POPULARITY
CISA braces for widespread staffing cuts. Russian hackers target a Western military mission in Ukraine. China acknowledges Volt Typhoon. The U.S. signs on to global spyware restrictions. A lab supporting Planned Parenthood confirms a data breach. Threat actors steal metadata from unsecured Amazon EC2 instances. A critical WordPress plugin vulnerability is under active exploitation. A new analysis details a critical unauthenticated remote code execution flaw affecting Ivanti products. Joining us today is Johannes Ullrich, Dean of Research at SANS Technology Institute, with his take on "Vibe Security." Does AI understand, and does that ultimately matter? Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Joining us today is Johannes Ullrich, Dean of Research at SANS Technology Institute, discussing "Vibe Security," similar to “Vibe Coding” where security teams overly rely on AI to do their job. Selected Reading Trump administration planning major workforce cuts at CISA (The Record) Cybersecurity industry falls silent as Trump turns ire on SentinelOne (Reuters) Russian hackers attack Western military mission using malicious drive (Bleeping Computer) China Admitted to US That It Conducted Volt Typhoon Attacks: Report (SecurityWeek) US to sign Pall Mall pact aimed at countering spyware abuses (The Record) US lab testing provider exposed health data of 1.6 million people (Bleeping Computer) Amazon EC2 instance metadata targeted in SSRF attacks (SC Media) Vulnerability in OttoKit WordPress Plugin Exploited in the Wild (SecurityWeek) Ivanti 0-day RCE Vulnerability Exploitation Details Disclosed (Cyber Security News) Experts Debate: Do AI Chatbots Truly Understand? (IEEE Spectrum) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
A joint advisory labels Fast Flux a national security threat. Europol shuts down a major international CSAM platform. Oracle verifies a data breach. A new attack targets Apache Tomcat servers. The Hunters International group pivots away from ransomware. Hackers target Juniper routers using default credentials. A controversy erupts over a critical CrushFTP vulnerability. Johannes Ullrich, Dean of Research at SANS Technology Institute unpacks Next.js. Abracadabra, alakazam — poof! Your credentials are gone. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Johannes Ullrich, Dean of Research at SANS Technology Institute, is discussing Next.js and how similar problems have led to vulnerabilities recently. Selected Reading Fast Flux: A National Security Threat (CISA) Don't cut CISA personnel, House panel leaders say, as they plan legislation giving the agency more to do (CyberScoop) CSAM platform Kidflix shut down by international operation (The Record) AI Image Site GenNomis Exposed 47GB of Underage Deepfakes (Hackread) Oracle tells clients of second recent hack, log-in data stolen, Bloomberg News reports (Reuters) Hackers Exploiting Apache Tomcat Vulnerability to Steal SSH Credentials & Gain Server Control (Cyber Security News) Hunters International Ransomware Gang Rebranding, Shifting Focus (SecurityWeek) Hackers Actively Scanning for Juniper's Smart Router With Default Password (Cyber Security News) Details Emerge on CVE Controversy Around Exploited CrushFTP Vulnerability (SecurityWeek) New Malware Attacking Magic Enthusiasts to Steal Login Credentials (Cyber Security News) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. Learn more about your ad choices. Visit megaphone.fm/adchoices
A new OpenSSH vulnerability affects Linux systems. The Supreme Court sends social media censorship cases back to the lower courts. Chinese hackers exploit a new Cisco zero-day. HubSpot investigates unauthorized access to customer accounts. Japanese media giant Kadokawa confirmed data leaks from a ransomware attack. FakeBat is a popular malware loader. Volcano Demon is a hot new ransomware group. Google launches a KVM hypervisor bug bounty program. Johannes Ullrich from SANS Technology Institute discusses defending against API attacks. Goodnight, Sleep Tight, Don't Let the Hackers Byte! Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Guest is Johannes Ullrich from SANS Technology Institute talking about defending against attacks affecting APIs and dangerous new attack techniques you need to know about. This conversation is based on Johannes' presentations at the 2024 RSA Conference. You can learn more about them here: Attack and Defend: How to Defend Against Three Attacks Affecting APIs The Five Most Dangerous New Attack Techniques You Need to Know About Selected Reading New regreSSHion OpenSSH RCE bug gives root on Linux servers (Bleeping Computer) US Supreme Court sidesteps dispute on state laws regulating social media (Reuters) China's ‘Velvet Ant' hackers caught exploiting new zero-day in Cisco devices (The Record) HubSpot accounts breach under investigation (SC Media) Japanese anime and gaming giant admits data leak following ransomware attack (The Record) Exposing FakeBat loader: distribution methods and adversary infrastructure (Sekoia.io blog) Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker (Halcyon) Google launches Bug Bounty Program for KVM Hypervisor (Stack Diary) How to Get Root Access to Your Sleep Number Bed (Dillan Mills) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices
Guests: Ed Skoudis, President at SANS Technology Institute [@SANS_EDU]On LinkedIn | https://www.linkedin.com/in/edskoudis/At RSAC | https://www.rsaconference.com/experts/ed-skoudisHeather Mahalik Barnhart, Faculty Fellow & DFIR Curriculum Lead at SANS, Sr Dir of Community Engagement at Cellebrite [@Cellebrite]On LinkedIn | https://www.linkedin.com/in/heather-mahalik-cellebrite/On Twitter | https://twitter.com/HeatherMahalikAt RSAC | https://www.rsaconference.com/experts/heather-mahalikJohannes Ullrich, Dean of Research at SANS Technology Institute [@sansforensics]On LinkedIn | https://www.linkedin.com/in/johannesullrich/On Twitter | https://twitter.com/sans_iscOn Mastodon | https://infosec.exchange/@jullrichAt RSAC | https://www.rsaconference.com/experts/johannes-ullrich____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this new episode of the On Location Podcast with Sean and Marco, listeners were treated to an in-depth preview of the RSA Conference SANS Keynote, featuring engaging dialogues with industry luminaries Ed Skoudis, Heather Mahalik Barnhart, and Johannes Ullrich. Each brought to the fore their unique perspectives and expertise, providing a fascinating glimpse into the current state and future direction of cybersecurity.Ed Skoudis, President of the SANS Technology Institute College, stands at the forefront of cybersecurity education, guiding the future of the field through his leadership and vision. As moderator of the RSA Conference keynote panel, Skoudis emphasized the panel's history and its focus on burgeoning cybersecurity threats and innovations. His dual role as a SANS fellow and the founder of CounterHack challenges underscores a commitment to practical, real-world applications of cybersecurity knowledge.Heather Mahalik Barnhart brings a wealth of experience as the Curriculum Lead at SANS and a Senior Director of Community Engagement at Celebrite. Her expertise in mobile threats and digital intelligence is pivotal in an era where mobile devices are ubiquitous. Barnhart's focus on the escalation of mobile security threats underscores the critical need for continuous vigilance and advanced protective measures in cybersecurity practices.Johannes Ullrich, Dean of Research for the SANS Technology Institute College, brings his profound insights into web application security to the discussion. His leadership at the Internet Storm Center provides him with a unique vantage point on the latest cyber threats and defensive strategies. Ullrich's work exemplifies the essential nature of forward-looking research in developing effective cybersecurity defenses.The conversation highlights not just individual achievements but also the collective effort of the panel to address current cyber threats while preparing for future challenges. The keynote panelists discussed their approach to selecting topics that not only resonate with current issues but also anticipate future threats. This proactive approach is a testament to their deep understanding of the cybersecurity landscape and their commitment to equipping professionals with the knowledge to stay one step ahead.Terrence Williams, a new addition to the panel and a notable figure in cloud security from Amazon, and Steve Sims, an authority on offensive security curriculum at SANS, were also mentioned as key contributors to the upcoming keynote session. Their inclusion promises to bring fresh insights and a broader perspective to the discussions, enriching the discourse on cybersecurity's most pressing and complex issues.Key Questions AddressedHow does SANS choose the five topics for the RSA Conference SANS Keynote?What are the key cybersecurity trends and threats for the future?How can individuals and organizations mitigate these identified threats?Be sure to follow our Coverage Journey and subscribe to our podcasts!____________________________Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageOn YouTube:
