POPULARITY
7 episodes with apt28
4 episodes with apt28
6 episodes with apt28
2 episodes with apt28
5 episodes with apt28
2 episodes with apt28
2 episodes with apt28
3 episodes with apt28
4 episodes with apt28
V nové epizodě CCTV NEWS se podíváme na mezinárodní operaci FBI a českého Vojenského zpravodajství proti infrastruktuře ruské skupiny APT28 napojené na GRU, která zneužívala kompromitované routery po celém světě. Rozebereme také rozhodnutí společnosti Meta ukončit end-to-end šifrování chatů na Instagramu, novou malware kampaň zneužívající Google reklamy a sdílené chaty na Claude.ai k útokům na uživatele macOS, znepokojivý průzkum o prodeji firemních hesel zaměstnanci a novou Linux kernel zranitelnost Dirty Frag, která umožňuje získání root oprávnění napříč hlavními distribucemi Linuxu.
Parce que… c'est l'épisode 0x2F3! Shameless plug 9 au 17 mai 2026 - NorthSec 2026 3 au 5 juin 2026 - SSTIC 2026 24 et 25 juin 2026 - Troopers 26 et 27 juin 2026 - leHACK 19 septembre 2026 - Bsides Montréal 1 au 3 décembre 2026 - Forum INCYBER - Canada 2026 24 et 25 février 2027 - SéQCure 2027 Description Présentation des invités Dans cet épisode technique de Polysécure, l'animateur reçoit deux analystes de l'équipe TDR (Threat Detection and Research) de Sekoya. Charles Meslay se spécialise en reverse engineering et en analyse de malware, tandis que Félix Aimé se concentre sur l'étude de campagnes liées à des États — cyberespionnage, sabotage — et joue un rôle central dans le développement d'outils internes pour mener les investigations. L'épisode prend appui sur un billet de blog récemment publié par l'équipe portant sur une campagne d'APT28, groupe étatique lié à la Russie, pour élargir la discussion à l'ensemble du tooling utilisé en CTI. Du reverse engineering manuel à l'automatisation Le point de départ concret est l'analyse d'un malware écrit en .NET, attribué à APT28 et découvert début 2025. Initialement, le travail reposait sur des outils classiques comme dnSpy : une interface graphique permettant de décompiler le code, de renommer les fonctions et de comprendre progressivement leur logique. Ce processus, bien que relativement accessible, est extrêmement chronophage — de une à trois semaines par binaire et par analyste. Avec l'émergence des LLM, Charles a d'abord commencé à copier-coller manuellement des portions de code dans ChatGPT pour accélérer l'analyse. Cette pratique l'a conduit à une idée d'automatisation : la création d'un serveur MCP (Model Context Protocol), un protocole permettant à un LLM d'interagir avec des outils externes via une interface de type API. Ce serveur, mis en open source, est en réalité une brique d'un outil plus large développé en interne : Sara. sarA : un orchestrateur d'analyse automatisée Sara est présentée comme le cœur de l'écosystème d'analyse de Sekoya. Son fonctionnement est le suivant : on lui soumet un fichier, le LLM identifie le type de fichier et sélectionne les outils adaptés — qu'il s'agisse de Ghidra, d'IDA Pro ou d'outils maison en ligne de commande — pour procéder à l'analyse. À l'issue du processus, Sara génère un rapport structuré comprenant la description du comportement du binaire, les différentes couches d'obfuscation détectées, des scripts de désobfuscation si nécessaire, et une liste explicite des angles morts de l'analyse, notamment en cas de limitations liées aux tokens ou au nombre de passes effectuées. Le gain est spectaculaire : le temps d'analyse est passé de plusieurs semaines à quelques minutes. Au-delà du gain de vitesse, Sara a également élargi le cercle des analystes capables de contribuer au reverse engineering, y compris ceux qui n'avaient pas de formation approfondie dans ce domaine. Les analystes spécialisés, comme Charles, continuent quant à eux à intervenir sur les cas complexes que l'outil ne résout pas seul. Un écosystème d'outils progressivement construit Félix retrace l'histoire du tooling interne, développé de façon itérative au fil des années. Au départ, l'équipe disposait d'un simple serveur de cache connecté à des API tierces comme VirusTotal, permettant de limiter la consommation de quotas. Ce serveur a ensuite été refondu pour gérer de manière transparente les clés d'API, simplifiant ainsi la vie des développeurs internes. L'équipe a ensuite créé un ensemble d'API maison pour automatiser des tâches courantes : requêtes DNS, récupération de plages d'IP sur des AS, etc. Ces briques ont permis de construire 150 transformes pour Maltego, un logiciel d'analyse permettant d'appliquer des micro-opérations sur des entités (adresses IP, noms de domaine, etc.) afin d'enrichir les investigations. Aujourd'hui, l'équipe envisage de migrer vers Flosint, une solution open source française au fonctionnement similaire. Pour le suivi dans le temps des infrastructures malveillantes, deux outils ont été développés. Tracker interroge des services comme Shodan, Censys ou VirusTotal avec des règles précises pour surveiller en quasi-temps réel des infrastructures ou des malwares. Irma, plus orientée vers le hunting, permet d'initier des investigations à partir d'heuristiques poussées — par exemple, détecter un nom de domaine enregistré chez un registraire douteux qui résout vers un routeur potentiellement compromis en France. L'ergonomie au cœur du développement Un principe philosophique fort ressort de l'échange : l'ergonomie prime sur la complexité technique. Félix insiste sur le fait que les outils en ligne de commande, aussi puissants soient-ils, finissent par être abandonnés si leur utilisation requiert de consulter le manuel à chaque fois. L'objectif est que l'intégralité des outils soit accessible depuis un navigateur web, via des sous-domaines dédiés, avec une interface de recherche permettant de trouver un outil par mot-clé (par exemple, taper « LLM » pour lister tous les outils liés à l'intelligence artificielle). Cette centralisation présente plusieurs avantages : harmonisation des dépendances, déploiement automatisé via des pipelines CI/CD, et adoption effective par l'ensemble de l'équipe. Comme le résument les deux invités, un outil que personne n'utilise ne vaut rien — peu importe ses capacités techniques. L'IA comme accélérateur transversal L'arrivée des LLM a transformé deux autres facettes du travail. D'abord, le prototypage : là où il fallait parfois des semaines pour valider une preuve de concept, quelques heures suffisent aujourd'hui pour déterminer si une idée mérite d'être poursuivie ou abandonnée. Ensuite, la capitalisation du renseignement. L'équipe ingère des rapports publics d'éditeurs tiers, les modélise au format STIX — un standard structuré d'objets liés (campagnes, groupes d'attaquants, indicateurs de compromission) — et enrichit sa base de connaissance. Ce travail, autrefois fastidieux et manuel, est aujourd'hui en grande partie automatisé grâce aux LLM, avec une revue humaine finale. L'analyste se retrouve alors libéré des tâches répétitives pour se concentrer sur ce qui reste hors de portée de l'IA : la création de règles YARA, le développement de trackers d'infrastructure, et l'identification de détails techniques fins qui nécessitent encore un vrai jus de cerveau. Conclusion Cet épisode offre un regard rare et concret sur le quotidien d'une équipe CTI de pointe. Entre automatisation intelligente, philosophie d'ergonomie et intégration progressive de l'IA, Charles et Félix décrivent un métier en pleine mutation — où l'analyste humain reste indispensable, mais se concentre désormais sur ce qu'il fait le mieux. Notes APT28, sarA Is watching you! Collaborateurs Nicolas-Loïc Fortin Charles Meslay Félix Aimé Crédits Montage par Intrasecure inc Locaux virtuels par Riverside.fm
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Today's Odd Web Requests https://isc.sans.edu/diary/Today%27s%20Odd%20Web%20Requests/32934 Incomplete Patch of APT28's Zero-Day Leads to CVE-2026-32202 https://www.akamai.com/blog/security-research/2026/apr/incomplete-patch-apt28s-zero-day-cve-2026-32202 Assess Secure Boot status with Microsoft Defender https://techcommunity.microsoft.com/blog/MicrosoftDefenderATPBlog/assess-secure-boot-status-with-microsoft-defender/4510356 Deprecating Legacy TLS and Endpoints for POP and IMAP in Exchange Online https://techcommunity.microsoft.com/blog/exchange/deprecating-legacy-tls-and-endpoints-for-pop-and-imap-in-exchange-online/4515201 SAP Related npm Packages Compromised https://www.stepsecurity.io/blog/a-mini-shai-hulud-has-appeared
Twee grote verhalen, één rode draad: de infrastructuur die je dagelijks gebruikt wordt tegen je ingezet — door staten én door commerciële partijen die aan staten verkopen. Deel 1 – APT28 FrostArmada: De FBI ontmantelt een Russische GRU-operatie (Operatie Masquerade) waarbij 18.000 SOHO-routers in 120 landen — MikroTik en TP-Link — zonder malware werden overgenomen. DNS-instellingen omgezet, en Microsoft 365 OAuth-tokens gestolen via een adversary-in-the-middle aanval. Court-authorized reset door de FBI. Historische parallel: MIVD/Cyclops Blink 2022 op Nederlandse routers. Deel 2 – Webloc/Penlink: Citizen Lab legt bloot hoe het Israëlische bedrijf Penlink via advertentiedata van 500 miljoen mobiele devices real-time locatie, Wi-Fi-netwerken, app-inventaris en gedragsprofielen verkoopt aan ICE, NYPD, het Amerikaanse leger en anderen — zonder rechterlijke toets. Inclusief uitleg van de RTB-bidstream en SDK-sourcing. Nieuwtjes: Cyberbeveiligingswet door de Tweede Kamer, Privacy Adviseur Binnenlandse Zaken over de Solvinity/Kyndryl/DigiD-overname, prompt injection via GitHub-comments in AI coding agents. BRONNEN Deel 1, APT28 FrostArmada > KrebsOnSecurity, “Russia hacked routers to steal Microsoft Office tokens” (7 april 2026): https://krebsonsecurity.com/2026/04/russia-hacked-routers-to-steal-microsoft-office-tokens/ > FBI/DOJ persbericht (7 april 2026): https://www.ic3.gov/PSA/2026/PSA260407 > Lumen Black Lotus Labs, technische rapportage FrostArmada: [URL checken] Context: eerdere APT28 router-campagnes (VPNFilter 2018, Cyclops Blink 2022, Jaguar Tooth 2023) Volkskrant / Huib Modderkolk, “MIVD verstoort Russische digitale aanval op routers van Nederlandse burgers” (3 maart 2022): NL-historische precedent, Sandworm/eenheid 74455 gebruikte Cyclops Blink op tientallen NL-routers, MIVD ging er publiek mee naar buiten via directeur Jan Swillens Deel 2, Webloc / Penlink > Citizen Lab, “Analysis of Penlink's ad-based geolocation surveillance tech” (11 april 2026): https://citizenlab.ca/research/analysis-of-penlinks-ad-based-geolocation-surveillance-tech/ > Context: Carpenter v. United States (2018), SCOTUS-uitspraak over locatiedata en Fourth Amendment > Context: eerdere Locate X / Venntel onthullingen (Vice/Motherboard 2020-2022) Nieuwtjes > Cyberbeveiligingswet: https://www.rijksoverheid.nl/actueel/nieuws/2026/04/15/tweede-kamer-stemt-in-met-wetsvoorstellen-cyberbeveiligingswet-en-wet-weerbaarheid-kritieke-entiteiten > Volkskrant, "Privacy-adviseur Binnenlandse Zaken: overname van DigiD bedreigt veiligheid van Nederland" (16 april 2026): https://www.volkskrant.nl/tech/privacy-adviseur-binnenlandse-zaken-overname-van-digid-bedreigt-veiligheid-van-nederland~b6be96c0 > Aonan Guan, "Command and Control: ..." (15 april 2026): https://oddguan.com/blog/comment-and-control-prompt-injection-credential-theft-claude-code-gemini-cli-github-copilot/
In this episode of The Cybersecurity Defenders Podcast, we discuss some intel being shared in the LimaCharlie community.Intercept and control AI agent activity with Viberails by LimaCharlie: viberails.ioAPT41, a China-linked threat group is deploying a previously undetected backdoor targeting Linux based cloud workflows.Fancy bear, also known as APT28 or Forest Blizzard, is a Russian cyber espionage group believed to operate on behalf of the country's military intelligence services, the GRU. Trend Micro research here.Anthropic's Model Control Protocol widely used in agentic AI systems to connect AI agents with data sources, contains a design flaw that would enable large-scale supply chain attacks. Report here.There's a critical vulnerability in nginx-UI, a web-based management interface for Nginx servers, which is being actively exploited and could allow attackers to take full control affected systems.Support our show by sharing your favorite episodes with a friend, subscribe, give us a rating or leave a comment on your podcast platform.This podcast is brought to you by LimaCharlie, maker of the SecOps Cloud Platform, infrastructure for SecOps where everything is built API first. Scale with confidence as your business grows. Start today for free at limacharlie.io.
