
CyberWire Daily
3,655 episodes — Page 30 of 74
S6 Ep 1689: US unseals cases against PRC intelligence officers. Daixin ransomware is an active threat. FBI warns of Iranian threat group. Iran’s nuclear agency discloses hack. Hybrid war and threats to infrastructure.
Breaking: US unseals three cases against Chinese intelligence officers. CISA says Daixin Team ransomware is an active threat. The FBI warns of an Iranian threat group's activity. Meanwhile the Iranian nuclear agency says its email was hacked. Norway is concerned about threats to oil and gas infrastructure. A drop in ransomware correlates with Russia's hybrid war. Ann Johnson from Afternoon Cyber Tea speaks with AJ Yawn from ByteChek about breaking into the cybersecurity industry. Josh Ray from Accenture describes threats to the satellite industry. And cyber offense may be proving harder than thought. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/204
Selected reading.
CISA Alert AA22-294A – #StopRansomware: Daixin Team. (CyberWire)
#StopRansomware: Daixin Team (CISA)
CISA Warns of Daixin Team Hackers Targeting Health Organizations With Ransomware (The Hacker News)
Iranian Cyber Group Emennet Pasargad Conducting Hack-and-Leak Operations Using False-Flag Personas (FBI)
FBI warns Iranian hackers active ahead of the U.S. midterms (NBC News)
FBI Warns of Attacks From Iranian Threat Group Emennet Pasargad (Decipher)
Iran Hackers Behind Attempt on US Election Are Still Active (Gov Info Security)
FBI warns of ‘hack-and-leak’ operations from group based in Iran (The Record by Recorded Future)
Iran's Atomic Energy Agency Says Its E-Mail Server Was Hacked (RadioFreeEurope/RadioLiberty)
Iran says ‘specific foreign country’ behind hacktivist leak of atomic energy emails (The Record by Recorded Future)
Iran’s Top Nuclear Agency Says Its Email Servers Were Hacked (Bloomberg)
Ukraine Could Still Face Cyberattacks, Experts Say (CNET)
Fears over Russian threat to Norway's energy infrastructure (AP NEWS)
Norway PM: Russia poses ‘real and serious’ cyber threat to oil and gas industry (The Record by Recorded Future)
Ukraine war cuts ransomware as Kremlin co-opts hackers (The Telegraph)
Q&A: Kenneth Geers on the cyber war between Ukraine and Russia (The Record by Recorded Future)
Learn more about your ad choices. Visit megaphone.fm/adchoices
S1 Ep 35: CISA Alert AA22-294A – #StopRansomware: Daixin Team. [CISA Cybersecurity Alerts]
FBI, CISA, and the Department of Health and Human Services are releasing this joint advisory to provide information on the Daixin Team, a cybercrime group that is actively targeting U.S. businesses, predominantly in the Healthcare and Public Health Sector.
AA22-294A Alert, Technical Details, and Mitigations
StopRansomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
Ongoing Threat Alerts and Sector Alerts are produced by the Health Sector Cybersecurity Coordination Center (HC3) and can be found at hhs.gov/HC3. For additional best practices for healthcare cybersecurity issues, see the HHS 405(d) Aligning Health Care Industry Security Approaches at 405d.hhs.gov.
CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected].
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office.
S3 Ep 122: Megan Doherty: Conquer barriers in the workforce. [Technical Specialist] [Career Notes]
Megan Doherty, a Technical Specialist from Microsoft Canada, sits down to share her story of overcoming barriers in the workforce to get to where she is today in her career. Megan started out as a mechanical engineer before making the switch to do something with more creativity and problem solving. She shares her passion for working with a group Microsoft created called "DigiGirlz," as well as for working with her team, who she says help her face the adversity in her career. Megan said, "There's so many barriers, just even mentally that we put on ourselves when it comes to looking for a career change or even thinking of cybersecurity as your next career path." She hopes that she leaves a legacy of kindness and compassion behind, especially in the industry she works in. We thank Megan for sharing her story with us.
S5 Ep 255: New tools target governments in Middle East? [Research Saturday]
Dick O'Brien from Symantec's Threat Hunter team sits down with Dave to discuss their work on "Witchetty - Group Uses Updated Toolset in Attacks on Governments in Middle East." Their research has found that the group known as Witchetty, aka LookingFrog, has been progressively updating its toolset, including a new backdoor Trojan (Backdoor.Stegmap), to launch malware attacks on targets in the Middle East and Africa. The research states, "The attackers exploited the ProxyShell and ProxyLogon vulnerabilities to install web shells on public-facing servers before stealing credentials, moving laterally across networks, and installing malware on other computers." The researchers describe more on the new tool being used and why this group is a threat. The research can be found here: Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East
S6 Ep 1688: Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. OldGremlin ransomware is an outlier.
Blackbyte's new exfiltration tool. Hijacking student accounts for BEC. Zhora calls Russia's cyber campaigns a failure. Caleb Barlow explores new thinking for incident response. Our guest is Jon Hencinski of Expel, tracking the latest threat trends. OldGremlin ransomware is an outlier. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/203
Selected reading.
Exbyte: BlackByte Ransomware Attackers Deploy New Exfiltration Tool (Symantec)
Hijacking Student Accounts to Launch BEC-Style Attacks (Avanan)
This sneaky kind of cybercrime rules them all (Washington Post)
Russia Failing to Reach Cyber War Goals, Ukrainian Official Says (Meritalk)
EU supports cybersecurity in Ukraine with over €10 million - EU NEIGHBOURS east (EU NEIGHBOURS east)
Gremlins’ prey, secrets, and dirty tricks: the ransomware gang OldGremlin set new records (Group-IB)
OldGremlin hackers use Linux ransomware to attack Russian orgs (BleepingComputer)
OldGremlin, which targets Russia, debuts new Linux ransomware (Computing) It is one of the few ransomware groups in the world that prefer to target Russian organisations, but this may change, experts advise
More Russian Organizations Feeling Ransomware Pain (Bank Info Security)
S6 Ep 1687: Notes and lessons on the hybrid war. Update on Zimbra exploitation. Microsoft fixes misconfigured storage. The state of the cyber workforce. Trends in phishing and ransomware.
DDoS as misdirection. NSA shares lessons learned from cyber operations observed in Russia's war against Ukraine. Advice from CISA on Zimbra. A misconfigured Microsoft storage endpoint has been secured. Notes from a study on the cybersecurity workforce. The cost to businesses of phishing. Betsy Carmelite from Booz Allen Hamilton on managing mental health in the cyber workforce. Our guest is Ismael Valenzuela of Blackberry with insights on "The Cyber Insurance Gap". And updates to the ransomware leaderboard. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/202
Selected reading.
Bulgarian cyberattack: Sabotage as a cover for spying? (Deutsche Welle)
Bulgarian websites impacted by Killnet DDoS attack (SC Media)
Lessons From Ukraine: NSA Cyber Chief Lauds Industry Intel (Meritalk)
NSA Cybersecurity Director's Six Takeaways From the War in Ukraine (Infosecurity Magazine)
NSA cyber chief says Ukraine war is compelling more intelligence sharing with industry (CyberScoop)
Investigation Regarding Misconfigured Microsoft Storage Location (Microsoft Security Response Center)
2019 Cybersecurity Workforce Study ((ISC)²)
The Business Cost of Phishing (Ironscales)
Leading Ransomware Variants Q3 2022 (Intel471)
S6 Ep 1686: Dispatches from the hybrid war, as auxiliaries on both sides skirmish in cyberspace. An Azure vulnerability patched. Trends in ransomware. And Social Security phishbait.
Killnet explains its actions against Bulgaria's government. The National Republican Army claims successful attacks on Russian companies. The Director of Germany's BSI is out. A vulnerability in Azure, disclosed and patched. Trends in ransomware. Carole Theriault has a fresh look at the ransomware question: to pay or not to pay? Tim Eades from Cyber Mentor Fund considers cyber insurance for small and medium-sized businesses. Social Security phishing. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/201
Selected reading.
