CyberWire Daily

A second vulnerability is found and fixed in Log4j as both criminals and nation-state intelligence services increase their exploitation of Log4shell. Iranian intelligence services have been actively conducting cyberespionage against a range of targets in the Middle East and Asia. Andrea Little Limbago from Interos checks in on supply chain issues. Our guest is Suzy Greenberg from Intel with a look ahead toward the coming year. A quick look back at Patch Tuesday, and, finally, some musing on literacy, orality, and the way you pronounce stuff people tweet about... For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/239 Learn more about your ad choices. Visit megaphone.fm/adchoices

An update on the Log4shell, and how it’s being exploited in the wild. A ransomware attack disrupts a cloud-based business service provider. NSO Group is said to be considering selling off its Pegasus unit. A marketing presentation suggests Huawei has been deeply implicated in providing tools for Chinese repression. Nigeria’s cyber gangs are actng like Murder, Inc. An arrest in Romania, sentences in Germany. Joe Carrigan looks at the language of cyber security. Our guest Brad Hawkins of SaferNet wonders if digital privacy even exists anymore. And news from Mars. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/238 Learn more about your ad choices. Visit megaphone.fm/adchoices

The Log4shell vulnerability is trouble, and its remediation isn’t going to be quick or easy. In India, Prime Minister Modi’s Twitter account was hijacked. Official Brazilian COVID vaccination data bases are stolen and rendered unavailable. Extortionists claim to have taken sensitive, proprietary R&D information from Volvo. Phishing sites appear and vanish in a matter of hours. Rick the Toolman Howard expands his cast of characters. Robert M. Lee from Dragos shines a light on solar storms and risk management. And sentence is passed in a case related to the Kelihos botnet. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/237 Learn more about your ad choices. Visit megaphone.fm/adchoices

Manager in BARR Advisory's Cyber Risk Advisory Practice, Hannah Kenney, shares her journey from never considering technology as a career to having it click in an informations systems class in college. After noticing she was the only one in the room who enjoyed the lecture, Hannah knew she wanted to go down the technology route. In talking about her work, Hannah describes it as creative problem solving. She hopes "people see me as someone who viewed cybersecurity and risk as something that is focused on people first and foremost." We thank Hannah for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Ilya Volovik, Team Lead of Cyber Intelligence at Gemini Advisory, discusses his team's work on "FIN7 Recruits Talent For Push Into Ransomware." The cybercriminal group FIN7 gained notoriety in the mid-2010s for large-scale malware campaigns targeting the point-of-sale (POS) systems. In 2018, Gemini Advisory reported FIN7’s compromise of Saks Fifth Avenue and Lord & Taylor stores and the subsequent sale of over 5 million payment cards on the dark web. According to the US Department of Justice, the broader FIN7 carding campaigns have resulted in the theft of over 20 million payment card records and cost victims over $1 billion, making FIN7 one of the most infamous and prolific cybercriminal groups of the last decade. Now with ransomware proving to be cybercriminals’ preferred high-profit, jackpot venture, FIN7 has redeployed their expertise and capacity towards ransomware, with reports indicating that the group was involved in attempted ransomware attacks on US companies as early as 2020. Furthermore, despite focus from law enforcement and the arrest of four FIN7 members from 2018 to 2020, FIN7’s continued activity shows that the group remains a powerful, active threat. The research can be found here: FIN7 Recruits Talent For Push Into Ransomware Learn more about your ad choices. Visit megaphone.fm/adchoices

Cyberespionage in support of Belt and Road, and of Beijing’s claims in the South China Sea. Karakurt ransomware skips the encryption and goes right to the doxing. Black Cat ransomware is rising. Vulnerable MikroTik devices are bot-herders’ favorites. The Log4Shell zero-day is being exploited in the wild, and will be a tough one to remediate. Julian Assange moves closer to extradition. Johannes Ullrich on changing user behavior. Our guest is Oliver Rochford of Securonix on the affordability of good security. And shoulder-surfing as a threat to Snapchat users. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/236 Learn more about your ad choices. Visit megaphone.fm/adchoices

Conti continues, undeterred. Magecart skimmers are infesting WooCommerce instances. Users are finding url redirection attacks difficult to detect. A quick look at the workings of the Hive ransomware gang. Russia blocks Tor. The US Senate holds hearings on social media and adolescent mental health. Dinah Davis from Arctic Wolf on assessing your security posture. Our guest Neal Dennis of Cyware discusses Automation And Unification. And Grinchbots are still prowling for presents. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/235 Learn more about your ad choices. Visit megaphone.fm/adchoices