The House extends Section 702, for now. Mythos raises fresh cyber risk concerns. CISA warns of reduced capacity. ZionSiphon targets Israeli water systems. Operation PowerOFF hits DDoS-for-hire networks. CISA flags an actively exploited ActiveMQ flaw. WordPress plugin supply chain attacks spread. China tests deep-sea cable-cutting tech. Our guest is Arvind Nithrakashyap, CTO and Co-Founder of Rubrik, discussing AI as the next frontier. Tim Starks from CyberScoop takes us Inside the FBI's recent router takedown. A DraftKings data dealer meets his downfall. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. Industry Voices On today's Industry Voices segment, we are joined by Arvind Nithrakashyap, CTO and Co-Founder of Rubrik, discussing AI as the next frontier. If you enjoyed this conversation, check out the full interview here. CyberWire Guest Today we have Tim Starks from CyberScoop discussing Inside the FBI's router takedown that cut off APT28's ‘tremendous access'. Selected Reading House extends surveillance powers for 10 days (NPR) White House Works to Give US Agencies Anthropic Mythos AI (Bloomberg) Lawmakers Gathered Quietly to Talk About AI. Angst and Fears of ‘Destruction' Followed (SecurityWeek) How Anthropic Discovered Mythos AI Was Too Dangerous For Release (Bloomberg) CISA Warns of 'Detrimental Capacity Impacts' Amid Shutdown (BankInfo Security) New ZionSiphon Malware Discovered Targeting Israeli Water Systems (Hackread) Europol-supported global operation targets over 75 000 users engaged in DDoS attacks (Europol) CISA flags Apache ActiveMQ flaw as actively exploited in attacks (Bleeping Computer) 30+ WordPress plugins bought on Flippa and backdoored in supply chain attack (TNW) New undersea cable cutter risks Internet's backbone (Ars Technica) Man gets 30 months for selling thousands of hacked DraftKings accounts (Bleeping Computer) Share your feedback. What do you think about CyberWire Daily? Please take a few minutes to share your thoughts with us by completing our brief listener survey. Thank you for helping us continue to improve our show. Want to hear your company in the show? N2K CyberWire helps you reach the industry's most influential leaders and operators, while building visibility, authority, and connectivity across the cybersecurity community. Learn more at sponsor.thecyberwire.com. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Nový AI model od Anthropicu vyvolává otázky, kam až se posouvají schopnosti umělé inteligence v kyberbezpečnosti. V této epizodě CCTV NEWS se podíváme na Project Glasswing, zneužívání routerů skupinou APT28, nové zabezpečení od Google proti krádeži a bezpečnostní incident u OpenAI.
(Presented by TLPBLACK: A cybersecurity intelligence platform focused on sharing curated, high-sensitivity threat insights and research with trusted security professionals.) Three Buddy Problem - Episode 93: We discuss Anthropic's release of Claude Mythos Preview (an AI model so capable and dangerous they won't release it publicly) and debate the looming patching crisis, bug bounty extinction, possible US government nationalization of frontier labs, and why the NSA might not be thrilled about all this bug-fixing. Plus, North Korea's six-month Drift Protocol con job, APT28's retro DNS hijacking campaign, and Microsoft's driver signing mess hitting WireGuard and VeraCrypt. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu. 00:00 — Opening banter 01:36 — Anthropic Mythos Preview + Project Glasswing 06:17 — USG reaction + Wall Street emergency meeting 10:54 — Mythos capabilities vs hype (technical reality check) 13:44 — PR stunt? Skepticism of Anthropic narrative 20:42 — The patching crisis + “defender advantage” 27:41 — Bug bounty model under threat from AI 33:37 — Mythos practical workflows 45:09 — Geopolitics, NSA angle, and nationalization discussion 01:40:18 — Fortinet zero-day + ongoing failures 01:42:39 — Drift Protocol heist ($285M) + long-term social engineering 01:44:07 — Revisiting XZ Utils / Jia Tan attribution 01:54:07 — Crypto security gaps + need for real CTI in blockchain 02:04:22 — APT28 DNS hijacking + router compromise campaign 02:18:57 — Microsoft driver signing meltdown + ecosystem impact
Ransomware knocks Dutch healthcare vendor offline APT28 is keeping busy CIA quietly elevated its cyber espionage division Check out our show notes here: https://cisoseries.com/cybersecurity-news-chipsoft-popped-apt28-updates-cia-cyber-espionage-elevation/ Huge thanks to our episode sponsor, Vanta Risk and regulation ramping up—and customers expect proof of security just to do business. Vanta's automation brings compliance, risk, and customer trust together on one AI-powered platform. So whether you're prepping for a SOC 2 or running an enterprise GRC program, Vanta keeps you secure—and keeps your deals moving. Learn more at vanta.com/ciso.
(Presented by TLPBLACK: High-fidelity threat intelligence and research tools for modern security teams. From curated Passive DNS and real-time C2 monitoring to actionable IOC feeds and daily malware samples, we help defenders detect, hunt, and disrupt threats faster, with seamless integration into SIEM and SOAR workflows.) Three Buddy Problem - Episode 89: We discuss Iran hacktivist group 'Handala' wiper attacks against US medical device maker Stryker, Microsoft Intune MDM tool abuse, and whether Iran's cyber retaliation is as scary as the headlines suggest. Plus, ESET's discovery that Russia's APT28 original implant developers are back after years of silence, Dutch intelligence warnings on Russian campaigns targeting Signal and WhatsApp accounts, Apple finally patching Coruna exploit kit vulnerabilities for older iPhones, and Google sharing Coruna samples that raise new questions about the exploit kit's proliferation chain. Cast: Juan Andres Guerrero-Saade, Ryan Naraine and Costin Raiu.
This week's news includes a reappearance by an old favorite, APT28, aka Fancy Bear, which is back with some nasty new implants and tools it is deploying against targets in Ukraine (2:10), and we also have another law enforcement disruption of a residential proxy network, this one known as SocksEscort, which had victims all over the globe (7:45). Lastly, we talk about some of the upcoming episodes, including a new hacker movie podcast and our RSA preview that's coming next week. LinksAPT28 reappears: https://decipher.sc/2026/03/10/apt28-reemerges-with-modern-espionage-arsenal-code-tied-to-2010s-operations/SocksEscort takedown: https://decipher.sc/2026/03/12/us-europol-crack-down-on-socksescort-residential-proxy-network/
Top Headlines: Group-IB | Operation Olalampo: Inside MuddyWater's Latest Campaign: https://www.group-ib.com/blog/muddywater-operation-olalampo/ Point Wild | Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques: https://www.pointwild.com/threat-intelligence/remcos-revisited-inside-the-rats-evolving-command-and-control-techniques/ Lab 52 | Operation MacroMaze: new APT28 campaign using basic tooling and legit infrastructure: https://lab52.io/blog/operation-macromaze-new-apt28-campaign-using-basic-tooling-and-legit-infrastructure/ therecord.media | Researchers warn Volt Typhoon still embedded in US utilities and some breaches may never be found: https://therecord.media/researchers-warn-volt-typhoon-still-active-critical-infrastructure?&web_view=true ----------Stay in Touch!Twitter: https://twitter.com/Intel471IncLinkedIn: https://www.linkedin.com/company/intel-471/YouTube: https://www.youtube.com/channel/UCIL4ElcM6oLd3n36hM4_wkgDiscord: https://discord.gg/DR4mcW4zBrFacebook: https://www.facebook.com/Intel471Inc/
In deze aflevering bespreken we drie opvallende nieuwsitems uit de cybersecuritywereld. Allereerst de hack bij Odido, waarbij maar liefst 6,2 miljoen klantrecords mogelijk zijn gecompromitteerd. Daarnaast duiken we in het verhaal rondom Starlink en de Russen: hoe zij Oekraïense identiteiten proberen te misbruiken, en hoe hacktivisten op hun beurt inspelen op die wanhoop. Tot slot bespreken we de opmerkelijke uitspraak van Gijs Tuinman over het jailbreaken van de F-35. In de deepdive van deze week zoomen we in op APT28 (Fancy Bear), de beruchte Russische threat actor die in staat is om binnen 24 tot 48 uur na publicatie patches te reverse engineren en om te zetten in werkende exploits. Hoe doen ze dat, en wat betekent dit voor je patchmanagement? Bronnen: - Odido: https://www.odido.nl/veiligheid - Starlink: https://x.com/256CyberAssault/status/2021900627916267946 - F-35 Jailbreak: https://www.bnr.nl/nieuws/nieuws-politiek/10594302/uitspraak-gijs-tuinman-over-f-35-jaagt-amerikanen-op-de-kast-stoere-taal-niet-handig - APT28, Operation Neusploit: https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit
*Threat Hunting Workshop: Hunting for Privilege Escalation - Level 2February 11, 2026 | 12:00 - 1:00 PM ETSign Up: https://www.intel471.com/resources/webinars/threat-hunting-workshop-hunting-for-privilege-escalation-level-2Top Headlines: VulnCheck | Metro4Shell: Exploitation of React Native's Metro Server in the Wild: https://www.vulncheck.com/blog/metro4shell_eitw Notepad | Notepad++ Hijacked by State-Sponsored Hackers: https://notepad-plus-plus.org/news/hijacked-incident-info-update/ ThreatLabz | Operation Neusploit: APT28 Uses CVE-2026-21509: https://www.zscaler.com/blogs/security-research/apt28-leverages-cve-2026-21509-operation-neusploit CERT-UA | "Danger Bulletin": UAC-0001 (APT28) carries out cyberattacks against Ukraine and EU countries using the CVE-2026-21509 exploit (CERT-UA#19542): https://cert.gov.ua/article/6287250 ----------Stay in Touch!Twitter: https://twitter.com/Intel471IncLinkedIn: https://www.linkedin.com/company/intel-471/YouTube: https://www.youtube.com/channel/UCIL4ElcM6oLd3n36hM4_wkgDiscord: https://discord.gg/DR4mcW4zBrFacebook: https://www.facebook.com/Intel471Inc/
Russian-state hackers, identified as APT28, exploited a Microsoft Office vulnerability, CVE-2026-21509, within 48 hours of a security update, compromising devices in diplomatic, maritime, and transport organizations across several countries. The attack used encrypted exploits and payloads executed in memory to evade detection. The campaign began on January 28, targeting organizations in nine countries, including Poland, Slovenia, and Ukraine, affecting defense ministries, transportation operators, and diplomatic entities.Learn more on this news by visiting us at: https://greyjournal.net/news/ Hosted on Acast. See acast.com/privacy for more information.
Referências do EpisódioAPT28 Leverages CVE-2026-21509 in Operation NeusploitAI-assisted cloud intrusion achieves admin access in 8 minutesMetro4Shell: Exploitation of React Native's Metro Server in the WildRoteiro e apresentação: Carlos CabralEdição de áudio: Paulo Arruzzo Narração de encerramento: Bianca Garcia
OpenClaw targets ClawHub users Notepad++ update delivers malware APT28 attackers abuse Microsoft Office zero-day Get the show notes here: https://cisoseries.com/cybersecurity-news-openclaw-targets-clawhub-users-notepad-update-delivers-malware-apt28-attackers-abuse-microsoft-office-zero-day/ Huge thanks to our sponsor, Strike48 It's no secret that AI is only as good as the data available to it. Strike48 unifies agentic AI with unmatched log visibility while avoiding the typical hefty price tag. Build and deploy agents for phishing detection, alert triage, threat correlation and more. Queries existing logs where they currently live, so you can keep the technology you already have. Learn more at Strike48.com.
If you like what you hear, please subscribe, leave us a review and tell a friend!
In this week's Security Sprint, Dave and Andy covered the following topics:Opening:• Cyber Insights 2026: Information Sharing (SecurityWeek, 16 Jan 2026)• ICYMI: Homeland Republicans underscore importance of strong public-private sector partnerships to deter cyber threats — House Homeland Security Committee (Majority) | Jan 17, 2026 Main Topics:Pro-Russia hacktivist activity continues to target UK organisations & NCSC warns of hacktivist groups disrupting UK online services (UK National Cyber Security Centre, Jan 2026). The NCSC reports sustained, low-sophistication but high-volume hacktivist campaigns—primarily DDoS and website defacements—linked to pro-Russia narratives and opportunistic targeting of UK public- and private-sector organizations. While technically unsophisticated, the activity is persistent, media-aware, and designed to generate disruption, reputational harm, and psychological impact rather than deep network compromise. The NCSC emphasizes preparedness measures including DDoS resilience, clear incident communications, and executive awareness that “noise” activity can still impose real operational cost. • Russia-linked APT28 targets energy and defense groups tied to NATO • UAT-8837 targets critical infrastructure sectors in North America • A Day Without ICS: The real impact of ICS/OT security threats Ransomware• Worldwide ransomware roundup: 2025 end-of-year report • Global ransomware attacks rose 32% in 2025, as manufacturers emerged as top target• 2025 Shattered Records: Key takeaways from the GRIT 2026 Ransomware & Cyber Threat Report• DeadLock Ransomware: Smart Contracts for Malicious Purposes Domestic Operations: Joint Interagency Task Force-Counter Cartel (JIATF-CC) established & US Northern Command establishes JTF-GOLD Quick Hits:• (TLP:CLEAR) Assessing Terrorism Trends on the Horizon in 2026 — WaterISAC — Jan 15, 2026 • UK NCSC: Designing safer links: secure connectivity for operational technology• NCSC UK: Secure connectivity principles for OT (collection) • FBI: Secure Connectivity Principles for Operational Technology (OT) (PDF)• ACSC (Australia): New publication for small businesses managing cyber risks from AI • Artificial intelligence for small business: Managing cyber security risks• Developing your IT recovery plan (Canadian Centre for Cyber Security, Jan 2026)• Improving cyber security resilience through emergency preparedness planning (Canadian Centre for Cyber Security, Jan 2026)• Developing your incident response plan (Canadian Centre for Cyber Security, Jan 2026)• Developing your business continuity plan (Canadian Centre for Cyber Security, Jan 2026)
Parce que… c'est l'épisode 0x6xx! Shameless plug 25 et 26 février 2026 - SéQCure 2026 CfP 31 mars au 2 avril 2026 - Forum INCYBER - Europe 2026 14 au 17 avril 2026 - Botconf 2026 28 et 29 avril 2026 - Cybereco Cyberconférence 2026 9 au 17 mai 2026 - NorthSec 2026 3 au 5 juin 2026 - SSTIC 2026 19 septembre 2026 - Bsides Montréal Description Introduction Ce deuxième épisode sur la Cyber Threat Intelligence (CTI) réunit Nicolas, Alexis Dorais-Joncas et Jordan Theodore pour approfondir les mécanismes de production et de consommation de l'intelligence sur les menaces. La conversation explore les défis techniques, organisationnels et éthiques auxquels font face les professionnels de la sécurité dans ce domaine en constante évolution. Les deux univers de la CTI Alexis établit une distinction fondamentale entre deux « clusters » dans l'écosystème de la CTI. D'un côté, les producteurs : entreprises de réponse d'incident et fournisseurs de services de cybersécurité comme CrowdStrike, Microsoft, Kaspersky ou Proofpoint, qui observent directement les attaques chez leurs clients et génèrent des rapports détaillés. De l'autre, les consommateurs : organisations qui utilisent ces rapports pour comprendre leurs risques et se protéger contre les attaques potentielles. Cette dichotomie se reflète même dans les rôles professionnels. Un analyste CTI chez un vendeur dispose d'une visibilité globale sur des milliers de clients, tandis qu'un analyste en entreprise se concentre sur son propre environnement. Les mindsets et les résultats sont fondamentalement différents, bien que les compétences de base soient similaires. L'ampleur du défi : naviguer dans l'océan de données Les chiffres partagés par Alexis illustrent l'échelle impressionnante du problème. Chez ESET, environ 300 000 fichiers exécutables malveillants ou suspects uniques arrivent chaque jour. Chez Proofpoint, ce sont 3,5 milliards d'emails quotidiens, avec 50 millions de pièces jointes et 90 millions d'URL à analyser. Face à ce déluge, les équipes de recherche doivent développer des heuristiques sophistiquées et des règles de tri pour identifier ce qui mérite une attention particulière. L'art du clustering : trouver l'aiguille dans la botte de foin Le cœur du travail de CTI réside dans la capacité à regrouper des attaques apparemment distinctes en « clusters » attribuables à un même acteur. Alexis explique que cette attribution repose sur la recherche d'éléments uniques ou de combinaisons uniques d'éléments observables. L'exemple du certificat SSL avec une coquille typographique illustre parfaitement ce concept : un seul détail peut permettre de lier des dizaines de domaines entre eux et de découvrir toute une infrastructure d'attaque. Les indicateurs utilisés pour le clustering sont multiples : similarité de code source, exploits modifiés, choix d'hébergeurs et de registraires, mais aussi des éléments plus « soft » comme le ciblage. Un professeur spécialisé sur l'Iran qui se fait soudainement cibler peut indiquer l'implication de groupes iraniens, même si les indicateurs techniques sont nouveaux. Les niveaux de confidentialité : une cascade d'information Alexis révèle que 95% ou plus de la CTI produite par les vendeurs n'est jamais rendue publique. L'information suit une cascade : d'abord partagée uniquement avec les clients directement ciblés, puis avec l'ensemble des clients payants, et enfin, pour une fraction seulement, avec le public. Cette dernière étape implique des choix délicats : révéler certains indicateurs peut aider la défense, mais aussi alerter l'attaquant et compromettre la capacité à le tracker à l'avenir. La qualité variable de la CTI secondaire Un point de frustration majeur émerge concernant la couverture médiatique et les analyses secondaires. Alexis estime que 80% de la couverture secondaire n'apporte aucune valeur ajoutée, 5% apporte une vraie perspective informée, et 10-15% est carrément nuisible en véhiculant des erreurs ou des exagérations. Cette désinformation force les analystes en entreprise à perdre des journées entières à remonter aux sources originales et à désamorcer les inquiétudes injustifiées des dirigeants. La course à la publication et ses nuances Bien qu'il existe une certaine compétition entre vendeurs pour être le premier à publier sur une nouvelle menace, Alexis nuance fortement ce phénomène. La collaboration informelle entre analystes de différentes entreprises est courante. De plus, même si un concurrent publie en premier, il reste possible d'apporter une valeur complémentaire en confirmant les découvertes depuis une perspective différente ou en ajoutant des observations uniques. L'exemple de Kaspersky et Proofpoint sur un APT illustre comment deux entreprises peuvent enrichir mutuellement la compréhension d'une menace. L'attribution : utile pour qui ? L'attribution géopolitique des attaques s'avère principalement pertinente pour les grandes organisations et les entités gouvernementales ciblées de manière spécifique. Pour la majorité des entreprises victimes d'attaques opportunistes, savoir qu'un ransomware vient de tel ou tel groupe importe peu. L'essentiel est de comprendre les techniques d'attaque et les prochaines étapes possibles. Alexis souligne qu'environ 95% des attaques ciblées chez Proofpoint touchent moins de 5 clients avec moins de 60 emails – un volume extrêmement faible qui contraste avec les attaques opportunistes massives. Le casse-tête des noms de groupes Un problème persistant dans l'industrie concerne la prolifération de noms différents pour les mêmes groupes. APT28 peut être appelé Fancy Bear, Pawn Storm, TA422, ou une quinzaine d'autres noms selon le vendeur. Cette situation s'explique par les différences de visibilité : Proofpoint observe l'infrastructure email, tandis qu'un EDR voit le comportement post-compromission. Chaque vendeur nomme ce qu'il peut observer, créant une confusion considérable pour les praticiens en réponse d'incident. Alexis confirme cependant qu'aucune pression marketing n'a jamais été exercée pour créer des noms propriétaires, et qu'il est inacceptable de renommer un groupe découvert par un autre sans l'avoir observé soi-même. Conclusion Ce podcast met en lumière la complexité et les nuances du monde de la CTI. Entre volumes de données massifs, décisions éthiques sur ce qu'il faut publier, collaboration et compétition entre acteurs, et défis d'attribution, les professionnels naviguent dans un écosystème en constante évolution. La clé réside dans la compréhension que chaque vendeur apporte une perspective unique basée sur sa visibilité spécifique, et que la véritable valeur de la CTI se trouve dans la capacité à corréler ces différentes sources pour obtenir une image complète des menaces. Collaborateurs Nicolas-Loïc Fortin Jordan Theodore Alexis Dorais-Joncas Crédits Montage par Intrasecure inc Locaux virtuels par Riverside.fm
From early 2022 through late 2024, a group of threat actors publicly known as APT28 exploited known vulnerabilities, such as CVE-2022-38028, to remotely and wirelessly access sensitive information from a targeted company network. This attack did not require any hardware to be placed in the vicinity of the targeted company's network as the attackers were able to execute remotely from thousands of miles away. With the ubiquity of Wi-Fi, cellular networks, and Internet of Things (IoT) devices, the attack surface of communications-related vulnerabilities that can compromise data is extremely large and constantly expanding. In the latest podcast from the Carnegie Mellon University Software Engineering Institute (SEI) Joseph McIlvenny, a senior research scientist, and Michael Winter, vulnerability analysis technical manager, both with the SEI's CERT Division, discuss common radio frequency (RF) attacks and investigate how software and cybersecurity play key roles in preventing and mitigating these exploitations.
