CyberWire Daily

CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software. AA23-025A Alert, Technical Details, and Mitigations For a downloadable copy of IOCs, see AA23-025.stix Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected] To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office. Learn more about your ad choices. Visit megaphone.fm/adchoices

How do the North Koreans get away with it? They do run their cyber ops like a creepy start-up business. A spoofing vulnerability is discovered in Windows CryptoAPI. Python-based malware is distributed via phishing. MacOS may have a reputation for threat-resistance, but users shouldn't get cocky. DevSecOps survey results show tension between innovation and security. Russian hacktivist auxiliaries hit German targets. Tim Starks from the Washington Post Cyber 202 shares insights from his interview with Senator Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility. And Private sector support for Ukraine's cyber defense. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/16 Selected reading. TA444: The APT Startup Aimed at Acquisition (of Your Funds) (Proofpoint) Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI (Akamai) Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection (Securonix) BlackBerry's Inaugural Quarterly Threat Intelligence Report Reveals Threat Actors Launch One Malicious Threat Every Minute (BlackBerry) Global CIO Report Reveals Growing Urgency for Observability and Security to Converge (Dynatrace) Russian 'hacktivists' briefly knock German websites offline (Reuters) How Microsoft is helping Ukraine’s cyberwar against Russia (Computerworld) CISA Releases Two Industrial Control Systems Advisories (CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices

At the 2022 Cyber Marketing Con, the CyberWire presented a CISO Q&A panel session on how to help cyber marketers reach CISOs and other security executives in the industry. The panel included Rick Howard, CSO of N2K Networks, Jaclyn Miller, Head of InfoSec and IT at DispatchHealth, Ted Wagner, CISO of SAP NS2, and was moderated by board director & and operating partner, Michelle Perry. Listen in as the panel discusses: What works and doesn’t work in getting a security executive’s attention. Message trust, message fatigue, and what you can do about it. Trusted information sources and how security executives use them. Positioning and messaging that is actually meaningful to decision makers. The security executive’s purchasing behavior and why skepticism is the driving force. Stay tuned until the end to hear us answer some additional bonus questions submitted by attendees. Learn more about your ad choices. Visit megaphone.fm/adchoices

DragonSpark conducts "opportunistic" cyberattacks in East Asia. ProxyNotShell and OWASSRF exploit chains target Microsoft Exchange servers. The IoT supply chain is threatened by exploitation of Realtek Jungle SDK vulnerability. CISA adds an entry to its Known Exploited Vulnerabilities Catalog. A Cisco study finds organizations see positive returns from investment in privacy. What's the hacktivist's postwar future? Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT to discuss the security of removable media devices. And a retired G-Man is indicted on multiple charges. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/15 Selected reading. DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation (SentinelOne) Technical Advisory: Proxy*Hell Exploit Chains in the Wild (Bitdefender) Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats (Unit 42) CISA Adds One Known Exploited Vulnerability to Catalog (CISA) 2023 Data Privacy Benchmark Study (Cicso) Hacktivism Is a Risky Career Path (WIRED) Retired FBI Executive Charged With Concealing $225,000 In Cash Received From An Outside Source (Department of Justice, U.S. Attorney’s Office, District of Columbia) Former Special Agent In Charge Of The New York FBI Counterintelligence Division Charged With Violating U.S. Sanctions On Russia (Department of Justice, U.S. Attorney’s Office, Southern District of New York) Former Senior F.B.I. Official in New York Charged With Aiding Oligarch (New York Times) Learn more about your ad choices. Visit megaphone.fm/adchoices

The FAA attributes its January NOTAM outage. Malicious OneNote attachments are appearing in phishing campaigns. The Vastflux ad campaign has been disrupted. Ukraine moves toward closer cybersecurity collaboration with NATO. Rick Howard considers the best of 2022. Deepen Desai from Zscaler looks at VPN Risk. And, finally, we’re betting you want alerts for sports book customers and online gamers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/14 Selected reading. FAA Says Contractor Unintentionally Caused Outage That Disrupted Flights (Wall Street Journal) Not a cyberattack, but an IT failure: the FAA's NOTAM outage. (CyberWire) Hackers now use Microsoft OneNote attachments to spread malware (BleepingComputer) Traffic signals: The VASTFLUX Takedown (HUMAN Security) Ukraine signs agreement to join NATO cyber defense center (The Record from Recorded Future News) FanDuels warns of data breach after customer info stolen in vendor hack (BleepingComputer) Industry looks at the MailChimp data incident. (CyberWire) PSA: Don’t play GTA Online on PC right now (Video Games) You might not want to play GTA Online right now due to security vulnerabilities (RockPaperShotgun) Riot Games hacked, delays game patches after security breach (BleepingComputer) Riot hit by ‘social engineering attack’ that will affect patch cadence for multiple titles (Dot Esports) Learn more about your ad choices. Visit megaphone.fm/adchoices

Miriam Wugmeister, co-chair of Morrison & Foerster’s Privacy and Data Security practice, sits down to share her in-depth experience and understanding of privacy and data security laws, obligations, and practices across a wide range of industries. She talks about how she grew up not knowing exactly what she wanted to get into as a profession, starting off as a chemical engineering major in college before switching to philosophy. She then got asked to work on a project relating to a company’s privacy and fell in love with the subject matter, deciding then to pursue it as a career. Miriam mentions how technology is not as complicated as tech people might have you think. She hopes she can advertise a tech degree for young women and men looking to get into the field, as well as making sure she "encourages women and diverse lawyers to, uh, come into this area to thrive." We thank Miriam for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

The public web data domain is a fancy way to say that there is a lot of information sitting on websites around the world that is freely available to anybody who has the initiative to collect it and use it for some purpose. When you do that collection, intelligence groups typically refer to it as open source intelligence, or OSINT. Intelligence groups have been conducting OSINT operations for over a century if you consider books and newspapers to be one source of this kind of information. In the modern day, hackers conduct OSINT operations in order to recon their potential victims by collecting email addresses, personal information, IP addresses, software versions, network configurations, and, if they are lucky, login credentials for websites and social media platforms. The question is, how can the good guys use these techniques to improve their security posture or maybe help the business in some kind of material way? On this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner discuss OSINT operations to improve your security posture with guests Steve Winterfeld, Hash Table member and Advisory CISO for Akamai, and Or Lenchner, CEO at our episode sponsor Bright Data. Learn more about your ad choices. Visit megaphone.fm/adchoices