Amazon resolves its Tuesday outage as observers wonder about cloud risks. A stand-off at the Russo-American summit, but chatter in the dark web suggests that the Russophone underworld is feeling uneasy. A look at the arbitrage process that governs the criminal-to-criminal market. Carole Theriault reads the fine print. Andrea Little Limbago looks at global regulatory regimes. A DeFi platform asks for its stolen money back, and a guy looks for his private key in a physical garbage dump. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/234 Learn more about your ad choices. Visit megaphone.fm/adchoices

Notes on today’s Russo-America summit. Microsoft seizes websites used by the Chinese threat actor Nickel. Google takes technical and legal action against a Russian botnet. Ben Yelin unpacks Australia’s aim to uncover online trolls. Our guest is Ed Amorosa from TAG Cyber. And the real Satoshi Nakamoto has yet to stand up--just ask a Florida jury. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/233 Learn more about your ad choices. Visit megaphone.fm/adchoices

Cryptocurrency exchange loses almost $200 million as two hot wallets are compromised. Phones belonging to US State Department personnel concerned with Uganda are found to have been infected with NSO Group’s Pegasus surveillance technology. Mandiant reports recent activity by the threat group thought responsible for the SolarWinds compromise. Cybersecurity will be on the agenda at tomorrow’s Russo-US summit. Caleb Barlow outlines threats to the Winter Olympics. Rick the-toolman Howard looks at the marketing hype-cycle. And US Cyber Command says it’s been imposing costs. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/232 Learn more about your ad choices. Visit megaphone.fm/adchoices

Distinguished Security Strategist at Splunk, Ryan Kovar, shares his journey that started in the US Navy and how it contributed to his leadership in life after the military. Cutting his teeth as sysadmin on the USS Kitty Hawk, Ryan worked as a contractor following the Navy. At Splunk, he leads the SURGe research team to solve what he calls the "blue collar for the blue team problems". He works hard on incorporating diversity of thought. Ryan notes, "I've been doing cybersecurity or IT now for over 20 years and of that 20 years of knowledge, only about five years of that knowledge is really relevant. You can't sit on your laurels in this industry." We thank Ryan for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

It's important for employees to be brought into the fold as security's allies, rather than as its adversaries. For cybersecurity teams that operate with an adversarial mindset appropriate for external threats, it can be challenging to approach internal threats differently. You can't treat employees the same way you treat nation-state hackers. But employees play a pivotal role in preventing data leaks, making it important to create a company-wide culture of transparency. Transparency feeds trust, which builds a strong foundation for Security Awareness Training to be truly effective. The CyberWire's Jennifer Eiben hosts this women in cybersecurity podcast. Kathleen Smith of ClearedJobs.Net moderates the panel. Panelists include Michelle Killian from Sponsor Code 42, Sam Humphries of Exabeam, and Masha Sedova of Elevate Security. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Christo Butcher of NCC Group's Research and Intelligence Fusion Team discusses their research into a cybercriminal group they dubbed SnapMC. Forget ransomware, too expensive and too much hassle. Randomly enter through a known vulnerability, take a look around, lock away data and leave again. And all that within half an hour: hit & run. An email is then sent to the affected organization: pay or else the stolen data will be published and/or sold. This is the opportunistic approach of a new group of blackmailers who don't even bother to encrypt data. NCC Group has given them the name SnapMC: a combination of 'snap' (a sudden, sharp cracking sound or movement) and MC, from mc.exe, the primary tool they use to exfiltrate data. They have only seen SnapMC's attacks in the Netherlands for the time being. They do not target specific sectors and we have not (yet) been able to associate them with known attackers. The research can be found here: SnapMC: extortion without ransomware SnapMC skips ransomware, steals data Learn more about your ad choices. Visit megaphone.fm/adchoices

SideCopy, a Pakistani APT, is phishing for information in both India and Afghanistan. A Colorado electrical utility continues to recover from a cyber incident it sustained early last month. The GAO tells the US Congress that the nation still lacks a comprehensive cybersecurity strategy. The Missouri Highway Patrol continues, for some reason, to investigate a responsible disclosure as a criminal hack. Dinah Davis from Arctic Wolf on hackers targeting Minecraft. Our guest is Blake Darché from Area 1 Security with research on phishing. And it appears Moscow thinks a Group-IB leader outed Fancy Bear to the US. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/231 Learn more about your ad choices. Visit megaphone.fm/adchoices