Cyberattack disrupts Bulgarian government websites over ‘betrayal to Russia’ (The Record by Recorded Future)
Russians Against Putin: NRA Claims Massive Hack of Russian Government Contractors’ Computers - Kyiv Post - Ukraine's Global Voice (Kyiv Post)
Germany fires cybersecurity chief after reports of possible Russia ties (Reuters)
German Cybersecurity Chief Sacked Over Alleged Russia Ties (SecurityWeek)
German cyber chief suspended following allegation he associated with Russian intelligence (The Record by Recorded Future)
FabriXss (CVE-2022-35829): How We Managed to Abuse a Custom Role User Using CSTI and Stored XSS in Azure Fabric Explorer (Orca Security)
Ransomware In Q3 2022 (Digital Shadows)
Fresh Phish: A New Social Security Phishing Scam Preys Upon Our Biggest Worries (INKY)
S6 Ep 1685: Mobilizing DDoS-as-a-service. Interpol takes down Black Axe gang members. Trends in phishing. Spyder Loader active in Hong Kong. Europol announces arrests in keyless car hacking case.
Mobilizing DDoS-as-a-service. Interpol takes down Black Axe gang members. A look at phishing trends. Spyder Loader is active in Hong Kong. Joe Carrigan looks at Google’s launch of passwordless authentication. Our guest is Dr. Eman El-Sheikh from the University of West Florida's Center for Cybersecurity on NSA-funded National Cybersecurity Workforce Development Programs. And Europol announces arrests in a case of keyless car hacking. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/200
Selected reading.
Project DDOSIA Russia's answer to disBalancer (Radware)
Russian DDOSIA Project Pays Volunteers to Participate in DDOS Attacks on Western Companies (Gridinsoft Blogs)
International crackdown on West-African financial crime rings (Interpol)
Giant online scamming syndicate 'Black Axe' destroyed in Interpol-led operation (teiss)
INTERPOL-led Operation Takes Down 'Black Axe' Cyber Crime Organization (The Hacker News)
Operation Jackal: Interpol arrests Black Axe fraud suspects (Register)
When the Black Axe falls: cybercrime suspects detained in global bust (Cybernews)
International Police Action Blunts Black Axe Criminal Group - HS Today (Hstoday)
Q3 2022 Cofense Phishing Intelligence Trends Review (Cofense)
Spyder Loader: Malware Seen in Recent Campaign Targeting Organizations in Hong Kong (Symantec)
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason)
31 arrested for stealing cars by hacking keyless tech | Europol (Europol)
European gang that sold car hacking tools to thieves arrested (The Record by Recorded Future)
S6 Ep 1684: Tata Power sustains cyberattack. Influence operations and battlespace prep. Ransom Cartel looks a lot like REvil. Notes from Russia’s hybrid war.
There’s been a cyberattack against Tata Power. The FBI warns US state political parties of Chinese scanning. Russian influence ops play defense; China’s are on the offense. Ransom Cartel and a possible connection to REvil. "Prestige" ransomware is sighted in attacks on Polish and Ukrainian targets. Distributed denial-of-service attacks interfere with Bulgarian websites. Grayson Milbourne of OpenText Security Solutions on SBOMs. Our own Rick Howard checks in with Bryan Willett of Lexmark on implementation of Zero Trust. And Mr. Musk tweets his intention to continue to subsidize Starlink for Ukraine (probably). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/199
Selected reading.
Hackers Attack Tata Power IT Systems: All You Need To Know (IndiaTimes)
Chinese hackers are scanning state political party headquarters, FBI says (Washington Post)
The Defender's Advantage Cyber Snapshot Issue 2 — More Insights From the Frontlines (Mandiant)
Ransom Cartel Ransomware: A Possible Connection With REvil (Unit 42)
New “Prestige” ransomware impacts organizations in Ukraine and Poland (Microsoft Security Threat Intelligence)
Bulgarian Government Hit By Cyberattack Blamed On Russian Hacking Group (RadioFreeEurope/RadioLiberty)
'The hell with it': Elon Musk tweets SpaceX will 'keep funding Ukraine govt for free' amid Starlink controversy (CNBC)
Starlink isn't a charity, but the Ukraine war isn't a business opportunity (TechCrunch)
S3 Ep 121: Amanda Adams: Pivoting into the tech world. [VP] [Career Notes]
Amanda Adams, VP of Americas Alliances at CrowdStrike, sits down to share her story of how she pivoted into the tech field. She started her career wanting to be involved with sports; after getting her master's degree, Amanda was faced with a difficult choice between working for the Golden State Warriors and Cisco. She ultimately chose Cisco as her path forward and has been working in technology ever since. Now she works on a team where she gets to use her social skills and is focused on partnerships. She says that working in technology doesn't just have to mean working with technology; there are many other ways you can get involved with the field. Amanda says, "you can always pivot into the technology industry and support the broader mission by doing that job function." We thank Amanda for sharing her story.
S1 Ep 40: Cyber confidence: Knowing what you have and where it is. [CyberWire-X]
Between multi-cloud deployments, more employees working remotely, and increasing use of SaaS applications, the number of entry points for attackers to infiltrate your systems has exploded. But gaining visibility into all these possible attack vectors is time-consuming and often incomplete, or just a snapshot in time. If the first rule of cyber is to “know what you have,” how can cyber professionals get a comprehensive, current picture of their assets? How can they feel confident that they understand which assets may be more vulnerable, and prioritize defenses accordingly? In the first half of this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by Hash Table member Jaclyn Miller, the Head of InfoSec & IT at DispatchHealth. In the second half of the episode, Cody Pierce, Chief Product Officer at episode sponsor LookingGlass Cyber Solutions, talks with Dave Bittner. Listen to the discussions about answering the foundational cyber questions (What do I have? Is it protected?), why context is critical, and how an adversarial perspective helps you be a better defender.
S5 Ep 254: Noberus ransomware: evolving tactics. [Research Saturday]
Brigid O Gorman from Symantec's Threat Hunter team joins Dave to discuss their research on "Noberus Ransomware - Darkside and BlackMatter Successor Continues to Evolve its Tactics." The research states that Noberus ransomware (aka BlackCat, ALPHV) is more dangerous than ever because attackers have been using new tactics, tools, and procedures in recent months. In the research, Symantec says, "Among some of the more notable developments has been the use of a new version of the Exmatter data exfiltration tool, and the use of Eamfo, information-stealing malware that is designed to steal credentials stored by Veeam backup software." They also take an in-depth look at how its affiliate program operates. The research can be found here: Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics
S6 Ep 1683: Phishing for poll watchers. Impersonating Intrusion Truth. Data breach at the LDS Church. SpaceX asks for help paying for Ukraine’s Starlink. Killnet’s potential. The gamer’s attack surface.
County election workers find themselves targets of phishing. Impersonating Intrusion Truth. The LDS Church discloses data compromise. SpaceX asks for Starlink funding. Does Killnet have potential to do more damage than it so far has? Deepen Desai from Zscaler on Joker, Facestealer and Coper banking malware on the Google Play store. Our guest is Maxime Lamothe-Brassard of LimaCharlie to discuss how cybersecurity is following in the footsteps of software engineering. And the gamers’ attack surface? It’s big, big, really big, Noobs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/198
Selected reading.
2022 Election Phishing Attacks Target Election Workers (Trellix)
Suspicious Twitter accounts impersonating research group try to blame the NSA for Chinese hacks (The Daily Dot)
Statement and FAQ on Church Account Data Incident (Church of Jesus Christ of Latter Day Saints)
Exclusive: Musk's SpaceX says it can no longer pay for critical satellite services in Ukraine, asks Pentagon to pick up the tab (CNN)
Killnet: don't underestimate the “script kiddies,” experts say (Cybernews)
Gaming Is Booming. That’s Catnip for Cybercriminals. (New York Times)
S6 Ep 1682: What the cybercriminals are up to: improving their tools and carrying out the same old dreary social engineering. Budworm APT sightings. And the state of Russia’s hybrid war.
Emotet ups its game. COVID-19 small business grants as phishbait. Google Translate is spoofed for credential harvesting. Research on the Budworm espionage group. Kevin Magee from Microsoft shares why cybersecurity professionals should join company boards. Our guest is Chris Niggel from Okta with a look at identity shortfalls. And Internet outages during missile strikes, and the prospects of Russia’s hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/197
Selected reading.
