attackers coming in from the Backdoor? [Research Saturday]
1339
Vikram Thakur of Symantec Threat Hunter team joins Dave Bittner to discuss their work on Daxin, a new and the most advanced piece of malware researchers have seen from China-linked actors. Symantec said " There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 by attackers linked to China." They go on to explain how Daxin is used to target organizations and governments of strategic interest to China and how those agencies can protect themselves. Symantec also discusses how this is the most advanced piece of malware their researchers have seen. The research can be found here: Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
Apr 30, 2022
Cyber phases of a hybrid war. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous claims. A Declaration for the Future of the Internet.
1566
Russian and Ukrainian operators exchange cyberattacks. Wiper malware: contained, but a potentially resurgent threat. #OpRussia update. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous breach claims. CISA issues two new ICS advisories. Caleb Barlow on cleaning up the digital exhaust of your home. Our guests are Freddy Dezeure and George Webster on reporting cyber risk to boards. A Declaration for the Future of the Internet. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/83 Selected reading. Russian missiles bombard Kyiv during UN chief’s visit (The Telegraph)  Zelenskiy urges ‘strong response’ after Russia strikes Kyiv during UN Ukraine visit (the Guardian)  Anonymous hacked Russian PSCB Commercial Bank and companies in the energy sector (Security Affairs)  Ongoing DDoS attacks from compromised sites hit Ukraine (Security Affairs)  Ukraine’s Digital Battle With Russia Isn’t Going as Expected (Wired)  CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine (CISA)  Government and researchers keep US attention on Russia's cyber activity in Ukraine (The Record by Recorded Future)  CISA Adds New Russian Malware to Cyber Advisory (Nextgov)  An Overview of the Increasing Wiper Malware Threat (Fortinet Blog)  Cyber Attacks Hit Romanian Government Websites (Balkan Insight)  More than $13 million stolen from DeFi platform Deus Finance (The Record by Recorded Future)  Coca-Cola Investigates Hacking Claim (Wall Street Journal)  Coca-Cola investigating data breach claims by Stormous group (Computing)  Has 'clown show' hacking gang Stormous really breached Coca-Cola? (Tech Monitor)  Delta Electronics DIAEnergie (CISA)  Johnson Controls Metasys (CISA) 1 A Declaration for the Future of the Internet (The White House)  FACT SHEET: United States and 60 Global Partners Launch Declaration for the Future of the Internet (The White House)  US joins 55 nations to set rules for internet, with eye on China and Russia (South China Morning Post) China, India, Russia missing from future of internet pledge by US, EU, and 33 others (ZDNet)  US, partners launch plan for 'future' of internet, as China, Russia use 'dangerous' malign practices (Fox News)  U.S. joins 55 nations to set new global rules for the internet (Reuters) Reporting Cyber Risk to Boards. Board Edition. Reporting Cyber Risk to Boards. CISO Edition.
Apr 29, 2022
Russia and Ukraine trade cyberattacks. Chinese intelligence services look at Russian targets. Five Eyes advise on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Name that mascot.
1466
Microsoft summarizes the scale of Russian cyberattacks against Ukraine. Russian cyber capabilities should be neither overestimated nor underestimated. Russia has also come under cyberattack during its hybrid war. Chinese intelligence services are paying close attention to Russian targets. The Five Eyes advise us on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Linda Gray-Martin and Britta Glade from RSA discuss what’s new at RSAC and cybersecurity trends. Marc van Zadelhoff of Devo talks about their new podcast Cyber CEOs Decoded coming to the CyberWire network. And, hey kids, name that mascot. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/82 Selected reading. Special Report: Ukraine (Microsoft)  Russian Cyber Capabilities Have ‘Reached Their Full Potential,’ Ukrainian Official Says (Wall Street Journal)  Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload (Nozomi Networks)  Russia Is Being Hacked at an Unprecedented Scale (Wired) BRONZE PRESIDENT targets Russian speakers with updated PlugX - Blog (Secureworks) CISA, FBI, NSA, and International Partners Warn Organizations of Top Routinely Exploited Vulnerabilities (National Security Agency/Central Security Service)  The Air Force is trusting the internet to name its ridiculous new cybersecurity mascot (Task & Purpose)
Apr 28, 2022
Russian privateering continues. Stonefly is straight out of Pyongyang, and the Lazarus Group has never really left. Foggy Bottom seeks (Russian) snitches.
1377
Heard on the Baltimore waterfront. Privateering against Western brands. An update on sanctions and counter sanctions. Stonefly, straight outta Pyongyang. Lazarus is also back (and not in the good way). Richard Hummel from NETSCOUT discusses their bi-annual Threat Intel Report. Jon DiMaggio from Analyst1 joins us to discuss his new book, “The Art of Cyberwarfare - An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime.” And the US Department of State has added six Russian GRU officers to its Rewards for Justice program. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/81 Selected reading. Britain says Ukraine controls majority of its airspace (Reuters)  Latest strikes on Russia hint daring Ukraine is not intimidated by the Kremlin (The Telegraph)  West gearing up to help Ukraine for ‘long haul’, says US defence secretary (the Guardian)  U.S., allies promise to keep backing Ukraine in its war with Russia (Washington Post)  Russia-linked hackers claim to have breached Coca-Cola Company (CyberNews) Stormous ransomware gang claims to have hacked Coca-Cola (Security Affairs)  Chinese drone-maker DJI quits Russia and Ukraine (Register)  Russia to Cut Gas to Poland and Bulgaria, Making Energy a Weapon (Bloomberg)  Russia cuts off gas to Poland, Bulgaria, stoking tensions with E.U. over Ukraine (Washington Post)  Why Russia’s Economy Is Holding On (Foreign Policy)  Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets (Symantec) A "Naver"-ending game of Lazarus APT (Zscaler) U.S. offers $10 mln reward for information on Russian intelligence officers -State Dept (Reuters) US offering $10 million for info on Russian military hackers accused of NotPetya attacks (The Record by Recorded Future)  Rewards for Justice – Reward Offer for Information on Russian Military Intelligence Officers Conducting Malicious Activity Against U.S. Critical Infrastructure - United States Department of State (United States Department of State)
Apr 27, 2022
Diplomacy and hybrid war. Heightened cyber tension as Quds Day approaches. Conti in Costa Rica. North Korean cyber operators target journalists. C2C notes.. A guilty plea in a cyberstalking case.
1694
Heightened cyber tension as Quds Day approaches. Costa Rican electrical utility suffers from Conti ransomware. Emotet’s operators seem to be exploring new possibilities. North Korean cyber operators target journalists who cover the DPRK. A guilty plea in a strange case of corporate-connected cyberstalking. Bel Yelin ponders the potential Twitter takeover. Mr. Security Answer Person John Pescatore addresses questions about vendors. And cybercrime, run like a business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/80 Selected reading. Russia’s invasion of Ukraine: List of key events from day 62 (Al Jazeera)  Ukraine takes war behind enemy lines as Russian fuel depots set ablaze (The Telegraph)  Russia pounds eastern Ukraine as West promises Kyiv new arms (AP NEWS)  Finland, Sweden to begin NATO application in May, say local media reports (Reuters)  ‘Thanks, Putin’: Finnish and Swedish Lawmakers Aim for NATO Membership (Foreign Policy)  World War Three now a 'real' danger, Russian foreign minister Sergei Lavrov warns (The Telegraph)  Moscow cites risk of nuclear war as U.S., allies pledge heavier arms for Ukraine (Reuters)  Russia Warns of Nuclear War Risk as Ukraine Talks Go On (Bloomberg)  From Jordan to Japan: US invites 14 non-NATO nations to Ukraine defense summit (Breaking Defense) State TV says Iran foiled cyberattacks on public services (AP NEWS) State TV Says Iran Foiled Cyberattacks on Public Services (SecurityWeek) Iranian hackers claim they’ve hit the Bank of Israel - but ‘no proof,’ cyber authority says (Haaretz) North Korean hackers targeting journalists with novel malware (BleepingComputer) The ink-stained trail of GOLDBACKDOOR (Stairwell) Conti ransomware cripples systems of electricity manager in Costa Rican town (The Record by Recorded Future)  Emotet Tests New Delivery Techniques (Proofpoint)  Ex-eBay exec pleads guilty to harassing couple whose newsletter raised ire (Reuters) Mastermind of Natick couple’s harassment pleads guilty (Boston Globe)  Former eBay Executive Pleads Guilty to His Role in Cyberstalking Campaign (US Department of Justice)  Cyberkriminelle bieten Schadsoftware kostenlos an (IT-Markt)
Apr 26, 2022
Swapping small attacks in cyberspace. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. No farms, no future. Locked Shields wraps up.
1403
Anonymous counts coup with their #OpRussia campaign. Alternative energy suppliers in Europe sustain cyberattacks. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. Rick Howard hits the history books. Our guest is Paul Giorgi of XM Cyber with a look at multi-cloud hopping. Locked Shields wraps up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/79 Selected reading. Ukraine's Postal Service DDOS'd After Printing Moskova Stamps (Gizmodo)  Since declaring cyber war on Russia Anonymous leaked 5.8 TB of Russian data (Security Affairs) European Wind-Energy Sector Hit in Wave of Hacks (Wall Street Journal)  Schneider Electric says no evidence that Incontroller/Pipedream malware exploits vulnerabilities (MarketScreener)  Aid groups helping Ukraine face both cyber and physical threats (CNN)  Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code (KrebsOnSecurity)  Lapsus$ hackers breached T-Mobile’s systems and stole its source code (The Verge) Lapsus$ hackers targeted T-Mobile (TechCrunch) FBI Warns of Targeted Cyberattacks on Food Plants Amid Heightened Coverage of Fires (NTD)  Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons (IC3)  Cyberattack causes chaos in Costa Rica government systems (ABC News)  Finland wins NATO cyber defense competition (C4ISRNet)
Apr 25, 2022
Danielle Jablanski: Finding the path to success [Strategy] [Career Notes]
531
Operational technology cybersecurity strategist from Nozomi Networks, Danielle Jablanski shares her story of building a target map to end up where she is today. She shares how she started in college and how different paths in life got her to be on the target of success where she is today. She says " you build out that kind of target of where you want to be, and understand that getting to that point might mean doing things you don't enjoy for a number of years, but figuring that out is another way to get to that target without having like a clear bullseye" She goes on to explain how this target map is helping her to create real change and ultimately makes an impact. We thank Danielle for sharing her story.
Apr 24, 2022
BABYSHARK is swimming again! [Research Saturday]
2220
John Hammond from Huntress joins Dave Bittner on this episode to discuss malware known as BABYSHARK and how it is swimming out for blood once again. Huntress's research says "This activity aligns with known tradecraft attributed to North Korean threat actors targeting national security think tanks." Huntress also adds that the activity was spotted on February 16th and immediately their ThreatOps team began following the trail of breadcrumbs. They said "This led them to uncover the malware that was set to target specifically this organization–and certain influential individuals within it." The research can be found here: Targeted APT Activity: BABYSHARK Is Out for Blood
Apr 23, 2022
The cyber phases of Russia's war against Ukraine. Sanctions and the criminal underworld. Conti’s fortunes. More_eggs resurfaces. BlackCat ransomware warning.
1804
A look at Russian malware used against Ukrainian targets. Actual and potential targets harden themselves against Russia cyberattacks. Sanctions and the criminal underworld. Conti’s fortunes. A credential stealer resurfaces in corporate networks. BlackCat ransomware warning. Tomer Bar from SafeBreach discusses MuddyWaters. Dr. Christopher Emdin previews his new book STEM, STEAM, Make, Dream. CISA releases three more ICS security advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/78 Selected reading. Russia outlines when Ukraine war will end (Newsweek)  Russia racing against clock to win Ukraine war before May 9 'Victory Day' (Newsweek)  A deeper look at the malware being used on Ukrainian targets (The Record by Recorded Future) Ukraine ramps up cyber defences to slow surge in attacks (The Straits Times) Five Eyes Alert Warns of Heightened Risk of Russian Cyber Attacks (Bloomberg)  Preparing for Energy Industry Cyberattacks (Wall Street Journal) US sets dangerous precedents in cyberspace (Global Times)  Russia’s War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here’s How They’re Adapting (Flashpoint)  U.S. Treasury Designates Facilitators of Russian Sanctions Evasion (U.S. Department of the Treasury) Russia says nyet, sanctions Mark Zuckerberg, LinkedIn’s Roslansky, VP Harris and other US leaders (TechCrunch)  Russia’s War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here’s How They’re Adapting (Flashpoint)  GOLD ULRICK continues Conti operations despite public disclosures (Secureworks)  Costa Rica's Alvarado says cyber​​attacks seek to destabilize country as government transitions (Reuters) Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire (eSentire)  BlackCat/ALPHV Ransomware Indicators of Compromise (IC3)  FBI: BlackCat ransomware breached at least 60 entities worldwide (BleepingComputer)  Delta Electronics ASDA-Soft (CISA)  Johnson Controls Metasys SCT Pro (CISA)  Hitachi Energy MicroSCADA Pro/X SYS600 (CISA) 
Apr 22, 2022
Renewed Five Eyes’ warning about potential Russian cyberattacks. FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business.
1323
A renewed Five Eyes’ warning about potential Russian cyberattacks. The FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business. Carole Theriault shares insights on bug bounty programs. Our own Rick Howard checks in with Zack Barack from Coralogix on where things stand with XDR. And beware of threats of Facebook account suspension. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/77 Selected reading. Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure US and allies warn of Russian hacking threat to critical infrastructure REvil's TOR sites come alive to redirect to new ransomware operation ( FBI Warns of Ransomware Attacks on Farming Co-ops During Planting, Harvest Seasons ( Phishing Site on Facebook Domain Used to Steal Credentials
Apr 21, 2022
Updates on Russia’s hybrid war. Pegasus spyware in the service of espionage. CISA issues alerts and vulnerability warnings. C2C markets. Extradition for Assange? A guilty plea in a US cyberstalking case.
1563
A Shuckworm update. Pegasus spyware found in UK government officials’ phones. CISA issues six ICS security alerts and adds three entries to its Known Exploited Vulnerabilities Catalog. Gangs succeed when criminals run them like a business. Julian Assange moves closer to extradition to the US. Tim Eades from Cyber Mentor Fund on cyber valuations. Our guest is Wes Mullins from deepwatch discussing adversary simulations. And a guilty plea in a high-profile cyberstalking case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/76 Selected reading. Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine UK Government Reportedly Infected With NSO Group Spyware ‘CatalanGate’ Spyware Infections Tied to NSO Group Pegasus Spyware and Citizen Surveillance: What You Need to Know Julian Assange extradition order issued by London court, moving WikiLeaks founder closer to US transfer . Former eBay executive to plead guilty to cyberstalking campaign targeting couple
Apr 20, 2022
In a hybrid war, it’s about the timing. Not quite all quiet on the cyber front. Pyongyand is phishing for wallets (and and other blockchained valuables). Emotet really likes those malicious macros.
1461
In a hybrid war, sometimes it’s about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for crypto wallets (and your NFTs, and other blockchained valuables). Emotet really likes those malicious macros. Joe Carrigan looks at prompt bombing. Bec McKeown from Immersive Labs explains human cyber capabilities. And it’s our anniversary this week: celebrate with us. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/75 Selected reading. Ukraine Update: Zelenskiy Says Battle for Donbas Has Begun (Bloomberg)  Ukraine at D+50: Russian reconstitution continues as shields stay up for ICS attacks. (The CyberWire) Military intel chief believes Russia not to achieve any wins in Ukraine by Easter as Kremlin wishes (Ukrinform) Ukraine War Divides Orthodox Faithful (New York Times)  US officials ramp up warnings about Russian cyberattacks (The Hill)  NATO Plays Cyberwar to Prep for a Real Russian Attack (Gizmodo)  FS-ISAC Leads Financial Sector in Global Live-Fire Cyber Exercise Locked Shields (PR Newswire)  If anyone understands Russian cyber dangers, it's Estonia's former president (Washington Post) North Korean State-Sponsored APT Targets Blockchain Companies (CISA)   TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (CISA)  US warns of Lazarus hackers using malicious cryptocurrency apps (BleepingComputer)  Trends in the Recent Emotet Maldoc Outbreak | FortiGuard Labs (Fortinet Blog)
Apr 19, 2022
Nuisance-level cyber ops in a hybrid war. “CatalanGate.” Industrial Spy caters to victims’ competitors? Conti chatter. $5 million reward for info on DPRK ops. Exercise Locked Shields.
1520
Nuisance-level cyberattacks continue on both sides of Russia’s hybrid war against Ukraine. Face-saving disinformation. “CatalanGate.” Industrial Spy says it caters to its victims’ competitors. More on what’s been learned from Conti’s leaked chatter. Rewards for Justice offers $5 million for tips on DPRK cyber ops. Awais Rashid on supply chain risk management. Our guest is Jack Chapman from Egress to discuss a 232% increase in LInkedIn phishing attacks. And Exercise Locked Shields begins tomorrow. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/74 Selected reading. Occupants send computer viruses allegedly on behalf of SBU (Interfax-Ukraine) Ransomware groups go after a new target: Russian organizations (The Record by Recorded Future). Currency.com Targeted in Failed Cyber-Attack (Accesswire)  Russia says missile attacks on Kyiv will increase (Military Times)  Film and photos appear to show Russian cruiser Moskva shortly before it sank (the Guardian) CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru (The Citizen Lab) New Industrial Spy stolen data market promoted through cracks, adware (BleepingComputer)  Event Overview: CONTI Leaks 2022 (BlueVoyant) U.S. offers $5 million for info on North Korean cyber operators (The Record by Recorded Future)  North Korea: Up to $5 Million Reward (US State Department) World´s Largest International Live-Fire Cyber Exercise launches in Tallinn (CCDCOE) 
Apr 18, 2022
Satya Gupta: Rising to your contribution. [CTO] [Career Notes]
565
Co-founder and CTO of Virsec, Satya Gupta shares his story of how he has over 25 years of expertise in embedded systems, network security and systems architecture. He also talks about how a colleague of his told him something that resinated with him, he said " that was really a remarkable statement that I heard from that person. You rise to the point where you can actually contribute." He also discusses how he got into the startup atmosphere and how different scenarios in his life helped to lead him to the successful man he has become in the cyber community. We thank Satya for sharing his story.
Apr 17, 2022
CyberWire Live: Hack the Port 2022 Fireside chat. [Special Edition]
2280
At the Hack the Port 2022 event, the CyberWire held a CyberWire Live event. CyberWire Daily Podcast host Dave Bittner was joined by Roya Gordon, OT/IoT Security Research Evangelist at Nozomi Networks, and Christian Lees, CTO at Resecurity. During this fireside chat format session, Dave and our guests discussed ICS, OT cybersecurity, the role of security research and demos, supply chain compromise, and IT/OT security trends among other things. Thanks to the team at MISI/DreamPort for this opportunity.
Apr 17, 2022
A fight to defend Taiwan financial institutions. [Research Saturday]
1154
Alan Neville from Symantec/Broadcom joins Dave Bittner on this episode to discuss Antlion, a Chinese state-backed hacker group, are using custom backdoors to target financial institutions in Taiwan. Symantec's blog shares the research behind the attacks and how the backdoor allowed the attackers to run WMI commands remotely. Symantec's research showed that "The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks." They have since found that this attack has been going on over the course of the past 18 months, in which 250 days were spent on the financial organization and around 175 days were spent on the manufacturing organization. The research can be found here: Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
Apr 16, 2022
Further developments in Russia’s hybrid war. Conti claims responsibility for the Nordex hack. Lazarus Group heist. Indictments in influence ops case.
1440
Further developments in the Incontroller/Pipedream industrial control system threat. Conti claims responsibility for the Nordex hack. The half-a-billion stolen from Ronin went to the Lazarus Group. And indictments in an influence ops case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/73 Selected reading. Ukraine war: Russia threatens to step up attacks on Kyiv (BBC News)  Live Updates: Russia Sets Stage for Battle to Control Ukraine’s East (New York Times) Russian Troops Risk Repeating Blunders If They Try for May 9 Win (Bloomberg)  Why Putin may be aiming to declare victory over Ukraine on May 9 (Fortune)  What Victory Day means for Russian identity (Washington Post)  Spy games: expulsion of diplomats shines light on Russian espionage (the Guardian) Finland and Sweden pursue unlinked NATO membership (Defense News) What Finland Can Offer NATO (Foreign Policy) U.S. warns energy firms of a rapidly advancing hacking threat (E&E News)  Wind turbine firm Nordex hit by Conti ransomware attack (BleepingComputer)  Karakurt revealed as data extortion arm of Conti cybercrime syndicate (BleepingComputer) Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team (Infinitum) US agency attributes $540 million Ronin hack to North Korean APT group (The Record by Recorded Future) North Korea Designation Update (U.S. Department of the Treasury)  Russian legislator, staff accused of trying to influence US lawmakers: DOJ (Newsweek)  Russian Legislator and Two Staff Members Charged with Conspiring to Have U.S. Citizen Act as an Illegal Agent of the Russian Government in the United States (US Department of Justice)
Apr 15, 2022
A nation-state threat actor targets industrial systems. It’s hard to recover from a threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin is back. Conti runs like a business.
1387
A nation-state threat actor (probably Russian) targets industrial systems. A quick look at the GRU's earlier attempt against Ukraine's power grid. The difficulty of recovering from a credible threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin speaks Russian, and it holds Russian companies for ransom. Carole Theriault looks at research on lie detection. Josh Ray from Accenture drops some SBOMs. And another look at the privateers in the Conti gang. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/72 Selected reading. Ukraine Update: U.S., EU to Send More Arms; Warship Damaged (Bloomberg)  INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems (Mandiant). PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments | Dragos (Dragos)  APT Cyber Tools Targeting ICS/SCADA Devices (CISA)  U.S. warns newly discovered malware could sabotage energy plants (Washington Post)  Industroyer2 Targets Ukraine’s Electric Grid: Here’s How Companies Can Stay Protected and Resilient (Nozomi Networks) Wind Turbine Giant Nordex Hit By Cyber-Attack (Infosecurity Magazine) Lazarus Targets Chemical Sector (Symantec) Old Gremlins, new methods (Group-IB) Leaked documents show notorious ransomware group has an HR department, performance reviews and an 'employee of the month' (CNBC)
Apr 14, 2022
Powergrid attacks, DDoS, and doxing in a hybrid war. Notes on botnets, and a threat actor changes its phish hooks. Patch Tuesday. Sentence passed in a sanctions evasion case.
1547
Indestroyer2 and Ukraine's power grid. More on last week's distributed denial-of-service attack against Finland. Anonymous claims to have doxed Russia's Ministry of Culture. Hafnium gets evasive. Enemybot is under development but worth keeping an eye on. Changing the phish hook. Patch Tuesday notes. Tim Eades from Cyber Mentor Fund on digital & security transformations. Our guest is Aaron Shilts from NetSPI onproactive public-private sector security collaboration. Sanctions evasion is serious business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/71 Selected reading. Why Russia’s Cyber Warriors Haven't Crippled Ukraine (The National Interest) In Ukraine, a ‘Full-Scale Cyberwar’ Emerges (Wall Street Journal)  Russian hackers tried to bring down Ukraine’s power grid to help the invasion (MIT Technology Review)  Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine (Wired) Ukraine Thwarts Cyberattack on Electric Grid, Officials Say (Wall Street Journal)  Zhadnost strikes again… this time in Finland. (SecurityScorecard) Anonymous Hits Russian Ministry of Culture- Leaks 446GB of Data (HackRead)  Tarrask malware uses scheduled tasks for defense evasion (Microsoft Security Blog)  Enemybot: A Look into Keksec's Latest DDoS Botnet (Fortinet Blog)  Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene (ZDNet)  Qbot malware switches to new Windows Installer infection vector (BleepingComputer)  Microsoft Releases April 2022 Security Updates (CISA) Google Releases Security Updates for Chrome (CISA)  Citrix Releases Security Updates for Multiple Products (CISA) Apache Releases Security Advisory for Struts 2 (CISA)  Valmet DNA (CISA)  Mitsubishi Electric MELSEC-Q Series C Controller Module (CISA)  Inductive Automation Ignition (CISA)  Mitsubishi Electric GT25-WLAN (CISA)  Aethon TUG Home Base Server (CISA)  U.S. crypto researcher sentenced to five years for helping North Korea evade sanctions (Reuters)
Apr 13, 2022
Cyber takes point in a hybrid war. Medical robot vulnerabilities remediated. A Cyber Civil Defense for the US? Europol leads the takedown of RaidForums.
1629
GRU deploys Industroyer2 against the Ukrainian energy sector. NB65 counts coup against Roscosmos. Anonymous doxes three more Russian companies. President Putin purges the FSB’s Fifth Service. CISA warns of an exploited firewall vulnerability. Medical robots’ vulnerabilities are remediated. A Cyber Civil Defense effort in the US. Ben Yelin on newly passed cyber legislation. Our guest is Chase Snyder from ExtraHop to discuss their recent Cyber Confidence Index. And good riddance to RaidForums. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/70 Selected reading. Russia’s Reset (New York Times) Russia will not pause military operation in Ukraine for peace talks (Reuters)  Industroyer2: Industroyer reloaded | WeLiveSecurity (WeLiveSecurity) CERT-UA warns of large-scale cyber attack on energy sector (Interfax-Ukraine) Russia's space programme hit by western cyber attack (The Telegraph) Anonymous Hits 3 Russian Entities, Leaks 400 GB Worth of Emails (HackRead)  Russia’s Ukraine Propaganda Has Turned Fully Genocidal (Foreign Policy)  Russia-Ukraine latest news: Vladimir Putin vows ‘clear and noble’ aims of Russian invasion will be achieved (The Telegraph) CISA warns orgs of WatchGuard bug exploited by Russian state hackers (BleepingComputer) CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA)  Cynerio Discovers and Discloses JekyllBot:5, a Series of Critical Zero-Day Vulnerabilities Allowing Attackers to Remotely Control Hospital Robots (Cynerio) Craig Newmark Philanthropies Pledges $50 Million to Cyber Civil Defense (Global Cyber Alliance) 
Apr 12, 2022
Cyber skirmishing as Russia redeploys in Ukraine. Spyware in senior EC official’s device. Sharkbot-infested apps ejected from Google Play. Advice from CISA.
1524
US National Security Advisor says atrocities were part of Russia's plan. Russian commanders seek to keep troops away from dangerous sections of the Internet. Cyberattacks in Finland may be a shot across Helsinki's bow. CERT-UA warns of a phishing campaign. Hacktivists hit Russian organizations. Mixed reviews for US preemptive measures against GRU botnets. Sharkbot-infested apps ejected from Google Play. Johannes Ullrich from SANS on malicious ISO files embedded in HTML. Our guest is Neal Dennis from Cyware on threat intel sharing with members of Auto-ISAC. What you should do when your Shields are Up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/69 Selected reading. Russia Shuffles Command in Ukraine as Thousands Flee the East (New York Times)  Sullivan: Intel indicates plan from ‘highest levels’ of Russian government to target civilians (The Hill)  Russian soldiers banned from social media as ‘uncomfortable truths’ drain their morale (The Telegraph)  West Seeks to Pierce Russia’s Digital Iron Curtain (Foreign Policy) YouTube blocks Russian parliament channel, drawing ire from officials (Reuters)  U.S. quietly paying millions to send Starlink terminals to Ukraine, contrary to SpaceX claims (Washington Post) Hackers use Conti's leaked ransomware to attack Russian companies (BleepingComputer)  Державна служба спеціального зв’язку та захисту інформації України (GUR) How Russia's Invasion Triggered a US Crackdown on Its Hackers (Wired) The U.S. Opens a Risky New Front in Cyberdefense (Bloomberg)  Meet the 1,300 librarians racing to back up Ukraine’s digital archives (Washington Post)  The Race to Save Posts That May Prove Russian War Crimes (Wired)  Exclusive: Senior EU officials were targeted with Israeli spyware (Reuters)  SharkBot Android Malware Continues Popping Up on Google Play (SecurityWeek)  SharkBot Banking Trojan spreads through fake AV apps on Google Play (Security Affairs)  Sharing Cyber Event Information: Observe, Act, Report (CISA)
Apr 11, 2022
SolarWinds through a first principle lens. [CSO Perspectives]
1281
Enjoy this sample of CSO Perspectives, a CyberWire Pro podcast. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more. On this episode, host Rick Howard discusses if the first principles theories prevent material impact in the real world, such as the latest SolarWinds attack. Previous episodes referenced: S1E6: 11 MAY: Cybersecurity First Principles S1E7: 18 MAY: Cybersecurity first principles: zero trust S1E8: 26 MAY: Cybersecurity first principles: intrusion kill chains. S1E9: 01 JUN: Cybersecurity first principles - resilience S1E11: 15 JUN: Cybersecurity first principles - risk S2E3: 03 AUG: Incident response: a first principle idea. S2E4: 10 AUG: Incident response: around the Hash Table.  S2E7: 31 AUG: Identity Management: a first principle idea. S2E8: 07 SEP: Identity Management: around the Hash Table. Other resources: “A BRIEF HISTORY OF SUPPLY CHAIN ATTACKS,” by Secarma, 1 September 2018. “Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers,” by 365 Defender Research Team and the Threat Intelligence Center (MSTIC), Microsoft, 18 December 2020. “A Timeline Perspective of the SolarStorm Supply-Chain Attack,” by Unit 42, Palo Alto Networks, 23 December 2020. “Cobalt Strike,” by MALPEDIA. “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” by Kim Zetter, Published by Crown, 3 June 2014. “Cybersecurity Canon,” by Ohio State University. “FireEye shares jump back to pre-hack levels,” Melissa Lee, CNBC, 23 December 2020. "Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks," by Rick Howard, Ryan Olson, and Deirdre Beard (Editor), The Cyber Defense Review, Fall 2020. “Orion Platform,” by SolarWinds. “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers,” by Andy Greenberg, Published by Doubleday, 7 May 2019.  “Solarstorm,” by Unit 42, Palo Alto Networks, 23 December 2020. “The Cybersecurity Canon: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon,” by Rick Howard, The Cybersecurity Canon Project, 28 January 2015. “Using Microsoft 365 Defender to protect against Solorigate,” by the Microsoft 365 Defender Team, 28 December 2020.
Apr 11, 2022
Chenxi Wang: Overcoming the obstacle of fear. [Venture Capital] [Career Notes]
562
Founder and general partner of Rain Capital, Chenxi shares her story and how she conquered and got over the obstacle of fear to reach her goals in life. " I realized a lot of times my obstacle is my own fear rather than a real obstacle" Wang states, she also shares her story of breaking glass ceilings as a female founder and working in the field of cybersecurity. She hopes to be remembered for being a kind person and developing her own venture fund, as she shares her story to the top, she states what she does and how she got to be where she is today. We thank Chenxi for sharing her story.