Dans un rapport rendu public début novembre, Google Threat Intelligence tire la sonnette d'alarme : les cybercriminels industrialisent désormais des malwares dopés à l'intelligence artificielle. Ce ne sont plus de simples programmes statiques, mais des menaces autonomes et adaptatives — capables de modifier leur comportement à la demande pour échapper aux défenses traditionnelles.Parmi les familles identifiées, PromptFlux illustre la mutation : ce malware interroge une API d'IA pour réécrire son propre code et générer, à chaque activation, une nouvelle variante indétectable par les antivirus. Résultat : une chasse au caméléon où les signatures classiques perdent toute efficacité. Autre cas préoccupant, PromptSteal, déployé en Ukraine et attribué à APT28 (le groupe lié à la Russie connu sous le nom de Fancy Bear). Là, l'IA génère à la volée des commandes pour extraire des données ciblées — le logiciel ne contient plus des instructions figées, il les fabrique en temps réel. Une première opérationnelle, selon Google. Enfin, QuietVault mène la chasse aux secrets : après avoir exfiltré des jetons d'accès, il utilise des outils d'IA locaux pour fouiller le système et récupérer d'autres identifiants, automatisant une traque qui, hier, demandait des analystes humains. L'autonomie atteint un seuil inédit et dangereux.La firme de Mountain View souligne aussi la facilité avec laquelle les modèles peuvent être manipulés : de faux prétextes — « exercice académique », « projet étudiant » — suffisent parfois à pousser un assistant IA à livrer des conseils d'exploitation. L'ingénierie sociale migre ainsi vers les modèles de langage : au lieu d'abuser d'un humain, l'attaquant abuse d'une IA. Le tableau se complète côté marché noir : des services nommés sur le modèle des chatbots proposent désormais des malwares « clé en main », abonnements et assistance compris. Le cybercrime se professionnalise, se banalise, et abaisse ses barrières d'entrée. Que faire ? Les chercheurs encouragent une stratégie en profondeur : durcir les modèles, renforcer la traçabilité des appels API, et surtout maintenir une vigilance permanente. Hébergé par Acast. Visitez acast.com/privacy pour plus d'informations.
Parce que… c'est l'épisode 0x656! Shameless plug 8 et 9 novembre 2025 - DEATHcon 17 au 20 novembre 2025 - European Cyber Week 25 et 26 février 2026 - SéQCure 2026 14 au 17 avril 2026 - Botconf 2026 28 et 29 avril 2026 - Cybereco Cyberconférence 2026 9 au 17 mai 2026 - NorthSec 2026 3 au 5 juin 2025 - SSTIC 2026 Description Ce podcast technique réunit Nicolas, l'animateur, avec Maxime Arquillière et Amaury-Jacques Garçon, deux analystes en cybermenace de sekoia., une société française spécialisée dans le renseignement sur les menaces informatiques (CTI - Cyber Threat Intelligence). Leur discussion porte sur une investigation approfondie d'une campagne de cyberespionnage sophistiquée baptisée “Double Tap”, probablement liée au groupe APT28 du renseignement militaire russe. Le contexte et la méthodologie Maxime et Amaury expliquent d'abord leur approche du travail de CTI, qui repose largement sur une veille continue des publications d'organismes spécialisés (CERT français, américains, canadiens) et de chercheurs en cybersécurité. Cette collecte systématique d'informations en source ouverte leur permet de modéliser les menaces et de créer des règles de détection, notamment des règles Yara pour identifier les fichiers malveillants. Leur équipe dispose de quatre spécialités : le tracking d'infrastructure, les règles de détection, le reverse engineering de malware, et l'analyse stratégique qui vise à comprendre les objectifs géopolitiques derrière les attaques étatiques. Cette approche multidimensionnelle permet une compréhension globale des cybermenaces. La découverte initiale L'investigation démarre à partir d'un article publié fin juillet 2024 par le CERT-UA (l'autorité ukrainienne de réponse aux incidents), qui documente des attaques ciblant régulièrement l'Ukraine. À partir de ces informations, l'équipe a créé des règles de détection, dont certaines volontairement plus souples pour capturer d'éventuelles variantes. Mi-octobre, une de ces règles Yara a détecté un document Word malveillant sur VirusTotal, une plateforme où sont analysés des millions de fichiers suspects. Ce document contenait une macro et semblait être issu du ministère des Affaires étrangères du Kazakhstan. Cette alerte a déclenché une investigation approfondie qui a permis de découvrir au total 18 documents similaires, dont une dizaine n'avaient jamais été publiés auparavant. L'analyse technique : la chaîne d'infection “Double Tap” Amaury détaille la sophistication technique de cette attaque. Les documents malveillants utilisent une technique de social engineering : ils apparaissent floutés ou déformés à l'ouverture, incitant la victime à cliquer sur “Activer les macros” pour les rendre lisibles. Cette action déclenche une chaîne d'infection particulièrement élaborée. La particularité qui a donné son nom à la campagne est l'utilisation d'un double mécanisme : le premier document Word crée un second document contenant des macros malveillantes dans un répertoire temporaire du système. Cette approche en plusieurs étapes vise à contourner les systèmes de détection. Une fois activé, le malware modifie les paramètres de sécurité du système pour permettre l'exécution automatique de macros futures, établit une persistance qui se réactive toutes les quatre minutes, et contacte un serveur de commande et contrôle (C2). Le code, largement obfusqué, construit progressivement une troisième macro qui communique avec un serveur externe pour transmettre des informations sur la machine compromise (nom d'utilisateur, nom du PC) et potentiellement déployer un backdoor Python appelé “Cherry Spy” pour l'exfiltration de données. La dimension géopolitique L'analyse de Maxime révèle que les dix documents découverts étaient tous rédigés en kazakh et concernaient des sujets diplomatiques : câbles d'ambassades kazakhes en Belgique et Afghanistan, comptes-rendus de visites présidentielles, et notamment une déclaration diplomatique conjointe entre l'Allemagne et le Kazakhstan datant de septembre 2024, lors d'une visite du chancelier Olaf Scholz visant à diversifier les approvisionnements énergétiques allemands. Ces documents, datés entre 2021 et 2024, semblent être des documents légitimes récupérés lors d'opérations antérieures et réutilisés comme appâts pour cibler des diplomates et officiels kazakhs. Le Kazakhstan, bien qu'allié traditionnel de la Russie, adopte une politique de plus en plus indépendante, ce qui expliquerait l'intérêt du renseignement russe. Le lien avec APT28 et Zebrocy L'équipe établit des connexions avec APT28 (également connu sous le nom de Fancy Bear), un groupe de cyberespionnage du renseignement militaire russe (GRU). Ils identifient également des similitudes avec Zebrocy, un mode opératoire actif entre 2015 et 2020 qui ciblait spécifiquement l'Asie centrale et utilisait des techniques similaires de “double tap”. L'importance du partage Les chercheurs soulignent l'importance de publier leurs découvertes en source ouverte. Bien que cela puisse alerter les attaquants et les pousser à modifier leur infrastructure, cette transparence contribue à l'amélioration de la cybersécurité globale, permettant à d'autres chercheurs de construire sur leurs travaux. De manière remarquable, quelques jours après la publication de leur rapport, un média kazakh a annoncé qu'une inspection imprévue du ministère des Affaires étrangères serait menée suite aux révélations sur cette cyberattaque. L'équipe avait d'ailleurs tenté de contacter le gouvernement kazakh avant publication, sans recevoir de réponse. Cette investigation illustre parfaitement la complexité du travail en CTI : combiner expertise technique, compréhension géopolitique et éthique du partage pour protéger efficacement contre les menaces étatiques sophistiquées qui peuvent s'étendre sur plusieurs années. Notes Double-Tap Campaign - Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations Collaborateurs Nicolas-Loïc Fortin Maxime Arquillière Amaury-Jacques Garçon Crédits Montage par Intrasecure inc Locaux virtuels par Riverside.fm
If you like what you hear, please subscribe, leave us a review and tell a friend!