Brigid O. Gorman from Symantec's Threat Hunter Team joins Dave to discuss their report "Billbug - State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." The team has discovered that state-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted. The research states they believe Billbug, which is a long-established advanced persistent threat (APT) group has been active since about 2009. They say "In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity." The research can be found here: Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries Learn more about your ad choices. Visit megaphone.fm/adchoices

Ransomware hits Costa Rican government systems, again. A Chinese threat actor deploys the BOLDMOVE backdoor against unpatched FortiOS. Credential stuffing afflicts PayPal users. T-Mobile discloses a data breach. A cyberattack hits a remote Canadian utility. The Wagner Group sponsors a hackathon. Malek Ben Salem from Accenture describes prompt injection for chatbots. Our guest is Paul Martini of iboss with insights on Zero Trust. And the FSB’s Gamaredon APT runs a hands-on Telegraph phishing campaign against Ukrainian targets. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/13 Selected reading. Bolster Your Company Defenses With Zero Trust Edge (Forrester) MICITT detecta incidente informático en el MOPT, el cual ya se encuentra contenido (MICITT) MOPT mantiene habilitados todos los servicios de manera presencial (MICITT) Costa Rica’s Ministry of Public Works and Transport crippled by ransomware attack (Record) Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) (Mandiant) Attackers Crafted Custom Malware for Fortinet Zero-Day (Dark Reading) Chinese hackers used recently patched FortiOS SSL-VPN flaw as a zero-day in October (Security Affairs) PayPal accounts breached in large-scale credential stuffing attack (BleepingComputer) PayPal Confirms Over 34,000 Customer Accounts Were Breached (EcommerceBytes) 35,000 PayPal accounts hacked, and users could've prevented it (PCWorld) Thousands Of PayPal Accounts Hacked—Is Yours One Of Them? (Forbes) Nearly 35,000 PayPal users had SSNs, tax info leaked during December cyberattack (The Record from Recorded Future News) T-Mobile Says Hacker Stole Data for 37 Million Customers (Bloomberg) T-Mobile Says Hackers Stole Data on About 37 Million Customers (Wall Street Journal) T-Mobile Says Hackers Used API to Steal Data on 37 Million Accounts (SecurityWeek) Cyberattack hits Nunavut's Qulliq Energy Corp. (CBC News) Nunavut power utility’s servers hit by cyber attack | IT World Canada News (IT World Canada) Russian War Report: Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize (Atlantic Council) Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations (Blackberry) Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram (The Hacker News) Hitachi Energy PCU400 (CISA) Bolster Your Company Defenses With Zero Trust Edge (iBoss) Learn more about your ad choices. Visit megaphone.fm/adchoices

A hostile takeover of the Solaris contraband market. Ukraine warns that Russian cyberattacks continue. An overview of 2H 2022 ICS vulnerabilities. Codespaces accounts can act as malware servers. Blank-image attacks. Campaigns leveraging HR policy themes. Dinah Davis from Arctic Wolf has tips for pros for security at home. Our guest is Gerry Gebel from Strata Identity describes a new open source standard that aims to unify cloud identity platforms. And travel-themed phishing increases. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/12 Selected reading. Friday the 13th on the Dark Web: $150 Million Russian Drug Market Solaris Hacked by Rival Market Kraken (Elliptic Connect) Russia-linked drug marketplace Solaris hacked by its rival (The Record from Recorded Future News) Cyber-attacks have tripled in past year, says Ukraine’s cybersecurity agency (the Guardian) Ukraine: Russians Aim to Destroy Information Infrastructure (Gov Info Security) Ukraine says Russia is coordinating missile strikes, cyberattacks and information operations (The Record by Recorded Future) ICS Vulnerabilities and CVEs: Second Half of 2022 (SynSaber) Abusing a GitHub Codespaces Feature For Malware Delivery (Trend Micro) The Blank Image Attack (Avanan) Phishing Attacks Pose as Updated 2023 HR Policy Announcements (Abnormal Security) Spammers phish eager vacationers with travel-themed lures, Bitdefender Antispam Lab warns (Bitdefender) Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA adds to its Known Exploited Vulnerability Catalog. Attacks against industrial systems. DNV is recovering from ransomware. Chinese cyberespionage is reported against Iran. The persistence of nuisance-level hacktivism. Robert M. Lee from Dragos outlines pipeline security. Our guest is Yasmin Abdi from Snap on bringing her team up to speed with zero trust. And a side-effect of Russia's war: a drop in paycard fraud. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/11 Selected reading. Bolster Your Company Defenses With Zero Trust Edge (iBoss) CISA Adds One Known Exploited Vulnerability to Catalog (CISA) GE Digital Proficy Historian (CISA) Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA) Siemens SINEC INS (CISA) Contec CONPROSYS HMI System (CHS) Update A (CISA) Nozomi Networks Researchers Take a Deep Look into the ICS Threat Landscape (Nozomi Networks) A look at IoT/ICS threats. (CyberWire) DNV's fleet management software recovering from ransomware attack. (CyberWire) DNV says up to 1,000 ships affected by ransomware attack (Computing) Ransomware attack on maritime software impacts 1,000 ships (The Record from Recorded Future News) Chinese Playful Taurus Activity in Iran (Unit 42) Playful Taurus: a Chinese APT active against Iran. (CyberWire) Russian hackers allegedly tried to disrupt a Ukrainian press briefing about cyberattacks (Axios) Russia's Ukraine War Drives 62% Slump in Stolen Cards (Infosecurity Magazine) Annual Payment Fraud Intelligence Report: 2022 (Recorded Future) Learn more about your ad choices. Visit megaphone.fm/adchoices

A Phishing campaign impersonates DHL. Conscription and mobilization provide criminals with phishbait for Russian victims. Norton LifeLock advises customers that their accounts may have been compromised. Trends in data protection. Veracode's report on the state of software application security. Ben Yelin looks at NSO group’s attempt at state sovereignty. Ann Johnson from Afternoon Cyber Tea speaks with Microsoft’s Chris Young about the importance of the security ecosystem. And Ukraine calls for a "digital United Nations." For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/10 Selected reading. Cloud 9: Top Cloud Penetration Testing Tools (Bishop Fox) Our Top Favorite Fuzzer crowdsourcing pen testing tools (Bishop Fox) DHL Phishing Attack. Simply Delivered. (ArmorBlox) Credential phishing campaign impersonates DHL. (CyberWire) Phishing scam invites Russian Telegram users to check ‘conscription lists’ to see if they’ll be drafted in February (Meduza) NortonLifeLock warns that hackers breached Password Manager accounts (BleepingComputer) Norton LifeLock says thousands of customer accounts breached (TechCrunch). NortonLifeLock notifies thousands of users about compromised Password Manager accounts (Computing) Data Protection Trends Report 2023 (Veeam) Trends in data protection. (CyberWire) How Orca Found Server-Side Request Forgery (SSRF) Vulnerabilities in Four Different Azure Services (Orca Security) Orca describes four Azure vulnerabilities. (CyberWire) State Of Software Security (Veracode) A look at the state of software security. (CyberWire) Ukraine calls for ‘Cyber United Nations’ amid Russian attacks (POLITICO) Learn more about your ad choices. Visit megaphone.fm/adchoices

