CyberWire Daily

Guest Selena Larson, senior cyber threat analyst at Dragos, Inc., joins us to discuss their research into recent observations of ICS-targeting threats to manufacturing organizations. Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME in addition to various ransomware activities capable of disrupting operations. Manufacturing relies on ICS to scale, function, and ensure consistent quality control and product safety. It provides crucial materials, products, and medicine and is classified as critical infrastructure. Due to the interconnected nature of facilities and operations, an attack on a manufacturing entity can have ripple effects across the supply chain that relies on timely and precise production to support product fulfillment, health and safety, and national security objectives. Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial related processes and cause disruptive – and potentially destructive – impacts. Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have direct and indirect impact to operations. This report provides a snapshot of the threat landscape as of October 2020 and is expected to change in the future as adversaries and their behaviors evolve. The research can be found here: ICS Threat Activity on the Rise in Manufacturing Sector Learn more about your ad choices. Visit megaphone.fm/adchoices

Well-constructed phishing and smishing are reported out of Tehran. Estimates of SolarWinds compromise insurance payouts. Notes from industry on the convergence of criminal and espionage TTPs. Social engineering hooks baited with greed. Ring patches a bug that could have exposed users’ geolocation (and their reports of crime). Advice on cyber best practices from CISA and NSA. Robert M. Lee has thoughts for the incoming Biden administration. Our guest is Sir David Omand, former Director of GCHQ, on his book, How Spies Think: Ten Lessons in Intelligence. And an ethics officer is accused of cyberstalking. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/10 Learn more about your ad choices. Visit megaphone.fm/adchoices

There are other things going on besides Solorigate and deplatforming. There’s news about the SideWinder threat actor and its interest in South Asian cyberespionage targets. Google’s Project Zero describes a complex and expensive criminal effort. CISA discusses threats to cloud users, and offers some security recommendations. A scam-as-a-service affiliate network spreads from Russia to Europe and North America. Awais Rashid looks at shadow security. Our own Rick Howard speaks with Christopher Ahlberg from Recorded Future on Cyber Threat Intelligence. And SolarLeaks looks more like misdirection, Guccifer 2.0-style. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/9 Learn more about your ad choices. Visit megaphone.fm/adchoices

Speculation grows that the Solarigate threat actors were also behind the Mimecast compromise. SolarLeaks says it has the goods taken from FireEye and SolarWinds, but caveat emptor. Notes on Patch Tuesday. Joe Carrigan has thoughts on a WhatsApp ultimatum. Our guest is Andrew Cheung of 01 Communique with an update on quantum computing. And farewell to an infosec good guy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/8 Learn more about your ad choices. Visit megaphone.fm/adchoices

A cyberespionage campaign, so far not attributed to any threat actor, continues to prospect government and industry targets in Colombia. A new bit of malware is found in the SolarWinds backdoor compromise. Mimecast certificates are compromised in another apparent software supply chain incident. Ubiquiti tells users to reset their passwords. A brief Capitol Hill riot update. Bidefender releases a free DarkSide ransomware decryptor. Ben Yelin revisits racial bias in facial recognition software. Our guest is Jessi Marcoff from Privitar on trend toward Chief People Officers. And Europol announces the takedown of the DarkMarket. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/7 Learn more about your ad choices. Visit megaphone.fm/adchoices

Similarities are found between Sunburst backdoor code and malware used by Turla. CISA expands advice on dealing with Solorigate. Courts revert to paper...and USB drives. More members of the US Congress report devices stolen during last week’s riot. Online inspiration for violence seems distributed, not centralized. Caleb Barlow examines protocols for handling inbound intel. Rick Howard looks at Solorigate through the lens of first principles. And platforms as publishers? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/6 Learn more about your ad choices. Visit megaphone.fm/adchoices