An APT is exploiting Internet-facing instances of ServiceDesk Plus. Meta releases its end-of-year Adversarial Threat Report, and adds “Brigading” and “Mass Reporting” to “Coordinated Inauthentic Behavior” as activities that will get accounts shut down. CISA names the first members of its Cybersecurity Advisory Committee. Sentencing, American and Russian style. Malek Ben Salem has a look at cyber resilience. Our guest is PJ Kirner from Illumio with a look ahead to 2022. And an alleged false whistleblower is under indictment, and under arrest. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/230 Learn more about your ad choices. Visit megaphone.fm/adchoices

RTF template injection is newly favored by APTs. Malware hides in February 31st. Milords and miladies, the Principality of Sealand hath been hacked. Finland's National Cyber Security Center warns of a large-scale Flubot campaign in progress. False alarms are flagging Emotet where it isn’t found. Iranians victimized by a smishing campaign. CISA issues industrial control system advisories. Kevin Magee from Microsoft is really trying to rid the world of passwords. Our guest is Mike Hendrickson of Skillsoft to discuss turning the tide in this fight against cybercrime. And Mr. Putin says Russia’s in favor of international cooperation against cybercrime. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/229 Learn more about your ad choices. Visit megaphone.fm/adchoices

Today, it’s all crime all the time. Cybercrime, the C2C underground market, and the expansive holiday shopping season. Rebranding in gangland. How crooks exclude targets on the basis of language or geolocation. Shaming as a criminal pressure tactic. Bad apps in the Play Store. Andrea Little Limbago looks at internet blackouts. Carole Theriault wonders what the Metaverse really means. And living large while living on the lam. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/228 Learn more about your ad choices. Visit megaphone.fm/adchoices

A reply-chain incident is reported at a major international furniture and housewares retailer. North Korean operators are phishing for South Korean marks using bogus Samsung recruiting emails as phishbait. Fancy Bear has been seen pawing at Gmail. A regional escalation to civilian targets in the cyber conflict between Iran and Israel. More organizations are added to the US Entity List. Johannes Ullrich looks at decrypting Cobalt Strike. Our own Rick Howard wonders if executive really need to know how to drive that tank. And tension between Russia and Ukraine continues to rise. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/227 Learn more about your ad choices. Visit megaphone.fm/adchoices

Associate Director at Raytheon Intelligence and Space in the Cyber Protection Services Division Anisha Patel always loved math and it defined her career journey. As a first-generation American from an Asian household, Anisha said she was destined for a STEM-focused career and chose electrical engineering. She began her career and remains at Raytheon (formerly E-Systems) working in several areas of the business thanks to her skills and informal mentors. Starting a rotational assignment in program management (7 years ago), Anisha said she "went to the dark side and then the hole closed and there I ended up." Anisha talks about the need to bring diversity of thought into the industry and adds to her team with this in mind. We thank Anisha for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Enjoy a peek into CyberWire Pro's Research Briefing as the team is off recovering from our Thanksgiving feasts. This is the spoken edition of our weekly Research Briefing, focused on threats, vulnerabilities, and consequences, as they’re played out in cyberspace. This week's headlines: Iranian threat actors target the IT supply chain. North Korean cyberespionage. More information on Emotet's return. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more. Learn more about your ad choices. Visit megaphone.fm/adchoices

Our team decided to extend our Thanksgiving holiday and thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. On this episode, the interview October 27th, 2021 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner speaks with Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect AD. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more. Learn more about your ad choices. Visit megaphone.fm/adchoices

Thanks for joining us for our fun project brought to you by the team of Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series where they view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this episode, Dave, Joe and Rick are watching Joe's and Rick's scene picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies. Links to this episode's clips if you'd like to watch along: Joe's clip from "The Simpsons: Father and Son Grifting" episode Rick's pick from "Paper Moon" Learn more about your ad choices. Visit megaphone.fm/adchoices

