CyberWire Daily

Shiran Guez from Akamai sits down with Dave to discuss their research on "Chatbots, Celebrities, and Victim Retargeting and Why Crypto Giveaway Scams Are Still So Successful." Researchers at Akamai have been on the lookout for crypto giveaway scams. These scams have been impersonating celebrities and brands, most notably Elon Musk and his associated companies. The research states "the scams are delivered through various social media platforms as well as direct messaging apps such as WhatsApp or Telegram." These scams have helped add to the existing damages that exceed $1 billion caused by crypto fraud. The research can be found here: Chatbots, Celebrities, and Victim Retargeting: Why Crypto Giveaway Scams Are Still So Successful Learn more about your ad choices. Visit megaphone.fm/adchoices

Daggerfly APT targets an African telecommunications provider. EvilExtractor is an alleged teaching tool apparently gone bad. A Chinese speaking threat group is active against Taiwan and South Korea. Europe’s air traffic control is under attack. Cecilia Marinier from RSAC and Barmak Meftah, a judge of ISB, discuss the RSA innovation sandbox. Awais Rashid from University of Bristol on the cybersecurity of smart farming. Forget about those evil maids. What about these evil sys admins? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/77 Selected reading. Daggerfly: APT Actor Targets Telecoms Company in Africa (Symantec) EvilExtractor – All-in-One Stealer (Fortinet Blog) Chinese-language threat group targeted a dozen South Korean institutions (Record) Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan (Recorded Future) WSJ News Exclusive | Europe’s Air-Traffic Agency Under Attack From Pro-Russian Hackers (Wall Street Journal) Intelligence Leaks Cast Spotlight on a Recurring Insider Threat: Tech Support (Wall Street Journal) Russia’s invasion of Ukraine is also being fought in cyberspace (Atlantic Council) CFP European Cybersecurity Seminar 2023-2024 (European Cyber Conflict Research Initiative) #CYBERUK23: Russian Cyber Offensive Exhibits ‘Unprecedented’ Speed and Agility (Infosecurity Magazine) Learn more about your ad choices. Visit megaphone.fm/adchoices

The 3CX compromise involved a two-stage supply-chain attack. Impersonating ChatGPT. Russia's security organs say they're cracking down on leaks. Updates on the Discord Papers case. Belarus arrests a pro-Russian hacktivist. Rob Boyce from Accenture Security on Dark Web cyber criminals targeting CRM systems. Our guest is Mike Loewy from the Tide Foundation, with an innovative approach to distributed key security. And, is Minsk going wobbly on Moscow? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/76 Selected reading. 3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (Mandiant) ChatGPT-Themed Scam Attacks Are on the Rise (Palo Alto Networks Unit 42) Russian Offensive Campaign Assessment, April 19, 2023 (Institute for the Study of War) Belarus-linked hacking group targets Poland with new disinformation campaign (Record) Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama (Flashpoint) Belarus-linked hacking group targets Poland with new disinformation campaign (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices

The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28’s exploitation of Cisco routers in 2021. AA23-108A Alert, Technical Details, and Mitigations Malware Analysis Report Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected] To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices

Play ransomware's new tools. Fancy Bear is out and about. Updates on Sandworm. Ransomware in Russia's war against Ukraine. The US Air Force opens an investigation into the alleged leaker's Air National Guard wing. The Washington Post’s Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svacjer about the threat landscape, now and tomorrow. And KillNet’s in the education business with a new hacker course: “Dark School.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/75 Selected reading. Play Ransomware Group Using New Custom Data-Gathering Tools (Symantec) NCSC-UK, NSA, and Partners Advise about APT28 Exploitation of Cisco Routers (National Security Agency/Central Security Service) APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers (NCSC) State-sponsored campaigns target global network infrastructure (Cisco Talos Blog) Ukraine remains Russia’s biggest cyber focus in 2023 (Google) Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (Google Threat Analysis Group) M-Trends 2023: Cybersecurity Insights From the Frontlines (Mandiant) Faltering against Ukraine, Russian hackers resort to ransomware: Researchers (Breaking Defense) Air Force unit in document leaks case loses intel mission (AP NEWS) Pentagon Details Review of Policies for Handling Classified Information (New York Times) Ukraine at D+419: GRU cyber ops scrutinized. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices

Brace yourselves, it’s Space Symposium week! Wet dress rehearsal for Starship. UK launches the International Bilateral Fund. Orbit Fab gets a series A round. Boeing announces their anti-jam payload for WGS. The FAA wants to balance air travel and space travel. Our interview with Steve Luczynski, Board Chair of the Aerospace Village, on their mission, programs, and upcoming activities at the RSA Conference next week. All this and more. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our weekly intelligence briefing, Signals and Space, and you’ll never miss a beat. T-Minus Guest Our featured guest is Steve Luczynski, Board Chair of the Aerospace Village, on the Aerospace Village nonprofit, their mission, their programs, and their upcoming activities at the RSA Conference next week. You can follow Steve on LinkedIn and Twitter. Selected Reading SpaceX's launch of Starship could remake space exploration | Washington Post UK Space Agency funding for international space partnerships | GOV.UK. SpaceX launches seventh Transporter rideshare mission | SpaceNews Exolaunch’s 21 rideshare smallsats deployed during the SpaceX Transporter-7 mission | SatNews HawkEye 360’s nexgen Cluster 7 smallsats are successfully launched | SatNews TrustPoint Announces Launch of First Commercially-Funded, Purpose-Built PNT Microsatellite | Business Wire China claims its Space Station has achieved 100% oxygen regeneration in orbit | Interesting Engineering Boeing Unveils Anti-Jam Payload For Next Space Force Wideband Global SATCOM Satellite | Via Satellite As counterspace weapons ‘proliferate,’ the new cold war for space races forward: studies | Breaking Defense The Moon is the Best Place to Transport Rocket Fuel | Universe Today US aviation authorities may delay some space launches to avoid air traffic disruption | Reuters NASA launches stadium-sized balloon from New Zealand | SpaceConnect Audience Survey We want to hear from you! Please complete our wicked fast 4 question survey. It’ll help us get better and deliver you the most mission-critical space intel every day. Want to hear your company in the show? You too can reach the most influential leaders in the industry. Here’s a link to our media kit. Contact us at [email protected] to request more info about sponsoring T-Minus. Want to join us for an interview? Please send your interview pitch to [email protected] and include your name, affiliation, and topic proposal, and our editor will get back to you for scheduling. T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

An Iranian threat actor exploits N-day vulnerabilities. CSC exposes subdomain hijacking vulnerabilities. More on the Discord Papers. An update on Russia’s NTC Vulkan. Joe Carrigan on the aftermath of a $98M online investment fraud. Our guest is Blake Sobczak from Synack , host of the podcast WE'RE IN! And threat actor nomenclature: a scorecard, and a Periodic Table no more. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/74 Selected reading. Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft Security) An Iranian hacking group went on the offensive against U.S. targets, Microsoft says (Washington Post) New CSC Research Finds One in Five DNS Records are Susceptible to Subdomain Hijacking Due to Insufficient Cyber Hygiene | CSC (CSC) DOD Assessing Document Disclosures and Implementing Mitigation Measures (U.S. Department of Defense) After leak, Pentagon purges some users' access to classified programs, launches security review (Breaking Defense) Why Did a 21-Year-Old Guardsman Have Access to State Secrets? (Vice) U.S. officials have examined whether alleged doc leaker had foreign links (POLITICO) The Air Force Loves War Gamers Like Alleged Leaker Teixeira (Military.com) FBI Investigating Ex-Navy Noncommissioned Officer Linked to Pro-Russia Social-Media Account (Wall Street Journal) Pentagon leak suggests Russia honing disinformation drive – report (the Guardian) Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure (Dragos) Microsoft shifts to a new threat actor naming taxonomy (Microsoft) Learn more about your ad choices. Visit megaphone.fm/adchoices