Emotote’s evolution. (ESET)
Fresh Phish: Small Business COVID-19 Grants Designed for Disaster (INKY)
Spoofing Google Translate to Steal Credentials (Avanan)
Budworm: Espionage Group Returns to Targeting U.S. Organizations (Symantec Blog)
Internet outages hit Ukraine following Russian missile strikes (Bitdefender)
Starlink helped restore energy, communications infrastructure in parts of Ukraine - official (Reuters)
Ukraine’s Vice PM Thanks Starlink for Help to Restore Connections After Missile Attack from Russia (Tech Times)
We must tackle Europe’s winter cyber threats head-on (POLITICO)
The conflict in Ukraine makes us rethink cyberwar (The Japan Times)
S6 Ep 1681: Caffeine in the C2C market. Refund-fraud-as-a-service. Costs of a nuisance. Staying alert during a hybrid war. Renewed Polonium activity. The Uber case's impact on security professionals.
Refund fraud as a service. Costs of a nuisance. Remaining on alert during a hybrid war. Renewed activity by Polonium. Andrea Little Limbago from Interos discussing quantum computing policy. CyberWire Space Correspondent Maria Varmazis speaks with Dr. Gregory Falco on lessons learned from Russia’s attack on Viasat. Reflections on the Uber case's impact on security professionals. And when it comes to phishing-as-a-service, we’ll take decaf. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/196
Selected reading.
The Fresh Phish Market: Behind the Scenes of the Caffeine Phishing-as-a-Service Platform (Mandiant)
Caffeine phishing. (CyberWire)
Refund Fraud as a Service (Netacea)
Amid reports of JP Morgan cyberattack, experts call Killnet unsophisticated, ‘media hungry’ (SC Media)
Hacktivists Force Companies to Respond to Low-Level Cyberattacks (Wall Street Journal)
Nato warns Russian sabotage on Western targets 'could trigger Article 5' (The Telegraph)
US Not Ruling Out Russian Cyber Offensive (VOA)
Ukraine at D+230: Escalation, but unlikely to be sustainable. (CyberWire)
POLONIUM targets Israel with Creepy malware (WeLiveSecurity)
Hacking group POLONIUM uses ‘Creepy’ malware against Israel (BleepingComputer)
Security chiefs fear ‘CISO scapegoating’ following Uber-Sullivan verdict (The Record)
Sullivan verdict sends shockwaves through the security industry (Security Info Watch)
Reflections on the Uber case's impact on security. (CyberWire)
S6 Ep 1680: An update on the hybrid war, where Russia turns to missile strikes, physical sabotage, and nuisance-level DDoS. Surveys look at the state of the SOC and the mind of the CISO.
Russia's Killnet suspected in DDoS attack on major US airports. Starlink service interruptions reported. Bundesbahn communications network sabotaged in northern Germany. Germany's cybersecurity chief faces scrutiny over alleged ties to Russia. Ben Yelin on the FCC's crackdown on robocalls. Ann Johnson from Afternoon Cyber Tea talking with Sounil Yu from JupiterOne about the importance and evolution of cyber resilience. Overworked CISOs may be a security risk, but in an encouraging counterpoint, another study shows a record of CISO success during the pandemic. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/195
Selected reading.
US Airport Websites Hit by Suspected Pro-Russian Cyberattacks (SecurityWeek)
Hackers knock some U.S. airport websites offline (Washington Post)
Hackers took down U.S. airport web sites, Department of Homeland Security confirms (USA TODAY)
Pro-Russian hackers claim responsibility for taking down US airport websites (Computing)
US airports' sites taken down in DDoS attacks by pro-Russian hackers (BleepingComputer)
Pro-Putin goons target US airport websites with DDoS flood (Register)
Russian Sanctions Instigator Lloyd’s Possibly Hit by Cyber-Attack (Infosecurity Magazine)
Lloyd's of London reboots network after suspicious activity (Register)
Colorado.gov Back Online After Cyber Attack (GovTech)
Defending Ukraine: SecTor session probes a complex cyber war (IT World Canada)
Ukrainian officials reportedly say there have been 'catastrophic' Starlink outages in recent weeks (Business Insider)
Frontline Ukraine troops are reportedly enduring Starlink outages (Engadget)
Elon Musk’s foray into geopolitics has Ukraine worried (The Economist)
Elon Musk needs to clarify Ukraine's reported Starlink outages: Kinzinger (Newsweek)
Attack on German Rail Network ‘Targeted, Professional,’ Police Say (Bloomberg)
An act of sabotage shut down parts of Germany's rail system for hours this weekend (NPR.org)
Germany rail chaos could have been caused by Russia, says MP (The Telegraph)
Sabotage blamed for major disruption on Germany’s rail network (The Telegraph)
No sign that foreign state was behind German rail sabotage, police say (Reuters)
Germany Won’t Rule Out Foreign Country Role in Rail Sabotage (Bloomberg)
Germany's cybersecurity chief faces dismissal, reports say (Reuters)
German cybersecurity chief investigated over Russia ties (ABC News)
German Cybersecurity Chief to be Sacked Over Alleged Russia Ties: Sources (SecurityWeek)
„Wir müssen wachsam bleiben“ (“We must remain vigilant”) (Tagesspiegel)
1 in 5 Chief Information Security Officers (CISOs) Work More Than 25 Extra Hours Per Week (Tessian)
2022 Devo SOC Performance Report (Devo)
2022 Deloitte-NASCIO Cybersecurity Study (Deloitte Insights)
Cybersecurity Survey of State CISOs Identifies Many Positive Trends (PR Newswire)
S3 Ep 129: CyberWire’s space correspondent, Maria Varmazis, interviews Anthony Colangelo. [Interview Selects]
This interview from September 23rd, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, CyberWire’s space correspondent, Maria Varmazis, interviews Anthony Colangelo, host of the spaceflight podcast “Main Engine Cutoff,” about the upcoming Apple iPhone 14 “Emergency SOS via Satellite” feature and what it means for satellite communications in the consumer sector.
S2 Ep 19: Moving Faster - Securely. Why Your Org Should Add Security to your DevOps Program [Security Sandbox]
In today’s episode, our sandbox heads to the deployment pipeline for a conversation on the who, what, when, and why of a DevSecOps program and how it adds value to your business. And your main question: how you can encourage buy-in and adoption. Joining me today are Marcin Swiety, Relativity’s Senior Director of Global Security and IT, and Raphael Theberge, Director of Security Integrations. So, grab your DORA metrics, your source controls, and staging environments, and let’s dive in.
Ep 39: Pentest reporting and the remediation cycle: Why aren’t we making progress? [CyberWire-X]
The age-old battle between offensive and defensive security practitioners is most often played out in the penetration testing cycle. Pentesters ask, “Is it our fault if they don’t fix things?” while defenders drown in a sea of unprioritized findings and legacy issues, wondering where to even start. But the real battle shouldn’t be between the teams; it should be against the real adversaries. So why do pentesters routinely come back and find the same things they reported a year ago? Do the defenders just not care, or does the onus fall on the report? Everyone really wants the same thing: better security. To get there, the primary communication tool between consultant and client, offensive and defensive teams — the pentest report — must be consumable, actionable, and tailored to the audience who receives it. In the first half of this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined by Hash Table members Amanda Fennell, the CIO and CSO of Relativity, and William MacMillan, the SVP of Security Product and Program Management at Salesforce. In the second half of the episode, Dan DeCloss, the Founder and CEO of episode sponsor PlexTrac, joins Dave Bittner to discuss the politics around pentest reporting and how better reports can support real progress.
S3 Ep 120: Payal Chakravarty: Overcoming bias in the workplace. [Security and Risk] [Career Notes]
Payal Chakravarty, Head of Product for Security and Risk at Coalition, sits down to share her story of working at several different organizations, including interning for IBM and Microsoft. After obtaining her master's degree, she worked with IBM more closely and fell in love with one of the projects she was working on. Payal had a very interesting career path, going from physical to virtual, virtual to cloud, and now cloud to containers. She says that there is still some bias she has dealt with as a woman in her field: "I think the way you handle it is you negotiate or you kind of calmly handle the situation, there's no ego involved." Payal shares that in working in this field you need to be in love with it, giving the advice not to choose a job just because of the money or because it's cool, but because you feel connected to it as a profession. We thank Payal for sharing her story.