Guests: Ed Skoudis, President at SANS Technology Institute [@SANS_EDU]On LinkedIn | https://www.linkedin.com/in/edskoudis/At RSAC | https://www.rsaconference.com/experts/ed-skoudisHeather Mahalik Barnhart, Faculty Fellow & DFIR Curriculum Lead at SANS, Sr Dir of Community Engagement at Cellebrite [@Cellebrite]On LinkedIn | https://www.linkedin.com/in/heather-mahalik-cellebrite/On Twitter | https://twitter.com/HeatherMahalikAt RSAC | https://www.rsaconference.com/experts/heather-mahalikJohannes Ullrich, Dean of Research at SANS Technology Institute [@sansforensics]On LinkedIn | https://www.linkedin.com/in/johannesullrich/On Twitter | https://twitter.com/sans_iscOn Mastodon | https://infosec.exchange/@jullrichAt RSAC | https://www.rsaconference.com/experts/johannes-ullrich____________________________Hosts: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/sean-martinMarco Ciappelli, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining Society PodcastOn ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/marco-ciappelli____________________________Episode NotesIn this new episode of the On Location Podcast with Sean and Marco, listeners were treated to an in-depth preview of the RSA Conference SANS Keynote, featuring engaging dialogues with industry luminaries Ed Skoudis, Heather Mahalik Barnhart, and Johannes Ullrich. Each brought to the fore their unique perspectives and expertise, providing a fascinating glimpse into the current state and future direction of cybersecurity.Ed Skoudis, President of the SANS Technology Institute College, stands at the forefront of cybersecurity education, guiding the future of the field through his leadership and vision. As moderator of the RSA Conference keynote panel, Skoudis emphasized the panel's history and its focus on burgeoning cybersecurity threats and innovations. His dual role as a SANS fellow and the founder of CounterHack challenges underscores a commitment to practical, real-world applications of cybersecurity knowledge.Heather Mahalik Barnhart brings a wealth of experience as the Curriculum Lead at SANS and a Senior Director of Community Engagement at Celebrite. Her expertise in mobile threats and digital intelligence is pivotal in an era where mobile devices are ubiquitous. Barnhart's focus on the escalation of mobile security threats underscores the critical need for continuous vigilance and advanced protective measures in cybersecurity practices.Johannes Ullrich, Dean of Research for the SANS Technology Institute College, brings his profound insights into web application security to the discussion. His leadership at the Internet Storm Center provides him with a unique vantage point on the latest cyber threats and defensive strategies. Ullrich's work exemplifies the essential nature of forward-looking research in developing effective cybersecurity defenses.The conversation highlights not just individual achievements but also the collective effort of the panel to address current cyber threats while preparing for future challenges. The keynote panelists discussed their approach to selecting topics that not only resonate with current issues but also anticipate future threats. This proactive approach is a testament to their deep understanding of the cybersecurity landscape and their commitment to equipping professionals with the knowledge to stay one step ahead.Terrence Williams, a new addition to the panel and a notable figure in cloud security from Amazon, and Steve Sims, an authority on offensive security curriculum at SANS, were also mentioned as key contributors to the upcoming keynote session. Their inclusion promises to bring fresh insights and a broader perspective to the discussions, enriching the discourse on cybersecurity's most pressing and complex issues.Key Questions AddressedHow does SANS choose the five topics for the RSA Conference SANS Keynote?What are the key cybersecurity trends and threats for the future?How can individuals and organizations mitigate these identified threats?Be sure to follow our Coverage Journey and subscribe to our podcasts!____________________________Follow our RSA Conference USA 2024 coverage: https://www.itspmagazine.com/rsa-conference-usa-2024-rsac-san-francisco-usa-cybersecurity-event-infosec-conference-coverageOn YouTube:
Johannes Ullrich, dean of research at the SANS Technology Institute, offers healthcare CISOs, CIOs and other security leaders advice on how best to protect their organizations from the vulnerabilities that lie within web apps.
Johannes Ullrich from SANS talking about the Internet Storm Center and how they do research. Internet Storm Center was created as a mix of manual reports submitted by security analysts during Y2K and automated firewall collection started by DShield. The research shares how SANS used their "agile honeypots" to "zoom in" on events to more effectively collect data targeting specific vulnerabilities. Internet Storm Center has been noted on three separate attacks that were observed. The research can be found here: Jenkins Brute Force Scans Scans for Ivanti Connect "Secure" VPN Vulnerability (CVE-2023-46805, CVE-2024-21887) Scans/Exploit Attempts for Atlassian Confluence RCE Vulnerability CVE-2023-22527 Learn more about your ad choices. Visit megaphone.fm/adchoices
Johannes Ullrich from SANS talking about the Internet Storm Center and how they do research. Internet Storm Center was created as a mix of manual reports submitted by security analysts during Y2K and automated firewall collection started by DShield. The research shares how SANS used their "agile honeypots" to "zoom in" on events to more effectively collect data targeting specific vulnerabilities. Internet Storm Center has been noted on three separate attacks that were observed. The research can be found here: Jenkins Brute Force Scans Scans for Ivanti Connect "Secure" VPN Vulnerability (CVE-2023-46805, CVE-2024-21887) Scans/Exploit Attempts for Atlassian Confluence RCE Vulnerability CVE-2023-22527 Learn more about your ad choices. Visit megaphone.fm/adchoices
Dean of Research, Johannes Ullrich, relays his experiences from studying the hard sciences to his career shift to cybersecurity. Basic principles, superhero origin stories, physics labs and radiation all figure in. And there's a lot in common with network security best practices. Have a listen to what Johannes has learned and what he hopes to impart on his students. Our thanks to Johannes for sharing his story with us.
Dean of Research, Johannes Ullrich, relays his experiences from studying the hard sciences to his career shift to cybersecurity. Basic principles, superhero origin stories, physics labs and radiation all figure in. And there's a lot in common with network security best practices. Have a listen to what Johannes has learned and what he hopes to impart on his students. Our thanks to Johannes for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys.
The MGM Resorts incident is now believed to be ransomware, and how does that inform our view of Materiality of a cyber incident? MetaStealer targets businesses. Cloud access with stolen credentials. The cloud as an expansive attack surface. Johannes Ullrich from SANS describes malware in dot-inf files. In our Industry Voices segment Dave speaks with Oliver Tavakoli, CTO at Vectra, on the complexity and challenges of cloud service security. And welcome back, or not, Your Highness the Large Language Model, Prince of Nigeria. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/176 Selected reading. Caesars Entertainment Paid Millions to Hackers in Attack (Bloomberg) Caesars Paid Ransom After Suffering Cyberattack (Wall Street Journal) The Cyberattack That Sent Las Vegas Back in Time (Wall Street Journal) Pro Take: MGM Casino Hack Shows Challenge in Defending Connected Tech (Wall Street Journal) ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee, Researchers (Hackread) FBI probing MGM Resorts cyber incident as some casino systems still down (Reuters) MGM Resorts says cyberattack could have material effect on company (NBC News) MGM Resorts cybersecurity breach could cost millions, expert says (KLAS) MGM Resorts shuts down some systems because of a “cybersecurity issue.” (Updated.) (CyberWire) macOS Info-Stealer Malware 'MetaStealer' Targeting Businesses (SecurityWeek) “Authorized” to break in: Adversaries use valid credentials to compromise cloud environments (Security Intelligence) Unit 42 Attack Surface Threat Report (Palo Alto Networks) The Nigerian Prince is Alive and Well: Cybercriminals Use Generative… (Abnormal) Learn more about your ad choices. Visit megaphone.fm/adchoices
The US issues a National Cyber Workforce and Education strategy. Hunting Chinese malware staged in US networks. CISA warns of Barracuda backdoor. WikiLoader malware is discovered. P2Pinfect is a malware botnet targeting publicly-accessible Redis servers. Johannes Ullrich from SANS describes attacks against YouTube content creators. Rick Howard previews his conversation with AWS Ciso CJ Moses. And Russia's SVR continues cyberespionage against Ukrainian and European diplomatic services. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/144 Selected reading. FACT SHEET: Biden-Harris Administration Announces National Cyber Workforce and Education Strategy, Unleashing America's Cyber Talent (The White House) National Cyber Workforce and Education Strategy: Unleashing America's Cyber Talent (The White House) The White House releases the US National Cyber Workforce and Education Strategy. (CyberWire) US hunts Chinese malware staged to interfere with US military operations. (CyberWire) U.S. Hunts Chinese Malware That Could Disrupt American Military Operations (New York Times) CISA Releases Malware Analysis Reports on Barracuda Backdoors (Cybersecurity and Infrastructure Security Agency CISA)CISA: New Submarine malware found on hacked Barracuda ESG appliances (BleepingComputer) Out of the Sandbox: WikiLoader Digs Sophisticated Evasion (Proofpoint) Cado Security Labs Encounter Novel Malware, Redis P2Pinfect (Cado Security) P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm (Unit 42) BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future) BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future Insikt Group) BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities (The Hacker News)
The Lazarus Group targets developers. Threat actors target the banking sector with fake LinkedIn profiles and open source supply chain attacks. Vulnerabilities reported in OpenMeetings. HTML smuggling is sold in the C2C market. Johannes Ullrich from SANS describes attacks against niche web apps. Our guest is Damir Brecic of Inversion6 discussing the privacy and security concerns of Meta's new Threads app. And Romania's SVR reports a pattern of Russian cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/138 Selected reading. GitHub warns of Lazarus hackers targeting devs with malicious projects (BleepingComputer) Cyberattack on GitHub customers linked to North Korean hackers, Microsoft says (Record) Security alert: social engineering campaign targets technology industry employees (The GitHub Blog) First Known Targeted OSS Supply Chain Attacks Against the Banking Sector (Checkmarx) A Twist in the Code: OpenMeetings Vulnerabilities through Unexpected Application State (Sonar) Fresh Phish: HTML Smuggling Made Easy, Thanks to a New Dark Web Phish Kit (INKY) KillNet Showcases New Capabilities While Repeating Older Tactics (Mandiant). Pro-Russian hacktivists increase focus on Western targets. The latest is OnlyFans. (CyberScoop). Anonymous Sudan DDoS strikes dominate attacks by KillNet collective (SC Media) Romanian Intelligence General: All Russian secret services attempted cyber attacks against Romania (ACTMedia)
Our guest, Johannes Ullrich from SANS Institute, joins Dave to discuss their research on "Machine Learning Risks: Attacks Against Apache NiFi." Using their honeypot network, researchers were able to collect some interesting data about a threat actor who is currently going after exposed Apache NiFi servers. Researchers state “On May 19th, our distributed sensor network detected a notable spike in requests for ‘/nifi.'” Investigating further, they instructed a subset of their sensors to forward requests to an actual Apache NiFi instance and within a couple of hours the honeypot was completely compromised. The research can be found here: Machine Learning Risks: Attacks Against Apache NiFi
Our guest, Johannes Ullrich from SANS Institute, joins Dave to discuss their research on "Machine Learning Risks: Attacks Against Apache NiFi." Using their honeypot network, researchers were able to collect some interesting data about a threat actor who is currently going after exposed Apache NiFi servers. Researchers state “On May 19th, our distributed sensor network detected a notable spike in requests for ‘/nifi.'” Investigating further, they instructed a subset of their sensors to forward requests to an actual Apache NiFi instance and within a couple of hours the honeypot was completely compromised. The research can be found here: Machine Learning Risks: Attacks Against Apache NiFi Learn more about your ad choices. Visit megaphone.fm/adchoices
MOVEit Transfer software sees exploitation. A website skimmer has been employed against targets in the Americas and Europe. A look into XeGroup's recent criminal activity. Apple denies the FSB's allegations of collusion with NSA. Kaspersky investigates compromised devices. Johannes Ullrich from SANS describes phony YouTube "live streams". Our guest is Sherry Huang from William and Flora Hewlett Foundation to discuss their grants funding cyber policy studies. And the US Department of Defense provides Starlink services to Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/106 Selected reading. MOVEit Transfer Critical Vulnerability (May 2023) (Progress Software) Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability (Rapid7) New MOVEit Transfer zero-day mass-exploited in data theft attacks (BleepingComputer) Hackers use flaw in popular file transfer tool to steal data, researchers say (Reuters) New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others (Akamai) Not your average Joe: An analysis of the XeGroup's attack techniques (Menlo Security) Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin (The Hacker News) Apple denies surveillance claims made by Russia's FSB (Reuters) FSB uncovers US intelligence operation via malware on Apple mobile phones (TASS) Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own (WIRED) Operation Triangulation: iOS devices targeted with previously unknown malware (Kaspersky) Lithuania becomes first to designate Russia as terrorist state (CSCE) Pentagon confirms SpaceX deal for Ukraine Starlink services (C4ISRNET)
CosmicEnergy is OT and ICS malware from Russia, maybe for red teaming, maybe for attack. Updates on Volt Typhoon, China's battlespace preparation in Guam and elsewhere. In the criminal underworld, Legion malware has been upgraded for the cloud. Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. And Atlantic hurricane season officially opens next week: time to batten down those digital hatches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/102 Selected reading. COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant) People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory) Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft) China hits back at 'the empire of hacking' over Five Eyes US cyber attack claims (ABC) Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker (Cado) Legion Malware Upgraded to Target SSH Servers and AWS Credentials (Hacker News) CISA Warns of Hurricane/Typhoon-Related Scams (Cybersecurity and Infrastructure Security Agency CISA)
BellaCiao is malware from Iran's IRGC, while PingPull is malware used by the Chinese government affiliated Tarus Group. Ransomware continues to be a pervasive international threat. An overview of hacktivism. Our guest is CyberMindz founder Peter Coroneos, discussing the importance of mental health in cybersecurity. Johannes Ullrich shares insights from his RSAC panel discussions. And Ukraine continues to collect evidence of Russian war crimes. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/80 Selected reading. Unpacking BellaCiao: A Closer Look at Iran's Latest Malware (Bitdefender Blog) Chinese Alloy Taurus Updates PingPull Malware (Unit 42) Abuse of the Service Location Protocol May Lead to DoS Attacks (Cybersecurity and Infrastructure Security Agency CISA) #RSAC: Ransomware Poses Growing Threat to Five Eyes Nations (Infosecurity Magazine) Hacktivism Unveiled, April 2023 Insights into the footprints of hacktivists (Radware) FBI aiding Ukraine in collection of digital and physical war crime evidence (CyberScoop)
Guests: Katie Nickels, Certified Instructor and Director of Intelligence Operations at SANS Institute [@sansforensics] and Red Canary [@redcanary]On LinkedIn | https://www.linkedin.com/in/katie-nickels/On Twitter | https://twitter.com/likethecoinsOn Mastodon | https://infosec.exchange/@likethecoinsJohannes Ullrich, Dean of Research at SANS Technology Institute [@sansforensics]On LinkedIn | https://www.linkedin.com/in/johannesullrich/On Twitter | https://twitter.com/sans_iscOn Mastodon | https://infosec.exchange/@jullrich____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin____________________________This Episode's SponsorsBlackCloak | https://itspm.ag/itspbcwebBrinqa | https://itspm.ag/brinqa-pmdpSandboxAQ | https://itspm.ag/sandboxaq-j2en____________________________Episode NotesIn this new RSA Conference Coverage podcast episode with ITSPmagazine, cybersecurity experts and SANS instructors, Katie Nickels and Johannes Ullrich, delve into the "Five Most Dangerous New Attack Techniques" panel, a discussion they've been part of for the past few years. They shed light on how they identify these top techniques by examining their increasing prevalence and potential impact. Joined by an outstanding panel of experts, including Heather Mahalik, a mobile technology specialist, and Steve Sims, an offensive security guru, they offer unique insights from different sides of the industry while also highlighting the importance of practical, hands-on advice and defense strategies against these threats.The panel emphasizes the importance of practical, hands-on advice and defense strategies to combat these emerging threats. Furthermore, Johannes shares valuable information about the Internet Storm Center's role in monitoring attacks and disseminating knowledge within the cybersecurity community.Tune in to this must-listen episode for a sneak peek of the latest attack techniques, evolving defense mechanisms, and the collaborative efforts of the cybersecurity community that will be presented during the panel so you can stay one step ahead of the attackers.Don't forget to share and subscribe to ITSPmagazine's RSA Conference Coverage to keep up with the latest trends in technology and cybersecurity.____________________________ResourcesSession | The Five Most Dangerous New Attack Techniques: https://www.rsaconference.com/USA/agenda/session/The%20Five%20Most%20Dangerous%20New%20Attack%20TechniquesInternet Storm Center Diaries: https://isc.sans.edu/Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw____________________________For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverageAre you interested in telling your story in connection with RSA Conference by sponsoring our coverage?
Guests: Katie Nickels, Certified Instructor and Director of Intelligence Operations at SANS Institute [@sansforensics] and Red Canary [@redcanary]On LinkedIn | https://www.linkedin.com/in/katie-nickels/On Twitter | https://twitter.com/likethecoinsOn Mastodon | https://infosec.exchange/@likethecoinsJohannes Ullrich, Dean of Research at SANS Technology Institute [@sansforensics]On LinkedIn | https://www.linkedin.com/in/johannesullrich/On Twitter | https://twitter.com/sans_iscOn Mastodon | https://infosec.exchange/@jullrich____________________________Host: Sean Martin, Co-Founder at ITSPmagazine [@ITSPmagazine] and Host of Redefining CyberSecurity Podcast [@RedefiningCyber]On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/sean-martin____________________________This Episode's SponsorsBlackCloak | https://itspm.ag/itspbcwebBrinqa | https://itspm.ag/brinqa-pmdpSandboxAQ | https://itspm.ag/sandboxaq-j2en____________________________Episode NotesIn this new RSA Conference Coverage podcast episode with ITSPmagazine, cybersecurity experts and SANS instructors, Katie Nickels and Johannes Ullrich, delve into the "Five Most Dangerous New Attack Techniques" panel, a discussion they've been part of for the past few years. They shed light on how they identify these top techniques by examining their increasing prevalence and potential impact. Joined by an outstanding panel of experts, including Heather Mahalik, a mobile technology specialist, and Steve Sims, an offensive security guru, they offer unique insights from different sides of the industry while also highlighting the importance of practical, hands-on advice and defense strategies against these threats.The panel emphasizes the importance of practical, hands-on advice and defense strategies to combat these emerging threats. Furthermore, Johannes shares valuable information about the Internet Storm Center's role in monitoring attacks and disseminating knowledge within the cybersecurity community.Tune in to this must-listen episode for a sneak peek of the latest attack techniques, evolving defense mechanisms, and the collaborative efforts of the cybersecurity community that will be presented during the panel so you can stay one step ahead of the attackers.Don't forget to share and subscribe to ITSPmagazine's RSA Conference Coverage to keep up with the latest trends in technology and cybersecurity.____________________________ResourcesSession | The Five Most Dangerous New Attack Techniques: https://www.rsaconference.com/USA/agenda/session/The%20Five%20Most%20Dangerous%20New%20Attack%20TechniquesInternet Storm Center Diaries: https://isc.sans.edu/Learn more, explore the agenda, and register for RSA Conference: https://itspm.ag/rsa-cordbw____________________________For more RSAC Conference Coverage podcast and video episodes visit: https://www.itspmagazine.com/rsa-conference-usa-2023-rsac-san-francisco-usa-cybersecurity-event-coverageAre you interested in telling your story in connection with RSA Conference by sponsoring our coverage?
Transparent Tribe expands its activity against India's education sector. A Lazarus sub-group is after defense sector targets. The FBI's Denver office warns of potential juicejacking. Legion: a Python-based credential harvester. The source of leaked US intelligence may be closer to identification. Johannes Ullrich from SANS explains upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia's war on Ukraine. Canada responds to claims of Russian cyberattacks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/71 Selected reading. Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector (SentinelOne) Following the Lazarus group by tracking DeathNote campaign (Securelist) DPRK threat actors target C3X and defense sector at large. (CyberWire) FBI office warns against using public phone charging stations at airports or malls, citing malware risk (CBS News) The FBI warns of juicejacking and other risks of public tech. (CyberWire) Legion: an AWS Credential Harvester and SMTP Hijacker (Cado Security) The Legion credential harvester. (CyberWire) Leaker of U.S. secret documents worked on military base, friend says (Washington Post) U.S. may change how it monitors the web after missing leaked documents for weeks (NBC News) Cyberattacks on Canada's gas infrastructure left ‘no physical damage,' Trudeau says (Global News) Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool (CyberScoop) US Warns Russia Getting Creative in Cyberspace (VOA) APT Winter Vivern Resurfaces (Avertium)
Genesis Market gets taken down. Proxyjackers exploit Log4j vulnerabilities. Fast-encrypting Rorschach ransomware uses DLL sideloading. Killnet attempts DDoS attacks against the German ministry. Carole Theriault ponders AI assisted cheating. Johannes Ullrich tracks malware injected in a popular tax filing website. Soft power and Russia's hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/65 Selected reading. 'Operation Cookie Monster': International police action seizes dark web market (Reuters) Stolen credential warehouse Genesis Market seized by FBI (Register) FBI Seizes Bot Shop ‘Genesis Market' Amid Arrests Targeting Operators, Suppliers (KrebsOnSecurity) Genesis Market, one of world's largest platforms for cyber fraud, seized by police (Record) 'Operation Cookie Monster': FBI seizes popular cybercrime forum used for large-scale identity theft (CNN) Cybercrime marketplace Genesis Market shut by FBI, international law enforcement (CNBC) FBI seizes stolen credentials market Genesis in Operation Cookie Monster (BleepingComputer) Notorious Genesis Market cybercrime forum seized in international law enforcement operation (CyberScoop) Proxyjacking has Entered the Chat (Sysdig) Rorschach – A New Sophisticated and Fast Ransomware (Check Point Research) Russian hackers attack German ministry's website (TVP World) Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA 'Must Patch' List (SecurityWeek) Zimbra vulnerability exploited by Russian hackers targeting Nato countries - CISA (Tech Monitor) CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency CISA) NVD - CVE-2022-27926 (National Vulnerability Database) The Interview - Russian cyber weapons 'could do a lot of damage' in the US: Former counterterrorism czar (France 24) Biden cybersecurity chief 'surprised' Russia has not hit US targets amid Ukraine war (Washington Examiner) Ukrainian Cyber War Confirms the Lesson: Cyber Power Requires Soft Power (Council on Foreign Relations)
Threat group with novel malware operates in Southeast Asia. Data theft extortion on the rise. Key findings of Cisco's Cybersecurity Readiness Index. iPhones are no longer welcome in the Kremlin. Russian cyber auxiliaries and privateers devote increased attention to the healthcare sector. Chris Eng from Veracode shares findings of their Annual Report on the State of Application Security. Johannes Ullrich from SANS Institute discusses scams after the failure of Silicon Valley Bank. And BreachForums seems to be under new management. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/54 Selected reading. NAPLISTENER: more bad dreams from developers of SIESTAGRAPH (Elastic Blog) Unit 42 Ransomware and Extortion Report Highlights: Multi-Extortion Tactics Continue to Rise (Palo Alto Network) Ransomware and extortion trends. (CyberWire) Cisco Cybersecurity Readiness Index (Cisco) A look at resilience: companies' ability to fight off cyberattacks. (CyberWire) Putin to staffers: throw out your iPhones over security (Register) Black Basta, Killnet, LockBit groups targeting healthcare in force (SC Media) After BreachForums arrest, new site administrator says the platform will live on (Record)
Telerik exploited, for carding (probably) and other purposes. Cloud storage re-up attacks. Cybercriminals use new measures to avoid detection of phishing campaigns. "Winter Vivern" seems aligned with Russian objectives. Microsoft warns of a possible surge in Russian cyber operations. Boss Sandworm. Johannes Ullrich from SANS talking about malware spread through Google Ads. Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity directives. And don't fear the Reaper. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/51 Selected reading. Threat Actors Exploited Progress Telerik Vulnerability in U.S. Government IIS Server (Cybersecurity and Infrastructure Security Agency CISA) Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA: Federal civilian agency hacked by nation-state and criminal hacking groups (CyberScoop) US govt web server attacked by 'multiple' criminal gangs (Register) The Cloud Storage Re-Up Attack (Avanan) Threat Spotlight: 3 novel phishing tactics (Barracuda) Winter Vivern | Uncovering a Wave of Global Espionage (SentinelOne) Is Russia regrouping for renewed cyberwar? (Microsoft On the Issues) A year of Russian hybrid warfare in Ukraine (Microsoft Threat Intelligence) Russian hackers preparing new cyber assault against Ukraine - Microsoft report (Reuters) Microsoft Warns Russia May Plan More Ransomware Attacks Beyond Ukraine (Bloomberg) This Is the New Leader of Russia's Infamous Sandworm Hacking Unit (WIRED) What's known and not about US drone-Russian jet encounter (AP NEWS) Russia tries to retrieve downed US drone in Black Sea (The Telegraph) Downed U.S. drone points to cyber vulnerabilities (Washington Post)
A wormable version of the PlugX USB malware is found. Compromised webcams as a security threat. Emotet botnet out of hibernation. Proof-of-concept: AI used to generate polymorphic keylogger. Turning to alternatives as conventional tactics fail. Dave Bittner speaks with Eve Maler of ForgeRock to discuss how digital identity can help create a more secure connected car experience. Johannes Ullrich from SANS on configuring a proper time server infrastructure. And Phishing messages via legitimate Google notifications. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/46 Selected reading. A border-hopping PlugX USB worm takes its act on the road (Sophos News) BitSight identifies thousands of global organizations using insecure webcams and other IoT devices, finding many susceptible to eavesdropping (BitSight) Emotet malware attacks return after three-month break (BleepingComputer) BlackMamba: Using AI to Generate Polymorphic Malware (HYAS) Russian Cyberwar in Ukraine Stumbles Just Like Conventional One (Bloomberg) Australian official demands Russia bring criminal hackers ‘to heel' (The Record by Recorded Future) Russia will have to rely on nukes, cyberattacks, and China since its military is being thrashed in Ukraine, US intel director says (Business Insider) BEC 3.0 - Legitimate Sites for Illegitimate Purposes (Avanan)
Implementing the US National Cybersecurity Strategy. The US National Cybersecurity Strategy was informed by lessons from Russia's war. Two threat actors from China up their game. Responding to a phishing campaign. #StopRansomware: Royal Ransomware. CISA releases five ICS advisories. Sameer Jaleel, Kent State University Associate CIO on closing functionality gaps and creating a safer digital environment for students.Johannes Ullrich from SANS on establishing an "End of Support" inventory.EPA issues a memo on water system cybersecurity. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/42 Selected reading. National Cybersecurity Strategy (The White House) US cyber leaders discuss the new National Cyber Strategy. (CyberWire) Biden vows to wield ‘all instruments' in fighting cyberthreats (Defense News) Chinese state-backed hackers Iron Tiger target Linux devices with new malware (Tech Monitor) Chinese hackers use new custom backdoor to evade detection (BleepingComputer) Scam alert: Trezor warns users of new phishing attack (Cointelegraph) FBI and CISA Release #StopRansomware: Royal Ransomware | CISA (Cybersecurity and Infrastructure Security Agency CISA) CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA) EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys.
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys.
The GRU's closely coordinating with cyber criminals. An unidentified threat actor deploys malicious NPM packets. Gootloader uses blogging and SEO poisoning to attract victims. Metador is a so-far unattributed threat actor. Johannes Ullrich from SANS on Resilient DNS Infrastructure. Maria Varmazis interviews Anthony Colangelo, host of spaceflight podcast Main Engine Cutoff, about the iPhone 14 “Emergency SOS via Satellite” feature. And having too much time on your hands while doing time is not a good thing. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/184 Selected reading. GRU: Rise of the (Telegram) MinIOns (Mandiant) Void Balaur | The Sprawling Infrastructure of a Careless Mercenary (SentinelOne) An unidentified threat actor deploys malicious NPM packets (CyberWire) Threat analysis: Malicious npm package mimics Material Tailwind CSS tool (ReversingLabs) A Multimillion Dollar Global Online Credit Card Scam Uncovered (ReasonLabs) Gootloader Poisoned Blogs Uncovered by Deepwatch's ATI Team (Deepwatch) The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities (SentinelOne) SC inmate sentenced for ‘sextortion' scheme that targeted military (Stars and Stripes)
Bronze President shows both enduring interests and adaptability. Iranian threat actor activity is reported. Cybersecurity and small-to-medium businesses. An initial access broker repurposes Conti's old playbook for use against Ukraine. Johannes Ullrich from SANS on Scanning for VoIP Servers. Our guest is Ian Smith from Chronosphere on observability. And Kyivstar as a case study in telco resiliency. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/173 Selected reading. BRONZE PRESIDENT Targets Government Officials (Secureworks) APT42: Crooked Charms, Cons, and Compromises (Mandiant) Profiling DEV-0270: PHOSPHORUS' ransomware operations (Microsoft) Albania cuts diplomatic ties with Iran over July cyberattack (The Washington Post) Initial access broker repurposing techniques in targeted attacks against Ukraine (Google) Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (IBM SecurityIntelligence) Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (BleepingComputer) Ukraine's largest telecom stands against Russian cyberattacks (POLITICO)
Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Poland and Ukraine conclude cybersecurity agreement. Greek national natural gas supplier under criminal cyberattack. Update to the Joint Alert on Zimbra exploitation. Addition to CISA's Known Exploited Vulnerabilities Catalog. Johannes Ullrich from SANS on Control Plane vs. Data Plane vulnerabilities. Our guest is David Nosibor, Platform Solutions Lead for UL to discuss SafeCyber Phase II. And, finally, targeting and trolling, with an excursus on Speedos. Really. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/159 Selected reading. New Iranian APT data extraction tool (Google) LockBit gang hit by DDoS attack after Entrust leaks (Register) Former security chief claims Twitter buried ‘egregious deficiencies' (Washington Post) Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies (CNN) Twitter's Ex-Security Head Files Whistleblower Complaint (Wall Street Journal) Deception, Bots, and Foreign Agents: The Twitter Whistleblower's Biggest Allegations (Time) The Ministry of Digital Transformation, State Service of Special Communication and Information Protection and the Council of Ministers of the Republic of Poland signed Memorandum of understanding in the cybersecurity field. (State Service of Special Communication and Information Protection) Greek natural gas operator suffers ransomware-related data breach (BleepingComputer) Greek gas operator refuses to negotiate with ransomware group after attack (The Record by Recorded Future) Announcement | (DESF) Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA) US government really hopes you've patched your Zimbra server (Register) CISA Adds One Known Exploited Vulnerabilities to Catalog (CISA) Speedo-wearing Russian tourists leak defence secrets on Twitter (The Telegraph)
A criminal talent broker emerges. Developing threats to financial institutions. Phishing through PayPal. Lessons to be learned from LAPSUS$, post-flameout. More spearphishing of Ukrainian targets. US Cyber Command releases IOCs obtained from Ukrainian networks. Johannes Ullrich from SANS on the value of keeping technology simple. Our guests are Carla Plummer and Akilah Tunsill from the organization Black Girls in Cyber. And not really honor, but honor's self-interested first cousin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/137 Selected reading. Atlas Intelligence Group (A.I.G) – The Wrath of a Titan (Cyberint) 'AIG' Threat Group Launches With Unique Business Model (Dark Reading) Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities (Proofpoint) Sending Phishing Emails From PayPal (Avanan) Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group (Tenable®) Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities (Mandiant) Cyber National Mission Force discloses IOCs from Ukrainian networks (U.S. Cyber Command) The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back (HP Wolf Security)
An update on cyber operations in the hybrid war. NPM compromise updates. Free decryptors for AstraLocker and Yashma ransomware. Johannes Ullrich from SANS on attacks against Perimeter Security Devices. Our guest is Sonali Shah from Invicti Security with a look at DevSecOps anxiety. And who's the villain who hijacked the Instagram account of Disneyland? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/130 Selected reading. Russia-Ukraine war: List of key events, day 135 (Al Jazeera) Russia-Ukraine war: Putin warns Moscow has 'barely started' its campaign (The Telegraph) Russian Cybercrime Trickbot Group is systematically attacking Ukraine (Security Affairs) US finance sector encouraged to stay vigilant against retaliatory Russian cyberattacks (SC Magazine) Someone may be prepping an NPM crypto-mining spree (Register) ICS CERT Advisories (CISA) Free decryptor released for AstraLocker, Yashma ransomware victims (BleepingComputer) Disneyland's Instagram Account Hacked With a Series of Profane, Racist Posts (Wall Street Journal)
Another hacked broadcast in a hybrid war. Hunting forward as an exercise in threat intelligence collection and sharing. Cyber threats to the US midterm elections. Phishing for cryptocurrency. FakeCrack delivers a malicious payload to the unwary. Vacations are back. So is travel-themed phishbait. Ann Johnson from Microsoft shares insights on the trends she's tracking here at RSA. Johannes Ullrich brings highlights from his RSA conference panel discussion. And Emotet returns, in the company of some old familiar criminal collaborators. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/111 Selected reading. Hacked Russian radio station broadcasts Ukrainian anthem (Washington Post) Ukraine Successfully Defends Its Cyberspace While Russia Leans Heavily on Guns, Bombs (CNET) Ukraine war: US cyber chief on Kyiv's advantage over Russia (Sky News) NSA Director Confirms Cyber Command 'Hunt Forward' Approach Applies to Russia (ClearanceJobs) Experts, NSA cyber director say ransomware could threaten campaigns in 2022 (CyberScoop) Ransomware, botnets could plague 2022 midterms, NSA cyber director says (The Record by Recorded Future) How Cyber Criminals Target Cryptocurrency (Proofpoint) Crypto stealing campaign spread via fake cracked software (Avast) Threat Actors Prepare Travel-Themed Phishing Lures for Summer Holidays (Hot for Security) Emotet Malware Returns in 2022 (Deep Instinct)
Moscow wants attention to be paid to its messengers. Western support for Ukraine in cyberspace. US remains on alert for Russian cyberattacks. Iran: anti-government hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A gangland threat to firmware. Johannes Ullrich from SANS on security of browsers caching passwords. Dave Bittner sits down with Perry Carpenter to discuss his new book, "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer,''co-author was Kai Roer.. And CISA adds an Atlassian issue to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/107 Selected reading. Russia summons heads of U.S. media outlets, warns of 'stringent measures' (Reuters) US confirms military hackers have conducted cyber operations in support of Ukraine (CNN) Advancing security across Central and Eastern Europe (Google) US Justice Department Braces for More Russian Cyberattacks (VOA) Russia, backed by ransomware gangs, actively targeting US, FBI director says (Cybersecurity Dive) Exiled Iran Group Claims Tehran Hacking Attack (SecurityWeek) Exposing POLONIUM activity and infrastructure targeting Israeli organizations (Microsoft Security) To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions (Mandiant) Russia-Linked Ransomware Groups Are Changing Tactics to Dodge Crackdowns (Wall Street Journal) Conti Targets Critical Firmware (Eclypsium) Atlassian: Unpatched critical Confluence flaw under attack (Register) CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog (CISA)
Pro-Russian DDoS attacks. Sanctions and their effect on ransomware. BlackCat wants $5 million from Carinthia. A fraudster pressures Verizon. Spain will tighten judicial review of intelligence services. Johannes Ullrich looks at VSTO Office Files. Our guests are Cecilia Marinier and Niloo Howe with a preview of the RSAC Innovation Sandbox. CISA releases ICS advisories and with its partners issue guidelines for evaluating 5G implementation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/103 Selected reading. Hacktivists Expanding DDoS Attacks as Part of International Cyber Warfare Strategy (Imperva) Cyberattacks against UK CNI increase amidst Russia-Ukraine war (Intelligent CIO Europe) A cyberwar is already happening in Ukraine, Microsoft analysts say (NPR.org) NSA: Sanctions on Russia Having a Positive Effect on Ransomware Attacks, Attempts Down Due to Difficulty Collecting Ransom Payments (CPO Magazine) BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (BleepingComputer) Hacker Steals Database of Hundreds of Verizon Employees (Vice) Drupal Releases Security Updates (CISA) Keysight N6854A Geolocation server and N6841A RF Sensor software (CISA) Horner Automation Cscape Csfont (CISA) Spain vows legal reforms in wake of spying allegations (MSN) Spain's PM vows to reform intelligence services following phone hacking scandal (The Record by Recorded Future) Spain set to strengthen oversight of secret services after NSO spying scandal (Times of Israel) CISA and DoD Release 5G Security Evaluation Process Investigation Study (CISA)
Was Conti's digital insurrection in Costa Rica misdirection? Google assesses a commercial spyware threat “with high confidence.” Continuing expectations of escalation in cyberspace. The limitations of an alliance of convenience. Fronton botnet shows versatility. Russian hacktivists hit Italian targets, again. Lazarus Group undertakes new SolarWinds exploitation. Crypters in the C2C market. CrateDepression supply chain attack. Johannes Ullrich describes an advance fee scam hitting crypto markets. Our guest is Marty Roesch, CEO of Netography and inventor of Snort. Canada to exclude Huawei from 5G networks on security grounds. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/97 Selected reading. Conti ransomware shuts down operation, rebrands into smaller units (BleepingComputer) Protecting Android users from 0-Day attacks (Google) Microsoft President: Cyber Space Has Become the New Domain of Warfare (Infosecurity Magazine) Twisted Panda: Chinese APT espionage operation against Russian's state-owned defense institutes (Check Point Research) Chinese Hackers Tried to Steal Russian Defense Data, Report Says (New York Times) China-linked Space Pirates APT targets the Russian aerospace industry (Security Affairs) This Russian botnet does far more than DDoS attacks - and on a massive scale (ZDNet) Pro-Russian hackers attack institutional websites in Italy, police say (Reuters) Lazarus hackers target VMware servers with Log4Shell exploits (BleepingComputer) ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups (Security Intelligence) CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware (SentinelOne) Canada to ban Huawei/ZTE 5G equipment, joining Five Eyes allies (Reuters)
All communication leaves the possibility for crossed wires. And as we become more connected, there's a chance for those with ill intentions to steal our information and meddle in our daily lives—with devastating results. Smriti Bhatt breaks down the complexity behind machine-in-the-middle attacks. Johannes Ullrich tells us why we shouldn't always trust that free WiFi. And the “father of SSL” Taher Elgamal notes that while cryptography can address the increasingly sophisticated nature of malware, there are no safe bets in security.If you want to read up on some of our research on machine in the middle attacks, you can check out all our bonus material over at redhat.com/commandlineheroes.Follow along with the episode transcript.
US National Security Advisor says atrocities were part of Russia's plan. Russian commanders seek to keep troops away from dangerous sections of the Internet. Cyberattacks in Finland may be a shot across Helsinki's bow. CERT-UA warns of a phishing campaign. Hacktivists hit Russian organizations. Mixed reviews for US preemptive measures against GRU botnets. Sharkbot-infested apps ejected from Google Play. Johannes Ullrich from SANS on malicious ISO files embedded in HTML. Our guest is Neal Dennis from Cyware on threat intel sharing with members of Auto-ISAC. What you should do when your Shields are Up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/69 Selected reading. Russia Shuffles Command in Ukraine as Thousands Flee the East (New York Times) Sullivan: Intel indicates plan from ‘highest levels' of Russian government to target civilians (The Hill) Russian soldiers banned from social media as ‘uncomfortable truths' drain their morale (The Telegraph) West Seeks to Pierce Russia's Digital Iron Curtain (Foreign Policy) YouTube blocks Russian parliament channel, drawing ire from officials (Reuters) U.S. quietly paying millions to send Starlink terminals to Ukraine, contrary to SpaceX claims (Washington Post) Hackers use Conti's leaked ransomware to attack Russian companies (BleepingComputer) Державна служба спеціального зв'язку та захисту інформації України (GUR) How Russia's Invasion Triggered a US Crackdown on Its Hackers (Wired) The U.S. Opens a Risky New Front in Cyberdefense (Bloomberg) Meet the 1,300 librarians racing to back up Ukraine's digital archives (Washington Post) The Race to Save Posts That May Prove Russian War Crimes (Wired) Exclusive: Senior EU officials were targeted with Israeli spyware (Reuters) SharkBot Android Malware Continues Popping Up on Google Play (SecurityWeek) SharkBot Banking Trojan spreads through fake AV apps on Google Play (Security Affairs) Sharing Cyber Event Information: Observe, Act, Report (CISA)
Russian cyber operators collect against domestic targets. More details on the Viasat hack. Ukrainian hacktivists say they can interfere with Russian geolocation. Spring4shell is another remote-code-execution problem. The Remcos Trojan is seeing a resurgence. Malicious links distributed via Calendly. Johannes Ullrich from SANS on attack surface detection. Our guest is Fleming Shi from Barracuda on cybersecurity champions. Phishing with “emergency data requests.” Lapsus$ may be back from vacation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/62 Selected reading. Vladimir Putin is being lied to by his advisers, says GCHQ (The Telegraph) U.S. intelligence suggests that Putin's advisers misinformed him on Ukraine. (New York Times) White House: Intel shows Putin misled by advisers on Ukraine (AP NEWS) Russian troops sabotaging their own equipment and refusing orders in Ukraine, UK spy chief says (CNBC) Phishing campaign targets Russian govt dissidents with Cobalt Strike (BleepingComputer) KA-SAT Network cyber attack overview (Viasat.com) Tracking cyber activity in Eastern Europe (Google) Ukrainian Hackers Take Aim at Russian Artillery, Navigation Signals (Defense One) Russian efforts in Ukraine have not yet spilled over into cyberattacks on US, says lawmaker (C4ISRNet) New Spring Framework RCE Vulnerability Confirmed - What to do? (Sonatype) New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared (Contrast Security) Spring Core on JDK9+ is vulnerable to remote code execution (Praetorian) Spring4Shell: No need to panic, but mitigations are advised (Help Net Security) Remcos Trojan: Analyzing the Attack Chain (Morphisec) Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests (Bloomberg) Fresh Phish: Phishers Schedule Victims on Calendar App (INKY) Lapsus$ claims Globant as its latest breach victim (TechCrunch)
Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism that affects software supply chains may go too far. An initial access broker in the criminal-to-criminal market. BlackMatter may be working with BlackCat. CISA offers a warning and advice to SATCOM operators. NIST offers some guidance on industrial control system security. Johannes Ullrich reminds us to patch our backup tools. Our guest is Armando Saey from MISI with insights on maritime port security. And Rear Admiral Mehoff, call your office. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/53 Selected reading. Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion (The Hacker News) Software Supply Chain Weakness: Snyk Warns of 'Deliberate Sabotage' of NPM Ecosystem (SecurityWeek) Russian government websites face ‘unprecedented' wave of hacking attacks, ministry says (Washington Post) Ukraine's Digital Ministry Is a Formidable War Machine (Wired) Exposing initial access broker with ties to Conti (Google) Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware (The Hacker News) Strengthening Cybersecurity of SATCOM Network Providers and Customers (CISA) NIST SPECIAL PUBLICATION 1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector (NIST) Hoax caller claiming to be Ukrainian PM got through to UK defence secretary (the Guardian) Russians target Priti Patel and Ben Wallace with fake video calls (The Telegraph)
Propaganda engagements in Russia's hybrid war against Ukraine. ICANN will not block the Internet in Russia. Hacktivists, real and pretended, achieve a nuisance-level of success in Russia's war. Scams and misinformation circulate in Telegram. NVIDIA gets a most curious demand from a cyber gang. CISA's ICS advisories. Johannes Ullrich looks at phishing pages on innocent websites. Our guest is Chase Snyder from ExtraHop to discuss implications of the cyber talent shortage. And, hey, newsflash, no matter what the texts on your phone might say, there's no military draft in the US. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/43 Selected readings. Putin Thought Ukraine Would Fall Quickly. An Airport Battle Proved Him Wrong (Wall Street Journal) Russia's chaotic and confusing invasion of Ukraine is baffling military analysts (CNBC) Last Vestiges of Russia's Free Press Fall Under Kremlin Pressure (New York Times) Don't mention the war: Russian state media sells the lie of Ukrainians shelling their own cities (The Telegraph) Russian troops in disarray and ‘crying' in combat, radio messages reveal (The Telegraph) Demoralised Russian soldiers tell of anger at being ‘duped' into war (the Guardian) The propaganda war has eclipsed cyberwar in Ukraine (MIT Technology Review) Ukraine's request to cut off Russia from the global internet has been rejected (CNN) No, the Army isn't sending Ukraine draft notices via text (Army Times) Hackers Who Broke Into NVIDIA's Network Leak DLSS Source Code Online (Hacker News) Hackers warn Nvidia to open-source their GPU drivers or face data leak (Computing) Cybercriminals who breached Nvidia issue one of the most unusual demands ever (Ars Technica) BD Pyxis (CISA) BD Viper LT (CISA) IPCOMM ipDIO (CISA)
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys.
Merry Christmas and Happy Holidays from the CyberWire and our friends! Enjoy our rendition of the 12 Days of Malware created by Dave Bittner and performed by Dave and friends: Rachel Tobac, Jayson Street, Ron Eddings & Chris Cochran, Ray [Redacted], Dinah Davis, Camille Stewart, Rick Howard, Michelle Dennedy, Jack Rhysider, Johannes Ullrich, and Charity Wright. Ba dum bum bum. Sing along if you are game! Check out our video for the full effect! The 12 Days of Malware lyrics On the first day of Christmas, my malware gave to me: A keylogger logging my keys. On the second day of Christmas, my malware gave to me: 2 Trojan Apps... And a keylogger logging my keys. On the third day of Christmas, my malware gave to me: 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fourth day of Christmas, my malware gave to me: 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the fifth day of Christmas, my malware gave to me: 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the sixth day of Christmas, my malware gave to me: 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the seventh day of Christmas, my malware gave to me: 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eighth day of Christmas, my malware gave to me: 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the ninth day of Christmas, my malware gave to me: 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the tenth day of Christmas, my malware gave to me: 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the eleventh day of Christmas, my malware gave to me: 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! (Bah-dum-dum-dum!) 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys. On the twelfth day of Christmas, my malware gave to me: 12 Hackers hacking... 11 Phishers phishing... 10 Darknet markets... 9 Rootkits rooting... 8 Worms a wiping... 7 Scripts a scraping... 6 Passwords spraying... 5 Zero Days! 4 Crypto scams... 3 Web shells... 2 Trojan Apps... And a keylogger logging my keys.
It seems that Fancy Bear may be interested in Log4shell after all. CISA issues Emergency Directive 22-02, which addressed Log4j. Huawei's reputation as a security risk may be traceable to a 2012 incident in an Australian telco's networks. Tropic Trooper is back, and interested in transportation. Meta kicks out seven “cyber mercenary” surveillance outfits. PseudoManusrypt looks curiously indiscriminate. Johannes Ullrich from SANS Technology Institute on making the great Chinese firewall work for you. Our guest is Terry Halvorsen from IBM on next-gen cybersecurity efforts to fix the cybersecurity inequity. And the US Commission on International Religious Freedom is reportedly hacked. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/241
Cyberespionage in support of Belt and Road, and of Beijing's claims in the South China Sea. Karakurt ransomware skips the encryption and goes right to the doxing. Black Cat ransomware is rising. Vulnerable MikroTik devices are bot-herders' favorites. The Log4Shell zero-day is being exploited in the wild, and will be a tough one to remediate. Julian Assange moves closer to extradition. Johannes Ullrich on changing user behavior. Our guest is Oliver Rochford of Securonix on the affordability of good security. And shoulder-surfing as a threat to Snapchat users. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/236
A reply-chain incident is reported at a major international furniture and housewares retailer. North Korean operators are phishing for South Korean marks using bogus Samsung recruiting emails as phishbait. Fancy Bear has been seen pawing at Gmail. A regional escalation to civilian targets in the cyber conflict between Iran and Israel. More organizations are added to the US Entity List. Johannes Ullrich looks at decrypting Cobalt Strike. Our own Rick Howard wonders if executive really need to know how to drive that tank. And tension between Russia and Ukraine continues to rise. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/227
Software supply chain incidents: FatPipe, PyPi, and IT services generally. A look at recent Iranian operations. The US Federal Reserve publishes its disclosure rules for banks sustaining cyber incidents. CISA issues a set of ICS advisories. Two of the Five Eyes announce plans for continued, even closer cooperation in cyberspace. Johannes Ullrich on attackers abusing "PAM" (Plug Authentication Modules). Our guest is Hatem Naguib, CEO at Barracuda Networks. And a real evil maid seems to have been out and about in Tel Aviv. For links to all of today's stories check out our CyberWire daily news briefing: https://www.thecyberwire.com/newsletters/daily-briefing/10/223