CyberWire Daily

3,656 episodes — Page 27 of 74

S7 Ep 1777: Cybercrime and cyberespionage: IceFire, DUCKTAIL, LIGHTSHOW, Remcos, and a tarot card reader. US cyber budgets, strategy, and a DoD cyber workforce approach. Five new ICS advisories.

New IceFire version is out. A DUCKTAIL tale. Social engineering by Tehran. DPRK's LIGHTSHOW cyberespionage. The President's Budget and cybersecurity. The US Department of Defense issues its cyber workforce strategy. Remcos surfaces in attacks against Ukrainian government agencies. DDoS at a Ukrainian radio station. Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. Caleb Barlow from Cylete on the security implications of gigapixel images. And CISA releases five ICS advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/47

Selected reading:
IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks (SentinelOne)
DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection (Deep Instinct)
Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers (CyberScoop)
Iranian APT Targets Female Activists With Mahsa Amini Protest Lures (Dark Reading)
Iran threat group going after female activists, analyst warns (Cybernews)
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 (Mandiant)
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW (Mandiant)
Cybersecurity in the US President's Budget for Fiscal Year 2024. (CyberWire)
Biden’s budget proposal underscores cybersecurity priorities (Washington Post)
Biden Budget Proposal: $200M for TMF, CISA With 4.9% Budget Boost (Meritalk)
Cybersecurity Poised for Spending Boost in Biden Budget (Gov Info Security)
Deputy Secretary of Defense Signs 2023-2027 DoD Cyber Workforce Strategy (U.S. Department of Defense)
In new cyber workforce strategy, DoD hopes 'bold' retention initiatives keep talent coming back (Breaking Defense)
Remcos Trojan Returns to Most Wanted Malware List After Ukraine Attacks (Infosecurity Magazine)
February 2023’s Most Wanted Malware: Remcos Trojan Linked to Cyberespionage Operations Against Ukrainian Government (Check Point Software)
Radio Halychyna cyber-attacked following appeal by Russian hacker group (International Press Institute)
CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Mar 10, 2023 | 25 min

S7 Ep 1776: PlugX is now wormable. Compromised webcams found. Emotet is back. AI builds a keylogger. Cyber in the hybrid war. BEC comes to productivity suites.

A wormable version of the PlugX USB malware is found. Compromised webcams as a security threat. Emotet botnet out of hibernation. Proof-of-concept: AI used to generate a polymorphic keylogger. Turning to alternatives as conventional tactics fail. Dave Bittner speaks with Eve Maler of ForgeRock to discuss how digital identity can help create a more secure connected car experience. Johannes Ullrich from SANS on configuring a proper time server infrastructure. And phishing messages via legitimate Google notifications. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/46

Selected reading:
A border-hopping PlugX USB worm takes its act on the road (Sophos News)
BitSight identifies thousands of global organizations using insecure webcams and other IoT devices, finding many susceptible to eavesdropping (BitSight)
Emotet malware attacks return after three-month break (BleepingComputer)
BlackMamba: Using AI to Generate Polymorphic Malware (HYAS)
Russian Cyberwar in Ukraine Stumbles Just Like Conventional One (Bloomberg)
Australian official demands Russia bring criminal hackers ‘to heel’ (The Record by Recorded Future)
Russia will have to rely on nukes, cyberattacks, and China since its military is being thrashed in Ukraine, US intel director says (Business Insider)
BEC 3.0 - Legitimate Sites for Illegitimate Purposes (Avanan)

Mar 9, 2023 | 27 min

S7 Ep 1775: Data breaches and IP. Current cyberespionage campaigns. A warning that the cyber phases of the hybrid war can’t be expected to be over, yet. Exfiltration via machine learning inference.

CISA adds three known exploited vulnerabilities to its Catalog. A data breach at Acer exposes intellectual property. Sharp Panda deploys SoulSearcher malware in cyberespionage campaigns. US Cyber Command’s head warns against underestimating Russia in cyberspace. Dave Bittner sits down with Simone Petrella of N2K Networks to discuss the recently released Defense Cyber Workforce Framework. Betsy Carmelite from Booz Allen Hamilton speaks about CISA's year ahead. And are large language models what the lawyers call an attractive nuisance? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/45

Selected reading:
CISA Adds Three Known Exploited Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)
March 7 CISA KEV Breakdown | Zoho, Teclib, Apache (Nucleus Security)
Acer Confirms Breach After Hacker Offers to Sell Stolen Data (SecurityWeek)
Acer confirms breach after 160GB of data for sale on hacking forum (BleepingComputer)
“Sharp Panda”: Check Point Research puts a spotlight on Chinese origined espionage attacks against southeast asian government entities (Check Point Software)
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities (Check Point Research)
What can security teams learn from a year of cyber warfare? (Computer Weekly)
Russian cyberattacks could intensify during spring offensives in Ukraine, US Cyber Command general says (Stars and Stripes)
US Bracing for Bolder, More Brazen Russian Cyberattacks (VOA)
Russia remains a ‘very capable’ cyber adversary, Nakasone says (C4ISRNet)
Employees Are Feeding Sensitive Business Data to ChatGPT (Dark Reading)

Mar 8, 2023 | 26 min

S7 Ep 1774: A new threat to routers. DoppelPaymer hoods collared. Ransomware hits a Barcelona hospital. Phishing in productivity suites. Espionage, hacktivism, and prank phone calls.

HiatusRAT exploits business-grade routers. International law enforcement action against the DoppelPaymer gang. Ransomware hits a major Barcelona hospital. Productivity suites are increasingly attractive as phishing grounds. Transparent Tribe’s romance scams. Cyberattacks briefly disrupt Russian websites and media outlets. Ashley Leonard, CEO of Syxsense, sits down with Dave to discuss their "Advancing Zero Trust Priorities" report. Joe Carrigan on a warning from Microsoft about a surge in token theft. And trolling for disinfo raw material. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/44

Selected reading:
Black Lotus Labs uncovers another new malware that targets compromised routers (Lumen Newsroom)
Germany and Ukraine hit two high-value ransomware targets | Europol (Europol)
European Police, FBI Bust International Cybercrime Gang (VOA)
German police lift lid on worldwide cyber blackmail gang (Deutsche Welle)
Europol Hits Alleged Members of DoppelPaymer Ransomware Group (Decipher)
An international sting brings another win against ransomware gangs (Washington Post)
European police move in on DoppelPaymer (Computing)
Police Looking for Russian Suspects Following DoppelPaymer Ransomware Crackdown (SecurityWeek)
Cyberattack hits major hospital in Spanish city of Barcelona (AP NEWS)
Cyberattack Hits Major Hospital in Spanish City of Barcelona (SecurityWeek)
Barcelona's Hospital Clinic hit by ransomware cyberattack 'from outside Spain' (Euro Weekly News)
Phishers’ Favorites 2022 Year-in-Review (Vade)
Kremlin Website Down Amid Reports of Cyber Attacks on Russia (The Daily Beast)
Russian diplomat blames West for recruiting hackers for operations against Moscow (TASS)
Don’t Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests (Proofpoint)

Mar 7, 2023 | 27 min

S7 Ep 1773: That crane might know what you’re shipping. Addressing the cybersecurity of water systems. Oakland’s ransomware incident is now a breach. Hybrid war. Investment scams.

Cranes as a security threat. EPA memo addresses cybersecurity risks to water systems. Oakland's ransomware incident becomes a data breach. Carding rises in the Russian underworld. Sandworm's record in Russia's war. Rick Howard sits down with Andy Greenberg from Wired to discuss how Ukraine suffered more data-wiping malware last year than anywhere, ever. Dave Bittner speaks with Kathleen Smith of ClearedJobs.Net to talk about hiring veterans and setting them (and yourself) up for success. And AI’s latest misuse: bogus investment schemes. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/43

Selected reading:
WSJ News Exclusive | Pentagon Sees Giant Cargo Cranes as Possible Chinese Spying Tools (Wall Street Journal)
EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)
EPA presses states to include cybersecurity in water safety reviews (SC Media)
EPA Calls on States to Improve Public Water Systems’ Cybersecurity (Meritalk)
EPA issues water cybersecurity mandates, concerning industry and experts (CyberScoop)
City of Oakland Targeted by Ransomware Attack, Work Continues to… (City of Oakland)
Ransomware gang leaks data stolen from City of Oakland (BleepingComputer)
Ransomware hackers release some stolen Oakland data (CBS News)
Oakland officials say ransomware group may release personal data on Saturday (The Record from Recorded Future News)
Cybercrime site shows off with a free leak of 2 million stolen card numbers (The Record from Recorded Future News)
A year of wipers: How the Kremlin-backed Sandworm has attacked Ukraine during the war (The Record from Recorded Future News)
Bitdefender Labs warns of fresh phishing campaign that uses copycat ChatGPT platform to swindle eager investors (Hot for Security)

Mar 6, 2023 | 28 min

S3 Ep 139: Gabriela Smith-Sherman: Thriving in the chaos. [Cyber governance] [Career Notes]

bonus

Gabriela Smith-Sherman, a former Federal agency CISO with over 15 years of experience in leading and implementing comprehensive enterprise cybersecurity programs and initiatives, sits down to share her journey. She is a U.S. combat disabled veteran who understands the importance of mission and is dedicated to delivering high-quality results and value to customers through innovative solutions. Gabriela shares about her time in the military, how being a part of the service was one of the best decisions she made, and how she dedicates all her hard work to her time in the military. She also shares that getting out of the routine of the military and becoming a civilian was a hard transition, but she says that she thrives in the chaos of the IT world and that the military helped her prepare for the cyber industry. She said "I think my military experience has prepared me, uh, to be in those kind of chaotic positions and be very calm about the approach." We thank Gabriela for sharing her story with us.

Mar 5, 2023 | 8 min

S7 Ep 271: New exploits are tricking Chrome. [Research Saturday]

bonus

Dor Zvi, Co-Founder and CEO of Red Access, joins to discuss their work on "New Chrome Exploit Lets Attackers Completely Disable Browser Extensions." A recently patched exploit tricked Chrome browsers on all popular OSs into not only giving attackers visibility of their targets’ browser extensions, but also the ability to disable all of those extensions. The research states that the exploit consists of a bookmarklet that allows threat actors to selectively force-disable Chrome extensions using a handy graphical user interface, making Chrome mistakenly identify it as a legitimate request from the Chrome Web Store. The research can be found here: New Chrome Exploit Lets Attackers Completely Disable Browser Extensions

Mar 4, 2023 | 15 min

S7 Ep 1772: More on how the US will implement its new National Cybersecurity Strategy. Emissary Panda and Mustang Panda are back. Responding to phishing. Royal ransomware. Water utility security.

Implementing the US National Cybersecurity Strategy. The US National Cybersecurity Strategy was informed by lessons from Russia's war. Two threat actors from China up their game. Responding to a phishing campaign. #StopRansomware: Royal Ransomware. CISA releases five ICS advisories. Sameer Jaleel, Kent State University Associate CIO, on closing functionality gaps and creating a safer digital environment for students. Johannes Ullrich from SANS on establishing an "End of Support" inventory. EPA issues a memo on water system cybersecurity. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/42

Selected reading:
National Cybersecurity Strategy (The White House)
US cyber leaders discuss the new National Cyber Strategy. (CyberWire)
Biden vows to wield ‘all instruments’ in fighting cyberthreats (Defense News)
Chinese state-backed hackers Iron Tiger target Linux devices with new malware (Tech Monitor)
Chinese hackers use new custom backdoor to evade detection (BleepingComputer)
Scam alert: Trezor warns users of new phishing attack (Cointelegraph)
FBI and CISA Release #StopRansomware: Royal Ransomware | CISA (Cybersecurity and Infrastructure Security Agency CISA)
CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)
EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)

Mar 3, 2023 | 24 min

S2 Ep 43: CISA Alert AA23-061A – #StopRansomware: Royal ransomware.

CISA and FBI are releasing this joint advisory to disseminate known Royal ransomware IOCs and TTPs identified through recent FBI threat response activities.

AA23-061A Alert, Technical Details, and Mitigations
AA23-061A STIX XML
Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog
2023-01: ACSC Ransomware Profile - Royal | Cyber.gov.au

See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected]. To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office.

Mar 3, 2023 | 2 min

S2 Ep 42: CISA Alert AA23-059A – CISA red team shares key findings to improve monitoring and hardening of networks. [CISA Cybersecurity Alerts]

The Cybersecurity and Infrastructure Security Agency is releasing this Cybersecurity Advisory detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization's cyber posture.

AA23-059A Alert, Technical Details, and Mitigations

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected]. To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office.

Mar 3, 2023 | 2 min

S8 Ep 50: CyberWire commentary: Ukraine one year on. [Special Edition]

CyberWire Daily podcast host Dave Bittner is joined by CyberWire editor John Petrik for an extended discussion about the Russian invasion of Ukraine and its effect on cybersecurity, on the one-year anniversary of the invasion. John and his team have covered the Ukrainian conflict with daily news stories since the invasion began, and in fact had quite a lot of coverage prior to the invasion. They take stock of where things stand, what has happened, and what we expected versus reality.

Mar 3, 2023 | 22 min

S7 Ep 1771: The US National Cybersecurity Strategy is out, and we have a preliminary look. CISA red-teams critical infrastructure. A new cryptojacker is out. Russia bans messaging apps. Hacktivist auxiliaries.

The White House releases its US National Cybersecurity Strategy. Red-teaming critical infrastructure. Redis cryptojacker discovered. Russia bans several messaging apps. Our guest is Kapil Raina from CrowdStrike with the latest on threat hunting. Dinah Davis from Arctic Wolf on the top healthcare industry cyber attacks. And hacktivist auxiliaries continue their nuisance-level activities. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/41

Selected reading:
National Cybersecurity Strategy (The White House)
FACT SHEET: Biden-Harris Administration Announces National Cybersecurity Strategy (The White House)
Biden administration releases new cybersecurity strategy (AP NEWS)
White House pushes for mandatory regulations, more offensive cyber action under National Cyber Strategy (The Record from Recorded Future News)
Here's why Biden's new cyber strategy is notable (Washington Post)
How the U.S. National Cyber Strategy Reaches Beyond Government Agencies (Wall Street Journal)
Biden National Cyber Strategy Seeks to Hold Software Firms Liable for Insecurity (Wall Street Journal)
CISA Red Team Shares Key Findings to Improve Monitoring and Hardening of Networks (Cybersecurity and Infrastructure Security Agency CISA)
CISA red-teamed a 'large critical infrastructure organization' and didn't get caught (The Record from Recorded Future News)
Redis Miner Leverages Command Line File Hosting Service (Cado Security | Cloud Investigation)
Russia bans foreign messaging apps (Computing)
U.S. Consulate hacked by "Putin supporters" (Newsweek)

Mar 2, 2023 | 25 min

S7 Ep 1770: How an attack led to a breach that enabled further social engineering. Forensic visibility in the Google Cloud Platform. Hacktivist auxiliaries. Two 8Ks and a free decryptor.

The LastPass data breach built on an earlier attack. Forensic visibility and the Google Cloud Platform. An overview of hacktivist auxiliaries in Russia's war against Ukraine. Dish acknowledges sustaining a cyberattack. MKS Instruments discloses a ransomware incident. Carole Theriault has a lesson about ChatGPT and school systems. Ann Johnson from Afternoon Cyber Tea speaks with Stacy Hughes from Voya Financial about her journey to being CISO. And Bitdefender releases a decryptor for MortalKombat ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/40

Selected reading:
LastPass sustains a second data breach. (CyberWire)
Incident 2 – Additional details of the attack (LastPass Support)
LastPass Says DevOps Engineer Home Computer Hacked (SecurityWeek)
LastPass: Keylogger on home PC led to cracked corporate password vault (Naked Security)
LastPass data was stolen by hacking an employee’s home computer (The Verge)
LastPass says employee’s home computer was hacked and corporate vault taken (Ars Technica)
LastPass is in Big Trouble (Gizmodo)
LastPass: DevOps engineer hacked to steal password vault data in 2022 breach (BleepingComputer)
The LastPass security breach is still going from bad to worse (Cybersecurity Connect)
Mitiga on forensic visibility and the Google Cloud Platform. (CyberWire)
Mitiga Security Advisory: Insufficient Forensic Visibility in GCP Storage (Mitiga)
Google Cloud Platform Exfiltration: A Threat Hunting Guide (Mitiga)
The Cyber Warfare Report (GroupSense)
Dish Network confirms ransomware attack behind multi-day outage (BleepingComputer)
DISH tells SEC that ransomware attack caused outages; personal info may have been stolen (The Record from Recorded Future News)
Ransomware attack on chip supplier causes delays for semiconductor groups (Financial Times)
Bitdefender Releases Decryptor for MortalKombat Ransomware (Bitdefender Labs)
Victims of MortalKombat ransomware can now decrypt their locked files for free (The Record from Recorded Future News)

Mar 1, 2023 | 23 min

S7 Ep 1769: Data breach at the US Marshals Service. Blind Eagle phishes in the service of espionage. Dish investigates its outages. Qakbot delivered via OneNote files. Memory-safe coding.

The US Marshals Service sustains a data breach. Blind Eagle is a phish hawk. Dish continues to work toward recovery. OneNote attachments are used to distribute Qakbot. Ben Yelin has analysis on the Supreme Court’s hearing on a section 230 case. Mr Security Answer Person John Pescatore has thoughts on Chat GPT. And CISA Director Easterly urges vendors to make software secure-by-design. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/39

Selected reading:
U.S. Marshals Service investigating ransomware attack, data theft (BleepingComputer)
US Marshals says prisoners’ personal information taken in data breach (TechCrunch)
Blind Eagle Deploys Fake UUE Files and Fsociety to Target Colombia's Judiciary, Financial, Public, and Law Enforcement Entities (BlackBerry)
Dish hit by multiday outage after reported cyberattack (TechCrunch)
DISH says ‘system issue’ affecting internal servers, phone systems (The Record from Recorded Future News)
Take Note: Armorblox Stops OneNote Malware Campaign (Armorblox)
Ukraine & Intelligence: One Year on – with Shane Harris (SpyCast)
U.S. cyber official praises Apple security and suggests Microsoft, Twitter need to step it up (CNBC)
U.S. cyber chief warns tech companies to curb unsafe practices (CBS News)
Tech manufacturers are leaving the door open for Chinese hacking, Easterly warns (The Record from Recorded Future News)
CISA Director Calls Out Industry Using Consumers as Cyber 'Crash Test Dummies' (Nextgov.com)
The Designed-in Dangers of Technology and What We Can Do About It (Cybersecurity and Infrastructure Security Agency)

Feb 28, 2023 | 26 min

S7 Ep 1768: Artificial intelligence behaving badly? Or just tastelessly? Third-party risks. Signs that the advantage may be tilting toward the defender.

Social engineering with generative AI. Mylobot and BHProxies. PureCrypter is deployed against government organizations and staged through Discord. Dish Network reports disruption. Third-party app and software as a service risk. Further assessments of the cyber phase of Russia's war so far, with warnings to stay alert. Are tough times coming in gangland? Comments on NIST's revisions to its Cybersecurity Framework are due this Friday. AJ Nash from ZeroFox on Mis/Dis/and Malinformation. Rick Howard digs into Zero Trust. And get this—AI is writing science fiction! For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/38

Selected reading:
Social engineering with generative AI. (CyberWire)
Who’s Behind the Botnet-Based Service BHProxies? (KrebsOnSecurity)
Mylobot: Investigating a proxy botnet (Bitsight)
PureCrypter targets government entities through Discord (Menlo Security)
PureCrypter malware hits govt orgs with ransomware, info-stealers (BleepingComputer)
Uncovering the Risks & Realities of Third-Party Connected Apps: 2023 SaaS-to-SaaS Access Report (Adaptive Shield)
Ukraine war anniversary likely to bring ‘disruptive’ cyberattacks on West, agencies warn (Global News)
How the Ukraine War Has Changed Russia’s Cyberstrategy (Foreign Policy)
A year of wiper attacks in Ukraine (WeLiveSecurity)
Russia's yearlong cyber focus on Ukraine (Axios)
A year after Russia's invasion, cyberdefenses have improved around the world (Washington Post)
One year on, how is the war playing out in cyberspace? (WeLiveSecurity)
The Russia-Ukraine cyber war: one year later (IT World Canada)
Russia launched large-scale operations in cyberspace alongside war (euronews)
WSJ News Exclusive | Hackers Extort Less Money, Are Laid Off as New Tactics Thwart More Ransomware Attacks (Wall Street Journal)
AI-generated fiction is flooding literary magazines — but not fooling anyone (The Verge)

Feb 27, 2023 | 25 min

S3 Ep 138: Mike Fey: Highs are high and lows are low. [CEO] [Career Notes]

bonus

Mike Fey, CEO and co-founder of Island.io, joins to share his story: falling in love with technology and being fascinated by it at a young age. Mike quickly started working for companies where he grew in his role, becoming CTO of McAfee and then GM of the Enterprise business, then stepping out to become president and COO of Blue Coat, which was eventually acquired by Symantec, before eventually wanting to get into his own business. He shares that being a small business owner is a lot of hard work and very tiring at times; he says "especially in a startup, the highs are very high and the lows are very low." Mike also mentions how easy it is to get knocked down when you are in charge of your own business, but that teamwork is what helps to bring him back up. Mike says he wants to eventually help change the world and hopes his legacy will help him do that some day. We thank Mike for sharing his story with us.

Feb 26, 2023 | 7 min

S7 Ep 270: The next hot AI scam. [Research Saturday]

bonus

Andy Patel from WithSecure Labs joins Dave to discuss their study that demonstrates how GPT-3 can be misused through malicious and creative prompt engineering. The research looks at how this technology, GPT-3 and GPT-3.5, can be used to trick users into scams. GPT-3 is a user-friendly tool that employs an autoregressive language model to generate versatile natural language text from a small amount of input, which could inevitably interest cybercriminals. The research looks for possible malpractice from this tool, such as phishing content, social opposition, social validation, style transfer, opinion transfer, prompt creation, and fake news. The research can be found here: Creatively malicious prompt engineering

Feb 25, 2023 | 25 min

S7 Ep 1767: A look at the cyber aspects of Russia’s war, on the first anniversary of the invasion of Ukraine. And a few notes from elsewhere in cyberspace.

CISA advises increased vigilance on the first anniversary of Russia's war. CERT-UA reports current Russian cyberattacks were prepared in December 2021. How the war has changed the cyber underworld. Air raid alerts sound in nine Russian cities; Russia blames hacking. Our space correspondent Maria Varmazis speaks with Zhanna Malekos Smith at the Center for Strategic & International Studies about a new security agreement between Japan and the US. Kathleen Smith of ClearedJobs.Net clears misperceptions about the cleared space. And Dole continues recovery from ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/37

Selected reading:
CISA Urges Increased Vigilance One Year After Russia's Invasion of Ukraine (Cybersecurity and Infrastructure Security Agency | CISA)
Ukraine says Russian hackers backdoored govt websites in 2021 (BleepingComputer)
Ukraine suffered more data-wiping malware than anywhere, ever (Ars Technica)
The First Crypto War? Assessing the Illicit Blockchain Ecosystem One Year Into Russia's Invasion of Ukraine (TRM Insights)
Ransomware Gang Conti Has Re-Surfaced and Now Operates as Three Groups: TRM Labs (CoinDesk)
Russia-Ukraine War: 3 Cyber Threat Effects, 1 Year In (ReliaQuest)
Russian cybercrime alliances upended by Ukraine invasion (Register)
Study: Old pacts ditched the moment Moscow moved in
How the Russia-Ukraine war has changed cyberspace (The Hill)
Authorities blame hackers after air raid sirens sound over radio in multiple Russian cities (Meduza)
Russia blames 'hackers' for fake missile strike alerts (Register)
Fruit giant Dole suffers ransomware attack impacting operations (BleepingComputer)
Food giant Dole hit by ransomware (Computing)
CISA Releases Three Industrial Control Systems Advisories (CISA)

Feb 24, 2023 | 30 min

S7 Ep 1766: Hybrid war and cyber espionage. Ransomware in the produce aisle. Bypassing security filters in a BEC campaign. Identity-based attacks. Avoid pirated software. And what the bots have been scalping.

Cyberattacks in Russia's war so far, and their future prospects. The Lazarus Group may be employing a new backdoor. Clasiopa targets materials research organizations. Ransomware interferes with food production. Evernote is used in a BEC campaign to bypass security filters. Identity-based cyberattacks. Pirated versions of Final Cut Pro deliver cryptominers. Caleb Barlow has thoughts on Twitter, Mudge, and lessons learned. Marc Van Zadelhoff from the Cyber CEOs Decoded podcast speaks with Amanda Renteria, CEO of Code for America, about attracting diverse talent. And what have the scalperbots been up to lately? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/36

Selected reading:
A year into Ukraine, looking back at 5 prewar predictions (Breaking Defense)
Dutch intelligence: Many cyberattacks by Russia are not yet public knowledge (The Record from Recorded Future News)
WinorDLL64: A backdoor from the vast Lazarus arsenal? (WeLiveSecurity)
Clasiopa: New Group Targets Materials Research (Symantec)
Cyberattack on food giant Dole temporarily shuts down North America production, company memo says (CNN Business)
Business Email Compromise Scam Leads to Credential Harvesting Evernote Page (Avanan)
The 2023 State of Identity Security Report (Oort)
Beware of macOS cryptojacking malware. (Jamf Threat Labs)
Quarterly Index: Top 5 Scalper Bot Targets of Q4 2022 (Netacea)

Feb 23, 202329 min

S7 Ep 1765Vulnerabilities newly exploited in the wild. A new cyberespionage campaign. Trends in the C2C marketplace. Hacktivists, other auxiliaries, and the laws of armed conflict.

CISA adds three entries to its Known Exploited Vulnerabilities Catalog. "Hydrochasma" is a new cyberespionage threat actor. IBM claims the biggest effect of cyberattacks in 2022 was extortion. Social network hijacking in the C2C market. A credential theft campaign against data centers. LockBit claims an attack on a water utility in Portugal. Tim Starks from the Washington Post describes calls to focus on harmonizing cyber regulations. Our guest is Luke Vander Linden, host of the RH-ISAC Podcast. Disrupting Mr. Putin's speech, online, and what the hybrid war suggests about the future of cyber auxiliaries. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/35 Selected reading. CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA) Hydrochasma: Previously Unknown Group Targets Medical and Shipping Organizations in Asia (Symantec) IBM Security X-Force Threat Intelligence Index 2023 (IBM) S1deload Stealer – Exploring the Economics of Social Network Account Hijacking (Bitdefender Labs) Cyber Attacks on Data Center Organizations (Resecurity) Hackers Scored Data Center Logins for Some of the World's Biggest Companies (Bloomberg) LockBit gang takes credit for attack on water utility in Portugal (The Record from Recorded Future News) Ukraine Suffered More Data-Wiping Malware Last Year Than Anywhere, Ever (WIRED) Ukrainian hackers claim disruption of Russian TV websites during Putin speech (The Record from Recorded Future News) Ukraine's volunteer cyber army could be model for other nations: experts (Newsweek) Ukraine's largest charity wants to raise $1.3 million for ‘cyber offensive’ (The Record from Recorded Future News) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 22, 202328 min

S7 Ep 1764GoDaddy's compromise. Twitter disables SMS authentication for all but blue-checked users. Deutsche DDoS. Is Bing channeling Tay?

GoDaddy has discovered a compromise of its systems. Twitter disables SMS authentication for those not subscribed to Twitter Blue. Last week’s cyber incident impacting German airports was confirmed to be DDoS. The consequences of irregular civilian participation in cyber wars. Semiconductor tech giant Applied Materials sees significant financial losses from a cyberattack. Joe Carrigan on scammers dangling fake job offers to students. Our guests are Max Shuftan & Monisha Bush from the SANS Institute, on the reopening of their HBCU Cyber Academy application window. And is Bing channeling Tay? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/34 Selected reading. GoDaddy Inc. - Statement on recent website redirect issues (GoDaddy) GoDaddy: Hackers stole source code, installed malware in multi-year breach (Bleeping Computer) GoDaddy SEC Filing (SEC) An update on two-factor authentication using SMS on Twitter (Twitter) Twitter Limits SMS-Based 2-Factor Authentication to Blue Subscribers Only (The Hacker News) SMS-Based 2FA Will Be Limited to Twitter Blue Users (HackRead) Twitter will limit uses of SMS 2-factor authentication. What does this mean for users? (NPR) Twitter's Two-Factor Authentication Change 'Doesn't Make Sense' (WIRED) Twitter Shuts Off Text-Based 2FA for Non-Subscribers (SecurityWeek) Official: Twitter will now charge for SMS two-factor authentication (The Verge) German airport websites downed by DDoS attacks (Register) German airports hit by DDoS attack, ‘Anonymous Russia’ claims responsibility (The Record from Recorded Future) Russian phishing attacks flooded Ukraine, tripled against NATO nations in 2022: Report (Breaking Defense) Civilian hackers could become military targets, Red Cross warns (The Record from Recorded Future News) I helped create a 'cyber army' to help Ukraine defeat Russia. We can't fight with guns, but we can fight with our laptops. (Business Insider) How Uncle Sam enlisted Big Tech to thwart Russia from launching catastrophic cyberwar (The Washington Times) Big Tech Descends on Munich Conference in Support of Ukraine (Bloomberg) Applied Materials will take a $250M hit to sales this quarter, thanks to a cyberattack at one of its suppliers (Silicon Valley Business Journal) Semiconductor industry giant says ransomware attack on supplier will cost it $250 million (The Record by Recorded Future) How should AI systems behave, and who should decide? (OpenAI) Why Bing Is Being Creepy (Intelligencer) Microsoft's new chatbot is a liar. And it says it's ready to call the cops. (Mother Jones) After AI chatbot goes a bit loopy, Microsoft tightens its leash (Washington Post) My Week of Being Gaslit and Lied to by the New Bing (The Information) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 21, 202328 min

S8 Ep 48Modernizing the U.S. Navy's cybersecurity posture. [Special Edition]

Dave Bittner had a conversation with Commander Brandon Campbell of US Navy Cyber Defense Operations Command and Captain Steve Correia, Commanding Officer of Naval Network Warfare Command. They discussed the Navy’s cybersecurity advances and how they have implemented them. Commander Brandon Campbell is the former Operations Director at Navy Cyber Defense Operations Command and Task Force 1020 where they protect, detect, and respond to global cyber threats against Navy networks. Captain J. Steve Correia is the Commanding Officer of Naval Network Warfare Command and the Commander of Task Force 1010 under the U.S. Navy’s Fleet Cyber Command where they execute tactical-level command and control to direct, operate, maintain and secure Navy communication and network systems. Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 20, 202321 min

S3 Ep 137Rachel Tobac: Find a way to laugh. [CEO] [Career Notes]

bonus

Rachel Tobac, CEO of SocialProof Security, sits down to share her story of becoming what's known in the industry as an ethical hacker, and the CEO of a company. Rachel shares how she was always fascinated with spy movies, and as she grew older that fascination turned into a real desire. Finding that she liked learning how the human brain works, she decided to start off in neuroscience. Wanting a change, and with the help of her husband, she was able to start getting more into hacking, finding she loved the fact that she was pretending to be someone else to hack into a company and find its weak spots. She shares how, as a leader now, she likes to be authentic with her team. She says "I think in the security world sometimes we take ourselves pretty seriously and a lot of times it's because we're dealing with really serious topics, and so in the moment we have to be extremely serious, but when you get a five minute break in between your crisis meetings, find a way to laugh if you can." We thank Rachel for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 19, 20237 min

S7 Ep 269Implementing and achieving security resilience. [Research Saturday]

bonus

Wendy Nather from Cisco sits down with Dave to discuss their work on "Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report." The report describes what security resilience is, and how companies can achieve it. Wendy talks through some of the key findings of the report, which surveyed 4,751 active information security and privacy professionals from 26 countries, and we learn some of the top priorities for achieving security resilience. From there the research goes on to identify which data-backed practices lead to the outcomes that can be implemented in cybersecurity strategies. The research can be found here: Cracking the Code to Security Resilience: Lessons from the Latest Cisco Security Outcomes Report Achieving Security Resilience Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 18, 202320 min

S7 Ep 1763FBI Investigates a network incident. Developments in cybercrime. DDoS against German airports. US forms a Disruptive Technology Strike Force. CISA releases 15 ICS advisories.

The FBI is investigating incidents on its networks. Frebniis abuses an IIS feature to backdoor Microsoft IIS servers. ProxyShell vulnerabilities are used to install a cryptominer. Havoc's post-exploitation framework. Atlassian discloses a data breach. German airports sustain a cyber incident. An Aspen Institute report concludes that cyber assistance benefits Ukraine. US announces "Disruptive Technology Strike Force." Robert M. Lee from Dragos on the value of capture the flag events. Our guests are Commander Brandon Campbell of US Navy Cyber Defense Operations Command and Captain Steve Correia, Commanding Officer of Naval Network Warfare Command. And CISA releases fifteen ICS advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/33 Selected reading. Exclusive: FBI says it has 'contained' cyber incident on bureau's computer network (CNN) Frebniis: New Malware Abuses Microsoft IIS Feature to Establish Backdoor (Symantec, by Broadcom Software) ProxyShellMiner Campaign Creating Dangerous Backdoors (Morphisec) Attacks with novel Havoc post-exploitation framework identified (SC Media) Atlassian says recent data leak stems from third-party vendor hack (BleepingComputer) German airport websites down in possible hacker attack (Deutsche Welle) The Cyber Defense Assistance Imperative – Lessons from Ukraine (Aspen Institute) U.S. launches 'disruptive technology' strike force to target national security threats (Reuters) Justice Department to Increase Scrutiny of Technology Exports, Investments (Wall Street Journal) ICS-CERT Advisories (CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 17, 202331 min

S7 Ep 1762APT37 has some new tricks. Multilingual BEC attacks. A look at the cyber phases of Russia’s war, and how being a crime victim may now be another way of serving the state. Influencers behaving badly.

North Korea's APT37 is distributing M2RAT. Multilingual BEC attacks, and how they happen. Assessing the cyber phase of Russia's war as the first anniversary of the invasion approaches. Killnet's attempt to rally hacktivists and criminals to the cause of Russia. Dinah Davis from Arctic Wolf describes continuous network scanning. Our guest is Dr. Inka Karppinen of CybSafe with a look at cyber security through the lens of a behavioral psychologist. And Grand Theft Auto is now also a TikTok challenge. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/32 Selected reading. RedEyes hackers use new malware to steal data from Windows, phones (BleepingComputer) Multilingual Executive Impersonation Attacks (Abnormal Intelligence) Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (Google Threat Analysis Group) Following the Money: Killnet’s ‘Infinity Forum’ Wooing Likeminded Cybercriminals (Flashpoint) Hyundai, Kia patch bug allowing car thefts with a USB cable (BleepingComputer) Hyundai and Kia Launch Service Campaign to Prevent Theft of Millions of Vehicles Targeted by Social Media Challenge (NHTSA) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 16, 202325 min

S7 Ep 1761A look at the SideWinder APT. GoAnywhere vulnerability exploited in the wild. Ransomware rampant. Hacktivism in Russia’s hybrid war. Patch Tuesday notes.

SideWinder is an APT with possible origins in India. MortalKombat ransomware debuts. The GoAnywhere zero day was exploited in a data breach. Belarusian Cyber-Partisans release Russian data. Betsy Carmelite from Booz Allen Hamilton shares an overview of cyber deception. Our guest is Ashley Allocca from Flashpoint with a look at the Breaches and Malware Threat Landscape. And notes on Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/31 Selected reading. Molted skin: APT SideWinder 2021 campaign that targeted over 60 companies in the Asia-Pacific (Group-IB) New MortalKombat ransomware and Laplas Clipper malware threats deployed in financially motivated campaign (Cisco Talos Blog) Tonga is the latest Pacific Island nation hit with ransomware (The Record from Recorded Future News) LockBit demanded £66mn from Royal Mail (Computing) City of Oakland declares state of emergency after ransomware attack (BleepingComputer) City of Oakland Targeted by Ransomware Attack, Work Continues to Secure and Restore Services Safely (City of Oakland) Huge data dump from Russia’s censorship agency posted online (Cybersecurity Connect) Russian system to scan internet for undesired content and dissent (Reuters) Patch Tuesday: Three zero-days and nine 'Critical' RCE flaws fixed (Computing) Microsoft February 2023 Patch Tuesday fixes 3 exploited zero-days, 77 flaws (BleepingComputer) Apple Releases Security Updates for Multiple Products (CISA) SAP Security Patch Day for February 2023 (Onapsis) Citrix Releases Security Updates for Workspace Apps, Virtual Apps and Desktops (CISA) Adobe Releases Security Updates for Multiple Products (CISA) The first national cyber director's last day is today (Washington Post) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 15, 202328 min

S7 Ep 1760Blender is back, but now DBA Sinbad (still working for the Lazarus Group). Cyberespionage notes. Hacktivism. ICS threats. Valentine’s Day scams.

"Blender" reappears as "Sinbad." A Tonto Team cyberespionage attempt against Group-IB is thwarted. DarkBit claims responsibility for a ransomware attack on Technion University. An overview of ICS and OT security. Ben Yelin looks at surveillance oversight at the state level. Ann Johnson from Afternoon Cyber Tea speaks with Marene Allison about the CISO transformation. And it’s Valentine's Day, that annual holiday of love, chocolate, flowers, and online scams. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/30 Selected reading. Has a Sanctioned Bitcoin Mixer Been Resurrected to Aid North Korea’s Lazarus Group? (Elliptic Connect) Nice Try Tonto Team (Group-IB) Hackers attack Israel’s Technion University, demand over $1.7 million in ransom (ARN) Israel's top tech university postpones exams after ransomware attack (The Record from Recorded Future News) Russian hackers ‘disrupt Turkey-Syria earthquake aid’ in cyber attack on Nato (The Independent) Killnet DDoS attacks disrupt Nato websites (ComputerWeekly.com) Russian Hackers Disrupt NATO Earthquake Relief Operations (Dark Reading) What Happened to #OpRussia? (Dark Reading) Russian-linked malware was close to putting U.S. electric, gas facilities ‘offline’ last year (POLITICO) 2022 ICS/OT Cybersecurity Year in Review Executive Summary (Dragos) What’s love got to do with it? 4 in 5 Valentine’s Day-themed spam emails are scams, Bitdefender Antispam Lab warns (Hot for Security) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 14, 202327 min

S7 Ep 1759Known Exploited Vulnerabilities. Fool’s gold. Hacktivists come in both dissident and loyal varieties. Naming and shaming the shameless.

CISA adds to its Known Exploited Vulnerabilities Catalog. Cl0p claims responsibility for GoAnywhere exploitation. Victims mine for gold; attackers use pig butchering tactics. Hacktivists disrupt Iranian television during Revolution Day observances. Killnet claims a DDoS attack against NATO earthquake relief efforts. CyberWire UK Correspondent Carole Theriault asks what can we learn from the recent Roomba privacy snafu? Rick Howard looks at first principles we considered along the way. And can you name and shame the shameless? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/29 Selected reading. CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA) GoAnywhere MFT Zero-Day Exploitation Linked to Ransomware Attacks (SecurityWeek) Clop ransomware claims it breached 130 orgs using GoAnywhere zero-day (BleepingComputer) Fool’s Gold: dissecting a fake gold market pig-butchering scam (Sophos) Iranian State TV Hacked During President's Speech on Revolution Day (HackRead) Russian hackers disrupt Turkey-Syria earthquake relief (The Telegraph) Hacking marketplace emerges from Killnet partnership, seeks pro-Russia donations (SC Media) Russian Government evaluates the immunity to hackers acting in the interests of Russia (Security Affairs) Russia’s Ransomware Gangs Are Being Named and Shamed (WIRED) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 13, 202324 min

S3 Ep 136Jaden Dicks: It is never too early to start. [CyberVista intern] [Career Notes]

bonus

Jaden Dicks, a new intern at CyberVista, a company that merged with CyberWire to become N2K Networks, shares his story as a young man growing up trying to get into the cyber community. From a very young age, Jaden hoped to become part of the cybersecurity field. He recalls growing up constantly surrounded by technology, and now, with the help of Urban Alliance, Jaden was able to secure this internship with CyberVista. Urban Alliance is a nonprofit that connects young adults with paid work experiences, such as internships, to help them bridge the gap between education and the workforce. Jaden hopes that this internship will help him further advance his career and pursue his goal of working in cyber. He also shares advice for younger people like him who are looking to branch out and start working toward their goals, even as teenagers, and what has helped him find his rhythm. We thank Jaden for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 12, 20237 min

S7 Ep 268Knocking down the legs of the industrial security triad. [Research Saturday]

bonus

Pascal Ackerman, OT Security Strategist at GuidePoint Security, joins Dave to discuss his work on discovering a vulnerability in the integrity of a common HMI client-server protocol. The research is a proof-of-concept (PoC) attack on the integrity of data flowing across the industrial network, with the intention of intercepting, viewing, and even manipulating values sent to (and from) the HMI, so that an operator is tricked into making a wrong decision that ultimately affects the proper operation of the process. The research targets Rockwell Automation’s FactoryTalk View SE products, and highlights the lack of integrity and confidentiality on the production network and the effect that has on the overall security of the production environment. The research can be found here: GuidePoint Security researcher discovers vulnerability in the integrity of common HMI client-server protocol Learn more about your ad choices. Visit megaphone.fm/adchoices
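The security-relevant point in this episode is that an HMI protocol carrying tag values without an integrity check lets an on-path attacker rewrite a value and the operator never knows. The example below is added here and is not GuidePoint's PoC, nor FactoryTalk View SE's wire format: it uses a constructed, hypothetical JSON tag-update message and a hypothetical pre-shared key, and contrasts a plain message (tampering goes unnoticed) with the same message protected by an HMAC (tampering is rejected).

```python
import hashlib
import hmac
import json

# Hypothetical pre-shared key between HMI client and server (assumption,
# not a real product's key). In practice this comes from provisioning.
KEY = b"shared-secret-between-hmi-and-server"


# --- Unauthenticated protocol: what a plaintext HMI link looks like ---

def encode_plain(tag, value):
    """Constructed tag-update message with no integrity protection."""
    return json.dumps({"tag": tag, "value": value}, sort_keys=True).encode()


def decode_plain(msg):
    """Server/HMI side: trusts whatever arrives on the wire."""
    d = json.loads(msg)
    return d["tag"], d["value"]


def tamper(msg, new_value):
    """On-path attacker rewrites the value field; nothing detects it."""
    d = json.loads(msg)
    d["value"] = new_value
    return json.dumps(d, sort_keys=True).encode()


# --- Authenticated protocol: same message plus HMAC-SHA256 ---

def encode_mac(tag, value, key=KEY):
    """Append an HMAC over the serialized body: body|hex(mac)."""
    body = json.dumps({"tag": tag, "value": value}, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + mac


def decode_mac(msg, key=KEY):
    """Recompute the MAC and reject the message if it does not match."""
    body, sep, mac = msg.rpartition(b"|")
    if not sep:
        raise ValueError("missing MAC")
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode()
    # Constant-time comparison avoids leaking the MAC via timing.
    if not hmac.compare_digest(expected, mac):
        raise ValueError("integrity check failed")
    d = json.loads(body)
    return d["tag"], d["value"]


def tamper_mac(msg, new_value):
    """Attacker edits the body but cannot recompute the MAC without KEY."""
    body, _, mac = msg.rpartition(b"|")
    d = json.loads(body)
    d["value"] = new_value
    return json.dumps(d, sort_keys=True).encode() + b"|" + mac


def demo():
    """Return (value the operator sees on the plain link, tamper caught on MAC link)."""
    # Constructed sample: tank level reported as 72.5, attacker rewrites to 20.0.
    plain = encode_plain("TankLevel", 72.5)
    _, seen_by_operator = decode_plain(tamper(plain, 20.0))

    protected = encode_mac("TankLevel", 72.5)
    try:
        decode_mac(tamper_mac(protected, 20.0))
        caught = False
    except ValueError:
        caught = True
    return seen_by_operator, caught


if __name__ == "__main__":
    seen, caught = demo()
    print(f"plain link: operator sees {seen}; authenticated link: tamper caught = {caught}")
```

An HMAC gives integrity and origin, not confidentiality (the attacker can still read the tag values, the other half of the gap the research points to) and not replay protection: a captured valid message can be resent later unless the body also carries a sequence number or timestamp that the receiver checks. On a real plant network this is normally delivered by running the HMI protocol over an authenticated, encrypted transport rather than by hand-rolling a MAC.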

Feb 11, 202319 min

S7 Ep 1758US, RoK agencies outline DPRK ransomware. Reddit breached. ICS and IIoT issues. It’s almost Valentine’s Day. Have you noticed? (The hoods have.)

US and Republic of Korea agencies outline the DPRK ransomware threat. Reddit is breached. CISA releases six ICS advisories. Flaws are found in IIoT devices. Dinah Davis from Arctic Wolf shares cybersecurity stats every IT professional should know. Our guest is Kayla Williams from Devo, on autonomous SOCs. And, it’s almost Valentine’s Day. Have you noticed? (The hoods have.) For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/28 Selected reading. #StopRansomware - Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities (CISA) #StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities (CISA) U.S., South Korean Agencies Partner to #StopRansomware Threat from DPRK (National Security Agency/Central Security Service) US and South Korea accuse North Korea of using hospital ransoms to fund more hacking (The Record from Recorded Future News) North Korea using healthcare ransomware attacks to fund further cybercrime, feds say (SC Media) U.S., South Korea Warn of North Korean Ransomware Threats (Bank Info Security) r/reddit - We had a security incident. Here’s what we know. (reddit) Hackers breach Reddit to steal source code and internal data (BleepingComputer) Reddit Breached With Stolen Employee Credentials (Dark Reading) Reddit Says It Was Hacked But That You Don't Need to Worry. Probably. (Gizmodo) Control By Web X-400, X-600M (CISA) LS ELECTRIC XBC-DN32U (CISA) Johnson Controls System Configuration Tool (SCT) (CISA) Horner Automation Cscape Envision RV (CISA) Omron SYSMAC CS/CJ/CP Series and NJ/NX Series (CISA) ARC Informatique PcVue (CISA) Industrial Wireless IoT - The direct path to your Level 0 (Otorio) Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices (The Hacker News) Romance scammers’ favorite lies exposed (Federal Trade Commission) New FTC Data Reveals Top Lies Told by Romance Scammers (Federal Trade Commission) Romance scammers could cause unhappy Valentine’s Day (Washington Post) Love Bytes (Georgia State News Hub) As V-Day nears: Romance scams cost victims $1.3B last year (Register) Michigan AG warns of cybersecurity risks after data breach of gaming sites (mlive) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 10, 202329 min

S2 Ep 41CISA Alert AA23-040A – #StopRansomware: ransomware attacks on critical infrastructure fund DPRK malicious cyber activities. [CISA Cybersecurity Alerts]

CISA, NSA, FBI, the US Department of Health and Human Services, the Republic of Korea National Intelligence Service, and the Republic of Korea Defense Security Agency are issuing this alert to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities. AA23-040A Alert, Technical Details, and Mitigations CISA’s North Korea Cyber Threat Overview and Advisories webpage. Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor at the following link: https://www.stairwell.com/news/threat-research-report-maui-ransomware/ See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected] To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 10, 20233 min

S7 Ep 1757Cyberespionage, from war floating to phishing. An update on ESXiArgs. Fresh sanctions against ransomware operators, and more takedowns may be in the offing.

War-floating. A phishing campaign pursues Ukrainian and Polish targets. Pakistan's navy is under cyberattack. A new criminal threat actor uses screenshots for recon. ESXiArgs is widespread, but its effects are still being assessed. The UK and US issue joint sanctions against Russian ransomware operators. Robert M. Lee from Dragos addresses attacks on electrical substations. Our guest is Denny LeCompte from Portnox discussing IoT security segmentation strategies. And is LockBit next on law enforcement’s wanted list? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/27 Selected reading. Chinese Balloon Had Tools to Collect Communications Signals, U.S. Says (New York Times) UAC-0114 Campaign Targeting Ukrainian and Polish Gov Entities (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine) NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool (BlackBerry) Screentime: Sometimes It Feels Like Somebody's Watching Me (Proofpoint) Florida state court system, US, EU universities hit by ransomware outbreak (Reuters) No evidence global ransomware hack was by state entity, Italy says (Reuters) Ransomware campaign stirs worry despite uncertain impact (Washington Post) VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attacks (VMware Security Blog) CISA and FBI Release ESXiArgs Ransomware Recovery Guidance (CISA) United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang (U.S. Department of the Treasury) Ransomware criminals sanctioned in joint UK/US crackdown on international cyber crime (National Crime Agency) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 9, 202329 min

S2 Ep 40CISA Alert AA23-039A – ESXiArgs ransomware virtual machine recovery guidance. [CISA Cybersecurity Alerts]

CISA and the FBI are releasing this alert in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors are exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. AA23-039A Alert, Technical Details, and Mitigations CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attack… Enes Sonmez and Ahmet Aykac, YoreGroup Tech Team: decrypt your crypted files in… See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected] To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 9, 20232 min

S7 Ep 1756An ICS update from CISA. Ransomware notes: LockBit, Clop, and ESXiArgs. Vulnerability in Toyota’s GSPIMS. Two new Russian cyberespionage efforts hit Ukraine. And a direction for US privacy policy.

CISA releases an ICS security advisory affecting a smart facility system. LockBit threatens to release Royal Mail data tomorrow. Cl0p ransomware expands to Linux-based systems. A vulnerability is identified in Toyota's GSPIMS. There’s an ESXiArgs update: new trackers and mitigation tools are available. Russia is running two new cyberespionage campaigns against Ukraine. Our guest, Roya Gordon from Nozomi Networks, discusses the ICS threat landscape. And The Washington Post’s Tim Starks provides analysis on last night’s State of the Union. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/26 Selected reading. CISA Releases One Industrial Control Systems Advisory (CISA) LockBit group threatens to publish stolen Royal Mail data tomorrow (Computing) Cl0p Ransomware Targets Linux Systems with Flawed Encryption | Decryptor Available (SentinelOne) Hacking into Toyota’s global supplier management network (Eaton Works) Researcher breaches Toyota supplier portal with info on 14,000 partners (BleepingComputer) Vulnerability Provided Access to Toyota Supplier Management Network (SecurityWeek) CISA Releases ESXiArgs Ransomware Recovery Script (CISA) ESXiArgs Ransomware Campaign Targets VMWare ESXi Vulnerability (SecurityScorecard) Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine (Symantec) Remcos software deployed in spying attempt on Ukraine’s government, CERT says (The Record from Recorded Future News) The State of the Union was light on cybersecurity (Washington Post) Biden calls for action on privacy rights in State of the Union (CyberScoop) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 8, 202329 min

S7 Ep 1755Update: VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards.

VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards. Joe Carrigan tracks pig butchering apps in online app stores. Our guest is David Liebenberg from Cisco Talos, to discuss incident response trends. And, in sportsball, it’s gonna be the Chiefs by a couple of hat tricks, or something. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/25 Selected reading. Ransomware Hits Unpatched VMware Systems: 'Send Money Within 3 Days' (Virtualization Review) Massive ransomware attack targets VMware ESXi servers worldwide (CSO Online) CISA steps up to help VMware ESXi ransomware victims (SC Media) ‘Massive’ new ESXiArgs ransomware campaign has compromised thousands of victims (The Record from Recorded Future News) Have you clicked “Report Junk” lately on your #mobile device? (Proofpoint) CyRC special report: Secure apps? Don’t bet on it (Synopsys) DataDome’s Inaugural E-Commerce Holiday Bot & Online Fraud Report Reveals the US as the Top Source of Bot Attacks (DataDome) Darknet drug market BlackSprut openly advertises on billboards in Moscow (The Record from Recorded Future News) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 7, 202327 min

S7 Ep 1754Unpatched VMware ESXi instances attacked. 0ktapus is back. Update on LockBit’s ransomware attack on ION. Charlie Hebdo hack attributed to Iran.

New ransomware exploits a VMware ESXi vulnerability. Roasted 0ktapus squads up. LockBit says ION paid the ransom. Russian cyber auxiliaries continue attacks against healthcare organizations. Attribution on the Charlie Hebdo attack. Deepen Desai from Zscaler describes recent activity by Ducktail malware. Rick Howard looks at cyber threat intelligence. And the top US cyber diplomat says his Twitter account was hacked. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/24 Selected reading. Ransomware Gang in Trading Hack Says Ransom Was Paid (Bloomberg) Regulators weigh in on ION attack as LockBit takes credit (Register) Russian hackers launch attack on City of London infrastructure (The Armchair Trader) Ransomware attack on data firm ION could take days to fix -sources (Reuters) Linux version of Royal Ransomware targets VMware ESXi servers (BleepingComputer) Ransomware scum attack old VMWare ESXi vulnerability (Register) Italy sounds alarm on large-scale computer hacking attack (Reuters) Italy's TIM suffers internet connection problems (Reuters) Italy sounds alarm on large-scale computer hacking attack (Jerusalem Post) Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers (Security Affairs) Campagne d’exploitation d’une vulnérabilité affectant VMware ESXi (CERT-FR) VMSA-2021-0002 (VMware) CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers (Security Affairs) ‘0ktapus’ hackers are back and targeting tech and gaming companies, says leaked report (TechCrunch) Customizable new DDoS service already appears to have fans among pro-Russia hacking groups (The Record from Recorded Future News) Russian Hackers Take Down At Least 17 U.S. Health System Websites (MedCity News) Tallahassee Memorial HealthCare, Florida, has taken IT systems offline after cyberattack (Security Affairs) Iran responsible for Charlie Hebdo attacks - Microsoft On the Issues (Microsoft On the Issues) Piratage de « Charlie Hebdo » : un groupe iranien à la manœuvre, selon Microsoft (Le Monde) Iran behind hack of French magazine Charlie Hebdo, Microsoft says (Reuters) Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT (Security Affairs) America's top cyber diplomat says his Twitter account was hacked (CNN) Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 6, 202324 min

S1 Ep 45“Shift Left”: A case for threat-informed pentesting. [CyberWire-X]

Penetration testing is a vital part of a robust security program, but the traditional pentesting model is in a rut. Assessments happen infrequently, the scope is often very broad, and the report is usually overwhelming. What if you could increase the overall ROI of your pentesting program and avoid these limitations? Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is a great start, but a pentest could provide exponential value by applying a more strategic approach. In this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner discuss what it means to "shift left" with your penetration testing by working on a threat-informed test plan with guests and Hash Table members Bob Turner, the Field CSO of Fortinet, Etay Maor, the Senior Director for Security Strategy at Cato Networks, and Dan DeCloss, the Founder and CEO of our episode sponsor PlexTrac.

Feb 5, 202325 min

S3 Ep 135Yasmin Abdi: Find your community. [Security Engineer] [Career Notes]

bonus

Yasmin Abdi, a Security Engineering Manager at Snapchat and the CEO and Founder of NoHack, sits down to share her story on how she got to be in her amazing current roles. From a young age, Yasmin was fascinated by the overlap of cybersecurity and crime and law. In her time in college, she was able to intern at big tech companies like Snapchat, Google, and Facebook. She decided to stick with Snapchat, which had the security aspect and security composure that she wanted. In her role at Snapchat, she gets to work with her team to help take down all kinds of bad content and keep up the platform’s integrity, and found she fell in love with the work along the way. Yasmin shares the sage advice to grow your community as much as you can, saying to "form a community of like-minded people. People that you can bounce ideas off of, people that can help support you when times are low. Find mentors, find people that you aspire to be like, and really find that community of people." We thank Yasmin for sharing her story.

Feb 5, 20238 min

S7 Ep 267Can ransomware turn machines against us? [Research Saturday]

bonus

Tom Bonner and Eoin Wickens from HiddenLayer's SAI Team discuss their research on weaponizing machine learning models with ransomware. Researchers at HiddenLayer’s SAI Team have developed a proof-of-concept attack for surreptitiously deploying malware, such as ransomware or Cobalt Strike Beacon, via machine learning models. The attack uses a technique currently undetected by many cybersecurity vendors and can serve as a launchpad for lateral movement, deployment of additional malware, or the theft of highly sensitive data. In this research the team raises awareness by demonstrating how easily an adversary can deploy malware through a pre-trained ML model. The research can be found here: WEAPONIZING MACHINE LEARNING MODELS WITH RANSOMWARE

Feb 4, 202318 min

S7 Ep 1753Cyberespionage, and ransomware as misdirection. A new Python-based supply chain attack. Traffic on the Static Expressway. KillNet continues to plague hospitals. And Telegram may be compromised.

CISA has released six ICS Advisories. A look at a North Korean cyberespionage campaign. ChatGPT and its attack potential. A new Python-based supply chain attack. There’s traffic on the Static Expressway: ClickFunnels seen in use for redirection. KillNet continues its campaign against hospitals. Ransomware as misdirection for cyberespionage. Part two of my conversation with Kathleen Smith of ClearedJobs.Net discussing trends in the cleared space. Our guest is Eric Bassier of Quantum talking about the multi-layered approach to ransomware protection. And Russian surveillance extends to Telegram chats. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/23 Selected reading. Delta Electronics DIAScreen (CISA) Mitsubishi Electric GOT2000 Series and GT SoftGOT2000 (CISA) Baicells Nova (CISA) Delta Electronics DVW-W02W2-E2 (CISA) Delta Electronics DX-2100-L1-CN (CISA) Mitsubishi Electric GT SoftGOT2000 (CISA) No Pineapple! – DPRK Targeting of Medical Research and Technology Sector (WithSecure) Hackers linked to North Korea targeted Indian medical org, energy sector (The Record from Recorded Future News) North Korean hackers stole research data in two-month-long breach (BleepingComputer) ChatGPT May Already Be Used in Nation State Cyberattacks, Say IT Decision Makers in BlackBerry Global Research (BlackBerry) Supply Chain Attack by New Malicious Python Package, “web3-essential” (Fortinet) Leveraging ClickFunnels to Bypass Security Services (Avanan) Report: 'KillNet' targeting hospitals in countries helping Ukraine in war efforts (Becker’s Hospital Review) Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada (CBC) Ransomware as cover for APT groups' cyberespionage (Le Monde Informatique) The Kremlin Has Entered the Chat (WIRED)

Feb 3, 202328 min

S7 Ep 1752Cisco fixes vulnerabilities in ICS appliances. NIST’s anti-phishing guidelines. OneNote exploitation. HeadCrab malware. Recent actions by Russian threat actors. Trends in state-directed cyber ops.

Cisco patches a command injection vulnerability. NIST issues anti-phishing guidance. HeadCrab malware's worldwide distribution campaign. The Gamaredon APT is more interested in collection than destruction. Kathleen Smith of ClearedJobs.Net looks at hiring trends in the cleared community. Bennett from Signifyd describes the fraud ring that’s launched a war on commerce against U.S. merchants. And trends in cyberattacks by state-sponsored actors. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/22 Selected reading. Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover (Dark Reading) Phishing Resistance – Protecting the Keys to Your Kingdom (NIST) OneNote Documents Increasingly Used to Deliver Malware | Proofpoint UK (Proofpoint) HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign (Aquasec) Another UAC-0010 Story (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine) Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware (The Record from Recorded Future News) City of London traders hit by Russia-linked cyber attack (The Telegraph) ChristianaCare recovers from cyberattack, restores website service (6abc Philadelphia) Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report (CSO Online) Microsoft Digital Defense Report 2022 (Microsoft Security)

Feb 2, 202330 min

S7 Ep 1751How the C2C market sustains ransomware gangs. In Russia’s war, intelligence services deploy wipers, and hacktivist auxiliaries handle the DDoS. And a look into other corners of the cyber underworld.

Microsoft tallies more than a hundred ransomware gangs. Sandworm's NikoWiper hits Ukraine's energy sector. Mobilizing cybercriminals in a hybrid war. Firebrick Ostrich and business email compromise. Telegram is used for sharing stolen data and selling malware. Crypto scams find their way into app stores. Bryan Vorndran of the FBI Cyber Division outlines the services the FBI provides during an incident response. Ann Johnson from Afternoon Cyber Tea speaks with actor and producer Tim Murck about the intersection of cyber awareness and storytelling. And we are shocked - shocked! - that there are fraudulent cyber professional credentials circulating online. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/21 Selected reading. Microsoft: Over 100 threat actors deploy ransomware in attacks (BleepingComputer) SocGholish: A Tale of FakeUpdates (Reliaquest) ESET APT Activity Report T3 2022 (WeLiveSecurity) Pro-Russian DDoS attacks raise alarm in Denmark, U.S. (The Record from Recorded Future News) ChristianaCare's website restored after attack; pro-Russia 'hacktivist' group takes credit (Delaware News Journal) Univ. of Iowa Hospitals website possibly hit by cyberattack (KCRG) Cyber attack causes problems with UM Health websites (The Detroit News) How the war in Ukraine has strengthened the Kremlin's ties with cybercriminals (The Record from Recorded Future News) Dark Covenant 2.0: Cybercrime, the Russian State, and War in Ukraine (Recorded Future) Russia’s cyberwar against Ukraine offers vital lessons for the West (Atlantic Council) BEC Group Uses Secondary Personas & Lookalike Domains in Third-Party… (Abnormal Intelligence) Telegram's place in the cyber underworld. (CyberWire) Crypto scams found in the App Store. (CyberWire) Exposure to third-party risk. (CyberWire) Cyber certification deceit. (CyberWire)

Feb 1, 202331 min

S7 Ep 1750The cybercriminal labor market and the campaigns it’s supporting. Russia’s Killnet is running DDoS attacks against US hospitals, but Russia says, hey, it’s the real victim here.

Some perspective on the cybercriminal labor market. DocuSign is impersonated in a credential-harvesting campaign. Social engineering pursues financial advisors. Killnet is active against the US healthcare sector. Mr. Security Answer Person John Pescatore has thoughts on cryptocurrency. Ben Yelin and I debate the limits of section 230. And, hey, who’s the real victim in cyberspace? A hint: probably not you, Mr. Putin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/20 Selected reading. Perspectives on the cybercriminal labor market. (CyberWire) IT specialists search and recruitment on the dark web (Securelist) Cybercrime job ads on the dark web pay up to $20k per month (BleepingComputer) Report on hackers' salaries shows poor wages for developers (Register) Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web (CyberScoop) Application security risks. (CyberWire) Survey gives insight into new app security challenges (Cisco App Dynamics) DocuSign impersonated in credential phishing attack. (CyberWire) Breaking the Impersonation: Armorblox Stops DocuSign Attack (Armorblox) "Pig butchering" and financial advisor impersonation scams. (CyberWire) No Blocking, No Issue: The Curious Ecosystem of Financial Advisor Impersonation Scams (Domain Tools) Ukraine at D+341: Killnet hits US hospitals. (CyberWire) HC3 TLP Clear Analyst Note: Pro-Russian Hacktivist Group Threat to HPH Sector (American Hospital Association) HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals (Gov Info Security) Russian hackers allegedly take down Duke University Hospital’s website (Carolina Journal) The Evolution of DDoS: Return of the Hacktivist (FSISAC) Russia becomes target of West’s coordinated aggression in cyberspace — MFA (TASS)

Jan 31, 202329 min

S7 Ep 1749Criminal evolutions, disgruntled insiders, and gangsta wannabes. New wiper attacks hit Ukrainian targets, with less effect than the first rounds early last year. And support your local hacktivist?

Gootloader's evolution. Yandex source code leaked (and Yandex blames a rogue insider). New GRU wiper malware is active against Ukraine. Latvia reports cyberattacks by Gamaredon. Russia and the US trade accusations of malign cyber activity. A hacktivist auxiliary's social support system. Deepen Desai from Zscaler describes the Lilithbot malware. Rick Howard looks at chaotic simians. And wannabes can be a nuisance, too: LockBit impersonators are seen operating in northern Europe. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/19 Selected reading. Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations (Mandiant) Yandex denies hack, blames source code leak on former employee (BleepingComputer) Hackers use new SwiftSlicer wiper to destroy Windows domains (BleepingComputer) Sandworm APT targets Ukraine with new SwiftSlicer wiper (Security Affairs) Ukraine: Sandworm hackers hit news agency with 5 data wipers (BleepingComputer) Ukraine Links Media Center Attack to Russian Intelligence (BankInfoSecurity) Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group (The Record from Recorded Future News) Russia knows US recruits hackers, trains Ukrainian IT-army — Deputy Foreign Minister (TASS) Taking down the Hive ransomware gang. (CyberWire) US puts a $10m bounty on Hive while Russia shuts down access (Register) Exploring Killnet’s Social Circles (Radware) Copycat Criminals mimicking Lockbit gang in northern Europe (Security Affairs)

Jan 30, 202325 min

S3 Ep 134Charlie Moore: Pilot to head honcho in cyber. [Cyber Command] [Career Notes]

bonus

Our guest, Charlie Moore, is a recently retired USAF Lieutenant General who sits down to share his story from flying high in the air to becoming a bigwig in the cyber community. He was most recently the Deputy Commander of the United States Cyber Command, and also spent part of his career as a human factors engineer working on human interfaces for fighter aircraft. When he first began his Air Force career, he was a member of the last class entering into the Academy that was not issued desktop computers. Charlie discusses how this changed as the year went on and how that impacted his career both in and out of the military. Charlie worked for different companies over the years to further his career and his goals, and discusses how his flying career has helped him and says, "I was extremely passionate about the flying aspect of my career for 25 years and I became even more passionate about operating in this space." We thank Charlie for sharing his story with us.

Jan 29, 20238 min

S8 Ep 48Interview with the AI, part one. [Special Editions]

bonus

Cybersecurity interview with ChatGPT. In part one of CyberWire’s Interview with the AI, Brandon Karpf interviews ChatGPT about topics related to cybersecurity. Rick Howard joins Brandon to analyze the conversation and discuss potential use cases for the cybersecurity community. ChatGPT is a chatbot launched by OpenAI and built on top of OpenAI’s GPT-3 family of large language models. Cyber questions answered by ChatGPT in part one of the interview. What were the most significant cybersecurity incidents up through 2021? What leads you to characterize these specific events as significant? What were the specific technical vulnerabilities associated with these incidents? Who were the cyber actors involved in each of these attacks? Do you think it's valuable to attribute cyber attacks to specific actors?

Jan 29, 202327 min

S7 Ep 266Flagging firmware vulnerabilities. [Research Saturday]

bonus

Roya Gordon from Nozomi Networks sits down with Dave to discuss their research on "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security." Researchers at Nozomi Networks have revealed that there are thirteen vulnerabilities that affect BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X. The research states "By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host." The conversation also covers what patches could come in the future to help fix these vulnerabilities. The research can be found here: Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1

Jan 28, 202315 min

S7 Ep 1748An update on the Hive ransomware takedown. More DDoS from Killnet. Advisories from CISA, and an addition to the Known Exploited Vulnerabilities Catalog.

An update on the takedown of the Hive ransomware gang, plus insights from CrowdStrike’s Adam Meyers. If you say you’re going to unleash the Leopards, expect a noisy call from Killnet. Our guest is ExtraHop CISO Jeff Costlow talking about nation-state attackers in light of ongoing Russian military operations. CISA has released eight ICS advisories, and the agency has also added an entry to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/18 Selected reading. Cybercriminals stung as HIVE infrastructure shut down (Europol) U.S. Department of Justice Disrupts Hive Ransomware Variant (U.S. Department of Justice) Director Christopher Wray’s Remarks at Press Conference Announcing the Disruption of the Hive Ransomware Group (Federal Bureau of Investigation) Taking down the Hive ransomware gang. (CyberWire) US hacks back against Hive ransomware crew (BBC News) Cyberattacks Target Websites of German Airports, Admin (SecurityWeek) Delta Electronics CNCSoft ScreenEditor (CISA) Econolite EOS (CISA) Snap One Wattbox WB-300-IP-3 (CISA) Sierra Wireless AirLink Router with ALEOS Software (CISA) Mitsubishi Electric MELFA SD/SQ series and F-series Robot Controllers (CISA) Rockwell Automation products using GoAhead Web Server (CISA) Landis+Gyr E850 (CISA) Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA) CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)

Jan 27, 202325 min