S5 Ep 253: Google Drive used for malware? [Research Saturday]
Jen Miller-Osborn from Palo Alto Networks' Unit 42 joins Dave to discuss their recent work on "Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive." The research shares insight into an active campaign from Russia’s Foreign Intelligence Service that is leveraging trusted, legitimate cloud services, including Google Drive, as a staging platform to deliver malware. The research states that when these tactics are used, it is extremely difficult for organizations to detect the malicious activity connected with the campaign. These tactics are used to collect victim information, evade detection, and deliver Cobalt Strike. The research can be found here: Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive
S6 Ep 1679: A US EO addresses EU data privacy concerns. China’s favorite CVEs. Election security and credit risk. COVID phishbait. Notes from the hybrid war, including some really motivated draft evaders.
A US Executive Order outlines US-EU data-sharing privacy safeguards. CISA, NSA, and the FBI list the top vulnerabilities currently being exploited by China. A look at election security and credit risk to US states. COVID-19-themed social engineering continues. Robert M. Lee from Dragos on securing the food and beverage industry. Carole Theriault interviews Joel Hollenbeck from Check Point Software on threat actors phishing school board meetings. Notes from the hybrid war: Killnet and US state government sites, the prospects of deterrence in cyberspace, and, finally, maybe the most motivated draft evaders in military history. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/194
Selected reading.
FACT SHEET: President Biden Signs Executive Order to Implement the European Union-U.S. Data Privacy Framework (The White House)
Top CVEs Actively Exploited By People’s Republic of China State-Sponsored Cyber Actors (CISA)
Government credit risk associated with election risk (CyberWire)
Exploiting COVID-19: how threat actors hijacked a pandemic (Proofpoint)
Ukraine at D+125: Abandoned tanks and discontented hawks. (CyberWire)
Department Press Briefing – October 6, 2022 - United States Department of State (United States Department of State)
2 Russians fleeing military service reach remote Alaska island (Military Times)
S1 Ep 34CISA Alert AA22-279A – Top CVEs actively exploited by People’s Republic of China state-sponsored cyber actors.
This joint Cybersecurity Advisory provides the top CVEs used by the People’s Republic of China state-sponsored cyber actors. PRC cyber actors continue to exploit these known vulnerabilities and use publicly available tools to target networks of interest. PRC state-sponsored cyber actors have actively targeted U.S. and allied networks as well as software and hardware companies to steal intellectual property and develop access into sensitive networks. AA22-279A Alert, Technical Details, and Mitigations For more information on PRC state-sponsored malicious cyber activity, see CISA’s China Cyber Threat Overview and Advisories webpage, FBI’s Industry Alerts, and NSA’s Cybersecurity Advisories & Guidance. People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected] To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office.
S6 Ep 1678Updated mitigations for ProxyNotShell. Lloyd’s investigates cyber incident. Killnet hits US state government sites. Election security. Credential theft. Verdict in Uber breach case.
Microsoft updates mitigations for ProxyNotShell. Lloyd's of London investigates a suspected cyberattack. Killnet hits networks of US state governments. The FBI and CISA weigh in on election security. Credential theft in the name of Zoom. Tim Eades from Cyber Mentor Fund on the move to early-stage investing in times of war and recession. Our guest is Nick Lumsden of Tenacity Cloud on cloud infrastructure sprawl. The former security chief at Uber was found guilty in a case involving data breach cover-up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/193 Selected reading. Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center) Microsoft updates guidance for ‘ProxyNotShell’ bugs after researchers get around mitigations (The Record by Recorded Future) Microsoft Updates Mitigation for Exchange Server Zero-Days (Dark Reading) Microsoft updates mitigation for ProxyNotShell Exchange zero days (BleepingComputer) Lloyd's of London investigates possible cyber attack (Reuters) Insurance giant Lloyd’s of London investigating cyberattack (The Record by Recorded Future) Russian-speaking hackers knock US state government websites offline (CNN) Malicious Cyber Activity Against Election Infrastructure Unlikely to Disrupt or Prevent Voting (FBI and CISA) FBI: Cyberattacks targeting election systems unlikely to affect results (BleepingComputer) Zoom: 1 Phish, 2 Phish Email Attack (Armorblox) Former Uber Security Chief Found Guilty of Obstructing FTC Probe (Wall Street Journal) Former Uber security chief convicted of covering up 2016 data breach (Washington Post) Uber’s Former Security Chief Convicted of Data Hack Coverup (Bloomberg) Former Uber Security Chief Found Guilty of Hiding Hack From Authorities (New York Times) Former Uber CISO Joe Sullivan Found Guilty Over Breach Cover Up (SecurityWeek)
S6 Ep 1677Sniffing at the DIB. Sideloading cryptojacking campaign. Nord Stream and threats to critical infrastructure. US Cyber Command describes hunting forward in Ukraine. Fraud meets romance.
Data’s stolen from a US "Defense Industrial Base organization." A major sideloading cryptojacking campaign is in progress. Nord Stream and threats to critical infrastructure. US Cyber Command describes "hunt forward" missions in Ukraine. Andrew Hammond from SpyCast speaks with hacker Eric Escobar about the overlap of traditional intelligence and cybersecurity. Our guest is AJ Nash from ZeroFox with an update on the current threat landscape. Fraud meets romance. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/192 Selected reading. Impacket and Exfiltration Tool Used to Steal Sensitive Information from Defense Industrial Base Organization (CISA) CISA: Multiple government hacking groups had ‘long-term’ access to defense company (The Record by Recorded Future) US Govt: Hackers stole data from US defense org using new malware (BleepingComputer) Side-Loading OneDrive for profit – Cryptojacking campaign detected in the wild (Bitdefender Labs) Drone-loaded seabed ship is latest weapon in Royal Navy's arsenal to counter Russian threat (The Telegraph) Opinion Undersea pipeline sabotage demands the West prepare for more attacks (Washington Post) Ukraine Hasn’t Won the Cyber War Against Russia Yet (World Politics Review) USCYBERCOM Executive Director David Frederick Outlines Cyber Threats & Highlights Importance of Industry Partnerships (GovCon Wire) Romance scammer and BEC fraudster sent to prison for 25 years (Naked Security)
S1 Ep 33CISA Alert AA22-277A – Impacket and exfiltration tool used to steal sensitive information from defense industrial base organization.
From November 2021 through January 2022, CISA responded to APT activity against a Defense Industrial Base organization’s enterprise network. During incident response activities, CISA discovered that multiple APT groups compromised the organization’s network, and some APT actors had long-term access to the environment. APT actors used an open-source toolkit called Impacket to gain their foothold within the environment and further compromise the network, and also used a custom data exfiltration tool, CovalentStealer, to steal the victim’s sensitive data. AA22-277A Alert, Technical Details, and Mitigations CISA Cyber Hygiene Services Malware Analysis Report (MAR)-10365227-1.stix MAR-10365227-2.stix MAR-10365227-3.stix CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected] To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office.
S6 Ep 1676CISA issues Binding Operational Directive 23-01. LAUSD says ransomware operators missed most sensitive PII. Trends in API protection SaaS security. Making a pest of oneself in a hybrid war.
CISA issues a Binding Operational Directive. An LA school district says ransomware operators missed most sensitive PII. An API protection report describes malicious transactions. Analysis of cyber risk in relation to SaaS applications. Joe Carrigan describes underground groups using stolen identities and deepfakes. Our guest is Eve Maler from ForgeRock on consumer identity breaches. And someone is making a nuisance of themselves in Russia. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/191 Selected reading. Binding Operational Directive 23-01 (CISA) CISA Directs Federal Agencies to Improve Cybersecurity Asset Visibility and Vulnerability Detection (Cybersecurity and Infrastructure Security Agency) CISA aims to expand cyber defense service across fed agencies, potentially further (Federal News Network) CISA directs federal agencies to track software and vulnerabilities (The Record by Recorded Future) Student, Teacher Data Not Affected in Los Angeles School District Hack (Wall Street Journal) ‘No evidence of widespread impact,’ LAUSD says of data released by hackers (KTLA) New API Threat Research Shows that Shadow APIs Are the Top Threat Vector (Cequence Security) Secureworks State of the Threat Report 2022: 52% of ransomware incidents over the past year started with compromise of unpatched remote services (Secureworks) Russian Citizens Wage Cyberwar From Within (Kyiv Post) Russian Hackers Take Aim at Kremlin Targets: Report (Infosecurity Magazine) Russian retail chain 'DNS' confirms hack after data leaked online (BleepingComputer)
S6 Ep 1675Microsoft Exchange zero-days exploited. Supply chain attack reported. New Lazarus activity. Mexican government falls victim to hacktivism. Hacking partial mobilization. Former insider threat.
Two Microsoft Exchange zero-days exploited in the wild. A supply chain attack, possibly from Chinese intelligence services. There’s new Lazarus activity: bring-your-own-vulnerable-driver. The Mexican government falls victim to apparent hacktivism. Flying under partial mobilization’s radar. Betsy Carmelite from Booz Allen Hamilton talks about addressing the cyber workforce skills gap. Our guest Rachel Tobac from SocialProof Security brings a musical approach to security awareness training. How’s your off-boarding program working out? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/190 Selected reading. Microsoft Releases Guidance on Zero-Day Vulnerabilities in Microsoft Exchange Server (CISA) Customer Guidance for Reported Zero-day Vulnerabilities in Microsoft Exchange Server (Microsoft Security Response Center) Warning: New attack campaign utilized a new 0-day RCE vulnerability on Microsoft Exchange Server (GTSC) URGENT! Microsoft Exchange double zero-day – “like ProxyShell, only different” (Naked Security) Microsoft confirms two Exchange Server zero days are being used in cyberattacks (The Record by Recorded Future) Microsoft confirms new Exchange zero-days are used in attacks (BleepingComputer) Two Microsoft Exchange zero-days exploited in the wild. (CyberWire) CISA Adds Three Known Exploited Vulnerabilities to Catalog (CISA) Suspected Chinese hackers tampered with widely used customer chat program, researchers say (Reuters) Report: Commercial chat provider hijacked to spread malware in supply chain attack (The Record by Recorded Future) CrowdStrike Falcon Platform Identifies Supply Chain Attack via a Trojanized Comm100 Chat Installer (crowdstrike.com) Amazon‑themed campaigns of Lazarus in the Netherlands and Belgium (WeLiveSecurity) Lazarus & BYOVD: evil to the Windows core (Virus Bulletin) Lazarus hackers abuse Dell driver bug using new FudModule rootkit (BleepingComputer) Mexican government suffers major data hack, president's health issues revealed (Reuters) Mexican president confirms ‘Guacamaya’ hack targeting regional militaries (The Record by Recorded Future) Analysis: Mexico data hack exposes government cybersecurity vulnerability (Reuters) Russians dodging mobilization behind flourishing scam market (BleepingComputer) Honolulu Man Pleads Guilty to Sabotaging Former Employer’s Computer Network (US Department of Justice)
S1 Ep 38The OSINT revolution: How cyber and physical security teams are leveraging open source intelligence. [CyberWire-X]
On this episode of CyberWire-X, we dive into the essential role of open-source intelligence in identifying cyber and physical threats and reducing risk across your organization. The CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table members Dr. Georgianna Shea, CCTI and TCIL Chief Technologist at the Foundation for Defense of Democracies, and Bob Turner, Field CISO – Education at Fortinet. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor risk intelligence firm Flashpoint's Chief Intelligence Officer Tom Hofmann. They explore the foundational importance of open source intelligence, which includes social media platforms and geospatial data and insights. Plus, they explore real-life examples of how organizations, from governments to commercial enterprises, are leveraging open source intelligence and technology every day to protect their people, places, assets, and critical infrastructure.
S3 Ep 119Kayla Williams: Not everything related to cybersecurity is a fire drill. [CISO] [Career Notes]
Bonus: Kayla Williams, CISO of Devo, sits down to share her story, from graduating with a finance degree to rising to where she is now. She quickly learned that finance was not for her and changed paths, working towards gaining an information security certificate. From there she was able to excel and was offered the opportunity to move to England, which changed her life. Working in her new role, she really enjoys thriving with her team. She says "We really try to be the department of no problem versus the department of no." She mentions how she and her team work together on a day-to-day basis solving issues, and yet she says not everything related to cybersecurity needs to be a fire drill. She would rather she and her team build bridges in the face of adversity and in the face of people who may be naysayers. We thank Kayla for sharing her story.
S5 Ep 252Targeting your browser bookmarks? [Research Saturday]
Bonus: David Prefer from SANS sits down with Dave to discuss how a new covert channel exfiltrates data via a browser's built-in bookmark sync. David goes on to describe how this research will "describe how the ability to synchronize bookmarks across devices introduces a novel vector for data exfiltration and other misuses." In the research, he shares how he tested this hypothesis and goes on to describe how the finding was tested on multiple browsers including Chrome, Edge, Brave and Opera. In his research, he found that bookmarks are able to hold data and synchronize it, making it easier to infiltrate and extract data from. David shares the rest of his findings, as well as what organizations and browser developers can do to address this new threat. The research can be found here: Bookmark Bruggling: Novel Data Exfiltration with Brugglemark
S6 Ep 1674Espionage, both online and in-person. Sabotage, both kinetic and (maybe eventually) cyber. Watering holes, deepfakes, and the pushing of naughty words.
North Korean operators "weaponize" open-source software. The SolarMarker info-stealer returns. A quick review of Fast Company's WordPress hijacking incident. Deepfakes, and their evolution into an underworld and influence ops tool. Kinetic sabotage in the Baltic raises concerns about threats to infrastructure in cyberspace. Chris Novak from Verizon with a mid-year check in. Our guest is MK Palmore of Google Cloud on why collective cybersecurity ultimately depends on having a diverse, skilled workforce. And the US arrests three in two alleged spying cases. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/189 Selected reading. ZINC weaponizing open-source software (Microsoft Security Threat Intelligence | LinkedIn Threat Prevention and Defense) Lazarus Group Affiliate Uses Trojanized Open Source Apps in New Campaigns (Decipher) North Korea weaponizes open-source software. (CyberWire) Info-Stealing Malware, SolarMarker, is Using Watering Hole Attacks… (eSentire) Fast Company hack causes obscene Apple News notifications. (CyberWire) The Future of Deepfakes. (CyberWire) Fourth Nord Stream Leak Spotted, NATO Sees 'Sabotage' - The Moscow Times (The Moscow Times) Russian spy chief: West was behind sabotage of Nord Stream (Reuters) NATO Formally Blames Sabotage for Nord Stream Pipeline Damage (Wall Street Journal) NATO: Nord Stream pipeline leaks result of "sabotage" (Axios) Pentagon chief: Too soon to say who might be behind Nord Stream pipeline attack (www.euractiv.com) First on CNN: European security officials observed Russian Navy ships in vicinity of Nord Stream pipeline leaks (CNN) Mysterious Blasts and Gas Leaks: What We Know About the Pipeline Breaks in Europe (New York Times) NATO issues 'sabotage' warning after gas pipeline explosions (NBC News) Russia’s Purported Sabotage Of The Nord Stream Pipeline Marks A Point Of No Return (Forbes) After the attack on Nord Stream 1 and 2: Is Germany safe from Russian hackers? (WirtschaftsWoche) 'We all have to be worried': War in Ukraine boosts energy cyberattack risks, says Petrobras executive (Upstream Online) Finnish intelligence warns Russia ‘highly likely’ to turn to cyber in winter (The Record by Recorded Future) Ukraine War Goes Hybrid (Energy Intelligence) New Warnings from Ukraine About Looming Russian Cyberattacks (VOA) Russian Cyber Efforts in Ukraine See Muted Results, Says Panel (USNI News) Ukraine-Russia Conflict: Ukraine Alerts Energy Enterprises to Possible Cyberattack Escalation (Security Boulevard) Ukraine is Winning the Cyber War (CEPA) Hitachi Energy MicroSCADA Pro X SYS600 (CISA) Hitachi Energy MicroSCADA Pro X SYS600 (CISA) Baxter Sigma Spectrum Infusion Pump (CISA) ARC Informatique PcVue (Update A) (CISA) Delta Electronics DOPSoft (CISA) Delta Electronics DOPSoft (Update B) (CISA) Former NSA Employee Arrested on Espionage-Related Charges (US Department of Justice) Major in the United States Army and a Maryland Doctor Facing Federal Indictment for Allegedly Providing Confidential Health Information to a Purported Russian Representative to Assist Russia Related to the Conflict In Ukraine (US Department of Justice)
S6 Ep 1673Hackers support Iranian dissidents. Notes on C2C markets. Cyberespionage campaigns. Intercepted mobile calls from Russian troops expose morale problems.
Gray-hat support for Iranian dissidents. Selling access wholesale in the C2C market. Novel malware’s discovered targeting VMware hypervisors. The Witchetty espionage group uses an updated toolkit. Deepen Desai from Zscaler has a Technical Analysis of Industrial Spy Ransomware. Ann Johnson of Afternoon Cyber Tea speaks with Michal Braverman-Blumenstyk, CTO for Microsoft Security, about Israel's cyber innovation. And revelations from Russian troops' phone calls. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/188 Selected reading. Hacker Groups take to Telegram, Signal and Darkweb to assist Protestors in Iran (Check Point Software) Hackers Use Telegram and Signal to Assist Protestors in Iran (Infosecurity Magazine) Hackers Aid Protests Against Iranian Government with Proxies, Leaks and Hacks (The Hacker News) Hackers seek to help — and profit from — Iran protests (The Record by Recorded Future) Ransomware and Wholesale Access Markets: A $10 investment can lead to millions in profit (Cybersixgill) Selling access wholesale in the C2C market. (CyberWire) Bad VIB(E)s Part One: Investigating Novel Malware Persistence Within ESXi Hypervisors (Mandiant) Bad VIB(E)s Part Two: Detection and Hardening within ESXi Hypervisors (Mandiant) Mandiant has identified new malware that targets VMware ESXi, Linux vCenter servers, and Windows virtual machines. (CyberWire) Securonix Threat Labs Security Advisory: Detecting STEEP#MAVERICK: New Covert Attack Campaign Targeting Military Contractors (Securonix) Steep#Maverick cyberespionage campaign. (CyberWire) Witchetty: Group Uses Updated Toolset in Attacks on Governments in Middle East (Symantec) Witchetty espionage group uses updated toolkit. (CyberWire) ‘Putin Is a Fool’: Intercepted Calls Reveal Russian Army in Disarray (New York Times) Cyber Warfare Rife in Ukraine, But Impact Stays in Shadows (SecurityWeek) Russian hackers' lack of success against Ukraine shows that strong cyber defences work, says cybersecurity chief (ZDNET) Failure of Russia’s cyber attacks on Ukraine is most important lesson for NCSC (ComputerWeekly)
S6 Ep 1672DDoS remains commonplace in Russia's hybrid war. Leaked LockBit 3.0 builder used by new gang. Meta takes down Russian disinfo networks. Lazarus Group goes spearphishing. Cloudy complexity.
DDoS remains the most characteristic mode of cyber ops in Russia's hybrid war against Ukraine. A leaked LockBit 3.0 builder is being used in ransomware attacks. Meta takes down Russian disinformation networks. Lazarus Group is spearphishing with bogus job offers. Joe Carrigan looks at SNAP benefit scams. Our guest is Crane Hassold of Abnormal Security with the latest in advanced email attack trends. And the cloud…is complicated. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/187 Selected reading. Adversaries Continue Cyberattack Onslaught with Greater Precision and Innovative Attack Methods According to 1H2022 NETSCOUT DDoS Threat Intelligence Report (NETSCOUT) Leaked LockBit 3.0 builder used by ‘Bl00dy’ ransomware gang in attacks (BleepingComputer) Removing Coordinated Inauthentic Behavior From China and Russia (Meta) Russia is spoofing mainstream media to smear Ukraine, Meta says (Protocol) Operation In(ter)ception: social engineering by the Lazarus Group. (CyberWire) How cloud complexity affects security. (CyberWire)
S6 Ep 1671Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? Cashout scams and neglected wallets. Developments in the Optus breach.
Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? We know it’s a bear market, but take a look at your wallet, crypto speculators, at least now and then. Mr Security Answer Person John Pescatore on next year's most over-hyped term. Ben Yelin explains a thirty-five-million-dollar data privacy settlement. And, finally, developments in the Optus breach. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/186 Selected reading. Invaders Preparing Mass Cyberattacks on Facilities of Critical Infrastructure of Ukraine and Its Allies (Defence Intelligence of the Ministry of Defence of Ukraine) Ukraine Says Russia Planning 'Massive Cyberattacks' on Critical Infrastructure (SecurityWeek) Ukraine warns of Russian cyber attacks targeting critical infrastructure (Computing) Russia plans “massive cyberattacks” on critical infrastructure, Ukraine warns (Ars Technica) Ukraine warns allies: Russia plans 'massive cyberattacks' (Register) Hackers Working With Russia to Coordinate Cyberattacks, Google Says - Tech News Briefing - WSJ Podcasts (Wall Street Journal) Viasat Hack "Did Not" Have Huge Impact on Ukrainian Military Communications, Official Says (Zero Day) Who’s next in Lapsus$’ crosshairs? (Digital Shadows) Report: Sift Uncovers New Cashout Scam Targeting Forgotten Crypto Accounts (GlobeNewswire News Room) Optus hacker releases 10,000 customers' details and issues new threat (Sky News) ‘Last thing I need’: Optus customer scrambles to protect himself (Australian Financial Review) An alleged hacker has offered their 'deepest apologies' to Optus. Here's the latest on the data breach (ABC) Singtel's Optus under further fire for cyber breach; purported hackers claim data deleted (The Straits Times) ‘Not feasible’ to crack properly encrypted data (Australian Financial Review) Optus hack not 'sophisticated' as claims 10,000 customers have data publicly released (9News) Everything Happening in This Optus Cyberattack Shitstorm, I Promise (Vice) Australian cybersecurity minister lambasts Optus for ‘unprecedented' hack (The Record by Recorded Future) FBI Working With Australian Authorities on Optus Cyberattack (MarketScreener)
S6 Ep 1670Unrest in Iran finds expression in cyberspace. Cyber conflict and diplomacy. Cybercrime in the hybrid war. And there seems to have been an arrest in the Uber and Rockstar breaches.
Unrest in Iran finds expression in cyberspace. Albania explains its reasons for severing relations with Iran. Cybercrime in the hybrid war. Rick Howard on risk forecasting with data scientists. Dave Bittner sits down with Dr. Bilyana Lilly to discuss her new book: "Russian Information Warfare: Assault on Democracies in the Cyber Wild West." And there seems to have been an arrest in the Uber and Rockstar breaches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/185 Selected reading. Iran’s War Within (Foreign Affairs) Iran’s Hijab Protests Have Lit a Fire the Regime Can’t Put Out (World Politics Review) ‘Something big is happening’: the Iranians risking everything to protest (the Guardian) Dissident: 'Iranian women are furious' over headscarf death (AP NEWS) OpIran: Anonymous declares war on Teheran amid Mahsa Amini’s death (Security Affairs) IDF official says military foiled ‘dozens’ of Iran cyberattacks on civilian sites (Times of Israel) Analysis | 'Our Conflict With Iran Is Unparalleled', Say Israel's Elite Cyber Unit Commanders (Haaretz) US Issues License to Expand Internet Access for Iranians (VOA) US Treasury carves out Iran sanctions exceptions for internet providers (The Record by Recorded Future) Iran and Albania: diplomacy and cyber operations (CyberWire) Ukraine dismantles hacker gang that stole 30 million accounts (BleepingComputer) The SBU neutralized a hacker group that "hacked" almost 30 million accounts of Ukrainian and EU citizens (SSU) Personal details of celebrities, including Sir David Attenborough and Sarah Ferguson, leaked after Russian fraudsters hacked an organic food shop (News 24) London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (The Hacker News) UK teen suspected of Uber and Rockstar hacks arrested (Computing)
S3 Ep 118Adam Marrè: Learning to be a leader. [CISO] [Career Notes]
Bonus: Adam Marrè, CISO at Arctic Wolf, sits down to share his story of rising through the ranks. After 9/11 he decided he wanted to make a difference in the world, so he chose to go into the FBI; there he learned the skills that got him to where he is today. In his time at the FBI, he was able to do what he loved, which was working with computers, while gaining more knowledge of cybersecurity, and he became certified in computer forensics. Ultimately he needed a change and decided to leave the FBI. He was able to learn the leadership skills he needed to move past that career path and follow a new dream. He is now able to share his passion with the world and help people understand security so they can protect themselves, as well as helping people find success in their careers and in their lives. We thank Adam for sharing his story.
S5 Ep 251Keeping an eye on RDS vulnerabilities. [Research Saturday]
Bonus: Gafnit Amiga, Director of Security Research at Lightspin, joins Dave to discuss her team's research "AWS RDS Vulnerability Leads to AWS Internal Service Credentials." The research describes how the vulnerability was caught and how, right after it was reported, the AWS Security team applied an initial patch limited to the recent Amazon Relational Database Service (RDS) and Aurora PostgreSQL engines, excluding older versions. They followed up by personally reaching out to the customers affected by the vulnerability and helping them through the update process. The research states "Lightspin's Research Team obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension." The research can be found here: AWS RDS Vulnerability Leads to AWS Internal Service Credentials
S6 Ep 1669Privateers seem to be evolving into front groups for the Russian organs. Unidentified threat actors engaging in cyberespionage. Catphishing from a South Carolina prison.
The GRU's closely coordinating with cyber criminals. An unidentified threat actor deploys malicious NPM packets. Gootloader uses blogging and SEO poisoning to attract victims. Metador is a so-far unattributed threat actor. Johannes Ullrich from SANS on Resilient DNS Infrastructure. Maria Varmazis interviews Anthony Colangelo, host of spaceflight podcast Main Engine Cutoff, about the iPhone 14 “Emergency SOS via Satellite” feature. And having too much time on your hands while doing time is not a good thing. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/184 Selected reading. GRU: Rise of the (Telegram) MinIOns (Mandiant) Void Balaur | The Sprawling Infrastructure of a Careless Mercenary (SentinelOne) An unidentified threat actor deploys malicious NPM packets (CyberWire) Threat analysis: Malicious npm package mimics Material Tailwind CSS tool (ReversingLabs) A Multimillion Dollar Global Online Credit Card Scam Uncovered (ReasonLabs) Gootloader Poisoned Blogs Uncovered by Deepwatch’s ATI Team (Deepwatch) The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities (SentinelOne) SC inmate sentenced for ‘sextortion’ scheme that targeted military (Stars and Stripes)
S6 Ep 1668GRU operators masquerade as Ukrainian telecommunications providers. 2K Games Support compromised to spread malware. Developments in the cyber underworld.
GRU operators masquerade as Ukrainian telecommunications providers. Another video game maker is compromised to spread malware. Noberus may be a successor to Darkside and BlackMatter ransomware. Robert M. Lee from Dragos explains Crown Jewel analysis. Our guest is Nathan Hunstad from Code42 with thoughts on insider risk events. Threat actors have their insider threats, too. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/183 Selected reading. Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine (Recorded Future) Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers (SecurityWeek) Shadowy Russian Cell Phone Companies Are Cropping Up in Ukraine (WIRED) CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania. (CyberWire) Iranian State Actors Conduct Cyber Operations Against the Government of Albania (CISA) 2K Games says hacked help desk targeted players with malware (BleepingComputer) 2K Games helpdesk hacked to spread malware to players (TechRadar) Rockstar parent company hacked again as 2K Support sends users malware (Dexerto) ‘Grand Theft Auto VI’ leak is Rockstar’s nightmare, YouTubers’ dream (Washington Post) Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics (Symantec) LockBit ransomware builder leaked online by “angry developer” (BleepingComputer)
S1 Ep 32 – CISA Alert AA22-265A – Control system defense: know the opponent. [CISA Cybersecurity Alerts]
This alert builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure. The alert documentation linked in the show notes describes TTPs that malicious actors use to compromise OT/ICS assets. It also recommends mitigations that owners and operators can use to defend their systems from each of the listed TTPs. NSA and CISA encourage OT and ICS owners and operators to apply the recommendations in this documentation. AA22-265A Alert, Technical Details, and Mitigations NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure For NSA client requirements or general cybersecurity inquiries, contact [email protected]. To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office.
S1 Ep 31 – CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania. [CISA Cybersecurity Alerts]
In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware. AA22-264A Alert, Technical Details, and Mitigations CISA’s free Cyber Hygiene Services (CyHy) CISA’s zero-trust principles and architecture. Iran Cyber Threat Overview and Advisories. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].
S6 Ep 1667 – A call-up of Russian reserves, and more notes on the IT Army's claimed hack of the Wagner Group. Netflix phishbait. The Rockstar Games and LastPass incidents. CISA releases eight ICS Advisories.
It’s partial mobilization in Russia, and airline flights departing Russia are said to be sold out. Further notes on the IT Army's claimed hack of the Wagner Group. Leveraging Netflix for credential harvesting. Rockstar Games suffers a leak of new Grand Theft Auto footage. Ben Yelin has the latest on regulations targeting crypto. Our guest is Amy Williams from BlueVoyant discussing the value of feminine energy in the male dominated field of cybersecurity. CISA releases eight ICS Advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/182 Selected reading. Russia moves toward annexing Ukraine regions in a major escalation (Washington Post) Four occupied Ukraine regions plan imminent ‘votes’ on joining Russia (the Guardian) Putin sets partial military call-up, won’t ‘bluff’ on nukes (AP NEWS) Putin announces partial military mobilization for Russian citizens (Axios) Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group (Vice) Fresh Phish: Netflix Bad Actors Go Behind the Scenes to Stage a Credential Harvesting Heist (INKY) Leveraging Netflix for credential harvesting. (CyberWire) Social Engineering: How A Teen Hacker Allegedly Managed To Breach Both Uber And Rockstar Games (Forbes) Rockstar Games suffers leak of new Grand Theft Auto footage. (CyberWire) LastPass source code breach – incident response report released (Naked Security) Notice of Recent Security Incident (The LastPass Blog) The LastPass incident. (CyberWire) Medtronic NGP 600 Series Insulin Pumps (CISA) Hitachi Energy PROMOD IV (CISA) Hitachi Energy AFF660/665 Series (CISA) Dataprobe iBoot-PDU (CISA) Host Engineering Communications Module (CISA) AutomationDirect DirectLOGIC with Ethernet (CISA) AutomationDirect DirectLOGIC with Serial Communication (CISA) MiCODUS MV720 GPS tracker (Update A) (CISA)
S6 Ep 1666 – An overview of Russian cyber operations. The IT Army of Ukraine says it’s doxed the Wagner Group. Lapsus$ blamed for Uber hack. A look at the risk of stolen single sign-on credentials.
An overview of Russian cyber operations. The IT Army of Ukraine claims to have doxed the Wagner Group. Who dunnit? Lapsus$ dunnit. Emily Mossburg from Deloitte and Shelley Zalis of the Female Quotient on why gender equality is essential to the success of the cyber industry. We’ve got a special preview of the International Spy Museum's SpyCast's latest episode with host Andrew Hammond interviewing Robert Gates on the 75th anniversary of the CIA. And a look at the risk of stolen single sign-on credentials. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/181 Selected reading. Ukraine's IT Army hacks Russia's Wagner Group (Computing) Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior (Atlantic Council) Security update | Uber Newsroom (Uber Newsroom) Tentative attribution in the Uber breach. (CyberWire) Uber says Lapsus$-linked hacker responsible for breach (Reuters) Uber blames security breach on Lapsus$, says it bought credentials on the dark web (ZDNET) Uber's breach shows how hackers keep finding a way in (Protocol) Uber attributes hack to Lapsus$, working with FBI and DOJ on investigation (The Record by Recorded Future) Uber data breach spotlights need for enterprises to ‘get the basics right’, say experts (ITP.net) "Keys to the Kingdom" at Risk: Analyzing Exposed SSO Credentials of Public Companies (Bitsight)
S6 Ep 1665 – An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. And risky piracy sites.
An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. Grayson Milbourne of OpenText Security Solutions on the arms race for vulnerabilities. Rick Howard continues his exploration of cyber risk. And risky piracy sites – that’s on the Internet, kids, not the high seas. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/180 Selected reading. Developments in the case of the Uber breach. (CyberWire) Preliminary lessons from the Uber breach. (CyberWire) Uber says “no evidence” user accounts were compromised in hack (The Verge) Uber Claims No Sensitive Data Exposed in Latest Breach… But There's More to This (The Hacker News) Uber apparently hacked by teen, employees thought it was a joke (The Verge) Uber hacker claims to have full control of company's cloud-based servers (9to5Mac) The Uber Hack’s Devastation Is Just Starting to Reveal Itself (WIRED) Uber was breached to its core, purportedly by an 18-year-old. Here’s what’s known (Ars Technica) Uber hacked by teen who annoyed employee into logging them in - report (Jerusalem Post) 18-year-old allegedly hacks Uber and sends employees messages on Slack (Interesting Engineering) Uber Investigating Massive Security Breach by Alleged Teen Hacker (Gizmodo) Uber cyber attack: protecting against social engineering (Information Age) Threat actor breaches many of Uber’s critical systems (Cybersecurity Dive) Uber confirms hack in the latest access and identity nightmare for corporate America (SC Media) Uber hacked, attacker tears through the company's systems (Help Net Security) Uber confirms it is investigating cybersecurity incident (The Record by Recorded Future) UBER HAS BEEN HACKED, boasts hacker – how to stop it happening to you (Naked Security) Emotet and other malware delivery systems. (CyberWire) Emotet botnet now pushes Quantum and BlackCat ransomware (BleepingComputer) AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 (AdvIntel) August’s Top Malware: Emotet Knocked off Top Spot by FormBook while GuLoader and Joker Disrupt the Index (Check Point Software) How Belarusian hacktivists are using digital tools to fight back (The Record by Recorded Future) Malvertising on piracy sites. (CyberWire) Unholy Triangle (Digital Citizens' Alliance) Piracy Advertising Researchers Fall Victim to Ransomware Attacks (TorrentFreak)
S3 Ep 117 – Jaya Baloo: Don't be afraid to bounce ideas off your teammates. [CISO] [Career Notes]
Jaya Baloo, Chief Information Security Officer at Avast, sits down to share her story, recounting how she got into the technology field at a young age after being introduced to computers and games on her PS 24. She started off going to college for political science and, not knowing what to do after that, got her first start in cybersecurity. After falling in love with cybersecurity she kept moving up the ranks in different organizations before finding herself at Avast. She shares that at Avast she leans on her team quite a bit and that you should never be afraid to bounce ideas off of your teammates. She says "The best ideas come from like bouncing ideas off of each other, sharing within the group and then if I can't figure it out myself, that's why I hire these amazing individuals it's to help me figure it out." We thank Jaya for sharing her story.
S5 Ep 250 – An increase in bypassing bot management? [Research Saturday]
Sam Crowther, CEO of Kasada, joins Dave to discuss their work on "The New Way Fraudsters Bypass Bot Management." Kasada researchers recently discovered a new type of bot called Solver Services, which is created and used by bad actors to bypass the majority of bot management systems. The research states "Now it’s easier than ever for mainstream bot operators to scrape content, take over accounts, hoard inventory, and commit other forms of automated fraud against organizations using legacy bot management solutions." Attackers are able to buy these “Solver” bots, APIs, and services for less than $500 per month to make a profit. The research can be found here: The Emergence of Solver Services: The New Way Fraudsters Bypass Bot Management Vendors
S6 Ep 1664 – Uber sustains a major data breach. Notes on the underworld. A large DDoS attack is stopped in Eastern Europe. An FBI alert and a brace of CISA advisories. Congress deliberates cyber policy.
Uber suffers a data breach. Social media executives testify before Congress. A large DDoS attack is thwarted in Eastern Europe. The FBI warns of increased cyberattacks against healthcare payment processors. Policy makers consider new OT security incentives. Malek Ben Salem from Accenture on future-proof cloud security. Our guest Diana Kelley from Cybrize discusses the need for innovation and entrepreneurship in cybersecurity. And if you’ve been hoping for a LockerGoga decryptor, you’re in luck. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/179 Selected reading. Uber hacked, internal systems breached and vulnerability reports stolen (BleepingComputer) Uber suffers computer system breach, alerts authorities (Washington Post) Uber Investigating Data Breach After Hacker Claims Extensive Compromise (SecurityWeek) Uber Investigating Breach of Its Computer Systems (New York Times) Uber investigating "total compromise" of its internal systems (Computing) There’s No Honor Among Thieves: Carding Forum Staff Defraud Users in an ESCROW Scam (Digital Shadows) Social media hearings highlight lack of trust, transparency in sector (The Record by Recorded Future) Breaking the Boycott (Cybersixgill) Record-Breaking DDoS Attack in Europe (Akamai) Cyber Criminals Targeting Healthcare Payment Processors, Costing Victims Millions in Losses (FBI) Siemens Mobility CoreShield OWG Software (CISA) Siemens Simcenter Femap and Parasolid (CISA) Siemens RUGGEDCOM ROS (CISA) Siemens Mendix SAML Module (CISA) Siemens SINEC INS (CISA) Siemens RUGGEDCOM ROS (Update A) (CISA) Simcenter Femap and Parasolid (CISA) Siemens Industrial Products Intel CPUs (Update A) (CISA) Siemens OpenSSL Affected Industrial Products (CISA) Siemens OpenSSL Vulnerability in Industrial Products (Update E) (CISA) Siemens SCALANCE (CISA) CISA Adds Six Known Exploited Vulnerabilities to Catalog (CISA) Building on our Baseline: Securing Industrial Control Systems Against Cyberattacks (House Committee on Homeland Security) Bitdefender Releases Universal LockerGoga Decryptor in Cooperation with Law Enforcement (Bitdefender Labs)
S1 Ep 30 – CISA Alert AA22-257A – Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations. [CISA Cybersecurity Alerts]
This joint Cybersecurity Advisory highlights continued malicious cyber activity by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations. AA22-257A Alert, Technical Details, and Mitigations AA22-257A.stix CISA’s Iran Cyber Threat Overview and Advisories FBI’s Iran Threat webpage. Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities Technical Approaches to Uncovering and Remediating Malicious Activity All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].
S6 Ep 1663 – Notes from the hybrid war: nuisance-level DDoS, cyberespionage, and the possibility of financially motivated hacking. US policy on the software supply chain, and notes from the underworld.
Nuisance-level DDoS and cyberespionage continue to mark Russia's cyber campaign in the hybrid war. There’s a US Presidential memorandum on software supply chain security. Webworm repurposes older RATs. Trends in cyber insurance claims. OriginLogger may be the new Agent Tesla. The SparklingGoblin APT described. Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. And Royal funeral phishbait. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/178 Selected reading. Pro-Russia hackers claim to have temporarily brought down Japanese govt websites (Asia News Network) Gamaredon APT targets Ukrainian government agencies in new campaign (Cisco Talos) Russia-linked Gamaredon APT target Ukraine with a new info-stealer (Security Affairs) Fears grow of Russian spies turning to industrial espionage (The Record by Recorded Future) Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (The White House) Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience (The White House) White House releases post-SolarWinds federal software security requirements (Federal News Network) Webworm: Espionage Attackers Testing and Using Older Modified RATs (Threat Hunter Team Symantec) Coalition Releases 2022 Cyber Claims Report: Mid-year Update (GlobeNewswire News Room) OriginLogger: A Look at Agent Tesla’s Successor (Unit 42) You never walk alone: The SideWalk backdoor gets a Linux variant (WeLiveSecurity) [Scam site harvests credentials] (Proofpoint) Current, former social media execs address national security issues at Senate hearing (Fox Business) Senators Have Stopped Embarrassing Themselves at Tech Hearings (Slate Magazine)