CyberWire Daily

Caroline Wong, Chief Strategy Officer from Cobalt sits down to share her story of her 15+ years in cybersecurity leadership, including practitioner, product, and consulting roles. As well as being a member of our very own Hash Table, Caroline also authored the popular textbook, Security Metrics: A Beginner's Guide and teachers cybersecurity courses on LinkedIn Learning as well as hosts the Humans of InfoSec podcast. Caroline's father pushed her to start her career in engineering, she went to UC Berkeley and got accepted into their Electrical Engineering and Computer Sciences program. As a college student, she was looking for an internship and found eBay, where she says she worked an entry level position available on the information security team, and says the rest is history. She shares that she loves to teach her peers, and how she would like to be remembered for being a good teacher, saying "I think that my favorite part of the work that I get to do is teaching. Um, and in particular, um, being able to communicate about cybersecurity concepts to a wide audience. I have such tremendous gratitude." We thank Caroline for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, our guest is Reece Baldwin from Kasada discussing their work on "No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign." The Kasada Threat Intelligence team has recently identified a malware campaign targeting users of OpenBullet, a tool popular within criminal communities to conduct credential stuffing attacks. This malware campaign was first uncovered when the team was digging around in a Telegram channel setup to share OpenBullet configurations. Reading through a few of the configurations they identified a function, ostensibly designed to bypass Google’s reCAPTCHA anti-bot solution. Th research states "While the versatility of OpenBullet’s configuration files enable complex attacks, they can also make it difficult for inexperienced attackers to fully understand what requests are being created and what data is being retrieved." The research can be found here: No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign Learn more about your ad choices. Visit megaphone.fm/adchoices

Apple issues emergency patches. "Multiple nation-state actors" target the aerospace sector. The DPRK targets security researchers. SpaceX interrupted service to block a Ukrainian attack against Russian naval units last year. The International Criminal Court will prosecute cyber war crimes. Operation KleptoCapture extends to professional service providers. Malek Ben Salem of Accenture ponders the long-term reliability of LLM-powered applications. Our guest is Elliott Champion from CSC on how cybercriminals are taking advantage of the Threads platform. And congratulations to the SINET 16. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/172 Selected reading. BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild (The Citizen Lab) Apple issues software updates after spyware discoveries (Washington Post) Apple patches two zero-days under attack (CVE-2023-41064, CVE-2023-41061) (Help Net Security) CISA, FBI, and CNMF Release Advisory on Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 | CISA (Cybersecurity and Infrastructure Security Agency CISA) Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Cybersecurity and Infrastructure Security Agency CISA) AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Tenable®) CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities (The Hacker News) Active North Korean campaign targeting security researchers (Google) Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers (SecurityWeek) Musk 'switched off Starlink in Ukraine over nuclear fears' (Computing) CNN Exclusive: 'How am I in this war?': New Musk biography offers fresh details about the billionaire's Ukraine dilemma | CNN Politics (CNN) Ukraine, US Intelligence Suggest Russia Cyber Efforts Evolving, Growing (Voice of America) The International Criminal Court Will Now Prosecute Cyberwar Crimes (WIRED) Technology Will Not Exceed Our Humanity (Digital Front Lines) Justice Department’s Oligarch Hunters Widen Scope to Include Facilitators (Wall Street Journal) Apple issues emergency patches. APTs target aerospace sector. DPRK targets security researchers. New BEC phishing kit. Notes from the hybrid war. ICC will prosecute cyber war crimes. SINET 16 announced. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices

Microsoft releases results of their investigation into cloud email compromise. A vulnerability affects a resort booking service. Adversary emulation for OT networks. Identity protection and identity attack surfaces. Sanctioning privateers (with a bonus on vacation ideas). Rob Boyce from Accenture Security tracks new trends in ransomware. Our Threat Vector segment features Mastering IR Sniping A Deliberate Approach to Cybersecurity Investigations with Chris Brewer. And Estonia warns of ongoing cyber threats. On this segment of Threat Vector, Chris Brewer, a Director at Unit 42 and expert in digital forensics and incident response, joins host David Moulton discussing Mastering IR Sniping: A Deliberate Approach to Cybersecurity Investigations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/171 Threat Vector links. Sniper Incident Response from Cactus Con on GitHub Sniper Incident Response presentation by Chris Brewer on YouTube Selected reading. Results of Major Technical Investigations for Storm-0558 Key Acquisition (Microsoft Security Response Center) Check-Out With Extra Charges - Vulnerabilities in Hotel Booking Engine Explained (Bitdefender) Deep Dive into Supply Chain Compromise: Hospitality's Hidden Risks (Bitdefender) MITRE and CISA release Caldera for OT attack emulation (Security Affairs) MITRE Caldera for OT now available as extension to open-source platform (Help Net Security) Silverfort and Osterman Research Report Exposes Critical Gaps in Identity Threat Protection (Silverfort) United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang (US Department of the Treasury) Estonian PM: cyberspace is Ukraine war frontline (Euromaidan Press) Cyberwar and Conventional Warfare in Ukraine (19FortyFive) Learn more about your ad choices. Visit megaphone.fm/adchoices

There’s a new Agent Tesla variant. Lost credentials and crypto wallet hacks. Tension between DevSecOps and AI. Fancy Bear makes an attempt on Ukrainian energy infrastructure. A look at NoName057(16). Tim Starks from the Washington Post's Cybersecurity 202. Simone Petrella and Helen Patton discuss People as a security first principle. And cybersecurity jobs seem to be getting tougher (say the people who are doing them). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/170 Selected reading. New Agent Tesla Variant Being Spread by Crafted Excel Document (Fortinet Blog) World's Largest Cryptocurrency Casino Stake Hacked for $41 Million (Hackread) Crypto casino Stake.com loses $41 million to hot wallet hackers (BleepingComputer) Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (KrebsOnSecurity) Global DevSecOps Report on AI Shows Cybersecurity and Privacy Concerns Create an Adoption Dilemma (GitLab) APT28 cyberattack: msedge as a bootloader, TOR and mockbin.org/website.hook services as a control center (CERT-UA#7469) (CERT-UA) Ukraine's CERT Thwarts APT28's Cyberattack on Critical Energy Infrastructure (The Hacker News) Ukraine says an energy facility disrupted a Fancy Bear intrusion (Record) What's in a NoName? Researchers see a lone-wolf DDoS group (Record) New Research from TechTarget’s Enterprise Strategy Group and the ISSA Reveals Continuous Struggles within Cybersecurity Professional Workforce - ISSA International (ISSA International) Life and Times 2023 Download Landing Page (ISSA International) E-book: The Life and Times of Cybersecurity Professionals Volume VI (ESG Global) Layoffs list extended by Malwarebytes, Fortinet, Veriff, SecureWorks (Cybernews) Learn more about your ad choices. Visit megaphone.fm/adchoices