The alleged Discord Papers leaker has been charged. We look at how the Papers spread online. A life lived online as a security risk. US tax season scams, at the 11th filing hour. Caleb Barlow from Cylete on the layoffs in security that many thought would never happen. Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus. And KillNet says it’s open for business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/73 Selected reading. Inside the furious week-long scramble to hunt down a massive Pentagon leak (CNN Politics) Massachusetts Air National Guard’s Intelligence Mission in the Spotlight (New York Times) Leaker of U.S. secret documents worked on military base, friend says (Washington Post) WSJ News Exclusive | Social-Media Account Overseen by Former Navy Noncommissioned Officer Helped Spread Secrets (Wall Street Journal). A Russian Disinformation Empire in Oak Harbor, Washington (Malcontent News) Pro-Russia propagandist unmasked as New Jersey tropical fish seller (The Telegraph) Suspect charged in case involving leaked classified military documents (Washington Post) Jack Teixeira, suspect in Pentagon leaks, charged under Espionage Act (the Guardian) Leak suspect appears in court as US spells out its case (AP NEWS) Airman in Pentagon intel leak charged (Military Times) Airman charged in Pentagon intel leak regretted joining the military (Military Times) He’s from a military family — and allegedly leaked U.S. secrets (Washington Post) Jack Teixeira's alleged Discord leaks show why the US should stop showering Top Secret clearances on 21-year-old keyboard warriors (Business Insider). The military loved Discord for Gen Z recruiting. Then the leaks began. (Washington Post) A new kind of leaker: Spilling state secrets to impress online buddies (Washington Post) Was the Gen-Z Pentagon leaker motivated by social media clout? (the Guardian) Microsoft president claims Russian intelligence is trying to "penetrate gaming communities" (GamesIndustry.biz) How Gamers Eclipsed Spies as an Intelligence Threat (Foreign Policy) Crafty PDF link is part of another tax-season malware campaign (Record) Tax season scams. (CyberWire) Ukraine at D+414: Discord Papers arrest, cyberespionage, and hacktivist DDoS. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices

Jack Chapman, VP of Threat Intelligence at Egress sits down to share his story on how he found his way into the cybersecurity field as well as his journey creating a cybersecurity company that was successfully acquired. Jack previously co-founded anti-phishing company Aquilai and served as its Chief Technology Officer, working closely with the UK’s intelligence and cyber agency GCHQ to develop cutting-edge product capabilities. Aquilai was acquired by Egress in 2021. Now he is working with Egress as what he calls their "chief bad guy," helping to shield his team from threats. He says "I'm probably what you call a servant leader, my mission is to enable and shield my teams from things that will prevent them from succeeding in their missions, whatever that might look like." Jack hopes to be remembered for making a meaningful impact to help drive the field forward. We thank Jack for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Scott Fanning, Senior Director of Product Management, Cloud Security at CrowdStrike, sits down to talk about the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. The research defines Dero as "a cryptocurrency that claims to offer improved privacy, anonymity and higher and faster monetary rewards compared to Monero, which is a commonly used cryptocurrency in cryptojacking operations." CrowdStrike was the first organization to discover Dero, and has been observing the cryptojacking operation since the beginning of February 2023. The operation focuses mainly on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet. The research can be found here: CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes Learn more about your ad choices. Visit megaphone.fm/adchoices

"Read the Manual" and the ransomware-as-a-service market. Bitter APT may be targeting Asia-Pacific energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge from Fastly with insights on the risks from bots. And there’s been an arrest in the Discord Papers case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/72 Selected reading. Read The Manual Locker: A Private RaaS Provider (Trellix) Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer) Espionage campaign linked to Russian intelligence services (Baza wiedzy) Russian cyberspies hit NATO and EU organizations with new malware toolset (CSO Online) Pro-Russia hackers say they were behind Hydro-Quebec cyberattack (Montreal CTV News - 04-13-2023) Cyberattack knocks out website and mobile app for Quebec’s hydro utility (Toronto Star) F.B.I. Arrests National Guardsman in Leak of Classified Document (New York Times) DOD Calls Document Leak 'a Criminal Act' (U.S. Department of Defense) Learn more about your ad choices. Visit megaphone.fm/adchoices

Transparent Tribe expands its activity against India's education sector. A Lazarus sub-group is after defense sector targets. The FBI's Denver office warns of potential juicejacking. Legion: a Python-based credential harvester. The source of leaked US intelligence may be closer to identification. Johannes Ullrich from SANS explains upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia’s war on Ukraine. Canada responds to claims of Russian cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/71 Selected reading. Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector (SentinelOne) Following the Lazarus group by tracking DeathNote campaign (Securelist) DPRK threat actors target C3X and defense sector at large. (CyberWire) FBI office warns against using public phone charging stations at airports or malls, citing malware risk (CBS News) The FBI warns of juicejacking and other risks of public tech. (CyberWire) Legion: an AWS Credential Harvester and SMTP Hijacker (Cado Security) The Legion credential harvester. (CyberWire) Leaker of U.S. secret documents worked on military base, friend says (Washington Post) U.S. may change how it monitors the web after missing leaked documents for weeks (NBC News) Cyberattacks on Canada’s gas infrastructure left ‘no physical damage,’ Trudeau says (Global News) Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool (CyberScoop) US Warns Russia Getting Creative in Cyberspace (VOA) APT Winter Vivern Resurfaces (Avertium) Learn more about your ad choices. Visit megaphone.fm/adchoices

Patch Tuesday update. Another commercial surveillance company is outed. Voice security and the challenge of fraud. CISA updates its Zero Trust Maturity Model. Effects of the US intelligence leaks. Our guest Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlines CISA's role in the cybersecurity community. André Keartland of Netsurit makes the case for DevSecOps. Russian cyber auxiliaries believed responsible for disrupting the Canadian PM's website. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/70 Selected reading. Patch Tuesday overview. (CyberWire) DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia (Microsoft Threat Intelligence) Threat Report on the Surveillance-for-Hire Industry (Meta) Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers (The Citizen Lab) Voice Intelligence and Security Report (Pindrop) CISA Releases updated Zero Trust Maturity Model (Cybersecurity and Infrastructure Security Agency) CISA Releases Zero Trust Maturity Model Version 2 (Cybersecurity and Infrastructure Security Agency CISA) A leak of files could be America’s worst intelligence breach in a decade (The Economist) Interagency Effort Assessing Impact of Leaked Documents, Strategizing Way Forward (U.S. Department of Defense) What we know about the Pentagon document leak (Axios) The ongoing scandal over leaked US intel documents, explained (Vox) Pentagon leak threatens Biden's foreign policy doctrine ahead of overseas trip (Axios) Schumer calls for all-senator briefing on leaked Ukraine documents (The Hill) The key countries and revelations from the Pentagon document leak (Washington Post) Exclusive: Leaked U.S. intel document claims Serbia agreed to arm Ukraine (Reuters) Up to 50 UK special forces present in Ukraine this year, US leak suggests (the Guardian) Egypt denies leak about supplying Russia with 40,000 rockets (Al Jazeera) DDoS attacks block PM Trudeau’s web site (IT World Canada) Learn more about your ad choices. Visit megaphone.fm/adchoices