An apparent cyberespionage campaign targets the Iranian diaspora. Babadeda is an emerging crypter seeing use against alt-coin and NFt speculators. RATDispenser is out in the wild, a malware-as-a-service operation. Proofs-of-concept published for Microsoft exploits. Apple sues NSO Group. Group-IB’s founder asks President Putin for clemency. Caleb Barlow on the difference between working for a company that is funded by VCs, PEs, angels or is public. Our guest today is Karl Sigler from Trustwave on the results of the 2021 Trustwave SpiderLabs Telemetry Report. And there’s a guilty plea in the Wolf of Sophia case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/226 Learn more about your ad choices. Visit megaphone.fm/adchoices

Tardigrade malware infests the US biomanufacturing sector. GoDaddy suffers a significant data breach. A Gizmodo-led consortium will review and release the Facebook Papers. Ben Yelin on our privacy rights during emergency situations. Our guest is Ric Longenecker of Open Systems to discuss how ransomware attacks represent the number one threat for universities. And NSO Group may not recover from current controversy over its Pegasus intercept tool. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/225 Learn more about your ad choices. Visit megaphone.fm/adchoices

The Lazarus Group seems interested in learning from, by which they mean stealing from, some of the world’s leading state-sponsored cyber operators. Void Balaur remains an enigma, but it’s not the only player in the C2C market. CISA and the FBI warn all, but especially critical infrastructure operators, to remain alert during the holidays. Some scammers are impersonating the US SEC. Dinah Davis from Arctic Wolf on what security gifts to get your family this year. Our guest today is Carole Theriault on online gaming during the pandemic. And cyberattacks are reported on an airline, a utility, and a manufacturer of wind turbines. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/224 Learn more about your ad choices. Visit megaphone.fm/adchoices

Director of Google Cloud's Office of the CISO, MK Palmore, dedicated much of his life to public service and now brings his experience working for the greater good to the private sector. A graduate of the US Naval Academy, including the Naval Academy Prep School that he calls the most impactful educational experience of his life, MK commissioned into the US Marine Corps following his service academy time. He joined the FBI and that is where he came into the cybersecurity realm. MK is passionate about getting more diversity, equity and inclusion into industry. We thank MK for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

As ransomware attacks rapidly rise in frequency, eye-popping ransom demands grab headlines, and consumers experience product shortages and difficulty accessing services as the organizations they do business with are knocked offline. However, little is reported about the impact of a ransomware attack inside an organization. However, little is reported about the impact of a ransomware attack inside an organization. In this show, we cover what steps organizations are taking now to prepare for a ransomware attack and what happens to an organization on that especially bad day when ransomware comes calling. The CyberWire's Rick Howard speaks with Hash Table member Don Welch, Vice president for Information Technology and Global Chief Information Officer at New York University, and show sponsor Keeper Security's CEO & Co-Founder Darren Guccione joins The CyberWire's Dave Bittner on this CyberWire-X as they share their expertise on the topic. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guests Nicholas Boucher and Ross Anderson from the University of Cambridge join Dave Bittner to discuss their research, "Trojan Source: Invisible Vulnerabilities." The researchers present a new type of attack in which source code is maliciously encoded so that it appears different to a compiler and to the human eye. This attack exploits subtleties in text-encoding standards such as Unicode to produce source code whose tokens are logically encoded in a different order from the one in which they are displayed, leading to vulnerabilities that cannot be perceived directly by human code reviewers. ‘Trojan Source’ attacks, as they call them, pose an immediate threat both to first-party software and of supply-chain compromise across the industry. They present working examples of Trojan-Source attacks in C, C++, C#, JavaScript, Java, Rust, Go, and Python. They propose definitive compiler-level defenses, and describe other mitigating controls that can be deployed in editors, repositories, and build pipelines while compilers are upgraded to block this attack. The project website and research can be found here: Trojan Source: Invisible Source Code Vulnerabilities project website Trojan Source: Invisible Vulnerabilities research paper Learn more about your ad choices. Visit megaphone.fm/adchoices

Software supply chain incidents: FatPipe, PyPi, and IT services generally. A look at recent Iranian operations. The US Federal Reserve publishes its disclosure rules for banks sustaining cyber incidents. CISA issues a set of ICS advisories. Two of the Five Eyes announce plans for continued, even closer cooperation in cyberspace. Johannes Ullrich on attackers abusing "PAM" (Plug Authentication Modules). Our guest is Hatem Naguib, CEO at Barracuda Networks. And a real evil maid seems to have been out and about in Tel Aviv. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/223 Learn more about your ad choices. Visit megaphone.fm/adchoices