A New variant of Chae$ malware is described. A "Smishing Triad" impersonates postal services. A MinIO storage exploit reported. Okta warns of attackers seeking senior admin privileges. LockBit compromises a UK security contractor. DDoS takes down a German financial regulator's site. Infamous Chisel as GRU combat support. Joe Carrigan on Meta uncovering a Chinese influence effort. Our guest is Connie Stack, CEO of Next DLP, discussing data breach notification procedure. And please -PLEASE- remember to change your default passwords. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/169 Selected reading. Threat Profile: Chae$ 4 Malware (Morphisec) "Smishing Triad" Targeted USPS and US Citizens for Data Theft (Resecurity) 'Smishing Triad' Targeted USPS and US Citizens for Data Theft (Security Affairs) New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services (Security Joes) Hackers exploit MinIO storage system to breach corporate networks (BleepingComputer) Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges (The Hacker News) More Okta customers trapped in Scattered Spider's web (Register) Cross-Tenant Impersonation: Prevention and Detection (Okta Security) Breaking: UK MoD attacked by LockBit (Computing) German financial agency site disrupted by DDoS attack since Friday (BleepingComputer) LogicMonitor customers hacked in reported ransomware attacks (BleepingComputer) LogicMonitor customers hit by hackers, because of default passwords (TechCrunch) Learn more about your ad choices. Visit megaphone.fm/adchoices

This interview from August 25th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Jeff Welgan, Chief Learning Officer at N2K Networks, to expand on the NICE framework in strategic workforce intelligence. Learn more about your ad choices. Visit megaphone.fm/adchoices

This week's guest is Rick Doten, the VP of Information Security at Centene Corporation, he sits down to share his story and provide wise words of wisdom after conquering this industry for 30 years. Rick, like many others in the field started off not knowing what he wanted to do, so he tried out a few things, including doing in-user training and desktop support, eventually evolving to do systems analysis work and designing software. Rick shares that his main day to day roles are spending time helping out the corporate global CISO, CTO, and head of platform within the organization, he shares that his nickname is the neighborhood cat because he's everywhere. Rick shares advice for people getting into the industry for the first time, saying "There is a rainbow of different roles in cyber security, and I feel like I've done all of them in the last 30 years. So there are different things that, that you, the thing that like appeal to you the most because you're going to excel and want to hyper focus on the thing that you really, really are interested in and not the thing that you're not" We thank Rick for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42 join Dave to talk about Threat Group Assessment: Muddled Libra. With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses. Posing threats to organizations in the software automation, BPO, telecommunications and technology industries, Muddled Libra is a threat group that favors targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals. The research can be found here: Threat Group Assessment: Muddled Libra Learn more about your ad choices. Visit megaphone.fm/adchoices

A VMConnect supply chain attack is connected to the DPRK. Reports of an aledgedly "fully undetectable information stealer." DB#JAMMER brute forces exposed MSSQL databases. A Cyberattack on a Canadian utility. The state of DevSecOps. A look at hacktivism, today and beyond. Betsy Carmelite from Booz Allen on threat intelligence as part of a third-party risk management program. Our guest is Adam Marré from Arctic Wolf Networks, with an analysis of Chinese cyber tactics. And a free decryptor is released for Key Group ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/168 Selected reading. VMConnect supply chain attack continues, evidence points to North Korea (ReversingLabs) Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware (Securonix) Montreal electricity organization latest victim in LockBit ransomware spree (Record) LockBit ransomware gang targets electrical infrastructure organization in Montreal (teiss) [Analyst Report] SANS 2023 DevSecOps Survey (Synopsys) SANS 2023 DevSecOps Survey (Application Security Blog) Government Agencies Report New Russian Malware Targets Ukrainian Military (National Security Agency/Central Security Service) Russian military hackers take aim at Ukrainian soldiers' battle plans, US and allies say (CNN) Ukraine: The First Cyber Lessons (AFCEA International) The Return of Hacktivism: A Temporary Reprise or Here for Good? (ReliaQuest) Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang (EclecticIQ) Learn more about your ad choices. Visit megaphone.fm/adchoices

China deploys tools used against Uyghurs in broader espionage. The Five Eyes call out a GRU cyberespionage campaign. Russian hacktivist auxiliaries hit Czech banks and the platform formerly known as Twitter. A Spring-Kafka zero-day is discovered. Deepen Desai from Zscaler explains RedEnergy Stealer-as-a-Ransomware attacks. Luke Nelson of UHY Consulting on ransomware’s impact on schools. And, hey, go Wolverines: the University of Michigan overcomes a cyberattack that delayed the academic year. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/167 Selected reading. BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps (We Live Security) Earth Estries Targets Government, Tech for Cyberespionage (Trend Micro) Infamous Chisel Malware Analysis Report (Cybersecurity and Infrastructure Security Agency CISA) UK and allies support Ukraine calling out Russia's GRU for new malware campaign (NCSC) Hackers Attack Czech Banks, Demanding End of Support For Ukraine (Brno Daily) More Russian attacks on Czech banks: Hackers call for end of support to Ukraine (Expats.cz) Anonymous Sudan hacks X to put pressure on Elon Musk over Starlink (BBC News) Contrast Assess uncovers Spring-Kafka deserialization zero day (Contrast Security) U. Michigan restores campus internet after cyberattack disrupts first week of classes (EdScoop) Internet restored on University of Michigan campus, ongoing issues still expected (mlive) University of Michigan isn't disclosing details of internet outage cyberattack (Detroit Free Press) Expert weighs in on school cyberattacks as University of Michigan makes progress on internet outages (CBS News) Learn more about your ad choices. Visit megaphone.fm/adchoices

An international operation takes down Qakbot. Chinese threat actors anticipated Barracuda remediations. A look at adversary-in-the-middle attacks, making phishbait more effective and the emergence of a new ransomware threat. Narrative themes in Russian influence operations. My conversation with Natasha Eastman from (CISA), Bill Newhouse from (NIST), and Troy Lange from (NSA) to discuss their recent joint advisory on post-quantum readiness. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Cyber Threat Alliance President and CEO Michael Daniel about the current state of cybercrime. And when toilet bowls are outlawed, only outlaws will have toilet bowls. Listen to the full conversation with Natasha Eastman, Bill Newhouse, and Troy Lange here: A joint advisory on post-quantum readiness. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/165 Selected reading. Operation Duck Hunt bags Qakbot. (CyberWire) FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown (Federal Bureau of Investigation) Qakbot Malware Disrupted in International Cyber Takedown (US Department of Justice) Law Enforcement Takes Down Qakbot (Secureworks) Qakbot: Takedown Operation Dismantles Botnet Infrastructure (Symantec) Chinese APT Was Prepared for Remediation Efforts in Barracuda ESG Zero-Day Attack (SecurityWeek) Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks (The Hacker News) The Lure of Subject Lines in Phishing Emails - How Threat Actors Utilize Dates to Trick Victims (Cofense) The Emergence of Ransomed: An Uncertain Cyber Threat in the Making (Flashpoint) Cancelled flights: Air traffic disruption caused by flight data issue (BBC News) Russian Offensive Campaign Assessment, August 29, 2023 (Institute for the Study of War) Learn more about your ad choices. Visit megaphone.fm/adchoices

In this extended interview, Dave Bittner sits down with Natasha Eastman from the Cybersecurity and Infrastructure Security Agency (CISA), Bill Newhouse from the National Institute of Standards and Technology (NIST), and Troy Lange from the National Security Agency (NSA) to discuss their their recent joint advisory on post-quantum readiness and how to prepare for post-quantum cryptography. You can find the joint advisory here: Quantum-Readiness: Migration to Post-Quantum Cryptography Quantum computing: A threat to asymmetric encryption. Learn more about your ad choices. Visit megaphone.fm/adchoices