Gene Fay, CEO of ThreatX sits down to share his experience rising through the ranks to get to where he is today. He shares how even at a young age he wanted to work in an office and become a businessman, though at the time he did not understand what that entailed. After college he acquired a job that was revolutionizing video editing for post-production studios as well as TV stations, where he started to really learn about technology. Gene talks about leading from the front and how a good leader will always do so, even if he has to lead from two different fronts. He said "it's kind of the two fronts, sometimes you've gotta put on the leadership face, and believe it, that, that you can get, and we can get through any situation, cuz sometimes you're, your gut feelings are, might be wrong and, or it's a moment in time and if you can help the team grind through that situation, it does get better." We thank Gene for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Mohammad Kazem Hassan Nejad from WithSecure joins Dave to discuss the team’s research, “DUCKTAIL returns - Underneath the ruffled feathers.” DUCKTAIL is a financially motivated malware operation that targets individuals and businesses operating on the Facebook Ads and Business platform. The research states “The malware is designed to steal browser cookies and take advantage of authenticated Facebook sessions to steal information from the victim's Facebook account.” WithSecure has found that after a short hiatus, DUCKTAIL has returned with slight changes in their mode of operation. The research can be found here: DUCKTAIL returns: Underneath the ruffled feathers Learn more about your ad choices. Visit megaphone.fm/adchoices

GitHub disables NoName accounts. Russia dismisses reports of cyberespionage attempts against US National Laboratories. The Royal Mail cyber incident is now identified as ransomware attack. An update on the NOTAM issues that interfered with civil aviation. A Citrix vulnerability is exploited by ransomware group. CISA publishes its annual report. Bryan Vorndran of the FBI Cyber Division calibrates expectations with regard to the IC3. Our guest is Kayne McGladrey with insights on 2023 from the IEEE. And Positive Hack Days and the growing isolation of Russia's cyber sector. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/9 Selected reading. Impact of Technology in 2023 and Beyond (IEEE) Ukraine at D+323: Fighting in Soledar, and industrial mobilization. (CyberWire) GitHub disables pro-Russian hacktivist DDoS pages (CyberScoop) Russia criticises Reuters story on Russian hackers targeting U.S. nuclear scientists (Reuters) Royal Mail cyber incident now identified as ransomware attack. (CyberWire) Not a cyberattack, but an IT failure. (CyberWire) The Guardian breach and news media as targets. (CyberWire) Citrix vulnerability exploited by ransomware group. (CyberWire) 2022 Year In Review (CISA) Russia’s largest hacking conference reflects isolated cyber ecosystem (Brookings) Learn more about your ad choices. Visit megaphone.fm/adchoices

Iranian VPN users are afflicted by Trojanized installation apps. Phishing on the static expressway. NoName057(16) hacktivist auxiliaries target NATO. Yesterday’s flight outage appears not to have been caused by a cyberattack. Royal Mail is disrupted by a "cyber incident." Carole Theriault thinks Meta needs to step up their game when blocking financial scams. Our guest is Mark Sasson from Pinpoint Search Group to discuss why cybersecurity may no longer be a candidate-driven market. And HR phishbait dangles raises, and some employees bite. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/8 Selected reading. EyeSpy - Iranian Spyware Delivered in VPN Installers (Bitdefender Labs) Phishing on the Static Expressway. (CyberWire) NoName057(16) - The Pro-Russian Hacktivist Group Targeting NATO (SentinelOne) Not a cyberattack, but an IT failure. (CyberWire) FAA NOTAM Statement (FAA) Canadian Pilot-Alert System Reports Outage Hours After U.S. Grounding Order (Wall Street Journal) US air travel resumes but thousands of flights delayed after planes grounded - live updates (The Telegraph) US Flights Latest: Departures Resume After FAA Lifts Ground Stop (Bloomberg) Royal Mail suffers ‘severe service disruption’ after cyber incident (Glasgow Times) Royal Mail issues major disruption warning after 'cyber incident' (Computing) Parcels and letters stuck in limbo as Royal Mail is hit by a suspected hack (The Telegraph) Cyber Incident Hits UK Postal Service, Halts Overseas Mail (SecurityWeek) Learn more about your ad choices. Visit megaphone.fm/adchoices

Patch Tuesday. CISA releases two ICS Advisories and makes some additions to its Known Exploited Vulnerabilities Catalog. Dark Pink APT is active against Asian targets. Kinsing cryptojacking targets Kubernetes instances. Ukrainian hacktivists conduct DDoS against Iranian sites. Risk exposure and a hospital's experience with ransomware. The Health3PT initiative seeks to manage 3rd-party risk. Tim Starks from the Washington Post’s Cyber 202 on cyber rising to the level of war crime. Our guest is Connie Stack, CEO of Next DLP, on the path to leadership within cyber for women. And phishing with Pokémon NFTs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/7 Selected reading. The Daily 202 (Latest Cybersecurity 202) Microsoft Releases January 2023 Security Updates (CISA) > Adobe Releases Security Updates for Multiple Products (CISA) Black Box KVM (CISA) Delta Electronics InfraSuite Device Master (CISA) Known Exploited Vulnerabilities Catalog (CISA) Dark Pink (Group-IB) New Dark Pink APT group targets govt and military with custom malware (BleepingComputer) Kinsing cryptojacking. (CyberWire) Ukraine at D+321: "Difficult in places." (CyberWire) Iranian websites impacted by pro-Ukraine DDoS attacks (SC Media) Ransomware attack against SickKids said to be unusual. (CyberWire) Health3PT seeks a uniform approach to healthcare supply chain issues. (CyberWire) Breaking the glass ceiling: My journey to close the leadership gap. (CyberWire, Creating Connections) Pokémon NFTs used as malware vectors. (CyberWire) Learn more about your ad choices. Visit megaphone.fm/adchoices