Red Curl is a Russophone gang with an unusual target list. North Korea’s TA406 is having a busy year, hacking for intelligence and for profit. Wicked Panda’s getting good at code-signing, and software supply chain attacks are in Beijing’s long-term plans. A spearphishing campaign abuses legitimate collaboration tools. Kevin Magee from Microsoft has an insider’s look at Windows 11 security. Our guest is Kevin Bocek of Venafi to discuss Security Software Build Environments. And selling confiscated cryptocurrency to compensate victims of scams. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/222 Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA, the FBI, the ACSC, and the NCSC issue a joint advisory warning of an Iranian cyber campaign exploiting known vulnerabilities in Fortinet and Microsoft Exchange. A Belarusian connection to Ghostwriter. Candiru tools reported in watering holes. SideCopy’s interest in Afghanistan. RAMP shows an interest in attracting Chinese operators. Josh Ray from Accenture Security digs into the CONTI playbook leak. Our guest is Matt Keeley from Bishop Fox on fuzzing. And Pompompurin wants to sell you leaked Robinhood data. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/221 Learn more about your ad choices. Visit megaphone.fm/adchoices

Older threats, including Emotet and Mirai, are out and about, and an old vulnerability, Rowhammer, gets a fresh proof-of-concept. A new banking Trojan threatens Europe. Intel works on vulnerabilities. CISA advises awareness of recently reported DDS vulnerabilities. Joe Carrigan explains how spearphishers are using customer complaints as bait. Rick Howard epaks with Carlos Vega from Devo on Supply Chain issues. And an arrest is made in a Maryland revenge porn case. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/220 Learn more about your ad choices. Visit megaphone.fm/adchoices

Exploitation of a configuration error in the FBI’s Law Enforcement Enterprise Portal enables hackers to send bogus warning emails. Philippine Office of Civil Defense Twitter account briefly hijacked. Update on Iranian politically motivated threat group MosesStaff. Discount retailer Costco discloses a point-of-sale skimmer incident. Dinah Davis from Arctic Wolf track zero days. Rick the Toolman Howard drops by the studio. And the US seeks extradition of a Russian alt-coin baron on charges of laundering Ryuk’s money. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/219 Learn more about your ad choices. Visit megaphone.fm/adchoices

Ground Labs' Head of Engineering, Swati Shekhar, shares her circuitous route from and back to engineering. Always being interested in leveraging the tools available to solve problems, Swati talks about how she found her place in engineering. She mentions how she had her first real experience with a computer when she was 17 in her first year at college. Aside from being one of 30 young women in a sea of 500 young men there, Swati described it as a "good culture shock because anything that takes you out of your comfort zone actually makes you learn and grow." She notes that challenges experienced in life increase your risk appetite so significantly. Swati advises those looking to make a job change to be certain of what is attracting them and to be yourself. We thank Swati for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Ransomware: the problem that everyone is talking about, yet somehow continues to get worse with each passing year. In 2021, the cost of ransomware to global businesses is estimated to reach a whopping $20B. The problem has reached such a critical mass that it can no longer be cast away as some unknowable IT problem–everyone from cyber insurance providers to the federal government have taken note. The CyberWire's Rick Howard speaks with Hash Table member Kevin Ford of Environmental Systems Research Institute (ESRI), and ExtraHop's VP, GM of International and Global Security Programs, Mike Campfield, joins The CyberWire's Dave Bittner on this CyberWire-X for a retrospective on ransomware in 2021. Mike shares his predictions on how it will evolve in 2022 and beyond, and what controls enterprises can put into place to build their resilience to the growing threat. Learn more about your ad choices. Visit megaphone.fm/adchoices

Senior Intelligence Researcher at Anomali, Tara Gould, joins Dave to discuss their team's work on "Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server." Anomali Threat Research discovered an open server to a directory listing that they attribute with high confidence to the German-speaking threat group, TeamTNT.The server contains source code, scripts, binaries, and cryptominers targeting Cloud environments.Other server contents include Amazon Web Services (AWS) Credentials stolen from TeamTNT stealers are also hosted on the server. This inside view of TeamTNT infrastructure and tools in use can help security operations teams to improve detection capabilities for related attacks, whether coming directly from TeamTNT or other cybercrime groups leveraging their tools. The research can be found here: Inside TeamTNT’s Impressive Arsenal: A Look Into A TeamTNT Server Learn more about your ad choices. Visit megaphone.fm/adchoices