Name collision as a DNS risk. A LockBit derivative is active against targets in Spain. QR codes as phishbait. Cybersecurity trends in Healthcare. A Russian hacktivist auxiliary hits Polish organizations, while investigation of railroad incidents in Poland continues. Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mail bag. And a look at a probably accidental glitch affecting air travel in the UK. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/164 Selected reading. What's in a name? Strange behaviors at top-level domains creates uncertainty in DNS (Cisco Talos) Spain warns of LockBit Locker ransomware phishing attacks (BleepingComputer) Think Before You Scan: The Rise of QR Codes in Phishing (Trustwave SpiderLabs) 78% of Healthcare Organizations Experienced Cyber Incidents in Past Year, 60% of Which Impacted Patient Care (Claroty) Polish stock exchange, banks knocked offline by pro-Russian hackers (Cybernews) Two Men Arrested Following Poland Railway Hacking (SecurityWeek) Century-old technology hack brought 20 trains to a halt in Poland (Cybernews) Poland investigates train mishaps for possible Russian connection (Washington Post) Flight chaos ‘to last for days’ after air traffic control failure (The Telegraph) UK flight chaos could last for days, airline passengers warned (the Guardian) Government can’t rule out cyber attack caused air traffic chaos (MSN) Learn more about your ad choices. Visit megaphone.fm/adchoices

The DPRK's Lazarus Group exploits ManageEngine issues. A Data breach at Kroll is traced to SIM swapping. Unusually destructive ransomware hits CloudNordic. Spawn of LockBit. Polish trains are disrupted by hacktivists. Rick Howard looks at the MITRE attack framework. Our guests are Andrew Hammond and Erin Dietrick from the International Spy Museum. And Influence laundering as a long-term disinformation tactic. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/163 Selected reading. North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw (SecurityWeek) Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure (Help Net Security) Cyber scams keep North Korean missiles flying (Radio Free Asia) Claimant Data Breached in Genesis, FTX and BlockFi Bankruptcy Cases (Wall Street Journal) Kroll data breach exposes info of FTX, BlockFi, Genesis creditors (BleepingComputer) Crypto investor data exposed by a SIM swapping attack against a Kroll employee (Security Affairs) Kroll Employee SIM-Swapped for Crypto Investor Data (KrebsOnSecurity) Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack (The Hacker News) FTX bankruptcy handler Kroll discloses data breach (The Stack) CloudNordic Faces Severe Data Loss After Ransomware Attack (Hackread) CloudNordic loses most customer data after ransomware attack | TechTarget (Security) Lockbit leak, research opportunities on tools leaked from TAs (SecureList) LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants (The Hacker News) Poland investigates cyber-attack on rail network (BBC News) Poland investigates hacking attack on state railway network (Reuters) Hackers bring down Poland’s train network in massive cyber attack (Ticker News) The Cheap Radio Hack That Disrupted Poland's Railway System (WIRED) Russia Pushes Long-Term Influence Operations Aimed at the U.S. and Europe (New York Times) Newly declassified US intel claims Russia is laundering propaganda through unwitting Westerners (CNN Politics) Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, we welcome Dina Haines, an Industry Partnership Manager with the National Security Agency's Cybersecurity Collaboration Center. Dina found from a young age, she was always interested in the field, taking after her father who worked in the space industry, paving the way for her to fall in love with the field. She worked in the private sector for a bit, moving around every now and again, eventually landing the position she works now. Dina says her day to day job is helping the NSA to bend and protect cyberspace by bringing in private industry. She says "I try to spend a lot of time listening and seeing where people, where they're coming from, where they're at, you know, potentially in their career, where they're at in their job that day, and then try to, um, support them and bring them up and, and float the entire boat." We thank Dina for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Tal Skverer from Astrix Security joins to discuss their work on "GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts." Astrix’s Security Research Group revealed a 0-day flaw in Google’s Cloud Platform (GCP) on June 19, 2022, which was found to affect all Google users. The research states "The vulnerability, dubbed “GhostToken”, could allow threat actors to change a malicious application to be invisible and unremovable, effectively leaving the victim’s Google account infected with a trojan app forever." Google issued a patch to this vulnerability in April of this year, but researchers explain why this can be severe. The research can be found here: GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts Learn more about your ad choices. Visit megaphone.fm/adchoices

Telekopye and the rise of commodified phishing kits. Lazarus Group fields new malware. Implications of China's campaign against vulnerable Barracuda appliances. Abhubllka ransomware's targeting and low extortion demands. Malek Ben Salem of Accenture outlines generative AI Implications to spam detection. Jeff Welgan, Chief Learning Officer at N2K Networks, unpacks the NICE framework and strategic workforce intelligence. And a new hacktivist group emerges, and takes a particular interest in NATO members. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/162 Selected reading. eBay Users Beware Russian 'Telekopye' Telegram Phishing Bot (Dark Reading) Telekopye: Hunting Mammoths using Telegram bot (ESET) Lazarus Group's infrastructure reuse leads to discovery of new malware (Cisco Talos Blog) FBI fingers China for attacks on Barracuda email appliances (Register) Suspected PRC Cyber ActorsContinue to Globally Exploit Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) (FBI) Identifying ADHUBLLKA Ransomware: LOLKEK, BIT, OBZ, U2K, TZW Variants (Netenrich) Ransomware ecosystem targeting individuals, small firms remains robust (Record) Ransomware With an Identity Crisis Targets Small Businesses, Individuals (Dark Reading) Hacking group KittenSec claims to 'pwn anything we see' to expose corruption (CyberScoop) Learn more about your ad choices. Visit megaphone.fm/adchoices

There’s a new sophistication in BEC campaigns. Trends in brand impersonation–crooks still like to pretend they’re from Redmond. The future of Russian influence operations in the post-Prigozhin era. Andrea Little Limbago from Interos shares insights on the new cyber workforce strategy. In our latest Threat Vector segment David Moulton of Palo Alto Networks is joined by Stephanie Ragan, Senior Consultant at Unit 42 to discuss Muddled Libra. And more on the doxing of a deputy Duma chair, who seems to have been selling hot iPhones as a side hustle (maybe). And the growing problem of Synthetic identity fraud. On this segment of Threat Vector, Stephanie Ragan, Senior Consultant at Unit 42, joins host David Moulton to discuss Muddled Libra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/162 Selected reading. BEC Trends: Payroll Diversion Dominates and Sneaky Multi-Persona Attacks Emerge (Trustwave) Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations (Kroll) Microsoft Impersonated Most in Phishing Attacks Among Nearly 350 Brands (Abnormal Security) TransUnion Analysis Finds Synthetic Identity Fraud Growing to Record Levels (TransUnion) Ukraine at D+546: Yevgeny Prigozhin dies in a plane crash. (CyberWire) Without Prigozhin, expect some changes around the edges on Russian influence operations (Washington Post) 2023 H1 Global Threat Analysis Report (Radware) Lapsus$: Court finds teenagers carried out hacking spree (BBC News) British court convicts two teen Lapsus$ members of hacking tech firms (Record) Treasury Designates Roman Semenov, Co-Founder of Sanctioned Virtual Currency Mixer Tornado Cash (U.S. Department of the Treasury) Tornado Cash Founders Charged With Money Laundering And Sanctions Violations (U.S. Attorney for the Southern District of New York) Russian Duma leader’s emails hacked and leaked (Cybernews) Ukrainian hackers expose money laundering and sanction evasion by senior Russian politician (teiss) Learn more about your ad choices. Visit megaphone.fm/adchoices