Apr 10, 2022
The secrets behind Docker. [Research Saturday]
1314
Alon Zahavi from CyberArk, joins Dave Bittner on this episode to discuss CyberArk's work in conjunction with Patch Tuesday. CyberArk published about how Docker inadvertently created a new vulnerability and what happens when it's exploited. CyberArk's research concluded that an attacker may execute files with capabilities or setuid files in order to escalate its privileges up to root level. CyberArk found the new vuln in some of Microsoft’s Docker images, caused by misuse of Linux capabilities, a powerful additional layer of security that gives admins the ability to assign capabilities and privileges to processes and files in the Linux system The research can be found here: How Docker Made Me More Capable and the Host Less Secure
Apr 09, 2022
Disinformation in Russia’s war of aggression. Correlating overhead imagery and radio intercepts. Taking down state-sponsored cyber ops. Threats to power grids.
1448
Russian disinformation in its war against Ukraine. Overhead imagery and electronic intercepts suggest that Russian atrocities are matters of policy and strategy. Microsoft disrupts GRU cyber operations. Facebook takes down Iranian coordinated inauthenticity. India’s Power Ministry says it stopped a Chinese cyberattack. Dave Dufour from Webroot on evolving attack mechanisms. Our guest is Dan Petro of Bishop Fox with a warning for document redaction. Grid security and the value of exercises. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/68 Selected reading. Putin’s ‘probably given up’ on Kyiv as Ukraine war enters new phase (Defense News)  Ukraine says 39 killed in rocket strike on rail evacuation hub (Reuters) Russian rocket attack on Kramatorsk train station kills dozens—Ukraine (Newsweek)  Possible Evidence of Russian Atrocities: German Intelligence Intercepts Radio Traffic Discussing the Murder of Civilians in Bucha (Der Spiegel) Germany intercepts Russian talk of indiscriminate killings in Ukraine (Washington Post)  Microsoft says it disrupted Russian cyberattacks targeting Ukraine, West (The Hill) Disrupting cyberattacks targeting Ukraine - Microsoft On the Issues (Microsoft On the Issues)  GridEx VI Lessons Learned Report (NERC) Power Grid Stress Test Finds Low-Tech Needs for High-Tech Problems (Wall Street Journal)  Dire grid hacking scenario sparked “shields up” approach to Russian threat (Medium)
Apr 08, 2022
Blocking and tackling in the cyber phases of Russia’s hybrid war against Ukraine. Info-harvesting SDK. Recon into a power grid. Hydra Market indictment. Catphishing. Advance fee scams with a new twist.
1695
An update on US cyber defensive operations and the war in Ukraine. You can’t tell your oligarchs without a scorecard. Google ejects data-harvesting apps from Play. China preps the cyber battlespace against India’s power grid. More moves against Hydra Market. Bearded Barbie’s catphishing. Betsy Carmelite from BAH on a blueprint for achieving a secure and resilient dot gov. Our guest is Padraic O'Reilly from CyberSaint with a fresh look at ransomware. And your majesty, meet this here dissident, who also needs to move money for the best of reasons…. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/67 Selected reading. Pentagon: Russia has fully withdrawn from Kyiv, Chernihiv (Washington Post)  Zelenskyy tells UN: Act now on Russia or dissolve yourself altogether (Atlantic Council)  DoJ takes down Russian botnet that targeted WatchGuard and Asus routers (ZDNet)  FBI Disables "Cyclops Blink" Botnet Controlled by Russian Intelligence Agency (SecurityWeek)  Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) (US Department of Justice)  Adversarial Threat Report (Meta) Facebook cracks down on covert influence networks targeting Ukraine (Washington Post) Russian-backed hackers broke into Facebook accounts of Ukrainian military officials (CBS News)  Britain slaps sanctions on Russia’s biggest bank  (The Telegraph)  Russia hit with new round of U.S. sanctions as Biden decries 'major war crimes' (Reuters)  U.S. to Sanction Putin Children, Banks Over Bucha Atrocities (Bloomberg) The Forbes Ultimate Guide To Russian Oligarchs (Forbes)  Suspected Chinese Hackers Collect Intelligence From India’s Grid (Bloomberg)  Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (Recorded Future)  Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials (Cybereason)  Google Bans Apps With Hidden Data-Harvesting Software (Wall Street Journal) The Nigerian Prince Scam, with a Russian Twist (Avanan)
Apr 07, 2022
Fire and cyber in Ukraine. Stone Panda (Cicada, APT10) expands its interests. Bogus e-commerce sites harvest banking credentials. Advice and guidance from CISA
1532
There’s a maneuver lull in Russia’s hybrid war against Ukraine, but fire and cyber ops continue. The US provides cyber assistance to Ukraine. The Cicada call of Stone Panda. Phony e-commerce sites seek to harvest banking credentials. CISA offers some advice and some guidance. Hydra Market sanctioned. Awais Rashid from Bristol University on anonymous communication systems. Our guest is Armaan Mahbod of DTEX Systems with a look at supermalicious insiders. And the most popular password is... For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/66 Selected reading. Russian military ‘weeks’ from being ready for new push as war takes its toll (The Telegraph) Russia's failure to take down Kyiv was a defeat for the ages (AP NEWS) U.S. Cyber Command providing cyber expertise and intelligence in Ukraine's fight against Russia (FedScoop)  Cyber Command chief: U.S. has 'stepped up' to protect Ukraine's networks (The Record by Recorded Future)  How Ukraine has defended itself against cyberattacks – lessons for the US (FIU News)  Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity (Symantec)  Fake e‑shops on the prowl for banking credentials using Android malware (WeLiveSecurity)  CISA adds Spring4Shell vulnerability, Apple zero-days to exploited catalog (The Record by Recorded Future)  LifePoint Informatics Patient Portal (CISA)  Rockwell Automation ISaGRAF (CISA)  Johnson Controls Metasys (CISA)  Philips Vue PACS (Update A) (CISA) Treasury Sanctions Russia-Based Hydra, World’s Largest Darknet Market, and Ransomware-Enabling Virtual Currency Exchange Garantex (U.S. Department of the Treasury) Most Common Passwords 2022 - Is Yours on the List? (CyberNews)
Apr 06, 2022
Disinformation at the UN. Phishing against Ukraine. Hydra Market taken down. Is someone carrying on for Lapsus$? Compromise at Mailchimp. FIN7 branches out into ransomware.
1409
Disinformation at the UN. Russian cyber operations against Ukraine. Bravo, BKA: German police take down a major contraband market. Under arrest but still in business? At least someone’s carrying on for Lapsus$. Compromise at Mailchimp. Joe Carrigan describes Javascript vulnerabilities. Carole Theriault with an eye on romance scams through the lens of Netflix's "The Tinder Swindler". And a well-known gang branches out. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/65 Selected reading. Live Updates: U.N. Security Council to Meet as Evidence of War Crimes Mounts (New York Times)  Elephant Framework Delivered in Phishing Attacks against Ukrainian Organizations (Intezer)  Germany takes down Hydra, world's largest darknet market (BleepingComputer) LAPSUS$ hacks continue despite two hacker suspects in court (Naked Security)  FIN7 hackers evolve toolset, work with multiple ransomware gangs (BleepingComputer) Notorious hacking group FIN7 adds ransomware to its repertoire (CyberScoop) Hackers breach MailChimp's internal tools to target crypto customers (BleepingComputer)  Email marketing giant Mailchimp has confirmed a data breach (TechCrunch) 
Apr 05, 2022
Doxing, trolling, and censorship in a hybrid war. Borat RAT. State’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Wild youth. Hey spooks: brown bag it like the GRU.
1790
Doxing, trolling, and censorship in a hybrid war. Western organizations remain on alert for a Russian cyber campaign. Known Russian threat actors continue operations against Ukraine proper. Borat RAT described. Welcome the US State Department’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Your wild ways will break your mother’s heart. Rick Howard weighs in on Shields Up. Josh Ray from Accenture on ideological differences on underground forums. And fast food as an OPSEC issue (and an OSINT source). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/64 Selected reading. Ukraine intelligence leaks names of 620 alleged Russian FSB agents (Security Affairs)  Anonymous leaked 15 GB of data allegedly stolen from the Russian Orthodox Church (Security Affairs)  Listen Now: Deputy national security adviser talks about the risk of Russia waging cyberwar (NPR One)  Inside Cyber Front Z, the ‘People’s Movement’ Spreading Russian Propaganda (Vice) Ukraine Accuses Russia of Using WhatsApp Bot Farm to Ask Military to Surrender (Vice) ‘It’s like 1937’: Informants denounce anti-Ukraine war Russians (The Telegraph)  Cyber Espionage Actor Deploying Malware Using Excel (Bank Info Security) New Borat remote access malware is no laughing matter (BleepingComputer) Deep Dive Analysis – Borat RAT (Cyble) Establishment of the Bureau of Cyberspace and Digital Policy (United States Department of State)  Supply Chain Integrity Month (CISA) April is National Supply Chain Integrity Month. As Russia Plots Its Next Move, an AI Listens to the Chatter (Wired)  Data leak from Russian delivery app shows dining habits of the secret police (The Verge) 
Apr 04, 2022
Living security: the current state of XDR. [CyberWire-X]
1828
In this CyberWire-X episode, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores the state of XDR. Joining Rick on this episode are Ted Wagner, SAP National Security Services CISO and CyberWire Hash Table member, and from episode sponsor Trellix are Bryan Palma, the Trellix Chief Executive Officer, and John Fokker, the Trellix Head of Cyber Investigations. Listen as Rick and guests discuss XDR, SASE, SIEM, and SOAR.
Apr 03, 2022
Michael DeBolt: From acting to cyber. [Intelligence] [Career Notes]
428
Chief intelligence officer at Intel 471, Michael shares his story where he started as an actor and quickly changed over to intelligence and what the transition was like for him. Michael grew up wanting to be an actor and even was able to land some acting jobs, after going into the Marine Corps he decided to leave acting behind and start a new path in his journey. He says looking for a purpose really helped to shape him, saying "looking back on it, I feel like my life purpose has really been all about kind of this relentless pursuit of justice" and how the risks in his life has helped to right the wrongs of the world. We thank Michael for sharing his story.
Apr 03, 2022
A popular malware scheme and pay-per-install services. [Research Saturday]
1235
Guest Michael DeBolt from Intel 471 joins Dave Bittner on this episode to discuss one of the most popular commodity malware loaders on the underground – PrivateLoader. The blog provides an analysis of campaigns since May 2021, full details on a Pay-per-install (PPI) malware service, the methods operators employ to obtain “installs,” and insights on the malware families the service delivers. On Intel 471's blog, it shows the breakdown of how the PrivateLoader download is delivered and how it works. The blog states "Visitors are lured into clicking a “Download Crack” or “Download Now” button to obtain an allegedly cracked version of the software." Michael explains more about this popular commodity malware loader. The research can be found here: PrivateLoader: The first step in many malware schemes
Apr 02, 2022
Epistemic closure in a hybrid war. Wiper used against VIasat modems. US Treasury sanctions more Russian actors. Remediating Spring4shell. Notes from law enforcement. And we’re not joking.
1546
Attempting to evolve rules of cyber conduct during a hot hybrid war. Waiting for major Russian cyber operations. Viasat terminals were hit by wiper malware. Patches and detection scripts for Spring4shell. Warning of ransomware threat to local governments. Emergency data requests under Senatorial scrutiny. NSA employee charged with mishandling classified material. Andrea Little Limbago from Interos on Bots, Warriors and Trolls. Rick Howard speaks with Maretta Morovitz on cyber deception. And no April Foolin’ here For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/63 Selected reading. Russia’s War Lacks a Battlefield Commander, U.S. Officials Say (New York Times)  Putin may be self-isolating from his military advisers, says White House (The Telegraph)  Confronting Russian Cyber Censorship (Wilson Center)  Zelensky Fires Two Generals (Wall Street Journal)  French intelligence chief Vidaud fired over Russian war failings (BBC News)  Cyber War Talks Heat Up at UN With Russia at Table (Bloomberg.com) Foreign Ministry statement on continued cyberattack by the “collective West” (Ministry of Foreign Affairs of the Russian Federation)  New Protestware Found Lurking in Highly Popular NPM Package (Checkmarx.com) Russia targeting Ukraine, countries opposing war in cyberspace (Jerusalem Post) Conti Leaks: Examining the Panama Papers of Ransomware (Trellix)  British intelligence agencies: Moscow continuously attacks Ukraine in cyberspace (The Times Hub) AcidRain | A Modem Wiper Rains Down on Europe (SentinelOne) SentinelOne finds ties between Viasat hack and Russian actor (SC Magazine) ExtraHop CEO: Expect a Russian cyber response to sanctions (Register) Treasury sanctions Russian research center blamed for Trisis malware (CyberScoop)  Treasury Targets Sanctions Evasion Networks and Russian Technology Companies Enabling Putin’s War (U.S. Department of the Treasury) Evgeny Viktorovich Gladkikh – Rewards For JusticeArtboard 4Artboard 4 (Rewards for Justice)  Spring confirms ‘Spring4Shell’ zero-day, releases patched update (The Record by Recorded Future)  Spring4Shell (CVE-2022-22965): Are you vulnerable to this Zero Day? (Cyber Security Works)  Ransomware Attacks Straining Local US Governments and Public Services (IC3)  Senate’s Wyden Probes Use of Forged Legal Requests by Hackers (Bloomberg)  NSA Employee Charged with Mishandling Classified Material (Military.com) National Security Agency Employee Indicted for Willful Transmission and Retention of National Defense Information (US Department of Justice)  National Security Agency Employee Facing Federal Indictment for Willful Transmission and Retention of National Defense Information (US Department of Justice)
Apr 01, 2022
Moscow poorly served by its intelligence services, say London and Washington. Cyber phases of the hybrid war. A new zero-day, and some resurgent criminal activity.
1401
Russian cyber operators collect against domestic targets. More details on the Viasat hack. Ukrainian hacktivists say they can interfere with Russian geolocation. Spring4shell is another remote-code-execution problem. The Remcos Trojan is seeing a resurgence. Malicious links distributed via Calendly. Johannes Ullrich from SANS on attack surface detection. Our guest is Fleming Shi from Barracuda on cybersecurity champions. Phishing with “emergency data requests.” Lapsus$ may be back from vacation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/62 Selected reading. Vladimir Putin is being lied to by his advisers, says GCHQ (The Telegraph)  U.S. intelligence suggests that Putin’s advisers misinformed him on Ukraine. (New York Times)  White House: Intel shows Putin misled by advisers on Ukraine (AP NEWS)  Russian troops sabotaging their own equipment and refusing orders in Ukraine, UK spy chief says (CNBC)  Phishing campaign targets Russian govt dissidents with Cobalt Strike (BleepingComputer)  KA-SAT Network cyber attack overview (Viasat.com)  Tracking cyber activity in Eastern Europe (Google) Ukrainian Hackers Take Aim at Russian Artillery, Navigation Signals (Defense One)  Russian efforts in Ukraine have not yet spilled over into cyberattacks on US, says lawmaker (C4ISRNet) New Spring Framework RCE Vulnerability Confirmed - What to do? (Sonatype)  New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared (Contrast Security) Spring Core on JDK9+ is vulnerable to remote code execution (Praetorian)  Spring4Shell: No need to panic, but mitigations are advised (Help Net Security)  Remcos Trojan: Analyzing the Attack Chain (Morphisec)  Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests (Bloomberg)  Fresh Phish: Phishers Schedule Victims on Calendar App (INKY)  Lapsus$ claims Globant as its latest breach victim (TechCrunch)
Mar 31, 2022
Taking down bot farms. Cyber aggression. Kinetic influence ops, Spamming yourself? CS control system advisories. Sanctions are also biting Russian cyber gangs.
1469
Taking down bot farms. Russia says the US is the aggressor in cyberspace. Influence operations, arriving at Mach 10. The call is coming from inside the house! Cyber incidents affect aviation services. CISA posts ICS control system advisories. I welcome Tim Eades from the Cyber Mentor Fund. Our guest is Alex Holland from HP Wolf Security describing a new wave of attacks. And Sanctions are also biting Russian cyber gangs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/61 Selected reading. Ukraine dismantles 5 disinformation bot farms, seizes 10,000 SIM cards (BleepingComputer) Russia accuses U.S. of massive 'cyber aggression' (Reuters)  Russia Has Fired 'Multiple' Hypersonic Missiles Into Ukraine, US General Confirms (Defense One)  BREAKING: Russian Aviation Authority Suffers Cyberattack (Mentour Pilot)  Bradley Airport Website Suffers Cyber Attack (NBC Connecticut)  Philips e-Alert (CISA)  Rockwell Automation ISaGRAF (CISA)  Omron CX-Position (CISA)  Hitachi Energy LinkOne WebView (CISA) Modbus Tools Modbus Slave (CISA)  Delta Electronics DIAEnergie (CISA) “Your rubles will only be good for lighting a fire”: Cybercriminals reel from impact of sanctions (Digital Shadows)  Sanctions Hitting Russian Cyber-Criminals Hard (Infosecurity Magazine) 
Mar 30, 2022
Cyber phases of a hybrid war continue at a nuisance level. IcedID’s distribution vectors. Automating software supply-chain attacks. CISA offers power supply risk mitigation guidance.
1759
A cyberattack takes down a major Ukrainian Internet provider. GhostWriter is said to deploy Cobalt Strike against the Ukrainian government. Anonymous makes some large claims. This just in: spies drive drunk: Ukrainian intelligence doxes FSB officers. Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams. Red-Lili automates software supply-chain attacks. Ben Yelin considers Russian cyber capabilities. Mr. Security Answer Person John Pescatore addresses security automation. And CISA offers mitigation guidance on risks to uninterruptible power supplies. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/60 Selected reading. Russia says it will scale back near Kyiv as talks progress (AP NEWS)  Ukraine Claims Some Battle Successes as Russia Focuses on Another Front (New York Times)  Ukrainian telecom company's internet service disrupted by 'powerful' cyberattack (Reuters)  ‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider (Forbes)  GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon  (Security Affairs)  Secret World of Pro-Russia Hacking Group Exposed in Leak (Wall Street Journal)  Anonymous is working on a huge data dump that will blow Russia away (Security Affairs) While Twitter suspends Anonymous accounts, the group hacked VGTRK Russian Television and Radio (Security Affairs) Names and addresses of 620 FSB officers published in data breach (Times)  Russian spies unmasked in embarrassing blow for Vladimir Putin (The Telegraph)  New Conversation Hijacking Campaign Delivering IcedID (Intezer) Spoofed Invoice Used to Drop IcedID (Fortinet Blog)  A Beautiful Factory for Malicious Packages (Checkmarx)  School of Hard Knocks: Job Fraud Threats Target University Students (Proofpoint)  Mitigating Attacks Against Uninterruptible Power Supply Devices (CISA Insights)
Mar 29, 2022
Notes on the cyber aspects of the ongoing hybrid war. DDoS in the Marshall Islands. Lapsus$ Group post mortems. US FCC sanctions Kaspersky. CISA adds Known Exploited Vulnerabilities to its Catalog.
1498
Preparing for the spread of cyberattacks. A look at Cyber operations in the hybrid war. C3 and electronic warfare. The Republic of the Marshall Islands suffers rolling DDoS attacks. Okta gives a detailed account of its experience with the Lapsus$ Group. Lapsus$ under the law enforcement microscope. The FCC sanctions Kaspersky. Malek Ben Salem from Accenture on getting full potential from deception systems. Our guest is Greg Scasny of Blueshift Cybersecurity with remote workforce security concerns. And CISA adds to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/59 Selected reading. ‘Preparation, not panic’: Top US cyber official asks Americans to look out for Russian hacking efforts CNN Russia hacked Ukrainian satellite communications, officials believe BBC News Chinese cyberattacks on NATO countries increase 116% since Russia's invasion of Ukraine: study Fox Business Why hasn't Russia used its 'full scope' of electronic warfare?Breaking Defense Russian troops’ tendency to talk on unsecured lines is proving costly Washington Post Marshall Islands telecom service hit by cyber attack RNZ Okta: "We made a mistake" delaying the Lapsus$ hack disclosure BleepingComputer Who is LAPSUS$, the Big, Bad Cybercrime Gang Hacking Tech's Biggest Companies? Gizmodo FCC puts Kaspersky on security threat list, says it poses “unacceptable risk“ Ars Technica U.S. FCC adds Russia's Kaspersky, China telecom firms to national security threat list Reuters CISA Adds 66 Known Exploited Vulnerabilities to Catalog CISA
Mar 28, 2022
The breakdown of Shuckworm's continued cyber attacks against Ukraine. [Research Saturday]
1236
Guest Dick O'Brien from Symantec joins Dave Bittner on this episode to discuss how "Shuckworm Continues Cyber-Espionage Attacks Against Ukraine." The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) has been active since 2013 and is known to use phishing emails to distribute either freely available remote access tools. In July 2021, Symantec observed Shuckworm activity on an organization in Ukraine and this continued until August 2021. According to a November 2021 report from the Security Service of Ukraine (SSU), since 2014 the Shuckworm group has been responsible for over 5,000 attacks against more than 1,500 Ukrainian government systems. Dick walks us through Symantec's investigation. The research can be found here: Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
Mar 26, 2022
Fears of Russian escalation, with both chemical and cyber weapons, rise. DPRK APTs exploit Chrome vulnerabilities. Mustang Panda is back. Arrests made in the Lapsus$ case.
1563
Fears of Russian escalation as Ukraine’s counteroffensive sees successes. Warnings of possible Russian cyberattacks gain context from attribution of the Viasat incident and two US unsealed indictments. CISA continues to recommend best practices. North Korean APTs exploit Chrome vulnerabilities. Mustang Panda is back. David Dufour from Webroot on ransomware gangs and cartels. Our guest is Liliana Monge of Sabio Coding Bootcamp on creating opportunities for those looking to pursue a career in tech. And boy, boy, your wild ways will break your mother’s heart. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/58 Selected reading. Ukrainian forces advance east of Kyiv as Russians fall back (Reuters) Counteroffensive in Ukraine Shifts Dynamic of War (New York Times) Ukrainian forces claim to destroy a Russian landing ship. (New York Times)  Putin's war in Ukraine nearing possibly more dangerous phase (AP NEWS)  Syrians watch in horror as Putin deploys the Aleppo playbook in Ukraine (CNN)  Joe Biden: We will respond in kind if Vladimir Putin uses chemical weapons in Ukraine (The Telegraph)  A month into the Russian invasion, Ukraine is still mostly online (The Record by Recorded Future) Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say (Washington Post)  Hackers Attacked Satellite Terminals Through Management Network, Viasat Officials Say (Air Force Magazine) Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide (US Department of Justice)  US charges four Russian hackers over cyber-attacks on global energy sector (the Guardian)  North Korean Actors Exploited Chrome Flaw to Target U.S. Orgs (Decipher)  Countering threats from North Korea (Google) New Mustang Panda hacking campaign targets diplomats, ISPs (BleepingComputer)  Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection (Threatpost) Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal (BBC News)
Mar 25, 2022
Updates on Russia’s hybrid war against Ukraine. The leader of the Lapsus$ Gang may be a 16-year-old living with his Mom. Wanted cybercriminals. Hacktivism’s sometimes wayward aim.
1605
Concerns persist that President Putin will take his revenge in cyberspace for sanctions. Wiper attacks reported continuing in Ukraine. Russia also sustains cyberattacks. Lapsus$--living at home, with Mom. A carder kingpin finds his way onto the FBI’s Most Wanted List. Andrea Little Limbago from Interos on collective resilience. Our guest is Amit Shaked from Laminar Security on shadow data. Anonymous says it hit Nestlé, but Nestlé says it never happened. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/57 Selected reading. As Ukraine invasion stalls, Putin looks to cyber for revenge attack on US (Newsweek) Threat looms of Russian attack on undersea cables to shut down West’s internet (France 24)  A Mysterious Satellite Hack Has Victims Far Beyond Ukraine (Wired)  Anonymous hacks unsecured printers to send anti-war messages across Russia (HackRead) 'We want them to go to the Stone Age': Ukrainian coders are splitting their time between work and cyber warfare (CNBC)  Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind (Bloomberg) Nestlé denies Anonymous hack, claiming it accidentally leaked data dump itself (Fortune)  Nestlé says 'Anonymous' data leak actually a self-own (Register) Nestlé: You Can't Hack Us, We Leaked Our Own Data (Gizmodo)  FBI adds Russian cybercrime market owner to most wanted list (BleepingComputer) United States of America v. Igor Dekhtyar (US District Court for the Eastern District of Texas)
Mar 24, 2022
Insider Risk Excellence Awards. [CyberWire-X]
1356
In this CyberWire-X episode, host Dave Bittner chats with the judges of the Insider Risk Excellence Awards. The inaugural awards program, announced during last September's Insider Risk Summit, recognizes the best of the best in Insider Risk Management. They honor the work of individuals and organizations as they address Insider Risk in the most collaborative work environment we’ve ever seen. Judges Joe Payne, President and CEO, Code42 and Chairman, Insider Risk Summit and Wendy Overton, Director of Cyber Strategy and Insider Risk Leader, Optiv, talk about the growing Insider Risk problem, reveal the winners of each award category and pull back the curtain on how each of these Insider Risk trailblazers are making an impact. 
Mar 24, 2022
British-American warnings of a Russian cyber threat, and Russia’s response. More on the Lapsus$ gang incidents at Microsoft and Okta. And Secureworks looks at Conti and sees a criminal ecosystem.
1595
The US and the UK warn of impending Russian cyberattacks, and Russia responds with warnings against “banditry,” crime, and bad manners. CISA issues two new ICS advisories. Microsoft confirms a Lapsus$ gang incident, and so does Okta, but Okta’s case is more complicated. Josh Ray from Accenture on the cyber workforce. Our guest is Tom Gaffney from F-Secure with some ways to reduce digital anxietySecureworks takes a look at the criminal ecosystem around Conti. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/56 Selected reading. Ukraine war has put our relationship with US at breaking point - Russia (Daily Post Nigeria)  Kremlin dismisses U.S. warning of potential Russian cyber attacks (Reuters) . As Biden puts US on alert, Russia seeks talks to help prevent cyber war (Newsweek)  U.K. echoes Biden warning on Russian cyberattacks (The Record by Recorded Future)  Biden: Russia mulling cyberattacks on US (C4ISRNet)  National Security Advisor details new intelligence on potential Russian cyberattacks (FOX 5 DC) The Threat of Russian Cyberattacks Looms Large (The New Yorker)  FBI sees growing Russian hacker interest in US energy firms (AP NEWS)  CISA Call with Critical Infrastructure Partners on Potential Russian Cyberattacks Against the U.S. (YouTube)  CISA highlights new reporting hotline amid warnings about potential Russian cyber attacks (Federal News Network) Delta Electronics DIAEnergie (CISA)  Delta Electronics DIAEnergie (Update B) (CISA)  Microsoft, Okta Investigating Data Theft Claims (SecurityWeek)  Hackers hit authentication firm Okta, customers 'may have been impacted' (Reuters)  'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack (Wired). Okta ‘identifying and contacting’ customers potentially affected by Lapsus$ breach (The Record by Recorded Future)  Okta Investigates Report of Security Breach, Says It Finds No Evidence of New Attack (Wall Street Journal)  Fury As Okta—The Company That Manages 100 Million Logins—Fails To Tell Customers About Breach For Months (Forbes)  Cloudflare’s investigation of the January 2022 Okta compromise (Cloudflare Blog). Updated Okta Statement on LAPSUS$ (Okta)  GOLD ULRICK leaks reveal organizational structure and relationships (Secureworks)  Details of Conti ransomware affiliate released (ComputerWeekly.com)  More can be done to curb misuse of Cobalt Strike, expert says (VentureBeat)
Mar 23, 2022
White House adds its voice to CISA’s Shields Up, warning of the possibility of Russian cyberattacks. New malware strains described, new criminal attack techniques observed.
1529
White House warns of large-scale Russian cyberattacks. Browser-in-the-Browser attacks. New Conti affiliate described. Android malware “Facestealer” described. Android malware “Facestealer” described. Microsoft and Okta investigate possible Lapsus$ attacks. Arid Gopher is out in the wild. Our guest is Swathi West of Barr Advisory on opportunities for the underrepresented in cybersecurity. Joe Carrigan wonders if we can’t just get rid of passwords once and for all. And advancing censorship by finding “extremism” and “Russophobia” in Meta’s platforms. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/55 Selected reading. Russia's hybrid war with Ukraine: strategy, norms, and alliances (The CyberWire) Statement by President Biden on our Nation’s Cybersecurity (The White House)  FACT SHEET: Act Now to Protect Against Potential Cyberattacks (The White House)  Statement from CISA Director Easterly on Potential Russian Cyberattacks Against the United States (CISA)  Press Briefing by Press Secretary Jen Psaki and Deputy NSA for Cyber and Emerging Technologies Anne Neuberger, March 21, 2022 (The White House)  Statement from Secretary Mayorkas on Cybersecurity Preparedness (US Department of Homeland Security)  Conti Affiliate Exposed: New Domain Names, IP Addresses and Email… (eSentire)  New Phishing toolkit lets anyone create fake Chrome browser windows (BleepingComputer). New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable (The Hacker News) Arid Gopher: Newest Micropsia Malware Variant (Deep Instinct)  Spyware dubbed Facestealer infects 100,000+ Google Play users (Pradeo)  Okta confirms investigation into potential breach (The Record by Recorded Future)  Microsoft investigating alleged Lapsus$ hack of Azure DevOps source code repositories (Computing)  Russian War Report: Meta officially declared “extremist organization” in Russia (Atlantic Council) 
Mar 22, 2022
Hacktivism, protestware, and information operations in a hybrid war. Brazi-based cyber gangs active in extortion. Steganography opens a backdoor. A free decryptor for Diavol ransomware.