A look back at ransomware in 2022. Lessons from Russia's war: crooks, hacktivists, and auxiliaries. Cyberattacks as war crimes. The state of SSE adoption. RSA Conference 2023 opens applications for the Launch Pad and the Innovation Sandbox. Joe Carrigan looks at online scams targeting military members. Our guest is Richard Caralli from Axio on the State of Ransomware Preparedness. And the most common known exploited vulnerabilities affecting the financial sector. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/6 Selected reading. Ransomware trends: 2022. (CyberWire) State of Ransomware Preparedness Research Study: 2022 (Axio) Kyiv argues Russian cyberattacks could be war crimes (POLITICO) Ukraine official says Russian cyberattacks on its energy network could equate to war crimes (Yahoo) Ukraine war and geopolitics fuelling cybersecurity attacks - EU agency (EU Reporter) Industry-first research from Axis Security finds 65% percent of organizations plan to adopt a Security Service Edge platform within next two years (Axis Security) RSAC Launch Pad is Back! (RSA Conference 2023) The Best in Innovation Programs Starts Here (RSA Conference 2023) Top KEVs in the U.S. Financial Services Sector (LookingGlass) Learn more about your ad choices. Visit megaphone.fm/adchoices

Telegram impersonation affects a cryptocurrency firm. Phishing with Facebook termination notices. Russian phishing continues to target Moldova. The IEEE on the impact of technology in 2023. Glass ceilings in tech leadership. Seattle Schools sue social media platforms. Malek Ben Salem from Accenture explains coding models. Our guest is Julie Smith, identity security leader and executive director at IDSA, with insights on identity and security strategies. And dealing with the implications of ChatGPT. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/5 Selected reading. Impact of Technology in 2023 and Beyond (IEEE) Telegram insider server access offered to Dark Web customers (SafetyDetectives) Moldovaʼs government hit by flood of phishing attacks (The Record from Recorded Future News) OPWNAI : Cybercriminals Starting to Use ChatGPT (Check Point Research) Hackers exploiting ChatGPT to write malicious codes to steal your data (Business Standard) Armed With ChatGPT, Cybercriminals Build Malware And Plot Fake Girl Bots (Forbes) Hackers Exploiting OpenAI’s ChatGPT to Deploy Malware (HackRead) Cybercriminals are already using ChatGPT to own you (SC Media) Threat Report: Impersonation Detected in Telegram Chats to Deliver Malware (Safeguard Cyber) Seattle schools sue tech giants over social media harm (ABC News) Seattle Public Schools sues TikTok, YouTube, Instagram and others, seeking compensation for youth mental health crisis (GeekWire) Ghost Writer: Microsoft Looks to Add OpenAI’s Chatbot Technology to Word, Email (The Information) Microsoft plans to use ChatGPT in Bing. Here's why it could be a threat to Google. (Freethink) ChatGPT Hits Ethical Roadblock; Blocked (Analytics India Magazine) A College Kid Built an App That Sniffs Out Text Penned by AI (The Daily Beast) A Princeton student built an app which can detect if ChatGPT wrote an essay to combat AI-based plagiarism (Business Insider) Learn more about your ad choices. Visit megaphone.fm/adchoices

Teresa Rothaar, a governance, risk, and compliance (GRC) analyst at Keeper Security sits down to share her story, from performer to cyber. She fell in love with writing as a young girl, she experimented with writing fanfiction which made her want to grow up to be in the arts. After attending college she found that she was good at math, lighting the way for her to start her cyber career. Teresa moved to being a writer at Keeper, finding she wanted to spread out and try more, so she ended up becoming an analyst while still doing writing on the side. She quotes David Duchovny in an interview once, explaining how sometimes you need to keep your head down and outwork others. Teresa said this resonated with her, saying, "that's how I went from a foreclosure box on the porch to where I am now. I have a good job and, and I have a career and I have a really good career and I absolutely love it." We thank Teresa for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Marisa Atkinson, an analyst from Flashpoint, joins Dave to discuss a new blog post from Flashpoint’s research team about “RisePro” Stealer, malware from Russia, and Pay-Per-Install Malware “PrivateLoader.” “RisePro” is written in C++ and appears to possess similar functionality to the stealer malware “Vidar.” It's also a newly identified stealer, that began appearing as a stealer source for log credentials on the illicit log shop Russian Market on December 13, 2022. The research states, "Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year." Analysts identified several sets of logs uploaded to the illicit underground Russian Market, which listed their source as “RisePro.” The research can be found here: “RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader” Learn more about your ad choices. Visit megaphone.fm/adchoices

Security vulnerabilities in automobiles. CircleCI customers should "rotate their secrets." CISA Director Easterly notes Russian failures, but warns that shields should stay up. Attempted cyberespionage against US National Laboratories. Turla effectively recycles some commodity malware infrastructure. Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire Space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space-cyber. And the Guardian continues to recover from last month's ransomware attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/4 Selected reading. Hitachi Energy UNEM (CISA) Hitachi Energy FOXMAN-UN (CISA) Hitachi Energy Lumada Asset Performance Management (CISA) Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry) Toyota, Mercedes, BMW API flaws exposed owners’ personal info (BleepingComputer) 16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure (SecurityWeek) Ferrari, BMW, Rolls Royce, Porsche and more fix vulnerabilities giving car takeover capabilities (The Record by Recorded Future) CircleCI security alert: Rotate any secrets stored in CircleCI (CircleCI). CircleCI warns of security breach — rotate your secrets! (BleepingComputer) CircleCI Urges Customers to Rotate Secrets Following Security Incident (The Hacker News) CISA director: US needs to be vigilant, ‘keep our shields up’ against Russia (The Hill) Exclusive-Russian Hackers Targeted U.S. Nuclear Scientists (Reuters via US News) Notorious Russian Spies Piggybacked on Other Hackers' USB Infections (WIRED) Turla: A Galaxy of Opportunity | Mandiant (Mandiant) Fallout from Guardian cyber attack to last at least a month (ComputerWeekly) State of Ransomware Preparedness (Axio) Learn more about your ad choices. Visit megaphone.fm/adchoices