The Smoke Loader botnet has a creepy new payload. Ransomware gets faster. How AI has evolved in malicious directions. The Snatch ransomware gang threatens to snitch. The FSB continues to use both USBs and phishing emails as attack vectors. A ransomware attack shutters Belgian social service offices. Tim Starks from the Washington Post explains a Biden administration win in a DC court. Our guest Ben Sebree of CivicPlus describes how the public sector could combat cybercrime during cloud adoption. And the deadline for comment on US cybersecurity regulations? It’s been extended. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/161 Selected reading. Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware (SecureWorks) Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders (Sophos News) HP Wolf Security Threat Insights Report Q2 2023 | HP Wolf Security (HP Wolf Security) Barracuda XDR Insights: How AI learns your patterns to protect you (Barracuda) Deep Instinct Study Finds Significant Increase in Cybersecurity Attacks Fueled by Generative AI (Deep Instinct) Cyberattack on Belgian social service centers forces them to close (Record) Ukraine’s Military Hacked by Russian Backed USB Malware (Ophtek) Request for Information on Cyber Regulatory Harmonization; Request for Information: Opportunities for and Obstacles To Harmonizing Cybersecurity Regulations (Federal Register) Learn more about your ad choices. Visit megaphone.fm/adchoices

HiatusRAT shifts its targets. Ecuador's difficulties with voting is attributed to cyberattacks. Carderbee is an APT targeting Hong Kong. auDA (OOO-duh) turns out not to have been breached. Ukrainian hacktivists claim to dox a senior member of Russia's Duma. Russian influence operations take aim at NATO's July summit. Joe Carrigan describes attacks on LinkedIn accounts. Our guest is John Hernandez from Quest to discuss why he believes the MOVEit flaw is a wakeup call for CISOs. Security, not by obscurity, but by typo. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/160 Selected reading. HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack (The Hacker News) New HiatusRAT campaign targets Taiwan and U.S. military procurement system (Security Affairs) HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks (Cyware Labs) No rest for the wicked: HiatusRAT takes little time off in a return to action (Lumen) Ecuador’s national election agency says cyberattacks caused absentee voting issues (Record) Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong Resolution of cyber incident (auDA) Ukrainian hackers claim to leak emails of Russian parliament deputy chief (Record) Summit Old, Summit New (Graphika) Summit Old, Summit New: Russia-Linked Actors Leverage New and Old Tactics in Influence Operations Targeting Online Conversations About NATO Summit (Graphika) The simple typo that stopped bank robbers from stealing $1 billion (LAD Bible) Learn more about your ad choices. Visit megaphone.fm/adchoices

The DPRK's Kimsuky attempts to hit joint military exercises. Australian domain administrator auDA (OW-duh) may have been breached. WoofLocker's version of a tech support scam. The US Intelligence Community warns of cyber threats to space systems. Rick Howard looks at forecasting cyber risk. Deepen Desai from Zscaler shares ransomware trends. And more wartime disinformation out of Russia. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/159 Selected reading. Suspected N. Korean Hackers Target S. Korea-US Drills (SecurityWeek) N. Korean Kimsuky APT targets S. Korea-US military exercises (Security Affairs) North Korean hackers target US-South Korea military drills, police say (The Economic Times Cyber incident update (auDA) Australia’s .au domain administrator denies data breach after ransomware posting (Record) Hackers claim to have breached auDA (iTnews) Catching up with WoofLocker, the most elaborate traffic redirection scheme to tech support scams (Malwarebytes) WoofLocker Toolkit Hides Malicious Codes in Images to Run Tech Support Scams (The Hacker News) US warns space companies about foreign spying (Reuters) Intelligence Agencies Warn Foreign Spies Are Targeting U.S. Space Companies (New York Times) US Warns Space Industry of Growing Risks of Spying and Satellite Attacks (Bloomberg) Foreign countries targeting tech from US space companies, intel agencies warn (The HIll) Pentagon urges US space companies to stay vigilant against foreign intelligence (TechCrunch) Safeguarding the US Space Industry: Keeping Your Intellectual Property in Orbit (DNI) What To Do About The U.S. Intelligence Community Warning on Safeguarding The Space Industry (OODA Loop) Countering disinformation with facts - Russian invasion of Ukraine (Government of Canada) Sergey Lavrov: Throwing Russia off balance is ultimate aim (TASS) Moscow says US unwillingness to end Ukraine conflict (Merh News Agency) Russian invaders sending threats to Kherson region’s residents via social media - watchdog (Ukrinform) Learn more about your ad choices. Visit megaphone.fm/adchoices

This week, our guest is Luke Vander Linden, Vice President of Membership & Marketing from RH-ISAC and host of the RH-ISAC podcast here at the CyberWire. Luke sits down to share his story all the way back to when he was a very young age where he was a child model and actor to where he is now working in the cyber industry. Luke fell into the marketing field after his time as a child actor, where he really started to find his passion. After finding his passion, he decided to branch out to different areas in the field, working in public libraries and advocacy groups, this is where he started to really enjoy the prospect of working with individuals who support organizations, which got him started in the RH-ISAC world. Luke shares that he wears many hats these days, working in the podcast business while also working on the leadership team at RH-ISAC. His advice for people getting into this industry is "I think with age comes this knowledge, but also with experiences. So, I mean, to that point, don't be afraid to go out there and fail, give it a shot." We thank Luke for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Dmitry Bestuzhev from Blackberry joins to discuss their work on "RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine." Research suggests that the RomCom threat team has been tracked carefully following the geopolitical events surrounding the war in Ukraine, and are now targeting politicians in Ukraine who are working closely with Western countries. This group is different from others in that their focus is more on secrets or information which can be useful in geopolitics and specifically the war in Ukraine, instead of financial gain. The research says "Although it is unclear at this point what initial infection vector was used to kick off the execution chain, previous RomCom attacks used targeted phishing emails to point a victim to a cloned website hosting Trojanized versions of popular software." The research can be found here: RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine Learn more about your ad choices. Visit megaphone.fm/adchoices

Phishing for Zimbra credentials. PlayCrypt ransomware described. The Cuba ransomware group adopts new tools. #NoFilter. Cyber criminals threaten security researchers. Our guest is Kevin Paige from Uptycs with thoughts on the Blackhat conference. Eric Goldstein, Executive Assistant Director at CISA joins us discussing next steps on the Secure by Design journey. And Russian disinformation takes on "Anglo-Saxonia." For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/158 Selected reading. Mass-spreading campaign targeting Zimbra users (We Live Security) PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers (Adlumin SaaS Security) Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America (BlackBerry) NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security (The Hacker News) Cyber security researchers become target of criminal hackers (Financial Times) Britain plotting to assassinate pro-Russian leaders in Africa, says Moscow (The Telegraph) Ukraine at D+540: Russification and disinformation. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices

Building a proxy botnet. Active flaws in PowerShell Gallery. A cyber incident disrupts Clorox. Scams lure would-be mobile beta-testers. Lessons learned from the Russian cyberattack on Viasat. An update on cyber threats to Starlink. Robert M. Lee from Dragos shares his thoughts on the waves of layoffs that have gone through the industry. Steve Leeper of Datadobi explains mitigating risks associated with illegal data on your network. And hey, world leader: it’s never too late to stop manifesting a chronic cranio-urological condition, as they more-or-less say in the Quantum Realm. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/157 Selected reading. ProxyNation: The dark nexus between proxy apps and malware (AT&T Alien Labs) Massive 400,000 proxy botnet built with stealthy malware infections (BleepingComputer) PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks (Aqua Security) Clorox Operations Disrupted By Cyber-Attack (Infosecurity Magazine) Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications (IC3) FBI warns about scams that lure you in as a mobile beta-tester (Naked Security) Incident response lessons learned from the Russian attack on Viasat (CSO Online) Recent Intel Report Reveals New Starlink Vulnerabilities, Increasing Concerns About the Future of Global Satellite Internet (Debrief) Hacked electronic sign declares “Putin is a dickhead” as Russian ruble slumps (Graham Cluley) Learn more about your ad choices. Visit megaphone.fm/adchoices

China accuses the US of installing backdoors in a Wuhan lab. NetScaler backdoors are found. A Phishing scam targets executives. LinkedIn sees a surge in account hijacking. Raccoon Stealer gets an update. Cryptocurrency recovery scams. We kick off our new Learning Layer segment with N2K’s Sam Meisenberg. And a Moscow court fines Reddit and Wikipedia, for unwelcome content about Russia's war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/156 Selected reading. Ministry warns of data security risks after US agencies identified behind cyberattack on Wuhan Earthquake Monitoring Center (Global Times) China accuses U.S. intelligence agencies as source behind Wuhan cybersecurity attack (ZDNET) China teases imminent exposé of seismic US spying scheme (Register) 2,000 Citrix NetScaler Instances Backdoored via Recent Vulnerability (SecurityWeek) Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations (Proofpoint) LinkedIn Accounts Under Attack (Cyberint) LinkedIn faces surge of account hijacking (Computing) LinkedIn accounts hacked in widespread hijacking campaign (BleepingComputer) Raccoon Stealer malware returns with new stealthier version (BleepingComputer) FBI warns of increasing cryptocurrency recovery scams (BleepingComputer) Russia slaps Reddit, Wikipedia with fines (Cybernews) Learn more about your ad choices. Visit megaphone.fm/adchoices

New targets of Chinese cyberespionage are uncovered. Monti ransomware is back. An evasive phishing campaign exposed. A Realtors' network taken down by cyberattack. A closer look at NoName057(16). Perspective on cyberwar - remember Pearl Harbor, but don’t see it everywhere. Ben Yelin on the Consumer Financial Protection Bureau’s plans to regulate surveillance tech. Microsoft’s Ann Johnson and Charlie Bell ponder the future of security. And scammers are targeting kids playing Fortnite and Roblox. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/155 Selected reading. Chinese spies who read State Dept. email also hacked GOP congressman (Washington Post) Binary Ballet: China’s Espionage Tango with Microsoft (SecurityHQ) Microsoft Exchange hack to be investigated by US Cyber Safety Board (Computing) Monti ransomware targets VMware ESXi servers with new Linux locker (BleepingComputer) Evasive Phishing Campaign Steals Cloud Credentials Using Cloudflare R2 and Turnstile (Netskope) Cyberattack on Bay area vendor cripples real estate industry (The Real Deal) Intel insiders go undercover revealing fresh details into NoName hacktivist operations (Cybernews) Why the US Military Wants You To Rethink the Idea of 'Cyber War' (The Messenger) A Huge Scam Targeting Kids With Roblox and Fortnite 'Offers' Has Been Hiding in Plain Sight (WIRED) Learn more about your ad choices. Visit megaphone.fm/adchoices

An African power generator has been targeted by ransomware. The APT31 group is believed to be responsible for attacks on industrial systems in Eastern Europe. There have been arrests related to the takedown of LolekHosted. Ukraine's SBU has alleged that Russia's GRU is using specialized malware to attack Starlink. Microsoft has decided not to extend licenses for its products in Russia. Rick Howard opens his toolbox on DDOS. In our Solution Spotlight: Simone Petrella and Camille Stewart Gloster discuss the White House release of its cybersecurity workforce and education strategy. And the Cyber Safety Review Board will be investigating cases of cyberespionage against Exchange. Watch the full video of Simone and Camille here: Solution Spotlight: Simone Petrella and Camille Stewart Gloster For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/154 Selected reading. DroxiDat-Cobalt Strike Duo Targets Power Generator Network (Infosecurity Magazine) New SystemBC Malware Variant Targets Southern African Power Company (The Hacker News) Power Generator in South Africa hit with DroxiDat and Cobalt Strike (Security Affairs) Southern African power generator targeted with DroxiDat malware (Record) Common TTPs of attacks against industrial organizations. Implants for uploading data (Kaspersky ICS CERT) APT31 Linked to Recent Industrial Attacks in Eastern Europe (Infosecurity Magazine) Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics (The Hacker News) LOLEKHosted admin arrested for aiding Netwalker ransomware gang (BleepingComputer) Russian spy agencies targeting Starlink with custom malware, Ukraine warns (The Telegraph) Russia Bans iPhones And iPads For Official Use: Report (BW Businessworld) Microsoft Suspends Extending Licenses For Companies in Russia (RadioFreeEurope/RadioLiberty) Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (US Department of Homeland Security) Microsoft Exchange hack is focus of cyber board’s next review (Record) Microsoft is under scrutiny after a recent attack by suspected Chinese hackers (Windows Central) The DHS’s CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts (Security Affairs) Microsoft's role in data breach by Chinese hackers to be part of US cyber inquiry (Firstpost) Learn more about your ad choices. Visit megaphone.fm/adchoices

Dr. Georgianna Shea, the Chief Technologist at the Transformative Cyber Innovation Lab at the Foundations for Defensive Democracies (FDD) sits down to share her incredible story, moving around to different roles and how that has lead her to where she is today. Her careers have taken her to many different states throughout the years, as she has learned and grew into the roles she took on, from Hawaii to D.C., Dr. Shea has done it all. Sharing some advice, Dr. Shea says "My words of wisdom are take advantage of every opportunity and don't wait for anybody. I try to mentor people and I talk to young people a lot, you know, trying to get into the field and, and I see a lot of waiting on other people." She explains that you are able to work on your own to become an expert, and taking that initiative will be the thing to get you to where you want to be. We thank Dr. Georgianna Shea for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Alex Delamotte from SentinelLabs joins Dave to discuss their work on "Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP." As actors find more ways to profit from compromising services, SentinelLabs finds that cloud service credentials are becoming increasingly targeted. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The research states "These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use." The research can be found here: Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP Learn more about your ad choices. Visit megaphone.fm/adchoices

Charming Kitten collects against Iranian expatriate dissidents. The Cyber Safety Review Board reports on Lapsus$. A Call for comment on open-source, memory-safe standards. How NSA is coping with the cyber labor market. Yandex is restructuring. The Washington Post’s Tim Starks joins us with the latest cyber security efforts from the DOD. Our guest is Dan L. Dodson, CEO of Fortified Health Security with insights on protecting patient data. And How Viasat was hacked. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/153 Selected reading. Germany says Charming Kitten hackers target Iran dissidents (Deutsche Welle) Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (US Department of Homeland Security) Review Of The Attacks Associated with Lapsus$ And Related Threat Groups Report (Cybersecurity and Infrastructure Security Agency CISA) Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages (ONCD | The White House) Amid historic hiring surge, NSA considers hybrid, unclassified work options (Federal News Network) Exclusive: Fear of tech 'brain drain' prevents Russia from seizing Yandex for now, sources say (Reuters) Yandex co-founder Volozh slams Russia's 'barbaric' invasion of Ukraine (Reuters) Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault (CyberScoop) Learn more about your ad choices. Visit megaphone.fm/adchoices

A New Magento campaign is discovered. Gootloader malware-as-a-service afflicts law firms. Researchers find security flaws affecting cryptowallets. Panasonic warns of increasing attacks against IoT. A Belarusian cyberespionage campaign outlined. The five cyber phases of Russia's hybrid war, and lessons in resilience from Ukraine's experience. In our Threat Vector segment, Kristopher Russo, Senior Threat Researcher for Unit 42 joins David Moulton to discuss Muddled Libra. Kayla Williams from Devo describes their work benefiting the community at BlackHat. And a new DARPA challenge seeks to bring artificial intelligence to cybersecurity. On this segment of Threat Vector, Kristopher Russo, Senior Threat Researcher for Unit 42, joins host David Moulton to discuss part one of two Muddled Libra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/152 Threat Vector links. Threat Group Assessment: Muddled Libra Guest: Kristopher Russo: From practitioner to researcher Kristopher Russo has spent years entrenched in various specializations of cybersecurity. As a researcher focused on ransomware and cybercrime he brings a from the trenches perspective to cyber threat intelligence. Selected reading. Xurum: New Magento Campaign Discovered (Akamai) Gootloader: Why your Legal Document Search May End in Misery (Trustwave) Fireblocks Researchers Uncover Vulnerabilities Impacting Dozens of Major Wallet Providers (Fireblocks) New BitForge cryptocurrency wallet flaws lets hackers steal crypto (BleepingCompute Panasonic Warns That IoT Malware Attack Cycles Are Accelerating (WIRED) MoustachedBouncer: Espionage against foreign diplomats in Belarus (We Live Security) Belarus hackers target foreign diplomats with help of local ISPs, researchers say (TechCrunch) Pro-Russian hackers claim attacks on French, Dutch websites (Record) Zhora: Russia's cyber 'war crimes' will outlast invasion (Register) The Power of Resilience (Cybersecurity and Infrastructure Security Agency CISA) Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software (The White House) AIxCC (AIxCC) The Biden administration wants to put AI to the test for cybersecurity (Washington Post) Learn more about your ad choices. Visit megaphone.fm/adchoices

Reports of a Wide-ranging cyberespionage campaign by China's Ministry of State Security. EvilProxy phishing tool targets executives, and defeats multifactor authentication. Vulnerabilities in CPUs. Yashma ransomware targets a wide range of countries. MacOS threat trends. Is there a Russian attempt to disrupt British elections? Rob Boyce from Accenture checks in from the Blackhat conference. Maria Varmazis talking with Black Hat Aerospace Village's Kaylin Trychon and Steve Luczynski. Ukraine claims to have stopped a Russian spyware campaign. And Patch Tuesday has come and gone, but the vulnerabilities remain–unless, of course, you’ve applied the patches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/151 Selected reading. Chinese hackers targeted at least 17 countries across Asia, Europe and North America (Record) RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale (Recorded Future) Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations (Proofpoint) ‘Downfall’ vulnerability leaves billions of Intel CPUs at risk (CyberScoop) New Inception attack leaks sensitive data from all AMD Zen CPUs (BleepingComputer) New Yashma Ransomware Variant Targets Multiple English-Speaking Countries (The Hacker News) Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware (Record) Black Hat USA 2023 – Bitdefender macOS Threat Report Reveals Key Dangers for Mac Users (Bitdefender) Russia ‘tops list of suspects’ in cyber attack which exposed data of 40m UK voters (The Telegraph) Electoral Commission hack: Five things you need to know (Computing) ‘Hostile actors’ hacked British voter registry, electoral agency says (Washington Post) Electoral Commission apologises for security breach involving UK voters’ data (the Guardian) Ukraine says it prevented Russian hacking of armed forces combat system (Reuters) Ukraine says it thwarted attempt to breach military tablets (Record) Russian secret services try to penetrate operation planning electronic system of Ukraine's army (Ukrainska Pravda) Patch Tuesday: Adobe Patches 30 Acrobat, Reader Vulns (SecurityWeek) Patch Tuesday: Microsoft (Finally) Patches Exploited Office Zero-Days (SecurityWeek) Microsoft Releases August 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA) Fortinet Releases Security Update for FortiOS (Cybersecurity and Infrastructure Security Agency CISA) Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA) Patch Tuesday review: August 2023. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices

Reports on a 2020 Chinese penetration of Japan's defense networks. MOVEit-connected supply chain issues aren't over. Akamai looks at the current state of ransomware. Mallox ransomware continues its evolution. Machine identities and shadow access. Ukrainian hacktivist auxiliaries hit Russian websites. Joe Carrigan unpacks statistics recently released by CISA. Our guest is Jeffrey Wheatman from Black Kite discussing the market shift from SRS to cyber risk intelligence. And radiation sensor reports from Chernobyl may have been manipulated. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/150 Selected reading. China hacked Japan’s sensitive defense networks, officials say (Washington Post) Japan says cannot confirm leakage after report says China hacked defence networks (Reuters) MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts (Reuters) Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics (Dark Reading) TargetCompany Ransomware Abuses FUD Obfuscator Packers (Trend Micro) New IAM Research by Stack Identity Finds Machine Identities Dominate Shadow Access in the Cloud, Revealing Easy Attack Vector for Hackers (Business Wire) Ukraine-Linked Group Claims It Hacked Website Of Moscow Property Registration Bureau (RadioFreeEurope/RadioLiberty) Ukraine-linked group claims it hacked Moscow property registration bureau website – RFE/RL (Euromaidan Press) Pro-Ukrainian hackers breach Moscow engineering service website (New Voice of Ukraine) Ukrainian state agencies targeted with open-source malware MerlinAgent (Record) The Mystery of Chernobyl’s Post-Invasion Radiation Spikes (WIRED) Learn more about your ad choices. Visit megaphone.fm/adchoices

North Korean cyberespionage against a Russian aerospace firm. The Reptile rootkit is used against South Korean systems. An update on Cloudzy. Cl0p is using torrents to move data stolen in MOVEit exploitation. Andrea Little Limbago from Interos wonders about the dangers of jumping head first into new technologies? Rick Howard ponders quantum computing. And Meduza is back on Apple Podcasts. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/149 Selected reading. Exclusive: North Korean hackers breached top Russian missile maker (Reuters) North Korean hackers stole secrets of Russian hypersonic missile maker (Euractiv) Comrades in Arms? | North Korea Compromises Sanctioned Russian Missile Engineering Company (SentinelOne) Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems (The Hacker News) UPDATE: Cloudzy Command and Control Provider Report (Halcyon) Reptile Rootkit: Advanced Linux Malware Targeting South Korean Systems (The Hacker News) Clop ransomware now uses torrents to leak data and evade takedowns (BleepingComputer) Ukraine may be winning ‘world’s first cyberwar’ (The Kyiv Independent) Apple has removed Meduza’s flagship news podcast ‘What Happened’ from Apple Podcasts, without explaining the reason (Meduza) Learn more about your ad choices. Visit megaphone.fm/adchoices

Manuel Hepfer a cybersecurity researcher from ISTARI sits down to share his story with us. Manuel shares as a kid he was very interested in STEM, and in school he remembered a programming class that he fell in love which made him want to pursue a career in cyber. Studying at the University of Oxford he began working towards acquiring a degree in Cybersecurity and Strategic Management. He found research to be a passion and wanted to share his passion, he decided he wanted to publish, so Manuel published an article in MIT Sloan management review that's titled "Make Cybersecurity a Strategic Asset." He shares that finding a passion, like he did, is the key to working in cyber, saying "I think what I learned at the time is the value of discipline and self motivation. And now you can always come up with a lot of discipline and self motivation, but you'll run out of steam at some point if you're not very passionate about some of the things that you're doing." We thank Manuel for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Aleksandar Milenkoski from SentinelOne joins to discuss their work on "Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence." Researchers have been tracking the North Korean APT group Kimsuky and their attempt at a social engineering campaign targeting experts in North Korean affairs. The research states "The campaign has the objective of stealing Google and subscription credentials of a reputable news and analysis service focusing on North Korea, as well as delivering reconnaissance malware." Kimsuky has been tracked engaging in extensive email correspondence using spoofed URLs and extensive email correspondence, along with Office documents weaponized with the ReconShark malware. The research can be found here: Kimsuky Strikes Again | New Social Engineering Campaign Aims to Steal Credentials and Gather Strategic Intelligence Learn more about your ad choices. Visit megaphone.fm/adchoices

The Five Eyes warn against top exploited vulnerabilities. The Rilide info stealer in the wild. Malicious PyPI packages. Valerie Abend, Global Cyber Strategy Lead from Accenture, unpacks the Securities and Exchange Commission’s recently announced cyber regulations. In our Solution spotlight: Our own Simone Patrella speaks with Microsoft’s Ann Johnson on how Microsoft is attracting and retaining top cyber talent. And cyber attacks continue to gutter on both sides of Russia's war against Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/148 Selected reading. CISA, NSA, FBI, and International Partners Release Joint CSA on Top Routinely Exploited Vulnerabilities of 2022 | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA, NSA, FBI and International Partners Issue Advisory on the Top Routinely Exploited Vu (National Security Agency/Central Security Service) New Rilide Stealer Version Targets Banking Data and Works Around Google Chrome Manifest V3 (Trustwave) Tunnel Vision: CloudflareD AbuseD in the WilD (GuidePoint Security) VMConnect: Malicious PyPI packages imitate popular open source modules (ReversingLabs) Bilyana Lilly on how cybersecurity assistance to Ukraine has helped thwart Russian cyberattacks (CyberScoop) Microsoft says Russia-linked hackers behind dozens of Teams phishing attacks (Reuters) Ukraine's invisible battle to jam Russian weapons (BBC News) How Ukraine’s cyberwarriors are upending everyday life in Russia (Times) Learn more about your ad choices. Visit megaphone.fm/adchoices

Open Bullet malware is seen in the wild. Threat actors exploit a Salesforce vulnerability for phishing. BlueCharlie (that’s Russia’s FSB) shakes up its infrastructure. Midnight Blizzard (and that’s Russia’s SVR) uses targeted social engineering. How NoName057(16) moved on to Spanish targets. Robert M. Lee from Dragos shares his reaction to the White House’s national cybersecurity strategy. Our guest Raj Ananthanpillai of Trua warns against oversharing with ChatGPT. And NSA releases guidance on hardening Cisco next-generation firewalls. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/147 Selected reading. No Honour Amongst Thieves: A New OpenBullet Malware Campaign (Kasada) “PhishForce” — Vulnerability Uncovered in Salesforce’s Email Services Exploited for Phishing… (Medium) Hackers exploited Salesforce zero-day in Facebook phishing attack (BleepingComputer) Hackers exploit Salesforce email zero-day for Facebook phishing campaign (Computing) Russia-based hackers building new attack infrastructure to stay ahead of public reporting (Record) Midnight Blizzard conducts targeted social engineering over Microsoft Teams (Microsoft Security) Unraveling Russian Multi-Sector DDoS Attacks Across Spain (Radware) Pro-Russian Hackers Claim Cyberattacks on Italian Banks (MarketWatch) NSA Releases Guide to Harden Cisco Next Generation Firewalls (National Security Agency/Central Security Service) Cisco Firepower Hardening Guide (US National Security Agency) Learn more about your ad choices. Visit megaphone.fm/adchoices

An illicit market in account restoration. Resilience and the cyber workforce. New post-exploitation techniques in Amazon Web Services. Incursions into Norwegian government networks went on for four months. Rob Boyce from Accenture Security describes a “Perfect Storm” in the Dark Web threat landscape. Carole Theriault shares mental health social media warnings for teens. And the Russian legislation seeks to reduce or eliminate online privacy. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/146 Selected reading. Amazon employees leak secret info that marketplace sellers can buy on Telegram (CNBC) Cyber Workforce Benchmark Report (Immersive Labs) Mitiga Security Advisory: Abusing the SSM Agent as a Remote Access Trojan (Mitiga) Cado Security Labs 2023 Threat Findings Report (Cado Security) Cyberattack on Norway Ministries Lasted at Least Four Months (Bloomberg) CISA and International Partner NCSC-NO Release Joint Cybersecurity Advisory on Threat Actors Exploiting Ivanti EPMM Vulnerabilities (Cybersecurity and Infrastructure Security Agency) Putin Outlaws Anonymity: Identity Verification For Online Services, VPN Bypass Advice a Crime (TorrentFreak) Russia Is Returning to Its Totalitarian Past (Foreign Policy) Learn more about your ad choices. Visit megaphone.fm/adchoices

C2-as-a-service with APTs as the customers. Cyberespionage activity by Indian APTs. Gamers under attack. StarLink limits Ukrainian access to its systems. The EU levies new sanctions against “digital information manipulation.” Ukraine's Security Service takes down money-laundering exchanges. Ben Yelin unpacks fediverse security risks. Our guests are Mike Marty, CEO of The Retired Investigators Guild, & Tom Brennan, executive director of CREST, discussing their efforts on cybercrime investigation and cold case resolution. And Nozomi's OT IoT security report, sees a lot of opportunistic, low-grade whacking at industrial organizations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/145 Selected reading. Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps) (Halcyon) APT Bahamut Targets Individuals with Android Malware Using Spear Messaging - CYFIRMA (CYFIRMA) Hackers steal Signal, WhatsApp user data with fake Android chat app (BleepingComputer) Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor (The Hacker News) Hackers exploit BleedingPipe RCE to target Minecraft servers, players (BleepingComputer) Call of Duty Self-Spreading Worm Takes Aim at Player Lobbies (Dark Reading) Call of Duty worm malware used to hack players exploits years-old bug (TechCrunch) Elon Musk 'refuses to turn on Starlink' for Crimea drone attack (The Telegraph) How Elon Musk Was Able to Exert Control in Ukraine War (The Street) EU strikes Russia again as digital infowar rages on (Cybernews) Ukraine Cracks Down on Illicit Financing Network (Gov Info Security) Unpacking the OT & IoT Threat Landscape with Unique Telemetry Data (Nozomi Networks) China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure (Dark Reading) Learn more about your ad choices. Visit megaphone.fm/adchoices

The US issues a National Cyber Workforce and Education strategy. Hunting Chinese malware staged in US networks. CISA warns of Barracuda backdoor. WikiLoader malware is discovered. P2Pinfect is a malware botnet targeting publicly-accessible Redis servers. Johannes Ullrich from SANS describes attacks against YouTube content creators. Rick Howard previews his conversation with AWS Ciso CJ Moses. And Russia’s SVR continues cyberespionage against Ukrainian and European diplomatic services. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/144 Selected reading. FACT SHEET: Biden-Harris Administration Announces National Cyber Workforce and Education Strategy, Unleashing America’s Cyber Talent (The White House) National Cyber Workforce and Education Strategy: Unleashing America’s Cyber Talent (The White House) The White House releases the US National Cyber Workforce and Education Strategy. (CyberWire) US hunts Chinese malware staged to interfere with US military operations. (CyberWire) U.S. Hunts Chinese Malware That Could Disrupt American Military Operations (New York Times) CISA Releases Malware Analysis Reports on Barracuda Backdoors (Cybersecurity and Infrastructure Security Agency CISA)CISA: New Submarine malware found on hacked Barracuda ESG appliances (BleepingComputer) Out of the Sandbox: WikiLoader Digs Sophisticated Evasion (Proofpoint) Cado Security Labs Encounter Novel Malware, Redis P2Pinfect (Cado Security) P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm (Unit 42) BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future) BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future Insikt Group) BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities (The Hacker News) Learn more about your ad choices. Visit megaphone.fm/adchoices

Morgan Adamski from the National Security Agency (NSA) sits down to talk about her path to getting into cybersecurity. Remembering back to when she was a kid, she recalls using old technology to chat with friends online, that's where it all began for Morgan. She shares how in high school she fell in love with the concept of debating and being on a team. During her high school career, 9/11 occurred, and she became fascinated with who was behind the biggest attack America had seen in the 21st century, driving her to pursue a degree in National Security. Coming out of college, she was able to get a job in the DIA, after working there for two years, she found herself at the NSA, where she is now. Morgan shares how her leadership style helps her to not only connect dots on problems, but also see around corners, saying "it's not just about connecting the dots, it's about seeing around the corners and so that helps me better predict, um, how do I build an organization that's successful three to five years down the road." We thank Morgan for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Ashlee Benge from ReversingLabs discussing their research titled "Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks." Researchers recently discovered over a dozen malicious packages published to the npm open source repository. These packages are targeting Microsoft 365 users and appear to target application end users while also supporting email phishing campaigns. Research supports that the malicious campaign encompassed more than a dozen files designed to steal sensitive user credentials. The research states "This most recent campaign caught our attention because of a number of features and characteristics in related npm packages that correlate with malicious intent." The research can be found here: Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks Learn more about your ad choices. Visit megaphone.fm/adchoices

A joint warning on IDOR vulnerabilities. IcedID’s BackConnect protocol evolves over one year. Cl0p claims to have accessed data from another Big Four accounting firm. Ransomware victims increased significantly in 2023. Cyberattacks support influence operations. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger joins us to discuss the Biden Administration's recent cyber initiatives. Eric Goldstein, Executive Assistant Director at CISA, looks at cybersecurity performance goals. And spelling counts. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/143 Selected reading. Preventing Web Application Access Control Abuse (Joint Cybersecurity Advisory: ACSC, NSA, CISA) Inside the IcedID BackConnect Protocol (Part 2) (Team Cymru) Deloitte denies Cl0p data breach impacted client data in wake of MOVEit attack (ITPro) Ransomware Report: Q2 2023 (ReliaQuest) Kenya ICT minister admits cyber-attack on eCitizen portal, insists data secure (The East African) Anonymous Sudan: the group behind recent anti-Kenya cyberattacks (TechCabal) Kenya President Ruto to skip Russia-Africa Summit (The East African) UK accidentally sent military emails meant for US to Russian ally (POLITICO) Learn more about your ad choices. Visit megaphone.fm/adchoices

The Mirai botnet afflicts Tomcat. CardioComm services are downed by cyberattack. Uptycs calls infostealers “organization killers" as related security incidents double in a year. Legacy third-party risk management practices meet with dissatisfaction. Cyber skill gaps reported in the UK's workforce. Our guest is George Prichici of OPSWAT with a look at a Microsoft Teams vulnerability. Our new Threat Vector segment features a conversation with David Moulton and Michael Sikorski on the potential threats from LLMs and AI. And SiegedSec hits NATO sites. On this first segment of Threat Vector, Michael "Siko" Sikorski, CTO & VP of Engineering for Unit 42, joins host David Moulton to discuss LLMs & AI and the impacts to expect on social engineering, phishing, and more. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/142 Threat Vector links. Palo Alto Networks Unit 42 Selected reading. Tomcat Under Attack: Exploring Mirai Malware and Beyond (Aquasec) CardioComm, a provider of ECG monitoring devices, confirms cyberattack downed its services (TechCrunch) Detecting the Silent Threat: 'Stealers are Organization Killers' (Uptycs) Cyber security skills in the UK labour market 2023 (DSIT) NATO investigates alleged data theft by SiegedSec hackers (BleepingComputer) NATO investigating apparent breach of unclassified information sharing platform (CyberScoop) SiegedSec Compromise NATO (Cyberint) Learn more about your ad choices. Visit megaphone.fm/adchoices

FraudGPT is a chatbot with malign intent. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. Tim Starks from Washington Post's Cybersecurity 202 on the White House’s new National Cyber Director nominee. Maria Varmazis speaks with David Luber, Deputy Director of NSA's Cybersecurity Directorate, on space systems as critical infrastructure. And a kinetic strike against a cyber target: Ukrainian drones may have hit Fancy Bear’s Moscow digs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/141 Selected reading. FraudGPT: The Villain Avatar of ChatGPT (Netenrich) Stealer Logs & Corporate Access (Flare) Over 400,000 corporate credentials stolen by info-stealing malware (BleepingComputer) The Alarming Rise of Infostealers: How to Detect this Silent Threat (The Hacker News) Conti and Akira: Chained Together (Arctic Wolf) Ukraine-Russia war: Ukraine vows further drone strikes on Moscow and Crimea (The Telegraph) Learn more about your ad choices. Visit megaphone.fm/adchoices

A zero-day attack of undetermined origin targets government offices in Norway. Russia accuses the US of cyber aggression. Data breaches exact a rising cost. 74% of survey respondents say their company would pay ransom to recover stolen or encrypted data. Executives and security teams differ in their perception of cyber threat readiness. Mr. Security Answer Person John Pescatore looks at risk metrics. Joe Carrigan on a new dark market AI tool called Worm GPT. And Apple issues urgent patches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/140 Selected reading. Norway says Ivanti zero-day was used to hack govt IT systems (BleepingComputer) Norway investigates cyberattack affecting 12 government ministries (Record) Norwegian government IT systems hacked using zero-day flaw (BleepingComputer) Putin ally accuses US of planning cyberattacks on Russian critical infrastructure (Al Arabiya English) Cost of a Data Breach Report 2023 (IBM Security) Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments (Coveware) 2023 Cyber Threat Readiness Report (Swimlane) Apple Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA) Apple fixes 16 security flaws with iOS 16.6, two actively exploited (9to5Mac) Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs (The Hacker News) Apple fixes new zero-day used in attacks against iPhones, Macs (BleepingComputer) iOS 16.6: Apple Suddenly Releases Key iPhone Update With Urgent Fixes (Forbes) Learn more about your ad choices. Visit megaphone.fm/adchoices

North Korea's increasingly supple cyber offensives. A look at Cl0p. The NetSupport RAT's fake update vectors. HotRat is a Trojan that accompanies illegally pirated software and games. Crackable radio encryption standard: a bug or a feature? Chris Novak from Verizon discusses ransomware through the lens of the DBIR. Carole Theriault describes a ransomware attack that hit close to home. And an alleged money-laundering crypto-rapper is back in the news. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/139 Selected reading. North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack | Mandiant (Mandiant) Ransomware Roundup - Cl0p (Fortinet Blog) FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT (Malwarebytes) Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios (Vice) Unmasking HotRat: The hidden dangers in your software downloads (Avast) Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios (Vice) Crypto rapper 'Razzlekhan,' husband reach plea deal over Bitfinex hack laundering (Reuters) Learn more about your ad choices. Visit megaphone.fm/adchoices