Vice President of Security and Support Operations of Alert Logic Tom Gorup shares how his career path led him from tactics learned in Army infantry using machine guns and claymores to cybersecurity replacing the artillery with antivirus and firewalls. Tom built a security automation solution called the Grunt (in recollection of his role in the Army) that automated firewall blocks. He credits his experience in battle-planning for his expertise in applying strategic thinking to work in cybersecurity, noting that communication is key in both scenarios. Tom advises that those looking into a new career shouldn't shy away from failure as failure is just another opportunity to learn. We thank Tom for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Deep Instinct's Shimon Oren joins us to talk about his team's research on "Why Emotet's latest wave is harder to catch than ever before - Part 2." Emotet appears to have reemerged more evasive than before, this time with a payload delivered from a loader that security tools aren’t equipped to handle. Emotet, the largest malware botnet today, started in 2014 and continues to be one of the most challenging threats in today’s landscape. This botnet causes huge damage by spreading ransomware and info stealers to its infected systems. Recently, a rise in the number of Emotet infections was observed in France, Japan, and New Zealand. The high number of infections shows the effectiveness of the Emotet malware at staying undetected. Shimon joins us to discuss how Deep Instinct investigated the payload that was encrypted inside the loader, analyzes the next steps in the infection process, and discovers the techniques used to make this malware difficult to analyze. The original blog post and updated post on the research can be found here: Emotet Analysis: Why Emotet’s Latest Wave is Harder to Catch than Ever Before Why Emotet's latest wave is harder to catch than ever before - Part 2 Learn more about your ad choices. Visit megaphone.fm/adchoices

Solorigate and its effect on sensitive corporate information. The DC riots show the cybersecurity consequences of brute physical access to systems. A North Korean APT resurfaces with the RokRat Trojan. Ransomware remains very lucrative, and why? Because people continue to pay up. Thomas Etheridge from CrowdStrike on The Role of Outside Counsel in the IR Process.Our guest is Larry Lunetta from Aruba HPE on how enterprises can bolster security in the era of hybrid work environments. And a criminal hacker gets twelve years in US Federal prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/8 Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA updates its guidance on Solorigate, and issues an alert that the threat actor may have used attack vectors other than the much-discussed SolarWinds backdoor. Some reports suggest that a widely used development tool produced by a Czech firm may have been compromised. The cyberespionage campaign is now known to have extended to the Department of Justice and the US Federal Courts. Robert M. Lee shares lessons learned from a recent power grid incident in Mumbai. Our guest is Yassir Abousselham from Splunk on how attackers find new ways to exploit emerging technologies. Cyber implications of the Capitol Hill riot. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/4 Learn more about your ad choices. Visit megaphone.fm/adchoices

The US Cyber Unified Coordination Group says the Solorigate APT is “likely Russian in origin.” Threat actors are scanning for systems potentially vulnerable to exploitation through a Zyxel backdoor. ElectroRAT targets crypto wallets. Babuk Locker is called the first new ransomware strain of 2021. The New York Stock Exchange re-reconsiders delisting three Chinese telcos. Joe Carrigan from Johns Hopkins joins us with the latest clever exploits from Ben Gurion University. Our guest is Jens Bothe from OTRS Group the importance of the US establishing standardized data privacy regulations. And Julain Assange is denied bail. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/3 Learn more about your ad choices. Visit megaphone.fm/adchoices

More assessments of the Solorigate affair, with an excursus on Pearl Harbor. Shareholders open a class action suit against SolarWinds, but no signs of an enforcement action for speculated insider trading. Emissary Panda seems to be working an APT side hustle. Kevin Magee has insights from the Microsoft Digital Defense Report. Our guest is Jason Passwaters from Intel 471 with a look at the growing range of ransomware as a service offerings. And to-ing and fro-ing on Chinese telecoms at the New York Stock Exchange. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/2 Learn more about your ad choices. Visit megaphone.fm/adchoices

Updates on the spreading consequences of Solorigate, including Microsoft’s disclosure that threat actors gained access to source code repositories. A hard-coded backdoor is found in Zyxel firewalls and VPNs. Kawasaki Heavy Industries says parties unknown accessed sensitive corporate information. Slack has been having troubles today. Andrea Little Limbago from Interos on democracies aligning against global techno-dictators. Our guest is Drew Daniels from Druva with a look at the true value of data. And a British court declines to extradite WikiLeaks’ Julian Assange to the United States. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/1 Learn more about your ad choices. Visit megaphone.fm/adchoices