The PurpleUrchin freejacking campaign. Bluebottle activity against banks in Francophone Africa. The PyTorch framework sustains a supply-chain attack. 2022's ransomware leaderboard. Cellphone traffic as a source of combat information. FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm. Our guest Jerry Caponera from ThreatConnect wonders if we need more "Carrots" Than "Sticks" In Cybersecurity Regulation. And two incommensurable views of information security. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/3 Selected reading. An analysis of the PurpleUrchin campaign. (CyberWire) PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources (Unit 42) Bluebottle observed in the wild. (CyberWire) Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa (Symantec) PyTorch incident disclosed, assessed. (CyberWire) PyTorch dependency poisoned with malicious code (Register) Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022. (PyTorch) Most active, impactful ransomware groups of 2022. (CyberWire) 2022 Year in Review: Ransomware (Trustwave) Russia says phone use allowed Ukraine to target its troops (AP NEWS) For Russian Troops, Cellphone Use Is a Persistent, Lethal Danger (New York Times) Kremlin blames own soldiers for Himars barracks strike as official death toll rises (The Telegraph) No Water’s Edge: Russia’s Information War and Regime Security (Carnegie Endowment for International Peace) Learn more about your ad choices. Visit megaphone.fm/adchoices

Ad practices draw a large EU fine (and may set precedents for online advertising). Updates on the LastPass breach, and on Russian cyber activity against Poland. Malek Ben Salem from Accenture explains smart deepfakes. Our guest is Leslie Wiggins, Program Director for Data Security at IBM Security on the role of the security specialist. And cellphones, opsec, and the Makiivka strike. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/2 Selected reading. Meta’s Ad Practices Ruled Illegal Under E.U. Law (New York Times) Meta Fined More Than $400 Million in EU for Serving Ads Based on Online Activity (Wall Street Journal) Meta's New Year kicks off with $410M+ in fresh EU privacy fines (TechCrunch) LastPass data breach: notes and actions to take. (CyberWire) Poland warns of attacks by Russia-linked Ghostwriter hacking group (BleepingComputer) Russia says phone use allowed Ukraine to target its troops (AP NEWS) Russian soldier gave away his position with geotagged social media posts (Task & Purpose) Russian commanders blamed for heavy losses in New Year’s Day strike (Washington Post) Learn more about your ad choices. Visit megaphone.fm/adchoices

Recent DPRK cyber operations: spying and theft. Twitter’s data incident. 3Commas breached. Poland warns of increased Russian offensive cyber activity. Port of Lisbon hit by ransomware. DHS announces SBIR topics. New additions to the Known Exploited Vulnerabilities Catalog. Ben Yelin on the legal conundrum of AI generated code. Our guest is Tanya Janca from She Hacks Purple with insights on API security. And, news flash! LockBit says they have a conscience. (Yeah, right.) For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/1 Selected reading. Recent DPRK cyber operations: spying and theft. (CyberWire) Twitter targeted in extortion hack. (CyberWire) 3Commas' API compromised. (CyberWire) Russian cyberattacks (Special Services) LockBit activity over the holidays. (CyberWire) CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA) DHS Small Business Innovation Research (SBIR) Program FY23 Solicitation (SAM.gov) The SBIR and STTR Programs. (SBIR/STTR) Learn more about your ad choices. Visit megaphone.fm/adchoices

Between the emergence of sophisticated nation-state actors, the rise of ransomware-as-a-service, the increasing attack surface remote work presents, and much more, organizations today contend with more complex risk than ever. A “Secure-by-Design” approach can secure software environments, development processes and products. That approach includes increasing training for employees, adopting zero trust, leveraging Red Teams, and creating a unique triple-build software development process. SolarWinds calls its version of this process the "Next-Generation Build System," and offers it as a model for secure software development that will make supply chain attacks more difficult. On this episode of CyberWire-X, host Rick Howard, N2K’s CSO, and CyberWire’s Chief Analyst and Senior Fellow, discusses software supply chain lessons learned from the SolarWinds attack of 2020 with Hash Table members Rick Doten, the CISO for Healthcare Enterprises and Centene, Steve Winterfeld, Akamai's Advisory CISO, and Dawn Cappelli, Director of OT-CERT at Dragos, and in the second half of the show, Rick speaks with our episode sponsor, SolarWinds, CISO Tim Brown. Learn more about your ad choices. Visit megaphone.fm/adchoices

On Thursday October 20, 2022, the CyberWire was pleased to host the annual Women in Cybersecurity Reception at the International Spy Museum in Washington, DC. This annual event brought together almost 300 people to highlight and celebrate the value and successes of women in the cybersecurity industry. The reception included an industry-led panel discussion called “The Hidden Impact of Cybersecurity’s Talent Gap on the Cyber-Enabled Community,” discussing cyber-enabled professionals who aren’t usually included in conversations around the cybersecurity skills gap. The panel, moderated by Simone Petrella of CyberVista, included perspectives from experts including Davida Gray of MindPoint Group, Jennifer Walsmith of Northrop Grumman, Kyla Guru of Bits N’ Bytes, and Amy Mushahwar from Alston & Bird. Learn more about your ad choices. Visit megaphone.fm/adchoices

Scott Fanning from CrowdStrike's research team, joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and the research suggests attackers are attracted to the monetary gain from the recent boom in cryptocurrency. LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation by the use of proxy pools. Scott shares how its unknown which organizations have been targeted and just how much cryptocurrency has been stolen. The research can be found here: LemonDuck Targets Docker for Cryptomining Operations Learn more about your ad choices. Visit megaphone.fm/adchoices

SHOW NOTES This interview from October 28th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware and why the decline of crypto will not deter future ransomware actors. Learn more about your ad choices. Visit megaphone.fm/adchoices

Thanks for joining us again for another episode of fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Hacking Humans co-host Dave Bittner is joined by Rick Howard in this series where they view clips from their favorite movies and television shows with examples of the social engineering scams and schemes you hear Dave and co-host Joe Carrigan talk about on Hacking Humans. In this episode, Dave and Rick watch each of the selected scenes, describe the on-screen action for you, and then they deconstruct what they saw. Grab your bowl of popcorn and join us for some fantastic scams and frauds. On this episode, Dave and Rick are joined by guest contributor Amanda Fennell. You can find Amanda on Twitter at @Chi_from_afar. Links to this episode's clips if you'd like to watch along: Dave's clip from the movie Zombieland Rick's clip from the movie Traveller Amanda's clip from the movie The Girl with the Dragon Tattoo Learn more about your ad choices. Visit megaphone.fm/adchoices

This interview from September 16th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Diana Kelley, CSO & Co-founder of Cybrize to discuss the need for innovation and entrepreneurship in cybersecurity. Learn more about your ad choices. Visit megaphone.fm/adchoices

This interview from September 30th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with MK Palmore from Google Cloud to talk about why collective cybersecurity ultimately depends on having a diverse, skilled workforce. Learn more about your ad choices. Visit megaphone.fm/adchoices