1637
The widely expected, intense Russian cyber campaign has yet to appear. "Protestware" as a dangerous turn in hacktivism. Information operations and the persistence of independent channels of news. Social media as an opsec problem.Lapsus$ may have hit Microsoft. A second Brazilian gang tries its hand at extortion. A snakey backdoor afflicts French organizations. AD Bryan Vorndran of the FBI Cyber Division on what the agency brings to the table in the cyberspace. Rick Howard considers infrastructure as code. Emsisoft offers a free decryptor for Diavol ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/54 Selected reading. Volodymyr Zelensky tells Russia to seek ‘meaningful’ peace talks or face catastrophic losses (The Telegraph) Cyber threats and the Ukraine conflict (Avast) Cyber ‘cold war’ rages online but Russia holds back on massive digital attacks (Times of Israel)  Mar 13- Mar 19 Ukraine – Russia the silent cyber conflict (Security Affairs)  Former CIA officer shows what a Russian cyberattack on the US would look like (Fox News)  EU and US agencies warn that Russia could attack satellite communications networks (Security Affairs)  Banks on alert for Russian reprisal cyberattacks on Swift (Ars Technica)  Activists are targeting Russians with open-source “protestware” (MIT Technology Review)  Cyber warfare gets real for satellite operators (SpaceNews) More Conti ransomware source code leaked on Twitter out of revenge (BleepingComputer)  Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers (Vice)  Anonymous has unleashed a successful cyberwar to undermine Putin's Ukraine invasion (Fortune)  Some Russians are breaking through Putin’s digital iron curtain — leading to fights with friends and family (Washington Post)  On Russia's VK, anti-war messages defy Vladimir Putin's Ukraine censors (Newsweek) Why Russia’s anti-war movement matters (Atlantic Council)  Telegram Thrives Amid Russia’s Media Crackdown (Wall Street Journal)  British soldiers are ordered off WhatsApp amid fears that sensitive military details could be accessed by Russian hackers (Daily Mail) Microsoft Investigating Claim of Breach by Extortion Gang (Vice)  Hacking group that went after NVIDIA may have also attacked Microsoft (Windows Central)  Microsoft Allegedly Breached by LAPSUS Group (Cyber Kendra)  Lapsus$ gang sends a worrying message to would-be criminals (Register)  TransUnion cyber attack – hackers demand R225 million ransom (Business Tech). TransUnion Confirms Data Breach at South Africa Business (SecurityWeek)  UPDATE | TransUnion believes breach of 54 million SA records unrelated to current hack (Fin24)  Banks move to protect consumers in wake of TransUnion cyberattack (TechCentral)  Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain (Proofpoint)  Emsisoft releases free decryptor for the victims of the Diavol ransomware (Security Affairs)
Mar 21, 2022
Derek Manky: Putting the rubber to the road. [Threat Intelligence] [Career Notes]
548
Chief Security Strategist and VP of Global Threat Intelligence at FortiGuard Labs, Derek Manky, shares his story from programmer to cybersecurity and how it all came together. Derek started his career teaching programming because he had such a passion for it. When he joined Fortinet, Derek said putting where it "really started putting the rubber to the road and connecting my previous experience with programming and debugging and knowledge of operating systems and all that with real-world applications." Derek advises that it doesn't need to be complicated getting into the cybersecurity field and that there are many avenues to enter the field. He hopes to have made a real dent, or "hopefully a crater" in cyber crime when he ends his career. We thank Derek for sharing his story with us. 
Mar 20, 2022
Implications of data leaks of sensitive OT information. [Research Saturday]
1448
Guest Nathan Brubaker from Mandiant joins Dave Bittner on this episode to discuss Mandiant Threat Intelligence's research: "1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information." Data leaks have always been a concern for organizations. The exposure of sensitive information can result in damage to reputation, legal penalties, loss of intellectual property, and even impact the privacy of employees and customers. However, there is little research about the challenges posed to industrial organizations when threat actors disclose sensitive details about their OT security, production, operations, or technology. In 2021, Mandiant Threat Intelligence continued observing ransomware operators attempting to extort thousands of victims by disclosing terabytes of stolen information on shaming sites. This trend, which Mandiant Threat Intelligence refers to as “Multifaceted Extortion,” impacted over 1,300 organizations from critical infrastructure and industrial production sectors in just one year. Nathan walks us through their research and findings. The research can be found here: 1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information
Mar 19, 2022
Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism may go too far. C2C market notes. Advice from CISA and NIST. Prank calls as statecraft.
1514
Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism that affects software supply chains may go too far. An initial access broker in the criminal-to-criminal market. BlackMatter may be working with BlackCat. CISA offers a warning and advice to SATCOM operators. NIST offers some guidance on industrial control system security. Johannes Ullrich reminds us to patch our backup tools. Our guest is Armando Saey from MISI with insights on maritime port security. And Rear Admiral Mehoff, call your office. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/53 Selected reading. Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion (The Hacker News)  Software Supply Chain Weakness: Snyk Warns of 'Deliberate Sabotage' of NPM Ecosystem (SecurityWeek)  Russian government websites face ‘unprecedented’ wave of hacking attacks, ministry says (Washington Post)  Ukraine’s Digital Ministry Is a Formidable War Machine (Wired) Exposing initial access broker with ties to Conti (Google)  Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware (The Hacker News) Strengthening Cybersecurity of SATCOM Network Providers and Customers (CISA)  NIST SPECIAL PUBLICATION 1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector (NIST) Hoax caller claiming to be Ukrainian PM got through to UK defence secretary (the Guardian)  Russians target Priti Patel and Ben Wallace with fake video calls (The Telegraph) 
Mar 18, 2022
Debunking deepfakes. Hacktivism and information warfare. The prospect of “splinternets.” Germany warns of security product risks. Disruption of Ukrainian ISPs. New wrinkles in phishing.
1479
Not-so-deepfakes debunked. Hacktivism and information warfare in Russia’s war against Ukraine. The prospect of an age of “splinternets.” Germany warns of risks from Kaspersky security products. Disruption of Ukrainian ISPs. David Dufour from Webroot on cyberattacks hitting the automotive sector. Carole Theriault ponders parental disclosure of tracking their kids. Three new wrinkles to social engineering. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/52 Selected reading. Russia and Ukraine ‘draw up 15-point peace plan’ (The Telegraph)  Deepfake video of Zelenskyy could be 'tip of the iceberg' in info war, experts warn (NPR.org)  The Russia-Ukraine War And The Revival Of Hacktivism (Digital Shadows)  In a Chilling Threat, Putin Vows to Rid Russia of ‘Traitors’ (Bloomberg) Russia is risking the creation of a “splinternet”—and it could be irreversible (MIT Technology Review)  Traffic interception and MitM attacks among security risks of Russian TLS certs (CSO Online)  Germany's BSI warns against Kaspersky AV over spying concerns (CSO Online)  Major Ukrainian Internet Provider Triolan Suffers Severe Cyber Attacks and Infrastructure Destruction During Russian Invasion (CPO Magazine) The Attack of the Chameleon Phishing Page (Trustwave)  The Email Bait … and Phish: Instagram Phishing Attack (Armorblox)  Using CAPTCHA Forms to Bypass Filters (Avanan)
Mar 17, 2022
Ukrainian President Zelenskyy addresses the US Congress, as Russia’s hybrid war continues. LokiLocker ransomware flies a false flag. CISA warns of Russian cyber threat. Advance fee arrest.
1523
Ukrainian President Zelenskyy addresses the US Congress, as intelligence services, contractors, and hacktivists wage their part of a hybrid war. BlackBerry describes LokiLocker, a new strain of ransomware that’s not Iranian, but would have you think it is. CISA and the FBI warn of a Russian cyber campaign. Nigeria arrests an alleged advance-fee scam artist (he’s been wanted for some time.) For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/51
Mar 16, 2022
Disinformation and cyberattacks in Russia’s hybrid war against Ukraine. DDoS attack hits Israeli telcos. Captured tools are old news. Recent trends in cybercrime.
1726
Biowar disinformation. A new wiper is discovered in Ukrainian systems. Cyber criminals look for letters of marque from both sides (and some of them are looking like hacktivists). Ukrainian cybersecurity firms and intelligence services mobilize against Russia. Ben Yelin evaluates cyber engagements in the crisis. A protester crashes a Russian news broadcast. DDoS attack takes down Israeli sites. China claims to have “captured” NSA hacking tools. Our guest is Ben Brook CEO of Transcend with a look at data privacy. Recent trends in cybercrime. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/50 Selected reading. Researchers find new destructive wiper malware in Ukraine (The Verge)  Cloud Native Technologies Used in Russia-Ukraine Cyber Attacks (Aqua Security)  Financially motivated threat actors willing to go after Russian targets (Help Net Security)  Kyiv’s hackers seize their wartime moment (POLITICO)  Global Incident Report: Threat Actors Divide Along Ideological Lines over the Russia-Ukraine Conflict on Underground Forums (Accenture) Political fallout in cybercrime circles upping the threat to Western targets (CyberScoop) A protester storms a live broadcast on Russia’s most-watched news show, yelling, ‘Stop the war!’ (New York Times) Denial-of-service attack knocked Israeli government sites offline (CyberScoop)  China claims it captured NSA spy tool that already leaked (Register)  Ransomware Variants Q4 2021 (Intel471.com)  Cequence Security Releases Report Revealing Top 3 Attack Trends in API Security (Cequence) 
Mar 15, 2022
Russia’s hybrid war against Ukraine becomes more firepower intensive, but hackers make their mark. Cybercrime does business as usual.
1621
The situation in Russia’s war against Ukraine, and Mr. Putin’s frustration with his intelligence services. Provocations, state-hacking, and influence operations in a hybrid war. Lapsus$ hits Ubisoft with ransomware. LockBit hits Bridgestone America. The Escobar banking Trojan is out in the wild. Kaspersky source apparently not compromised after all. Dan Prince wonders if we are properly preparing for the roles of tomorrow? Rick Howard is pulling on the kill chain. And the wayward aim of public opinion. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/49 Selected reading. After more than two weeks of war, the Russian military grinds forward at a heavy cost (Washington Post)  Ukraine war latest: Talks resume as Russia strikes Kyiv (BBC News)  US view of Putin: Angry, frustrated, likely to escalate war (AP NEWS)  Kremlin arrests FSB chiefs in fallout from Ukraine chaos (Times)  Russian Cyber Restraint in Ukraine Puzzles Experts (SecurityWeek) Russia's cyber offensive against Ukraine has been limited so far. Experts are divided on why (KESQ) ‘ Not the time to go poking around’: How former U.S. hackers view dealing with Russia (POLITICO) We're seeing 800% increase in cyberattacks, says MSP (Register) Russia makes claims of US-backed biological weapon plot at UN (the Guardian)  Russian media spreading disinformation about US bioweapons as troops mass near Ukraine (Bulletin of the Atomic Scientists)  Russian TikTok Influencers Are Being Paid to Spread Kremlin Propaganda (Vice) The White House is briefing TikTok stars about the war in Ukraine (Washington Post)  Android malware Escobar steals your Google Authenticator MFA codes (BleepingComputer)  Google Attempts to Explain Surge in Chrome Zero-Day Exploitation (SecurityWeek) Google: We're spotting more Chrome browser zero-day flaws in the wild. Here's why (ZDNet). Ubisoft says it experienced a ‘cyber security incident’, and the purported Nvidia hackers are taking credit (The Verge) UPDATE 1-Japan's Denso hit by apparent ransomware attack - NHK (Reuters) LockBit ransomware group claims to have hacked Bridgestone Americas (Security Affairs)
Mar 14, 2022
Kristin Strand: Be firm in your goals. [Consultant] [Career Notes]
446
Cybersecurity Associate Consultant at BARR Advisory, Kristin Strand, shares her journey from the military to teaching and now to cybersecurity. Kristin shares how she'd wanted to be a teacher since she was young. She joined the Army to help pay for college and throughout her career has taken advantage of programs to help her move on to her next challenge. From teaching, Kristin decided to transition to IT and came to cybersecurity through a Department of Labor program. She's also currently training to be a drill sergeant. Kristin advises you stand firm to your goals and know what you want. It will come around. We thank Kristin for sharing her story with us.
Mar 13, 2022
The story of REvil: From origin to beyond. [Research Saturday]
2021
Guest Jon DiMaggio, Chief Security Strategist at Analyst1, joins Dave Bittner to discuss his team's research "A History of REvil" that chronicles the rise and fall of REvil. The REvil gang is an organized criminal enterprise based primarily out of Russia that runs a Ransomware as a Service (RaaS) operation. The core members of the gang reside and operate out of Russia. REvil leverages hackers for hire, known as affiliates, to conduct the breach, steal victim data, delete backups, and infect victim systems with ransomware for a share of the profits. Affiliates primarily stem across eastern Europe, though a small percentage operate outside that region. In return, the core gang maintains and provides the ransomware payload, hosts the victim data leak/auction site, facilitates victim communication and payment services, and distributes the decryption key. In simpler terms, the core gang are the service provider and persona behind the operation, while the affiliates are the hired muscle facilitating attacks. Jon walks us through the team's findings and details REvil's story. The research can be found here: A History of REvil
Mar 12, 2022
An update on the hybrid war in Ukraine. Conti and its users are still up and active. CISA releases twenty-four ICS security advisories. An extradition in the NetWalker case.
1607
An update on the hybrid war in Ukraine. Allegations of war crimes and Russian disinformation. Chemical, biological, and radiological weapons disinformation. Preparing for cyberattacks. Cyber operations against Russia. GPS interference reported along Finland’s border. Conti and its users are still up and active. CISA releases twenty-four ICS security advisories. Malek Ben Salem from Accenture on deception systems. Our guest is Joe Payne from Code42 on data exposure. An extradition in the NetWalker case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/48 Selected reading. Russia 'did not attack Ukraine' says Lavrov after meeting Kuleba (euronews)  Read the latest cybersecurity analysis (Accenture) Where conflict is reported in Ukraine right now (The Telegraph)  How U.S. Bioweapons in Ukraine Became Russia’s New Big Lie (Foreign Policy)  Russian embassy demands Meta stop 'extremist activities' (NASDAQ:FB) (SeekingAlpha) Transparency Org Releases Alleged Leak of Russian Censorship Agency (Vice)  SecurityScorecard Discovers new botnet, ‘Zhadnost,’ responsible for… (SecurityScorecard)  Inside the Russian cyber war on Ukraine that never was (Task & Purpose)  Report: Recent 10x Increase in Cyberattacks on Ukraine (KrebsOnSecurity)  Russian defense firm Rostec shuts down website after DDoS attack (BleepingComputer)  The Spectacular Collapse of Putin’s Disinformation Machinery (Wired)  Will Russians Choose Truth or Lies? Ukraine’s Fate Depends on Them (Bloomberg)  Finnish govt agency warns of unusual aircraft GPS interference (BleepingComputer) Corporate website contact forms used to spread BazarBackdoor malware (BleepingComputer) U.S. Warns of Conti Ransomware Attacks as Gang Deals With Leak Fallout (SecurityWeek)  Ex Canadian government worker extradited to U.S. to face more ransomware charges (CBC)  Former Canadian Government Employee Extradited to the United States to Face Charges for Dozens of Ransomware Attacks Resulting in the Payment of Tens of Millions of Dollars in Ransoms (US Department of Justice) 
Mar 11, 2022
Cyber phases of a hybrid war. Google stops a Judgment Panda campaign and Symantec tracks Daxin. CISA updates its Conti alert. An alleged REvil member is arraigned in Texas.
1814
Prebunking a provocation. A spot report on the cyber phases of a hybrid war. Google stops a Judgment Panda campaign against US Government Gmail users. Symantec continues to track the origins and uses of the Daxin backdoor. CISA updates its Conti alert. Josh Ray from Accenture has tips on Log4J. Our guest is Chetan Conikee of ShiftLeft with strategies for reducing attackability. And law northeast of the Pecos, as an alleged member of REVil is arraigned in Texas. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/47 Selected reading. Vladimir Putin ‘plotting chemical weapons attack in Ukraine’ (The Telegraph) White House warns Russia could use chemical weapons in Ukraine (TheHill)  Russia, China May Be Coordinating Cyber Attacks: SaaS Security Firm (eSecurityPlanet)  More Than 5 Million Anti-Propaganda Text Messages Sent to Russians in Anonymous Information Warfare (Hstoday)  Anonymous hacked Russian cams, websites, announced a clamorous leak (Security Affairs)  EXCLUSIVE BNP Paribas bars Russia-based staff from computer systems as cyber attack fears grow (Reuters)  CISA updates Conti ransomware alert with nearly 100 domain names (BleepingComputer)  Google Blocks Chinese Phishing Campaign Targeting U.S. Government (SecurityWeek) Symantec tracked down one developer of ‘China’s most advanced piece of malware’ (Sc Magazine)  Daxin Backdoor: In-Depth Analysis, Part One (Symantec) Daxin Backdoor: In-Depth Analysis, Part Two (Symantec) Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas (US Department of Justice)
Mar 10, 2022
Waiting for the Bears to come out. APT41 hits US state governments. A surge in mobile malware, and a look at yesterday’s Patch Tuesday.
1693
Zelenskyy addresses the House of Commons. Cyber operations in Russia's war against Ukraine. Chinese cyber espionage campaign hits six US state governments (but it might be an APT side-hustle). A surge in mobile malware. Joe Carrigan looks at derestricting your software. Our guest Bob Dudley discusses cyberattacks against the European energy sector. And a quick look back at Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/46 Selected reading. Volodymyr Zelensky speech: Ukrainian President vows to fight Russians in 'forests, fields and on shores' as he channels Winston Churchill (The Telegraph)  Putin’s Endgame Starts to Look Like Reducing Ukraine to Rubble (Bloomberg Live Updates: Biden Bans Russian Oil Imports and Major U.S. Brands Close Outlets (New York Times) The March 2022 Security Update Review (Zero Day Initiative)  EU countries call for cybersecurity emergency response fund -document (Reuters) Annual Threat Assessment of the U.S. Intelligence Community (Office of the Director of National Intelligence) PTC Axeda agent and Axeda Desktop Server | (CISA)  AVEVA System Platform (CISA) Sensormatic PowerManage (CISA) 
Mar 09, 2022
Updates on Russia’s hybrid war, including cyber ops and influence operations. Mustang Panda focuses on Europe in its cyberespionage. Ransomware hits oil and gas sector. UPS vulnerabilities.
1605
Updates from the UK’s Ministry of Defense on Russia’s War in Ukraine. Influence operations: the advantage still seems to go to Ukraine, as Russian efforts look inward. Assessing the effects of hacktivism and cyber operations in the hybrid war. Privateering: Conti, Ragnar Locker, and (probably) others. Mustang Panda rears up in European diplomatic networks. Ransomware hits a Romanian fuel distributor. Andrea Little Limbago from Interos on data traps. Carole Theriault tracks the fight against deepfakes. Vulnerabilities found in UPS devices. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/45
Mar 08, 2022
Cyber dimensions of Russia’s hybrid war against Ukraine. Hacktivists and cybercriminals choose sides. Lapsu$ releases NVIDIA and Samsung data (and says a victim hacked back).
1694
Russian influence operations fail as few support Russia's war of aggression. Ukraine will become a "contributing participant" in NATO's CCDCOE. Ukrainian cyberattacks, and the marshaling of hacktivists. Russian cyberattacks: surprisingly restrained and unsurprisingly supported by criminal organizations like Conti. The FBI’s Bryan Vorndran joins us with insights on the work his team did on Sodinokibi. Rick Howard looks at vulnerability management. Lapsu$ gang releases data taken from NVIDIA and Samsung in separate extortion incidents. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/44 Selected reading. What Happened on Day 11 of Russia’s Invasion of Ukraine (New York Times) Putin says Ukraine's future in doubt as cease-fires collapse  After temporary cease-fires break down, Putin threatens Ukraine’s government (AP NEWS)  Ukraine to join NATO cyber defence centre as 'contributing participant' (Reuters) Putin Is Raising an Iron Firewall Around Russia (Bloomberg)  Three reasons Moscow isn't taking down Ukraine's cell networks (POLITICO)  Hacktivists Stoke Pandemonium Amid Russia’s War in Ukraine (Wired)  DDoS hacktivism: A highly risky exercise (Avast) This Ukrainian cyber firm is offering hackers bounties for taking down Russian sites (The Record by Recorded Future) Ukraine Cyber Official: We Only Attack Military Targets (SecurityWeek)  Volunteer Hackers Converge on Ukraine Conflict With No One in Charge (New York Times)  Russia shares list of 17,000 IPs allegedly DDoSing Russian orgs (BleepingComputer)  Ukraine's 'IT army' targets Belarus railway network, Russian GPS (Reuters)  HawkEye 360 detects GPS interference in Ukraine (SpaceNews)  Hackers are being forced to pick sides in the Russia-Ukraine war (KTVH)  Nvidia allegedly hacks back (Avast) Credentials of 71,000 NVIDIA Employees Leaked Following Cyberattack (SecurityWeek)  Leaked stolen Nvidia cert can code-sign Windows malware (Register)  Hackers claim massive Samsung leak, including encryption keys and source code (Android Police)  Lapsus$ group leaks 190GB of Samsung data, source code (Computing)  Samsung’s secret data leaks after devastating cyberattack (SamMobile) 
Mar 07, 2022
Chetan Conikee: Create narratives of your journey. [CTO] [Career Notes]
599
Founder and CTO of ShiftLeft, Chetan Conikee shares his story from computer science to founding his own company. When choosing a career, Chetan notes that "the liking and doing has to matter and be in conjunction with each other." Explaining the parallels in his home country of India and where he studied his for his masters in the US, Chetan stresses the need to find someone who inspires you to follow and learn from. On being an entrepreneur, he says, "The entrepreneurial mindset is a sum total of many sufferings that lead to success." Chethan advises you take time out to write narratives so that you are remembered and so that others following a similar path may learn from you. We thank Chetan for sharing his story with us.
Mar 06, 2022
HEAT: Examining the next-class of browser-based attacks. [CyberWire-X]
2132
Modern enterprises have evolved drastically over the last two years as a result of the global pandemic. Due in part to organizations pivoting quickly to new business models by migrating apps and services to the cloud to enable hybrid and remote workforces, the “new” office has quickly become the web browser. Today, business users are spending an average of 75% of their workday in a browser – that’s where productivity takes place! But the digital enhancements of the last two years have ushered in widespread transformation that expanded attack surfaces and created new opportunities for cyber miscreants, giving rise to Highly Evasive Advanced Threats (HEAT). During this episode of CyberWire-X, the CyberWire's Dave Bittner speaks with Dan Prince, Senior Lecturer in Security and Protection Science at the School of Computing and Communications at Lancaster University, about the topic. Show Sponsor Menlo Security's Nick Edwards and Dave explore what HEAT attacks are, how they work, and why they’re resulting in the rise of ransomware attacks and account takeovers.
Mar 06, 2022
An abuse of trust: Potential security issues with open redirects. [Research Saturday]
1431
Guest Mike Benjamin, VP of Security Research at Fastly, joins Dave Bittner to talk about the Fastly Security Research Team's work on "Open redirects: real-world abuse and recommendations." Open URL redirection is a class of web application security problems that makes it easier for attackers to direct users to malicious resources. This vulnerability class, also known as “open redirects,” arises when an application allows attackers to pass information to the app that results in users being sent to another location. That location can be an attacker-controlled website or server used to distribute malware, trick a user into trusting a link, execute malicious code in a trusted way, drive ad fraud, or even perform SEO manipulation. Knowing how an open redirect can be abused is helpful — but knowing how to design around it in the first place is even more important. Mike walks us through what his team uncovered, explains how redirects are used, how they can be abused, and how you can prevent that abuse. The research can be found here: Open redirects: real-world abuse and recommendations
Mar 05, 2022
Swapping propaganda shots. ICANN will not block the Internet in Russia. Hacktivists achieve a nuisance-level of success. NVIDIA gets a most curious demand. And there’s no US draft.
1590
Propaganda engagements in Russia’s hybrid war against Ukraine. ICANN will not block the Internet in Russia. Hacktivists, real and pretended, achieve a nuisance-level of success in Russia’s war. Scams and misinformation circulate in Telegram. NVIDIA gets a most curious demand from a cyber gang. CISA’s ICS advisories. Johannes Ullrich looks at phishing pages on innocent websites. Our guest is Chase Snyder from ExtraHop to discuss implications of the cyber talent shortage. And, hey, newsflash, no matter what the texts on your phone might say, there’s no military draft in the US. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/43 Selected readings. Putin Thought Ukraine Would Fall Quickly. An Airport Battle Proved Him Wrong (Wall Street Journal) Russia's chaotic and confusing invasion of Ukraine is baffling military analysts (CNBC)  Last Vestiges of Russia’s Free Press Fall Under Kremlin Pressure (New York Times)  Don’t mention the war: Russian state media sells the lie of Ukrainians shelling their own cities (The Telegraph)  Russian troops in disarray and ‘crying’ in combat, radio messages reveal (The Telegraph)  Demoralised Russian soldiers tell of anger at being ‘duped’ into war (the Guardian) The propaganda war has eclipsed cyberwar in Ukraine (MIT Technology Review) Ukraine's request to cut off Russia from the global internet has been rejected (CNN)  No, the Army isn’t sending Ukraine draft notices via text (Army Times)  Hackers Who Broke Into NVIDIA's Network Leak DLSS Source Code Online (Hacker News)  Hackers warn Nvidia to open-source their GPU drivers or face data leak (Computing)  Cybercriminals who breached Nvidia issue one of the most unusual demands ever (Ars Technica)  BD Pyxis (CISA)  BD Viper LT (CISA)  IPCOMM ipDIO (CISA)
Mar 04, 2022
Russia and Belarus exchange cyber operations with Ukraine. The US announces Task Force KleptoCapture. Vulnerable infusion pumps. TCP middlebox reflection. Notes on sanctions.
1824
The UN condemns Russia’s war in Ukraine. Ukraine’s cyber volunteers appear to be operating under the direction of Kyiv’s Ministry of Defense, and may be targeting Russian infrastructure. Belarusian cyber operators are phishing with stolen Ukrainian credentials in a cyberespionage campaign. Task Force KleptoCapture. Infusion pumps found vulnerable to cyberattack. TeaBot is found in the Play Store. TCP middlebox reflection. Dan Prince from Lancaster University on trustworthy autonomous systems. Our guest is John Shegerian from ERI on the security angle of e-recycling. And no more Harleys for Mr. Putin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/42 Selected reading. Cyber Realism in a Time of War Russian Hybrid War Report: Social platforms crack down on Kremlin media as Kremlin demands compliance Russia's war spurs corporate exodus, exposes business risks Using DDoS, DanaBot targets Ukrainian Ministry of Defense Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement Phishing campaign targets European officials assisting in refugee operations Anonymous vs. Russia: Hackers Say Space Agency Breached, More Than 1,500 Websites Hit Conti Ransomware Source Code Leaked Hacker Group Anonymous Vows to Disrupt Russia's Internet — RT Websites Become 'Subject of Massive DDoS Attacks' Ukrainian cyber resistance group targets Russian power grid, railways Army of Cyber Hackers Rise Up to Back Ukraine U.S. Officials Detail Efforts to Enforce Raft of New Russia Rules TCP Middlebox Reflection: Coming to a DDoS Near You TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps Infusion Pump Vulnerabilities: Common Security Gaps
Mar 03, 2022
Slow-motion brutality against Ukraine as sanctions begin to bite Russia. Big Tech takes sides. Ransomware continues to bother major corporations.
1769
Russia’s invasion in Ukraine is still slow, but it’s grown more brutal. Sanctions are beginning to hit Russia hard. The cyber phase of this hybrid war seems more informational than destructive, which is surprising. Big Tech has taken Ukraine’s side, and some Russian companies face a tough balancing act. Our guest is Lavi Lazarovitz from CyberArk with predictions on supply chain security. Malek Ben Salem from Accenture on deploying effective deception systems. And ransomware continues to pester major corporations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/41 Selected reading. Ukraine at D+6: Shocking and awful. (The CyberWire) The Fog of Cyberwar Descends on Ukraine and Russia (Bloomberg)  Russian Electric Vehicle Chargers Hacked, Tell Users ‘PUTIN IS A DICKHEAD’ (Vice)  Western Sanctions Bite Russian Economy, but Pose Unpredictable Risks (Wall Street Journal)  Targeted APT Activity: BABYSHARK Is Out for Blood (Huntress)  5 New Vulnerabilities Discovered in PJSIP Open Source Library (JFrog)  Nvidia says hackers are leaking company data after ransomware attack (TechCrunch)  Insurer Aon falls victim to a cyber attack (Computing)  Toyota to restart Japan production after cyberattack on supplier triggers one-day halt (The Edge Markets)  Cyberattack on Toyota's supply chain shuts all its factories in Japan for 24 hours (CNN)
Mar 02, 2022
Updates on Russia’s invasion of Ukraine, and the cyber phases of a hybrid war. Hacktivists and privateers. New Chinese malware described. Registration-bombing.
1787
Stalled columns, rocket fire, and negotiation over Ukraine. Two new pieces of malware found in use against Ukrainian targets. Ben Yelin joins us with analysis. Dealing with WhisperGate and HermeticWiper. The muted cyber phases of a hybrid war. Leaked files reveal Conti as a privateer. Sanctions move from deterrence to economic "war of attrition." Daxin: a backdoor that hides in normal network traffic. Registration-bombing lets fraud hide in the weeds. Our guest is Tresa Stephens from Allianz on the elevated concern for cyber risk among business leaders. And Razzlekhan talking a deal? Resources Ukraine Fighting Overshadows Chance of Russia Talks’ Success (Bloomberg) Both sides agree to second set of talks even as fighting rages. Russia suffers market seizure as ruble plunges on sanctions. After a Fumbled Start, Russian Forces Hit Harder in Ukraine (New York Times) After days of miscalculation about Ukraine’s resolve to fight, Russian forces are turning toward an old pattern of opening fire on cities and mounting sieges. The dire predictions about a Russian cyber onslaught haven’t come true in Ukraine. At least not yet. (Washington Post) For more than a decade, military commanders and outside experts have laid out blueprints for how cyberwar would unfold: military and civilian networks would be knocked offline, cutting-edge software would sabotage power plants, and whole populations would be unable to get money, gas or refrigerated food. A Free-for-All But No Crippling Cyberattacks in Ukraine War (SecurityWeek) In the early days of the war in Ukraine, Russia's ability to create mayhem through malware hasn’t had much of a noticeable impact CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks (SecurityWeek) The two U.S. agencies warn that both malware families were used in destructive cyberattacks targeting organizations in Ukraine. Anonymous Hacker Group Targets Russian State Media (SecurityWeek) Hacker group Anonymous claimed responsibility on for disrupting the work of websites of pro-Kremlin Russian media in protest of the invasion of Ukraine. Ukraine’s Volunteer ‘IT Army’ Is Hacking in Uncharted Territory (Wired) The country has enlisted thousands of cybersecurity professionals in the war effort against Russia. After Conti backs war, ransomware gangs realize peril of patriotism amid infighting (SC Magazine) Ransomware is actually a complex global economy. Different groups design ransomware and license that ransomware for use in attacks, with the latter often using many different vendors of the former. So while the designers of Conti may be Russian, the affiliate groups using Conti may include Ukrainians. And like in any business, there is peril in angering the consumer. A ransomware group paid the price for backing Russia (The Verge) Is proximity to the Putin regime becoming a liability? U.N. General Assembly set to isolate Russia over Ukraine invasion (Reuters) The 193-member United Nations General Assembly began meeting on the crisis in Ukraine on Monday ahead of a vote this week to isolate Russia by deploring its "aggression against Ukraine" and demanding Russian troops stop fighting and withdraw. Russia defends invasion during emergency UN General Assembly (Deutsche Welle) A clear majority of UN member states are expected to vote to condemn Russia's actions as Moscow becomes increasingly isolated internationally. The New Russian Sanctions Playbook (Foreign Affairs) Deterrence is out, and economic attrition is in. Russia seeks to halt investor stampede as sanctions hammer economy (Reuters) Russia said it was placing temporary curbs on foreigners seeking to exit Russian assets on Tuesday, putting the brakes on an accelerating investor exodus driven by crippling Western sanctions imposed over the invasion of Ukraine. For links to all of today's stories check out CyberWire daily news briefing for March 1, 2022.