Key trends in Identity Access Management. RagnarLocker and critical infrastructure. Cyber criminals capitalize on the AI hype. Updates on the leaked US classified documents, and speculation of whether Russian hackers compromised a Canadian gas pipeline. Ben Yelin describes a multimillion dollar settlement over biometric data. Microsoft’s Ann Johnson from Afternoon Cyber Tea talking about cyber paradigm shifts with Samir Kapuria. And a welcome to GCHQ's new boss. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/69 Selected reading. 4 key trends from the Gartner IAM Summit 2023 (Venture Beat) Threat Actor Spotlight: Ragnarlocker Ransomware (Sygnia) From Chatgpt To Redline Stealer: The Dark Side Of Openai And Google Bard (Veriti) Biden administration doesn't know extent of classified Pentagon document leak (CBS News) Ukraine ‘alters counter-offensive plans’ after Pentagon leak (The Telegraph) Ukraine had to change military plans because of US Pentagon leak, source says (CNN) Leaked Pentagon documents claim that hackers breached a Canadian gas network. Here’s what to know. (Washington Post) Pro-Russia Hackers Say They Breached Canadian Pipeline, but Experts Are Skeptical (Wall Street Journal) Leaked US intel: Russia operatives claimed new ties with UAE (AP NEWS) Egypt secretly planned to supply rockets to Russia, leaked U.S. document says (Washington Post) How the Latest Leaked Documents Are Different From Past Breaches (New York Times) How U.S. friends and foes have responded to leaked Pentagon documents (Washington Post) Pentagon leaks: US seeks to mend ties after claims Washington spied on key allies (the Guardian) Pentagon Probe Under Way in Leaks Case (Wall Street Journal) Pentagon assessing damage after 'highly classified' US secrets leaked online (Breaking Defense) The Pentagon’s Purported Classified-Document Leak: The Biggest Takeaways and Questions So Far (Wall Street Journal) The ongoing scandal over leaked US intel documents, explained (Vox) Leaked documents a 'very serious' risk to security: Pentagon (AP NEWS) The Discord servers at the center of a massive US intelligence leak (CyberScoop) Social-Media Platform Discord Emerges at Center of Classified U.S. Documents Leak (Wall Street Journal) Why Leaked Pentagon Documents Are Still Circulating on Social Media (New York Times) Clues Left Online Might Aid Leak Investigation, Officials Say (New York Times Ukraine at D+411: US leaks remain under investigation. (CyberWire) New Director GCHQ announced (GCHQ) Learn more about your ad choices. Visit megaphone.fm/adchoices

An Iranian APT MERCURY exploits known vulnerabilities. The US investigates apparent leaks of classified information about Russia's war against Ukraine. KillNet claims it has paralyzed NATO websites. More apparent doxing of the GRU. Britta Glade and Monica Koshgarian of RSA Conference talking about content curation. Grayson Milbourne from OpenText Cybersecurity hopes to remove shame from cyber attacks. And, finally, some notes on cloud security trends. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/68 Selected reading. MERCURY and DEV-1084: Destructive attack on hybrid environment (Microsoft Threat Intelligence) Leaked US battlefield intelligence on Ukraine is fake, says Kyiv (The Telegraph) Russia Claims Leaked Pentagon Intelligence on Ukraine is U.S. Disinformation (US News and World Report) Leaked US secret NATO-Ukraine war docs likely altered, say experts (SC Media) Ukraine’s air defences could soon run out of missiles, apparent Pentagon leak suggests (the Guardian) Russia nearly shot down British spy plane near Ukraine, leaked document says (Washington Post) Justice Dept. will investigate leak of classified Pentagon documents (Washington Post) US investigating whether Ukraine war documents were leaked (Military Times) U.S. Reviewing Online Appearance Of Sensitive Documents Related To Ukraine, Pentagon Says (RadioFreeEurope/RadioLiberty) WSJ News Exclusive | Pentagon Investigates More Social-Media Posts Purporting to Include Secret U.S. Documents (Wall Street Journal) New Details on Intelligence Leak Show It Circulated for Weeks Before Raising Alarm (Wall Street Journal) Intelligence leak exposes U.S. spying on adversaries and allies (Washington Post) Secret US Documents on Ukraine War Plan Spill Onto Internet: Report (SecurityWeek) US hit by ‘worst leak of secret documents since Edward Snowden’ (The Telegraph) Ukraine at D+410: Static, sanguinary lines. (CyberWire) Report Finds 90% of IT Professionals Have Experienced a Cybersecurity Breach (Skyhigh Security) Learn more about your ad choices. Visit megaphone.fm/adchoices

Karen Worstell, Senior Cybersecurity Strategist from VMware sits down to share her journey and discusses her experience as a woman in cyber. Starting her career off as a chemist, after graduating with a bachelor's degree in chemistry and a bachelor's degree in molecular biology, she took some time off to be with her family, she came back to a science field that was far more advanced than before she had left. She decided to go in another direction which led her to cyber. She started teaching herself programming and found she was very good at it. Now that she works in cyber, she says "You, you have to know yourself, know what you want, and know where you're, know where you plant your feet. I used to use a phrase a lot that said, uh, don't be afraid to take a stand but know where your feet are planted." We thank Karen for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Sahar Abdelnabi from CISPA Helmholtz Center for Information Security sits down with Dave to discuss their work on "A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models." There is currently a large advance in the capabilities of Large Language Models or LLMs, as well as being integrated into many systems, including integrated development environments (IDEs) and search engines. The research states, "The functionalities of current LLMs can be modulated via natural language prompts, while their exact internal functionality remains implicit and unassessable." This could lead them to be susceptible to targeted adversarial prompting, as well as making them adaptable to even unseen tasks. Researchers demonstrated these said attacks to see if the LLMs needed new techniques for more defense. The research can be found here: More than you've asked for: A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models Learn more about your ad choices. Visit megaphone.fm/adchoices

Preventing abuse of the Cobalt Strike pentesting tool. US investigates a leak of sensitive documents related to the war in Ukraine. Hacktivist activity continues. Google's advice for boards. Electronic lockpicks for electronic locks. Nexx security devices may have security flaws. Tesla employees reportedly shared images and videos from Teslas in the wild. Matt O'Neill from US Secret Service discussing investment crypto scams. Our guest is James Campbell of Cado Security on the challenges of a cloud transition. And CISA releases seven ICS advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/67 Selected reading. Stopping cybercriminals from abusing security tools (Microsoft On the Issues) Microsoft leads effort to disrupt illicit use of Cobalt Strike, a dangerous hacking tool in the wrong hands (CyberScoop) Ukraine War Plans Leak Prompts Pentagon Investigation (New York Times) DDoS attacks rise as pro-Russia groups attack Finland, Israel (TechRepublic) Perspectives on Security for the Board (Google Cloud) Thieves Use CAN Injection Hack to Steal Cars (SecurityWeek) How thieves steal cars using vehicle CAN bus (Register) Own a Nexx “smart” alarm or garage door opener? Get rid of it, or regret it (Graham Cluley). Hack and enter! The “secure” garage doors that anyone can open from anywhere – what you need to know (Naked Security) Special Report: Tesla workers shared sensitive images recorded by customer cars (Reuters) CISA Releases Seven Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices

New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Russia's turn in the Security Council chair immediately becomes an occasion for disinformation. Our guest is Nick Tausek from Swimlane to discuss supply chain attack trends. Tim Starks from the Washington Post has the latest on the DOJ’s attempts to disrupt cyber crime. And, make robo-love, not robo-war: nuisance-level hacktivism in the interest of Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/66 Selected reading. New Phishing Campaign Exploits YouTube Attribution Links, Cloudflare Captcha (Vade Security) Criminal Marketplace Disrupted in International Cyber Operation (U.S. Department of Justice) Takedown of notorious hacker marketplace selling your identity to criminals | Europol (Europol) Notorious criminal marketplace selling victim identities taken down in international operation (National Crime Agency) Check your hack (Politie) Carr Announces Investigation into Suspected Users of Genesis Dark Web Marketplace Following FBI Takedown of Illicit Site (Office of Attorney General of Georgia Chris Carr) U.S., European Police Shut Down Hacker Marketplace, Make 119 Arrests (Wall Street Journal) 120 Arrested as Cybercrime Website Genesis Market Seized by FBI (SecurityWeek) International cops put the squeeze on Genesis Market users (Register) FBI obtained detailed database exposing 60,000 users of the cybercrime bazaar Genesis Market (CyberScoop) Genesis Black Market Dismantled, But Experts Warn of Potential Vacuum (Nextgov.com) How we’re protecting users from government-backed attacks from North Korea (Google) Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks (The Hacker News) ‘Outrageous’: Russia Accused of Spreading Disinformation at U.N. Event (New York Times) Des hackers ont acheté 23.000 euros de sex-toys avec de l’argent russe (20 minutes) Thanks to Ukrainian hackers, war freak orders £20,000 worth drones for Russian soldiers, gets sex toys instead (First Post) Ukrainian hackers exchange Russian fighter’s drone order for dildos (New York Post) ‘It’s bullshit’: Inside the weird, get-rich-quick world of dropshipping (WIRED) Learn more about your ad choices. Visit megaphone.fm/adchoices

Genesis Market gets taken down. Proxyjackers exploit Log4j vulnerabilities. Fast-encrypting Rorschach ransomware uses DLL sideloading. Killnet attempts DDoS attacks against the German ministry. Carole Theriault ponders AI assisted cheating. Johannes Ullrich tracks malware injected in a popular tax filing website. Soft power and Russia’s hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/65 Selected reading. 'Operation Cookie Monster': International police action seizes dark web market (Reuters) Stolen credential warehouse Genesis Market seized by FBI (Register) FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers (KrebsOnSecurity) Genesis Market, one of world’s largest platforms for cyber fraud, seized by police (Record) 'Operation Cookie Monster': FBI seizes popular cybercrime forum used for large-scale identity theft (CNN) Cybercrime marketplace Genesis Market shut by FBI, international law enforcement (CNBC) FBI seizes stolen credentials market Genesis in Operation Cookie Monster (BleepingComputer) Notorious Genesis Market cybercrime forum seized in international law enforcement operation (CyberScoop) Proxyjacking has Entered the Chat (Sysdig) Rorschach – A New Sophisticated and Fast Ransomware (Check Point Research) Russian hackers attack German ministry’s website (TVP World) Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA 'Must Patch' List (SecurityWeek) Zimbra vulnerability exploited by Russian hackers targeting Nato countries - CISA (Tech Monitor) CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency CISA) NVD - CVE-2022-27926 (National Vulnerability Database) The Interview - Russian cyber weapons 'could do a lot of damage' in the US: Former counterterrorism czar (France 24) Biden cybersecurity chief 'surprised' Russia has not hit US targets amid Ukraine war (Washington Examiner) Ukrainian Cyber War Confirms the Lesson: Cyber Power Requires Soft Power (Council on Foreign Relations) Learn more about your ad choices. Visit megaphone.fm/adchoices

Did "appeasement" embolden Russia's cyber operators? Western Digital discloses a cyberattack. Rilide is a new strain of malware in active use. The Mantis cyberespionage group uses new, robust tools and tactics. The challenges of threat hunting. Joe Carrigan has thoughts on public school systems making cyber security part of the curriculum. Our guest May Mitchell of Open Systems addresses closing the talent gap. And when it comes to criminal enterprise, size matters. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/64 Selected reading. Russia's shadow war: Vulkan files leak show how Putin's regime weaponises cyberspace (The Conversation) Russia's Invasion of Ukraine Heralds New Era of Warfare (VOA) West’s Cyber Appeasement Gave Putin Green Light: James Stavridis (Bloomberg Law) Western Digital Provides Information on Network Security Incident (Business Wire) Western Digital confirms breach, shuts down systems (Computing) Western Digital discloses network breach, My Cloud service down (BleepingComputer) WD says law enforcement probing breach of internal systems (Register) Western Digital investigating MyCloud data breach affecting Mac desktop drives (Macworld) Users fume after My Cloud network breach locks them out of their data (Ars Technica) Typhon Reborn V2: Updated stealer features enhanced anti-analysis and evasion capabilities (Cisco Talos Blog) Mantis: New Tooling Used in Attacks Against Palestinian Targets (Symantec) Inside the Mind of a Threat Hunter: Team Cymru's Latest Report Sheds Light on Challenges Faced by Cybersecurity Analysts (Accesswire) Wages Dominate Cybercrime Groups' Operating Expenses (PR Newswire) Inside the Halls of a Cybercrime Business (Trend Micro) Size Matters: Unraveling the Structure of Modern Cybercrime Organizations (Trend Micro) Learn more about your ad choices. Visit megaphone.fm/adchoices

"Cylance" the ransomware (with no relation to Cylance, the security company). An update on the 3CX incident. The FSB's arrest of a Wall Street Journal reporter. Simone Petrella from N2K Networks unpacks 2023 cybersecurity training trends. Deepen Desai from Zscaler has the latest on cloud security. And Hacktivists claim to have tricked wives of Russian combat pilots into revealing personal information. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/63 Selected reading. "Cylance" ransomware (no relation to Cylance). (CyberWire Pro) New Cylance Ransomware Targets Linux and Windows, Warn Researchers (HackRead) New Cylance Ransomware strain emerges, experts speculate about its notorious members (IT PRO) More evidence links 3CX supply-chain attack to North Korean hacking group (Record) 3CX supply chain attack: the unanswered questions (Computing) 3CX Desktop App Compromised (CVE-2023-29059) (Fortinet Blog) Evan Gershkovich Loved Russia, the Country That Turned on Him (Wall Street Journal) The Ukrainian hoax that revealed the Russian pilots who bombed Mariupol theatre (The Telegraph) Ukrainian Hacktivists Trick Russian Military Wives for Personal Info (HackRead) Learn more about your ad choices. Visit megaphone.fm/adchoices

Alon Jackson, chief executive and Co-founder of Astrix Security, sits down to share his story to rising success. Before being on the vendor side of things, Jackson served in various strategic roles in the Cyber Security Division of the Israeli Military Intel Unit 8200 for more than 8 years, including leading the Cloud Security division and serving as the Head of the Cyber Security R&D Department. His experience in the military inspired him to learn more about the industry and jump to the private sector. Fast forward years later, he co-founded his company to help address security gaps seen in the industry. He mentions how being a start up CEO can be difficult sometimes, and how it may feel as though you're an octopus with all the multitasking that comes with the job. Alon says that one of his main goals as a contributor in this industry is making sure people remember him and his company for years to come, saying he wants to help by " building a company that people kind of know about, remember, and is important in the world." We thank Alon for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Dick O'Brien from Symantec’s Threat Hunter team discusses their research on "Blackfly - Espionage Group Targets Materials Technology." Researchers say the Blackfly espionage group (aka APT41), has been mounting attacks against Asian materials and composite organizations in attempts to steal intellectual property. This group has been known as one of the longest known Chinese advanced persistent threat (APT) groups since at least 2010. The research shares that "early attacks were distinguished by the use of the PlugX/Fast (Backdoor.Korplug), Winnti/Pasteboy (Backdoor.Winnti), and Shadowpad (Backdoor.Shadowpad) malware families." The research can be found here: Blackfly: Espionage Group Targets Materials Technology Learn more about your ad choices. Visit megaphone.fm/adchoices