Spearphishing against Japanese political entities. Trojanized Windows 10 installers target Ukraine. XLL files abused to deliver malware. Learn more about your ad choices. Visit megaphone.fm/adchoices

Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. Learn more about your ad choices. Visit megaphone.fm/adchoices

Dr. May Wang, CTO of IoT Security at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization Learn more about your ad choices. Visit megaphone.fm/adchoices

The Vice Society may be upping its marketing game. Royal ransomware may have a connection to Conti. Royal delivers ransom note by hacked printer. KillNet goes after healthcare. CISA's Stakeholder Engagement Strategic Plan. Adam Meyers from CrowdStrike looks at cyber espionage. Giulia Porter from RoboKiller does not want to talk to you about your car’s extended warranty. And holiday wishes to all. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/245 Selected reading. Custom-Branded Ransomware: The Vice Society Group and the Threat of Outsourced Development (SentinelOne) Vice Society ransomware gang switches to new custom encryptor (BleepingComputer) Conti Team One Splinter Group Resurfaces as Royal Ransomware with Callback Phishing Attacks (Trend Micro) Researchers Link Royal Ransomware to Conti Group (SecurityWeek) Major Australian university dealing with suspected cybersecurity attack (7NEWS) Printers at Queensland's second-largest university spit out ransomware messages after cyber attack (ABC) Pro-Russian Hacktivist Group ‘KillNet’ Threat to HPH Sector (HC3) HHS alert warns KillNet hacktivist group targeted US healthcare entity (SC Media) HC3 Analyst Note TLP Clear Pro-Russian Hacktivist Group Killnet Threat to HPH Sector December 22, 2022 | AHA (American Hospital Association) Strategic Plan for Stakeholder Engagement (CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices

The FBI warns of malicious advertising. A new gang makes an unwelcome appearance in the holiday season. Ukraine will receive more Starlink terminals after all. Cyber phases of the hybrid war: a view from Kyiv–the bears and their adjuncts are opportunistic agents of chaos. Caleb Barlow thinks boards of directors need to up their cyber security game. Our guest is AJ Nash from ZeroFox with a look at legislative restrictions on TikTok. And reports say that US National Cyber Director Chris Inglis is preparing to retire. We wish him the best of luck. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/244 Selected reading. Cyber Criminals Impersonating Brands Using Search Engine Advertisement Services to Defraud Users (FBI) A sophisticated fraud ring is waging war on commerce, using rapidly changing tactics (Signifyd) Ukraine to Get Thousands More Starlink Antennas, Minister Says (Bloomberg) Ukraine’s Cyber Units Aim to Retain Staff, Keep Services Stable as War Enters Year Two (Wall Street Journal) Top Biden cybersecurity adviser to step down (CNN) Chris Inglis to resign as national cyber director (CyberScoop). First-ever national cyber director Chris Inglis set to retire in coming months: sources (Axios). White House cyber adviser to resign (The Hill) Chris Inglis, Biden's top cyber adviser, plans to leave government in coming months (POLITICO). White House Cyber Director Chris Inglis to Step Down (Bank Info Security) Learn more about your ad choices. Visit megaphone.fm/adchoices

The Godfather banking Trojan has deep roots in older code. FuboTV was disrupted around its World Cup coverage. The Guardian has been hit with an apparent ransomware attack. A threat actor abuses AWS Elastic IP transfer. Moldova may be receiving more Russian attention in cyberspace. CISA releases six industrial control system advisories. Ben Yelin looks at legislation addressing health care security. Our guest is Hugh Njemanze of Anomali with advice on preparing for the holiday break. And criminals are impersonating other criminals' underworld souks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/243 Selected reading. Godfather: A banking Trojan that is impossible to refuse (Group-IB) FuboTV outage during World Cup semifinal was caused by cyberattack (Record) Guardian hit by serious IT incident believed to be ransomware attack (the Guardian) Elastic IP Hijacking — A New Attack Vector in AWS (Mitiga) Telegram Hack Exposes Growing Russian Cyber Threat in Moldova (Balkan Insight) Fuji Electric Tellus Lite V-Simulator (CISA) Rockwell Automation GuardLogix and ControlLogix controllers (CISA) ARC Informatique PcVue (CISA) Rockwell Automation MicroLogix 1100 and 1400 (CISA) Delta 4G Router DX-3021 (CISA) Prosys OPC UA Simulation Server (CISA) The scammers who scam scammers on cybercrime forums: Part 3 (Sophos News) Learn more about your ad choices. Visit megaphone.fm/adchoices

SentinelSneak is out in the wild. XLLs for malware delivery. CERT-UA warns of attacks against the DELTA situational awareness system. FSB cyber operations against Ukraine. Trends in the cyber phases of Russia's hybrid war. Mr. Security Answer Person John Pescatore offers his sage wisdom. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Dr. Chenxi Wang from Rain Capital. And an unusually unpleasant sextortion campaign. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/242 Selected reading. SentinelSneak is not a legitimate SDK. (CyberWire) SentinelSneak: Malicious PyPI module poses as security software development kit (ReversingLabs) Malicious Python Trojan Impersonates SentinelOne Security Client (Dark Reading) Malicious ‘SentinelOne’ PyPI package steals data from developers (BleepingComputer) Cisco research on XLL Abuse. (CyberWire) Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins (Cisco Talos Blog) Ukraine at D+299: Cyber operations 300 days into the war. (CyberWire) Cyber Dimensions of the Armed Conflict in Ukraine (CyberPeace Institute) Ukraine's DELTA military system users targeted by info-stealing malware (BleepingComputer) Ukraine's Delta Military Intel System Hit by Attacks (Infosecurity Magazine) Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (Unit 42) FBI and Partners Issue National Public Safety Alert on Financial Sextortion Schemes | Federal Bureau of Investigation (Federal Bureau of Investigation) HSI, federal partners issue national public safety alert on sextortion schemes (US Immigration and Customs Enforcement) Learn more about your ad choices. Visit megaphone.fm/adchoices