Mar 01, 2022
An update on Russia’s hybrid war against Ukraine. Offensive cyber operations under hacktivist guise. Russian privateers return (also as hacktivists). Some non-war-related hacking.
1628
Ukrainian resistance may have stalled the Russian advance at key points. Cyber operations against Ukraine (and Russia). Diplomacy, now short of surrender? A SWIFT kick. Return of the privateers, now in the guise of patriotic hacktivists. Not all hacking is war-related. Josh Ray from Accenture on KillACK Backdoor Malware Continues to Evolve. Rick Howard revisits the cyber sand table. Criminals exploit Ukraine's suffering in social engineering campaigns. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/39
Feb 28, 2022
Sloane Menkes: What is the 2%? [Consultant] [Career Notes]
581
Principal in PricewaterhouseCoopers Cyber Risk and Regulatory Practice, Sloane Menkes, shares her story of how non-linear math helped to shape her life and career. Sloane credits a high school classmate for inspiring her mantra "What is the 2%?" that she employs when she feels like things are shutting down. She talks about her experiences in calculus class at the US AIr Force Academy that helped to enlighten her and inform the intuitive problem solving skill or way of thinking that she'd been employing in her life. She joined Office of Special Investigations and working with Howard Schmidt is where Sloane first started to get interested in cybersecurity. She shares what she loves about the consulting role is that the environment is constantly changing, and she offers some advice for women interested in cybersecurity. We thank Sloane for sharing her story with us.
Feb 27, 2022
Noberus ransomware: Coded in Rust and tailored to victim. [Research Saturday]
1294
Guest Dick O'Brien, Principal Editor at Symantec, joins Dave to discuss their team's research, "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware." Noberus is new ransomware used in mid-November attack, ConnectWise was likely infection vector. Symantec, a division of Broadcom Software, tracks this ransomware as Ransom.Noberus and our researchers first spotted it on a victim organization on November 18, 2021, with three variants of Noberus deployed by the attackers over the course of that attack. This would appear to show that this ransomware was active earlier than was previously reported, with MalwareHunterTeam having told BleepingComputer they first saw this ransomware on November 21. Noberus is an interesting ransomware because it is coded in Rust, and this is the first time we have seen a professional ransomware strain that has been used in real-world attacks coded in this programming language. Noberus appears to carry out the now-typical double extortion ransomware attacks where they first steal information from victim networks before encrypting files. Noberus adds the .sykffle extension to encrypted files. The research can be found here: Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware
Feb 26, 2022
Hybrid aggression and hybrid resistance. Sanctions, defense, and (maybe) retaliation. MuddyWater is newly active. Trickbot seems to have retired. Notes on misinformation and the fog of war.
1761
Russia’s full-scale invasion meets regular and irregular Ukrainian resistance. Public uses of intelligence products. Hybrid aggression and hybrid defense in cyberspace, as the civilized world imposed sanctions on Russia. Iran’s MuddyWater threat actor is back, with renewed cyberespionage. Good-bye to Trickbot. Carole Theriault wraps up her look at mobile device security. Rick Howard checks in with Matthew Sharp ( Logicworks) & "Rock" Lambros (RockCyber) on "The CISO Evolution". And some notes on the fog of war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/38
Feb 25, 2022
Russia’s full-scale invasion of Ukraine began this morning at 5:00 AM, Kyiv local time. Cyberattacks are serving as combat support and strategic disruption.
1507
Russia opens a general war against Ukraine, with rocket fires, heavy forces, and a not-so-veiled threat to NATO. Cyber operations are serving as combat support and strategic disruption. While the war in Ukraine dominates the news, elsewhere in the world cybercrime and cyberespionage continue at their customary levels. Carole Theriault looks to the security of your mobile devices. And our guest is Dr. Chenxi Wang of Rain Capital with insights on the new NIST software supply chain security standards. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/37
Feb 24, 2022
Putin goes medieval (we paraphrase the UK defense secretary). Cyberattack disrupts a logistics giant. Two reports look at the state of industrial cybersecurity.
1843
With diplomacy at a stand and Russian troops now openly in Ukraine, Western governments impose sanctions on Russia. A fresh round of distributed denial-of-service attacks against Ukraine. Cobalt Strike continues to be misused by criminals. A cyberattack has severely disrupted a major logistics firm. My conversation with Assistant Director Bryan Vorndran of the FBI Cyber Division. Our guest Ed Amoroso from TAG Cyber explains Research as a Service. And two looks at the recent and prospective state of industrial cybersecurity. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/36
Feb 23, 2022
Escalation in Russia’s hybrid aggression. APT10’s espionage against Taiwan’s financial sector. Developments in the C2C market. Jamming your teen’s Internet access.
1817
Russia escalates its hybrid war against Ukraine, with cyber implications for the rest of the world. Xenomorph banking Trojan hits European Android users. APT10’s months-long espionage campaign against Taiwan’s banks. Hive ransomware’s flawed encryption is good news. Trickbot’s place in the C2C market. Joe Carrigan shares the latest evolution of business email compromise. John Pescatore’s Mr. Security Answer Person returns. And there’s a right way and a wrong way to keep your teen offline. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/35
Feb 22, 2022
Interview select: Kenneth Geers of NATO's CCD COE on "Cyber War in Perspective: Russian Aggression Against Ukraine."
1432
As we break to observe Washington's birthday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with Kenneth Geers from NATO's CCD COE on "Cyber War in Perspective: Russian Aggression Against Ukraine." Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Feb 21, 2022
Bonus: Afternoon Cyber Tea: IoT-Based Infrastructures
1792
Afternoon Cyber Tea with Ann Johnson is a CyberWire Network podcast created by Microsoft Security. It's a bi-weekly show that comes out every other Tuesday. We thought you would enjoy this episode in particular and hope you consider subscribing in your favorite podcast app. Diana Kelly, the co-founder, and CTO of SecurityCurve, a cybersecurity consulting firm, joins Ann Johnson on this episode of Afternoon Cyber Tea. Diana is a globally known security expert who donates much of her time volunteering in the cybersecurity community while also serving on the Association for Computing Machinery Ethics and Plagiarism Committee. Diana talks with Ann about helping inexperienced organizations get up to speed on the cybersecurity landscape, some of the current significant security and privacy hurdles currently plaguing the field, and some of the best practices to assist network defenders and users trying to combat botnet threats.      In This Episode You Will Learn:      How companies can protect themselves from new unsecure devices   When security risks correspond with access management and IoT devices  Why we need security programs to grow to a new level     Some Questions We Ask:  How should network defenders and users combat botnet threats?  What types of universal IoT standards need to be created?   What privacy hurdles are currently plaguing the field of IoT-connected devices?     Resources:    View Diana Kelly on LinkedIn  View Ann Johnson on LinkedIn    Related:   Listen to: Security Unlocked: CISO Series with Bret Arsenault     Listen to: Security Unlocked   Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of The CyberWire Network.  
Feb 21, 2022
Joe Carrigan: Build your network. [Security engineer] [Career Notes]
609
Senior security engineer with the Johns Hopkins University Information Security Institute and the Institute for Assured Autonomy, Joe Carrigan, shares what he calls his life mistake and what spurred him to finally choose a career in technology. Throughout his life, Joe had interest in technology, he even worked at the computer lab in college, but never set his sights on that for a career. A conversation with a stranger guided him in that direction and he's been there ever since. As co-host of the CyberWire's Hacking Humans, Joe sees some heartbreaking results of scams and feels education of the public will help to prevent these. Joe reminds us to build our networks as they include people we can always go back to either when searching for a position or looking to fill one on our teams. We thank Joe for sharing his story with us.
Feb 20, 2022
What Log4Shell has taught us. [CyberWire-X]
1928
If 2021 taught us anything, it’s that our supply chain–especially our technical supply chain–hangs in the balance of a very fragile system. The year came to a close with the announcement of the Log4j zero day. Talk about saving the best for last. On this episode of CyberWire-X, the CyberWire's Rick Howard speaks with Tom Quinn CISO at T. Rowe Price, about the topic. Show Sponsor ExtraHop’s Head of Product, Ted Driggs, joins the CyberWire's Dave Bittner to examine what Log4Shell tells us about the state of cyber defense going into 2022, and what enterprises can do to prepare. Through these conversations, we explore the challenges that enterprises had in patching the vulnerability, take a closer look at the advanced post-compromise threat activity spotted in the wild, and glean lessons that can be learned to build resilience against the next Log4j-style zero day.
Feb 20, 2022
Instagram hijacks all start with a phish. [Research Saturday]
1378
Guest Marcelle Lee, Senior Security Researcher and Emerging Threats Lead, from SecureWorks joins Dave to share her team's work on "Ransoms Demanded for Hijacked Instagram Accounts." An extensive phishing campaign has targeted corporate Instagram accounts since approximately August 2021. The threat actors demand ransoms from the victims to restore access. Organizations typically focus on traditional enterprise cybersecurity threats. However, some threats are more subtle, targeting organizations on unexpected platforms. In October 2021, Secureworks Counter Threat Unit (CTU) researchers identified a phishing campaign that hijacks corporate Instagram accounts, as well as accounts of individual influencers who have a large number of followers. The threat actors then extort ransom payments from the victims. The activity continues at the time of the interview. The research can be found here: Ransoms Demanded for Hijacked Instagram Accounts
Feb 19, 2022
False flags, disinformation, and cyber operations in a hybrid conflict. Log4j vulnerabilities exploited. Wiper used against Iranian television. Kraken’s evolution. CISA’s guide to free security tools.
1747
False flags and disinformation in Ukraine, as Western governments warn of the risk of both Russian escalation and the prospects of cyberattacks spreading beyond Ukraine’s borders. Log4j “Day-1” vulnerabilities exploited in the wild. Threat actors deployed a wiper in the course of hijacking Iranian television. The Kraken botnet is evolving, picking up an information-stealing capability. Our guest is Brittany Allen of Sift to discuss the DOJ seizing 3.6B worth of stolen crypto. Chris Novak from Verizon addresses Geopolitics and threat intelligence. And CISA launches a Catalog of Free Cybersecurity Services and Tools. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/34
Feb 18, 2022
Someone’s engaged in provocation in the Donbas. Ukraine sees a Russian influence operation in recent DDoS attacks. Ice phishing as a threat made for a decentralized web.
1762
Provocation may have begun in Ukraine, and no one but Russia can see any signs of a Russian withdrawal of troops to garrison. Recent DDoS attacks in Ukraine are seen as an influence operation. The compromise of International Red Cross data has been tentatively attributed to an unnamed state actor. Johannes Ullirch from SANs shares a fancy phish. Our guests are Mike Theis and Stacy Hadeka from Hogan Lovells to discuss the cyber aspects of the False Claims Act. And Microsoft describes ice phishing: social engineering for a decentralized web3. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/33
Feb 17, 2022
A warning of cyberespionage targeting US cleared defense contractors. Update on the hybrid war against Ukraine. China’s favorite RAT. QR codes. Addiction to alt-coin speculation.
1858
US agencies warn of Russian cyberespionage against cleared defense contractors. Updates on the Russian pressure against Ukraine. ShadowPad as China’s RAT of choice. BlackCat claims to have leaked data stolen in a double-extortion ransomware attack. Follow the bouncing QR code. Dinah Davis from Arctic Wolf on Canada’s government ransomware playbook. Rick Howard chats with Bill Mann from Styra on DevSecOps. And if you’re addicted to cryptocurrency speculation, the first step in recovery is admitting you’ve got a problem. (The second step is to step away from the phone.) For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/32
Feb 16, 2022
Cyberattacks reported in Ukraine as Russia signals a willingness to negotiate with NATO. TA2541 targets aviation and allied sectors. BlackCat’s tough to shake. Romance scams. Beamers.
1638
Reports of cyberattacks against Ukrainian targets as the parties to the crisis resume negotiations. The US has been forthcoming with intelligence on Russia’s ambitions in the region; those revelations form part of an influence strategy. An apparent criminal group is targeting aviation and related sectors. BlackCat ransomware victims are having difficulty recovering. Why conditions favor romance scams. Ben Yelin looks at pending cyber breach notification laws. Our guest Padraic O'Reilly from CyberSaint on the effectiveness of Biden's plan to protect the water sector. And “beamers” defraud Roblox players. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/31
Feb 15, 2022
Hybrid war warnings over Russian designs on Ukraine. Senators ask about CIA bulk surveillance. No charges against reporter who inspected a website. Hacktivists or vigilantes?
1473
The US and the UK warn of the possibility of false-flag provocations as Russia keeps the pressure on Ukraine. NATO members and others issue warnings of the threat of Russian cyber operations spilling over the Ukrainian border. Two US Senators want an accounting from the CIA over an alleged bulk collection operation. No charges filed in the case of a reporter who viewed a website source. Hacktivism and vigilantism. 49ers hacked. Daniel Prince from Lancaster University on improving security in agile health IoT development. Rick Howard targets supply chain issues with the hash table. And have a careful Valentine’s Day. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/30
Feb 14, 2022
Roselle Safran: So much opportunity. [Entrepreneur][Career Notes]
487
CEO and Founder of KeyCaliber, Roselle Safran, takes us on her circuitous career journey from startup to White House and back to startup again. With a degree in civil engineering, Roselle veered off into a more technical role at a startup and she says "caught the startup bug." After convincing a hiring manager that she could learn on the job, she transitioned to computer forensics and started on the path of cybersecurity. Roselle worked in government for the Department of Homeland Security and then to the Executive Office of the President leading all of the security operations. She jumped back into the world of startups and has stayed there. Roselle tells people interested in a career in cybersecurity to just apply. Learn as much as you can and go for it. We thank Roselle for sharing her story with us.
Feb 13, 2022
SysJoker backdoor masquerades as benign updates. [Research Saturday]
944
Guests Avigayil Mechtinger and Ryan Robinson from Intezer discuss SysJoker malware, a backdoor that targets Windows, Linux and MacOS, Malware targeting multiple operating systems has become no exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now.   In December 2021, the team at Intezer discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. Intezer named this backdoor SysJoker. SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, Intezer found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, Intezer estimates that the SysJoker attack was initiated during the second half of 2021.   The research can be found here: New SysJoker Backdoor Targets Windows, Linux, and macOS
Feb 12, 2022
Update on Russia’s hybrid threat to Ukraine. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back. And there’s a new wrinkle in the old familiar Nigerian prince scam.
1746
Update on Russia’s hybrid threat to Ukraine, with observations on possible international spillover. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back, and has resumed operations against government, healthcare, and education targets. Caleb Barlow warns of attacks coming from inside your network. Our guest is Tom Boltman of Kovrr on the shift in the cyber insurance market due to ransomware. And there’s a new wrinkle in the old familiar Nigerian prince scam–did you know the UN was compensating victims by sending them ATM cards? Neither did the UN. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/29
Feb 11, 2022
Liquidating Lviv botfarms. Notes on hybrid war. Digital frameups in India? The Lazarus Group’s new yet familiar phishbait. Warnings about ransomware.
1747
Ukraine takes down two botfarms pushing panic. Thoughts on hybrid warfare. Russia and China explain how we ought to see the political and online worlds. Digital frameups are reported in India. Lazarus phishes with bogus job offers. Espionage services looking for journalists’ sources. David Dufour from Webroot ponders the Metaverse. Our guest is Amanda Fennell, host of the Security Sandbox podcast. And public and private-sector warnings about ransomware.
Feb 10, 2022
A Foreign Office hack is disclosed (but that’s it). Preparing for a cyber escalation in the hybrid war Russia’s waging against Ukraine. Multi-cloud threats. Patch Tuesday notes. Razzlekhan raps.
1638
Britain’s Foreign Office sustained a cyberattack last month (the details are secret). Poland stands up a Cyber Defense Force as Europe and North America raise their level of cyber readiness. Negotiations over the Russian pressure on Ukraine are likely to be protracted. Threats to multi-cloud environments. Patch Tuesday notes. Dinah Davis from Arctic Wolf on keeping kids safe online. Carole Theriault examines Mozilla’s Privacy Not Included campaign. And Razzlekhan rocks the mic with her mad skillz, or used to, anyway. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/27
Feb 09, 2022
Crowdfunding hacktivists and other irregulars. The Molerats have some new tools. Right-to-left override. Arrests in a cryptocurrency money-laundering case.
1679
Diplomacy continues over the Russian threat to Ukraine. In the meantime, hacktivists and others are said to be receiving crowdfunding through alt-coin remittances. The Molerats are back, and they have some new tools. Right-to-left override is being seen again in the wild. Vodafone Portugal is taken offline by a cyberattack. Joe Carrigan on Meta’s ten billion dollar privacy hit. Our guest is Greg Otto from Intel 471 to discuss shifts in ransomware strains. And two arrests are made in a money-laundering case connected with the Bitfinex hack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/26
Feb 08, 2022
Russia’s hybrid war against Ukraine is currently heavier on the cyber than it is on the kinetic. BlackCat’s connection with DarkSide. An alert on LockBit. And six Indian call centers indicted.
1639
The FSB is active against Ukrainian targets as NATO continues to work out the cybersecurity assistance it will provide Kyiv. BlackCat is found to be connected to the DarkSide gang, either as a superseding affiliate or as a simple rebranding of the same old crew. The FBI issues an alert about LockBit. Kevin Magee from Microsoft on their final report on Nobellium and the Solar Winds attack. Rick Howard steers the hash table toward supply chains. And the US has indicted six call centers in India on charges related to some familiar scams. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/25
Feb 07, 2022
Chris Hadnagy: Show them that you're worth it. [Social engineer] [Career Notes]
528
CEO and Chief Human Hacker at Social-Engineer, Chris Hadnagy, went from phone phreaker to social engineering authority with many things in between. In college, Chris took phone phreaking to a new level and recreated Cap'n Crunch whistle sound with a computer, strung a bunch of modems together, and inadvertently took down 75% of Sarasota County's phone system. His foray into social engineering came after a slew of non-tech jobs. Chris advises us maybe not to read his first book, but to read a lot to help educate yourself and to get yourself out there and prove yourself. We thank Chris sharing his story with us.
Feb 06, 2022
The persistent and patient nature of advanced threat actors. [Research Saturday]
1196
Guest Danny Adamitis from Black Lotus Labs joins Dave to discuss their team's new research "New Konni Campaign Kicks the New Year Off by Targeting Russian Ministry of Foreign Affairs." Black Lotus Labs, the threat research team of Lumen Technologies, uncovered a series of targeted actions against the Russian Federation’s Ministry of Foreign Affairs (MID). Based upon the totality of information available and the close correlation with prior reporting, we assess with moderate confidence these actions leveraged the Konni malware, which has previously been associated with the Democratic People’s Republic of Korea, and were undertaken to establish access to the MID network for the purpose of espionage. This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks. After gaining access through stolen credentials, the actor was able to exploit trusted connections to distribute and load the malware, first by impersonating a government software program coinciding with new Covid mandates, and then through sending trojanized files from a compromised account. The research can be found here: New Konni Campaign Kicks Off The New Year By Targeting Russian Ministry Of Foreign Affairs
Feb 05, 2022
Update on Russian cyber ops and disinformation around Ukraine. Ransomware disrupts European ports. Chinese intelligence services exploit a Zimbra zero-day.
1678
Primitive Bear is snuffling around Ukraine, and Russia may be preparing deepfake video to lend legitimacy to its claims with respect to its neighbor. European ports and other logistical installations are under attack by ransomware, apparently uncoordinated criminal activity. Daniel Prince from Lancaster University on safeguarding IoT in Healthcare. Our guest is Chris Wysopal of Veracode with research on increases in automation and componentization in software development. And a Chinese APT is said to be exploiting a Zimbra webmail cross-site-scripting zero-day, so users beware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/24
Feb 04, 2022
Ukraine goes to a higher state of cyber alert. Chinese cyberespionage hits financial services in Taiwan. Arid Viper is back, and so is Adalat Ali. BlackCat disrupts fuel distro in Germany. Hacking the DPRK.
1782
Ukraine and NATO increase their cyber readiness. Chinese cyberespionage has been looking closely at financial services in Taiwan. Hacktivists hit Iranian state television. Arid Viper is phishing for targets in the Palestinian Territories, and apparently doesn’t care who knows it. BlackCat ransomware implicated in attacks on German fuel distribution firms. Verizon’s Chris Novak shares his thoughts on the cyber talent pool. Our guest is Torin Sandall from Styra on Open Policy Agent. And, Bro, treat yourself to a pair of Vans. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/23
Feb 03, 2022
Both sides in the conflict over Ukraine are talking with their allies and preparing for conflict in cyberspace. A cyberattack disrupts gasoline distribution in Germany. Notes on APTs and privateers.
1637
Tensions between Russia and Ukraine, and between Russia and NATO, remain high as diplomacy is at a temporary impasse: both sides have stated their incompatible positions and are consulting with their allies. NATO prepares to render cyber assistance to Ukraine. An unspecified cyberattack affects gasoline distribution in Germany. The White Tur threat group borrows heavily from several APTs, but itself remains mysterious. Charming Kitten gets some new claws. Caleb Barlow on Harvard’s analysis of Equifax. Our guest is Gunter Ollmann from Devo discussing their third annual SOC Performance Report. And the Trickbot gang seems to be privateering in that old familiar way. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/22
Feb 02, 2022
Updates on the crisis over Ukraine, as Russian cyber operations continue. Ransomware threatens OT. Ramnit remains a leading banking Trojan. Bots infesting some NFT markets. Agencies advise opsec.
1890
No progress so far in talks over the Ukraine crisis, as Moscow’s diplomacy and influence operations merge in a narrative of a Russia beset by armed Nazis, goaded on by a greedy America that doesn’t want Russia competing in world markets. Ransomware and cyberthreats to OT systems. Ramnit is still up and at em in the banking Trojan world. Bots are following big brands in NFT markets, with predictable effects. Ben Yelin has an update on NSO Groups’s marketing attempts to the FBI. An introduction to Dr. Andrew Hammond and the SpyCast podcast. And sending that sample in for your doctor? Bro, buy locally. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/21
Feb 01, 2022
The UN Security Council will take up Russia’s hybrid war against Ukraine as Western powers prepare sanctions. Other ransomware and social engineering campaigns.
1710
The US takes Russia to the UN Security Council over its threat to Ukraine, and, while Russian forces remain in assembly areas, a campaign of cyberattack and influence operations continues. Western powers, notably the UK and the US, are preparing sanctions against Russia. Elsewhere, ongoing ransomware and social engineering. Dinah Davis from Arctic Wolf on Linux malware via IoT devices. Rick Howard shares his favorite sources for keeping up to date. And there’s a pair of decisions in a long-running case involving HP Enterprise’s purchase of Autonomy. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/20
Jan 31, 2022
Helen Patton: A platform to talk about security. [CISO] [Career Notes]
615
Advisory CISO at Cisco, Helen Patton, shares that a combination of dumb luck, hard work and serendipity that got her to where she is today. Growing up in the country in Australia, Helen notes that computers were not really a thing. She happened into technology after moving to the US, as she was the only person in her office under 40. Of course she would be comfortable with computers and able to handle a database conversion, right? That launched her into a career that spanned supporting small nonprofits, working at one of the biggest banks on Wall Street while leading a global team, being the CISO of a major university, and now Advisory CISO at Cisco. Helen recently wrote a book, "Navigating the Cybersecurity Career Path," to help others know when it's time to move on from one role to another role as part of desire to give back to the community. We thank Helen for sharing her story with us.
Jan 30, 2022
Zero Trust for cloud assets: Identity authentication and authorization. [CyberWire-X]
2055
Applying Zero Trust principles to access rights can be tricky given the volume and dynamic nature of services in the cloud. Serverless computer services, like AWS Lambda, multiply the volume of identities to manage. These cloud services often have excessive permissions to access sensitive data and can become a potential entry point for an attacker to exploit. The CyberWire's Rick Howard speaks with Scott Farber, Principal Cyber Architect & Zero Trust Technical Lead at MITRE about the topic. Show Sponsor Sysdig's Vice President of Security Product Management, Maor Goldberg, brings experience with data center and cloud to a discussion with CyberWire-X on the considerations for managing access rights in this hybrid world. They consider the pros and cons of different approaches to enforcing least privilege in the cloud.
Jan 30, 2022
Use of legitimate tools possibly linked to Seedworm. [Research Saturday]
973
Guest Sylvester Segura from the Symantec Threat Hunter Team joins Dave to discuss their team's work on "Espionage Campaign Targets Telecoms Organizations across Middle East and Asia." Attackers most likely linked to Iran have attacked a string of telecoms operators in the Middle East and Asia over the past six months, in addition to a number of IT services organizations and a utility company. Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics. While the identity of the attackers remains unconfirmed, there is some evidence to suggest a link to the Iranian Seedworm (aka MuddyWater) group. The targeting and tactics are consistent with Iranian-sponsored actors. The research can be found here: Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
Jan 29, 2022
Diplomacy and cyber warnings in the Ukraine crisis. REvil may not actually be out of business. A warning about Iranian state-directed hacking. And Data Privacy Day is observed.
1710
Diplomatic channels remain open even as NATO and the US reject Russian demands over Ukraine. More warnings over Russian cyber operations in the hybrid conflict (Voodoo Bear is mentioned in dispatches). Social media as a source of tactical intelligence. The FBI tells industry to be alert for Iranian hacking. Ransomware continues to circulate. Josh Ray from Accenture digs into the Bassterlord Networking Manual. Carole Theriault examines a university data backup snafu. And a happy Data Privacy Day to all. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/19
Jan 28, 2022
Updates on the hybrid war in Ukraine. Industrial espionage in Germany, conventional espionage in Western Asia. C2C markets, social engineering, and scamware.
1507
Cyber risk continues over Ukraine as the US and NATO reject Russian demands. Emissary Panda’s industrial espionage against German industry. Fancy Bear is spotted in Western Asia. The C2C market’s initial access broker Prophet Spider is selling access to unpatched VMware Horizon instances. Social engineering adapts to its marks. Thomas Etheridge from CrowdStrike on the power of Identity/Zero Trust in stopping ransomware attacks. Our guest is Gary Guseinov of Real Defense to discuss M&A activity. And Dark Herring scamware is ejected from app stores, but not before hitting over a hundred million victims. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/18
Jan 27, 2022
Tensions between Russia and Ukraine remain high as NATO offers Ukraine cyber, diplomatic, and other support. DDoS in the DPRK. DazzleSpy in the watering hole. TrickBot ups its game.
1719
Tensions between Russia and Ukraine remain high as NATO offers Ukraine cyber, diplomatic, and other support. North Korea gets DDoSed. DazzleSpy hits Hong Kong dissidents drawn to a watering hole. TrickBot ups its game. A quick look at ransomware trends. Microsoft’s Kevin Magee unpacks a recent World Economic Forum report. Our own Rick Howard speaks with Chriss Knisley from MITRE ATT&CK Defender on certifications. And Dame Fortune teaches Michiganders to throw caution to the winds. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/17
Jan 26, 2022
Hacktivism as irregular operations-short-of-war. A banking Trojan aims at fraudulent wire transfers. DTPacker’s two-step delivery. REvil re-forms? Ransomware and insider threats. DDoS in Andorra.
1969
Tensions remain high as Russia assembles troops near Ukraine and NATO moves to higher states of readiness. The Belarusian Cyber Partisans claim responsibility for a ransomware attack against Belarusian railroads. The BRATA banking Trojan spreads, as does DTPacker malware. REvil alumni may be getting the band back together. Ransomware operators working harder to recruit insiders at their targets. Joe Carrigan has the story of a romance scammer in custody. Mr. Security Answer Person John Pescatore has thoughts on BYOD. And there’s a major DDoS campaign shutting down the Internet in Andorra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/16
Jan 25, 2022
Updates on the continuing hybrid war in Ukraine. Julian Assange will get another chance to avoid extradition. And Russian privateers find that they’re expendable.
1724
Updates on the continuing hybrid war in Ukraine. The UK charges Russia with trying to install a puppet in Kyiv. Nominal hacktivists claim an attack against Belarusian railroads. Compromise of Greek parliamentary email accounts reported. Netherlands authorities warn against relaxing your guard against Log4j exploitation. Julian Assange will get another chance to avoid extradition. Rick Howard’s been pondering his reading list. Dinah Davis from Arctic Wolf on securing your smart speakers. And Russian privateers find that they’re expendable. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/15
Jan 24, 2022
Andrew Maloney: Never-ending thirst for knowledge. [COO] [Career Notes]
545
COO and Co-Founder of Query. AI, Andrew Maloney, shares how the building blocks he learned in the military helped him get where he is today. Coming from a blue collar family with a minimal knowledge of computers, Andrew went into computer operations in the Air Force. While deployed to Oman just after the start of the Iraq War, Andrew said he got his break into security. That's where he learned the components that fit together in order to effectively secure an environment. Andrew's words of wisdom: You've got to keep pushing and you've got to believe in yourself and never sell yourself short. We thank Andrew for sharing his story with us.
Jan 23, 2022
A collaboration stumbles upon threat actor Lyceum. [Research Saturday]
1136
Guest Rob Boyce, Accenture's Global Lead for Cyber Incident Response and Transformation Services, joins Dave to discuss joint research done by Accenture’s Cyber Threat Intelligence (ACTI) group and Prevailion’s Adversarial Counterintelligence Team (PACT). The teams dug into recently publicized campaigns of the cyber espionage threat group Lyceum (aka HEXANE, Spirlin) to further analyze the operational infrastructure and victimology of this actor. The team’s findings corroborate and reinforce previous ClearSky and Kaspersky research indicating a primary focus on computer network intrusion events aimed at telecommunications providers in the Middle East. Additionally, the research expands on this victim set by identifying additional targets within internet service providers (ISPs) and government agencies. Although all victim-identifying information has been redacted, this report seeks to provide these targeted industry and geographic verticals with additional knowledge of the threat and mitigation opportunities. The research can be found here: Who are latest targets of cyber group Lyceum?