In this episode of Cybersecurity Today, host David Shipley discusses several pressing cybersecurity issues. First, popular NPM Linter packages were hijacked via phishing to spread malware, affecting millions of downloads. Concurrently, Ukrainian CERT uncovers new phishing campaigns tied to APT28 using large language models for command and control. Microsoft discontinues the use of China-based engineers for US Department of Defense systems following a controversial report. Lastly, social engineering, facilitated by AI, becomes a greater threat than zero-day exploits. The episode emphasizes the need for stronger maintainer security, multifactor authentication, and a comprehensive understanding of social engineering risks. 00:00 Introduction - 10 Million Downloads 01:30 NPM Linter Packages Hijacked 05:05 Social Engineering and AI in Cybersecurity 08:57 Microsoft's China-Based Engineers Controversy 12:15 The Real Threat: Social Engineering 16:39 Conclusion and Call to Action
Cybersecurity warnings about possible Iranian retaliation have surged. A potential act of sabotage disrupts the NATO Summit in The Hague. Canadian cybersecurity officials discover Salt Typhoon breached a major telecom provider. The U.S. House bans WhatsApp from all government devices. APT28 uses Signal chats in phishing campaigns targeting Ukrainian government entities. A China-linked APT has built a covert network of over 1,000 compromised devices for long-term espionage. FileFix is a new variant of the well-known ClickFix method. SparkKitty targets Android and iOS users for image theft. Scammers steal $4 million from Coinbase users by posing as support staff. On today's Threat Vector, host David Moulton sits down with Tyler Shields, Principal Analyst at ESG, to discuss the fine line between thought leadership and echo chambers in the industry. War Thunder gamers just can't resist state secrets. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. Threat Vector Segment In this segment of Threat Vector, host David Moulton sits down with Tyler Shields, Principal Analyst at ESG, entrepreneur, and cybersecurity marketing expert, to discuss the fine line between thought leadership and echo chambers in the industry. You can hear David and Tyler's full discussion on Threat Vector here and catch new episodes every Thursday on your favorite podcast app. Selected Reading Warnings Ratchet Over Iranian Cyberattack (BankInfoSecurity) NATO Summit in The Hague hit by potential sabotage as rail cables set on fire (The Record) Canada says Salt Typhoon hacked telecom firm via Cisco flaw (BleepingComputer) Scoop: WhatsApp banned on House staffers' devices (Axios) APT28 hackers use Signal chats to launch new malware attacks on Ukraine (Bleeping Computer) Chinese APT Hacking Routers to Build Espionage Infrastructure (SecurityWeek) FileFix - A ClickFix Alternative (mr.d0x) Photo-Stealing Spyware Sneaks Into Apple App Store, Google Play (SecurityWeek) Hackers Impersonate Coinbase User Support To Scam Victims of $4,000,000 Before Blowing Most of Money on Gambling: ZachXBT (The Daily Hodl) Reset the clock! War Thunder fan posts restricted Harrier data to game forum (Cyber Daily) Audience Survey Complete our annual audience survey before August 31. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Three Buddy Problem - Episode 47: We unpack a multi-agency report on Russia's APT28/Fancy Bear hacking and spying on Ukraine war supply lines, CISA's sloppy YARA rules riddled with false positives, the ethics of full-disclosure after Akamai dropped Windows Server “BadSuccessor” exploit details, and Sekoia's discovery of thousands of hijacked edge devices repurposed as honeypots. The back half veers into Microsoft's resurrected Windows Recall, Signal's new screenshot-blocking countermeasure, Japan's fresh legal mandate for pre-emptive cyber strikes, and why appliance vendors like Ivanti keep landing in the headlines. Along the way you get hot takes on techno-feudalism, Johnny Ive's rumored AI gadget, and a lively debate over whether publishing exploit code ever helps defenders. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Ryan Naraine (https://twitter.com/ryanaraine) and Costin Raiu (https://twitter.com/craiu).
Millions of Apple Airplay-Enabled Devices Can Be Hacked via Wi-Fi Google tracked 75 zero days exploited in the wild in 2024 France ties Russian APT28 hackers to 12 cyberattacks on French orgs Thanks to today's episode sponsor, ThreatLocker ThreatLocker® is a global leader in Zero Trust endpoint security, offering cybersecurity controls to protect businesses from zero-day attacks and ransomware. ThreatLocker operates with a default deny approach to reduce the attack surface and mitigate potential cyber vulnerabilities. To learn more and start your free trial, visit ThreatLocker.com/CISO.
[LIVE] Out of the Woods Podcast January 30, 2025 | 12:00 - 1:30 PM ET Sign Up --> https://intel471.com/resources/podcasts/the-art-of-the-hunt-turning-intel-into-action Top Headlines: Truffle Security | Millions of Accounts Vulnerable due to Google's OAuth Flaw: https://trufflesecurity.com/blog/millions-at-risk-due-to-google-s-oauth-flaw Halcyon | Abusing AWS Native Services: Ransomware Encrypting S3 Buckets with SSE-C: https://www.halcyon.ai/blog/abusing-aws-native-services-ransomware-encrypting-s3-buckets-with-sse-c Horizon3 | Critical Vulnerabilities in SimpleHelp Remote Support Software: https://www.horizon3.ai/attack-research/disclosures/critical-vulnerabilities-in-simplehelp-remote-support-software/ Sekoia | Double-Tap Campaign: Russia-nexus APT possibly related to APT28 conducts cyber espionage on Central Asia and Kazakhstan diplomatic relations: https://blog.sekoia.io/double-tap-campaign-russia-nexus-apt-possibly-related-to-apt28-conducts-cyber-espionage-on-central-asia-and-kazakhstan-diplomatic-relations/ ---------- Stay in Touch! Twitter: https://twitter.com/Intel471Inc LinkedIn: https://www.linkedin.com/company/intel-471/ YouTube: https://www.youtube.com/channel/UCIL4ElcM6oLd3n36hM4_wkg Discord: https://discord.gg/DR4mcW4zBr Facebook: https://www.facebook.com/Intel471Inc/
In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.In recent months, cybersecurity researchers have observed a surge in the use of a social engineering technique known as "ClickFix." This method involves threat actors presenting users with deceptive error messages that prompt them to manually execute malicious commands, often by copying and pasting scripts into their systems.Raspberry Robin, also known as Roshtyak, is a highly obfuscated malware first discovered in 2021, notable for its complex binary structure and advanced evasion techniques. It primarily spreads via infected USB devices and employs multi-layered execution to obscure its true purpose. A China-linked Advanced Persistent Threat (APT) group, Gelsemium, has been observed targeting Linux systems for the first time, deploying previously undocumented malware in an espionage campaign. Historically known for targeting Windows platforms, this new activity signifies a shift towards Linux, possibly driven by the increasing security of Windows systems.Russia's APT28 hacking group, also known as Fancy Bear or Unit 26165, has developed a novel technique dubbed the “nearest neighbor attack” to exploit Wi-Fi networks remotely.Hackers linked to the Chinese government, known as Salt Typhoon, have deeply infiltrated U.S. telecommunications infrastructure, gaining the ability to intercept unencrypted phone calls and text messages. The group exploited vulnerabilities in the wiretap systems used by U.S. authorities for lawful interception, marking what Senator Mark Warner has called "the worst telecom hack in our nation's history."