BEC takes aim at physical goods (including food). BlackCat ransomware activity increases. Epic Games settles an FTC regulatory case. The InfraGard database was pulled from a dark web auction site. CISA releases forty-one ICS advisories. Rick Howard interviews author Andy Greenberg. Rob Boyce from Accenture examines holiday cyber threats. The growing value of open source intelligence. Twitter says vox populi, vox dei. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/241 Selected reading. FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food (CISA) Colombian energy supplier EPM hit by BlackCat ransomware attack (BleepingComputer) Events D.C. data published online in apparent ransomware attack (Washington Post) Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Federal Trade Commission) Hacker Halts Sale of FBI's High-Profile InfraGard Database (HackRead) CISA Releases Forty-One Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency) Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications (Carnegie Endowment for International Peace) How open-source intelligence has shaped the Russia-Ukraine war (GOV.UK) Front-line video makes Ukrainian combat some of history’s most watched (Washington Post) Elon Musk Polls Twitter Users, Asking Whether He Should Step Down (Wall Street Journal) Musk asks: Should I stay as CEO? (Computing) Elon Musk’s Twitter Poll Shows Users Want Him to Step Down (Wall Street Journal) Elon Musk’s Twitter poll: 10 million say he should step down (the Guardian) Learn more about your ad choices. Visit megaphone.fm/adchoices

With a recession looming, many business leaders are looking for ways to cut spending wherever possible. And while tool bloat affects many security teams, it can be a challenging problem to tackle for a couple of reasons. First, there’s the fear that security will be lost if a tool is removed. Second, there’s the daunting task of unraveling complex systems. And finally, there’s the perennial talent shortage. Like all challenges in security, they’re made even worse by the fact that there’s not enough people able to tackle them. During this CyberWire-X episode, host Rick Howard, the CyberWire’s CISO, Chief Analyst and Senior Fellow, speaks with Hash Table member Ted Wagner, the CSO of SAP National Security Services, and host Dave Bittner speaks with sponsor ExtraHop Senior Technical Marketing Manager Jamie Moles. They discuss solutions to help business and security leaders to not just address these challenges, but to get more out of their tooling as they do. They discuss strategies for how to determine which tools you actually need and which you can get rid of, as well as the step-change benefits that can be realized when you consolidate, automate, and integrate your security solutions. Learn more about your ad choices. Visit megaphone.fm/adchoices

Don Pezet, CTO of ACI Learning, sits down to share his over 25 years of experience in the industry. Don previously spent time as a field engineer in the financial and insurance industries supporting networks around the world. He co-founded ITProTV in 2012 to help create the IT training that he wished he had when he got started in his IT career. He also shares insights for anyone else wishing to pursue IT, no matter their age or past experience. Don explains how important stepping stones are as you get into this field, stating "know that that first job you get is probably not going to be the job you want to have your whole life, but it's a stepping stone that leads to where you want to get." Don started teaching on the side as well as working in the IT field and explains how much his teaching skills come in handy to help him with his leadership skills, which in turn helps him to be a better CTO, helping his customers. We thank Don for sharing his story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Or Katz from Akamai sits down with Dave to discuss research on highly sophisticated phishing scams and how they are abusing holiday sentiment. This particular threat, most recently has focused on Halloween deals, enticing victims with the chance to win a free prize, including from Dick’s Sporting Goods or Tumi Backpacks. It then requests credit card details to cover the cost of shipment. From mid-September to the end of October 2022, Akamai's research were able uncover and track this threat. This kit mimics well known retail stores in hopes to hijack credit card information, feeding off of people's holiday spirit. The research can be found here: Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment Learn more about your ad choices. Visit megaphone.fm/adchoices

A predatory loan app is discovered embedded in mobile apps. Facebook phishing. GPS disruptions are reported in Russian cities. NSA warns against dismissing Russian offensive cyber capabilities. Farewell, SHA-1. Kevin Magee from Microsoft looks at cyber signals. Our guest is Jason Witty of USAA to discuss the growing risk from quantum computing. And welcome to the world, Leviathans. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/240 Selected reading. Zimperium teams discover new malware in Flutter developed apps (SecurityBrief Asia) Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain (Trustwave) GPS Signals Are Being Disrupted in Russian Cities (WIRED) NSA cyber director warns of Russian digital assaults on global energy sector (CyberScoop) Russia's cyber war machine in Ukraine hasn't lived up to Western hype. Report analyses why (ThePrint) NIST Retires SHA-1 Cryptographic Algorithm (NIST) Historic activation of the U.S. Army’s 11th Cyber Battalion (DVIDS) Learn more about your ad choices. Visit megaphone.fm/adchoices

Trojanized Windows 10 installers are deployed against Ukraine. Alleged booters have been collared, and their sites disabled. A progress report on US anti-ransomware efforts. Suspicion in a cyberattack against India turns toward China. Bryan Vorndran from the FBI’s Cyber Division talks about deep fakes. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance (NCA) on the launch of their Historically Black Colleges and Universities Career Program. And hybrid war and fissures in the underworld. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/239 Selected reading. Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government (Mandiant) Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services (US Department of Justice) Global crackdown against DDoS services shuts down most popular platforms | Europol (Europol) Readout of Second Joint Ransomware Task Force Meeting (Cybersecurity and Infrastructure Security Agency) US finds its ‘center of gravity’ in the fight against ransomware (The Record by Recorded Future) AIIMS cyber attack may have originated in China, Hong Kong (The Times of India) AIIMS Delhi Servers Were Hacked By Chinese, Damage Contained: Sources (NDTV.com) Russia-Ukraine war reaches dark side of the internet (Al Jazeera) Learn more about your ad choices. Visit megaphone.fm/adchoices