The Vulkan papers offer a glimpse into Mr. Putin’s cyber war room. The 3CXDesktopApp vulnerability and supply chain risk. A cross site scripting flaw in Azure Service Fabric Explorer can lead to remote code execution. Rob Boyce from Accenture Security on threats toEV charging stations. Our guest is Steve Benton from Anomali Threat Research, sharing a ‘less is more’ approach to cybersecurity. And AlienFox targets misconfigured servers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/62 Selected reading. A Look Inside Putin's Secret Plans for Cyber-Warfare (Spiegel) Secret trove offers rare look into Russian cyberwar ambitions (Washington Post) 7 takeaways from the Vulkan Files investigation (Washington Post) ‘Vulkan files’ leak reveals Putin’s global and domestic cyberwarfare tactics (the Guardian) Contracts Identify Cyber Operations Projects from Russian Company NTC Vulkan (Mandiant) 3CX DesktopApp Security Alert - Mandiant Appointed to Investigate (3CX) Information on Attacks Involving 3CX Desktop App (Trend Micro) 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component (SecurityWeek) There’s a new supply chain attack targeting customers of a phone system with 12 million users (TechCrunch) Super FabriXss: From XSS to an RCE in Azure Service Fabric Explorer by Abusing an Event Tab Cluster Toggle (CVE-2023-23383) (Orca Security) Dissecting AlienFox | The Cloud Spammer’s Swiss Army Knife (SentinelOne) Learn more about your ad choices. Visit megaphone.fm/adchoices

The 3CXDesktopApp is under exploitation in a supply chain campaign. An open letter asks for a pause in advanced AI development. All your grammar and usage are belong us. Combosquatting might fool even the wary. Defender had flagged Zoom and other safe sites as dangerous. Recognizing the importance of OSINT. Matt O'Neill from US Secret Service discussing his agency’s cybersecurity mission. Our guest is Ping Li from Signifydwith a look at online fraud. And the FSB arrests a US journalist. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/61 Selected reading. 3CX DesktopApp Security Alert (3CX) Supply Chain Attack Against 3CXDesktopApp (CISA) Pause Giant AI Experiments: An Open Letter (Future of Life Institute) In Sudden Alarm, Tech Doyens Call for a Pause on ChatGPT (WIRED AI chatbots making it harder to spot phishing emails, say experts (the Guardian) The Most Common Combosquatting Keyword Is “Support” (Akamai) False positives in Microsoft Defender. (CyberWire) Exploitation is a Dish Best Served Cold: Winter Vivern Uses Known Zimbra Vulnerability to Target Webmail Portals of NATO-Aligned Governments in Europe (Proofpoint) ESET Research Podcast: A year of fighting rockets, soldiers, and wipers in Ukraine (WeLiveSecurity) Russia Ramping Up Cyberattacks Against Ukraine (VOA) A new age of spying gives Kyiv the upper hand (The Telegraph) Russia arrests Wall Street Journal reporter on spying charge (AP NEWS) Russia detains a Wall Street Journal reporter, accusing him of espionage. (New York Times) Learn more about your ad choices. Visit megaphone.fm/adchoices

Traffers and the threat to credentials. A newly discovered WiFi protocol flaw. Cross-chain bridge attacks. A shift in Russian cyber operations. Ann Johnson from Afternoon Cyber Tea chats with EY principal Adam Malone. Our guest is Toni Buhrke from Mimecast with a look at the State of Email Security. And is piracy patriotic? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/60 Selected reading. Traffers and the growing threat against credentials (Outpost24 blog) WiFi protocol flaw allows attackers to hijack network traffic (BleepingComputer) Cross-chain bridge attacks. (CyberWire) 2023 Annual State of Email Security Report (Cofense) From Ukraine to the whole of Europe:cyber conflict reaches a turning point (Thales Group) Russia Ramps Up Cyberattacks On Ukraine Allies: Analysts (Barron's) Pro-Russian hackers shift focus from Ukraine to EU countries (Radio Sweden) Russian hackers attack Slovak governmental websites after country supplies Mig-29s to Ukraine (Ukrainska Pravda) Ukraine's Defense Ministry says Russia is encouraging online piracy (The Jerusalem Post) Learn more about your ad choices. Visit megaphone.fm/adchoices

Twitter gets a subpoena for a source-code leaker’s information. The insider risk to data. Russian hacktivist auxiliaries target the French National Assembly. Recent trends in cyberattacks sustained by Ukraine. Ben Yelin unpacks the White House executive order on spyware. Mr. Security Answer Person John Pescatore ponders the permanence of ransomware. And Cyberespionage and cybercrime in the interest of Pyongyang’s weapons programs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/59 Selected reading. GitHub Suspends Repository Containing Leaked Twitter Source Code (SecurityWeek) Twitter takes down source code leaked online, hunts for downloaders (BleepingComputer) Annual Data Exposure Report 2023 (Code 42) Russian Hackers Target French National Assembly Website (Privacy Affairs) Pro-Russian Hacktivists: A Reaction to a Western Response to a Russian Aggression (Radware Blog) Ukraine at D+397: Cyberespionage and battlespace preparation. (CyberWire) APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations (Mandiant) Learn more about your ad choices. Visit megaphone.fm/adchoices

IcedID is evolving away from its banking malware roots. An Emotet phishing campaign spoofs IRS W9s. The FBI warns of BEC scams. A Fake booter service as a law enforcement honeypot. Phishing in China's nuclear energy sector. Reports of an OpenAI and a ChatGPT data leak. Does Iran receive Russian support in cyberattacks against Albania? My conversation with Linda Gray Martin and Britta Glade from RSAC with a preview of this year's conference. Our own Rick Howard takes a field trip to the National Cryptologic Museum. And De-anonymizing Telegram. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/58 Selected reading. Fork in the Ice: The New Era of IcedID (Proofpoint) Emotet malware distributed as fake W-9 tax forms from the IRS (BleepingComputer) Internet Crime Complaint Center (IC3) | Business Email Compromise Tactics Used to Facilitate the Acquisition of Commodities and Defrauding Vendors (IC3) Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer) 'Bitter' espionage hackers target Chinese nuclear energy orgs (BleepingComputer) UK Sets Up Fake DDoS-for-Hire Sites to Trap Hackers (PCMag Middle East) UK National Crime Agency reveals it ran fake DDoS-for-hire sites to collect users’ data (Record) OpenAI: ChatGPT payment data leak caused by open-source bug (BleepingComputer) OpenAI says a bug leaked sensitive ChatGPT user data (Engadget) March 20 ChatGPT outage: Here’s what happened (OpenAI) How Albania Became a Target for Cyberattacks (Foreign Policy) Russia’s Rostec allegedly can de-anonymize Telegram users (BleepingComputer) Learn more about your ad choices. Visit megaphone.fm/adchoices

Rick Howard, N2K’s CSO and The CyberWire’s Chief Analyst and Senior Fellow, sits down with Director of the National Cryptologic Museum, Dr. Vince Houghton. The National Cryptologic Museum is the NSA's affiliated museum sharing the nation's best cryptologic secrets with the public. In this special episode, Rick interviews Dr. Houghton from within the walls of the National Cryptologic Museum, discussing the new and improved museum along with the new exhibits they uncovered during the pandemic. Learn more about your ad choices. Visit megaphone.fm/adchoices