Notes on rising international tension in Eastern Europe. A watering-hole campaign in Hong Kong. The US and the EU have joined the Paris Call. NSO Group’s prospective CEO resigns his position before formally assuming it. Void Balaur, a cybermercenary group, is active in the Russophone cyber underground. Johannes Ullrich on leaked vaccination cards and Covid tests. Our guest is Carolyn Crandall of Attivo Networks on what organizations should be focused on to protect Active Directory. CISA intends to increase its capacity to work against misinformation and disinformation. CISA also intends to recruit white hat hackers to an advisory board. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/218 Learn more about your ad choices. Visit megaphone.fm/adchoices

Welcome to a fun new project by the team who brings you Hacking Humans, the CyberWire's social engineering podcast. Co-hosts Dave Bittner and Joe Carrigan are joined by Rick Howard in this series. They view clips from their favorite movies with examples of the social engineering scams and schemes you hear about on Hacking Humans. In this first episode, Dave, Joe and Rick are watching Dave's and Joe's picks. They watch each of the selected scenes, describe the on-screen action for you, and then the team deconstructs what they saw. Grab your popcorn and join us for a trip to the movies. Links to movie clips if you'd like to watch along: Dave's pick from "The Grifters" Joe's clip from "Matchstick Men" Learn more about your ad choices. Visit megaphone.fm/adchoices

Tehran’s Lyceum group expands its activities against ISPs and telcos in Israel, Morocco, Tunisia, and Saudi Arabia. Clopp is going after unpatched instances of SolarWinds. Cyber mercenaries are quietly competing with lawful intercept vendors. NSO Group receives a setback from the US 9th Circuit. Mexico makes an arrest in its Pegasus investigation. Carole Theriault shares her thoughts on the supply chain. Josh Ray from Accenture Security on Moving Left of the Ransomware Boom. And notes on Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/217 Learn more about your ad choices. Visit megaphone.fm/adchoices

Hive ransomware hits electronics retailer Media Markt. Robinhood Markets sustains a data breach it traces to social engineering. Ben Yelin looks at the law behind U.S. police demanding your phone passcode. Dave checks in with Rick Howard for his thoughts on the Trojan Source vulnerability. And more notes on the international action against REvil, including the US application of sanctions (with Baltic cooperation) to three companies involved in supporting the gang’s financial infrastructure. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/216 Learn more about your ad choices. Visit megaphone.fm/adchoices

REvil operators arrested and indicted. China says a foreign intelligence service accessed passenger travel records. Suspected Emissary Panda campaign. Conti (sort of) apologizes. Caleb Barlow thinks it’s time to re-think your security documentation. Our guest is Jessica Hetrick of Optiv Security on cyber fraud running rampant. And the FBI warns of ransomware attacks targeting casinos. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/215 Learn more about your ad choices. Visit megaphone.fm/adchoices

Senior Vice President for Strategy, Partnerships, and Corporate Development at IronNet Cybersecurity, Jamil Jaffer, shares how his interest in technology brought him full circle. Always a tech guy, Jamil paid he way through college doing computer support. Jamil went to law school and worked in various jobs in Washington DC including a stint in the newly-created National Security division of the Justice Department just after 9/11. When talking about adversity, Jamil notes, "Adversity has happened in life, but you gotta run at those things. To me, you know, I like risk. I think risk is something that a lot of people shy away from." We thank Jamil for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Mor Levi, Vice President of Cyber Practices from Cybereason, joins Dave Bittner to discuss her team's work on "Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms." In July 2021, the Cybereason Nocturnus and Incident Response Teams responded to Operation GhostShell, a highly-targeted cyber espionage campaign targeting the Aerospace and Telecommunications industries mainly in the Middle East, with additional victims in the U.S., Russia and Europe. The Operation GhostShell campaign aims to steal sensitive information about critical assets, organizations’ infrastructure and technology. During the investigation, the Nocturnus Team uncovered a previously undocumented and stealthy RAT (Remote Access Trojan) dubbed ShellClient which was employed as the primary espionage tool. To learn more, listen to the episode. The research can be found here: Operation GhostShell - Novel RAT Targets Global Aerospace and Telecoms Firms Learn more about your ad choices. Visit megaphone.fm/adchoices

The US offers a reward of up to ten million dollars for information leading to the identification or location of the leaders of the DarkSide ransomware gang. Researchers expect BlackMatter’s nominally retired operators to resurface in other criminal organizations. Ukraine outlines Russian FSB cyber operations during the hybrid war that’s been waged since 2014. Deterrence in cyberspace. Carole Theriault takes on high value targets. Our guest is Bill Mann of Styra on rising compliance regulations and security drift. An arrest is made in Special Counsel Durham’s investigation. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/214 Learn more about your ad choices. Visit megaphone.fm/adchoices

Britain’s Labour Party is affected by a ransomware incident a third-party provider sustained. ANSSI identifies a new ransomware affiliate gang, “Lockean.” Notes on how and why BlackMatter and REvil went on the lam. Russo-American talks discussed cybercrime and cybersecurity. Iran’s gas stations are fully back in business, following the cyber sabotage they sustained. Kevin Magee from Microsoft has highlights from their 2021 Digital Defence Report. Our guest is Ofer Ben Noon of Talon Cyber Security addressing browser vulnerabilities. And DataTribe has announced the winners of its fourth annual Cybersecurity Start-up Challenge. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/213 Learn more about your ad choices. Visit megaphone.fm/adchoices

The BlackMatter ransomware gang says that it’s retiring under pressure from the authorities. The spokesman for the Groove group says his gang doesn’t exist--he was just playing the media. Quiet, high-level talks held between senior US and Russian officials. The US Commerce Department sanctions four spyware vendors. Carole Theriault wonders if you can train yourself free of social engineering. Josh Ray from Accenture Security with insights from their Cyber Investigations and Forensic Response team. CISA tells Federal agencies to get patching. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/212 Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers describe Trojan Source, a hard-to-detect threat to the software supply chain. A ransomware gang takes a page from the information operator’s book. From double extortion to triple extortion, as other ransomware gangs add distributed denial-of-service to encryption and doxing. Criminals are now hacking on material, non-public information, the FBI warns. Joe Carrigan looks at multifactor adoption at Twitter. Our guest is Steve Ragan from Akamai on API security. And criminals hit healthcare providers in Newfoundland. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/211 Learn more about your ad choices. Visit megaphone.fm/adchoices

Iran hasn’t finished investigating its gas station cyber sabotage, but Tehran is pretty sure the Great and Lesser Satans are behind it. NSO Group says it’s going in a new, nicer direction. The Conti gang hits a luxury jewelry dealer, and another, unknown group hits an upscale art dealership. The Chaos gang is after Minecraft players (players who cheat). Caleb Barlow on pre-breach pre-approvals. Rick Howard introduces sand tables in cyber space. And sugar daddies come to the world of advance fee scams. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/210 Learn more about your ad choices. Visit megaphone.fm/adchoices

Jadee Hanson, CIO and CISO at Code 42, started her technology journey thanks to the help of a teacher in high school. She began college studying computer science and ended with a degree in computer information systems as it had more of the business side. Working in the private sector for companies such as Deloitte, Target and Code 42, Jadee gained experience and specialized in insider risk. She notes "utopia for me and my team is to get to a spot where the team is just firing on all cylinders and being really proactive about what's coming and what's changing." Jadee mentions she tries hard to do things that might scare her every day. For those interested in the field, especially young women, Jadee recommends they get involved and then stay curious. We thank Jadee for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Dr. Tudor Dumitras from University of Maryland and joins Dave Bittner to share a research study conducted in collaboration with industry partners from Facebook, NortonLifeLock Research Group and EURECOM. The project is called: "When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World." In the study, the team analyzed how malware samples change their behavior when executed on different hosts or at different times. Such “split personalities” may confound the current techniques for malware analysis and detection. Malware execution traces are typically collected by executing the samples in a controlled environment (a “sandbox”), and the techniques created and tested using such traces do not account for the broad range of behaviors observed in the wild. In the paper, the team shows how behavior variability can make those techniques appear more effective than they really are, and they make some recommendations for dealing with the variability. The research and executive summary can be found here: When Malware Changed Its Mind: An Empirical Study of Variable Program Behaviors in the Real World Analysing malware variability in the real world Learn more about your ad choices. Visit megaphone.fm/adchoices