Vice President of Global Systems Engineering Ellen Sundra shares her career path from life as a college grad who found her niche by creating a training program to a leader in cybersecurity. She realized that training and educating people was her passion. Ellen sees her value in providing soft skills as a natural balance to her technical team at Forescout Technologies. Being a woman in a male-dominated world proved to be a challenge and gaining her confidence to share her unique point of view helped her excel in it. Ellen recommends keeping your eyes open for how your skill set fits into cybersecurity. Find your perspective and really embrace it! We thank Ellen for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Cisco's Talos Unit recently published research exploring the tactics, technics and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious online ads, along with tips for protecting yourself and your organization. The research can be found here: https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html Learn more about your ad choices. Visit megaphone.fm/adchoices

This interview from November 6th, 2020 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with Andy Greenberg on the Sandworm Indictments. Learn more about your ad choices. Visit megaphone.fm/adchoices

Cyber threat intelligence analyst Selena Larson takes us on her career journey from being a journalist to making the switch to industrial security. As a child who wrote a book about a green goldfish who dealt with bullying, Selena always liked investigating and researching things. Specializing in cybersecurity journalism led to the realization of how closely aligned or similar skills are required from an investigative journalist and a cyber threat intelligence analyst. Our thanks to Selena for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings. The original research can be found here: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group Learn more about your ad choices. Visit megaphone.fm/adchoices

Dave shares a story of airport penetration testing with high degree of yuck-factor. Joe explores research on protecting passwords from social engineering. The catch-of-the-day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's Security Staff Writer Lily Hay Newman on her article tracking Nigerian email scammers. Have a Catch of the Day you'd like to share? Email it to us at [email protected] or hit us up on Twitter. Learn more about your ad choices. Visit megaphone.fm/adchoices

Dave has an update on Baltimore’s spyplane, Ben describes concerns over violations by the FBI, CIA, NSA of FISA court rules, and later in the show our conversation with Kim Zetter on her recent article in The Intercept, titled “How Cops Can Secretly Track Your Phone.” It’s all about stingrays and dirtboxes, so stick around for that. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. Links to stories: Elizabeth Goitein on Twitter In appeals court, Baltimore surveillance plane suit gets a mixed reaction Got a question you'd like us to answer on our show? You can send your audio file to [email protected] or simply leave us a message at (410) 618-3720. Hope to hear from you. Thanks to our sponsor, KnowBe4. Learn more about your ad choices. Visit megaphone.fm/adchoices

Cozy Bear lived up to its reputation for quiet patience. Counting the cost of the SVR cyberespionage campaign. What do intelligence services do with all the data they collect? An Iranian influence campaign sought to foment US post-election violence. Joe Carrigan looks at social engineering aimed at domain registrars. Our guest is John Worrall from ZeroNorth on the importance of security champions. And a last look ahead at 2021. Learn more about your ad choices. Visit megaphone.fm/adchoices

The US continues to count the cost of the SVR’s successful cyberespionage campaign. Attribution, and why it’s the TTPs and not the org chart that matters. Emotet makes an unhappy holiday return. It seems unlikely that NSA and US Cyber Command will be separated in the immediate future. Big Tech objects, in court, to NSO Group and its Pegasus spyware (or lawful intercept product, depending on whether you’re in the plaintiff’s or the respondent’s corner). Ben Yelin looks at hyper realistic masks designed to thwart facial recognition software. Our guest Neal Dennis from Cyware wonders if there really isn't a cybersecurity skills gap. And a quick look at some more predictions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/245 Learn more about your ad choices. Visit megaphone.fm/adchoices

Cozy Bear’s big sweep through US networks gets bigger, longer, more carefully prepared, and worse in every way. IBM uncovers a big, conventionally criminal “evil mobile emulator farm,” and that’s no good, either. Citizen Lab finds more to complain about with respect to alleged abuse of NSO Group’s Pegasus tools. Awais Rashid from Bristol University on taking a risk-based approach to security. Rick Howard speaks with Cyral CEO Manav Mital on infrastructure as code. And tech executives are worried about Pandas and Bears and Kittens, oh my. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/244 Learn more about your ad choices. Visit megaphone.fm/adchoices

CEO and co-founder of Dragos Robert Lee talks about how he came to cybersecurity through industrial control systems. Growing up with parents in the Air Force, Robert's father tried to steer him away from military service. Still Rob chose to attend the Air Force Academy where he had greater exposure to computers through ICS. Robert finds his interest lies in things that impact the physical world around us. In his work, Dragos focuses on identifying what people are doing bad and helping people understand how to defend against that. Rob describes the possibility of making a jump to control system security from another area recommending you bring something to the table. Rob talks about the world he would like to leave to his son and his hopes for the future. We thank Rob for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