Jan 22, 2022
Ukrainian crisis continues, with attendant risk of hybrid warfare. MoonBounce malware in the wild. Pirate radio hacks a number station.
1636
US and Russian talks over Ukraine conclude with an agreement to further exchanges next week. Western governments continue to recommend vigilance against the threat of Russian cyberattacks against critical infrastructure. The US Treasury Department sanctions four Ukrainian nationals for their work on behalf of Russia’s FSB and its influence operations. A firmware bootkit is discovered in the wild. Security turnover at Twitter. Caleb Barlow looks at wifi hygiene. Our guest is Allan Liska on his latest ransomware book. And a number station gets hacked, in style. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/14
Jan 22, 2022
Looking toward tomorrow’s Russo-American talks about the Ukraine crisis. A memorandum gives NSA oversight authority for NSS. A look at the C2C markets.
1812
As Russian forces remain in assembly areas near the Ukrainian border, the US and Russia prepare for tomorrow’s high-level talks in Geneva. NATO members look to their cyber defenses. US President Biden issues a Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. Notes on C2C markets. Mirai is exploiting Log4j flaws. Verizon’s Chris Novak shares insights on Log4j challenges. Our guest is Ryan Kovar from Splunk with a look at the year ahead. And Olympic athletes heading to China? Better grab that burner phone. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/13
Jan 20, 2022
Updates on what Ukraine is now calling “BleedingBear.” CISA advises organizations to prepare for Russian cyberattacks. Other cyberespionage campaigns, and a new ransomware strain.
1622
Ukraine confirms that it was hit by wiper malware last week, as tension between Moscow and Kyiv remains high. It remains high as well between Russia and NATO, as Russia continues marshaling conventional forces around Ukraine. CISA advises organizations to prepare to withstand Russian cyberattacks. Other cyberespionage campaigns are reported, as is a new strain of ransomware. Microsoft’s Kevin Magee provides friendly counsel for CISOs and boards. Our guest is Clar Rosso from ISC2 on the communication gap between cybersecurity teams and executive leaders when it comes to ransomware. And the natural disaster in Tonga may offer lessons in resilience and recovery. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/12
Jan 19, 2022
A new member of the Winnti Cluster is described. Cobalt Strike used against unpatched VMware Horizon servers. Ukraine blames Russia for what seems to be a destructive supply chain attack.
1565
A new Chinese cyberespionage group is described. Cobalt Strike implants are observed hitting unpatched VMware Horizon servers. Ukraine attributes last week’s cyberattacks to Russia (with some possibility of Belarusian involvement as well). Microsoft doesn’t offer attribution, but it suggests that the incidents were more destructive than ransomware or simple defacements. The US warns of possible provocations. Ben Yelin looks at a bipartisan TLDR bill. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance on the ongoing threat of phishing. And the REvil arrests in Russia may have been for “leverage.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/11
Jan 18, 2022
SOAR - a first principle idea. [CSO Perspectives}
1021
Rick explains the network defender evolution from defense-in-depth in the 1990s, to intrusion kill chains in 2010, to too many security tools and SOAR in 2015, and finally to devsecops somewhere in our future.  Resources: “Cybersecurity First Principles: DevSecOps.” by Rick Howard, CSO Perspectives, The CyberWire, 8 June 2020. “FAQ,” RSA Conference, 2020. "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric Hutchins, Michael Cloppert, Rohan Amin, Lockheed Martin Corporation, 2010, last visited 30 April 2020.   “Malware? Cyber-crime? Call the ICOPs!” by Jon Oltsik, CSO, Cybersecurity Snippets, 22 June 2015. “Market Guide for Security Orchestration, Automation and Response Solutions,” by Gartner, ID G00727304, 21 September 2020.  “MITRE ATT&CK,” by Mitre. “The Cybersecurity Canon: The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win,” book review by Rick Howard, Palo Alto Networks, 21 October 2016. “The Cyber Kill Chain is making us dumber: A Rebuttal,” by Rick Howard, LinkedIn, 29 July 2017. “The Evolution of SOAR Platforms,” by Stan Engelbrecht, SecurityWeek, 27 July 2018. “What is SOAR (Security Orchestration, Automation, and Response)?” by Kevin Casey, The Enterprisers Project, 30 October 2020.
Jan 17, 2022
Marina Ciavatta: Going after the human error. [Social engineer] [Career Notes]
636
Social engineer and CEO of Hekate, Marina Ciavatta, shares her story of how people think her job is a la Mission Impossible coming from the ceiling with a rope and stealing stuff in the dead of the night. Marina does physical pentesting. Starting with an unused degree in journalism, Marina turned her talent for writing into a job as a content producer for a technology company and this appealed to her self-proclaimed nerdism. She fell in love with hacking and got into pentesting thanks to a friend. Marina recommends those interested in physical pentesting "try to find other social engineers to mingle. It's in the name. We are social creatures." We thank Marina for sharing her story with us.
Jan 16, 2022
Keeping APIs on the radar: Evaluating the banking industry. [Research Saturday]
1597
This episode features guest Alissa Knight, former hacker and partner at Knight Ink, along with Karl Mattson, CISO from Noname Security, discussing findings on severe API vulnerabilities in U.S. banking applications research that was conducted by Alissa and funded by Noname Security. The research, “Scorched Earth: Hacking Bank APIs,” unveils a number of vulnerabilities in the banking, cryptocurrency exchange, and FinTech industries. In her Money 20/20 keynote presentation entitled “Scorched Earth: Hacking Bank APIs”. In her presentation, Alissa revealed that she was able to gain access to 55 different banks and change PIN codes and move money in and out of accounts. Three lessons learned include: API security vulnerabilities affect all enterprises, API security needs to be operationalized across the enterprise, and API security requires posture management, runtime security, and active testing. Details can be found here: White paper: Hacking Banks and Cryptocurrency Exchanges Through Their APIs Blog post: 3 API Security Lessons from “Scorched Earth: Hacking Bank APIs” Press release: New Research Shows Vulnerabilities in Banking, Cryptocurrency Exchange, and FinTech APIs Allow Unauthorized Transactions and PIN Code Changes of Customers Alissa's presentation at Money 20/20.
Jan 15, 2022
Influence operations in the grey zone. FSB raids REvil. Open Source Software Security Summit looks to public-private cooperation. Privateering and state-sponsored cybercrime.
1815
A large-scale cyberattack against Ukrainian websites looks like an influence operation, and Russian intelligence services are the prime suspects. The FSB raids REvil. The White House Open Source Software Security Summit looks toward software bills of materials. MuddyWater exploits Log4shell. The DPRK is working to steal cryptocurrency. Caleb Barlow shares the consequences of the 3G network shutdown. Our guest is John Lehmann from Intellectual Point with programs that help military veterans transition to the cybersecurity industry. Honor among thieves, and spies. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/10
Jan 14, 2022
A public-private conference takes up open source software security at the White House. MuddyWater attributed to Iran. Espionage and ransomware arrests.
1669
A White House government-industry summit today addresses open-source software security. The US officially makes its second attribution of the week to a nation-state: it calls out Iran as the operator of the MuddyWater threat group. Israel arrests five on charges related to spying for Iran (they’re thought to have been recruited through catphishing). Citizen Lab finds Pegasus in Salvadoran phones. Ukraine arrests a ransomware gang. Thomas Etheridge from CrowdStrike on the importance of threat hunting for zero days. Our guest is Dr. David Bader of New Jersey Institute of Technology discussing the challenges of securing massive-scale analytics. And ransomware hits US state and local governments. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/9
Jan 13, 2022
The US and EU seek to shore up cybersecurity as Russo-Ukraininan tensions run high. NIST updates secure system standards. Ransomware exploits Log4shell. Dog bites man: fraud in social media.
1644
The US issues an alert over the prospect of Russian cyberattacks, and the EU begins a series of stress tests, both in apparent response to concerns over the prospect of a Russian attack on Ukraine. NIST updates its guidance on Engineering Trustworthy Secure Systems. NIght Sky ransomware exploits Log4shell. Phishing afflicts a hotel chain. Carole Theriault examines international efforts to stop digital fraud. Ben Yelin fon Seattle Police Faking Radio Chatter. And we’re shocked, shocked, to learn of fraud and piracy on a social media platform.  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/8
Jan 12, 2022
Software supply chains and the free-rider problem. An APT is bitten by its own RAT. Europol told to clean up its data. A leak investigation in Denmark. QR-code phishbait.
1652
Log4shell as an instance of a more general software supply chain issue. An APT apparently mistakenly infects itself with its own RAT. A new backdoor, SysJoker, is in use in the wild. A warning on commercial surveillance software. A leak investigation continues in Denmark. Joe Carrigan explains bogus QR codes. Our guest is Casey Allen of Concentric on cyber vulnerabilities in automobiles. And, Europol is told it has a year to clear its databases of information on people not involved in crime. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/7
Jan 11, 2022
CISA provides an account of progress toward Log4shell remediation. Other issues are reported in open-source libraries. Undersea cable security. FIN7’s BadUSB campaign. Security and Yealink.
1847
CISA describes progress toward remediating Log4shell. Other open-source libraries are found to have similar issues, in one case problems deliberately introduced by the developer. Concerns are expressed over undersea cable security. FIN7’s BadUSB campaign. Security questions about another Chinese-made phone. Our guest is Bob Maley from Black Kite on their report - The Government Called, Are You Ready to Answer? Chris Novak from Verizon on PCI 4.0. And Russo-American talks open in Geneva. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/6
Jan 10, 2022
Julian Waits: Find a way to help society. [Serial Entrepreneur] [Career Notes]
634
Senior Vice President and Executive in Residence with Rapid7 and Chairman for Cyversity, Julian Waits, grew up in the era of the Justice League and Superman and it shaped his career. Julian always wanted to do something where he could find a way to help society to basically help others. Starting out as a Baptist minister with aspirations of being a professional musician, Julian found it more practical to take some technology classes and practice his saxophone when he had time. His first tech job was at Texaco where he worked on early networks and moved into systems engineering at Compaq. Julian notes his ADD made coding less attractive than talking with others to solve problems and Compaq provided him with opportunities to pivot. Searching out diversity, Julian moved to DC, and had his first taste of startups. He now describes himself as a serial entrepreneur. We thank Julian for sharing his story with us.
Jan 09, 2022
The rise of Karakurt Hacking Team.
850
Guest Rob Boyce, Accenture's Global Lead for Cyber Incident Response and Transformation Services, joins Dave to discuss their research "Karakurt rises from its lair." Accenture Security has identified a new threat group, the self-proclaimed Karakurt Hacking Team, that has impacted over 40 victims across multiple geographies. The threat group is financially motivated, opportunistic in nature, and so far, appears to target smaller companies or corporate subsidiaries versus the alternative big game hunting approach. Based on intrusion analysis to date, the threat group focuses solely on data exfiltration and subsequent extortion, rather than the more destructive ransomware deployment. In addition, Accenture Security assesses with moderate-to-high confidence that the threat group’s extortion approach includes steps to avoid, as much as possible, drawing attention to its activities. The research can be found here: Karakurt rises from its lair
Jan 08, 2022
Kazakhstan shuts down its Internet as civil unrest continues (and one consequence is a disruption of alt-coin mining in that country). More on Log4j. Ransomware hits school website provider.
1538
Kazakhstan shuts down its Internet as civil unrest continues (and one consequence is a disruption of alt-coin mining in that country). The UK’s NHS warns of unknown threat actors exploiting Log4j bugs in unpatched VMware Horizon servers. In the US, CISA continues to assist Federal agencies with Log4j remediation, and observers call for more Government support of open-source software security. A major provider of school websites is hit with ransomware. Our guest is John Belizaire of Soluna Computing with a new approach to data center efficiency. Thomas Etheridge from CrowdStrike on supply chain risks. And the US extends the deadline to apply for grants in support of rip-and-replace. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/5
Jan 07, 2022
Log4j and industrial control systems. Regulators consider the software supply chain. Malsmoke hits an old vulnerability. Social engineering via Google Docs. Call spoofing and robocalls.
1814
ICS vendors address Log4j vulnerabilities. Regulators and legislators think about addressing issues in the software supply chain. Ransomware gangs were quick to exploit Log4shell. An old, and patched, Windows vulnerability is being exploited by the Malsmoke gang. Social engineering of Google Docs users is up. Mr. Klyshin pleads not guilty. Robert M. Lee from Dragos makes the case for salary transparency. Our guest is George Gerchow from Sumo Logic with new approaches for the modern threat landscape. And call spoofing is making robocalls moderately more plausible. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/4
Jan 06, 2022
CISA reports progress on Log4j. The FTC warns US businesses about taking Log4j risk mitigation seriously. Gangland updates, and some notes on hybrid war.
1839
CISA says US Federal agencies are now largely in compliance with Log4j risk mitigation guidance. The FTC issues advice and a warning on Log4j to US businesses. A skimmer is installed through cloud-delivered video. The Vice Society’s ransomware is meddling with supermarket operations in the UK. The Atlantic Council offers advice on strategy for the grey zone. Hacktivists are expected to punish greenwashing in 2022. Caleb Barlow on recent FBI PIN about how ransomware operators are looking for material non-public information to improve their chances of being paid. Our guest is Helen Patton from Cisco on her book, Navigating the Cybersecurity Career Path. And James Pond is the CEO of hybrid war! For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/11/3
Jan 05, 2022
Log4j issues persist. Konni RAT found in New Year’s greetings. Hacktivism or state-directed cyber action? Moscow worries about Mr. Klyushin’s knowledge. The Show-Me-Too-Much State.
2007
It’s going to take time, vigilance, and attention to detail to manage the Log4j risks. A North Korean APT is trying to install the Konni RAT into Russian diplomats’ devices. More hacktivist-looking incidents follow the anniversary of Iranian General Soleimani’s death. Other, self-inflicted, software supply chain incidents. The Kremlin is said to be worried about what Mr. Klyushin might tell the Americans who’ve got him in jail. Ben Yelin on the tension between ephemeral messaging apps and the public’s right to know. Mr Security Answer Person John Pescatore joins our show. And the Show-Me state needs to rethink all that showin’. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/11/2
Jan 04, 2022
Log4j updates, including an Aquatic Panda sighting. Cyberattacks hit news services in Norway, Israel, and Portugal. Addressing Y2K22.
1589
Aquatic Panda has been found working Log4shell exploits against an academic institution. Apache fixes new Log4j issues reported last week, and Microsoft also updates Windows Defender to address Log4j risks. Cyberattacks, criminal or hacktivist in motivation, hit news outlets around the new year. Microsoft works on fixing a Y2K22 bug in on-premise Exchange Server. Andrea Little Limbago from Interos on technology spheres of influence. Our guest is Mark Dehus from Lumen’s Black Lotus Labs with DDoS insights. And CISA issues some ICS security advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/11/1
Jan 03, 2022
Cybersecurity predictions for 2022. [CyberWire-X]
1794
Industry experts discuss their cybersecurity predictions for 2022, what trends and attacks will be most prevalent in the year ahead, and how organizations should be preparing for the new year. In this show, we cover what they think the industry might see in 2022 (and some we probably won't see). The CyberWire's Rick Howard speaks with Hash Table member Kevin Magee, Chief Security Officer at Microsoft Canada, and show sponsor Keeper Security's CTO & Co-Founder Craig Lurey joins The CyberWire's Dave Bittner on this CyberWire-X and shares his insights on the topic.
Jan 02, 2022
Dr. Rois Ni Thuama: Get into the game. [Cyber governance] [Career Notes]
560
Head of Cyber Governance with Red Sift, Dr. Rois Ni Thuama shares the circuitous route of her career into cyber governance. She notes the route "looks really clean, but actually it was a bit more Jeremy Bearimy." While at Trinity College, Rois was moved to be part of history unfolding in South Africa and pause her studies. While there, she began making music videos and wildlife documentaries. Upon her return to London, Rois started working in corporate governance and risk at a music technology startup. This ignited her enthusiasm for startups. She now works in a company with several coworkers from that tech startup doing cyber governance. Rois advises law students of many ways into the industry including doing coding, learning risk management, and understanding privacy legislation, and then "just get into the game." We thank Rois for sharing her story. 
Jan 02, 2022
Encore: When big ransomware goes away, where should affiliates go? [Research Saturday]
1288
Our guest Doel Santos, Threat Research Analyst at Palo Alto Networks, joins Dave Bittner to talk about Unit 42's work on "Ransomware Groups to Watch: Emerging Threats." As part of Unit 42’s commitment to stop ransomware attacks, they monitor the activity of existing groups, search for dark web leak sites and fresh onion sites, identify up-and-coming players and study tactics, techniques and procedures. During their operations, Unit 42 observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future. Doel discusses these (AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0) with Dave. The research can be found here: Ransomware Groups to Watch: Emerging Threats
Jan 01, 2022
CyberWire Pro Interview Selects: Jaclyn Miller from NTT, Ltd.
792
During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Jaclyn Miller from NTT, Ltd. on diversity, inclusion and remote access security. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Dec 31, 2021
CyberWire Pro Interview Selects: Sir David Omand.
1295
During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Sir David Omand, former GCHQ Director, on his book, How Spies Think: Ten Lessons in Intelligence.. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Dec 30, 2021
CyberWire Pro Interview Selects: Zan Vautrinot on boards.
1217
During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with Zan Vautrinot about boards. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Dec 29, 2021
CyberWire Pro Interview Selects: Bill Wright of Splunk.
587
During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Bill Wright of Splunk on the ongoing geopolitical ransomware trend. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Dec 28, 2021
CSO Perspectives: Pt 2 – Mitre ATT&CK: from the Rick the Toolman Series.
1388
In this “Rick the Toolman” episode, Rick interviews Steve Winterfeld, from Akamai, on the current state and future of the Mitre ATT&CK Framework. For a complete reading list and even more information, check out Rick’s more detailed essay on the topic.
Dec 27, 2021
Encore: Andrew Hammond: Understanding the plot. [Historian and Curator] [Career Notes]
456
Historian and Curator at the International Spy Museum. Dr. Andrew Hammond, shares how he came to share the history of espionage and intelligence as a career. Starting out in the Royal Air Force when 9/11 happened, Andrew found himself trying to understand what was going on in the world. Studying history and international relations gave him some perspective and led him on his career path which included an introduction to museum industry at the 9/11 Museum. After a stint in academia in the UK, Andrew found his way back to the US and eventually ended up at the International Spy Museum in Washington, DC. He said one of the "greatest parts of the job being able to engage with the artifacts" and share their stories. We thank Andrew for sharing his story with us.
Dec 26, 2021
CyberWire Pro Research Briefing from 12/21/2021.
544
Enjoy a peek into CyberWire Pro's Research Briefing as the team is off taking our long winter's nap. This is the spoken edition of our weekly Research Briefing, focused on threats, vulnerabilities, and consequences, as they’re played out in cyberspace. This week's headlines: US Commission on International Religious Freedom reportedly hacked. Sophistication of NSO exploit on par with nation-state tooling. Conti ransomware actors exploit Log4Shell. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Dec 25, 2021
The CyberWire: The 12 Days of Malware.
283
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys.
Dec 25, 2021
CyberWire Pro Interview Selects: Hatem Naguib of Barracuda Networks.
659
During our winter break, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Hatem Naguib, new CEO of Barracuda Networks, to discuss his views on how cybersecurity trends have drastically changed over the past year, including the rise of ransomware. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Dec 24, 2021
Log4j updates, including one deadline. Other, non-Log4j, challenges. RSAC postpones itself until June. A German court awards pain-and-suffering damages in a breach case.
1709
An update of where things stand with respect to the Log4j vulnerabilities, and a reminder that there are other matters to attend to as well. RSAC postpones its annual security shindig to June, hoping to avoid the COVID. A German court awards pain-and-suffering damages for a data breach. Carole Theriault looks at hiring challenges in cyber. Robert M. Lee from Dragos with insights from his own entrepreneurial journey. And a new start-up seeks to take lemons and make them into lemonade. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/245
Dec 23, 2021
The Five Eyes have some joint advice on detecting, defending against, and responding to Log4j exploitation. Notes on ransomware, espionage, and cyber conflict.
1705
More criminals exploit vulnerabilities in Log4j. The Five Eyes issue a joint advisory on Log4j-related vulnerabilities, as other government organizations look into defending themselves against Log4shell. Ransomware updates. Russo-Ukrainian tensions rise, as does the likelihood of Russian cyberattacks against its neighbor. Uganda and NSO Group’s troubles. CISA issues six ICS advisories. Malek Ben Salem explains synthetic voices. Our guest is Dr. David Lanc from Ionburst on embracing Data Out protection. And some advice on how to be the family help desk and CISO during the holiday season. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/244
Dec 22, 2021
Belgium’s MoD suffers Log4shell attack. A man-in-the-middle concept. APT activity. Five Russians face US charges (one’s in custody). Fortunes of coin-mining. Holiday greetings from CISA and the FBI.
1687
Belgium’s Ministry of Defense comes under attack via Log4j vulnerabilities. A cellular handover, man-in-the-middle exploit is described by researchers. The FBI says an APT group is exploiting unpatched Zoho ManageEngine Desktop Central servers. The US charges five Russian nationals with a range of cybercrimes. Coin-miners in China feel some heat. Ben Yelin describes a Meta lawsuit targeting anonymous phishers. Our guest Todd Carroll of CybelAngel explains the shifting tactics of “troll farms”. And, Grinchbots aside, CISA and the FBI offer holiday greetings and advice. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/243
Dec 21, 2021
Log4j: new exploitation, new mitigations, new risk assessments. Service interruptions, Space Force’s capture-the-flag, and official interventions.
1611
Updates on Log4j vulnerabilities: new exploitation, new mitigations, new risk assessments, some good advice from the NCSC, and from Betsy Carmelite and Mike Saxton, analysts at Booz Allen Hamilton. Kronos interruptions continue into the holiday season. NCA shares compromised passwords with Have I Been Pwned. A power grid security exercise in Ukraine, AWS outage last week put down to congestion. Hack-A-Sat promises more transparency. Tis the season for charity scams, as Carole Theriault reports. And the SEC wants financial services companies to use proper channels, not, say, WhatsApp and personal email. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/242
Dec 20, 2021
Ed Amoroso: Security shouldn't be the main dish. [Computer Science] [Career Notes]
633
Chief Executive Officer and Founder of TAG Cyber, Ed Amoroso, shares how he learned on the job and grew his career. In his words, Ed "went from my dad having an ARPANET connection and I'm learning Pascal, to Bell Labs, to CISO, to business, to quitting, to starting something new. And now I'm riding a new exponential up and it's a hell of a ride." Hear from Ed how he sees security as a side dish that you'll progress into naturally once you've paid your dues and mastered a skill like networking, software or databases. We thank Ed for sharing his story with us.
Dec 19, 2021
Discovering ChaosDB, a critical vulnerability in the CosmosDB. [Research Saturday]
1061
Guests Sagi Tzadik and Nir Ohfeld of cloud security company Wiz join Dave to discuss their research "ChaosDB: How we hacked thousands of Azure customers’ databases." Nearly everything we do online these days runs through applications and databases in the cloud. While leaky storage buckets get a lot of attention, database exposure is the bigger risk for most companies because each one can contain millions or even billions of sensitive records. Every CISO’s nightmare is someone getting their access keys and exfiltrating gigabytes of data in one fell swoop. Database exposures have become alarmingly common in recent years as more companies move to the cloud, and the culprit is usually a misconfiguration in the customer’s environment. In this case, customers were not at fault. The research can be found here: ChaosDB: How we hacked thousands of Azure customers’ databases ChaosDB: How to discover your vulnerable Azure Cosmos DBs and protect them
Dec 18, 2021
Log4j updates, with a side of Fancy Bear. Roots of Huawei’s career as a security risk. Tropic Trooper is back. Meta boots “cyber mercenaries.” Other cyberespionage incidents.
1526
It seems that Fancy Bear may be interested in Log4shell after all. CISA issues Emergency Directive 22-02, which addressed Log4j. Huawei’s reputation as a security risk may be traceable to a 2012 incident in an Australian telco’s networks. Tropic Trooper is back, and interested in transportation. Meta kicks out seven “cyber mercenary” surveillance outfits. PseudoManusrypt looks curiously indiscriminate. Johannes Ullrich from SANS Technology Institute on making the great Chinese firewall work for you. Our guest is Terry Halvorsen from IBM on next-gen cybersecurity efforts to fix the cybersecurity inequity. And the US Commission on International Religious Freedom is reportedly hacked. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/241
Dec 17, 2021
Log4Shell exploited by criminals and intelligence services. Private sector offensive cyber capabilities. Noberus ransomware used in double-extortion attacks. Squid Game phishbait.
1587
Log4Shell is exploited by criminals and intelligence services. Private sector offensive cyber capabilities are on par with nation-states. Noberus ransomware is used in double-extortion attacks. Malek Ben Salem from Accenture looks at cyber twins. Our guest is Tom Kellermann from VMware with reaction to CISA’s Binding Operational Directive. And Squid Game phishbait. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/240
Dec 16, 2021
Log4j and Log4shell updates. Cyberespionage and C2C market developments. Patch Tuesday notes. And how do you pronounce that, anyway?.
1695
A second vulnerability is found and fixed in Log4j as both criminals and nation-state intelligence services increase their exploitation of Log4shell. Iranian intelligence services have been actively conducting cyberespionage against a range of targets in the Middle East and Asia. Andrea Little Limbago from Interos checks in on supply chain issues. Our guest is Suzy Greenberg from Intel with a look ahead toward the coming year. A quick look back at Patch Tuesday, and, finally, some musing on literacy, orality, and the way you pronounce stuff people tweet about... For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/239
Dec 15, 2021
Log4Shell updates. Payroll provider disrupted by ransomware. Companies supporting surveillance distance themselves from the business. Cybercrime and IRL punishment.
1920
An update on the Log4shell, and how it’s being exploited in the wild. A ransomware attack disrupts a cloud-based business service provider. NSO Group is said to be considering selling off its Pegasus unit. A marketing presentation suggests Huawei has been deeply implicated in providing tools for Chinese repression. Nigeria’s cyber gangs are actng like Murder, Inc. An arrest in Romania, sentences in Germany. Joe Carrigan looks at the language of cyber security. Our guest Brad Hawkins of SaferNet wonders if digital privacy even exists anymore. And news from Mars. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/238
Dec 14, 2021
Updates on Log4shell, now being exploited in the wild. India PM’s Twitter account is hijacked. Extortion at Brazil’s Ministry of Health and Volvo. Phishing sites’ lifespan. Sentence passed.
1634
The Log4shell vulnerability is trouble, and its remediation isn’t going to be quick or easy. In India, Prime Minister Modi’s Twitter account was hijacked. Official Brazilian COVID vaccination data bases are stolen and rendered unavailable. Extortionists claim to have taken sensitive, proprietary R&D information from Volvo. Phishing sites appear and vanish in a matter of hours. Rick the Toolman Howard expands his cast of characters. Robert M. Lee from Dragos shines a light on solar storms and risk management. And sentence is passed in a case related to the Kelihos botnet. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/237
Dec 13, 2021
Hannah Kenney: Focused on people. [Risk] [Career Notes]
466
Manager in BARR Advisory's Cyber Risk Advisory Practice, Hannah Kenney, shares her journey from never considering technology as a career to having it click in an informations systems class in college. After noticing she was the only one in the room who enjoyed the lecture, Hannah knew she wanted to go down the technology route. In talking about her work, Hannah describes it as creative problem solving. She hopes "people see me as someone who viewed cybersecurity and risk as something that is focused on people first and foremost." We thank Hannah for sharing her story with us.
Dec 12, 2021
FIN7 repositioning focus into ransomware. [Research Saturday]
1760
Guest Ilya Volovik, Team Lead of Cyber Intelligence at Gemini Advisory, discusses his team's work on "FIN7 Recruits Talent For Push Into Ransomware." The cybercriminal group FIN7 gained notoriety in the mid-2010s for large-scale malware campaigns targeting the point-of-sale (POS) systems. In 2018, Gemini Advisory reported FIN7’s compromise of Saks Fifth Avenue and Lord & Taylor stores and the subsequent sale of over 5 million payment cards on the dark web. According to the US Department of Justice, the broader FIN7 carding campaigns have resulted in the theft of over 20 million payment card records and cost victims over $1 billion, making FIN7 one of the most infamous and prolific cybercriminal groups of the last decade. Now with ransomware proving to be cybercriminals’ preferred high-profit, jackpot venture, FIN7 has redeployed their expertise and capacity towards ransomware, with reports indicating that the group was involved in attempted ransomware attacks on US companies as early as 2020. Furthermore, despite focus from law enforcement and the arrest of four FIN7 members from 2018 to 2020, FIN7’s continued activity shows that the group remains a powerful, active threat. The research can be found here: FIN7 Recruits Talent For Push Into Ransomware
Dec 11, 2021
Cyberespionage in Southeast Asia. Two young extortion gangs make their bones. Bot-herders like MikroTik devices. Log4Shell zero-day exploited in the wild. Update on the Assange case.
1470
Cyberespionage in support of Belt and Road, and of Beijing’s claims in the South China Sea. Karakurt ransomware skips the encryption and goes right to the doxing. Black Cat ransomware is rising. Vulnerable MikroTik devices are bot-herders’ favorites. The Log4Shell zero-day is being exploited in the wild, and will be a tough one to remediate. Julian Assange moves closer to extradition. Johannes Ullrich on changing user behavior. Our guest is Oliver Rochford of Securonix on the affordability of good security. And shoulder-surfing as a threat to Snapchat users. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/236
Dec 10, 2021
Ransomware gangs, paycard skimmers, and Grinchbots. Russia blocks Tor, and the US Senate holds hearings on social media and its arguably malign influence on youth.
1881
Conti continues, undeterred. Magecart skimmers are infesting WooCommerce instances. Users are finding url redirection attacks difficult to detect. A quick look at the workings of the Hive ransomware gang. Russia blocks Tor. The US Senate holds hearings on social media and adolescent mental health. Dinah Davis from Arctic Wolf on assessing your security posture. Our guest Neal Dennis of Cyware discusses Automation And Unification. And Grinchbots are still prowling for presents.  For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/235
Dec 09, 2021
AWS resolves service issues. A summit stand-off. Dark web chatter, and arbitrage courts in the C2C world. Looking for stolen or lost alt-coin.