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. What are Microsoft's "Connected Experience" and why might you choose to disconnect from them? Show Notes - https://www.grc.com/sn/SN-1002-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: e-e.com/twit bitwarden.com/twit threatlocker.com for Security Now flashpoint.io
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. What are Microsoft's "Connected Experience" and why might you choose to disconnect from them? Show Notes - https://www.grc.com/sn/SN-1002-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: e-e.com/twit bitwarden.com/twit threatlocker.com for Security Now flashpoint.io
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. What are Microsoft's "Connected Experience" and why might you choose to disconnect from them? Show Notes - https://www.grc.com/sn/SN-1002-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: e-e.com/twit bitwarden.com/twit threatlocker.com for Security Now flashpoint.io
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. What are Microsoft's "Connected Experience" and why might you choose to disconnect from them? Show Notes - https://www.grc.com/sn/SN-1002-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: e-e.com/twit bitwarden.com/twit threatlocker.com for Security Now flashpoint.io
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. What are Microsoft's "Connected Experience" and why might you choose to disconnect from them? Show Notes - https://www.grc.com/sn/SN-1002-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: e-e.com/twit bitwarden.com/twit threatlocker.com for Security Now flashpoint.io
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. What are Microsoft's "Connected Experience" and why might you choose to disconnect from them? Show Notes - https://www.grc.com/sn/SN-1002-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: e-e.com/twit bitwarden.com/twit threatlocker.com for Security Now flashpoint.io
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. What are Microsoft's "Connected Experience" and why might you choose to disconnect from them? Show Notes - https://www.grc.com/sn/SN-1002-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: e-e.com/twit bitwarden.com/twit threatlocker.com for Security Now flashpoint.io
What's the new "nearest neighbor" attack and how do you defend against it? Let's Encrypt just turned 10. What changes has it wrought? Now the Coast Guard is worried about Chinese built ship-to-shore cranes. Pakistan becomes the first country to block Bluesky. There's a new way to get Git repos "swatted" and removed. Who's to blame for Palo Alto Networks' serious new 0-day vulnerabilities? If you have any of these six D-Link VPN routers, unplug them immediately! It turns out that VPN apps are against Shariah Law. Who knew? The Return of Windows Recall. What are we learning now? How many of today's systems remain vulnerable to last year's most popular exploits? We share and respond to a bunch of terrific feedback from our listeners. What are Microsoft's "Connected Experience" and why might you choose to disconnect from them? Show Notes - https://www.grc.com/sn/SN-1002-Notes.pdf Hosts: Steve Gibson and Leo Laporte Download or subscribe to Security Now at https://twit.tv/shows/security-now. Get episodes ad-free with Club TWiT at https://twit.tv/clubtwit You can submit a question to Security Now at the GRC Feedback Page. For 16kbps versions, transcripts, and notes (including fixes), visit Steve's site: grc.com, also the home of the best disk maintenance and recovery utility ever written Spinrite 6. Sponsors: e-e.com/twit bitwarden.com/twit threatlocker.com for Security Now flashpoint.io
Forecast: Stormy skies with APT28's Wi-Fi exploits and rough seas in the Baltics as undersea cables are mysteriously cut. In this episode of Storm⚡️Watch, we review the fascinating poll results that reveal communication with non-technical leaders as the most undervalued skill in modern security, garnering 220 votes across three social media platforms and significantly outpacing other critical abilities like incident report writing, OSINT, and threat hunting. The crew then examines a groundbreaking cyber attack technique dubbed the "Nearest Neighbor Attack," executed by Russian APT28. This sophisticated operation allowed attackers to breach a U.S. organization's network by exploiting nearby Wi-Fi networks through a series of calculated steps, including password spraying and compromising adjacent organizations. The attack, occurring just before Russia's invasion of Ukraine, showcases a novel vector that combines the advantages of physical proximity with remote operation capabilities. Maritime security takes center stage as we explore two major undersea cable cuts in the Baltic Sea this November. The BSC East-West Interlink between Sweden and Lithuania and the C-Lion1 connecting Finland and Germany were severed, causing notable network latency increases. A Chinese vessel, Yi Peng 3, has drawn attention in the investigation, with German Defense Minister Boris Pistorius suggesting these incidents were deliberate hybrid actions rather than accidents. We round out the episode with updates from our respective organizations, including Censys's 2024 State of the Internet Report, VulnCheck's analysis of CISA's top exploited vulnerabilities, and GreyNoise's latest insights on critical infrastructure risks and technical challenges involving null bytes. Storm Watch Homepage >> Learn more about GreyNoise >>
APT28 uses a novel technique to breach organizations via nearby WiFi networks. Your Apple ID is (not) suspended. UK highlighting Russian threats at NATO Cyber Defence Conference. US senators request an audit of TSA's facial recognition technology. Supply chain software company sustains ransomware attack. Critical QNAP vulnerability could allow remote code execution. Outdated Avast Anti-Rootkit driver exploited. No more internet rabbit holes for China. Guest Lesley Carhart from Dragos on "The Shifting Landscape of OT Incident Response." Stop & Shop turns cyber oops into coffee and cookies. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Our guest is Lesley Carhart, Technical Director at Dragos, speaking with Dave Bittner about "The Shifting Landscape of OT Incident Response." You can find the blog here. Selected Reading Russian Cyberspies Hacked Building Across Street From Target for Wi-Fi Attack (SecurityWeek) The Nearest Neighbor Attack: How A Russian APT Weaponized Nearby Wi-Fi Networks for Covert Access (Volexity) New Warning For 2 Billion iPhone, iPad, Mac Users—Your Apple ID Is Suspended (Forbes) Russia plotting to use AI to enhance cyber-attacks against UK, minister will warn (The Guardian) Britain, NATO must stay ahead in 'new AI arms race', says UK minister (Reuters) Senators call for audit of TSA's facial recognition tech as use expands in airports (The Record) Blue Yonder ransomware attack disrupts supply chains across UK and US (Tech Monitor) Critical QNAP Vulnerability Let Attackers Execute Remote Code (Cyber Security News) Malware campaign abused flawed Avast Anti-Rootkit driver (Security Affairs) When Guardians Become Predators: How Malware Corrupts the Protectors (Trellix report) Imagine a land where algorithms don't ruin the Internet (The Register) Stop & Shop recovers from 'cybersecurity issue,' will give out free food, coffee (WTNH) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Cybersecurity Today: Palo Alto Firewalls Breached, APT28's Wi-Fi Hack, Meta Fights Scams In today's episode, over 2,000 Palo Alto firewalls were hacked via patched zero-day vulnerabilities; a Russian group, APT28, exploited Wi-Fi networks in a novel 'Nearest Neighbor Attack' to breach a U.S. firm; Meta removed more than 2 million accounts linked to pig butchering scams; and Google launched a free cybersecurity certificate on Coursera to prepare students for entry-level jobs in six months. Host Jim Love provides in-depth analysis and the latest updates in the world of cybersecurity. 00:00 Introduction and Headlines 00:29 Palo Alto Firewalls Hacked 02:43 Nearest Neighbor Wi-Fi Attack 05:09 Meta's Crackdown on Pig Butchering Scams 07:10 Google's Free Cybersecurity Certificate 08:52 Conclusion and Resources
Česko a Německo jsou dlouhodobě cílem kybernetických útoků ruské skupiny APT28, která je financována ruským státem. Nyní NATO vydalo prohlášení, ve kterém vyzývá členské státy ke spolupráci. Proč až nyní? A jde se vůbec proti ruským útokům bránit?
This week we talk about APT28, spoofing, and hybrid warfare.We also discuss the Baltics, Tartu airport, and hacking.Recommended Book: The Middle Passage by James HollisTranscriptIn early May of 2024, the German government formally blamed a Russian hacking group called APT28 for hacking members of the governing German Social Democratic Party in 2023, and warned of unnamed consequences.Those consequences may apply just to APT28, which is also sometimes called "Fancy Bear," or they may apply to the Russian government, as like many Russia-based hacking groups, APT28 often operates hand-in-glove with the Russian military intelligence service, which allows the Russian government to deny involvement in all sorts of attacks on all sorts of targets, while covertly funding and directing the actions of these groups.APT28 reportedly also launched attacks against German defense, aerospace, and information technology companies, alongside other business entities and agencies involved, even tangentially, with Ukraine and its defense measures against Russia's invasion.This hacking effort allegedly began in early 2022, shortly after Russia began its full-scale invasion of Ukraine, and the head of the Russian embassy in Germany has been summoned to account for these accusations—though based on prior attacks and allegations related to them by Russia's intelligence agencies, and the hacking groups it uses as proxies, that summoning is unlikely to result in anything beyond a demonstration of anger on the part of the German government, formally registered with Russia's representative in Berlin.For its part, Russia's government has said that it was in no way involved in any incidents of the kind the German government describes, though Germany's government seems pretty confident in their assessment on this, at this point, having waited a fair while to make this accusation, and utilizing its partnerships with the US, UK, Canada, and New Zealand to confirm attribution.This accusation has been leveled amidst of wave of similar attacks, also allegedly by Russia and its proxies, against other targets in the EU and NATO—including but not limited to the Czech Republic, Lithuania, Poland, Slovakia, and Sweden.Many of these attacks have apparently made use of an at-the-time unknown security flaw in Microsoft software that gave them access to compromised email accounts for long periods of time, allowing them to, among other things, scoop up intelligence reports from folks in the know in these countries, sifting their messages for data that would help Russia's forces in Ukraine.This group, and other Russia GRU, their intelligence service, proxies, have reportedly targeted government and critical infrastructure targets in at least 10 NATO countries since the fourth quarter of 2023, alone, according to analysis by Palo Alto Networks, and experts in this space have said they're concerned these sorts of attacks, while often oriented toward intelligence-gleaning and at times embarrassing their targets, may also be part of a larger effort to weaken and even hobble intelligence, military, and critical infrastructure networks in regional nations, which could, over time, reduce stability in these countries, increase extremism, and possibly prevent them from defending themselves and their neighbors in the event of a more formal attack by Russian forces.What I'd like to talk about today is another sort of attack, allegedly also launched by Russia against their neighbors in this part of the world, but this one a little less well-reported-upon, at this point, despite it potentially being even more broadly impactful.