On August 24, 2020, Snyk announced the discovery of suspicious behaviors in the iOS version of a popular advertising SDK known as Mintegral. At that time, they had confirmed with partners in the advertising attribution space that at minimum, Mintegral appeared to be using this functionality to gather large amounts of data and commit ad attribution fraud. Their research showed that Mintegral was using code obfuscation and method swizzling to modify the functionality of base iOS SDK methods without the application owner’s knowledge. Further, their research proved that Mintegral was logging all HTTP requests including its headers which could even contain authorization tokens or other sensitive data. Since that time Mintegral announced that they were opening the source of their SDK to the market. While the SDK can only be downloaded by registered partners, a major game publisher shared the source code with Snyk for further analysis. They also continued their research by digging deeper into the Android versions of the SDK in which they hadn’t found similar behaviors at the time of the initial disclosure. This has resulted in some significant discoveries that necessitate an update to the previous disclosure. Additionally, Mintegral and the community at large have responded to the situation, and Snyk felt a summary of the events was a good way to finalize their research into this SDK. Joining us on Research Saturday to discuss their research is Snyk's Alyssa Miller. The original blog and Snyk's update can be found here: SourMint: malicious code, ad fraud, and data leak in iOS SourMint: iOS remote code execution, Android findings, and community response Learn more about your ad choices. Visit megaphone.fm/adchoices

Cozy Bear’s software supply chain compromise and its massive cyberespionage effort against the US Government and the associated private sector, is still being untangled. But it’s very extensive, very bad, and very tough to remediate. Both CISA and NSA have advice about the incident, and we check in with Robert M. Lee from Dragos for his thoughts. John Pescatore from SANS advocates renewing our focus on information security. Iran may be running a ransomware campaign for influence purposes. The Joker’s Stash criminal souk appears to have taken a hit. And don’t let your guard down during the holidays. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/243 Learn more about your ad choices. Visit megaphone.fm/adchoices

The SolarWinds supply chain compromise may not have been an act of war, but it was certainly a very damaging espionage effort. The FBI, CISA, and ODNI are leading a whole-of-government response to the incident. Three companies have collaborated on a killswitch for the Sunburst backdoor’s initial command and control. HPE discloses a zero day in its SIM software. ODNI will delay its report on Chinese election influence ops. Thomas Etheridge from CrowdStrike on their Services Front Lines report. Our guest is Derek Manky from Fortinet with 2021 threat insights. And, of course, some predictions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/242 Learn more about your ad choices. Visit megaphone.fm/adchoices

SolarWinds breach reportedly affected parts of the Pentagon. Microsoft and partners seize and sinkhole command-and-control domain used by Sunburst malware. The threat actor behind the breach used a novel technique to bypass multi factor authentication at a think tank. Facebook takes down competing inauthentic networks focused on Africa. Joe Carrigan has insights on Amnesia 33. Our guest, Greg Edwards from CryptoStopper, shares his experience getting back online after a Derecho. And the execution of the FCC’s rip-and-replace plan will likely fall to the next US administration. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/241 Learn more about your ad choices. Visit megaphone.fm/adchoices

SolarWinds’ 8-K suggests the possible scope of the Sunburst incident. CISA leads the US Federal post-attack mopping up as more agencies are known to have been affected. How FireEye found the SolarWinds backdoor. GCHQ is looking for possible signs of Sunburst in the UK. Operation Earth Kitsune is attributed to North Korea. Google explains yesterday’s outage. Ben Yelin looks at retail privacy issues. Our guest is Jasson Casey from Beyond Identity on going passwordless. And if you have trouble getting things done while working from home, maybe blame it on the dogs. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/240 Learn more about your ad choices. Visit megaphone.fm/adchoices

FireEye traces its breach to a compromised SolarWinds update to its Orion Platform. CISA issues an Emergency Directive to get control of an attack that is known to have affected at least two Federal Departments. Rick Howard shares lessons from season three of CSO Perspectives. Betsy Carmelite from Booz Allen continues her analysis of their 2021 Cyber Threat Trends Report. And while reports attribute the supply chain attack to Russia’s SVR, Moscow says Cozy Bear didn’t do nuthin’. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/239 Learn more about your ad choices. Visit megaphone.fm/adchoices

For many years, public and private sector cybersecurity experts have warned of a large-scale, massively impactful cyber attack on critical infrastructure (CI). Whether you call it a cyber doomsday, a cyber extinction, or as former Defense Secretary Leon Panetta termed it, a “Cyber Pearl Harbor,” the message is clear: it's not a matter of if, it's a matter of when, and it's not just critical infrastructure that's vulnerable. More recently, experts have started to raise the alarm around not just CI, but other systems as well, notably position, navigation and timing (PNT) services. PNT includes things like GPS devices -- extensions of IT systems which are widely used by both private and public sector organizations, and particularly vulnerable to attack thanks to their open source origins and lack of native security controls. While there is no magic bullet to solve the cybersecurity challenge, there's growing consensus that an effective strategy is going to require large-scale cooperation and coordination between the public and private sectors. While the government is uniquely equipped to source and promulgate guidelines and standards like the Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series, private sector partners have the expertise to implement these standards across industries. The private sector is also a major driver of innovation in security, making use of sophisticated analytics, AI, and other tools to improve not only native security controls but also hygiene, threat detection, and response. In this episode of Cyberwire-X, guests will discuss the benefits of public/private partnership for cybersecurity, the roles of each, and how the threat of a "Cyber Pearl Harbor" informs the priorities of both. Joining us today are Keith Mularski from EY, Rob Lee from Dragos, and Egon Rinderer from Tanium. Learn more about your ad choices. Visit megaphone.fm/adchoices

Computational Social Scientist Andrea Little Limbago shares her journey as a social scientist in cybersecurity. Andrea laments that she wishes she'd known there is no straight line between what you think you want to do and then where you end up going. Beginning her career in international relations and courted by the Department of Defense's Joint Warfare Analysis Center while teaching at New York University, Andrea began her work in cybersecurity. Her team was one of the first to start thinking about the intersection of cybersecurity and geopolitics and quantitative modeling. Andrea reminds us there are many paths and skills needed in cybersecurity and hopes she opened some doors for others. We thank Andrea for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

From US Department of Justice: "On Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces. These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort. Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics. The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name." Returning to Research Saturday this week to discuss their research of NotPetya and Olympic Destroyer are Cisco Talos' Craig Williams and Matt Olney. The indictment and Cisco's research can be found here: Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace New Ransomware Variant "Nyetya" Compromises Systems Worldwide The MeDoc Connection Who Wasn’t Responsible for Olympic Destroyer? Olympic Destroyer Takes Aim At Winter Olympics Learn more about your ad choices. Visit megaphone.fm/adchoices

Tracking OceanLotus. US advisory warns of cyberthreats active against schools trying to deliver distance learning. Adrozek joins credential harvesting and adware. MountLocker’s criminal affiliate program. The FCC takes action against Chinese companies deemed security risks. Predictions, and holiday advice. Johannes Ullrich from the SANS technology institute wonders what’s in your clipboard? Our guest is Nina Jankowicz from Wilson Center on her new book - How to Lose the Information War - Russia, Fake News, and the Future of Conflict. And internship opportunities at CISA. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/238 Learn more about your ad choices. Visit megaphone.fm/adchoices

Facebook faces a US antitrust suit. Cyberespionage hits the European Medicines Agency, apparently looking for COVID-19 vaccine information. Emissary Panda is out and about. A simple ransomware campaign goes for success through volume. Stolen SQL databases are offered for sale back to their owners. React to the FireEye breach, but don’t over-react. We welcome Kevin McGee from Microsoft Canada to the show. Our guest is Liviu Arsene from Bitdefender with insights Business Threat Landscape report for 2020. Flash nears its end-of-life. Predictions for 2020, and another guilty plea in the Mirai case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/237 Learn more about your ad choices. Visit megaphone.fm/adchoices