Tanya Janca, CEO and Founder of We Hack Purple, sits down to talk about her exciting path into the field of cybersecurity. Trying several different paths in high school, she soon found she was good at computer science. When it came to picking a college, she knew that was the field she wanted to get into. After college, she was able to use her skills to work at a couple of different organizations, eventually getting into the Canadian government. While there, she held the position of CISO for the Canadian election in 2015 when Justin Trudeau was elected, but she knew she wanted to try something new. She switched from programming to security and after working at Microsoft as a presenter, she eventually found that she wanted to start her own company, saying "at first it was just me presenting, but now we have community members present to each other and it's just been really beautiful to see that grow." She hopes that with her and her community's help, nobody is left feeling unsafe when it comes to being online. Learn more about your ad choices. Visit megaphone.fm/adchoices

Earlier this month, the White House released the National Cybersecurity Strategy, the first issued since 2018. The strategy refocuses roles, responsibilities, and resource allocations in the digital ecosystem, with a five pillar approach. Those pillars are: defending critical infrastructure, disrupting threat actors, shaping market forces to drive security and resilience, investing in a resilient future, and forging international partnerships. We wanted to delve into the strategy and its intended effects further, so Dave Bittner spoke with representatives from industry and inside government. Dave first speaks with Adam Isles, Principal and Head of Cybersecurity Practice at The Chertoff Group, sharing industry's take on the strategy. Following that conversation, Dave had a discussion with Steve Kelly, Special Assistant to the President and Senior Director for Cybersecurity and Emerging Technology at the National Security Council, for a look at the strategy from inside the White House. Links to resources: Point of View: 2023 National Cybersecurity Strategy The Chertoff Group's blog National Cybersecurity Strategy 2023 Learn more about your ad choices. Visit megaphone.fm/adchoices

On this episode, Jérôme Segura, senior threat researcher at Malwarebytes, shares his team's work, "WordPress sites backdoored with ad fraud plugin." WordPress is an immensely popular content management system (CMS) powering over 43% of all websites. Many webmasters will monetize their sites by running ads and need to draw particular attention to search engine optimization (SEO) techniques to maximize their revenues. The Malwarebytes team discovered a few dozen WordPress blogs using the same plugin that mimics human activity by automatically scrolling a page and following links within it, all the while a number of ads were being loaded and refreshed. The blogs would only exhibit this invalid traffic behavior when launched from a specific URL created by this plugin, otherwise they appeared completely legitimate. The research can be found here: WordPress sites backdoored with ad fraud plugin Learn more about your ad choices. Visit megaphone.fm/adchoices

A CISA tool helps secure Microsoft clouds.JCDC and pre-ransomware notification. CISA releases six ICS advisories. Reply phishing. Cl0p goes everywhere exploiting GoAnywhere. Russian electronic warfare units show the ability to locate Starlink terminals. Betsy Carmelite from Booz Allen Hamilton on the DoD's zero trust journey. Analysis of the National Cybersecurity strategy from our special guests, Adam Isles, Principal at the Chertoff Group and Steve Kelly, Special Assistant to the President and Senior Director for Cybersecurity and Emerging Technology with the National Security Council. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/57 Selected reading. JCDC Cultivates Pre-Ransomware Notification Capability (Cybersecurity and Infrastructure Security Agency CISA) US cyber officials make urgent push to warn businesses about vulnerabilities to hackers (CNN) Untitled Goose Tool Aids Hunt and Incident Response in Azure, Azure Active Directory, and Microsoft 365 Environments | CISA (Cybersecurity and Infrastructure Security Agency CISA) New CISA tool detects hacking activity in Microsoft cloud services (BleepingComputer) CISA Releases Six Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA) The Microsoft Reply Attack (Avanan) More victims emerge from Fortra GoAnywhere zero-day attacks (Security | More Clop GoAnywhere attack victims emerge (SC Media) Mass-Ransomware Attack on GoAnywhere File Transfer Tool Exposes Companies Worldwide (Medium) City of Toronto confirms data theft, Clop claims responsibility (BleepingComputer) Canadian movie chain Cineplex among the victims of GoAnywhere MFT hack (Financial Post) Personal data of Rio Tinto's Aussie staff may have been hacked - memo (Reuters) Another GoAnywhere Attack Affects Japanese Giant Hitachi Energy (Heimdal Security Blog) Using Starlink Paints a Target on Ukrainian Troops (Defense One) As CISA chief notes lack of Russian cyberattacks against US, experts focus on enhancing nuclear reactor security (Utility Dive) Using Deception to Learn About Russian Threat Actors (Security Boulevard) Learn more about your ad choices. Visit megaphone.fm/adchoices

DPRK threat actor Kimsuky uses a Chrome extension to exfiltrate emails, while ScarCruft prospects South Korean organizations. Hacktivists' claims of attacks on OT networks may be overstated. Ghostwriter remains active in social engineering attempts to target Ukrainian refugees. Joe Carrigan has cyber crime by the numbers. Our guest is Christian Sorensen from SightGain with analysis of the cyber effects of Russia’s war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/56 Selected reading. North Korean hackers using Chrome extensions to steal Gmail emails (BleepingComputer) Joint Cyber Security Advisory (Korean) (BundesamtfuerVerfassungsschutz) North Korean APT group ‘Kimsuky’ targeting experts with new spearphishing campaign (Record) ScarCruft's Evolving Arsenal: Researchers Reveal New Malware Distribution Techniques (The Hacker News) The Unintentional Leak: A glimpse into the attack vectors of APT37 (Zscaler) CHM Malware Disguised as Security Email from a Korean Financial Company: Redeyes (Scarcruft) (ASEC BLOG) A Propaganda Group is Using Fake Emails to Target Ukrainian Refugees (Bloomberg) We (Did!) Start the Fire: Hacktivists Increasingly Claim Targeting of OT Systems | Mandiant (Mandiant) Fact or fiction, hacktivists' claims of industrial sabotage in Russia or Ukraine get attention online (CyberScoop) The 5×5—Conflict in Ukraine's information environment (Atlantic Council) How the Russia-Ukraine conflict has impacted cyber-warfare (teiss) CommonMagic APT gang attacking organisations in Ukraine (Tech Monitor) Learn more about your ad choices. Visit megaphone.fm/adchoices

Malware could detect sandbox emulations. A VEC supply chain attack. A new APT is active in Russian-occupied sections of Ukraine. An alleged Russian patriot claims responsibility for the D.C. Health Link attack. CISA and NSA offer guidance on identity and access management (IAM). Tim Starks from the Washington Post has analysis on the BreachForums takedown. Our guest is Ryan Heidorn from C3 Integrated Solutions with a look at the CMMC compliance timeline. And Baphomet backs out. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/55 Selected reading. ZenGo uncovers security vulnerabilities in popular Web3 Transaction Simulation solutions: The red pill attack (ZenGo) Stopping a $36 Million Vendor Fraud Attack (Abnormal Intelligence) Bad magic: new APT found in the area of Russo-Ukrainian conflict (Securelist) Unknown actors target orgs in Russia-occupied Ukraine (Register) New 'Bad Magic' Cyber Threat Disrupt Ukraine's Key Sectors Amid War (The Hacker News) Partisan suspects turn on the cyber-magic in Ukraine (Cybernews) Hacker tied to D.C. Health Link breach says attack 'born out of Russian patriotism' (CyberScoop) CISA and NSA Release Enduring Security Framework Guidance on Identity and Access Management | CISA (Cybersecurity and Infrastructure Security Agency CISA) ESF Partners, NSA, and CISA Release Identity and Access Management Recommended Best Practi (National Security Agency/Central Security Service) Identity and Access Management: Recommended Best Practices for Administrators (NSA and CISA) CISA Releases Updated Cybersecurity Performance Goals (Cybersecurity and Infrastructure Security Agency CISA) CISA Releases Eight Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA) End of BreachForums could take a bite out of cybercrime (Washington Post) BreachForums says it is closing after suspected law enforcement access to backend (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices

Threat group with novel malware operates in Southeast Asia. Data theft extortion on the rise. Key findings of Cisco's Cybersecurity Readiness Index. iPhones are no longer welcome in the Kremlin. Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector. Chris Eng from Veracode shares findings of their Annual Report on the State of Application Security. Johannes Ullrich from SANS Institute discusses scams after the failure of Silicon Valley Bank. And BreachForums seems to be under new management. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/54 Selected reading. NAPLISTENER: more bad dreams from developers of SIESTAGRAPH (Elastic Blog) Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise (Palo Alto Network) Ransomware and extortion trends. (CyberWire) Cisco Cybersecurity Readiness Index (Cisco) A look at resilience: companies' ability to fight off cyberattacks. (CyberWire) Putin to staffers: throw out your iPhones over security (Register) Black Basta, Killnet, LockBit groups targeting healthcare in force (SC Media) After BreachForums arrest, new site administrator says the platform will live on (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices

Cl0p ransomware hits Hitachi Energy. The US Department of Justice investigates ByteDance in alleged surveillance of journalists. A Hacktivist auxiliary hits Indian healthcare records. Pirated software is used to carry malware. The Effects of cyberattack on Latitude persist. Adam Meyers from CrowdStrike shares findings from the 2023 CrowdStrike Global Threat Report. Rick Howard has the latest preview of CSO Perspectives. And Pompompurin is arrested for an alleged role in BreachForums. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/53 Selected reading. Hitachi Energy confirms data breach after Clop GoAnywhere attacks (BleepingComputer) Hitachi Energy Group hit by cyber-attack, says network operations not compromised (cnbctv18.com) Justice Department Probes TikTok’s Tracking of U.S. Journalists (Wall Street Journal) The FBI And DOJ Are Investigating ByteDance’s Use Of TikTok To Spy On Journalists (Forbes) KillNet and affiliate hacktivist groups targeting healthcare with DDoS attacks (Azure Network Security Team) Pro-Russia hackers are increasingly targeting hospitals, researchers warns (Record) Russian hacktivist group targets India’s health ministry (CSO Online) Russian Hacktivist group Phoenix targets India’s Health Ministry Website (Threat Intelligence | CloudSEK) Ukraine warns that hacked software can be infected with Russian viruses (Kyiv Independent) Russian hackers spread infected software through torrents (SSSCIP) Australia's Latitude takes systems offline, Federal Police investigate cyberattack (Reuters) FBI targets notorious cybercrime market with teen’s arrest (Washington Post) Dark Web ‘BreachForums’ Operator Charged With Computer Crime (Bloomberg) Feds arrest alleged BreachForums owner linked to FBI hacks (The Verge) NY Man Charged as 'Pompompurin,' the Boss of BreachForums (KrebsOnSecurity) Breach Forums Admin 'Pompompurin' Arrested in New York (Cyber Kendra) Pompompurin Unmasked: Infamous BreachForums Mastermind Arrested in New York (The Hacker News) Learn more about your ad choices. Visit megaphone.fm/adchoices

Kathleen Smith, CMO from ClearedJobs.Net, sits down to share her story as she remembers having big shoes to fill in her childhood. She strived for greatness at an early age, as her parents told her she would be going to college and would follow strong guidelines to become successful. Kathleen can remember being into the hard sciences when she was in school, which sparked an interest in becoming a biochemist and law student. Eventually she found her passion as a translator, saying that "doing the translator role, I wanted to get into international marketing and I was going on to get my degree on that." She found her way to ClearedJobs.Net and fell in love with it. She had sought to find a workplace that wouldn't burn her out, where she can also be a part of the team. Kathleen found what she was passionate about and made it a reality for herself, and now she just wants young women starting in the field to know the importance of finding something they are passionate about. We thank Kathleen for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint advisory to share known LockBit 3.0 ransomware IOCs and TTPs identified through FBI investigations as recently as March 2023. AA23-075A Alert, Technical Details, and Mitigations Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected] To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices

Bar Block, Threat Intelligence Researcher at Deep Instinct, joins Dave to discuss their work on "ChatGPT and Malware - Making Your Malicious Wishes Come True." Deep Instinct goes into depth on just how dangerous ChatGPT can be in the wrong hands as well as how artificial intelligence is better at creating malware than providing ways to detect it. Researchers go on to explain how the AI app can be used in the wrong hands saying "Examples of malicious content created by the AI tool, such as phishing messages, information stealers, and encryption software, have all been shared online." The research can be found here: ChatGPT and Malware: Making Your Malicious Wishes Come True Learn more about your ad choices. Visit megaphone.fm/adchoices

BianLian gang’s pivot. HinataBot is a Go-based threat. The US Social Security Administration is impersonated in attempted vishing attacks. BlackSnake in the RaaS criminal market. More Silicon Valley Bank-themed phishing. Caleb Barlow from Cylete on security implications you need to consider now about Chat GPT. Our guest is Isaac Roth from LeakSignal with advice on securing the microservices application layer. And Russian operators exploit an Outlook vulnerability. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/52 Selected reading. BianLian Ransomware Gang Continues to Evolve ([redacted]) Uncovering HinataBot: A Deep Dive into a Go-Based Threat (Akamai) Social InSecurity: Armorblox Stops Attack Impersonating Social Security Administration (Armorblox) Netskope Threat Coverage: BlackSnake Ransomware (Netskope) Fresh Phish: Silicon Valley Bank Phishing Scams in High Gear (INKY) Outlook zero day linked to critical infrastructure attacks (Cybersecurity Dive) CVE-2023-23397: Exploitations in the Wild – What You Need to Know (Deep Instinct) Everything We Know About CVE-2023-23397 (Huntress) Microsoft Mitigates Outlook Elevation of Privilege Vulnerability (Microsoft Security Response Center) Learn more about your ad choices. Visit megaphone.fm/adchoices

Telerik exploited, for carding (probably) and other purposes. Cloud storage re-up attacks. Cybercriminals use new measures to avoid detection of phishing campaigns. "Winter Vivern" seems aligned with Russian objectives. Microsoft warns of a possible surge in Russian cyber operations. Boss Sandworm. Johannes Ullrich from SANS talking about malware spread through Google Ads. Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity directives. And don't fear the Reaper. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/51 Selected reading. Threat Actors Exploited Progress Telerik Vulnerability in U.S. Government IIS Server (Cybersecurity and Infrastructure Security Agency CISA) Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA: Federal civilian agency hacked by nation-state and criminal hacking groups (CyberScoop) US govt web server attacked by 'multiple' criminal gangs (Register) The Cloud Storage Re-Up Attack (Avanan) Threat Spotlight: 3 novel phishing tactics (Barracuda) Winter Vivern | Uncovering a Wave of Global Espionage (SentinelOne) Is Russia regrouping for renewed cyberwar? (Microsoft On the Issues) A year of Russian hybrid warfare in Ukraine (Microsoft Threat Intelligence) Russian hackers preparing new cyber assault against Ukraine - Microsoft report (Reuters) Microsoft Warns Russia May Plan More Ransomware Attacks Beyond Ukraine (Bloomberg) This Is the New Leader of Russia's Infamous Sandworm Hacking Unit (WIRED) What's known and not about US drone-Russian jet encounter (AP NEWS) Russia tries to retrieve downed US drone in Black Sea (The Telegraph) Downed U.S. drone points to cyber vulnerabilities (Washington Post) Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint Cybersecurity Advisory to provide IT infrastructure defenders with TTPs, IOCs, and methods to detect and protect against recent exploitation against Microsoft Internet Information Services web servers. AA23-074A Alert, Technical Details, and Mitigations AA23-074A STIX XML MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935) ACSC Advisory 2020-004 Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI Volexity Threat Research: XE Group GitHub: Proof-of-Concept Exploit for CVE-2019-18935 Microsoft: Configure Logging in IIS GitHub: CVE-2019-18935 No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected] To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices

Patch Tuesday notes. Silicon Valley Bank's collapse and its effects on the cybersecurity sector. SVR's APT29 used a Polish state visit to the US as phishbait. Regularizing hacktivist auxiliaries. Our guest is Crane Hassold from Abnormal Security with a look at threats to email. Grayson Milbourne from OpenText Cybersecurity addresses chaos within the supply chain. And LockBit claims to have compromised an aerospace supply chain. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/50 Selected reading. March 2023 Patch Tuesday: Updates and Analysis (CrowdStrike) Microsoft Releases March 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA) Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA) Mozilla Releases Security Updates for Firefox 111 and Firefox ESR 102.9 (Cybersecurity and Infrastructure Security Agency CISA) SAP Security Patch Day for March 2023 (Onapsis) March Patch Tuesday review. (CyberWire) What the collapse of Silicon Valley Bank means for cyber and the tech startup ecosystem. (CyberWire) NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine (BlackBerry) Ukraine Tracks Increased Russian Focus on Cyberespionage (Bank Info Security) Ukraine scrambles to draft cyber law, legalizing its volunteer hacker army (Newsweek) Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor (SecurityWeek) Learn more about your ad choices. Visit megaphone.fm/adchoices

Expect phishing, BEC scams, and other social engineering to use Silicon Valley Bank lures. An "attack superhighway." Unauthorized software in the workplace. A new cyberespionage group emerges. Squad up (but not IRL). Ben Yelin unpacks the FBI director’s recent admission of purchasing location data. Ann Johnson from Afternoon Cyber Tea speaks with Jason Barnett from HCA Healthcare about cyber resilience. And, not that you’d consider a life of crime, but what are the gangs paying cyber criminals, nowadays? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/49 Selected reading. SVB's collapse and the potential for fraud. (CyberWire) State-of-the-Internet: malicious DNS traffic. (CyberWire) Unauthorized software in the workplace. (CyberWire) Talos uncovers espionage campaigns targeting CIS countries, including embassies and EU health care agency (Cisco Talos Blog) STALKER 2 game developer hacked by Russian hacktivists, data stolen (BleepingComputer) GSC Game World suffers Stalker 2 leak after latest cyber attack (GamesIndustry.biz) Threat Groups Offer $240k Salary to Tech Jobseekers (Security Intelligence) Learn more about your ad choices. Visit megaphone.fm/adchoices

Coping with Silicon Valley Bank's collapse. BatLoader's abusing Google Search Ads. More on Emotet’s re-emergence. Reflections on Medusa rising. An international law enforcement action against NetWire. Rob Shapland from Falanx Cyber on ethical hacking and red teaming. Bryan Ware from LookingGlass looks at exploited vulnerabilities in the US financial sector. And in Ukraine, it’s more-or-less quiet on the cyber front (but in Estonia and Georgia, not so much). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/48 Selected reading. One of Silicon Valley's top banks fails; assets are seized (AP NEWS) US, UK try to stem fallout from Silicon Valley Bank collapse (AP NEWS) In abrupt reversal, regulators to cover Silicon Valley Bank, Signature uninsured deposits (American Banker) Silicon Valley Bank collapse will not trigger new financial crisis, insists Sunak (The Telegraph) ‘Banking system is safe’: Joe Biden reassures markets in address on Silicon Valley Bank collapse – live updates (the Guardian) BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif (eSentire) BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (The Hacker News) Emotet Again! The First Malspam Wave of 2023 (Deep Instinct) Emotet attempts to sell access after infiltrating high-value networks (SC Media) Medusa ransomware gang picks up steam as it targets companies worldwide (BleepingComputer) Alleged seller of NetWire RAT arrested in Croatia (Help Net Security) FBI and international cops catch a NetWire RAT (Register) How the FBI proved a remote admin tool was actually malware (TechCrunch) Estonia’s Election Was More Than Just a Win for Kallas (World Politics Review) Estonian official says parliamentary elections were targeted by cyberattacks (Record) Learn more about your ad choices. Visit megaphone.fm/adchoices

Bat El Azerad, CEO and Co-founder of mobile phishing protection company novoShield, shares her personal account of her experience as a female leader in the cybersecurity field as well as some insights into how far the industry has come and where it is headed in terms of the gender gap. Bat El speaks about how she grew into her role of becoming a CEO, by sharing where she started and how she got involved with novoShield. She share's that being a woman in this industry can be tough and so she shares some advice, saying "so you have to be very focused and to find the right niche to bring something to the table because the competition in this industry and the level of innovation, um, is, is great." Bat El hopes that throughout her time in the industry she hopes people remember her for her vision, and the mission she is helping to create and maintain at her company. We thank Bat El for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Ron Masas of Imperva discusses their work, the "Google Chrome “SymStealer” Vulnerability. How to Protect Your Files from Being Stolen." By reviewing the ways the browser handles file systems, specifically searching for common vulnerabilities relating to how browsers process symlinks, the Imperva Red Team discovered that when files are dropped onto a file input, it’s handled differently. Dubbing it as CVE-2022-40764, researchers found a vulnerability that "allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials." In result, over 2.5 billion users of Google Chrome and Chromium-based browsers were affected. The research can be found here: Google Chrome “SymStealer” Vulnerability: How to Protect Your Files from Being Stolen Learn more about your ad choices. Visit megaphone.fm/adchoices

New IceFire version is out. A DUCKTAIL tale. Social engineering by Tehran. DPRK's LIGHTSHOW cyberespionage. The President's Budget and cybersecurity. The US Department of Defense issues its cyber workforce strategy. Remcos surfaces in attacks against Ukrainian government agencies. DDoS at a Ukrainian radio station. Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. Caleb Barlow from Cylete on the security implications of gigapixel images. And CISA releases five ICS advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/47 Selected reading. IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks (SentinelOne) DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection (Deep Instinct) Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers (CyberScoop) Iranian APT Targets Female Activists With Mahsa Amini Protest Lures (Dark Reading). Iran threat group going after female activists, analyst warns (Cybernews) Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 (Mandiant) Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW (Mandiant) Cybersecurity in the US President's Budget for Fiscal Year 2024. (CyberWire) Biden’s budget proposal underscores cybersecurity priorities (Washington Post) Biden Budget Proposal: $200M for TMF, CISA With 4.9% Budget Boost (Meritalk) Cybersecurity Poised for Spending Boost in Biden Budget (Gov Info Security) Deputy Secretary of Defense Signs 2023-2027 DoD Cyber Workforce Strategy (U.S. Department of Defense) In new cyber workforce strategy, DoD hopes 'bold' retention initiatives keep talent coming back (Breaking Defense) Remcos Trojan Returns to Most Wanted Malware List After Ukraine Attacks (Infosecurity Magazine) February 2023’s Most Wanted Malware: Remcos Trojan Linked to Cyberespionage Operations Against Ukrainian Government (Check Point Software) Radio Halychyna cyber-attacked following appeal by Russian hacker group (International Press Institute) CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices