CyberWire Daily

Kaseya isn’t saying where it got its REvil decryptor. Transportation services disrupted at two major South African ports by an unspecified cyber incident. Another company is mentioned as an alleged source of abused intercept tools as the controversy over NSO Group’s Pegasus software continues. Johannes Ullrich from SANS on supply chains, development tools and insecure libraries. Our own Rick Howard looks at enterprise encryption. And a guilty plea gets a swatter five years: he got off easy. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/142 Learn more about your ad choices. Visit megaphone.fm/adchoices

With the recent onslaught of ransomware attacks across healthcare institutions, critical infrastructure, and the public sector, it's clear that ransomware isn’t going anywhere. But given how common ransomware attacks have become, how is it that we've been unable to put a stop to them? Companies often overlook the role that hardware security plays in meeting this challenge, and that oversight has become a bad actor's dream. Michael Nordquist speaks about the recent surge in ransomware attacks, and how strong hardware security, combined with software security and personnel security awareness, can be the answer to the industry’s prayers. In this episode of CyberWire-X, guest Steve Winterfeld from Akamai shares his insights with the CyberWire's Rick Howard, and Michael Nordquist of sponsor Intel offers his thoughts to the CyberWire's Dave Bittner. Learn more about your ad choices. Visit megaphone.fm/adchoices

Chief Product Officer at Cybint Solutions, Ingrid Toppelberg, shares her journey from consulting to bootcamp coach and cybersecurity education. As a young girl, Ingrid wanted to do everything from being a teacher to the head of the World Bank. After consulting for several years, Ingrid found cybersecurity. What she found fascinating about the cyber world is how important it is for absolutely everyone at all levels to know about cybersecurity. Ingrid also develops and conducts bootcamps to reskill displaced people into cybersecurity. Ingrid says to those interested in cyber, "just do it. We need different kinds of minds in cyber keeping us safe." We thank Ingrid for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Christopher Budd, Senior Global Threat Communications Manager at Avast, joins Dave to talk about some research his team did when they looked into a Reddit report saying their Avast folder was empty and other reports like it. The team found a new malware they’re calling “Crackonosh” in part because of some possible indications that the malware author may be Czech. Crackonosh is distributed along with illegal, cracked copies of popular software and searches for and disables many popular antivirus programs as part of its anti-detection and anti-forensics tactics. The research can be found here: Crackonosh: A New Malware Distributed in Cracked Software Learn more about your ad choices. Visit megaphone.fm/adchoices

The Olympics are underway, and the authorities are on the alert for cyberattacks. Kaseya has a decryptor for the REvil ransomware, but it hasn’t said how it got the key. NSO Group says it’s not responsible for customer misuse of its Pegasus intercept tool. US policy toward Chinese cyber activities shows continuity, with some diplomatic intensification, but hawks would like to see more action. Our guest Jack Williams from Hexagon joins Dave to discuss the promises and challenges of smart cities. Podcast partner Chris Novak of Verizon talks about advancing incident response. And Dutch police make arrests in their investigation of the Fraud Family. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/141 Learn more about your ad choices. Visit megaphone.fm/adchoices

It’s extortion after all at Saudi Aramco. Controversy and investigation over alleged misuse of NSO Group’s Pegasus intercept tool continues. Warning of Chinese espionage from ANSSI, and China’s denunciation of all this kind of “baseless slander.” Phishing in Milanote. FIN7 resurfaces after the conviction of some key members. Dinah Davis from Arctic Wolf on the importance of identity management. Our guest Jenn Donahue shares key strategies for mentoring and supporting female engineers, scientists, and leaders of the future. And IBM sifts through the ashes of a ransomware gang for a look at the business of crime. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/140 Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA warns of threats to industrial control systems, profusely illustrated with examples from recent history. Ransomware can be operated either in the course of privateering or as an APT side hustle. Security firms outline new and evolving threats and vulnerabilities. Reaction continues to the Pegasus Project’s reports on intercept tools. Joe Carrigan unpacks recent Facebook revelations and allegations. Our guest is Dave Humphrey from Bain Capital on his tech investment bets and predictions. And do you know what “military grade” means? Neither do we, but we think we have an idea. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/139 Learn more about your ad choices. Visit megaphone.fm/adchoices