The FBI’s InfraGard user data shows up for sale. An update on Iranian cyber operations. NSA warns of Chinese cyber threats. Challenges in sharing data for threat detection and prevention. Legitimately signed drivers are used in targeted attacks. Patch Tuesday addressed a lot of actively exploited issues. Tim Starks from the Washington Post Cybersecurity 202 shares his reporting on ICS vulnerabilities. Our guest is Mike Fey from Island with an introduction to the enterprise browser space. And the US indicts five Russian nationals on sanctions-evasion charges. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/238 Selected reading. FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked (KrebsOnSecurity) Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations (Proofpoint) APT5: Citrix ADC Threat Hunting Guidance (NSA) U.S. agency warns that hackers are going after Citrix networking gear (Reuters) NSA Outs Chinese Hackers Exploiting Citrix Zero-Day (SecurityWeek) Effect of data on Federal agencies' policies. (CyberWire) I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware (Mandiant) Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers (SentinelOne) SAP Security Patch Day December 2022 (Onapsis) December 2022 Security Updates (Microsoft Security Response Center) December Patch Tuesday Updates | 2022 - Syxsense Inc (Syxsense Inc) Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws (BleepingComputer) Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update (Dark Reading) Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698) (Help Net Security) Microsoft Releases December 2022 Security Updates (CISA) Apple security updates (Apple Support) We finally know why Apple pushed out that emergency 16.1.2 update (Macworld) Why You Should Enable Apple’s New Security Feature in iOS 16.2 Right Now (Wirecutter) Apple Releases Security Updates for Multiple Products (CISA) Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 (Citrix) State-sponsored attackers actively exploiting RCE in Citrix devices, patch ASAP! (CVE-2022-27518) (Help Net Security) Citrix Releases Security Updates for Citrix ADC, Citrix Gateway (CISA) VMware Patches VM Escape Flaw Exploited at Geekpwn Event (SecurityWeek) Experts detailed a previously undetected VMware ESXi backdoor (Security Affairs) VMware Releases Security Updates for Multiple products (CISA) Mozilla Releases Security Updates for Thunderbird and Firefox (CISA) Adobe Patches 38 Flaws in Enterprise Software Products (SecurityWeek) CISA Releases Three Industrial Control Systems Advisories (CISA) Five Russian Nationals, Including Suspected FSB Officer, and Two U.S. Nationals Charged with Helping the Russian Military and Intelligence Agencies Evade Sanctions (US Department of Justice) Russian Military and Intelligence Agencies Procurement Network Indicted in Brooklyn Federal Court (US Department of Justice) Learn more about your ad choices. Visit megaphone.fm/adchoices

Uber sustains a third-party breach. A phishing campaign hits Ukrainian in-boxes. The enduring riddle of why Russian offensive cyber operations have failed in Ukraine. Joe Carrigan on credit card skimming. Carole Theriault describes a UK food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. And 2023’s ransomware-as-a-service leader board. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/237 Selected reading. Uber suffers new data breach after attack on vendor, info leaked online (BleepingComputer) Uber has been hacked yet again with code and employee data released online (SiliconANGLE) Uber hit by new data breach — what you need to know (Tom's Guide) Uber’s data breach. (CyberWire) Ukrainian railway, state agencies allegedly targeted by DolphinCape malware (The Record by Recorded Future) Cyber Operations in Ukraine: Russia’s Unmet Expectations (Carnegie Endowment for International Peace) The most prolific ransomware groups of 2022 (Searchlight Security) Learn more about your ad choices. Visit megaphone.fm/adchoices

TrueBot found in Cl0p ransomware attacks. Royal ransomware targets the healthcare sector. Recent Iranian cyber activity. A night at the opera: an update on the cyberattack against the Metropolitan Opera. New Cloud Atlas activity reported. Europe looks to the cybersecurity of its power grid. Rob Boyce from Accenture describes Dark web actors diversifying their toolsets. Rick Howard explains fractional CISOs. And international support for Ukrainian cyber defense continues, more extensively and increasingly overt. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/236 Selected reading. Breaking the silence - Recent Truebot activity (Cisco Talos Blog) New TrueBot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm (The Hacker News) TrueBot infections were observed in Clop ransomware attacks (Security Affairs) Clop ransomware uses TrueBot malware for access to networks (BleepingComputer) Royal Ransomware (US Department of Health and Human Services) US Dept of Health warns of ‘increased’ Royal ransomware attacks on hospitals (The Record by Recorded Future) Iran-Backed MuddyWater's Latest Campaign Abuses Syncro Admin Tool (Dark Reading) MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics (The Hacker News) New MuddyWater Campaign Uses Legitimate Remote Administration Tools to Deploy Malware (Cyber Security News) Shows will go on at Met Opera despite cyber-attack that crashed network (ABC7 New York) Cyberattack disrupts Metropolitan Opera (SC Media) Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine (Check Point Research) APT Cloud Atlas: Unbroken Threat (Positive Technologies) European Electricity Sector Lacks Cyber Experts as Ukraine War Raises Hacking Risks (Wall Street Journal) How the US has helped counter destructive Russian cyberattacks amid Ukraine war (The Hill) The Australian company training Ukrainian veterans in cybersecurity (Australian Financial Review) How Proton intends to thwart Russian cybercensorship with its VPN (HiTech Wiki) Cyber Lessons Learned from the War in Ukraine (YouTube) War in Ukraine Dominated Cybersecurity in 2022 (CNET) Learn more about your ad choices. Visit megaphone.fm/adchoices

Historically, the U.S. government has relied almost solely on its own intelligence analysis to inform strategic decisions. This has been especially true surrounding geopolitical events and nation-level cybersecurity situations. However, the explosion of assets being connected to the internet, along with the fact that most critical infrastructure is owned by private sector organizations, means that commercially developed cyber threat intelligence is being generated at a faster pace than ever before. In the Russia/Ukraine conflict, we saw how commercially generated satellite intelligence played a critical role in alerting the public and ensuring our allies were ready for an invasion. At LookingGlass, we believe commercial threat intelligence can provide similar anticipatory insight – and that it can be shared more easily and quickly than intelligence generated solely by the U.S. government. Ultimately, the public and private sectors need to work together to protect the interests of the American people. Currently, both private industry and academia are targeted by foreign adversaries, just as are government agencies. This means that commercial entities also have access to adversary tactics, techniques, and procedures (TTPs) and indicators of compromise, and they have that access from a different perspective, which is valuable intelligence for the government. On this episode of CyberWire-X, host Rick Howard, the CyberWire’s CISO, Chief Analyst and Senior Fellow, speaks with Hash Table member Wayne Moore, CISO at Simply Business, and host Dave Bittner speaks with Bryan Ware, CEO at episode sponsor LookingGlass Cyber Solutions. They’ll discuss why the U.S. government needs commercial cyber threat intelligence now more than ever before and how both the public and private sectors will benefit from closer, trusted cyber partnerships. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jameeka Aaron, Chief Information Security Officer at Auth0, a product unit of Okta, sits down to share her story following two different paths that led her to where she is today. Jameeka has 20 years of IT and cybersecurity experience and has mitigated security risks at Nike, the U.S. Navy, and now Auth0. She joined the Navy not knowing what she wanted to do after high school and ended up becoming a Radioman, which is now titled IT. She shares her experiences of challenges she faced being the youngest, and the only woman, and the only woman of color in her group. She followed two different paths, getting an education as well as being in the Navy, and started her career at Lockheed Martin Mission Systems in San Diego. She eventually found her way to Auth0 in 2018. She says "I realized cybersecurity folks can do anything, everywhere. We're everywhere, we're in every industry and so I started to kind of say, I wanna work on programs that are fun for me." We thank Jameeka for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices