CyberWire Daily

Buhtrap moves from financial crime to cyber espionage. There may have been as many as three distinct US cyber operations against Iran late last month. The US legislative and executive branches continue to try to sort out Constitutional issues surrounding cyber conflict. The US Intelligence Community tell Congress that there are “active threats” to upcoming elections. One city’s cyber woes will be expressed in water bills. And WannaCry may ride again, if you don’t patch. Mike Benjamin from CenturyLink on DNS scanning they’re tracking. Guest is Martha Saunders, President of the University of West Florida, on how her institution is adapting to meet the workforce needs for cyber security professionals. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_12.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

GDPR fines and their implications. A reminder about Magecart, and some notes on its recent interest in scanning for unprotected AWS S-3 buckets. Agent Smith (of Guangzhou, not the Matrix) is infesting Android stores with evil twins of legitimate apps. FinSpy is out and about in the wild again. “Daniel Drunz” is the catphish face of a gang that stung a US Government contractor for millions in goods. Justin Harvey from Accenture on the recent GDPR fines. Carole Theriault speaks with Michael Covington from Wandera on the risks facing financial services firms. Learn more about your ad choices. Visit megaphone.fm/adchoices

Zoom agrees to change what it still sort of regards as a feature and not a bug. Industrial control system vulnerabilities are reported and patched. Microsoft issues seventy-seven fixes on Patch Tuesday. Adobe has a relatively light month for patches. Marriott is hit with a large fine from the UK’s Information Commissioner’s Office. An investigative report traces disinformation about a 2016 Washington murder to Russia’s SVR foreign intelligence service. Craig Williams from Cisco Talos with info on the Spelevo exploit kit. Tamika Smith speaks with Myke Lyons, CISO for Collibra, on new industry regulations based on GDPR. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_10.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Zoom user security appears to have been sacrificed on the altar of user experience. The fileless Astaroth Trojan is again in circulation, mostly, for now, in Brazil. Torrents are distributing the GoBot2 backdoor. The UK’s Information Commissioner’s Office clobbers British Airways with a record fine under GDPR, probably to encourage all the rest of us. Croatian government offices are spearphished. Iran says it’s now got an attack-proof comms system. And NSA’s IG reports. Joe Carrigan from JHU ISI on security issues with D-Link routers. Guest is Martin Mckeay from Akamai on their most recent State of the Internet report. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_09.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Another ransomware victim pays up. Privilege escalation comes to ransomware. Vendor impersonation scams hit cities, and government impersonation scams hit citizens: be wary of both. Former NSA contractor Hal Martin will be sentenced later this month, with suspected connections with the ShadowBrokers still unresolved. An exploit supply chain is described. The Silence gang is suspected in Bangladeshi bank heists. And a bad message can brick a phone. Ben Yelin from UMD CHHS on privacy concerns with a shared bar patron database. Guest is Derek E. Weeks from Sonotype on supply chain security. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_08.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

US Cyber Command warns that an Outlook vulnerability is being actively exploited in the wild. Other sources see a connection with Iran. GPS signals are being jammed near Tel Aviv, and Russian electronic activity in Syria is suspected as the cause. A look at the consequences of satellite cyber vulnerabilities. The TA505 gang changes some of its tactics. Yesterday’s brief Internet outages are traced to a Cloudflare glitch. Facebook and YouTube continue to grapple with content moderation. Mike Benjamin from CenturyLink on Emotet’s C2 behavior. Guest is Avital Grushcovski from Source Defense on the risk posed by third party web site tools. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_03.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Tensions between the US and Iran are likely to find further expression in cyberspace. OceanLotus’s Ratsnif kit isn’t up to the threat actors normally high standards of coding, but it’s plenty good enough. Cyberattacks in the states of Florida and Georgia. Utilities are urged to go lower tech where possible. Magecart skimmer “Inter” is being hawked on the dark web. And no, they haven’t videoed you using EternalBlue: just dump that email. Johannes Ullrich from the SANS Technology Institute and the ISC Stormcast podcast on Weblogic exploits. Guest is Nick Jovanovic from Thales on cloud security in the federal space. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_02.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Huawei gets to buy some products from US companies, again. CISA reiterates warnings about the risk of cyberattack from Iran. Considerations about power grid security. Cryptocurrencies draw criminals, and some of the scammers are looking ahead. Australia and New Zealand will conduct a simulation to study ways of removing “abhorrent content” from the Web. The Senate likes Hack the Pentagon. And tech enthusiasm or voyeurism? You decide. Justin Harvey from Accenture on ways attackers are bypassing 2-factor authentication on mobile devices. Guest is Gretel Egan from Proofpoint on the shift toward human-centric security. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_01.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Synopsys recently published the 2019 edition of their Open Source Security and Risk Analysis (OSSRA) Report, providing an in-depth look at the state of open source security, compliance, and code quality risk in commercial software. Tim Mackey is principal security strategist within the Synopsys Cyber Research Center, and he joins us to share their findings. The research can be found here: https://www.synopsys.com/software-integrity/resources/analyst-reports/2019-open-source-security-risk-analysis.html Learn more about your ad choices. Visit megaphone.fm/adchoices

Yandex says it was hacked with Regin spyware. The Golang cryptominer is spreading, again. And the ShadowGate ransomware crew is newly active with a dangerous drive-by. Three data exposures are reported. London’s Metropolitan Police are in trouble with the Information Commissioner’s Office. A look as tracker behavior. The Verified Badge as a phishing lure. And congratulations to a Loeb Award winner. Micahel Sechrist from BAH on Deep Fakes and data integrity. Deloitte’s new head of cyber Deborah Golden shares her leadership philosophy. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_28.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

The US cyberattack against Iranian targets remains only indistinctly visible in the information fog of cyberwar. Iran’s APT33 seems to have altered its tactics after its operations against Saudi targets were described by Symantec at the end of March. An insurer and provider of vision and dental benefits investigates a “data incident.” Skids-on-skids, kids. Facebook talks information operations, and teases plans concerning identity. Notes on the labor market. Johannes Ullrich from the SANS Technology Institute and the ISC Stormcast podcast on malware C&C channels making use of TLS. Tamika Smith speaks with Harrison Van Riper from Digital Shadows about their recent report, “Too Much Information: The Sequel,” outlining the increase in data exposure over the past year. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_27.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Sources name a Shi’ite militia aligned with Iran as one target of last week’s US cyberattacks. Myanmar shuts down mobile networks in its Rakhine province, where the Buddhist insurgents of the Arakan Army have been using Facebook for coordination and inspiration. A major spam campaign is distributing LokiBot and NanoCore. Finite State finds bugs in Huawei gear. Election security notes. And paying the ransom to ransomware extortionists. David Dufour from Webroot on the different trends they are tracking in Europe vs. the US. Guest is David Politis from BetterCloud with a warning about information sprawl. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_26.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Operation Soft Cell was low, slow, patient, and focused, and apparently run from China. Washington and Tehran are woofing at each other, with more exchanges in cyberspace expected. Cyber due diligence is taken increasingly seriously during mergers and acquisitions. Short-sighted design choices affect app security. The US security clearance process gets an overhaul. Shimmers replace skimmers. And yesterday’s US Internet outage explained. Sergio Caltagirone from Dragos on the growing tensions between the US, Russia and Iran and how providers of critical infrastructure can prepare. Tamika Smith interviews Danielle Gaines, a reporter for Maryland Matters, on MD Gov. Hogan’s response to the Baltimore ransomware incident, the creation of the Maryland Cyber Defense Initiative. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_25.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

The US is said to have conducted cyberattacks against Iranian targets related to recent Iranian moves in the Gulf. They cyber operations are also said to have been a covert alternative to conventional military strikes. The Atlantic Council describes “Secondary Infektion,” a Russian disinformation campaign that begins obscurely, then depends upon amplification. And a case of cyber stalking in Minnesota goes to court. Joe Carrigan from JHU ISI on the escalating calls to patch the BlueKeep vulnerability. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_24.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Cloudflare have been examining HTTPS interception, a technique that weakens security, and have developed tools to help detect it. Nick Sullivan is head of cryptography at Cloudflare, and he joins to us share their findings. The research can be found here: https://blog.cloudflare.com/monsters-in-the-middleboxes/ Learn more about your ad choices. Visit megaphone.fm/adchoices

Tensions between the US and Iran over tanker attacks, nuclear ambitions, and the downing of a Global Hawk drone seem to be finding expression in cyberspace: Refined Kitten sees to be pawing for some American phish. Facebook tries friction as an alternative to content moderation in damping its abuse in fomenting South Asian violence. Cryptomining campaigns are showing some renewed vigor. And a look at lead generation for Nigerian prince scams. Mike Benjamin from CenturyLink on RDP scanning and the GoldBrute campaign. Guest is Michael Coates, former CISO for Twitter and former head of security for Mozilla, from Altitude Networks on better addressing the needs of CISOs and improving the sales process. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_21.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Call it Waterbug or call it Turla, the Russian cyber operation has been hijacking Iran’s OilRIg cyber espionage infrastructure. Other cyber campaigns also afflict Middle Eastern targets. A US panel convened by CISA has some recommendations for supply chain security. An ad agency inadvertently exposes sensitive personal data. A bankruptcy filing in the AMCA breach. And Riviera Beach, Florida, decides to pay $600,000 in ransom to decrypt its files. Johannes Ullrich from SANS and the ISC Stormcast podcast on DNS security issues. Carole Theriault returns with an interview with ethical hacker Zoe Rose, who shares her advice for woman working in cyber security. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_20.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

More advice to patch BlueKeep, already. Facebook announces its planned launch of a cryptocurrency, Libra, to the accompaniment of considerable acclaim and at least as much skepticism. Updates on alleged power grid cyber operations. Catphishing and the adaptation of traditional espionage craft in the digital age. And cheap sunglasses turn up as phishbait in compromised social media accounts. Justin Harvey from Accenture with thoughts on tabletop exercises. Guest is Tom Hickman from Edgewise Networks on access control and zero trust. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_19.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Investigation into Argentina’s power failure continues, with preliminary indications suggesting “operational and design errors were responsible for the outage. Russia reacts to reports that the US staged malware in its power grid. Iran says it stopped US cyberespionage. ISIS worries about its vulnerability to BlueKeep. A breach at EatStreet illustrates some of the features of third-party risk. Ben Yelin from UMD CHHS on a Virginia license plate reader ban. Guest is Jack Danahy from Alert Logic on the troubling issue of adversary dwell time and the IT vigilance gap. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_18.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

The New York Times reports that the US has staged malware in Russia’s power grid, presumably as deterrence against Russian cyberattacks against the US. South America has largely recovered from a large-scale power outage that seems, so far, to have been accidental. An EU report claims that Russian information operations against the EU are increasing. Twitter takes down more inauthentic sites. The Target outage over the weekend seems to have been caused by glitches, not hacking. Joe Carrigan from JHU ISI on the GDPR fine of a Spanish soccer league for a spying app. Tamika Smith speaks with Britt Paris from the Data & Society Research Institute on the weaponization of AI. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_17.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Zscaler have been tracking look-alike apps in third-party Android app stores that carry malicious code. Deepen Desai is VP of security research and operations and Zscaler, and he joins us to share their findings. The original research can be found here: https://www.zscaler.com/blogs/research/third-party-android-store-sms-trojan Learn more about your ad choices. Visit megaphone.fm/adchoices

Xenotime is detected snooping around the North American power grid. Hacking groups exploit the Return of the Wizard vulnerability in Exim servers. Hearings on the extradition of WikiLeaks’ Julian Assange have begun. Online gamers are being chased with credential stuffing attacks: they’re after your skins, your accounts, your credit cards. And some LinkedIn catphish seem to be going to AI charm school. Justin Harvey from Accenture with advice for job-hunting grads. Guest is Dr. Matthew Dunlop, Vice President and Chief Information Security Officer for Under Armour, on the challenges of protecting one of the world’s most well-known brands. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_14.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Telegram recovers from a distributed denial-of-service attack. No attribution yet, but all the circumstantial evidence points to the Chinese security services. Operation Fishwrap, conducted by parties unknown, is an influence campaign that substitutes olds for news. Aircraft component manufacturer ASCO’s production is hit by ransomware. Hacking back is back, in Congress. Why don’t people patch? And a tip on fact-checking. Ben Yelin from UMD CHHS on NYPD cellphone surveillance. Guest is Dave Aitel from Cyxtera on offense oriented security and the INFILTRATE conference. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_13.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

TA505 and Fin8 are both up to their old ways, with some new tricks in their criminal bag. A reminder about social engineering and Google Calendar. A new assertiveness is promised in US cyber operations, as the Administration “widens the aperture.” Updates on the security concerns that surround Huawei and ZTE. And Radiohead takes a different approach to online extortion--just render what they’re holding for ransom valueless. Craig Williams from Cisco Talos on the Jasper Loader. Guest is Lisa Sotto from Hunton Andrews Kurth LLP on the report Seeking Solutions: Aligning Data breach Notification rules across borders. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_12.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Russia says shrapnel from America’s war on that nice company Huawei is “destroying the world.” Russia also tells Tinder to fork over user pictures and messages. A Recorded Future study outlines the case for regarding Huawei as a security risk. US Customs and Border Protection discloses a breach of images collected at a border-crossing point. Crooks are taking advantage of Gmail features. Notes on recent mergers. And the top ten bugs bug hunters are finding. Johannes Ullrich from SANS and the ISC Stormcast podcast on the GoldBrute botnet. Guest is Tim Woods from FireMon reflecting on the past year under GDPR. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_11.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

MuddyWater shows renewed activity--no zero-days and no exotic malware, just clever approaches and determined social engineering. Spam is serving up payloads that exploit an old Microsoft Office vulnerability. Russian-sponsored disinformation has been romping freely through YouTube. Some back-and-forth over Huawei: Washington isn’t relenting, but some relief for US companies may be forthcoming. And Beijing rumbles about retaliation. United Technologies has agreed to acquire Raytheon. Joe Carrigan from JHU ISI on Apple’s newly announced secure sign-in service and it’s focus on privacy. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_10.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at AT&T Alien Labs have been tracking a new malware family they've named "Xwo" that's scanning systems for default credentials and vulnerable web services. Tom Hegel is security researcher with AT&T Alien Labs, and he share their findings. The original research is here: https://www.alienvault.com/blogs/labs-research/xwo-a-python-based-bot-scanner Learn more about your ad choices. Visit megaphone.fm/adchoices

The Australian National University hack and data loss look to many observers like the work of Chinese intelligence services. The GoldBrute botnet is scanning vulnerable RDP servers. MuddyWater is back, undeterred by leaks and learning from the best. The RIG exploit kit is delivering Buran ransomware. Achilles says he’s got the goods. The Nuclear Regulatory Commission IG looks at cyber inspections. And Big Tech prepares for big antitrust. Robert M. Lee from Dragos on natural gas infrastructure security. Guest is Frank Downs from ISACA on the challenges educators face preparing the cyber security workforce. Learn more about your ad choices. Visit megaphone.fm/adchoices

BlueKeep proof-of-concept exploits have been developed, and people are urged to patch. An annoying, disruptive advertising plug-in comes bundled with a couple of hundred Android apps in the Play Store. The EU’s Moscow embassy seems to have been the focus of Russian cyber espionage since 2017. Influence operations feature a small core of sites surrounded by many amplifying accounts. A possible motive for GPS spoofing. Johannes Ullrich from SANS and the ISC Stormcast podcast on Google throwing their weight behind MTA-STS, a protocol to make e-mail more secure. Guest is Josh Stella from Fugue on security and compliance in cloud infrastructure. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_06.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Another medical testing firm is hit by the third-party breach at AMCA. More officials say there’s no EternalBlue involved in Baltimore’s ransomware attack. (And that attack may have involved some doxing, too--investigation is underway.) Real hacking isn’t like the movies. It’s alive: Frankenstein malware, that is. Huawei offers a no-spy agreement. The draft US Data Strategy is out. Really, you should patch for BlueKeep. A university’s donor list exposed online. Ben Yelin from UMD CHHS on secret tracking pixels in emails to the Navy Times in a controversial legal case. Tamika Smith speaks with Ariana Mirian from UC San Diego on research on the Hacker for Hire market. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_05.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Jason, an Iranian brute-forcing tool, has been leaked. A third-party breach affects customer and patient data held by Quest Diagnostics. Eurofins Scientific is recovering from a ransomware attack. A look at Baltimore City’s ransomware infestation shows no signs of EternalBlue, security firm Armor says. Instead, it looks like “vanilla ransomware.” And the prospect of antitrust investigations drives down Big Tech stock prices, tipping the Nasdaq into a correction. Emily Wilson from Terbium Labs on dark web fraud guide pricing. Guest is Jordan Blake from BehavioSec on digital transformations. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_04.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Google’s cloud services recover from network congestion. GandCrab’s proprietors say they’re retiring rich at the end of the month. BlackSquid delivers the XMRig Monero miner. Updates on the Baltimore ransomware incident. Too many machines not yet patched against BlueKeep. CEO sentenced for providing criminals crypto. The US Justice Department is said to be preparing an antitrust investigation of Google. And “The Persistence of Chaos” has been sold for $1.3 million. Joe Carrigan from JHU ISI on Google restricting ad-blocking in upcoming versions of Chrome. Tamika Smith speaks with Washington Post writer Geoffrey Fowler on his recent article “It’s the middle of the night. Do you know who your iPhone is talking to?” For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/June/CyberWire_2019_06_03.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Adrian Bednarek is a senior research analyst at Independent Security Evaluators. He and his colleagues looked at weak private cryptocurrency keys on the Ethereum blockchain in an attempt to discover how and why they are being generated as well as how bad actors are taking advantage of them. The original research is here: https://www.securityevaluators.com/casestudies/ethercombing/ Learn more about your ad choices. Visit megaphone.fm/adchoices

Malicious misdirection served up from unpatched WordPress sites. A big, big set of dating site records has been found exposed online--it’s in China, but the records seem to belong to anglophones. Many other files are exposed elsewhere, too, so it’s not a single problem. Turla’s back, and still after diplomats. The International Red Cross proposes rules for cyber conflict. And Baltimore City calculates the cost of not patching. It’s a lot higher than the cost of patching. Craig Williams from Cisco Talos with his take on a critical Microsoft vulnerability, CVE-2019-0708. Guest is Matt Aldridge from Webroot on the San Francisco facial recognition ban. Justin Harvey from Accenture on the dramatic increase in targeted ransomware. Guest is NSA’s Diane M. Janosek, celebrating the 20th year of their Centers of Academic Excellence in Cybersecurity program. Learn more about your ad choices. Visit megaphone.fm/adchoices

Malicious misdirection served up from unpatched WordPress sites. A big, big set of dating site records has been found exposed online--it’s in China, but the records seem to belong to anglophones. Many other files are exposed elsewhere, too, so it’s not a single problem. Turla’s back, and still after diplomats. The International Red Cross proposes rules for cyber conflict. And Baltimore City calculates the cost of not patching. It’s a lot higher than the cost of patching. Craig Williams from Cisco Talos with his take on a critical Microsoft vulnerability, CVE-2019-0708. Guest is Matt Aldridge from Webroot on the San Francisco facial recognition ban. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_30.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Special Counsel Mueller makes his first public statement about the results of his investigation into influence operations surrounding the 2016 US Presidential campaign. He says his first statement will also be his last. FireEye identifies Iranian coordinated inauthenticity in US 2018 midterm elections, and Twitter and Facebook take down the offending accounts. Notes on the BlueKeep exploit. More Pegasus infestations. Reality Winner revisited. Updates on Baltimore ransomware. Ben Yelin from UMD CHHS reacts to allegations that NSA may have some culpability in the Baltimore ransomware incident. Guests are Julie Bernard from Deloitte and John Carlson from the FS-ISAC on the recent report, “Pursuing cybersecurity maturity at financial institutions.” For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_29.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

First American Financial suffers a data exposure, with hundreds of millions of mortgage-related documents left open to the Internet. Someone is scanning Tor for signs of BlueKeep RDP vulnerabilities. China complains about US complaints against Huawei as some major German firms rethink their dealings with Shenzhen. And no, NSA did not hold Baltimore for ransom, but Baltimore wants Washington to pick up its remediation and recovery tab. Malek Ben Salem from Accenture Labs on NIST transitioning some crypto algorithms. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_28.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Chronicle researchers Juan Andres Guerrero Saade and Silas Cutler recently published research tracking the development of the Stuxnet family of malware, which ultimately led them to the GOSSIPGIRL Supra Group of threat actors. Juan Andres Guerrero Saade joins us to share their findings. The research can be found here: https://medium.com/chronicle-blog/who-is-gossipgirl-3b4170f846c0 Learn more about your ad choices. Visit megaphone.fm/adchoices

Stone Panda is distributing the Quasar RAT. A new strain of Mirai is out. Bitcoin prices are up, and so is the incidence of malicious cryptocurrency apps in Google Play. The US charges Wikileaks’ Julain Assagne with seventeen new counts under the Espionage Act. UK political parties are said to have poor security. Huawei’s charm offensive. Russia points with sad alarm to NATO cyber deterrence policy. Bogus law firm emails prove effective phishbait. Joe Carrigan from JHU ISI on recent research from Google on the effectiveness of basic security hygiene. Guest is Nate Lesser from Cypient Black on “entangled enterprise risk.” For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_24.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

The UK and NATO send Moscow a pointed message about the consequences of meddling with either infrastructure or elections. More companies, including ARM, decide they won’t be working with Huawei. Other Chinese companies seem headed for US blacklisting. Moody’s cuts Equifax’s rating over its 2017 breach. Notes from last week’s Cyber Investing Summit. And we may not know much about art, but we know what we like. Justin Harvey from Accenture on the ongoing threat of USB devices. Tamika Smith speaks with Sydney Freedberg Jr. from Breaking Defense about his article, “Can NSA Stop China Copying Its Cyber Weapons?” For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_23.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Fancy Bear’s latest campaign is using malware reported to Virus Total by US Cyber Command. IBM’s X-Force looks at cybersecurity for travelers, and shares a bunch of horror stories. Security Scorecard looks at the online security of political parties in the US and Europe: some are better than others, but all could use some help. Updates on Huawei and other Chinese companies facing US sanctions. And if you’re listening to this in the US, you may believe you know more than you in fact do. Johannes Ullrich from SANS and the ISC Stormcast podcast on website vulnerabilities due to third party tools. Guest is Inga Goddijn from Risk Based Security on their Q1 Data Breach Report and cyber insurance issues. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_22.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

BlackWater is snooping around the Middle East. It’s evasive, and it looks a lot like the more familiar MuddyWater threat actor. TeamViewer turns out to have been hacked, and the perpetrators look like the proprietors of the Winnti backdoor. An Android app is behaving badly. Another unsecured database is found hanging out on the Internet. There’s a free decryptor out for a strain of ransomware, but also it won’t help Baltimore. And the market’s look at the Huawei ban. Craig Williams from Cisco Talos discussing honeypots on Elasticsearch. Guest is Dave Venable from Masergy on cyber vulnerabilities at the infrastructure level. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_21.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Huawei is on the US Entity List, and US exporters have been quick to notice and cut the Shenzhen company off. Security concerns are now expected to shift to the undersea cable market. Hacktivism seems to have gone into eclipse. The EU enacts a sanctions regime to deter election hacking. Facebook shutters inauthentic accounts targeting African politics. Salesforce is restoring service after an unhappy upgrade. OGuser forum hacked. And don’t worry about a hacker draft. Jonathan Katz from UMD on encryption for better security at border crossings. Tamika Smith reports on the Baltimore City government ransomware situation. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_20.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Symantec have been tracking an espionage group known as Elfin (aka APT 33) that has targeted dozens of organizations over the past three years, primarily focusing on Saudi Arabia and the United States. Alan Neville is a principal threat intelligence analyst at Symantec, and he joins us to share their findings. The research can be found here: https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage Learn more about your ad choices. Visit megaphone.fm/adchoices

A Slack vulnerability is disclosed and fixed. And this is not as seen on TV: a real NCIS investigation is likely to occupy real JAGs for some time to come, with implications for military and civilian cyber law. The US is moving rapidly on Huawei and its associated companies: it’s now much harder for US companies to do business with them, and there’s likely to be fallout in other countries as well. An exposed database affords an instructive case of responsible disclosure. Joe Carrigan from JHU ISI on USB device encryption and best practices. Guest is Mike Kijewski from MedCrypt on security for new and legacy medical devices. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_17.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

President Trump declares a state of emergency over the threat from foreign adversaries and the companies they control. (And yes, Huawei, he’s looking at you.) Dutch intelligence is said to be investigating the possibility of backdoors in telecommunications networks. Concerns about spyware proliferation rise. Cipher stunting is observed in the wild. Titan security keys are spoofable. Meaconing airliners. And misconfigurations expose PII in Russia. Emily Wilson from Terbium Labs on the surprisingly open nature of online sales of elicit goods and services. Guest is Kris Beevers from NS1 on DNS security and management technology. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_16.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Chinese domestic and foreign intelligence services are cooperating more closely in cyberspace. Another set of speculative execution issues is found in Intel chips. This month’s Patch Tuesday was a big one. CrowdStrike files for its long-anticipated IPO. WhatsApp, spyware, and zero-days. Apple may be required to open its devices to apps from third-party stores. The Cyber Solarium is ready to get started, and Russia offers a helpful hand. Baltimore continues to suffer from ransomware. Malek Ben Salem from Accenture Labs with an overview of the Accenture Technology Vision report. Guest is Tom Pedersen from OneLogin on password use trends. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_15.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Russian operators breached two Florida counties’ voting systems, but without altering vote counts. Symantec, McAfee and Trend Micro are thought to be the security vendors hit by Fxmsp cybercrminals. WhatApp patches a flaw exploited to install spyware. The Equifax breach seems to have cost the company $1.4 billion. Companies are increasingly aware of data’s potential toxicity. Cisco patches two flaws. And Endless Mayfly peddled fake news on behalf of Iran. Daniel Prince from Lancaster University on asymmetric information and attacker/defender dynamics. Tamika Smith debuts on our show with her story on Hackground, a STEM and robotics club. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_14.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Fxmsp criminals are now said to have code from a fourth security company, but none of the claimed victims have been publicly identified. A SharePoint vulnerability is being exploited against unpatched servers in the wild. The G7 are preparing a major exercise to evaluate the financial system’s ability to withstand a major cyberattack. No one is saying what the Anthem hackers were after. Amnesty takes NSO Group to court. And the Pentagon takes a security look at VCs. Jonathan Katz from UMD on differential privacy, a technique for providing privacy for individuals taking part in studies. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2019/May/CyberWire_2019_05_13.html Support our show Learn more about your ad choices. Visit megaphone.fm/adchoices

Researchers at Blackberry Cylance have been tracking payload obfuscation techniques employed by OceanLotus (APT32), specifically steganography used to hide code within seemingly benign image files. Tom Bonner is director of threat research at Blackberry Cylance, and he joins us to share their findings. The original research can be found here: https://www.cylance.com/en-us/lp/threat-research-and-intelligence/oceanlotus-steganography-malware-analysis-white-paper-2019.html Learn more about your ad choices. Visit megaphone.fm/adchoices