1444
Amazon resolves its Tuesday outage as observers wonder about cloud risks. A stand-off at the Russo-American summit, but chatter in the dark web suggests that the Russophone underworld is feeling uneasy. A look at the arbitrage process that governs the criminal-to-criminal market. Carole Theriault reads the fine print. Andrea Little Limbago looks at global regulatory regimes. A DeFi platform asks for its stolen money back, and a guy looks for his private key in a physical garbage dump. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/234
Dec 08, 2021
The Russo-US summit is expected to take up tension over Ukraine and tensions in cyberspace. Microsoft disrupts APT15. Google disrupts Glupteba. Satoshi Nakamoto is...out there still?
1730
Notes on today’s Russo-America summit. Microsoft seizes websites used by the Chinese threat actor Nickel. Google takes technical and legal action against a Russian botnet. Ben Yelin unpacks Australia’s aim to uncover online trolls. Our guest is Ed Amorosa from TAG Cyber. And the real Satoshi Nakamoto has yet to stand up--just ask a Florida jury. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/233
Dec 07, 2021
Hot wallets hacked. Pegasus found in US State Department personnel’s phones. Cozy Bear update. Cybersecurity on the Russo-US summit agenda. US Cyber Command says it’s imposing costs.
1447
Cryptocurrency exchange loses almost $200 million as two hot wallets are compromised. Phones belonging to US State Department personnel concerned with Uganda are found to have been infected with NSO Group’s Pegasus surveillance technology. Mandiant reports recent activity by the threat group thought responsible for the SolarWinds compromise. Cybersecurity will be on the agenda at tomorrow’s Russo-US summit. Caleb Barlow outlines threats to the Winter Olympics. Rick the-toolman Howard looks at the marketing hype-cycle. And US Cyber Command says it’s been imposing costs. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/232
Dec 06, 2021
Ryan Kovar: Everyday, assume compromise. [Strategy] [Career Notes]
524
Distinguished Security Strategist at Splunk, Ryan Kovar, shares his journey that started in the US Navy and how it contributed to his leadership in life after the military. Cutting his teeth as sysadmin on the USS Kitty Hawk, Ryan worked as a contractor following the Navy. At Splunk, he leads the SURGe research team to solve what he calls the "blue collar for the blue team problems". He works hard on incorporating diversity of thought. Ryan notes, "I've been doing cybersecurity or IT now for over 20 years and of that 20 years of knowledge, only about five years of that knowledge is really relevant. You can't sit on your laurels in this industry." We thank Ryan for sharing his story with us.
Dec 05, 2021
Rediscover trust in cybersecurity: A women in cybersecurity podcast. [Special edition]
2571
It's important for employees to be brought into the fold as security's allies, rather than as its adversaries. For cybersecurity teams that operate with an adversarial mindset appropriate for external threats, it can be challenging to approach internal threats differently. You can't treat employees the same way you treat nation-state hackers. But employees play a pivotal role in preventing data leaks, making it important to create a company-wide culture of transparency. Transparency feeds trust, which builds a strong foundation for Security Awareness Training to be truly effective. The CyberWire's Jennifer Eiben hosts this women in cybersecurity podcast. Kathleen Smith of ClearedJobs.Net moderates the panel. Panelists include Michelle Killian from Sponsor Code 42, Sam Humphries of Exabeam, and Masha Sedova of Elevate Security.
Dec 05, 2021
Getting in and getting out with SnapMC. [Research Saturday]
1116
Guest Christo Butcher of NCC Group's Research and Intelligence Fusion Team discusses their research into a cybercriminal group they dubbed SnapMC. Forget ransomware, too expensive and too much hassle. Randomly enter through a known vulnerability, take a look around, lock away data and leave again. And all that within half an hour: hit & run. An email is then sent to the affected organization: pay or else the stolen data will be published and/or sold. This is the opportunistic approach of a new group of blackmailers who don't even bother to encrypt data. NCC Group has given them the name SnapMC: a combination of 'snap' (a sudden, sharp cracking sound or movement) and MC, from mc.exe, the primary tool they use to exfiltrate data. They have only seen SnapMC's attacks in the Netherlands for the time being. They do not target specific sectors and we have not (yet) been able to associate them with known attackers. The research can be found here: SnapMC: extortion without ransomware SnapMC skips ransomware, steals data
Dec 04, 2021
Espionage phishbait in South and Southwest Asia. A utility recovers from a cyber incident. GAO tells the US Congress cyber strategy is wanting. Investigations, Moscow and Missouri style.
1527
SideCopy, a Pakistani APT, is phishing for information in both India and Afghanistan. A Colorado electrical utility continues to recover from a cyber incident it sustained early last month. The GAO tells the US Congress that the nation still lacks a comprehensive cybersecurity strategy. The Missouri Highway Patrol continues, for some reason, to investigate a responsible disclosure as a criminal hack. Dinah Davis from Arctic Wolf on hackers targeting Minecraft. Our guest is Blake Darché from Area 1 Security with research on phishing. And it appears Moscow thinks a Group-IB leader outed Fancy Bear to the US.  For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/231
Dec 03, 2021
More APT activity. Brigading, Mass Reporting, and Coordinated Inauthentic Behavior. CISA names the CSAC members. Cybercriminals sentenced. A whistleblower with an ulterior motive?
1526
An APT is exploiting Internet-facing instances of ServiceDesk Plus. Meta releases its end-of-year Adversarial Threat Report, and adds “Brigading” and “Mass Reporting” to “Coordinated Inauthentic Behavior” as activities that will get accounts shut down. CISA names the first members of its Cybersecurity Advisory Committee. Sentencing, American and Russian style. Malek Ben Salem has a look at cyber resilience. Our guest is PJ Kirner from Illumio with a look ahead to 2022. And an alleged false whistleblower is under indictment, and under arrest. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/230
Dec 02, 2021
Trends among the APTs. Imaginary times and imaginary places. Flubot in Finland. Emotet false alarms in Office. Smishing for Iranian Android users. CISA’s ICS advisories. Moscow on cybercrime.
1731
RTF template injection is newly favored by APTs. Malware hides in February 31st. Milords and miladies, the Principality of Sealand hath been hacked. Finland's National Cyber Security Center warns of a large-scale Flubot campaign in progress. False alarms are flagging Emotet where it isn’t found. Iranians victimized by a smishing campaign. CISA issues industrial control system advisories. Kevin Magee from Microsoft is really trying to rid the world of passwords. Our guest is Mike Hendrickson of Skillsoft to discuss turning the tide in this fight against cybercrime. And Mr. Putin says Russia’s in favor of international cooperation against cybercrime. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/229
Dec 01, 2021
Cybercrime and the criminal-to-criminal markets that support it during the holiday shopping season. Shaming as a pressure tactic. Living large, even when living on the lam.
1545
Today, it’s all crime all the time. Cybercrime, the C2C underground market, and the expansive holiday shopping season. Rebranding in gangland. How crooks exclude targets on the basis of language or geolocation. Shaming as a criminal pressure tactic. Bad apps in the Play Store. Andrea Little Limbago looks at internet blackouts. Carole Theriault wonders what the Metaverse really means. And living large while living on the lam. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/228
Nov 30, 2021
Reply-chain attacks. Intelligence services go phishing. Civilian targets hit in Israeli-Iranian cyber conflict. The Entity List expands. Russo-Ukrainian tensions rise.
1300
A reply-chain incident is reported at a major international furniture and housewares retailer. North Korean operators are phishing for South Korean marks using bogus Samsung recruiting emails as phishbait. Fancy Bear has been seen pawing at Gmail. A regional escalation to civilian targets in the cyber conflict between Iran and Israel. More organizations are added to the US Entity List. Johannes Ullrich looks at decrypting Cobalt Strike. Our own Rick Howard wonders if executive really need to know how to drive that tank. And tension between Russia and Ukraine continues to rise. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/227
Nov 29, 2021
Anisha Patel: Right along with them. [Program management] [Career Notes]
495
Associate Director at Raytheon Intelligence and Space in the Cyber Protection Services Division Anisha Patel always loved math and it defined her career journey. As a first-generation American from an Asian household, Anisha said she was destined for a STEM-focused career and chose electrical engineering. She began her career and remains at Raytheon (formerly E-Systems) working in several areas of the business thanks to her skills and informal mentors. Starting a rotational assignment in program management (7 years ago), Anisha said she "went to the dark side and then the hole closed and there I ended up." Anisha talks about the need to bring diversity of thought into the industry and adds to her team with this in mind. We thank Anisha for sharing her story with us.
Nov 28, 2021
CyberWire Pro Research Briefing from 11/23/2021
498
Enjoy a peek into CyberWire Pro's Research Briefing as the team is off recovering from our Thanksgiving feasts. This is the spoken edition of our weekly Research Briefing, focused on threats, vulnerabilities, and consequences, as they’re played out in cyberspace. This week's headlines: Iranian threat actors target the IT supply chain. North Korean cyberespionage. More information on Emotet's return. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Nov 27, 2021
CyberWire Pro Interview Selects: Carolyn Crandall of Attivo Networks.
541
Our team decided to extend our Thanksgiving holiday and thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview October 27th, 2021 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect AD. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Nov 26, 2021
Misdirection and layering with a con in the middle. [Hacking Humans Goes to the Movies]
1065
Thanks for joining us for our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies. Links to this episode's clips if you'd like to watch along: Joe's clip from "The Simpsons: Father and Son Grifting" episode Rick's pick from "Paper Moon"
Nov 25, 2021
Phishing in the Iranian diaspora. Not your grandma and grandpa’s crytper. Malware-as-a-service. Proofs-of-concept (one is a zero-day). Apple sues NSO Group.  
1739
An apparent cyberespionage campaign targets the Iranian diaspora. Babadeda is an emerging crypter seeing use against alt-coin and NFt speculators. RATDispenser is out in the wild, a malware-as-a-service operation. Proofs-of-concept published for Microsoft exploits. Apple sues NSO Group. Group-IB’s founder asks President Putin for clemency. Caleb Barlow on the difference between working for a company that is funded by VCs, PEs, angels or is public. Our guest today is Karl Sigler from Trustwave on the results of the 2021 Trustwave SpiderLabs Telemetry Report. And there’s a guilty plea in the Wolf of Sophia case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/226
Nov 24, 2021
Tardigrade malware infests the US biomanufacturing sector. GoDaddy suffers a significant data breach. Facebook Papers to be reviewed and released. NSO Group’s troubles.
1773
Tardigrade malware infests the US biomanufacturing sector. GoDaddy suffers a significant data breach. A Gizmodo-led consortium will review and release the Facebook Papers. Ben Yelin on our privacy rights during emergency situations. Our guest is Ric Longenecker of Open Systems to discuss how ransomware attacks represent the number one threat for universities. And NSO Group may not recover from current controversy over its Pegasus intercept tool. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/225
Nov 23, 2021
Stealing from the best? An enigma in the criminal-to-criminal market. CISA’s holiday caution. Someone’s impersonating the SEC. Three weekend cyberattacks.
1308
The Lazarus Group seems interested in learning from, by which they mean stealing from, some of the world’s leading state-sponsored cyber operators. Void Balaur remains an enigma, but it’s not the only player in the C2C market. CISA and the FBI warn all, but especially critical infrastructure operators, to remain alert during the holidays. Some scammers are impersonating the US SEC. Dinah Davis from Arctic Wolf on what security gifts to get your family this year. Our guest today is Carole Theriault on online gaming during the pandemic. And cyberattacks are reported on an airline, a utility, and a manufacturer of wind turbines. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/224
Nov 22, 2021
MK Palmore: Lead from where you stand. [CISO] [Career Notes]
520
Director of Google Cloud's Office of the CISO, MK Palmore, dedicated much of his life to public service and now brings his experience working for the greater good to the private sector. A graduate of the US Naval Academy, including the Naval Academy Prep School that he calls the most impactful educational experience of his life, MK commissioned into the US Marine Corps following his service academy time. He joined the FBI and that is where he came into the cybersecurity realm. MK is passionate about getting more diversity, equity and inclusion into industry. We thank MK for sharing his story with us.
Nov 21, 2021
How ransomware impacts organizations. [CyberWire-X]
1820
As ransomware attacks rapidly rise in frequency, eye-popping ransom demands grab headlines, and consumers experience product shortages and difficulty accessing services as the organizations they do business with are knocked offline. However, little is reported about the impact of a ransomware attack inside an organization. However, little is reported about the impact of a ransomware attack inside an organization.  In this show, we cover what steps organizations are taking now to prepare for a ransomware attack and what happens to an organization on that especially bad day when ransomware comes calling. The CyberWire's Rick Howard speaks with Hash Table member Don Welch, Vice president for Information Technology and Global Chief Information Officer at New York University, and show sponsor Keeper Security's CEO & Co-Founder Darren Guccione joins The CyberWire's Dave Bittner on this CyberWire-X as they share their expertise on the topic.
Nov 21, 2021
Using bidirectionality override characters to obscure code. [Research Saturday]
1585
Guests Nicholas Boucher and Ross Anderson from the University of Cambridge join Dave Bittner to discuss their research, "Trojan Source: Invisible Vulnerabilities." The researchers present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. ‘Trojan Source’ attacks, as they call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. They present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. They propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack. The project website and research can be found here: Trojan Source: Invisible Source Code Vulnerabilities project website Trojan Source: Invisible Vulnerabilities research paper
Nov 20, 2021
Software supply chain threats. Recent Iranian cyber operations. Banking disclosure rules. ICS updates. UK, US announce closer cooperation in cyberops. A real, literal, evil maid?
1543
Software supply chain incidents: FatPipe, PyPi, and IT services generally. A look at recent Iranian operations. The US Federal Reserve publishes its disclosure rules for banks sustaining cyber incidents. CISA issues a set of ICS advisories. Two of the Five Eyes announce plans for continued, even closer cooperation in cyberspace. Johannes Ullrich on attackers abusing "PAM" (Plug Authentication Modules). Our guest is Hatem Naguib, CEO at Barracuda Networks. And a real evil maid seems to have been out and about in Tel Aviv. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/223
Nov 19, 2021
Developments in cyber gangland, and the increasingly complicated entanglement of crooks and spies. Selling confiscated alt-coin to compensate fraud victims.
1487
Red Curl is a Russophone gang with an unusual target list. North Korea’s TA406 is having a busy year, hacking for intelligence and for profit. Wicked Panda’s getting good at code-signing, and software supply chain attacks are in Beijing’s long-term plans. A spearphishing campaign abuses legitimate collaboration tools. Kevin Magee from Microsoft has an insider’s look at Windows 11 security. Our guest is Kevin Bocek of Venafi to discuss Security Software Build Environments. And selling confiscated cryptocurrency to compensate victims of scams. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/222
Nov 18, 2021
CISA and its partners warn of Iranian cyber ops. Cyberespionage in the Middle East with Candiru tools. Belarus connected to Ghostwriter. Facebook boots SideCopy. RAMP recruits members.
1410
CISA, the FBI, the ACSC, and the NCSC issue a joint advisory warning of an Iranian cyber campaign exploiting known vulnerabilities in Fortinet and Microsoft Exchange. A Belarusian connection to Ghostwriter. Candiru tools reported in watering holes. SideCopy’s interest in Afghanistan. RAMP shows an interest in attracting Chinese operators. Josh Ray from Accenture Security digs into the CONTI playbook leak. Our guest is Matt Keeley from Bishop Fox on fuzzing. And Pompompurin wants to sell you leaked Robinhood data. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/221
Nov 17, 2021
Threats and vulnerabilities, old and new, include Emotet and Mirai. CISA advises of DDS vulnerabilities. Arrest in a revenge porn case.
1760
Older threats, including Emotet and Mirai, are out and about, and an old vulnerability, Rowhammer, gets a fresh proof-of-concept. A new banking Trojan threatens Europe. Intel works on vulnerabilities. CISA advises awareness of recently reported DDS vulnerabilities. Joe Carrigan explains how spearphishers are using customer complaints as bait. Rick Howard epaks with Carlos Vega from Devo on Supply Chain issues. And an arrest is made in a Maryland revenge porn case.  For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/220
Nov 16, 2021
Official online channels hijacked in separate US, Philippine incidents. Update on MosesStaff, a ransomware group interested in politics, not profit. Costco breach. Ryuk money-laundering case.
1338
Exploitation of a configuration error in the FBI’s Law Enforcement Enterprise Portal enables hackers to send bogus warning emails. Philippine Office of Civil Defense Twitter account briefly hijacked. Update on Iranian politically motivated threat group MosesStaff. Discount retailer Costco discloses a point-of-sale skimmer incident. Dinah Davis from Arctic Wolf track zero days. Rick the Toolman Howard drops by the studio. And the US seeks extradition of a Russian alt-coin baron on charges of laundering Ryuk’s money.  For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/219
Nov 15, 2021
Swati Shekhar: Challenges increase your risk appetite. [Engineering] [Career Notes]
634
Ground Labs' Head of Engineering, Swati Shekhar, shares her circuitous route from and back to engineering. Always being interested in leveraging the tools available to solve problems, Swati talks about how she found her place in engineering. She mentions how she had her first real experience with a computer when she was 17 in her first year at college. Aside from being one of 30 young women in a sea of 500 young men there, Swati described it as a "good culture shock because anything that takes you out of your comfort zone actually makes you learn and grow." She notes that challenges experienced in life increase your risk appetite so significantly. Swati advises those looking to make a job change to be certain of what is attracting them and to be yourself. We thank Swati for sharing her story with us.
Nov 14, 2021
The real costs of ransomware in 2021, 2022, and beyond. [CyberWire-X]
1747
Ransomware: the problem that everyone is talking about, yet somehow continues to get worse with each passing year. In 2021, the cost of ransomware to global businesses is estimated to reach a whopping $20B. The problem has reached such a critical mass that it can no longer be cast away as some unknowable IT problem–everyone from cyber insurance providers to the federal government have taken note. The CyberWire's Rick Howard speaks with Hash Table member Kevin Ford of Environmental Systems Research Institute (ESRI), and ExtraHop's VP, GM of International and Global Security Programs, Mike Campfield, joins The CyberWire's Dave Bittner on this CyberWire-X for a retrospective on ransomware in 2021. Mike shares his predictions on how it will evolve in 2022 and beyond, and what controls enterprises can put into place to build their resilience to the growing threat.
Nov 14, 2021
A glimpse into TeamTNT. [Research Saturday]
981
Senior Intelligence Researcher at Anomali, Tara Gould, joins Dave to discuss their team's work on "Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server." Anomali Threat Research discovered an open server to a directory listing that they attribute with high confidence to the German-speaking threat group, TeamTNT.The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also hosted on the server. This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools. The research can be found here: Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server
Nov 13, 2021
Tension in Eastern Europe. A Hong Kong watering hole. US, EU join the Paris Call. Cybermercenaries. CISA’s plans for countering disinformation, and for forming a white-hat hacker advisory group.
1578
Notes on rising international tension in Eastern Europe. A watering-hole campaign in Hong Kong. The US and the EU have joined the Paris Call. NSO Group’s prospective CEO resigns his position before formally assuming it. Void Balaur, a cybermercenary group, is active in the Russophone cyber underground. Johannes Ullrich on leaked vaccination cards and Covid tests. Our guest is Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect Active Directory. CISA intends to increase its capacity to work against misinformation and disinformation. CISA also intends to recruit white hat hackers to an advisory board. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/218
Nov 12, 2021
Let's go to the movies. [Hacking Humans Goes to the Movies]
1511
Welcome to a fun new project by the team who brings you Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series. They view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this first episode, Dave, Joe and Rick are watching Dave's and Joe's picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies. Links to movie clips if you'd like to watch along: Dave's pick from "The Grifters" Joe's clip from "Matchstick Men"
Nov 11, 2021
Cyberespionage from Tehran. Clopp ransomware operators exploit vulnerable SolarWinds instances. Mercenaries and lawful intercept vendors. Patch Tuesday.
1426
Tehran’s Lyceum group expands its activities against ISPs and telcos in Israel, Morocco, Tunisia, and Saudi Arabia. Clopp is going after unpatched instances of SolarWinds. Cyber mercenaries are quietly competing with lawful intercept vendors. NSO Group receives a setback from the US 9th Circuit. Mexico makes an arrest in its Pegasus investigation. Carole Theriault shares her thoughts on the supply chain. Josh Ray from Accenture Security on Moving Left of the Ransomware Boom. And notes on Patch Tuesday.  For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/217
Nov 10, 2021
Ransomware hits an electronics retailer and a new-school financial services company. Updates on international action against REvil.
1522
Hive ransomware hits electronics retailer Media Markt. Robinhood Markets sustains a data breach it traces to social engineering. Ben Yelin looks at the law behind U.S. police demanding your phone passcode. Dave checks in with Rick Howard for his thoughts on the Trojan Source vulnerability. And more notes on the international action against REvil, including the US application of sanctions (with Baltic cooperation) to three companies involved in supporting the gang’s financial infrastructure. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/216
Nov 09, 2021
REvil operators arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaign.
1487
REvil operators arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaign. Conti (sort of) apologizes. Caleb Barlow thinks it’s time to re-think your security documentation. Our guest is Jessica Hetrick of Optiv Security on cyber fraud running rampant. And the FBI warns of ransomware attacks targeting casinos. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/215
Nov 08, 2021
Jamil Jaffer: You should run towards risk. [Strategy] [Career Notes]
451
Senior Vice President for Strategy, Partnerships, and Corporate Development at IronNet Cybersecurity, Jamil Jaffer, shares how his interest in technology brought him full circle. Always a tech guy, Jamil paid he way through college doing computer support. Jamil went to law school and worked in various jobs in Washington DC including a stint in the newly-created National Security division of the Justice Department just after 9/11. When talking about adversity, Jamil notes, "Adversity has happened in life, but you gotta run at those things. To me, you know, I like risk. I think risk is something that a lot of people shy away from." We thank Jamil for sharing his story with us.
Nov 07, 2021
An incident response reveals itself as GhostShell tool, ShellClient. [Research Saturday]
1199
Guest Mor Levi, Vice President of Cyber Practices from Cybereason, joins Dave Bittner to discuss her team's work on "Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms." In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe.  The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. To learn more, listen to the episode. The research can be found here: Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms
Nov 06, 2021
$10 million reward for DarkSide info. BlackMatter members expected to resurface. Ukraine outlines Russia’s FSB cyber ops. Persistent engagement as deterrence. Arrest in Crossfire Hurricane inquiry.
1560
The US offers a reward of up to ten million dollars for information leading to the identification or location of the leaders of the DarkSide ransomware gang. Researchers expect BlackMatter’s nominally retired operators to resurface in other criminal organizations. Ukraine outlines Russian FSB cyber operations during the hybrid war that’s been waged since 2014. Deterrence in cyberspace. Carole Theriault takes on high value targets. Our guest is Bill Mann of Styra on rising compliance regulations and security drift. An arrest is made in Special Counsel Durham’s investigation. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/214
Nov 05, 2021
Britain’s Labour Party sustains a “data incident.” CERT-FR describes a new affiliate gang, Lockean. US, Russian intelligence chiefs discuss cybersecurity. Gas is flowing in Iran again. Start-ups honored.
1558
Britain’s Labour Party is affected by a ransomware incident a third-party provider sustained. ANSSI identifies a new ransomware affiliate gang, “Lockean.” Notes on how and why BlackMatter and REvil went on the lam. Russo-American talks discussed cybercrime and cybersecurity. Iran’s gas stations are fully back in business, following the cyber sabotage they sustained. Kevin Magee from Microsoft has highlights from their 2021 Digital Defence Report. Our guest is Ofer Ben Noon of Talon Cyber Security addressing browser vulnerabilities. And DataTribe has announced the winners of its fourth annual Cybersecurity Start-up Challenge. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/213
Nov 04, 2021
Ransomware gangs talk about retiring, and about deception. High-level Russo-American talks. US sanctions four spyware vendors. CISA tells US agencies to patch known, exploited vulnerbalities.
1395
The BlackMatter ransomware gang says that it’s retiring under pressure from the authorities. The spokesman for the Groove group says his gang doesn’t exist--he was just playing the media. Quiet, high-level talks held between senior US and Russian officials. The US Commerce Department sanctions four spyware vendors. Carole Theriault wonders if you can train yourself free of social engineering. Josh Ray from Accenture Security with insights from their Cyber Investigations and Forensic Response team. CISA tells Federal agencies to get patching. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/212
Nov 03, 2021
Trojan Source--a threat to the software supply chain. Ransomware goes to influence operations school. Triple extortion? Criminal target selection.
1676
Researchers describe Trojan Source, a hard-to-detect threat to the software supply chain. A ransomware gang takes a page from the information operator’s book. From double extortion to triple extortion, as other ransomware gangs add distributed denial-of-service to encryption and doxing. Criminals are now hacking on material, non-public information, the FBI warns. Joe Carrigan looks at multifactor adoption at Twitter. Our guest is Steve Ragan from Akamai on API security. And criminals hit healthcare providers in Newfoundland. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/211
Nov 02, 2021
Iranian officials blame the US and Israel for gas station cyber sabotage. A new direction for NSO? Cyber extortion, Minecraft phishing, and sugar daddies looking for sugar babies (sez they).
1395
Iran hasn’t finished investigating its gas station cyber sabotage, but Tehran is pretty sure the Great and Lesser Satans are behind it. NSO Group says it’s going in a new, nicer direction. The Conti gang hits a luxury jewelry dealer, and another, unknown group hits an upscale art dealership. The Chaos gang is after Minecraft players (players who cheat). Caleb Barlow on pre-breach pre-approvals. Rick Howard introduces sand tables in cyber space. And sugar daddies come to the world of advance fee scams. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/210
Nov 01, 2021
Jadee Hanson: Cybersecurity is a team effort. [CISO] [Career Notes]
579
Jadee Hanson, CIO and CISO at Code 42, started her technology journey thanks to the help of a teacher in high school. She began college studying computer science and ended with a degree in computer information systems as it had more of the business side. Working in the private sector for companies such as Deloitte, Target and Code 42, Jadee gained experience and specialized in insider risk. She notes "utopia for me and my team is to get to a spot where the team is just firing on all cylinders and being really proactive about what's coming and what's changing." Jadee mentions she tries hard to do things that might scare her every day. For those interested in the field, especially young women, Jadee recommends they get involved and then stay curious. We thank Jadee for sharing her story with us.  
Oct 31, 2021
Malware sometimes changes its behavior. [Research Saturday]
1668
Dr. Tudor Dumitras from University of Maryland and joins Dave Bittner to share a research study conducted in collaboration with industry partners from Facebook, NortonLifeLock Research Group and EURECOM. The project is called: "When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World." In the study, the team analyzed how malware samples change their behavior when executed on different hosts or at different times. Such “split personalities” may confound the current techniques for malware analysis and detection. Malware execution traces are typically collected by executing the samples in a controlled environment (a “sandbox”), and the techniques created and tested using such traces do not account for the broad range of behaviors observed in the wild. In the paper, the team shows how behavior variability can make those techniques appear more effective than they really are, and they make some recommendations for dealing with the variability. The research and executive summary can be found here: When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World Analysing malware variability in the real world
Oct 30, 2021
Iranian-Israeli cyber tensions rise. Decaf ransomware described. Philippine government phshbait. Unemployment due to cyberattack. Europol’s latest collars. Facebook rebrands as “Meta.”
1678
Tensions between Iran and Israel rise as sources in Tehran blame Israel for hacking gas stations, and as apparent Iranian hacktivists dox Israeli defense personnel. A new ransomware strain is discovered. A criminal group is spoofing emails from Philippine agencies. Europol and partners sweep up a cyber gang. Betsy Carmelite from BAH on convergence of 5G and healthcare. Our guest is Justin Wray from CoreBTS with a look at the security issues facing online gaming and casinos. And the company formerly known as Facebook rebrands as “Meta.” For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/209
Oct 29, 2021
The Malware Mash!
185
Oct 29, 2021
Hacktivists or intelligence services in Iran? BOLO NIkolay K. Renouncing Conti, and all its empty promises. SEO poisoning. US cyber strategic intent.
1578
Iran continues its recovery from a cyberattack that disrupted subsidized fuel distribution. Wanted in Stuttgart (but living it up in Russia): ransomware kingpin Nikolay K. The Conti ransomware gang gets poor customer service notices. Food distribution is on the cybercriminals’ target lists. SolarMarker’s use of SEO poisoning. The US publishes a statement of strategic intent for its cybersecurity czar’s office. David Dufour from Webroot wonders if there’s any hope at slowing down malware. Our own Brandon Karpf describes the DoD’s Skillbridge program. And decryptors are made available for three ransomware strains. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/208
Oct 28, 2021
Coups and comms blackouts. Fuel sale sabotage in Iran. Wslink described. Operation Dark HunTor takes down a contraband market. FTC looks into Facebook. LockBit speaks.
1549
Sudan is under a blackout as a military junta consolidates control over the government. Iran says a cyberattack--unattributed so far--was responsible for disrupting fuel distribution in that country. A novel loader is discovered. Operation Dark HunTor takes down a darkweb contraband market. The US FTC is looking into Facebook’s privacy settlement. The LockBit gang talks, and it’s insufferable. Andrea Little Limbago from Interos on government internet interventions. Carole Theriault weighs in on Facebook glasses. And Halloween is another day closer. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/207
Oct 27, 2021
Ransomware and privateering, counteroffense and deterrence. The US State Department will reestablish its cyber office. And looking forward to Halloween.
1657
Notes on ransomware and privateering: Conti’s barking at its victims, someone’s exploiting billing software, and BlackMatter repeated some coding errors its DarkSide predecessor committed. GCHQ suggests that the UK will undertake a more assertive imposition of costs on cyber gangs. The US State Department will reestablish its cyber bureau. Software supply chain cyberespionage, and what can be done about it. Ben Yelin on school laptop privacy concerns. Our guest is David White of Axio to discuss Ransomware Preparedness. And some more scare-notes for Halloween. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/206
Oct 26, 2021
SolarMarket malware carried in some WordPress sites. Russian privateers don’t much like REvil’s takedown. The SVR in the supply chain. Malicious Squid Games app. Scary social media.
1425
SolarMarket infestations are up, and circulating through WordPress sites. More indications that REvil was taken down by a US-led but thoroughly international public-private partnership, and the other Russian privateers have their noses seriously out of joint. Russia’s SVR is getting busy in software supply chains. Criminals take advantage of the popularity of Squid Games. Dinah Davis from Arctic Wolf on how even hackers have internal politics. Rick Howard checks in with the Hash Table on compliance. And Halloween is coming: do you know what your apps are up to? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/205
Oct 25, 2021
Mark Nunnikhoven: Providing clarity about security. [Cloud strategy] [Career Notes]
503
Distinguished Cloud Strategist at Lacework, Mark Nunnikhoven, has gone from taking technology to its limits for his own understanding to providing clarity about security for others. Mark fell in love with his Commodore 128 and once he realized he could bend the machine to his will, it set him on the path to technology. While he had some bumps in the road, dropping out of high school and not following the traditional path in college, Mark did complete his masters in information security. His professional life took him from Canadian public service to the private sector where Mark noted the culture shift was an eye-opening experience. Mark always looks to learn something new and share that with others and that is evidenced as his includes teaching as a facet of his career. We thank Mark for sharing his story with us.
Oct 24, 2021
When big ransomware goes away, where should affiliates go? [Research Saturday]
1258
Our guest Doel Santos, Threat Research Analyst at Palo Alto Networks, joins Dave Bittner to talk about Unit 42's work on "Ransomware Groups to Watch: Emerging Threats." As part of Unit 42’s commitment to stop ransomware attacks, they monitor the activity of existing groups, search for dark web leak sites and fresh onion sites, identify up-and-coming players and study tactics, techniques and procedures. During their operations, Unit 42 observed four emerging ransomware groups that are currently affecting organizations and show signs of having the potential to become more prevalent in the future. Doel discusses these (AvosLocker, Hive Ransomware, HelloKitty, and LockBit 2.0) with Dave. The research can be found here: Ransomware Groups to Watch: Emerging Threats
Oct 23, 2021
Counting coup against REvil (and other gangs are taking note). Export controls and dual use. A timing bug will surface this weekend.
1666
REvil’s troubles appear to be the work of an international law enforcement operation. Other gangs have noticed, and they’re looking a little spooked, even as they evolve their tactics in a maturing criminal-to-criminal market. Questions are raised about the efficacy of surveillance tool export controls. Caleb Barlow has cyber security considerations for CEOs and boards. Our guest is Mickey Boodeai of Transmit Security on the movement to do away with passwords. And if you liked Y2K, you’re going to love ten-twenty-four.  For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/203
Oct 22, 2021
Evil Corp identified as the threat actor behind ransomware attacks on Sinclair and Olympus. Privateering. Fin7’s front company. Sentencing in a bulletproof hosting case.
1659
Evil Corp is identified as the operator behind the ransomware that hit the Sinclair Broadcast Group and Olympus. The US Defense Department complains of Russian toleration for ransomware gangs. The Fin7 gang has set up a front company to recruit talent. Betsy Carmelite from Booz Allen Hamilton on building mission-driven 5G security with zero trust. Our guest is Robert Carolina on ethics. And sentences are handed down in a bulletproof hosting case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/203
Oct 21, 2021
Cyberespionage campaign looks a lot like SIGINT collection. Magnitude gets more capable. VPN exploits solicited. Ransomware trends. Seven years for UPMC hacker. Plenty of Candy Corn coming.
1472
The LightBasin “activity cluster” has been active indeed against telecom infrastructure in what looks like an espionage campaign. The Magnitude exploit kit adds capabilities for hitting Chromium browsers. An exploit broker is interested in cloud-based VPNs. Victims continue to pay in ransomware attacks. A hacker gets seven years for conspiracy to defraud and identity theft. David Dufour from Webroot looks at the coming threat landscape. Our guest is Paul Shread from eSecurity Planet on backup tools for ransomware. And a Candy Corn shortage is averted. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/202
Oct 20, 2021
TA505’s recent activity. Advice on defending organizations from BlackMatter. CISA RFI seeks EDR information. REvil’s halting attempts to return. Sinclair’s incident response.
1326
A look at TA505, familiar yet adaptable. A US joint cybersecurity advisory outlines the BlackMatter threat to critical infrastructure. CISA asks industry for technical information on endpoint detection and response capabilities. Is REvil trying to run on reputation? The Sinclair Broadcasting ransomware incident seems to provide a case study in rapid disclosure. Carole Theriault considers the fight for online anonymity. Joe Carrigan shares steps to protect the C-Suite. And there’s a decryptor out for BlackByte. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/201
Oct 19, 2021
A US broadcaster sustains a ransomware attack. North Korean catphis expelled from Twitter. REvil’s Tor sites are hijacked. Hacking back. Prosecution and responsible disclosure?
1440
The Sinclair Broadcast Group discloses that it sustained a ransomware attack over the weekend. Twitter kicks out two North Korean catphish deployed in a cyberespionage campaign. REvil goes offline, again, perhaps this time for good. Hacking back, at least insofar as you let the hoods know you can see them. Rick Howard previews the newest season of CSO Perspectives. Johannes Ullrich from SANS on Expired Domain Dumpster Diving. And an update on the Missouri disclosure and proposed hacking prosecution. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/200
Oct 18, 2021
Ell Marquez: It's okay to be new. [Linux] [Career Notes]
562
Linux and Security Advocate at Intezer Ell Marquez shares her journey from the family ranch to security. Needing a life change due to a bunch of circumstances that had occurred that left her almost homeless, Ell found out about a six week Linux boot camp that took her down the path toward technology. She fell in love security at at BSides Conference and hasn't looked back. Ell says she recently started a campaign called "it's okay to be new" noting that no matter how long you've been in the industry, you need to be new because technology changes so quickly. She concludes by offering one final piece of advice to everybody is just "be unapologetically yourself." We thank Ell for sharing her story with us.
Oct 17, 2021
Groove Gang making a name for themselves. [Research Saturday]
1323
Guest Michael DeBolt, Chief Intelligence Officer from Intel471, joins Dave Bittner to discuss their work on "How Groove Gang is shaking up the Ransomware-as-a-Service market to empower affiliates." McAfee Enterprise ATR believes, with high confidence, that the Groove gang is associated with the Babuk gang, either as a former affiliate or subgroup. These cybercriminals are happy to put aside previous Ransomware-as-a-Service hierarchies to focus on the ill-gotten gains to be made from controlling victim’s networks, rather than the previous approach which prioritized control of the ransomware itself. The research can be found here: How Groove Gang is shaking up the Ransomware-as-a-Service market to empower affiliates
Oct 16, 2021
CISA and its partners warn of threats to water and wastewater treatment facilities. The curious case of Missouri teachers’ Social Security Numbers.
1387
A CISA-issued Joint Advisory warns of threats and vulnerabilities at water and wastewater treatment facilities. CISA issues twenty-two other industrial control system advisories. Andrea Little Limbago from Interos on trends in the human element of security. Our guest is Gidi Cohen from Skybox with Vulnerability and Threat Trends. And the Governor of Missouri intends to prosecute the Saint Louis Post-Dispatch to the fullest extent of whatever the law turns out to be. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/199
Oct 15, 2021
Notes from the underground: data breach extortion and a criminal market shuts down. International cooperation against ransomware. Cyber risk and higher education.
1537
Data breach extortion seems to be an emerging criminal trend. Notes on a darknet market’s retirement. Verizon advises Visible users to look to their credentials. Windows users’ attention is drawn to seven potentially serious vulnerabilities (all patchable). The Necro botnet is installing Monero cryptojackers. Organizing an international response to ransomware. Carole Theriault shares thoughts on social engineering. Dinah Davis from Arctic Wolf on the supply chain attack framework. And a quick look at the state of cyber risk in higher education. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/198
Oct 14, 2021
Cyber Espionage, again. Patched SolarWinds yet? Patch Tuesday. The international conference on ransomware has begun. Booter customers get a warning. A disgruntled insider alters aircraft records.
1779
A Chinese-speaking APT is distributing the MysterySnail RAT in what appears to be a cyberespionage campaign. Some users still haven’t patched vulnerable SolarWinds instances. Notes on yesterday’s Patch Tuesday. The US-convened international ransomware conference kicked off today, and Russia wasn’t invited. Former users of a criminal booter service get a stern warning letter from the Dutch police. Caleb Barlow reacts to a recent ransomware tragedy. Our guest is Rob Gurzeev of CyCognito on the security issues with subsidiaries. And a Florida woman is charged with altering aircraft records. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/197
Oct 13, 2021
Espionage by password spraying, and espionage via peanut butter sandwich. Ransomware and DDoS warnings. Two journalists get the Nobel Peace Prize
1799
Teheran is running password spraying attacks (especially on Thursdays and Sundays). More on the renewed popularity of DDoS attacks. NCSC warns British businesses against ransomware. Two journalists win the Nobel Peace Prize. Joe Carrigan shares his thoughts on GriftHorse. Our guest is Bindu Sundaresan from AT&T Cybersecurity football season and cyber risks. And watch out for small data cards in your peanut butter sandwiches, kids. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/196
Oct 12, 2021
Extra: Let's talk about Facebook's research. [Caveat]
2645
Our guest is author and journalist Steven Levy. He’s editor-at-large at Wired and his most recent book is "Facebook: The Inside Story. Steven offers his insights on Facebook’s internal research teams, Ben shares a newly-decided court case on whether Big Tech companies can be sued under the Anti-Terrorism statute, and Dave's got the story of some warrantless surveillance being declared unconstitutional in Colorado.  While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.  Links to stories: Federal appeals court clears social media companies in Pulse shooting lawsuit Colorado Supreme Court Rules Three Months of Warrantless Video Surveillance Violates the Constitution Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you. 
Oct 11, 2021
Brandon Karpf: A sailor of the 21st century. [Transitioning service member] [Career Notes]
657
Lieutenant in the US Navy and Skillbridge Fellow at the CyberWire, Brandon Karpf, knew he wanted to join the military at a young age. He achieved that through the US Naval Academy where he was a member of the men's heavyweight rowing team. Commissioning into the cryptologic field as a naval cryptologic warfare officer, Brandon was sent to MIT for a graduate degree where he experienced the exact opposite end of the spectrum from USNA's structured life. Brandon's work with both NSA and US Cyber Command helped him gain experience and cyber operations skills. As he is transitions from active duty to civilian life, Brandon shares the difficulties that process brings about. Through Skillbridge Fellowship program, Brandon's transition has him sharing his skills with the CyberWire. We thank Brandon for sharing his skills and his story with us.
Oct 10, 2021
Taking a closer look at UNC1151. [Research Saturday]
1091
Matt Stafford, Senior Threat Intelligence Researcher, from Prevailion joins Dave to talk about their work on "Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond." Prevailion’s Adversarial Counterintelligence Team (PACT) used advanced infrastructure hunting techniques and Prevailion’s visibility into threat actor infrastructure creation to uncover previously unknown domains associated with UNC1151 and the “Ghostwriter” influence campaign. UNC1151 is likely a state-backed threat actor waging an ongoing and far-reaching influence campaign that has targeted numerous countries across Europe. Their operations typically display messaging in general alignment with the security interests of the Russian Federation; their hallmarks include anti-NATO messaging, intimate knowledge of regional culture and politics, and strategic influence operations (such as hack-and-leak operations used in conjunction with fabricated messaging and/or forged documents). PACT assesses with varying degrees of confidence that there are 81 additional, unreported domains clustered with the activity that FireEye and ThreatConnect detailed in their respective reports. PACT also assesses with High Confidence that UNC1151 has targeted additional European entities outside of the Baltics, Poland, Ukraine and Germany, for which no previous public reporting exists. The research can be found here: Diving Deep into UNC1151’s Infrastructure: Ghostwriter and beyond
Oct 09, 2021
Fancy Bear’s snuffling at Gmail credentials. FIN12’s threat to healthcare, and BlackMatter’s threat to agriculture. REvil tries to reestablish itself in the underworld. Twitch update. Sachkov is charged.
1503
Google warns fourteen-thousand Gmail users that Fancy Bear has probably been after their passwords. FIN12, a fast-running ransomware group, is after hospitals’ and healthcare providers’ money. BlackMatter remains active against the agriculture sector. REvil is back and talking on the RAMP forum, but so far it’s getting a chilly reception. Twitch traces its vulnerability to a server misconfiguration. David Dufour from webroot wonders about cracking down on crypto. Our guest is Jeff Dileo of NCC on mastering container security. And Group-IB’s CEO is charged with treason. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/195
Oct 08, 2021
Espionage, mostly cyber but also physical. DDoS in the Philippines. TSA regulations for rail and airline cybersecurity are coming. US DoJ promises civil action for cyber failures. Twitch update. And NFTs.
1571
Cyberespionage seems undeterred by stern warnings. DDoS hits the Philippine Senate. The US Department of Homeland Security intends to issue cybersecurity regulations for passenger rail and airlines. The US Department of Justice intends to use the False Claims Act to bring civil actions against government contractors who fail to follow “recognized cybersecurity standards.” An update on the Twitch breach. Josh Ray from Accenture looks at what’s going on with Fancy Lazarus. Our guest is Sam Ingalls from eSecurity Planet on the state of Blockchain applications in cybersecurity. And what would it take to get you kids into a nice non-fungible token? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/194
Oct 07, 2021
Twitch is breached. MalKamak: a newly described Iranian threat actor. Chinese cyberespionage against India. SafeMoon phishbait. The ransomware threat. What counts as compromise.
1871
Twitch is breached. A newly discovered Iranian threat group is described. A Chinese cyberespionage campaign in India proceeds by phishing. SafeMoon alt-coin is trendy phishbait in criminal circles. As the US prepares to convene an anti-ransomware conference, Russian gangs show no signs of slacking off. Betsy Carmelite from BAH on AI/ ML in cyber defensive operations. Our guest is Adam Flatley of Redacted with recommendations from the Ransomware Task Force. And observations on what counts as compromising material. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/193
Oct 06, 2021
Facebook’s back up, and the outage was due to an error, not an attack. A look at AvosLocker and Atom Silo ransomware. The case of the Kyiv ransomware gangsters. Thoughts on the Pandora Papers.
1739
Facebook restores service after dealing with an accidental BGP configuration issue. There’s now a data auction site for AvosLocker ransomware. Atom Silo ransomware is quiet, patient, and stealthy. The state of investigation into those two guys collared on a ransomware beef in Kyiv last week. Ben Yelin is skeptical of data privacy poll results. Our guest is Microsoft’s Ann Johnson, host of the newest show to join the CyberWire network, Afternoon Cyber Tea. And what would they have thought of the Pandora Papers in Deadwood, back in the day? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/192
Oct 05, 2021
Privacy and the Pandora Papers. Flubot’s scare tactics. Exploiting an account recovery system. Conti warns victims not to talk to the press. An international meeting on cybercrime? A ransomware bust.
1565
The Pandora Papers leak erstwhile private financial transactions by the rich and well-connected (and it’s 150 mainstream news organizations who cooperated in bringing them to light). Flubot is using itself to scare victims into installing Flubot. Coinbase thieves exploited account recovery systems to obtain 2FA credentials. The US plans to convene an international conference on fighting cybercrime. Conti warns its victims not to talk to reporters. Andrea Little Limbago from Interos on modeling cyber risk. Carole Theriault has thoughts on facial recognition software. And a ransomware bust in Ukraine leads us to ask, why Capri Sun. (Think about it, kids.) For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/191
Oct 04, 2021
Pattie Dillon: Take the leap. [Anti-fraud] [Career Notes]
516
Product Manager in Anti-Fraud Solutions at SpyCloud, Pattie Dillon shares her journey from raising her family to specializing in the anti-fraud space. Upon reentering the workforce, Pattie worked on identity verification and developed a system with privacy concerns in mind. She moved to work in gift cards and was exposed to money laundering. Traveling along the fraud spectrum, Pattie learned about underground data and feels that this data can be leveraged to actually prevent and fight online fraud. Pattie believes if you don't try, you'll never know. We know we appreciate Pattie sharing her story with us.
Oct 03, 2021
Cloud configuration security: Breaking the endless cycle. [CyberWire-X]
1983
Moving to the cloud creates a tremendous opportunity to get security right and reduce the risk of data breach. But most cloud security initiatives get underway after services are deployed in the cloud. It’s frustrating when major breaches resulting from basic mistakes, like S3 buckets left unsecured or secrets exposed. Continually checking for risky configurations and unusual behavior in cloud logs is a requirement, but there is an opportunity to be proactive. What if you could configure your security and access controls as you set up cloud infrastructure? The CyberWire's Rick Howard speaks with Hash Table members Kevin Ford of North Dakota State government and Steve Winterfeld of Akamai, as well as sponsor Sysdig's Omer Azaria to discuss how security teams are adopting Infrastructure as Code (IaC) security as part of their overall cloud security strategy to reduce risk.
Oct 03, 2021
IoT security and the need for randomness. [Research Saturday]
2015
Dan Petro, Lead Researcher, and Allan Cecil, Security Consultant, from Bishop Fox join Dave to share their research "You're Doing IoT RNG," that they presented at DefCon 29. There’s a crack in the foundation of Internet of Things (IoT) security, one that affects 35 billion devices worldwide. Basically, every IoT device with a hardware random number generator (RNG) contains a serious vulnerability whereby it fails to properly generate random numbers, which undermines security for any upstream use. In order to perform most security-relevant operations, computers need to generate secrets via an RNG. These secrets then form the basis of cryptography, access controls, authentication, and more. The details of exactly how and why these secrets are generated varies for each use. The research can be found here: You're Doing IoT RNG
Oct 02, 2021
Phishing for those who fear Pegasus. ChamelGang APT active against multiple countries. Problems with a ransomware decryptor. Controversial proofs-of-concept. And a death blamed on ransomware.
1548
A malware campaign offers bogus protection against Pegasus surveillance. A new APT, ChamelGang, is found active against targets in at least ten countries. A ransomware gang can’t get its decryptor right. A proof-of-concept shows that charges can be made from a non-contact Visa card in an iPhone wallet. David Dufour from Webroot warns of potential perils in cyber insurance. Our guest is Shamla Naidoo from Netskope with advice for cyber innovators .And ransomware may be responsible for a child’s death in an Alabama hospital. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/190
Oct 01, 2021
GriftHorse’s premium service scams. Facebook open sources a static analysis tool. Update on the Group-IB affair. What the Familiar Four are up to. Counting ransomware strains.
1721
GriftHorse will subscribe afflicted Android users to premium services they never knew they’d signed up for (and wouldn’t want if they did). Facebook releases a static analysis tool it uses internally to check apps for security issues. Speculation about what put Group-IB’s CEO in hot water with the Kremlin. A look from NSA about where the major nation-state cyberthreats currently stand. Malek Ben Salem from Accenture has thoughts on quantum security. Our guest is author and Wired editor at large Steven Levy joins us with insights on Facebook’s internal research teams. And a short census of ransomware strains. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/189
Sep 30, 2021
DDoS is on an upward trend, and it’s being used for extortion. A payroll provider recovers from an unspecified cyberattack. Russia charges Group-IB CEO with treason. NSA, CISA, advise on using VPNs.
1348
Distributed denial-of-service attacks have been making a comeback, and many of them represent criminal extortion attempts. A major British payroll provider is recovering from a cyberattack, but it’s not providing much information on the nature of that attack. Russian authorities arrest the founder of Group-IB on treason charges. Johannes Ullrich from SANS on Out of Band Phishing Using SMS messages. Our UK correspondent Carole Theriault wonders how online trolling is still a thing. And NSA and CISA release guidelines on secure use of virtual private networks. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/188
Sep 29, 2021
Homecomings, happy and not so happy. A backdoor for espionage, a Trojan for cybercrime. DDoS techniques, those iPhone zero-days, and indictments. And one guilty plea.
1576
The triumphant homecoming of Huawei’s CFO. Microsoft describes the FoggyWeb backdoor, a significant cyberespionage tool. Kaspersky looks at the BloodyStealer Trojan and finds it especially risky to gamers. A novel approach to distributed denial-of-service. Apple looks into those iPhone zero-days. Joe Carrigan looks at the latest offerings in passwordless authentication. Our guest is Mathieu Gorge of VigiTrust on how law enforcement and executives can work together to fight cyber threats. And a look at doings in cybercrime: the US arrests more than thirty members of the Black Axe gang, a Russian convict is deported back to face Russian justice, and a blockchain maven pleads guilty to helping Pyongyang. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/187
Sep 28, 2021
The EU ask Russia to knock it off, and specifically to stop with the GhostWriter. Zoombombing in Cambodia. Conti is back; Colossus is a new entrant in the ransomware field. Meng returns to China.
1488
The EU publicly blames Russia for GhostWriter, and counsels Moscow to amend its ways. Finland’s security services warn of foreign cyberespionage and influence threats. Zoombombing at the highest levels in Cambodia. A ransomware operation, “Colossus,” is described. Conti is back, as predicted, and has hit a major European call center. Dinah Davis from Arctic Wolf on cybersecurity learning standards. Our guest is Otavio Freire from SafeGuard Cyber with insights on how to defend against nation-state actors and zero-day exploits. And Huawei’s CFO is back in China. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/186
Sep 27, 2021
Dave Bittner: From puppet shows to podcasts. [Media] [Career Notes]
617
Host of the CyberWire Podcast, Dave Bittner, wanted to work with the Muppets, so naturally he landed in cybersecurity. Dave and his Cookie Monster puppet spent much of his childhood putting on shows for his parents friends. During one of those performances, he was discovered and got his start at the local PBS station. A radio, television and film major in college, Dave owned his own company and as the most tech-savvy member of the group, handled that side of things. Dave notes his cybersecurity challenges back then consisted of maybe a corrupt floppy disk. It wasn't until he joined the CyberWIre that cybersecurity became Dave's focus. A former boss showed him how to lead a team and treat everyone with kindness regardless of their role. We thank Dave for sharing his story with us.
Sep 26, 2021
Why it’s time for cybersecurity to go mainstream. [CyberWire-X]
2435
The commonly held, idealized picture of technology is that tech makes our lives easier, safer, and better in just about every respect. But an unintended consequence of that picture is an unjustified assumption that companies will sell more products if they serve the public interest, and that may not be so. On the consumer side, personal technology investments are often a race to the price bottom, with little attention paid to the security of the products we buy. Vendors may enjoy less scrutiny and accountability, but that's not necessarily in the consumers' interest. Good things almost always come when technology steps out of the shadows and into the light of the mainstream. It’s time that happened in cybersecurity, where everyone, from suppliers to consumers, has a role to play. In this episode of CyberWire-X, knowledgeable representatives across that spectrum to learn what they have to say about risk, accountability, and, above all, transparency. Guest Dr. Georgianna Shea from the Foundation for Defense of Democracies shares her insights with the CyberWire's Rick Howard, and Sponsor Tanium's CISO for the Americas Chris Hallenbeck joins the CyberWire's Dave Bittner to discuss achievable steps the government, private sector, and the broader public can take to start moving the needle on cybersecurity.
Sep 26, 2021
Vulnerabilities in the public cloud. [Research Saturday]
1380
Guest Ariel Zelivansky, Senior Manager of Security Research at Palo Alto Networks, joins Dave to discuss Unit 42's work on the first cross-account container takeover in the public cloud. The Unit 42 Threat Intelligence team has identified the first known vulnerability that could enable one user of a public cloud service to break out of their environment and execute code on environments belonging to other users in the same public cloud service. This unprecedented cross-account takeover affected Microsoft's Azure Container-as-a-Service (CaaS) platform. Researchers named the finding Azurescape because the attack started from a container escape – a technique that enables privilege escalation out of container environments. The research can be found here: What You Need to Know About Azurescape Finding Azurescape – Cross-Account Container Takeover in Azure Container Instances Note: Microsoft is a sponsor of the CyberWire, however, we cover them as we would any other company.
Sep 25, 2021
Cyberattacks against a Russian rocket shop and the Port of Houston. As ransomware gangs increase activity, the US considers defenses. Pegasus found in French Ministers’ phones. Meng heads home?
1471
Someone is phishing for Russian rocketeers. The Port of Houston discloses a cyberattack, which the Port says it deflected before it had operational consequences. Ransomware gangs are up and active, and the US is considering mandatory reporting by victims as a defensive policy. Pegasus spyware is said to have been found in the phones of five French government ministers. Johannes Ullrich from the SANS Technology Institute on Attackers Hunting for Environment Variables. Our guest is Graeme Bunton of DNS Abuse Institute. And Huawei’s Meng Wanzhou may soon be headed home from Vancouver. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/185
Sep 24, 2021
Ransomware hits another US farm co-op, as Russan gangs seem to continue attacks without interference from Moscow. A new APT is described. REvil was cheating? CISA warns about Conti.
1490
Ransomware hits a second US Midwestern farm co-op. The US House hears from the FBI that Russia seems not to have modified its toleration of privateering gangs (at least yet). A new APT, “FamousSparrow,” is described. REvil seems to have been--surprise!--cheating its criminal affiliates. Josh Ray from Accenture with an update on the Hades Threat Group. Our guest is Tim Eades of vArmour on the urgent need to update cyber strategies in healthcare. CISA issues a new warning, this one on the Conti ransomware operation.  For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/184
Sep 23, 2021
Ransomware is rising, and governments try to evolve an effective response. A look at the cyber underworld. Snooping smartphones. An advance fee scam is criminal business as usual.
1685
BlackMatter continues to make a nuisance of itself on a large scale. The US is woofing about taking action against ransomware, and Treasury has sanctioned a rogue cryptocurrency exchange, but some advocate stronger measures. Where did all those Ukrainian cybercriminal chat platforms go? A warning of the “censor mode” in some Chinese manufactured smartphones. Caleb Barlow shares thoughts on CMMC certification. Our guest is Kevin Jones of Virsec with reactions to the White House Cybersecurity Summit. And, hey, no, really, Apple is not celebrating the iPhone 13 by giving away a stash of Bitcoin. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/183
Sep 22, 2021
BlackMatter hits an Iowa agricultural cooperative. US Treasury Department moves against ransomware’s support system. FBI gave Kaseya the REvil decryptor. Camorra cybercriminals arrested.
1588
Ransomware hits an Iowa agricultural cooperative, which doesn’t meet, the criminals say, the standard for “critical infrastructure.” US Treasury Department announces steps against ransomware’s economic support system. Did Kaseya get its REvil decryptor from the FBI? Ben Yelin describes a major federal court victory for security researchers. Our guest is Dave Stapleton from CyberGRX on the rise of extortionware. And Europol, along with Spanish and Italian police, take down a Camorra cybercrime ring. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/182
Sep 21, 2021
Electioneering, domestic, but with international implications. The Mirai botnet is exploiting OMIGOD. Container shipper sustains data breach. Odd ads. Phishing with Mr. Musk’s name.
1603
Cyber electioneering, in Hungary and Russia, the latter with some international implications. The Mirai botnet is exploiting the OMIGOD vulnerability. A shipping company deals with data extortion. Government websites have been serving up some oddly adult-themed ads. Malek Ben Salem from Accenture has thoughts on quantum security in the automotive industry. Our guest is Padraic O'Reilly of CyberSaint to discuss concerns about the Defense Industrial Base. And no, there’s no such thing as the Elon Musk Mutual Aid Society. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/181
Sep 20, 2021
Limor Kessem: Be an upstander. [Security Advisor] [Career Notes]
477
Executive Security Advisor at IBM Security Limor Kessem says she started her cybersecurity career by pure chance. Limor made a change from her childhood dream of being a doctor and came into cybersecurity with her passion, investment, discipline, and perseverance. Limor talks about how we must tighten our core security and at the same time we allow innovation to help us move forward with the times. She's been fortunate to have been able to stand up for others and has had others support her. She said that is very motivating and has allowed her to really explore every possible thing in her career that she can contribute without limiting herself to a certain role. We thank Limor for sharing her story with us.
Sep 19, 2021
An IoT educational exercise reveals a far-reaching vulnerability. [Research Saturday]
1464
Guest Jake Valletta, Director of Professional Services at Mandiant, joins Dave to talk about the critical vulnerability Mandiant disclosed that affects millions of IoT devices. Mandiant disclosed a critical risk vulnerability in coordination with the Cybersecurity and Infrastructure Security Agency (“CISA”) that affects millions of IoT devices that use the ThroughTek “Kalay” network. This vulnerability, discovered by researchers on Mandiant’s Red Team in late 2020, would enable adversaries to remotely compromise victim IoT devices, resulting in the ability to listen to live audio, watch real time video data, and compromise device credentials for further attacks based on exposed device functionality. These further attacks could include actions that would allow an adversary to remotely control affected devices. The research can be found here: Mandiant Discloses Critical Vulnerability Affecting Millions of IoT Devices
Sep 18, 2021
Patch that password manager. The hidden hand of the troll farm. Election meddling. Coin-mining’s costs, and a crackdown in China. If you really loved me, you’d speculate in Dogecoin....or something.
1648
Patch your Zoho software now--vulnerable instances are being actively exploited. Maximum engagement isn’t necessarily good engagement: the hidden hand of the trolls replaces the invisible hand of the marketplace of ideas. Politics ain’t beanbag, Russian edition. An indictment emerges from the US investigation into possible misconduct during the 2016 elections. The costs of coin-mining. Josh Ray from Accenture on protecting critical infrastructure. Our guest is Tony Pepper from Egress with a look at Insider Data Breaches. And don’t mix investment advice with matters of the heart. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/180
Sep 17, 2021
A CSO's 9/11 Story: CSO Perspectives Bonus.
1713
For the 20th anniversary of 9/11, Rick Howard, the Cyberwire’s CSO, Chief Analyst, and Senior Fellow, recounts his experience from inside the Pentagon running the communications systems for the Army Operations Center.
Sep 17, 2021
Election-season cyber incidents in Germany. South Africa works to recover from a ransomware attack on government networks. Cryptojacking botnet moves to Windows targets. Ransomware notes.
1631
Denial-of-service at a German election agency, as Federal prosecutors investigate GhostWriter. More nation-states get into election meddling. South Africa works to recover from a ransomware attack against government networks. A cryptojacking botnet moves from Linux to Windows. A ransomware gang threatens to burn your data if you bring in third-party help. Ransomware cyberinsurance claims rise. Rick Howard checks in with Tom Ayres from Lead Up Strategies on Cyber Piracy. Caleb Barlow shares insights on CMMC. And it’s a really good week to patch. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/179
Sep 16, 2021
No crackdown on ransomware from Moscow (at least so far). Cyber Partisans in Belarus. A long-running Chinese cyber campaign. Phishing and other cybercrime. Mercenaries.
1522
That Russian crackdown on ransomware gangs people thought they were seeing? Hasn’t happened, at least according to the FBI. The Cyber Partisans take a virtual whack at President Lukashenka’s government in Belarus. Operation Harvest is complicated and long-running. Phishing with a promise of infrastructure funding. The criminal market for bogus vaccine cards. Johannes Ullrich from SANS on dealing with image uploads - vulnerabilities in conversion libraries. Our UK correspondent Carole Theriault on Deepfakes - what you need to know now. And a deferred prosecution agreement in a “cyber mercenary” case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/178
Sep 15, 2021
NSO Group’s Pegasus was installed in a zero-click exploit: iOS users should patch. Vermillion Strike hits Linux systems. Enforcing the law against cybercrime.