—The Global Positioning System, or GPS, was originally developed in 1973 by the US Department of Defense. Its first satellite was launched in 1978, and its initial, complete constellation of 24 satellites were in orbit and functional in 1993.This satellite network's full functionality was only available to the US military until 2000, when then-President Bill Clinton announced that it would be opened up for civilian use, as well.This allowed aviation and similar industries to start using it on the vehicles and other assets, and normal, everyday people were thenceforth able to buy devices that tapped this network to help them figure out where they were in the world, and get to and from wherever they wanted to go.A high-level explanation of how GPS works is that all of these satellites contain atomic clocks that are incredibly stable and which remain synchronized with each other, all showing the exact same, very precise time. These satellites broadcast signals that indicate what time their clocks currently read.GPS devices, as long as they can connect to the signals broadcast by a few of these satellites, can figure out where they're located by noting the tiny differences in the time between these broadcasts: signals from satellites that are further away will take longer to arrive, and that time difference will be noted by a given device, which then allows it to triangulate a geolocation based on the distance between the device and those several satellites.This is a simple concept that has created in a world in which most personal electronic devices now contain the right hardware and software to tap these satellite signals, compute these distances, and casually place us—via our smartphones, cars, computers, watches, etc—on the world map, in a highly accurate fashion.This type of technology has proven to be so useful that even before it was made available for civilian use, catalyzing the world that we live in today, other governments were already investing in their own satellite networks, most predicated on the same general concept; they wanted to own their own constellation of satellites and technologies, though, just in case, because the GPS network could theoretically be locked down by the US government at some point, and because they wanted to make sure they had their own militarizable version of the tech, should they need it.There are also flaws in the US GPS system that make it less ideal for some use-cases and in some parts of the world, so some GPS copycats fill in the blanks on some of those flaws, while others operate better at some latitudes than vanilla GPS does.All of which brings us to recent troubles that the global aviation industry has had in some parts of the world, related to their flight tracking systems.Most modern aircraft use some kind of global navigation satellite system, which includes GPS, but also Europe's Galileo, Russia's GLONASS, and China's BeiDou, among other competitors.These signals can sometimes be interrupted or made fuzzy by natural phenomena, like solar flares and the weather, and all of these systems have their own peculiarities and flaws, and sometimes the hardware systems they use to lock onto these signals, or the software they use to compute a location based on them, will go haywire for normal, tech-misbehaving reasons.Beginning in the 1990s, though, we began to see electronic countermeasures oriented toward messing with these global navigation satellite system technologies.These technologies, often called satellite navigation deceivers, are used by pretty much every government on the planet, alongside a slew of nongovernment actors that engage in military or terrorist activities, and they operate using a variety of jamming methods, but most common is basically throwing out a bunch of signals that look like GPS or other navigation system signals, and this has the practical effect of rendering these gadgets unusable, because they don't know which signal is legit and which is garbage; a bit like blasting loud noises to keep people from talking to each other, messing with their communication capacity.It's also possible to engage in what's called GPS Spoofing, which means instead of throwing out gobs of garbage signals, you actually send just a few signals that are intended to look legit and to be accepted by, for instance, a plane's GPS device, which then makes the aircraft's navigation systems think the plane is somewhere other than it is—maybe just a little off, maybe on the other side of the planet.Notably, neither of these sorts of attacks are actually that hard to pull off anymore, and it's possible to build a GPS-jamming device at home, if you really want to, though spoofing is a fair bit more difficult. Also worth knowing is that while making your own jammer is absolutely frowned upon by most governments, and it's actually illegal in the US and UK, across most of the world it's kind of a Wild West in this regard, and you can generally get away with making one if you want to, though there's a chance you'd still be arrested if you caused any real trouble with it.And it is possible to cause trouble with these things: most pilots and crew are aware of how these devices work and can watch for their effects, using backup tools to keep tabs on their locations when they need to; but using those backup tools requires a lot more effort and attention, and there's a chance that if they're hit by these issues at a bad moment, when they're distracted by other things, or when they're coming in for a landing or attempting to navigate safely around another aircraft, that could present a dangerous situation.That's why, until May 31, at the minimum, Finnair will no longer be flying to Tartu airport—which is a very small airport in Estonia, but it's home to the Baltic Defense College, which is one of NATO's educational hubs, and losing a daily flight to Tartu (the only daily flight at this particular airport) from Helsinki, will disconnect this area, via plane, at least, from the rest of Europe, which is inconvenient and embarrassing.This daily flight was cancelled because of ongoing disruptions to the airport's GPS system, which was previously an on-and-off sort of thing, but which, since 2022, when Russia launched its full-scale invasion of Ukraine, has become a lot worse. And Tartu relies exclusively on GPS for planes landing at the airport, and thus doesn't have another fallback system, if GPS fails at a vital, dangerous moment.This is a running theme throughout the Baltic region, an area populated by now-democratic NATO members that were formerly part of the Soviet Union, and which are considered to be at risk of a Russian invasion or other sort of attack if the invasion of Ukraine goes Russia's way.Almost all aircraft flying through this area have experienced GPS-jamming issues since 2022, and though that Finnair flight is the only one to have been cancelled as a result of all this jamming, so far, there are concerns that this could really scramble travel and shipping in the region, as it's making all flying in the area that much more risky on a continuous basis.Finland's government is framing this jamming as part of a hybrid warfare effort on Russia's part—alongside other hybrid efforts, like bussing migrants to Finland's borders in order to strain national coffers and nudge politics toward reactionary extremes.Some other nations are thinking along the same lines, though there's a chance that, rather than this jamming representing an intentional assault on these neighboring nations, it may actually be something closer to overflow from other, nearby jamming activities: Russia jamming GPS signals in Ukraine, for instance, or the governance of the Kaliningrad region, which is a Russian enclave separated from the rest of Russia and surrounded by Poland and Lithuania, engaging in their own, localized jamming, and those signals are then picked up across national borders, because that's how these signals work—just like sound can travel further than you might intend.It's possible we're seeing a bit of both here, overflow from that huge regional conflict, but also intentional jabs meant to make life more difficult for NATO nations, stressing their systems and costing them money and other resources, while also maybe testing the region's capacity to cope with such GPS disruptions and blackouts in the event of a potential future conflict.Another point worth making here, though, is that we see a lot of this sort of behavior in conflict zones, globally.FlightRadar24 recently introduced a live GPS jamming map to keep track of this sort of thing, and as of the day I'm recording this, alongside these consistent irregularities in the Baltic region, Ukraine, and parts of Eastern Europe, there's jamming occurring in the Middle East, near Israel, throughout Turkey, which has ongoing conflicts with insurgents in the afflicted areas, a portion of Moldova that is attempting to break away with the support of Russia, similar to what happened in Ukraine back in 2014, a northern portion of India where the Indian government has an ongoing conflict with separatists, and in Myanmar, where the military government is embroiled in fighting with a variety of groups that have unified to overthrow them.This has become common in conflict zones over the past few decades, then, as those who want to deny this data, and the capabilities it grants, to their enemies tend to blanket the relevant airwaves with disruptive noise or incorrect location information, rendering the GPS and similar networks less useful or entirely useless thereabouts.In Ukraine, the military has already worked out ways around this noise and false information, incorporating alternative navigation systems into their infrastructure, allowing them to use whichever one is the most accurate at any given moment.And it's likely, especially if this dynamic continues, which it probably will, as again, this is a fairly easy thing to accomplish, it's likely that spreading out and becoming less reliant on just one navigation system will probably become more common, or possibly even the de facto setup, which will be beneficial in the sense that each of these systems has its own pros and cons, but perhaps less so in that more satellites will be necessary to keep that larger, multi-model network operating at full capacity, and that'll make it more expensive to operate these systems, while also creating more opportunities for satellite collisions up in the relevant orbit—an orbit that's becoming increasingly crowded, and which is already packed with an abundance of no longer operational craft that must be avoided and operated-around.Show Noteshttps://www.dw.com/en/gps-jamming-in-the-baltic-region-is-russia-responsible/a-68993942https://www.bbc.com/news/articles/cne900k4wvjohttps://www.economist.com/the-economist-explains/2024/04/30/who-is-jamming-airliners-gps-in-the-baltichttps://www.ft.com/content/37776b16-0b92-4a23-9f90-199d45d955c3https://www.reuters.com/business/aerospace-defense/what-is-gps-jamming-why-it-is-problem-aviation-2024-04-30/https://www.politico.eu/article/gps-jamming-is-a-side-effect-of-russian-military-activity-finnish-transport-agency-says/https://www.flightradar24.com/data/gps-jamminghttps://www.flightradar24.com/blog/types-of-gps-jamming/https://en.wikipedia.org/wiki/Aviaconversiyahttps://www.reuters.com/world/europe/russian-hackers-targeted-nato-eastern-european-militaries-google-2022-03-30/https://www.cnn.com/2023/12/07/politics/russian-hackers-nato-forces-diplomats/index.htmlhttps://www.reuters.com/technology/cybersecurity/russian-cyber-attacks-targeted-defence-aerospace-sectors-berlin-says-2024-05-03/https://www.aljazeera.com/news/2024/5/3/germany-accuses-russia-of-intolerable-cyberattack-warns-of-consequenceshttps://en.wikipedia.org/wiki/Fancy_Bear This is a public episode. If you'd like to discuss this with other subscribers or get access to bonus episodes, visit letsknowthings.substack.com/subscribe
durée : 00:03:06 - Un monde connecté - par : François Saltiel - Plusieurs entreprises, institutions et organes publiques européens ont été victimes de cyberattaques, menées par le groupe de hackers APT28, lié aux services de renseignement russes.
In today's podcast we cover four crucial cyber and technology topics, including: Finland discloses ongoing Android malware campaign Czechia, Germany say Russia abused Microsoft flaw to spy Wichita officials say public services limited following ransomware Illinois to review language of law protecting biometric data I'd love feedback, feel free to send your comments and feedback to | cyberandtechwithmike@gmail.com
The State Department puts visa restrictions on spyware developers. UnitedHealth says its recent breach could affect tens of millions of Americans. LockBit leaks data allegedly stolen from the DC government. Microsoft says APT28 has hatched a GooseEgg. The White House and HHS update HIPAA rules to protect private medical data. Keyboard apps prove vulnerable. A New Hampshire hospital suffers a data breach. Microsoft's DRM may be vulnerable to compromise. On our Industry Voices segment, Ian Leatherman, Security Strategist at Microsoft, discusses raising the bar for security in the software supply chain. GoogleTeller just can't keep quiet. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest On our Industry Voices segment, Ian Leatherman, Security Strategist at Microsoft, discusses raising the bar for security in the software supply chain. Selected Reading U.S. Gov imposed Visa restrictions on 13 individuals linked to commercial spyware activity (Security Affairs) UnitedHealth Group Previews Massive Change Healthcare Breach (GovInfo Security) Ransomware Gang Leaks Data Allegedly Stolen From Government Contractor (SecurityWeek) Russian APT28 Group in New “GooseEgg” Hacking Campaign (Infosecurity Magazine) HHS strengthens privacy protections for reproductive health patients and providers (The Record) The not-so-silent type: Vulnerabilities across keyboard apps reveal keystrokes to network eavesdroppers (The Citizen Lab) Records of almost 2,800 CMC patients vulnerable in 'data security incident': hospital | Crime (Union Leader) Microsoft DRM Hack Could Allow Movie Downloads From Popular Streaming Services (SecurityWeek) The creepy sound of online trackers (Axbom) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