Norway calls out the GRU for espionage against the Storting. The SVR (probably) hacks FireEye. Huawei tested recognition software designed to spot Uighurs. 2021 predictions from Avast hold that next year might be the year deepfakes come into their own. CISA issues a long list of industrial control system alerts. Joe Carrigan looks at the iOS zero-click radio proximity vulnerability. Our guest is Matt Drake, director of cyber intelligence at SAIC on what the recents elections can tell us about threat intelligence. And yesterday was Patch Tuesday--do you know where your vulnerabilities are? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/236 Learn more about your ad choices. Visit megaphone.fm/adchoices

AMNESIA:33 vulnerabilities infest the IoT supply chain. Lawful intercept spyware allegedly finds its way from Mexican police into the hands of drug cartels. Finland’s parliament approves exclusion of telecom equipment on security grounds. The US National Defense Authorization Act’s cyber provisions. Online fraud seems to have become a side hustle. Ben Yelin responds to Supreme Court arguments in a Computer Fraud and Abuse Act case. Our guest is Darren Mar-Elia from Semperis on group policy security. And Moscow police are looking for the crooks who hacked secure delivery lockers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/235 Learn more about your ad choices. Visit megaphone.fm/adchoices

NSA warns that Russian state-sponsored actors are actively exploiting patched VMware vulnerabilities in the wild. A CISA alert puts Iran on notice. DeathStalker hired guns are now active in North America. Darknet contraband markets are experiencing the sort of pressure and consolidation legitimate markets undergo. Rick Howard checks in with the hash table on CSO and CISO roles. My continued conversation with Betsy Carmelite from Booz Allen on their 2021 Cyber Threat Trends Report. And a weird shift in North Korean propaganda...is Pyongyang having a Hallmark moment? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/234 Learn more about your ad choices. Visit megaphone.fm/adchoices

Director of Cyber Security Insights at Verve Industrial aka self-proclaimed industrial cybersecurity geek Ron Brash shares his journey through the industrial cybersecurity space. From taking his parents 286s and 386s to task to working for the "OG of industrial cybersecurity," Ron has pushed limits. Starting off in technical testing, racing through university at 2x speed, and taking a detour through neuroscience with machine learning, Ron decided to return to critical infrastructure working with devices that keep the lights on and the water flowing. Ron hopes his work makes an impact and his life is memorable for those he cares about. We thank Ron for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

While SSL/TLS encryption is the industry standard for protecting data in transit from prying eyes, encryption has, itself, become a threat. It is often leveraged by attackers to sneak malware past security tools that do not fully inspect encrypted traffic. As the percentage of traffic that is encrypted continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels. To better understand the use of encryption and the volume of encrypted traffic that is inspected, Zscaler's research team, ThreatLabZ, analyzed encrypted traffic across the Zscaler cloud for the first nine months of 2020, assessing its use within specific industries. The study also set out to analyze the types of attacks that use encryption and the extent of the current risk. Returning to Research Saturday this week to discuss the report is Zscaler's CISO and VP of Security Research, Deepen Desai. The research can be found here: 2020: The State of Encrypted Attacks Blog 2020: The State of Encrypted Attacks Report Learn more about your ad choices. Visit megaphone.fm/adchoices

Predictions for 2021 focus on ransomware: it’ll be better, more aggressive, bigger, and a greater problem in every way. Cyberespionage and the cold chain. Cybercriminal interest in COVID-19 vaccines extends to both theft and fraud. Johannes Ullrich on the .well-known Directory. Our guest is Michael Magrath from OneSpan on what the financial sector needs to consider now that we’re post-election season. And what’s one effect of the pandemic? Dog fraud. Ask the Better Business Bureau. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/233 Learn more about your ad choices. Visit megaphone.fm/adchoices

Chinese intelligence services are prospecting think tanks and prospective members of the next US Administration. Spearphishing the vaccine cold chain. Expect vaccine-themed phishing. After a temporary, pre-US election suppression, TrickBot’s back. Holiday shopping season is bot-season. Consumers are thought likely to get upset about smart device privacy in 2021. Awais Rashid from Bristol University on privacy at scale. Our guest is JP Perez-Etchegoyen from Onapsis on the risk associated with interconnected cloud and SaaS apps. And suppose you’re a cybercriminal...we know, but suppose. What do you tell your sweetie you do for a living? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/232 Learn more about your ad choices. Visit megaphone.fm/adchoices

The Shadow Academy prospects universities in a domain shadowing campaign. Notes on Turla’s Crutch, an information-stealing backdoor. Bismuth was using crytpojacking as misdirection. CISA and the FBI warn think tanks that cyberspies are after them. North Korean cyberespionage is interested in COVID-19 treatments. Our guest is Carey O’Connor Kolaja from AU10TIX on combating fraud in the financial services and payment industry. David Dufour from Webroot has 2021 predictions. And a member of the Apophis Group gets eight years in prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/231 Learn more about your ad choices. Visit megaphone.fm/adchoices

Cryptojacking from Hanoi. Dormant networks rise again, for no easily discernible reason (but it doesn’t look good). A gang is hitting German victims with the Gootkit banking Trojan, and sometimes mixing it up with a REvil ransomware payload. Conti ransomware hits IoT chipmaker. SCOTUS reviews the Computer Fraud and Abuse Act. A few predictions for 2021. Ben Yelin on Congress passing an IoT security bill. Our guest is Stephen Harvey from BitSight, who’s tracking the correlation between companies with strong cybersecurity and financial success. And it may be back to school tomorrow in Baltimore County. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/230 Learn more about your ad choices. Visit megaphone.fm/adchoices

North Korean operators phish a major pharma company. The Bandook backdoor is back, and probably being distributed by mercenaries. A school district cancels classes after a ransomware attack. Man U continues to work on recovering its systems. Former CISA Director says there are no signs of foreign manipulation of US elections. Rick Howard wonders what exactly all those CISOs do. Betsy Carmelite from Booz Allen with insights from their 2021 Cyber Threat Trends Report. And Cyber shopping and the forever sales. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/229 Learn more about your ad choices. Visit megaphone.fm/adchoices

Cybersecurity attorney Camille Stewart shares how her childhood affinity for making contracts pointed to her eventual career as an attorney. Having a computer scientist father contributed to Camille's technical acumen and desire to include technology in her life's work. Camille has worked various facets of cybersecurity law from the private sector, federal government, on the Hill and in the Executive Branch, and now as part of Big Tech as Head of Security Policy and Election Integrity for Google Play and Android where she creates policy geared towards making sure users are safe on their platform and equipped to make informed decisions.. We thank Camille for sharing her story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them. This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events. Joining us on this week's Research Saturday from Craig Williams from Cisco's Talos Outreach team to walk us through how current events are used as lures. The research and blog post can be found here: Adversarial use of current events as lures Learn more about your ad choices. Visit megaphone.fm/adchoices

Observers see a shift in Russia’s influence tactics, but prank calls are (probably) not among those tactics. An event site suffers a data breach, and warns customers to be alert for spoofing. COVID-19 contact tracing continues to arouse privacy concerns. Joe Carrigan has tips for safe online shopping during the holidays. Our guest is Dmitry Volkov from Group-IB with insights from their latest Hi-Tech Crime Trends report. Ransomware hits another US school district, and social media are being used to intimidate cooperating witnesses. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/228 Learn more about your ad choices. Visit megaphone.fm/adchoices

Mustang Panda goes to church, but not in a good way. Hoods are trying to spoof the FBI with Bureau-themed domains. Dodgy routers and suspect smart doorbells. A quick look at the incoming US Administration, from a cybersecurity point of view. Someone’s allegedly swapping iPads for concealed carry permits--say it ain’t so, Santa Clara County. DHS investigates Windows help desk scammers. Ben Yelin on a Massachusetts ballot initiative involving connected cars. Our guest is Larry Roshfeld from AffirmLogic on the pros and cons of a Treasury Dept advisory that could put companies who facilitate ransomware payments in legal jeopardy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/227 Learn more about your ad choices. Visit megaphone.fm/adchoices

Qbot is dropping Egregor ransomware, and RagnarLocker continues its recent rampage. Cryptocurrency platforms troubled by social engineering at a third party. TrickBot reaches version 100. Stuffed credentials exposed in the cloud. COVID-19 practices may endure beyond the pandemic. Advice for safer online shopping over the course of the week. Malek Ben Salem from Accenture Labs has methods for preserving privacy when using machine learning. Rick Howard digs deeper into SOAR. And someone’s hacking a Premier League side. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/226 Learn more about your ad choices. Visit megaphone.fm/adchoices