1352
Citizen Lab finds, and Apple patches, a zero-day used for zero-click installation of Pegasus spyware. A Cobalt Strike beacon has been turned to cyberespionage use against Linux targets. The Russian government could, it seems, take action against cybercrime, but its will-to-enforcement seems to be inconsistent. Ben Yelin from UMD CHHS with more on Apple's CSAM controversy, our guest is Mel Shakir from Dreamit Ventures on selling to CISOs, and their customer sprints. REvil makes nice with grumpy affiliates. And criminals’ commitment to the common good seems weak. That’s not a surprise, is it? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/177
Sep 14, 2021
The continuing problem of Meris and its bot-driven DDoS. Mustang Panda visits Indonesia. DPRK’s social media battlespace prep. Al Qaeda marks 9/11’s anniversary. And REvil seems to be back.
1354
The Meris botnet continues to disrupt New Zealand banks, and has turned up elsewhere, too. Mustang Panda compromised Indonesian government networks. North Korean operators are using social media to soften up their prospective targets. Al Qaeda sympathizers marked the twentieth anniversary of 9/11 by calling for--what else?--more 9/11s. Malek Ben Salem from Accenture on deep unlearning, our own Rick Howard is in, talking about the latest episode of CSO Perspectives on adversary playbooks, and REvil seems to be back in business after taking what some of its hoods call “a break.” For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/176
Sep 13, 2021
Joe Bradley: A bit of a winding road. [Chief Scientist] [Career Notes]
419
Chief Scientist at LivePerson Joe Bradley takes us down his circuitous career journey that led him back to math. Joe had many ambitions from opera singer to middle school teacher, spent some time at two national labs and went back to his first love of math and physics. He notes that many of the most mathematically intuitive people that he's met are people that also have a creative outlet and a lot of times it's music. Adding a business aspect to his technical work, Joe came to his current position. He recommends going deep into your preferred subject and hopes that it helps you to become something different because of all you put into the work. We thank Joe for sharing his story with us.
Sep 12, 2021
A Google Chrome update that just didn't feel right. [Research Saturday]
1229
Guest Jon Hencinski from Expel joins Dave Bittner to discuss his team's recent work on "Expel SOC Stops Ransomware Attack Aimed at WordPress CMS via Drive-By Download Disguised as Google Chrome Update." In July, 2021, Expel's SOC stopped a ransomware attack at a large software and staffing company. The attackers compromised the company’s WordPress CMS and used the SocGholish framework to trigger a drive-by download of a Remote Access Tool (RAT) disguised as a Google Chrome update. In total, four hosts downloaded a malicious Zipped JScript file that was configured to deploy a RAT, but we were able to stop the attack before ransomware deployment and help the organization remediate its WordPress CMS. Jons walk us through what happened, how they caught it, and provide recommendations on how to secure your WordPress CMS.  The research can be found here: Expel SOC Stops Ransomware Attack Aimed at WordPress CMS via Drive-By Download Disguised as Google Chrome Update
Sep 11, 2021
Investigations--the SEC looks into Solarigate, German prosecutors inquire into GhostWriter. The Meris botnet is responsible for recent DDoS attacks. Implausible deniability. The SINET 16 are announced.
1632
The SEC’s inquiry into the SolarWinds incident may expose other, unrelated data breaches. Researchers identify an IoT botnet, Meris, as responsible for DDoS attacks against a number of banks. German prosecutors have opened an investigation into the GhostWriter campaign. Researchers look at the cozy, implausibly deniable relationship between Russia’s security services and cyber gangs. A money-launderer gets eleven years. David Dufour from Webroot has straight talk about paying the ransom. Our guest is Jeff Williams from Contrast Security with a look at AppSec Observability. Congratulations to the SINET 16 winners. And we remember 9/11: has it already been twenty years? For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/175
Sep 10, 2021
Credential theft at the UN? Intelligence services and privateers. DDoS hits a big multinational. A look at AlphaBay 2.0. Notes on the C2C marketplace.
1538
A cyberattack is reported at the UN, with agency data apparently lost to parties and parts unknown. The Bears are quieter, but the privateers are up and at ‘em. DDoS hits Yandex. Cyberespionage using the SideWalk backdoor. TeamTNT is getting tougher to detect. A SWOT analysis of the newly reconstituted AlphaBay contraband market. The Groove Gang is a new age criminal affiliate program. Caleb Barlow describes attackers leveraging US and European infrastructure to hide in plain sight. Our guest is Brad Thies of BARR Advisory on what the next 5 years may have in store for cloud security. And irritate your online chums for just 50 bucks a pop. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/174
Sep 09, 2021
BladeHawk Android cyberespionage campaign in progress. Labor Day was quiet, but the gangs are now back at it. REvil’s remnant stirs. Bulletproof hosting. Phishing keywords.
1462
BladeHawk cyberespionage campaign in progress. Microsoft warns of targeted attacks in progress. Hey--the hoods took a breather over Labor Day, but the straw hats are off now, and they’re back at work. Someone is rummaging in REvil’s unquiet grave. Bulletproof hosting services and the criminal marketplace. Mike Benjamin from Black Lotus Labs on ReverseRAT 2.0. Rick Howard checks in with Philip Reiner from the Ransomware Taskforce. And does a New Urgent Message Require Action? Maybe not. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/173
Sep 08, 2021
A threat from Ragnar Locker. GhostWriter in the Bundestag. BKA bought Pegasus. Taliban sifts data for potential opponents. France-Visas hacked. Modified apps. Privacy notes. A TrickBot arrest.
1563
No spectacular flurry of Labor Day ransomware, but Ragnar Locker threatens its victims. Berlin complains to Moscow about GhostWriter. Another Pegasus customer is disclosed. The Taliban is searching for data on potential domestic opponents. France-Visas hacked. Modified apps in circulation. Joe Carrigan unpacks a Covid based phishing scam. Carole Theriault weighs in on the ransomware pay-or-do-not-pay discussion. ProtonMail answers a warrant, Apple delays CSAM screening, and an alleged TrickBot coder is arrested. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/172
Sep 07, 2021
Security operations centers: a first principle idea. [CSO Perspectives]
990
The idea of operations centers has been around as far back as 5,000 B.C. This show covers the history of how we got from general purpose operations centers to the security operations centers today, the limitations of those centers, and what we need to do as a community make them more useful in our infosec program.
Sep 06, 2021
Natali Tshuva: Impacting critical industries. [CEO] [Career Notes]
454
CEO and co-founder of Sternum, Natali Tshuva shares how she took her interest in science and technology and made a career and company out of it. Beginning her computer science undergraduate degree at age 14 through a special program in Israel, Natali says it opened up a new world for her. Her required service in the IDF found Natali as a member of Unit 8200, the Israeli intelligence. In the Israeli corporate space following the IDF, Natali discovered how cybersecurity could actually create impact in the real world environment and found a way to combine her cybersecurity expertise with the passion to impact critical industries like the medical industry. Natali recommends that those entering the field get some hands-on experience and use your unique strengths to find a way to make the world a better place. We thank Natali for sharing her story. 
Sep 05, 2021
Like a computer network but for physical objects. [Research Saturday]
1489
Guest Ben Seri, Armis' VP of Research, joins Dave to talk about a set of remote code execution (RCE) vulnerabilities in the pneumatic tube system of Swisslog. Nine vulnerabilities in critical infrastructure used by 80% of major hospitals in North America. Swisslog’s Translogic Pneumatic Tube System (PTS), a solution that plays a crucial role in patient care, found vulnerable to devastating attack. Dubbed PwnedPiper, the vulnerabilities allow for complete take over of the Translogic Nexus Control Panel, which powers all current models of Translogic PTS stations. Older IP-connected Translogic stations are also impacted, but are no longer supported by Swisslog. The research can be found here: PwnedPiper
Sep 04, 2021
Watch out for cybercrime over holidays (like Labor Day). Ransomware warning for the food and agriculture sector. Gift card and loyalty program fraud. NIST draft IoT guidelines out for comment.
1429
Uncle Sam recommends cyber vigilance during your kinetic relaxation this Labor Day weekend. The ransomware threat to food and agriculture. “Low and slow” fraud from compromised email in-boxes. Israel promises an investigation of cyber export controls. Josh Ray from Accenture Security on giving back to the community and the Jenkins Attack Framework for red teaming. Our guest is Andy Ellis on the transparency in cybersecurity initiative. And NIST has draft consumer IoT guidelines out for comment. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/171
Sep 03, 2021
LockBit updates. The BrakTooth bugs infesting Bluetooth. Malicious cable proof-of-concept. EU fines WhatsApp over GDPR issues. Insider threats. Action against an alleged stalkerware vendor.
1511
The LockBit gang jumps the gun, and crows a bit higher than the facts seem to warrant. Ghostwriter seems to ride a much bigger infrastructure than previously believed. BrakTooth bugs afflict “billions” of Bluetooth devices. OMG cables include a keylogger that phones home. The EU fines WhatsApp over GDPR violations. Insider threats can be difficult to recognize. David Dufour from Webroot thinks it’s great that you haven’t been breached...yet. Our guest is Mark Nunnikhoven from Lacework with results from their Cloud Threat Report. And an alleged stalkerware vendor is sanctioned by the US Federal Trade Commission. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/170
Sep 02, 2021
A look at cyber gangland. Sino-Australian tension in cyberspace. Vulnerabilities reported (and disputed) in a home security system. Labor Day warnings.
1572
Ransomware continues to hold pride-of-place in cybercrime. A look inside the mind of cyber gangland, or at least that portion of their mind they’re willing to expose. Business email compromise operators look for communication skills, and the underworld seems to think university students make good money mules. Reports of vulnerabilities in a home security system. When Canberra angered Beijing. Caleb Barlow has thoughts on the FBI response to MS Exchange vulnerabilities. Our guest’s are Peter Singer and Lisa Guernsey on New America's Teaching Cyber Citizenship initiative. And CISA and the FBI advise being alert over Labor Day. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/169
Sep 01, 2021
Dangers of data collected in Afghanistan. Another cryptocurrency theft. Hardware backdoors? LockBit dumps airline’s data. CISA opens registration for the President’s Cup. Too much gaming, kids.
1483
Possible consequences of the Taliban’s seizure of Afghanistan’s APPS data. Another DeFi platform sustains a cryptocurrency theft. How would one handle a hardware backdoor? LockBit begins dumping data stolen from Bangkok Airways. Registration for CISA’s President’s Cup is now open. Joe Carrigan describes the superiority of AI generated phishing emails. Rick Howard speaks with Art Poghosyan from Britive on Software Defined Perimeters. And China moves to keep minors from wasting too much time in online gaming. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/168
Aug 31, 2021
Data breaches and ransomware. Another gang says it’s retiring. New warrants against cybercrime in Australia. Roles and missions in the US. Hoosier data?
1311
Data breach and ransomware affect an airline’s customers. The Phorpiex botnet operators say they’re going out of business, and everything must go. New warrants for the Australian Federal Police in cybercrime cases. US Federal cybersecurity roles and responsibilities. Rick Howard takes on adversary playbooks. Josh Ray from Accenture Security on The Biden Administration's cybersecurity executive order, what it means for product security. And Indiana warns of a COVID-19 contact tracking database exposure. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/167
Aug 30, 2021
Rich Hale: Understanding the data. [CTO] [Career Notes]
439
Chief Technology Officer of ActiveNav Rich Hale takes us through his career aspirations of board game designer (one he has yet to realize), through his experience with the Royal Air Force to the commercial sector where his firm works to secure dark data. During his time in the Air Force, Rich was fortunate to serve on a wide range of different platforms from training aircraft to bombers, and all the way into procurement and policy. Transitioning to the commercial sector, Rich notes he was well prepared for some aspects, but lacking in some he's made up on his own. Rich likes to lead with vision and empower his teams. He counsels that you should not fear making a career change, but be sure to look twice before making the leap. We thank Rich for sharing his story with us.
Aug 29, 2021
Joker malware family: not a joke for Google Play. [Research Saturday]
1137
Guest Deepen Desai, Zscaler's Chief Information Security Officer and VP Security Research & Operations, joins Dave to discuss their ThreatLabz team's research "Joker Joking in Google Play: Joker malware targets Google Play store with new tactics." Joker is one of the most prominent malware families targeting Android devices. Despite public awareness of this particular malware, it keeps finding its way into Google’s official application market by employing changes in its code, execution methods, or payload-retrieving techniques. This spyware is designed to steal SMS messages, contact lists, and device information, and to sign the victim up for premium wireless application protocol (WAP) services. Zscaler’s ThreatLabz research team has been constantly monitoring the Joker malware. Recently, they observed regular uploads of it onto the Google Play store. ThreatLabz notified the Google Android Security team, who have taken prompt action to remove the suspicious apps from the Google Play store.  This prompted them to evaluate how Joker is so successful at getting around the Google Play vetting process. The team saw 11 different samples regularly uploaded to Google Play recently clocking 30k installs. The research can be found here: Joker Joking in Google Play: Joker malware targets Google Play store with new tactics
Aug 28, 2021
The T-Mobile hacker speaks (we think). SparklingGoblin enters the cyberespionage ring. Is someone stealing data to train AI? Cellebrite’s availability. Ragnarok ransomware says it’s going out of business.
1514
A young man claiming responsibility for the T-Mobile breach talks to the Wall Street Journal. A new cyberespionage group, “SparklingGoblin,” seems particularly interested in educational institutions, especially in Southeast and East Asia. Are governments training AI with stolen data? Mitigations for Microsoft issues. Cellebrite tools may still be available to Chinese police. Kevin Magee from Microsoft wonders if leaders have over pivoted toward technical skill. Our guest is Bill Wright of Splunk on the ongoing geopolitical ransomware trend. And another ransomware gang says it’s going out of business...we’ll wait and see. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/166
Aug 27, 2021
A quick look back at yesterday’s White House industry meeting. Revolution, coup, or a bit of both? Storytelling for security. Lessons from Olympic scams. Notes from the underworld.
1705
Outcomes from the White House industry cybersecurity summit: standards, training, zero-trust, and multifactor authentication. The Cyber Partisans aim at the overthrow of Lukashenka’s rule in Minsk. A role for storytelling in security. Scams, sports, and streaming. Speculation about the ShinyHunters’ next moves. Verizon’s Chris Novak on Reducing false positives in threat intelligence. Bentsi Ben Atar from Sepio Systems on the risks of hardware-based attacks, internal abusers, corporate espionage, and Wi-Fi. And cybercriminals like their VPNs, too. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/165
Aug 26, 2021
Hacktivism in Belarus. The Taliban’s data grab. Four rising ransomware operations. The White House cybersecurity summit with industry leaders is in progress.
1497
Politically motivated hacktivism in Belarus. The Taliban’s data grab in Afghanistan. Four rising ransomware operations. Mike Benjamin from Black Lotus Labs on UDP reflectors. Our guest is Chris Grove of Nozomi Networks with insights on OT/IoT Security. And the White House says “concrete announcements” are expected after today’s meetings on cybersecurity with industry leaders, so we’ll be staying tuned. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/164
Aug 25, 2021
Apple CSAM: well-intentioned, slippery slope. [Caveat]
2455
Guest David Derigiotis, Corporate Senior Vice President at Burns & Wilcox, joins Dave and Ben for an in-depth discussion this episode. Departing from our usual format, we take a closer look at the implications of Apple’s recent announcements that they will be enabling scanning for Child Sexual Abuse Materials, CSAM, on iOS devices. We devote the entire episode to this topic and hope you will join us.
Aug 25, 2021
Apparent hacktivism exposes Iranian prison CCTV feeds. Misconfigured Power Apps expose data. FBI warns of the OnePercent Group. Mr. White Hat gives back. Dog bites man
1654
More hacktivism appears to have hit Iran. Misconfigured Power Apps portals expose data on millions. The FBI warns of the activities of a ransomware affiliate gang. Mr. White Hat really does seem to have given back all that stolen alt-coin. Ben Yelin checks in on Apple’s CSAM plans. Our guest is Charles DeBeck from IBM Security on the true cost Cost of a Data Breach. And, finally, dog bites man: criminals cheat other criminals. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/163
Aug 24, 2021
Notes on the fall of Afghanistan, with its cyber and kinetic implications. US State Department hack reported. ShinyHunters resurface. Further incentive to patch Microsoft Exchange Server.
1194
The Taliban consolidates control over Afghanistan, and it’s doing so online as well as on the ground. Reports say the US State Department has come under cyberattack; State says that any such incident was without significant effect. The ShinyHunters say they’ve obtained a great deal of PII from AT&T, but AT&T says that, whatever the crooks have, it didn’t come from AT&T. Rick Howard on orchestration. Carole Theriault on women in cybersecurity - are thing getting any better? And exploitation gives organizations even more incentive to patch Microsoft Exchange server instances. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/162
Aug 23, 2021
Jennifer Walsmith: Pioneering and defining possible. [Cyber Solutions] [Career Notes]
534
Vice President for Cyber and Information Solutions within Mission Systems at Northrop Grumman, Jennifer Walsmith takes us on her pioneering career journey. Following in her father's footsteps at the National Security Agency, Jennifer began her career out of high school in computer systems analysis. Jennifer notes she saw the value of a college degree and at her parents' urging attended night school. She completed her bachelors in computer science at University of Maryland, Baltimore County with the support of the NSA. Jennifer talks about the support of her team at NSA where she was one of the first women to have a career and a family, raising two children while working. Upon retirement from government service, Jennifer chose an organization with values that closely matched her own and uses her position to help her team define possible where they sometimes think they can't. We thank Jennifer for sharing her story with us.
Aug 22, 2021
From board advisor to board member: evolution of the modern CISO. [CyberWire-X]
2827
The recent frequency of ransomware attacks and heightened visibility of supply chain risks has garnered the attention of executive teams and boards of directors for companies of all sizes, across all industries. For CISOs, these recent events have significantly amplified the importance of establishing and maintaining effective relationships and lines of communication with boards of directors. CISOs are now spending more time than ever engaging, reporting, and answering to boards regarding questions around where their organization is on the cyber risk spectrum. For CISOs, this heightened risk environment presents both a challenge and an opportunity. In this episode of CyberWire-X, guest ret. Major General Zan Vautrinot and Sponsor JM Search's Jamey Cummings joins the CyberWire's Rick Howard to discuss how today’s CISOs are challenged to develop an ever-expanding skill set to effectively execute in their role while also satisfying concerns and areas of interest of their board of directors. Jamey will also discuss how the evolving role of the CISO is unlocking opportunities for CISOs to elevate their stature, and can open the door for them to serve in board roles as companies are increasingly prioritizing information security and technology risk management skills for their directors. 
Aug 22, 2021
Exploring vulnerabilities of off-the-shelf software. [Research Saturday]
1050
Guest Tomislav Peričin, Reversing Labs' Chief Software Architect and Co-Founder, joins Dave to discuss his team's research that addresses the importance of validating third-party software components as a way to manage the risks that they can introduce. Developing software solutions is a complex task requiring a lot of time and resources. In order to accelerate time to market and reduce the cost, software developers create smaller pieces of functional code which can be reused across many projects. The concept of code reuse is one of the cornerstones of modern software engineering and it is universally accepted that everybody should strive towards it. However, in addition to the positives, organizations need to be aware of the security risks introduced by such third-party components. The growing number of cyber incidents that target the software supply chain are focused on high-value target compromises. With the latest surge and public uproar, the US President Biden has issued the Executive Order on Improving the Nation’s Cybersecurity in order to create an institutional framework addressing these kinds of security risks. The research can be found here: Third-party code comes with some baggage
Aug 21, 2021
Warm wallet pilferage. Advice on reducing the ransomware risk. Regulatory action in the T-Mobile breach. China’s privacy law. FTC refiles monopoly complaint against Facebook. Better MICE traps?
1517
Pilferage reported from Liquid Global’s alt-coin warm wallets. CISA offers advice on reducing the risk of ransomware. The FCC is looking into the T-Mobile breach, and Moody’s raises questions about the telco’s risk management. China passes its own version of GDPR. The FTC refiles its monopoly complaint against Facebook. Caleb Barlow on 3rd Party Breach Notifications and finding out if your information is being traded on the dark web. Rick Howard speaks with hash table member Zan Vautrinot about serving on boards. And the FBI warns that insiders can be recruited for industrial espionage. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/161
Aug 20, 2021
T-Mobile outlines what it’s offering customers hit by its data breach. Taliban on good T&C behavior? Apple’s CSAM. OS bug may affect medical devices. A report on 2020’s US Census Bureau hack.
1510
T-Mobile describes what it intends to do for those who may have been affected by its big data breach. The Taliban is taking care not to get banned from social media. Apple defends its CSAM measures against a technical objection, but advocacy groups see a slippery policy slope. The US FDA warns of vulnerabilities in an OS used by medical devices. A report on a 2020 incident at the US Census Bureau. David Dufour shares a few surprises from Webroot’s 2021 Threat Report. Our guest is Brandon Hoffman from Intel 471 on cybercriminals creating turbulence for the transportation industry. And a Bitcoin tumbler cops a guilty plea. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/160
Aug 19, 2021
Taliban seizes HIIDE devices. T-Mobile customer data compromised. Ransomware attack against Brazil’s Treasury. Social engineering espionage. Ransomware vs. sewers. IoT bug disclosed.
1448
The Taliban now has, among other things, a lot of biometric devices. T-Mobile concludes that some customer data were compromised in last week’s incident. InkySquid’s in the watering hole. Brazil’s Treasury sustained, and says it contained, a ransomware attack. Siamese Kitten’s social engineering on behalf of Tehran. Sewage systems hacked in rural Maine. Josh Ray from Accenture Security on what nation state adversaries may have learned from observing the events surrounding Colonial pipeline. Our guest Manish Gupta from ShiftLeft looks at issues with the Software Bill of Materials. And an IoT vulnerability is disclosed, and mitigations are recommended. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/159
Aug 18, 2021
Consequence of the Taliban victory for influence operations and information security. Privateering gangs described. Data exposures, data compromises.
1390
Al Qaeda online sources cheer the Taliban’s ascendancy. The new rulers of Afghanistan are likely to have acquired a good deal of sensitive data along with political rule and a quantity of US-supplied military equipment. Terrorist watchlist data were found in an exposed server (now taken offline). Connections between gangland and Russian intelligence. T-Mobile was hacked, but it’s unclear what if any data were compromised. Joe Carrigan on FlyTrap Android Malware Compromising Thousands of Facebook Accounts. Our guest is Liam O’Murchu from Symantec on what keeps him up at night. And some personal information was exposed in the Colonial Pipeline incident. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/158
Aug 17, 2021
Possible consequences of Afghanistan’s fall to the Taliban. Non-state actors’ political motives. Poly Network rewards “Mr. White Hat.” C2C offering will check your alt-coin. Breach at T-Mobile?
1420
The Taliban has effectively taken control of Afghanistan, and the fall of Kabul is likely to have a quick, near-term effect on all forms of security. The Indra Group’s actions against Iranian interests suggest the potential of non-state, politically motivated actors. Crooks returned almost all the money rifled from DeFi provider Poly Network. A new C2C service tells hoods if their alt-coin is clean. DeepBlueMagic is a new strain of ransomware. Chris Novak of Verizon on advancing incident response. Rick Howard is taking on Orchestration in this week’s CSO Perspectives. And T-Mobile investigates claims of a data breach. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/157
Aug 16, 2021
Rick Howard: Give people resources. [CSO] [Career Notes]
489
Chief Security Officer, Chief Analyst, and Senior Fellow at the CyberWire, Rick Howard, shares his travels through the cybersecurity job space. The son of a gold miner who began his career out of West Point in the US Army, Rick worked his way up to being the Commander of the Army's Computer Emergency Response Team. Rick moved to the commercial sector working for Bruce Schneier running Counterpane's global SOC. Rick's first CSO job was for Palo Alto Networks where he was afforded the opportunity to create the Cybersecurity Canon Hall of Fame and the Cyber Threat Alliance. Upon considering retirement, Rick called up on the CyberWire to ask about doing a podcast and he was hired on to the team. Rick shares a proud moment through a favorite story. We thank Rick for sharing his story with us.
Aug 15, 2021
You can add new features, just secure the old stuff first. [Research Saturday]
1934
Guests Will Schroeder and Lee Christensen from SpecterOps join Dave to share the research they recently presented at Black Hat USA on the security of Microsoft's Active Directory Certificate Services. Their abstract: Microsoft’s Active Directory Public Key Infrastructure (PKI) implementation, known as Active Directory Certificate Services (AD CS), has largely flown under the radar of both the offensive and defensive communities. AD CS is widely deployed, and provides attackers opportunities for credential theft, machine persistence, domain escalation, and subtle domain persistence. We present relevant background on certificates in Active Directory, detail the abuse of AD CS through certificate theft and active malicious enrollments for user and machine persistence, discuss a set of common misconfigurations that can result in domain escalation, and explain a method for stealing a Certificate Authority’s private key in order to forge new user/machine “golden” certificates. By bringing light to the security implications of AD CS, we hope to raise awareness for both attackers and defenders alike of the security issues surrounding this complex, widely deployed, and often misunderstood system. The blog post and white paper can be found here: Certified Pre-Owned blog post Certified Pre-Owned white paper
Aug 14, 2021
Cyberespionage follows South Asian conflict. LockBit’s $50 million demand. Insider risk. Trend Micro warns unpatched Apex is under attack. PrintNightmare persists. Google and Apple on privacy.
1746
ReverseRat is back and better, and it’s sniffing at Afghanistan. LockBit wants $50 million from Accenture. When employees leave, do they take your data with them? (Survey, or rather, telemetry, says yes.) Unpatched Apex One instances are under active attack. PrintNightmare continues to resist patching. Google bans SafeGraph. Apple explains what’s up with iCloud privacy. Caleb Barlow wonders if ransomware payments financing criminal infrastructure in Russia. Our guest is Oliver Rochford from Securonix on the notion of cyberwar. And the SynAck ransomware gang rebrands. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/156
Aug 13, 2021
More stolen alt-coin is returned. Accenture reports minimal effects in the alleged LockBit attack. Home routers attacked. Source code for sale? PrintNightmare exploited in the wild. Extradition cases.
1567
More stolen coin is returned in the case of the Poly Network cross-chain hack. Accenture says the incident it sustained had no significant effect, and the LockBit ransomware gang who claimed responsibility release some relatively anodyne files. Home routers are under attack. Crooks are offering what they claim to be Bkav source code for sale on Raidforums. Magniber weaponizes a PrintNightmare flaw. Dinah Davis from Arctic Wolf shares stats on the state of women in cyber. Our guest is Peter Voss of Aigo.ai on what’s missing in artificial intelligence. Two extradition cases proceed. And the Solarium Commission reports. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/155
Aug 12, 2021
A $600 million alt-coin heist. LockBit claims it hit Accenture. A false-flag cyberespionage campaign. A REvil key is posted. AlphaBay is back. Facebook takes down vaccine disinfo campaign.
1632
Cross-chain attack steals millions in cryptocurrency. LockBit claims to have hit Accenture, but Accenture says with negligible consequences. Emissary Panda flies a false Iranian flag. Ekranoplan posts a key for the REvil strain used against Kaseya. AlphaBay has risen from the grave, sort of. Johannes Ullrich has thoughts on resetting 2FA. Our guest is Idan Plotnik from Apiiro on their win of the 2021 RSAC Innovation Sandbox Contest. And you can’t fool us, you bought-and-paid-for influencers you: no vaccine is going to turn us into monkeys. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/154
Aug 11, 2021
A threat to release stolen proprietary data. The C2C market: division of labor and loss-leading marketing ploys. Misconfigured Salesforce Communities. Sanctions-induced headwinds for Huawei.
1657
RansomEXX threatens to release stolen proprietary data. Some looks at the C2C market, the criminal division of labor, and a splashy carder marketing ploy. Misconfigured Salesforce Communities expose organizational data. Our guest is Ron Brash from Verve International on a CISA advisory regarding GE ICS equipment. Ben Yelin on the proposed U.S. Bureau of Cyber Statistics. Huawei faces sanctions-induced headwinds. Mexico’s investigation of Pegasus abuse continues, but so far without arrests or resignations. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/153
Aug 10, 2021
Home router vulnerabilities exploited in the wild. ACSC warns of a LockBit spike in LockBit. Flytrap Android Trojan is out. SCADA recon. Child protection. Wiretaps and social media.
1417
Home router vulnerabilities exploited in the wild. ACSC warns of a spike in LockBit ransomware attacks. The Flytrap Android Trojan is still concealed in malicious apps. An unidentified threat actor has been prospecting SCADA systems in Southeast Asia. Rick Howard checks in with the Hash Table about Backups. Mike Benjamin from Lotus Labs on watering hole attacks. Apple’s new child protection measures attract skepticism from privacy hawks. Wiretaps extended to social media. And using three random words for your password. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/152
Aug 09, 2021
Alyssa Miller: We have to elevate others. [BISO] [Career Notes]
524
Business Information Security Officer at S&P Global Ratings, Alyssa Miller, joins us to talk about her journey to become a champion to create a welcoming nature and acceptance of diversity in the cybersecurity community. Starting her first full-time tech position while still in college, Alyssa noted the culture shock being in both worlds. Entering as a programmer and then moving to pen testing where she got her start in security, Alyssa grew into a leader who is committed to elevating those around her. Some stumbling blocks along the way gave her pause and helped point her in her current role where Alyssa works to bring more diverse views to improve the problem-solving in the space, something she sees as a key to success for the industry. We thank Alyssa for sharing her story with us.
Aug 08, 2021
SideCopy malware campaigns expand and evolve. [Research Saturday]
1278
Guest Asheer Malhotra, Threat Researcher of Cisco Talos Intelligence Group, joins Dave to discuss his team's research "InSideCopy: How this APT continues to evolve its arsenal." Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT. We are calling this malware "CetaRAT." SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT. Recent activity from the group, however, signals a boost in their development operations. Talos has discovered multiple new RAT families and plugins currently used in SideCopy infection chains. Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections. The research can be found here: InSideCopy: How this APT continues to evolve its arsenal blog post InSideCopy: How this APT continues to evolve its arsenal report
Aug 07, 2021
FTC warns of smishing targeting the unemployed. Initial access: buying it one way or another. Is the criminal gig economy vulnerable? Ransomware continues to hit healthcare.
1872