EPISODE 106 | Suffer the Children – Pizzagate, Wayfair & the Seeds of QAnon "Without a clear indication of the author's intent, it is difficult or impossible to tell the difference between an expression of sincere extremism and a parody of extremism." In the world of the internet, this is known as Poe's Law, and it's especially applicable to the weird narrative Gordian Knot known as Pizzagate. The adage applies not just to how absurd some beliefs are, but also to the arguments made by people who hold these beliefs. First formulated in 2005 by Nathan Poe, it builds on a 2001 quote by Alan Morgan called Alan's 2nd Law of Newsgroups, which states, “Any sufficiently advanced troll is indistinguishable from a genuine kook.” And that is certainly the case for the wild story that “a hipster-heavy pizza parlor” (as they put it on their website) in the Chevy Chase neighborhood of Washington D.C. is not just a fun family place with pizza, ping pong and live music, but the nerve center for an diabolical child trafficking ring that operates out in the open because they are protected by highly-placed pedophiles in the Democratic party. As an article on Cracked.com puts it, “This is supported by lots of very stupid evidence”. The stakes of the fake narrative are so high that it's become more than just true believers review bombing the place. Workers have been harassed and, on December 4, 2016, a heavily armed man entered the restaurant and started firing guns. The story of Pizzagate is the story of how the conspirasphere went from harmless kookery to being actually, physically dangerous. TRIGGER WARNING: Some pretty disturbing things will be talked about in this episode, so if the subject of child sexual abuse and trafficking is deeply uncomfortable for you, perhaps you should not listen. I mean, it should be uncomfortable to anyone, but you know what I mean. Like what we do? Then buy us a beer or three via our page on Buy Me a Coffee. #ConspiracyClearinghouse #sharingiscaring #donations #support #buymeacoffee You can also SUBSCRIBE to this podcast. Review us here or on IMDb! SECTIONS 03:11 - A note, pedophilia is a mental disorder, victims suffer for many years, how do we handle this problem? 06:31 - How it all began: Hillary Clinton's emails, John Podesta, Anthony Weiner and Huma Abedin; "Carmen Katz" makes allegations, "David Goldberg" shares and extends these 08:46 - Side note: "Carmen Katz" is Cynthia Campbell, "David Goldberg" is an anti-Semitic fake profile; Amanda Rob finds Borce Pejcev in Macedonia, a fake news click bait ecosystem, it really all began with Doug Hagmann of Eerie, PA 12:35 - Russian hackers Fancy Bear, APT28 and Sofacy use "spear phishing " attacks 13:30 - Pedo codes on 4chan: pizza, cheese, hot dogs, dominos and handkerchief codes; Comet Ping Pong gets targeted 16:30 - DumbScribblyUnctious see all sorts of things - murals, art, logos, musical acts and more; Pizzagaters talks of aliens, the Illuminati, Satanic rituals and Arun Rao; Susan Alefantis knew a pedophile, Tony "pasta obsession" Podesta knew Dennis Hastert, another pedophile, and also collects art (including some by Rachel Rose); Amanda Kleinman (Majestic Ape) of Heavy Breathing performs at Sasha Lord's birthday party and "secret pizza" is maybe mentioned, the film "Automatic At Sea", the Clinton Foundation in Haiti, Alex Jones issues a "bulletin" 25:49 - #pizzagate soars, Comet Ping Pong gets hassled, Turkey's Erdoğan jumps on the story, InfoWars spearheads the narrative, fake images proliferate, artists and musicians also harassed, it might all have been coordinated; other businesses (especially pizza places) get targeted, like Roberta's in Brooklyn and East Side Pies in Austin, TX 30:33 - Edgar Maddison Welch storms Comet Ping Pong with guns, InfoWars apologizes, then retracts the apology; white supremacist Jack Posobiec says Welch is a crisis actor; neo-Nazi pubs the Daily Stormer, the Right Stuff and Smoloko News continue the Pizzagate narrative 35:07 - Canadian Andrew Richmond's ice cream shop Sweet Jesus gets the #PedoGate treatment 36:15 - Portland, Oregon's Voodoo Donuts gets the same treatment thanks to talentless poet VeganMikey (Michael Whelan); #donutgate starts trending, building on a previous #donutgate when Ariana Grande and Ricky Alvarez licked food at Wolfee Donuts; Big League Politics's "research organization" Pedo Takedown Crew funds a coordinated harassment campaign and expand the narrative, adding tunnels, schools, and child-smiggling submarines 41:35 - In England, recreational troll Oliver Redmond targets Paul Cheape's vape shop business 43:32 - Mattress Firm gets targeted 45:32 - Frazzledrip: a very nasty fake video (trigger warning - seriously, it's really nasty), QAnon terms "adrenochrome" and "spirit cooking" get added to the Pizzagate lexicon 47:56 - PrincessPeach1987 kicks of the Wayfair affair, the now combined Pizzagate and QAnon make a LOT of noise, it's all nonsense and yet there were real consequences for real people, iMGSRC.ru and US Army Staff Sgt. Richard Ciccarella 57:25 - Cybersteria and the very first QAnon 4chan post Music by Fanette Ronjat More Info Pedophilia defined on Psychology Today Crimes against Children Research Center Facts and Stats About Child Sexual Abuse The possible long-term effects of experiencing child sexual abuse Long-term Effects of Child Sexual Abuse and Molestation on Helping Survivors A review of the long-term effects of child sexual abuse on the National Library of Medicine website Child Molesters: A Behavioral Analysis paper Sexuality of Offenders on the Zero Abuse Project Facts About Homosexuality and Child Molestation by Gregory Herek Everything You Need To Know About Pizzagate (Is Insane) on Cracked.com Pizzagate on RationalWiki Pizzagate: A slice of fake news on Reveal Anatomy of a Fake News Scandal in Rolling Stone Anthony Weiner breaks down after he's sentenced to 21 months for sexting on ABC News How The Bizarre Conspiracy Theory Behind "Pizzagate" Was Spread on BuzzFeed How Hackers Broke Into John Podesta and Colin Powell's Gmail Accounts on Vice Comet Ping Pong - Pizzagate Summary by DumbScribblyUnctious How Pizzagate went from fake news to a real problem for a D.C. business on PolitiFact 'It's a form of addiction' - Tony Podesta's art addiction article in The Guardian Rachel Rose - Aubade: Grendel's Mother (live reading) video Pizzagate, the fake news conspiracy theory that led a gunman to DC's Comet Ping Pong, explained on Vox Pizzagate gunman recorded video for daughters, said he's standing up for children on CBS News Death threats, abuse, then a gunman: 'Pizzagate' businesses relive ordeal in The Guardian Pizzagate: Gunman fires in restaurant at centre of conspiracy on BBC News What to Know About Pizzagate, the Fake News Story With Real Consequences in Time 'Pizzagate' gunman pleads guilty as conspiracy theorist apologizes over case Is Comet Ping Pong Pizzeria Home to a Child Abuse Ring Led by Hillary Clinton? on Snopes Dissecting the #PizzaGate Conspiracy Theories in the New York Times A Moral Panic for the Age of Trump: “Pizzagate” is the latest in a long line of child-sex-ring myths on Slate The PizzaGate Gunman's Paranoid Rescue Fantasy Comes from a Long American Tradition on Reason 'There's Nothing You Can Do': The Legacy of #Pizzagate on SPLC Secret message board drives 'pizzagate'-style harassment campaign of small businesses on NBC News When Nerds Attack - Gamergate, Elevatorgate & Sad Puppies episode Voodoo Donuts website Voodoo Doughnut Gets Sucked Into Outrageous Far-Right Conspiracy Theory on Eater Wolfee Donuts Pressing Charges Against Ariana Grande Donut-Gate on Ariana Grande fandom wiki Vegan Mikey - bad poet and troll #Donutgate: How one Oregon donut shop became the target of online conspiracy theorists on Salon Connecting the Dots Between Donutgate and Pizzagate Man jailed for falsely branding a businessman a ‘dirty paedophile' The Great Mattress Conspiracy: Why Are There So Many Mattress Firm Stores Why Are There So Many Mattress Stores? A wildly popular conspiracy theory about why there are so many Mattress Firm stores is starting to sound less crazy Mattress Firm responds to the wild conspiracy theory about its business that people are going crazy over The Mattress Firm Conspiracy: An Analysis The Mattress Firm Money Laundering Conspiracy Theory on Snopes What Is Frazzledrip? Fake Hillary Clinton Video Builds on Pizzagate Conspiracy Theory in Newsweek Frazzledrip: Is a Hillary Clinton 'Snuff Film' Circulating on the Dark Web? on Snopes Hush Supper Club Full Frazzledrip video (WARNING) Claims that pizza listings on Etsy are selling child pornography are baseless Reddit post that kicked off Wayfair conspiracy theories Outrageously Priced Wayfair Cabinets Lead to Human Trafficking Conspiracy Kids Shipped in Armoires? The Person Who Started the Wayfair Conspiracy Speaks in Newsweek Wayfair: The false conspiracy about a furniture firm and child trafficking on BBC News Baseless Wayfair child-trafficking theory spreads online on AP The bizarre story of how internet conspiracy theorists convinced themselves Wayfair is trafficking children on CBC News A US soldier working at Mar-a-Lago uploaded photos of an underage girl to a Russian website — a closer look at the site reveals a horrific underworld A US Army soldier who worked at Trump's Mar-a-Lago resort uploaded photos of an underage girl to a Russian website, prosecutors say How a reporter found the true story behind a false story of sex trafficking Is Wayfair Trafficking Children Via Overpriced Items? on Snopes MISSING IN KANSAS: Anabel Wilson no longer missing How A QAnon Conspiracy Theory Involving A Wayfair Pillow Left A Metro Detroit Teen Struggling A girl falsely believed to be a victim of the fake Wayfair sex-trafficking ring says she had hives, lost sleep over the conspiracy theory A QAnon con: How the viral Wayfair sex trafficking lie hurt real kids Human Trafficking Rumors: Viral Stories That Do More Harm Than Good at the Polaris Project The Storm Is the New Pizzagate — Only Worse Follow us on social: Facebook Twitter Other Podcasts by Derek DeWitt DIGITAL SIGNAGE DONE RIGHT - Winner of a 2022 Gold Quill Award, 2022 Gold MarCom Award, 2021 AVA Digital Award Gold, 2021 Silver Davey Award, 2020 Communicator Award of Excellence, and on numerous top 10 podcast lists. PRAGUE TIMES - A city is more than just a location - it's a kaleidoscope of history, places, people and trends. This podcast looks at Prague, in the center of Europe, from a number of perspectives, including what it is now, what is has been and where it's going. It's Prague THEN, Prague NOW, Prague LATER
Host of the CyberWire Daily podcast segment Threat Vector, David Moulton sits down with Mike "Siko" Sikorski from Palo Alto Networks Unit 42 to discuss their research on "Fighting Ursa Aka APT28: Illuminating a Covert Campaign." Unit 42 just published new threat intelligence on Fighting Ursa (aka APT28), a group associated with Russia's military intelligence, on how they are exploiting a Microsoft Outlook vulnerability (CVE-2023-23397) to target organizations in NATO member countries, Ukraine, Jordan, and the UAE. These organizations are of strategic importance in defense, foreign affairs, economy, energy, transportation, and telecommunications. The research can be found here: Fighting Ursa Aka APT28: Illuminating a Covert Campaign
Host of the CyberWire Daily podcast segment Threat Vector, David Moulton sits down with Mike "Siko" Sikorski from Palo Alto Networks Unit 42 to discuss their research on "Fighting Ursa Aka APT28: Illuminating a Covert Campaign." Unit 42 just published new threat intelligence on Fighting Ursa (aka APT28), a group associated with Russia's military intelligence, on how they are exploiting a Microsoft Outlook vulnerability (CVE-2023-23397) to target organizations in NATO member countries, Ukraine, Jordan, and the UAE. These organizations are of strategic importance in defense, foreign affairs, economy, energy, transportation, and telecommunications. The research can be found here: Fighting Ursa Aka APT28: Illuminating a Covert Campaign Learn more about your ad choices. Visit megaphone.fm/adchoices
The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28's exploitation of Cisco routers in 2021. AA23-108A Alert, Technical Details, and Mitigations Malware Analysis Report Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
© 2020-2026 Ivy Podcast Discovery LLC