The US says China contracted with criminals to carry out cyberespionage campaigns. Norway says China was behind an attack on its parliamentary email system. China denounces accusations of cyberespionage as slander, and says it’s the real victim, because the CIA is the one stealing IP from China. AWS expels NSO Group from its CloudFront CDM. NSO denies it permits its intercept tools to be abused. Saudi Aramco sustains a data breach. Ben Yelin describes calls for bans on government use of facial recognition software. Our guest is Tom Kellermann from VMware on the potential cybersecurity threats facing the Olympic Games. And an MSP struggles with ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/138 Learn more about your ad choices. Visit megaphone.fm/adchoices

Allied governments formally attribute exploitation of Microsoft Exchange Server to China’s Ministry of State Security. A US Federal indictment names four MSS officers in conjunction with another, long-running cyberespionage campaign. The US Department of Commerce adds six Russian organizations to the Entities List. The Pegasus Project outlines alleged abuse of NSO Group’s intercept tool. Thomas Etheridge from CrowdStrike on the importance of real-time response, continuous monitoring and remediation. Our guest is Neha Joshi from Accenture on solving the cybersecurity staffing gap and how to stand up a successful, diverse security team. And there’s hacktivism in Southeast Asia. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/137 Learn more about your ad choices. Visit megaphone.fm/adchoices

CEO of ActiveNav, Peter Baumann, takes us on his career journey from minor home electrical experiments to the business of data discovery. He began his career as an electrical engineer, but felt an entrepreneurial spirit was part of his makeup. Following his return to college to study business and finance, Peter talks about being set on the path to shine the light on the data to provide discovery capability. To those interested in the field, he suggests having a broad familiarity of different approaches. We thank Peter for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Nathan Howe, Vice President of Emerging Technology at Zscaler, joins Dave to discuss his team's work, "2021 “Exposed” Report Reveals Corporate and Cloud Infrastructures More at Risk Than Ever From Expanded Attack Surfaces." The modern workforce has resulted in an increase of users, devices, and applications existing outside of controlled networks, including corporate networks, the business emphasis on the “network” has decreased and the reliance on the internet as the connective tissue for businesses has increased. Zscaler analyzes the attack surface of 1,500 organizations and identifies trends affecting businesses of all sizes and industries, across all geographies. Key findings include: The attack surface impact based on company size The countries with the greatest attack surface The industries that are most exposed The research can be found here: “Exposed”: The world’s first report to reveal how exposed corporate networks really are. Learn more about your ad choices. Visit megaphone.fm/adchoices

Russia’s Ministry of Defense says its website sustained a distributed denial-of-service attack this morning. Facebook disrupts a complex Iranian catphishing operation aimed at military personnel and employees of defense and aerospace companies. Microsoft and Citizen Lab describe the recent operations of an Israeli intercept tool vendor. The US shows no signs of relenting on Huawei. Johannes Ullrich from the SANS technology institute has been Hunting Phishing Sites with Shodan. Our guest is Rick Van Galen from 1Password with insights from their Hiding in Plain Sight report. And there’s nothing new on the REvil front--the gang is as much in the wind as it was early this week. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/136 Learn more about your ad choices. Visit megaphone.fm/adchoices

A Chinese APT is active against targets in Myanmar and, especially, the Philippines. Cyberespionage campaigns suggest that there’s a thriving market for zero-days. MI5 warns against spying, disinformation, and radicalization. REvil continues to lie low (and the Kremlin hasn’t seen anything). CISA offers ransomware mitigation advice. Bogus Coinbase sites steal credentials. Ransomware attacks on old SonicWall products expected. Daniel Prince from Lancaster University looks at Getting into the industry, and whether a degree is worth it. Our guest is Kurtis Minder from GroupSense, tracking 3 divergent ransomware trends. And Rewards for Justice offers a million dollars for tips on cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/135 Learn more about your ad choices. Visit megaphone.fm/adchoices

SolarWinds patches a zero-day exploited by a Chinese threat group. Patch Tuesday notes. What’s up with REvil: takedown, retirement, rebranding, or glitch? (Don’t bet against rebranding.) Joe Carrigan from JHU ISI on cell phone carriers sneaking us ads via SMS. Our guest is Nicko van Someren of Absolute Software with a look at endpoint risk. And bots like futbol. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/134 Learn more about your ad choices. Visit megaphone.fm/adchoices

SolarWinds addresses a zero-day that was exploited in the wild. A watering hole campaign lures users of online gaming sites. Inauthentic accounts (now suspended) get a blue check mark. Trickbot is back, with new capabilities. The DarkSide hits fashion retailer Guess. Malek Ben Salem from Accenture on Remediation of Vulnerabilities using AI. Our guest is Jeff Williams from Contrast Security with a look at Application Security in Financial Services. And some updates on Kaseya, its customers, and the current state of REvil. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/133 Learn more about your ad choices. Visit megaphone.fm/adchoices

Kaseya has patched the VSA on-premises and SaaS versions affected by REvil ransomware. The US tries some straight talk about privateering with Russia, but with what effect remains to be seen. Russia’s autarkic Internet poses some challenges for international security. Iranian rail and government sites were hit with a cyber incident over the weekend. Ukraine says Russian threat actors defaced its Naval website. Carole Theriault looks at ethics in phishing simulations. Josh Ray from Accenture tracks real world incident response trends. And tracking just how much the ransomware gangs are taking in. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/132 Learn more about your ad choices. Visit megaphone.fm/adchoices

Cloud attacks have become so widespread that the Department of Homeland Security (DHS) has warned against an increase of nation states, criminal groups and hacktivists targeting cloud-based enterprise resources. APTs such as Pacha Group, Rocke Group and TeamTNT have been rapidly modifying their existing tools to target Linux servers in the cloud. Modifying their existing code to create new malware variants which are easily bypassing traditional security solutions. The solution? In order to detect and respond to these attacks security teams need visibility into what code is running on their systems. In this episode of CyberWire-X, guest Jonas Walker from Fortinet shares his insights with the CyberWire's Rick Howard, and Ell Marquez of sponsor Intezer offers her thoughts to the CyberWire's Dave Bittner. Learn more about your ad choices. Visit megaphone.fm/adchoices

Senior Threat Analyst and Shift Lead for VMware Taree Reardon shares her journey to becoming leader for women in the cybersecurity field. A big gamer who has always been interested in hacking and forensics, Taree found her passion while learning about cybersecurity. She's dedicated to diversity and inclusion and found her footing on a team made up of 50% women. Taree spends her days tracking and blocking attacks and as a champion for women. Trusting yourself is top on her list of advice. We thank Taree for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Daniel Kats, Senior Principal Research Engineer at NortonLifeLock, joins Dave to discuss his team's work, "Encrypted Chat Apps Doubling as Illegal Marketplaces." Encrypted chat apps are gaining popularity worldwide due to their central premise of not sending user data to tech giants. Some popular examples include WhatsApp, Telegram and Signal. These apps have also been adopted by businesses to securely communicate directly to their users. Additionally, these apps have been instrumental to subverting authoritarian regimes. However, NortonLifeLock found that encrypted chat apps are also being used by criminals to sell illegal goods. Because content moderation is, by design, nearly impossible on these apps, they allow for an easy vector for dealers of illicit goods to communicate directly to customers without fear of law enforcement involvement. The research can be found here: Encrypted Chat Apps Doubling as Illegal Marketplaces Learn more about your ad choices. Visit megaphone.fm/adchoices

Kaseya continues to work through remediation of the VSA vulnerability exploited by REvil, with completion expected Sunday afternoon. And while REvil has made a nuisance of itself, this time they may not have seen a big payday, or at least not yet. The US is still considering its retaliatory and other options in the big ransomware case. China’s MSS is active against targets in Asia. Andrea Little Limbago from Interos looks at Government access to data analysis. Our guest is Leon Gilbert from Unisys with data from their Digital Workplace Insights report. And scammers are baiting their hooks with Black Widow lures. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/131 Learn more about your ad choices. Visit megaphone.fm/adchoices

Ukrainian government websites may have come under an unspecified cyberattack early this week. Kaseya delays its VSA patch until Sunday, and offers assistance to victims of VSA exploitation by REvil. The US continues to mull its response to Russia over REvil and Cozy Bear. A small electric utility’s business systems go offline after a ransomware attack. Microsoft continues to grapple with PrintNightmare. Caleb Barlow from CynergisTek on the changing Cyber Insurance landscape. Our guest is Kwame Yamgnane from Qwasar on how he seeks to inspire minority kids to code. And the US will try again to get Julian Assange extradited. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/130 Learn more about your ad choices. Visit megaphone.fm/adchoices

Kaseya continues to work on patching its VSA products. The US mulls retaliation for the Kaseya ransomware campaign, as well as for Cozy Bear’s attempt on the Republican National Committee and Fancy Bear’s brute-forcing efforts. (Russia denies any wrongdoing.) Current events phishbait. Microsoft patches PrintNightmare. Joe Carrigan looks at recent updates to Google’s Scorecards tool. Our guest Umesh Sachdev of Uniphore describes his entrepreneurial journey. And the Lazarus Group is back, phishing for defense workers. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/129 Learn more about your ad choices. Visit megaphone.fm/adchoices

Updates on the Kaseya ransomware incident, as REvil strikes again. Concerns about other ransomware attacks against industrial targets rise. Google expels credential-stealing apps from the Play Store. Online gamers draw various threat actors. Carole Theriault examines the elements that could put you in the crosshairs for ransomware. Ben Yelin has an update on the Facebook antitrust case. And the Tokyo Olympic Games will be on alert for cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/128 Learn more about your ad choices. Visit megaphone.fm/adchoices

Senior technical project manager Dwayne Price takes us on his career journey from databases to project management. Always fascinated with technology and one who appreciates the aspects of the business side of a computer implementations, Dwayne attended UMBC for both his undergraduate and graduate degrees in information systems management. A strong Unix administration background prepared him to understand the relationship between Unix administration and database security. He recommends those interested in cybersecurity check out the NICE Framework as it speaks to all the various different types of roles in cybersecurity, Dwayne prides himself on his communication skills and openness. We thank Dwayne for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Tom Roter from Minera Labs joins Dave to discuss his team research: "Rigging a Windows Installation." It is common knowledge that pirated software might contain malware, yet millions still put themselves and their devices at risk and download from dubious sources. It is even more surprising to see the popularity of torrented operating system installations, which are ranked at the top of most torrent tracker ranking lists. Today we will prove conventional wisdom right and show off a devious, yet clever attack chain employed by an infected Windows 10 image, frequently shared and downloaded by tens of thousands of users. Over the last year, numerous malicious PowerShell events popped up in our telemetry. The events caught our attention because a payload was being downloaded into the “C:\Windows” directory, which is usually well guarded under NTFS permissions, this implies that the attacker had very high privilege on the compromised system. The research can be found here: Rigging a Windows installation Learn more about your ad choices. Visit megaphone.fm/adchoices

Mitigations for the PrintNightmare vulnerability are suggested. Wizard Spider has a new strain of ransomware in its toolkit. A new RagnarLocker strain is in circulation. NETGEAR patches router firmware. Russia reacts to US and US reports of a GRU brute-forcing campaign: Moscow says it didn’t do it. Kevin Magee from Microsoft shares some of the tools he uses to keep himself and his team up to date. Our guest is Andrew Patel from F-Secure on how to prepare security teams for AI-powered malware. And a quick look at the true costs of cybercrime. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/127 Learn more about your ad choices. Visit megaphone.fm/adchoices

US and British authorities warn of a large-scale GRU campaign aimed at brute-forcing its way into European and American organizations. Reports of a major cyberattack on German critical infrastructure appear very much exaggerated. IndigoZebra uses Dropbox in ministry-to-ministry deception aimed at the Afghan government. Currently active ransomware groups are profiled, and REvil is now going after Linux systems in addition to Windows machines. A cyber most-wanted, and priorities in a US Treasury campaign against money laundering. Malek Ben Salem looks at supply chain security. Our guest is Brandon Hoffman of Intel471 with insights on China’s data underground. And, hey, it’s Dmitri from Yurga, long-time listener, first-time caller. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/126 Learn more about your ad choices. Visit megaphone.fm/adchoices

A report on threats to industrial control systems is out, and it focuses on ransomware, coinjacking, and legacy malware. EternalBlue remains a problem. The US is preparing a formal attribution in the case of the Microsoft Exchange Server campaign. An international police operation has taken down DoubleVPN, and the authorities seem pretty pleased with their work. Joe Carrigan examines vulnerabilities in systems from Dell. Our guest is Vikram Thakur from Symantec on Multi-Factor Authentication evasion. And the guy who allegedly provided the Gozi banking malware with its bulletproof hosting has been collared in Bogota. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/125 Learn more about your ad choices. Visit megaphone.fm/adchoices

Legitimate tools are abused as commodity initial access payloads. Hades ransomware is circulating in some new sectors. Criminal markets are sharing more features with legitimate markets, including advertising, recruiting, and even funding rounds. Cybercrime uses cryptocurrency, but the key to success may be location more than technology. Ben Yelin describes insurance companies collaborating on cyber breach data collection. Our guest is Michael Osborn from Moody's on a recent rash of cyber attacks hitting higher education. And Denmark’s central bank is reported to have been a victim of the SolarWinds compromise. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/124 Learn more about your ad choices. Visit megaphone.fm/adchoices

The SVR’s Nobelium appears to be back, this time with a less-than-fully successful cyberespionage campaign. The Netfilter driver is assessed as malware. Idle hands seem to make for more attacks against online gaming. Mercedes-Benz USA reports a data exposure incident. CISA starts to keep track of bad practices. The International Institute for Strategic Studies publishes a net assessment of national cyber power. Carole Theriault looks at the security implications of frictionless online commerce. Our guest is Clar Rosso from (ISC)2 with insights on Building Resilient Cybersecurity Teams. And Loki is a trickster, and his name is a lousy password. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/123 Learn more about your ad choices. Visit megaphone.fm/adchoices

There’s truth in the sentiment, “teamwork makes the dream work.” When team members don’t feel included or heard in their environment, they’re not going to do their best work, so it’s up to managers, supervisors, and even global security directors to foster a workplace and culture that doesn’t allow anyone to be silenced. On this episode, Microsoft’s CISO, Bret Arsenault, sits with his friend and peer, Emma Smith, Director of Global Cybersecurity for Vodafone. Throughout the conversation, they discuss returning to in-person work after over a year of being remote and some of the inherent difficulties that come with the change, especially as they relate to inclusivity. In This Episode You Will Learn: How focusing on digital society, inclusion for all, and the planet allows for practical actions. Why 5G is so important for a hybrid workforce. Why Emma and Bret support eliminating passwords. Some Questions We Ask: How does Emma look at inclusion initiatives from an industry perspective? What is ‘withstander’ training and why is it crucial for effective leadership? What are Emma’s three points of wisdom for security practitioners? Subscribe: https://SecurityUnlockedCISOSeries.com Resources: Emma Smith’s LinkedIn. https://www.linkedin.com/in/emma-smith-0388aa4b/ Brett Arsenault’s LinkedIn: https://www.linkedin.com/in/bret-arsenault-97593b60/ Related: Security Unlocked: The Microsoft Security Podcast https://SecurityUnlockedPodcast.com Security Unlocked: CISO Series with Bret Arsenault is produced by Microsoft and distributed as part of The CyberWire Network. Learn more about your ad choices. Visit megaphone.fm/adchoices

Senior Program Manager for Governance, Risk and Compliance at Illumio, Maria Thompson-Saeb shares experiences that led to her career in cybersecurity. Interested in computers and not a fan of math, Maria opted for information systems management rather than computer science. She started her career as a government contractor. Once in the private sector, Maria moved into the Unix and Linux environments where she says "something that would totally change everything." She gained an interest in security and took it upon herself to train up and move into that realm. Maria notes it was not without roadblocks, but that being flexible helped her address those challenges and make her career in security happen. We thank Maria for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Yonatan Striem-Amit joins Dave to talk about Cybereason's research "Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities." The Cybereason Nocturnus Team responded to several incident response (IR) cases involving infections of the Prometei Botnet against companies in North America, observing that the attackers exploited recently published Microsoft Exchange vulnerabilities (CVE-2021-27065 and CVE-2021-26858) in order to penetrate the network and install malware. Yonatan shares his team's findings of the investigation of the attacks, including the initial foothold sequence of the attackers, the functionality of the different components of the malware, the threat actors’ origin and the bot’s infrastructure. The research can be found here: Prometei Botnet Exploiting Microsoft Exchange Vulnerabilities Learn more about your ad choices. Visit megaphone.fm/adchoices

REvil hits a Brazilian medical diagnostics company and a British fashion retailer. A misconfigured cloud database exposes millions of WordPress user records. A new cryptojacker is deploying XMrig to mine Monero. A judgment is issued against a hacker and one of the traders he worked with to trade securities on non-public information. Johannes Ullrich from SANS on server site request forgery and errors in validating IP addresses. Our guest is Tom Patterson from Unisys reacts to the DOJ launching a ransomware taskforce. A FIN7 operator is sentenced to seven years. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/122 Learn more about your ad choices. Visit megaphone.fm/adchoices

The ChaChi Trojan is out, about, and interested in educational institutions. Bogus free subscription cancellations figure in a social engineering campaign designed to get the victims to download BazarLoader. Ursnif is automating fraudulent bank transfers with Cerberus Android malware. The US Senate invites the Department of Defense to think of ransomware as analogous to piracy, and Defense says it’s thinking along those lines. And rest in peace, John McAfee. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/121 Learn more about your ad choices. Visit megaphone.fm/adchoices

ReverseRat looks like a state-run espionage tool active in South and Central Asia. The US Justice Department seizes thirty-three sites run by media aligned with the Iranian government. Poland offers more clarity on a cyberespionage campaign it attributes to Russia. An intercept and inspection company’s executives are indicted for complicity with torture. NSA opens a Cybersecurity Collaboration Center for industry. Joe Carrigan examines Apple’s push to replace passwords. Our guest is Shehzad Merchant of Gigamon with a breakdown on security guidelines for hybrid cloud programs. And the FSB says it hopes for “reciprocity.” For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/120 Learn more about your ad choices. Visit megaphone.fm/adchoices

Malicious Google ads for Signal and Telegram are being used to lure the unwary into downloading an info-stealer. LV ransomware looks like repurposed REvil. A study of the US Defense Industrial Base finds that many smaller firms, particularly ones that specialize in research and development, are vulnerable to ransomware attacks. Rick Howard ponders how we categorize state sponsored cybercrime. Our guest is Sudheer Koneru from Zenoti on how data privacy impacts salons and spas. And it’s high noon in the Black Sea. Do you know where your warships are? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/119 Learn more about your ad choices. Visit megaphone.fm/adchoices

The South Korean nuclear research organization sustained an apparent cyberespionage incident. Norway’s investigation of its 2018 breach of government networks concludes that China’s APT31 was behind it. Poland accuses Russia in a long-running email hacking case. Our guest is Mark Testoni from SAP NS2 on where the Justice Department should focus during its upcoming cyber review. Chris Novak of Verizon on financial vs. espionage breaches. NATO seeks to clarify its policies in cyberspace, including a recommitment to Article 5 and a revision of the Tallinn Manual. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/118 Learn more about your ad choices. Visit megaphone.fm/adchoices

CEO and co-founder of Orca Security Avi Shua shares his thoughts on ways to succeed in cybersecurity. Avi's excitement about cybersecurity began when he was 13 as he tried to think of ways to get around the school's network security. He joined the Israeli Army's Intelligence Unit 8200 and experienced some unique cybersecurity training programs that he would eventually come to teach. Learning to solve problems on your own is a skill Avi acquired and took into his professional career. In his current position, Avi works to advance Orca's mission. He loves that his company works to reduce friction and enables security people to do their jobs. Instead of becoming of plumbers connecting things, Avi says they can do their job and become real security practitioners. We thank Avi for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guests Gage Mele and Yury Polozov join Dave to talk about Anomali's research "Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes." Anomali Threat Research identified malicious samples that align with the Russia-sponsored cyberespionage group Primitive Bear’s (Gamaredon, Winterflounder) tactics, techniques, and procedures (TTPs). Primitive Bear, known primarily to focus on Ukraine, has been very active in 2021. However, the themes of the samples Anomali found, as well as those shared by the security community, could also be used to target multiple former Union of Soviet Socialist Republic (USSR) countries. Anomali Threat Research found malicious .docx files being distributed by Primitive Bear, likely through spearphishing, that attempted to download remote template .dot files through template injection. The research can be found here: Primitive Bear (Gamaredon) Targets Ukraine with Timely Themes Learn more about your ad choices. Visit megaphone.fm/adchoices

Phishing, with a bogus hardware wallet as bait. Empty threats from a DarkSide impersonator. Cyber vigilantes may be distributing anti-piracy malware. Data security incidents at a cruise line and a US grocery chain. Malek Ben Salem from Accenture looks at optimizing security scanning. Our guest is Edward Roberts of Imperva on their 2021 Bad Bots Report. And a conviction for a crypter, with sentencing to follow. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/117 Learn more about your ad choices. Visit megaphone.fm/adchoices

The US-Russian summit took up cyber conflict, cyber privateering, and cyber deterrence, ending with the prospect of further discussions. Ferocious Kitten’s domestic surveillance. Ransomware gangs are using a lot of initial access brokers. The Molerats are back. Troubleshooting a wave of intermittent Internet interruptions. NSA offers advice on securing business communication tools. Ukrainian police arrest six alleged Clop gangsters. Andrea Little Limbago from Interos on bringing the private sector back into the defense equation. Our guest is Charles Herring of WitFoo, with the case for cybersecurity as an extension of law enforcement. Nine alleged ransomware hoods collared in Seoul. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/116 Learn more about your ad choices. Visit megaphone.fm/adchoices

Southwest flights are back in the air after an IT issue disrupted them yesterday. Paradise ransomware source code has been leaked online. Some networked camera feeds may be accessible to unauthorized viewers. TSA is preparing a second, more prescriptive pipeline cybersecurity directive. The Russo-US summit is underway. Our guest is Jay Paz from Cobalt on bad actors targeting hackers. Joe Carrigan looks at malware hosted on Steam. And the “face of Anonymous” has been extradited from Mexico to the US. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/115 Learn more about your ad choices. Visit megaphone.fm/adchoices

Microsoft disrupts a major BEC campaign. The scope of cyberespionage undertaken via exploitation of vulnerable Pulse Secure instances seems wider than previously believed. Secureworks offers an account of Hades ransomware, and differs with others on attribution. Final notes during the run-up to tomorrow’s US-Russia summit, where cyber will figure prominently. Helping employees stay secure. Carole Theriault wonders if the internet of things is becoming the internet of everything. Ben Yelin weighs in on the Supreme Court’s ruling affecting the Computer Fraud and Abuse Act. And Reality Winner has been released to a halfway house. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/114 Learn more about your ad choices. Visit megaphone.fm/adchoices

Volkswagen warns North American customers of a third-party data breach. An “anti-monopoly agenda” advances in the US House Judiciary Committee. Speculation about how the FBI recovered ransom from DarkSide. How EA was hacked. Is Avaddon going out of business? Craig Williams from Cisco Talos explains why they’re calling some cyber criminals “privateers”. Rick Howard shares thoughts on professional development. And a strange case of a gamekeeper turned poacher (allegedly). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/113 Learn more about your ad choices. Visit megaphone.fm/adchoices

Principal Research Scientist for Human Behavior at Forcepoint, Margaret Cunningham shares her story of how she landed in cybersecurity. With a background in psychology and counseling and not feeling that one-on-one counseling was her thing, Margaret had a transformational moment in her PhD program in applied experimental technology when she realized she could "provide helping services and good work services at a broader scale." Margaret found her professional footing at DHS's Human Systems Integration Branch of Science and Technology Department as the person who figured out how to measure how new technologies impacted human performance. Margaret points out that making connections and reading whatever you can is important to stay up to date in the field. She notes that her statistical analysis skills are an asset. She hopes to create champions in human behavior and performance in the world of technology. We thank Margaret for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Adam Tagert is a Science of Security (SoS) Researcher in the National Security Agency Research Directorate. The National Security Agency (NSA) sponsors the Science of Security (SoS) Initiative for the promotion of a foundational cybersecurity science that is needed to mature the cybersecurity discipline and to underpin advances in cyberdefense. Adam works in all aspects of SoS particularly in the promotion of collaboration and use of foundational cybersecurity research. He promotes rigorous research methods by leading the Annual Best Scientific Cybersecurity Paper Competition. Adam joins Dave Bittner to discuss the NSA's SoS Initiative and their Science of Security and Privacy 2021 Annual Report. Information on the SoS Initiative and the report can be found here: Science of Security Science of Security and Privacy 2021 Annual Report Learn more about your ad choices. Visit megaphone.fm/adchoices

Diplomatic Backdoor afflicts Africa, Europe, and Southwest Asia. Electronic Arts source code stolen. “Fancy Lazarus” is back: despite the name, it’s an extortion gang, not an espionage service. An international law enforcement action takes down a credential market. Making good data available for AI research. There’s a growing appetite for cyber regulation in Washington. Thomas Etheridge from CrowdStrike looks at protecting cloud data, and Matt Chiodi of Palo Alto Networks' Unit 42 has highlights from their Cloud Threat report. And hold that side order of fries - a McBreach is disclosed. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/112 Learn more about your ad choices. Visit megaphone.fm/adchoices

JBS discloses that it paid REvil roughly eleven-million dollars in ransom. REvil not only had a good haul, but the gang made a few points about its brand, too. Colonial Pipeline explains, and defends, its decision to pay ransom. The US Congress has a third-party problem that constituents may or may not notice. Dan Prince from Lancaster University on the science of cybersecurity. Our guest is Kris McConkey from PwC on their Cyber Threats 2020 - Report on the Global Threat Landscape. The FBI’s recovery of some of the ransom Colonial Pipeline paid to the DarkSide was good, but it doesn’t necessarily represent a new normal. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/111 Learn more about your ad choices. Visit megaphone.fm/adchoices

SentinelOne attributes the cyberespionage campaign against Russia’s FSB to Chinese services. President Biden replaces his predecessor’s bans on TikTok and WeChat with a process of engagement, security reviews, and data protection. More on the FBI-led Operation Trojan Shield. Privateering, again. NATO’s Article 5 in cyberspace. Joe Carrigan weighs in on recent high profile cyber incidents. Our guest is Shashi Kiran from Aryaka on their 2021 State of the WAN report. And notes on Patch Tuesday. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/110 Learn more about your ad choices. Visit megaphone.fm/adchoices