Guest: Steve Ledzian, APAC CTO, Mandiant at Google Cloud

Topics:
We've seen a shift in how boards engage with cybersecurity. From your perspective, what's the most significant misconception boards still hold about cyber risk, particularly in the Asia Pacific region, and how has that impacted their decision-making?
Cybersecurity is rife with jargon. If you could eliminate or redefine one overused term, which would it be and why? How does this overloaded language specifically hinder effective communication and action in the region?
The Mandiant Attack Lifecycle is a well-known model. How has your experience in the East Asia region challenged or refined this model? Are there unique attack patterns or actor behaviors that necessitate adjustments?
Two years post-acquisition, what's been the most surprising or unexpected benefit of the Google-Mandiant combination?
M-Trends data provides valuable insights, particularly regarding dwell time. Considering the Asia Pacific region, what are the most significant factors reducing dwell time, and how do these trends differ from global averages?
Given your expertise in Asia Pacific, can you share an observation about a threat actor's behavior that is often overlooked in broader cybersecurity discussions?
Looking ahead, what's the single biggest cybersecurity challenge you foresee for organizations in the Asia Pacific region over the next five years, and what proactive steps should they be taking now to prepare?

Resources:
EP177 Cloud Incident Confessions: Top 5 Mistakes Leading to Breaches from Mandiant
EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive
EP191 Why Aren't More Defenders Winning? Defender's Advantage and How to Gain it!
SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive
Using frequency analysis, and training the model with honeypot data as well as log data from legitimate websites, allows for a fairly simple and reliable triage of web server logs to identify possible malicious activity.
https://isc.sans.edu/diary/Exploring%20Statistical%20Measures%20to%20Predict%20URLs%20as%20Legitimate%20or%20Intrusive%20%5BGuest%20Diary%5D/31822

Critical Unexploitable Ivanti Vulnerability Exploited CVE-2025-22457
In February, Ivanti patched CVE-2025-22457. At the time, the vulnerability was not considered to be exploitable. Mandiant has now published a blog disclosing that the vulnerability was exploited as early as mid-March.
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/

WinRAR MotW Vulnerability CVE-2025-31334
WinRAR patched a vulnerability that would not apply the Mark of the Web correctly if a compressed file included symlinks. This may make it easier to trick a victim into executing code downloaded from a website.
https://nvd.nist.gov/vuln/detail/CVE-2025-31334

Microsoft Warns of Tax-Related Scam
With the US personal income tax filing deadline only about a week out, Microsoft warns of commonly deployed scams that it is observing related to income tax filings.
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/

Oracle Breach Update
https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen
Three Buddy Problem - Episode 41: Costin and Juanito join the show from Black Hat Asia in Singapore. We discuss Bunnie Huang's keynote on hardware supply chains and a classification system to establish a grounded perspective on trust in hardware, Ivanti's misdiagnosis of a critical VPN appliance flaw and Mandiant reporting on a Chinese APT exploiting Ivanti devices. Plus, breaking news on the sudden firing of NSA director and head of Cyber Command Tim Haugh. We also discuss Microsoft touting AI's value in finding open-source bootloader bugs, a Silent Push report on a Russian APT impersonating the CIA, a backdoor in a popular Chinese robot dog, and Chinese dominance of the robotics market. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).
In this episode of Relating to DevSecOps, Ken Toler and Mike McCabe dive deep into Google's blockbuster acquisition of Wiz.io for a reported $32 billion. They explore the implications for cloud security, the consolidation of the DevSecOps tooling landscape, and how this move compares to Google's previous acquisitions like Mandiant and Chronicle. The duo debates the future of multi-cloud strategies, platform fatigue, and whether Wiz will remain the darling of the security community—or get lost in the labyrinth of Google Cloud products. With sharp insights and a dash of hot takes, they paint a picture of a cloud security ecosystem at a pivotal turning point.
Alphabet (Google's parent company) made the largest acquisition in the company's history last week. It is prepared to pay no less than 32 billion dollars for the young and relatively small Wiz. Cloud security is hot, that much is clear. But is it also a sensible acquisition? We discuss it in this episode of Techzine Talks.

Last year Alphabet was already in the market for Wiz, but at the time the founders and owners of the Israeli cloud security company did not consider 23 billion enough. That in itself is remarkable, because Wiz's revenue was and is not that high in absolute terms. The company expects to reach an ARR (Annual Recurring Revenue) of 1 billion dollars in the course of this year. That is certainly impressive given Wiz's young age (5 years old), but an acquisition offer of 23 and now 32 billion dollars is, at first glance, very steep.

Wiz is, however, quite a special company, one that in a very short time has worked its way into the top rankings of the CNAPP (Cloud-Native Application Protection Platform) world. It has done this mainly with the Cloud Security Posture Management (CSPM) part of its offering. According to whoever you talk to or whatever you read about it, that part is really very good. In any case, it has been the main reason for the rapid rise. By now, alongside Wiz Cloud there are also Wiz Code and Wiz Defend. These components focus on code security and on detection and response respectively.

What does Alphabet (Google) want with Wiz?

The most important question, of course, is what Google Cloud Platform (GCP) plans to do with Wiz. Does it want to integrate Wiz fully into GCP and offer it as a unique part of the Google public cloud? Or will it let Wiz operate more or less independently and thereby go for multi-cloud security? The latter has always been Wiz's goal. It would be unfortunate for Wiz's customers if that were to change now.

In any case, the acquisition of Wiz makes GCP's security offering a lot more complete. With Chronicle and Mandiant there was already SIEM, threat intelligence and incident response; now cloud security is added to that.

Weren't Alphabet and Google supposed to be getting smaller?

At 32 billion, the acquisition of Wiz is, as already noted, by far the largest ever for Alphabet. Before this it was the 12.5 billion it paid for Motorola. Let us hope, for Wiz's customers at least, that this acquisition turns out better than that of Motorola. Google made a bit of a mess of that one. It sold that division on to Lenovo fairly quickly, at a hefty loss. Besides being a very large acquisition, it is also quite a remarkable one in our view. Google is under considerable fire in other areas because of the dominance it has. There are voices saying Google should have to sell off its Chrome division, and things are not going smoothly between the EU and Google either, particularly around Search. It is then quite remarkable that another part of the same company is making an enormous acquisition. Listen to Techzine Talks to find out everything about this mega-acquisition, what it means for Google Cloud, the market and the customers who are in the market for cloud security.
Three Buddy Problem - Episode 38: On the show this week, we look at a hefty batch of Microsoft zero-days exploited in the wild, iOS 18.3.2 fixing an exploited WebKit bug, a mysterious Unpatched.ai being credited with Microsoft Access RCE flaws, and OpenAI lobbying for the US to ban China's DeepSeek. Plus, discussion on a Binarly technical paper with a new approach to finding UEFI bootkits, Mandiant flagging custom backdoors on Juniper routers, and MEV 'sandwich attacks' front-running cryptocurrency transactions. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).
Breaking down silos while securing the cloud and leveraging secure-by-design advancements.

The challenges facing the industrial OT landscape that emanate from external sources are … varied, complex and constantly evolving. Smarter hacking groups, AI-driven phishing schemes and deceptive malware head the list of concerns.

And while these factors show no signs of fading, the reality is that there are just as many challenges facing industrial cybersecurity that are embedded within the very foundation of our operations. These legacy dynamics have created internal battles that absorb valuable resources, waste precious talent and help the bad guys stay a step ahead. With this in mind, we're going to tap into two key industry leaders to get their take on pressing internal liabilities that are ensuring key production assets remain exposed. We'll hear from Silverfort's Rob Larsen, as he discusses the ongoing struggles created by IT/OT silos, as well as secure-by-design initiatives. Mandiant's Paul Shaver will also offer his take on these silos, and how decisions related to cloud networking are impacting the security posture of key data, assets and network connections.

To catch up on past episodes, you can go to Manufacturing.net, IEN.com or MBTmag.com. You can also check Security Breach out wherever you get your podcasts, including Apple, Amazon and Overcast. If you have a cybersecurity story or topic that you'd like to have us explore on Security Breach, you can reach me at jeff@ien.com.
To download our latest report on industrial cybersecurity, The Industrial Sector's New Battlefield, click here.
The cybersecurity landscape gets more complicated every year, with emerging technologies such as AI and the shifting geopolitical landscape bringing extra chaos to any CISO's desk.

Though automated defense systems are a welcome feather in the cap for any company, it's not just the good guys who have access to the latest tools. Off-the-shelf frameworks to launch attacks are becoming more common and businesses can't rely on any single service to be a silver bullet.

What are the individual forces at play here? And how can security teams keep up?

In this episode, Rory speaks with Kevin Mandia, founder and former CEO at Mandiant and current board member at cybersecurity firm Expel, and Dave 'Merk' Merkel, co-founder and CEO at Expel, to learn more about the current global cybersecurity landscape and what the future holds for security teams.

Read more:
State-sponsored cyber attacks: The new frontier
The new ransomware groups worrying security researchers in 2025
Stopping cyber attackers from targeting the weakest links in security
Stealthy malware: The threats hiding in plain sight
Why attacks against critical national infrastructure (CNI) are such a threat – and how governments are responding
Why vendor breaches still haunt enterprise IT leaders
London council claims it faces 20,000 cyber attacks per day
I love magic links – why aren't more services using them?
How to create a secure password policy
Majority of firms using generative AI experience related security incidents – even as it empowers security teams
Three Buddy Problem - Episode 32: In this episode, we rummage through the DeepSeek hype and break down what makes it different from OpenAI's models, why it's stirring up existential controversies, and what it means for the broader tech landscape. We get into the privacy concerns, the geo-political implications, how AI models handle data, the ongoing debate over IP theft and innovation, and the challenges that come with a Chinese company shipping an open-source alternative. Beyond AI, we dig into some of the latest headlines; from a Chinese ‘backdoor' in medical devices, problems with CISA's backdoor bulletin, the risks of insecure IoT, phishing attacks on influencers, and ongoing battles over censorship in the VPN space. We also touch on WhatsApp catching spyware vendor Paragon Solutions and potential shifts in U.S. government policy on commercial mercenary hacking and surveillance companies. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).
While we're still in the infancy of 2025, the New Year has proven to have no issues in welcoming in a number of pre-existing challenges – whether we're talking about cybersecurity or … other social topics.

So, in continuing this trend, we tapped into a unique collection of voices to discuss a topic that has been, and will continue to be, vital to industrial cybersecurity efforts – Artificial Intelligence. First, we'll hear from Mandiant's Paul Shaver as he discusses the legacy dynamics of industrial cybersecurity, including ongoing obstacles associated with inventory, visibility and segmentation strategies – and the impact AI could have on all of them. Then we'll transition to HackerOne's Will Kapcio for his take on AI and the ongoing evolution of cybersecurity tools. We'll wrap up with the instructor and author of The Hack is Back as he discusses what drove his desire to write the book, the impact AI is having on the next generation of cybersecurity specialists, and the evolving vulnerabilities they can expect to face.
Three Buddy Problem - Episode 29: Another day, another Ivanti zero-day being exploited in the wild. Plus, China's strange response to Volt Typhoon attribution, Japan blames China for hacks, a Samsung 0-click vulnerability found by Project Zero, Kim Zetter's reporting on drone sightings and a nuclear scare. Plus, hijacking abandoned .gov backdoors and Ukrainian hacktivists wiping a major Russian ISP. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).
A critical zero-day is confirmed by a Japanese router maker. Romania annuls the first round of its 2024 presidential election over concerns of Russian interference. A sophisticated malware campaign targets macOS users. Mandiant uncovers a method to bypass browser isolation using QR codes. Belgian and Dutch authorities arrest eight individuals linked to online fraud schemes. A medical device company discloses a ransomware attack. A community hospital in Massachusetts confirms a ransomware attack affecting over three hundred thousand. The Termite ransomware gang claims responsibility for the attack on Blue Yonder. Synology patches multiple vulnerabilities in its Router Manager (SRM) software. The head of U.S. Cyber Command outlines the challenges of keeping decision makers up to date. Robot rats join the mischief.

CyberWire Guest
Our guest is Anna Pobletts, Head of Passwordless at 1Password, discussing the state of passkeys and what she sees on the road to a truly passwordless future.
Selected Reading
I-O Data Confirms Zero-Day Attacks on Routers, Full Patches Pending (SecurityWeek)
Romania's top court annuls presidential election result (CNN)
MacOS Passwords Alert—New Malware Targets Keychain, Chrome, Brave, Opera (Forbes)
QR codes bypass browser isolation for malicious C2 communication (Bleeping Computer)
Eight Suspected Phishers Arrested in Belgium, Netherlands (SecurityWeek)
Medical Device Maker Artivion Scrambling to Restore Systems After Ransomware Attack (SecurityWeek)
Anna Jaques Hospital ransomware breach exposed data of 300K patients (Bleeping Computer)
Blue Yonder SaaS giant breached by Termite ransomware gang (Bleeping Computer)
Synology Router Vulnerabilities Let Attackers Inject Arbitrary Web Script (Cyber Security News)
Cyber Command Chief Discusses Challenges of Getting Intel to Users (Defense.gov)
Robot Rodents: How AI Learned To Squeak And Play (Hackaday)

The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence.
Podcast: PrOTect It All
Episode: Enhancing OT Cybersecurity: From Legacy Systems to Cloud Solutions with Paul Shaver
Pub date: 2024-11-18

In this episode, Aaron is joined by Paul Shaver, an experienced OT security consultant from Mandiant, part of Google Cloud. Together, they navigate the nuanced landscape of operational technology (OT) cybersecurity. The episode begins with Aaron recalling a critical incident at a power plant that underscores the potential pitfalls in OT environments. This sets the stage for a rich discussion on the evolution of OT technology, with Aaron and Paul reminiscing about primary domain controllers and early NT workstations. The conversation shifts to the future of OT in the cloud, where Paul highlights the benefits of cloud solutions, including enhanced resiliency, security, and data optimization through AI. A compelling customer case study illustrates modern technology adoption with web-based HMIs and Chromeboxes. Paul offers a detailed analysis of the current OT cybersecurity landscape, addressing the persistent legacy system challenges and the need for a cohesive IT-OT security strategy. He discusses the evolving threat landscape influenced by global geopolitical tensions and the rise of zero-day vulnerabilities. Listeners will gain practical insights into foundational cybersecurity measures, such as network segmentation, asset inventory management, and robust access control.

Key Moments:
04:14 Connecting IT and OT optimizes processes securely.
09:54 Lost production severely impacts manufacturing revenue recovery.
14:06 Ensure network notifications; control access, separate credentials.
17:10 Engineers need secure access to adjust parameters.
21:55 Endpoint detection on older systems is critical.
28:47 Resilience is crucial in CrowdStrike incident response effectiveness.
32:11 Limited resources for global incident response efforts.
39:22 Rebuilt domain controller caused authentication issues.
42:37 Focus on resiliency and cloud opportunities, leveraging multi-cloud.
44:59 Improve grid operations using cloud and hyper-converged technology.
48:38 Local cloud provides redundancy for remote sites.
51:15 Critical for acquisition process and problem-solving.

About the guest: Paul Shaver has dedicated more than two decades to various roles in Operational Technology (OT), primarily within the oil and gas industry. His expertise spans OT architecture, design, and build, along with run and maintain responsibilities as an asset owner. Before transitioning into cybersecurity, Paul served as a Technology Director for an oil and gas company in California. Driven by a burgeoning interest in security, he joined Mandiant nearly five years ago. At Mandiant, now part of Google, Paul relishes the mission of enhancing security postures in OT and critical infrastructure, contributing to significant advancements in the field.

How to connect with Paul: https://www.linkedin.com/in/pbshaver/

Connect With Aaron Crow:
Website: www.corvosec.com
LinkedIn: https://www.linkedin.com/in/aaronccrow

Learn more about PrOTect IT All:
Email: info@protectitall.co
Website: https://protectitall.co/
X: https://twitter.com/protectitall
YouTube: https://www.youtube.com/@PrOTectITAll
Facebook: https://facebook.com/protectitallpodcast

To be a guest or suggest a guest/episode, please email us at info@protectitall.co
In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.

Apple's release of macOS 15, or Sequoia, has caused significant disruptions for several security tools and software vendors, including CrowdStrike, SentinelOne, Microsoft, and others.
Attackers are exploiting GitHub notifications for phishing by sending legitimate-looking alerts with malicious URLs.
Truffle Security's research exposes a significant issue in GitHub's handling of deleted and private repository data via Cross Fork Object Reference (CFOR).
AhnLab's report details Supershell, a malware targeting Linux SSH servers via brute-force attacks.
Since 2022, Mandiant has tracked DPRK IT workers infiltrating global organizations by posing as non-North Koreans to fund the regime's weapons programs and evade sanctions.
In August 2024, Telegram CEO Pavel Durov was arrested in France, facing charges for allowing criminal activities to proliferate on the platform, including the distribution of illegal content such as child sexual abuse material.
Josh Fleischer, Principal Security Analyst with Mandiant's Managed Defense organization sits down with host Luke McNamara to discuss trends in MFA bypass and how threat actors are conducting adversary in the middle (AiTM) attacks to gain access to targeted organizations. Josh walks through a case study of MFA bypass, how token theft occurs, the increasing amount of AiTM activity with more features being added to phishing kits, and more.
Guest: Dan Nutting, Manager - Cyber Defense, Google Cloud

Topics:
What is the Defender's Advantage and why did Mandiant decide to put this out there?
This is the second edition. What is different about DA-II?
Why do so few defenders actually realize their Defender's Advantage?
The book talks about the importance of being "intelligence-led" in cyber defense. Can you elaborate on what this means and how organizations can practically implement this approach?
Detection engineering is presented as a continuous cycle of adaptation. How can organizations ensure their detection capabilities remain effective and avoid fatigue in their SOC?
Many organizations don't seem to want to make detections at all, what do we tell them?
What is this thing called “Mission Control”- it sounds really cool, can you explain it?

Resources:
Defender's Advantage book
The Defender's Advantage: Using Artificial Intelligence in Cyber Defense supplemental paper
“Threat-informed Defense Is Hard, So We Are Still Not Doing It!” blog
Mandiant blog
Google Cloud AI Security Insights

The Big Themes:

Google's ecosystem-driven security approach: Google Cloud's partner ecosystem, consisting of entities such as managed security service providers (MSSPs) and global systems integrators, helps deliver top-notch security services. While Google maintains a small in-house service capability, partners are key to scaling and extending innovations to customers. Google provides AI tools to partners, who enhance their product offerings to better serve end customers. This model ensures that the latest security advancements, such as AI integration, are accessible.

Transitioning from assisted to autonomous security: Google Cloud envisions a future where AI will evolve from assistive to fully autonomous security workflows. Currently, AI plays an assistive role by providing actionable insights to security teams, helping them prioritize threats and respond more effectively. However, the goal is to transition these capabilities into semi-autonomous workflows, with the potential for fully autonomous security systems in the future.

Enhancing CISOs' efficiency with AI: One of the key problems CISOs face today is the overwhelming number of security alerts, which makes it challenging to identify and act on the most critical threats. Google Cloud addresses this issue by leveraging AI to sift through thousands of alerts, helping CISOs quickly identify the most significant risks. AI can provide real-time insights, suggesting actions to mitigate potential threats and reduce the noise from less pressing alerts.

The Big Quote: “AI is only as good as the data that the model is trained on and, in the world of security, we happen to have probably the world's most high quality and quantitative data set in threat intelligence.”
A major American chipmaker discloses a cyberattack. Cybercriminals exploit Progressive Web Applications (PWAs) to bypass iOS and Android defenses. Mandiant uncovers a privilege escalation vulnerability in Microsoft Azure Kubernetes Services. ALBeast hits ALB. Microsoft's latest security update has caused significant issues for dual-boot systems. The DOE's new SolarSnitch program aims to shore up solar panel security. Researchers uncover LLM poisoning techniques. An Iranian-linked group uses a fake podcast to lure a target. Return to sender - AirTag edition.

CyberWire Guest
Our guest is Parya Lotfi, CEO of DuckDuckGoose, discussing the increasing problem of deepfakes in the cybersecurity landscape.

Selected Reading
Microchip Technology discloses cyberattack impacting operations (Bleeping Computer)
Android and iOS users targeted with novel banking app phishing campaign (Cybernews)
Azure Kubernetes Services Vulnerability Exposed Sensitive Information (SecurityWeek)
ALBeast: Misconfiguration Flaw Exposes 15,000 AWS Load Balancers to Risk (HACKREAD)
Microsoft's latest security update has ruined dual-boot Windows and Linux PCs (The Verge)
DOE debuts SolarSnitch technology to boost cybersecurity in solar energy systems (Industrial Cyber)
Researchers Highlight How Poisoned LLMs Can Suggest Vulnerable Code (Dark Reading)
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset (Proofpoint)
Serial mail thieves thwarted when victim sends herself an AirTag (Apple Insider)
In today's episode, we explore the critical challenges to AI adoption revealed by CISOs, including data privacy concerns, insufficient staff skills, and misaligned organizational priorities, as highlighted in a new survey by Tines. We also discuss how security leaders can address these blockers by leveraging automation, strategic alignment, and continuous training. Additionally, we delve into the rise of malware such as FakeBat, recent data breaches affecting FlightAware and National Public Data, and necessary steps for individuals to secure their personal information.

Video Episode: https://youtu.be/HQt1nCHKgxI

00:00 - Intro
01:14 - NPD Hack Exposes Billions of Users' Data
04:01 - FlightAware Configuration Error Exposed User Data
07:35 - FakeBat Malware Targets Brave, Zoom, Notion Users
09:45 - Top AI Adoption Challenges and CISO Solutions

Articles referenced:
https://www.cybersecuritydive.com/spons/the-biggest-blockers-to-ai-adoption-according-to-cisos-and-how-to-remove/723672/
https://thehackernews.com/2024/08/cybercriminals-exploit-popular-software.html
https://www.bleepingcomputer.com/news/security/flightaware-configuration-error-leaked-user-data-for-years/
https://www.cbsnews.com/news/social-security-number-leak-npd-breach-what-to-know/

Sign up for digestible cyber news delivered to your inbox: https://news.thedailydecrypt.com

Thanks to Jered Jones for providing the music for this episode.
https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Transcript:

Aug 20

You probably heard about the data breach that allegedly compromised the personal information of nearly every American citizen, exposing Social Security numbers, addresses and so much more to dark web cybercriminals. So today we're going to talk about how this happened, what data was impacted and what you can do to make sure you stay safe with your Social Security number on the dark web. Thousands of FlightAware users are now urged to reset their passwords after a configuration error exposed sensitive personal data for over three years. How did this FlightAware configuration error manage to leak user data for such an extended period of time? Cybercriminals are exploiting popular software searches to spread the FakeBat malware, using malvertising campaigns and trojanized MSIX installers to infect unsuspecting users. And finally, a recent survey by Tines shows that 98% of large tech executives have halted their generative AI projects due to security risks. What strategic measures are CISOs employing to overcome the biggest blockers to AI implementation in their organization? You're listening to The Daily Decrypt.
Hackers have allegedly infiltrated a company known as National Public Data, or NPD, to steal unencrypted personal information of billions of people, including social security numbers, addresses, and family member names. This breach, attributed to the hacker group USDoD in April of 2024, puts almost everyone at risk of identity theft. If your data was a part of this breach, which it likely is, people can access it or bid on it on the dark web so that they could open new financial accounts or take out loans in your name. Luckily, this type of fraud is very preventable. All you have to do is contact the three major credit bureaus and place freezes on your accounts. And even before this breach, this is something that I would recommend to everybody. Unless they're in the process of buying a new home or opening up a new credit card, you don't need your credit accounts to be unfrozen. And this is something that I actually didn't do until about a year ago during the AT&T breach, where my social security number was also leaked to the dark web. And I was very shocked to see how quickly it could be done. They all have web-based interfaces where you can go sign up for an account and click a button to place a freeze on your credit. It's also important to know that once your information is out there, it's out there forever. There's no company that can go and scrub your data from the dark web. If any company is selling you that service, it's not a real service. It's a scam. Or if you purchase the services of a specific company under the impression that they can do that, maybe they're not actually selling that, but maybe that's what you're thinking they're going to do. They're not going to be able to do that. What they are going to be able to do is coach you through the process of placing these credit freezes and help inform you about what that will actually prevent.
Alternatively, you can listen to this episode of The Daily Decrypt and continue to listen for these tips for free. But placing these freezes on your credit essentially just prevents people or entities from running soft or hard credit checks against your credit, which is the barrier for most lines of credit, like new credit cards or home loans. And so by proxy, it prevents new home loans and new credit cards from being opened in your name, which is one of the biggest risks of having your social security number out there. Now, if an attacker is really motivated to get you personally, they can use that information to do all kinds of damage, primarily in information gathering about you to craft more effective phishing campaigns against you, which is the secondary risk of this type of data breach. So besides placing these credit checks, just be extra vigilant when you're looking at and clicking links through texts or emails, knowing that this information can help craft more effective phishing emails. Look at everything skeptically, and you should be good to go. Very similarly to that last story, there's an app called FlightAware, which is the world's largest flight tracking platform, that has just revealed a major security data incident. FlightAware discovered a configuration error dating back to January of 2021, which exposed user data for over three years. The data that it exposed can include your user ID, password, email address, and possibly even more sensitive information like your full name, billing and shipping address, social media accounts, phone number, and even social security number. The error was fixed by FlightAware on July 25th, 2024, so just a few weeks ago. But the breach's duration leaves significant room for potential misuse of your data, as we talked about in that last story. So if you have a FlightAware account, you'll need to reset your password immediately. If you log into the platform, it will prompt you to do so on your next login.
But what they're not going to tell you is that you also need to change the password to every account that uses the password to your FlightAware account. And that's because the username and password combo that was leaked in the FlightAware data breach will now be entered into every one of your accounts automatically. It's not a personal target. They're just going to try their luck and see if you maybe reuse that username and password combo. If that's ringing any bells for you, please go change your password to all of those accounts, and if it sounds too daunting to do that task manually, or you're not even sure what accounts share passwords, it's time to start using a password manager. I personally use 1Password, as do all of my friends, and I have almost a thousand accounts in there just for myself alone. Managing that amount of passwords is impossible, especially trying to maintain unique passwords across all of them. Nobody's memory can handle that. It will also create secure random passwords for you, so you don't have to use your creativity to come up with them or just change the characters that follow the password. Which, by the way, if you use a password even similar to the one that was leaked in your FlightAware breach, that too is considered compromised, because attackers will do common manipulations to all passwords and just use those to try to log into your accounts as well. It's all automated. So, yeah, if you want more information about a password manager, check out 1Password. There's also a blog on our website at thedailydecrypt.com that will outline a simple three-step process to converting over to a password manager. It doesn't have to be as daunting as it may sound. FlightAware is also offering a free 24-month identity protection package through Equifax. So given these two stories back to back, whoever is listening is likely impacted. Go take advantage of that. That will actually monitor for any credit inquiries to Equifax.
In addition to you placing those freezes. I highly recommend against simply monitoring, because by the time you get that alert, it's a little too late, right? Place the freeze, and then sign up for that free monitoring. And if you can't tell, passwords are getting breached every day. I don't like talking about data breaches on this platform. I don't like hearing about them because they happen so frequently. I don't consider it cybersecurity news. The only reason this one made the cut is because it was so long-standing. This one has been going on for three years. But if you're hearing this and you still don't use a password manager and you don't change your passwords, the implications are pretty bad. Go do that. Reach out to us on Instagram or YouTube if you want any help or guidance along that process. It really is a lot simpler of a workflow as well. Like, it's a quality of life improvement and a security improvement. I promise you it's worth it. Cybercriminals are using popular Google searches to help them craft more effective info-stealing campaigns. So, what does this mean? They're letting Google tell them what people are searching for, specifically around business-related software. So for example, if you're going to Google and you're looking for software that will help you manage personnel, or manage your tasks, or store your documents, et cetera, you're going to go to Google and you say, what is the best software for this type of business task? Well, Google will happily give you the information, if you look for it, about what the most common things to search for are around this space, right? So hackers are taking that information and they're creating fake websites that will offer you services in line with what you're searching for. These websites might be carbon copies of actual services that you could find on the web that would satisfy your search, or they could be new services.
After they've created these imitation websites, they purchase Google ads to get those websites at the top of the search results, specifically for what you're searching for. Then within those websites, you're going to click a link that's going to download a malware called FakeBat. This malware will live in the installer for the software you're trying to find and download, such as Brave, like the browser; KeePass, which I'm assuming is a password manager; Notion, which is like a Confluence-style thing; Steam for games; and Zoom for business meetings online. It's important to know that even if you know the software you're searching for, like, ah, I'm looking for Notion, someone recommended it, you Google the word Notion, that first link, if it's an ad, can still be malicious. So not everyone is searching for what's a business software I can use to hold all my documents. Some of them are just searching for, hey, where do I go to download Notion? That download link you click from Google, if it's a paid advertisement, could be malicious. And we always say it on this podcast: just don't click ads if you don't have to. That's one of the best ways you can avoid this type of thing. And finally, 98% of large tech executives have paused AI initiatives due to security risks. This was discovered by the automation company Tines during a recent survey and reveals the top barriers to AI adoption. 66% of CISOs worry about losing control over sensitive information. This can be anything from customer data, employee data, all the way down to proprietary code you're feeding into AI to have it help you fix. 60% of the CISOs report lacking AI expertise. 51% find friction between departments when getting cross-functional teams to align on AI priorities and risks. 49% face issues with outdated systems, so choose AI tools that integrate seamlessly with your existing tech stacks.
This survey by Tines can be very valuable, especially if you're someone who's trying to get your CISO to allow you to use AI. AI has a lot of potential for automating a lot of work and freeing up capacity for more impactful work. But if you have a good CISO, they're going to try to push back on the security risks. Check out the article linked in the show notes below for more information on how and what statistics you can use to help combat your CISO's fears and start using AI in your workplace. This has been The Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don't forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.
On this week's show, Patrick Gray and Adam Boileau discuss the week's security news, including:
The insurance industry's reaction to CrowdStrike's mess
Google's Workspace email validation flaw and its consequences for OAuth'd applications
Is the VMWare ESX group membership feature a CVE or an FYI?
Secureboot continues to under-deliver
North Korea's revenue neutral intelligence services
And much, much more
This episode is sponsored by allowlisting software vendor Airlock Digital. Airlock uses a kernel driver on Windows, so Chief Executive David Cottingham joined to discuss what the CrowdStrike kernel driver bug drama means for security vendors.
This episode is also available on Youtube. If you want to ruin the magic of radio and see the faces behind the show, well, now you can!
Show notes
Business interruption claims will drive insurance losses linked to CrowdStrike IT disruption | Cybersecurity Dive
Delta hires David Boies to seek damages from CrowdStrike, Microsoft
CrowdStrike disruption direct losses to reach $5.4B for Fortune 500, study finds | Cybersecurity Dive
Why CrowdStrike's Baffling BSOD Disaster Was Avoidable - YouTube
CrowdStrike offers a $10 apology gift card to say sorry for outage | TechCrunch
Crooks Bypassed Google's Email Verification to Create Workspace Accounts, Access 3rd-Party Services – Krebs on Security
Hackers exploit VMware vulnerability that gives them hypervisor admin | Ars Technica
Microsoft calls out apparent ESXi vulnerability that some researchers say is a 'nothing burger' | CyberScoop
AMI Platform Key leak undermines Secure Boot on 800+ PC models
Chrome will now prompt some users to send passwords for suspicious files | Ars Technica
Google Online Security Blog: Improving the security of Chrome cookies on Windows
A Senate Bill Would Radically Improve Voting Machine Security | WIRED
U.S. told Philippines it made 'missteps' in secret anti-vax propaganda effort | Reuters
Cyber firm KnowBe4 hired a fake IT worker from North Korea | CyberScoop
North Korean hacker used hospital ransomware attacks to fund espionage | CyberScoop
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs
North Korean hacking group makes waves to gain Mandiant, FBI spotlight | CyberScoop
ServiceNow spots sales opportunities post-CrowdStrike outage | Cybersecurity Dive
Chaining Three Bugs to Access All Your ServiceNow Data
Cyber Supply Chain Risk Management Conference (CySCRM) 2024 | Conference | PNNL
Three Buddy Problem - Episode 6: As the dust settles on the CrowdStrike incident that blue-screened 8.5 million Windows computers worldwide, we dig into CrowdStrike's preliminary incident report, the lack of transparency in the update process and the need for more robust testing and validation. We also discuss Microsoft's responsibility to avoid infinite BSOD loops, risks of deploying EDR agents on critical systems, and how an EU settlement is being blamed for EDR vendors having access to the Windows kernel. Other topics on the show include Mandiant's attribution capabilities, North Korea's gov-backed hacking teams launching ransomware on hospitals, KnowBe4 hiring a fake North Korean IT worker, and new developments in the NSO Group surveillance-ware lawsuit. Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)
A North Korean hacking group, newly designated as APT45 by the FBI and Mandiant, has broadened its ransomware operations to target healthcare providers, financial institutions, and energy companies. Previously known as Andariel or UNC614, the group has been active since at least 2009 and supports the interests of the North Korean government. Mandiant, a subsidiary of Google Cloud, emphasizes the group's rising sophistication and expanding target range, which now includes advanced technologies and critical infrastructure. The FBI is expected to release an advisory following Mandiant's report, detailing the group's tactics and historical focus on intelligence gathering from defense and research sectors. Additionally, the U.S. Agency for International Development (USAID) reports over 1,300 electronic devices, including iPhones, iPads, and computers, missing over the past three years. With two-thirds of its workforce based overseas, device security remains a critical challenge for the agency, reflecting a broader issue of mobile device management across federal agencies. Despite the losses, USAID remains committed to responsible stewardship of taxpayer dollars and rigorous digital asset security, particularly in challenging global environments. The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.
Rick Howard, The CSO, Chief Analyst, and Senior Fellow at N2K Cyber, discusses the current state of Cyber Threat Intelligence with CyberWire Hash Table guest John Hultquist, Mandiant's Chief Analyst.
References:
Andy Greenberg, 2022. Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency [Book]. Goodreads.
Josephine Wolff, October 2023. How Hackers Swindled Vegas [Explainer]. Slate.
Rick Howard, 2023. Cybersecurity First Principles Book Appendix [Book Support Page]. N2K Cyberwire.
Staff, September 2023. mWISE Conference 2023 [Conference Website]. Mandiant.
Staff, n.d. VirusTotal Submissions Page [Landing Zone]. VirusTotal.
Guests: Robin Shostack, Security Program Manager, Google Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud Topics: You talk about “teamwork under adverse conditions” to describe expedition behavior (EB). Could you tell us what it means? You have been involved in response to many high profile incidents, one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response? Apart from during incident response which is almost definitionally an adverse condition, how else can security teams apply this knowledge? If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It's probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team? How do we create it in an existing team or an under-performing team? Resources: EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster? “Take a few of these: Cybersecurity lessons for 21st century healthcare professionals” blog Getting More by Stuart Diamond book Who Moved My Cheese by Spencer Johnson book
Guest: Wendi Whitmore, Palo Alto Networks [@PaloAltoNtwks]
On Twitter | https://x.com/wendiwhitmore
On LinkedIn | https://www.linkedin.com/in/wendiwhitmore2/
Host: MK Palmore, Host of The Leadership Student Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/mk-palmore
Mandiant Consultants Trisha Alexander, Muhammed Muneer, and Pat McCoy join host Luke McNamara to discuss Mandiant's recently launched services for securing AI. They discuss how organizations can proactively approach securing the implementation of AI workloads, red-team and test these security controls protecting generative AI models in production, and then also employ AI within the security organization itself. For more, please see: https://cloud.google.com/security/solutions/mandiant-ai-consulting
In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel. SigmaHQ has introduced Sigma Correlations to enhance its rule-based detection capabilities, allowing for more sophisticated event correlation across multiple Sigma rules. Tyler Buchanan, a 22-year-old from the UK and alleged leader of the Scattered Spider hacking group, was arrested in Spain. Microsoft has issued an urgent update for all supported versions of Windows to address a critical Wi-Fi vulnerability, CVE-2024-30078. Three individuals (Yousef Selassie, Ugochukwu Emmanuel Nwosu, and David Gil) have been charged with operating Empire Market, a dark web marketplace that facilitated over $430 million in illegal transactions. In September 2022, Mandiant began investigating several intrusions conducted by UNC3886, a China-linked cyber espionage group, after discovering malware in ESXi hypervisors.
In today's episode, we delve into the recent surge of identity-based cyberattacks targeting Snowflake customers, with at least 100 companies confirmed impacted as disclosed by Mandiant and Pure Storage (https://www.cybersecuritydive.com/news/snowflake-customer-attacks-what-we-know/719056/). We also explore how attackers are leveraging social engineering to install malware through fake error messages, as outlined by Proofpoint researchers (https://www.helpnetsecurity.com/2024/06/17/social-engineering-malware-installation/). Finally, we discuss how legitimate websites are being exploited to deliver the BadSpace Windows backdoor, detailed by German cybersecurity company G DATA (https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor).
00:00 Introduction to Fake Cyber Attacks
01:11 Fake Error Messages
03:30 The Badspace Backdoor with Trae
06:54 Snowflake Breach: What Happened?
Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/
Tags: Snowflake, cyberattacks, identity-based, infiltrate, cybercriminals, malware, proofpoint, fake error messages, hackers, BadSpace, G DATA, cybersecurity, social engineering, cloud data security, Windows backdoor
Search Phrases: Identity-based cyberattacks on Snowflake customers, Protecting Snowflake accounts from cybercriminals, Malware threats to cloud security, Proofpoint cybercrime reports, Steps to prevent fake error message scams, BadSpace Windows backdoor protection measures, How hackers use fake browser updates, G DATA cybersecurity insights, Social engineering defenses in cybersecurity, Preventing identity-based infiltrations in cloud systems
What we know about the Snowflake customer attacks
https://www.cybersecuritydive.com/news/snowflake-customer-attacks-what-we-know/719056/
Flash briefing summarizing the key information about the Snowflake customer attacks:
Widespread Impact: Over 100 Snowflake customers have been confirmed impacted by identity-based attacks utilizing stolen credentials from infostealer malware. Approximately 165 businesses remain potentially exposed. [Source: Mandiant]
Key Entry Point: Attacks were not due to a vulnerability or breach within Snowflake's system but through stolen credentials from infostealer malware on non-Snowflake systems. Impacted accounts lacked multifactor authentication (MFA). [Source: Mandiant]
Early Detection: The earliest unauthorized access to Snowflake customer instances was detected on April 14, with Mandiant beginning its investigation on April 19 and identifying the first confirmed connection to Snowflake on May 14. [Source: Mandiant's June 10 Threat Intelligence Report]
Immediate Actions: Snowflake has been suspending user accounts showing signs of malicious activity, blocking suspicious IP addresses, and advising customers to enable MFA and configure network access policies. [Source: Snowflake CISO Brad Jones]
Data Theft: The first known sale of stolen data from a Snowflake customer database was posted on May 24. Snowflake disclosed the attacks on May 30, providing indicators of compromise and recommended actions for companies to investigate. [Source: Mandiant]
Ongoing Investigation: The investigation, assisted by Mandiant and CrowdStrike, is ongoing. The attacker, referred to as UNC5537, continues to extort victims with stolen data as of June 13. [Source: Mandiant]
Malware peddlers love this one social engineering trick!
https://www.helpnetsecurity.com/2024/06/17/social-engineering-malware-installation/
Key Information: Attackers increasingly use fake error messages to trick users into installing malware.
Actionable Insight: Stay vigilant when encountering unexpected error messages prompting installations or updates.
Key Information: These fake error messages often accompany HTML documents delivered via email attachments.
Actionable Insight: Exercise caution when opening email attachments, especially HTML documents, and verify the sender's authenticity.
Key Information: Users may be prompted to install root certificates, resolve issues, install extensions, or update DNS caches.
Actionable Insight: Before following any such prompts, consult your IT department or perform a quick search to confirm the legitimacy of the request.
Key Information: The attack chain requires significant user interaction but cleverly disguises malware installation as a problem-solving step.
Actionable Insight: Always take a moment to consider the risk before performing any suggested actions from an error message.
Key Information: Various attackers, including initial access brokers, use these techniques to deploy PowerShell scripts, installing malware like DarkGate and NetSupport.
Actionable Insight: Familiarize yourself with the signs of PowerShell script execution and report any suspicious activity to your security team.
Key Information: Detection is difficult because the malicious script is copied to the clipboard via JavaScript and manually run by the user.
Actionable Insight: Be wary of any browser prompts to copy scripts or commands and avoid running them directly from your clipboard.
Key Information: Users are the last line of defense if browsing protections and email filters fail.
Actionable Insight: Engage in regular cybersecurity training to identify and report suspicious activities promptly.
Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor
https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor
Compromised Websites as Conduits: Hackers use legitimate websites, often built on platforms like WordPress, to deliver a Windows backdoor named BadSpace. They disguise the attack as fake browser updates, making it hard for users to detect.
Multi-Stage Attack Chain: The attack begins with an infected website that checks if a user has visited before. On the first visit, the site collects device data, IP address, user-agent, and location, then sends it to a command-and-control (C2) server. The server responds with a fake Google Chrome update pop-up that either directly drops the malware or uses a JavaScript downloader to deploy BadSpace.
Malware Capabilities: BadSpace can harvest system information, take screenshots, execute commands, read/write files, and delete scheduled tasks. It employs anti-sandbox techniques and sets up persistence using scheduled tasks.
Connections to SocGholish: The C2 servers linked to BadSpace show connections to another malware known as SocGholish (aka FakeUpdates), which uses similar tactics.
Current Threat Landscape: Organizations like eSentire and Sucuri report ongoing campaigns using fake browser updates to spread information stealers and remote access trojans.
Guests: Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud Will Silverstone, Senior Consultant, Mandiant, Google Cloud Topics: Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments? You do IR so in your experience, what are top 5 mistakes organizations make that lead to cloud incidents? How and why do organizations get the attack surface wrong? Are there pillars of attack surface? We talk a lot about how IAM matters in the cloud. Is that true that AD is what gets you in many cases even for other clouds? What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well? Resources: Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!) “Lessons Learned from Cloud Compromise” podcast at The Defender's Advantage “Cloud compromises: Lessons learned from Mandiant investigations” in 2023 from Next 2024 EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework EP103 Security Incident Response and Public Cloud - Exploring with Mandiant EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler
In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel. Mandiant has linked a series of data breaches affecting hundreds of Snowflake instances to the use of infostealer malware, primarily targeting non-Snowflake systems to harvest credentials. Authorities have ramped up something they are calling Operation Endgame, which is an effort to capture a fellow that goes by the handle "Odd," the alleged mastermind behind the Emotet botnet. McAfee has identified a fake Bahrain government Android app masquerading as the Labour Market Regulatory Authority app, which is designed to steal personal data for financial fraud. A technical deep-dive on Operation Crimson Palace performed by Sophos X-Ops: the operation exposes a sophisticated cyberespionage campaign targeting a Southeast Asian government, attributed to Chinese state interests.
In today's episode, we delve into the latest cybersecurity incidents, including Cylance confirming old data sold by Sp1d3r for $750,000, ongoing disruptions in the NHS due to a Russian Qilin ransomware attack, and Google's takedown of coordinated influence campaigns linked to China, Russia, and Indonesia. We also highlight Snowflake account breaches connected to recent data compromises at Advance Auto Parts, Santander, and Ticketmaster. Join us as we explore the implications of these attacks and the latest reports from BleepingComputer, The Guardian, and The Hacker News.

References:
https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/
https://thehackernews.com/2024/06/google-takes-down-influence-campaigns.html
https://www.theguardian.com/society/article/2024/jun/11/cyber-attack-on-london-hospitals-to-take-many-months-to-resolve

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: Sp1d3r, Cylance, Snowflake, UNC5537, Google, YouTube, Blogger, Propaganda, Russian hackers, NHS, Disruption, Mitigate

Search Phrases: Notorious hacker Sp1d3r data breach Cylance marketing data dark web Snowflake cybersecurity vulnerabilities UNC5537 Snowflake account security Google influence operation crackdown YouTube channel shutdown China propaganda Blogger blog purge misinformation Russia Russian hackers NHS disruption NHS cybersecurity breach recovery Mitigating hacker impact on NHS

Cylance confirms data breach linked to 'third-party' platform
https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/
---
Flash Briefing:
- Data Breach Disclosure: Cylance confirmed that data being sold on a hacking forum is legitimate but old, stolen from a third-party platform. The data allegedly includes 34 million customer and employee emails and personally identifiable information. Source: BleepingComputer.
- Threat Actor Activity: A hacker known as Sp1d3r is selling the stolen data for $750,000. Researchers indicated this data seems to be old marketing information. BlackBerry Cylance stated no current customers or sensitive data are impacted. Source: Dark Web Informer.
- Snowflake Links: The same threat actor, Sp1d3r, is also selling 3TB of data from Advance Auto Parts, allegedly breached through a Snowflake account. Other recent breaches at Santander, Ticketmaster, and QuoteWizard also link to Snowflake attacks. Source: BleepingComputer.
- Credential Theft: Attackers used stolen customer credentials to target Snowflake accounts without multi-factor authentication (MFA). Mandiant linked these attacks to a financially motivated threat actor, UNC5537, who has been active since at least 2020. Source: Mandiant.
- Recommendations: Ensure all accounts, particularly those related to third-party platforms, have MFA enabled. Regularly update and rotate credentials, and implement network allow lists to restrict access to trusted locations. Source: CrowdStrike, Mandiant.
- Ongoing Notifications: Snowflake and Mandiant have notified around 165 organizations about potential exposure to these attacks, emphasizing the importance of cybersecurity hygiene and proactive measures. Source: Snowflake.

Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia
https://thehackernews.com/2024/06/google-takes-down-influence-campaigns.html
---
- Google Takes Down Inauthentic Channels: Google dismantled a coordinated influence operation connected to the People's Republic of China, removing 1,320 YouTube channels and 1,177 Blogger blogs spreading content about China and U.S. foreign affairs. (Source: Google Threat Analysis Group)
- Influence Operations Linked to Indonesia: Google also terminated accounts linked to two influence operations from Indonesia that supported the ruling party, further showcasing the global nature of these coordinated efforts. (Source: Google Threat Analysis Group)
- Russian Influence Network Dismantled: Google removed 378 YouTube channels operated by a Russian consulting firm that spread pro-Russia and anti-Ukraine content, highlighting the ongoing digital battlegrounds. (Source: Google Threat Analysis Group)
- Monetary Motives Behind Fake Content: Financial incentives drove a network linked to individuals from the Philippines and India, spreading English and Norwegian content about food, sports, and lifestyle topics. (Source: Google Threat Analysis Group)
- Global Influence Campaigns: Networks from Pakistan, France, Russia, and Myanmar also faced shutdowns for spreading politically charged and nationalistic content, illustrating the diverse sources of disinformation. (Source: Google Threat Analysis Group)
- Meta and OpenAI Disrupt Tel Aviv-Based Operation: Meta and OpenAI disrupted a Tel Aviv-based influence operation dubbed Storm-1099, which targeted U.S. and Canadian audiences with content regarding the Israel-Hamas conflict. (Source: Meta via CyberScoop)
- Israel's Ministry of Diaspora Affairs Linked: The New York Times reported Israel's Ministry of Diaspora Affairs funded the covert influence campaign with around $2 million, marking another instance of state-sponsored disinformation. (Source: The New York Times)
- Microsoft Warns of Russian Disinformation: Microsoft warned of increasing Russian disinformation campaigns targeting the 2024 Summer Olympics in Paris, using AI-generated content to undermine the event and spread fear. (Source: Microsoft Threat Analysis Center)
- Olympics as a Cyber Threat Target: Google-owned Mandiant and Recorded Future identified the Paris Olympics as a high-risk target for cyber threats, including ransomware, espionage, and hacktivist attacks, emphasizing the need for robust cybersecurity measures. (Source: Mandiant and Recorded Future)

Cyber-attack on London hospitals to take 'many months' to resolve
https://www.theguardian.com/society/article/2024/jun/11/cyber-attack-on-london-hospitals-to-take-many-months-to-resolve
---
- Cyber-attack Impact Duration: A senior NHS source warned that the cyber-attack disrupting hospitals and GP surgeries in London may take "many months" to resolve. Key recovery factors: understanding hacker access, affected records, and data retrievability.
- Scope and Perpetrators: Six NHS trusts and numerous GP practices in south-east London, serving 2 million patients, are affected. The Russian Qilin gang is believed responsible, using ransomware to lock systems and demand money for decryption keys.
- Service Disruptions: A critical incident was declared due to the inability to perform non-urgent operations, including cancer procedures and planned C-sections. Blood test analysis is severely restricted, forcing rationing and cancellation of many medical procedures.
- Recovery Challenges: IT systems encrypted by attackers force victims to rebuild infrastructure, even if decrypted. Former NCSC head Ciaran Martin noted that recovery from such attacks often takes weeks or months.
- Mitigation Efforts: The NHS London region employs "mutual aid" by redistributing tasks to unaffected trusts to mitigate the impact on care delivery. Example: patients with heart issues transferred from affected hospitals to St George's hospital.
- Leadership Insights: NHS England's chief executive, Amanda Pritchard, emphasized the vulnerability to international events and the critical, often unseen, role of pathology services.
- Ongoing Threats: The Qilin gang typically also steals data, posting it on the dark web for extortion if the ransom isn't paid. No data has been posted yet.
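The Snowflake recommendations in the flash briefing above (MFA on every account, credential rotation, and network allow lists) can be checked against login history rather than taken on trust. What follows is an added example for this page, not code from the episode, Snowflake, or Mandiant: it runs over constructed rows shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view (the column names are Snowflake's; the user names, IP addresses, timestamps and the allow-listed network are made up) and flags successful password logins that carried no second factor, plus any successful login from outside the allow list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample rows shaped like Snowflake's ACCOUNT_USAGE.LOGIN_HISTORY view.
# Column names follow Snowflake; user names, IPs and timestamps are made up.
SAMPLE_LOGIN_HISTORY = [
    {"EVENT_TIMESTAMP": "2024-05-14T02:11:09Z", "USER_NAME": "ETL_SVC",
     "CLIENT_IP": "203.0.113.8", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-14T02:13:41Z", "USER_NAME": "JDOE",
     "CLIENT_IP": "198.51.100.77", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-14T09:02:00Z", "USER_NAME": "ASMITH",
     "CLIENT_IP": "203.0.113.42", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH",
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-14T09:05:13Z", "USER_NAME": "SSO_USER",
     "CLIENT_IP": "203.0.113.50", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI",
     "FIRST_AUTHENTICATION_FACTOR": "OAUTH_ACCESS_TOKEN", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "YES"},
    {"EVENT_TIMESTAMP": "2024-05-14T11:47:55Z", "USER_NAME": "JDOE",
     "CLIENT_IP": "198.51.100.77", "REPORTED_CLIENT_TYPE": "OTHER",
     "FIRST_AUTHENTICATION_FACTOR": "PASSWORD", "SECOND_AUTHENTICATION_FACTOR": None,
     "IS_SUCCESS": "NO"},
]

# Assumed corporate egress range (a documentation prefix, not a real network).
ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Finding:
    user: str
    client_ip: str
    timestamp: str
    reasons: tuple


def ip_allowed(client_ip, allowed=ALLOWED_NETWORKS):
    """True if the client IP falls inside one of the allow-listed networks."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in allowed)


def triage_logins(rows, allowed=ALLOWED_NETWORKS):
    """Return findings for successful logins that violate the MFA/allow-list guidance.

    A password-only login (first factor PASSWORD, no second factor) is the access
    path that works with infostealer credentials; federated logins (OAuth/SAML)
    are left to the identity provider's own MFA policy.
    """
    findings = []
    for r in rows:
        if r["IS_SUCCESS"] != "YES":
            continue  # failed attempts belong to a separate brute-force check
        reasons = []
        if r["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD" and not r["SECOND_AUTHENTICATION_FACTOR"]:
            reasons.append("password login without MFA")
        if not ip_allowed(r["CLIENT_IP"], allowed):
            reasons.append("source IP outside allow list")
        if reasons:
            findings.append(Finding(r["USER_NAME"], r["CLIENT_IP"], r["EVENT_TIMESTAMP"], tuple(reasons)))
    return findings


def users_without_mfa(rows):
    """Users that have logged in with a bare password: the MFA enrollment backlog."""
    everywhere = [ipaddress.ip_network("0.0.0.0/0")]  # ignore the allow list for this view
    return sorted({f.user for f in triage_logins(rows, allowed=everywhere)
                   if "password login without MFA" in f.reasons})


if __name__ == "__main__":
    for f in triage_logins(SAMPLE_LOGIN_HISTORY):
        print(f"{f.timestamp} {f.user:<10} {f.client_ip:<15} {'; '.join(f.reasons)}")
    print("MFA enrollment backlog:", users_without_mfa(SAMPLE_LOGIN_HISTORY))
```

Against the sample rows the service account and JDOE surface as password-only logins, and JDOE additionally comes from outside the allow list; the SSO user is not flagged because the OAuth path is governed by the identity provider. In a real account the same logic runs over a query of the view for the last 30 days, and the backlog list is the set of users to enroll in MFA or convert to key-pair or SSO authentication.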
Cyber assistance coming to rural hospitals
UK and Canada launch investigation into 23andMe breach
Mandiant and Snowflake sending out breach notices

Thanks to today's episode sponsor, Vanta. When it comes to ensuring your company has top-notch security practices, things can get complicated, fast. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money. With Vanta, you can unify your security program management and proactively manage security reviews with AI-powered security questionnaires. Our listeners get $1,000 off at vanta.com/headlines.
In this episode of the 2 Minute Drill, Drex covers the latest cybersecurity news in healthcare. Ascension's cyber event transparency efforts receive praise and scrutiny while facing new lawsuits. The Department of Health and Human Services launches the UPGRADE program to bolster hospital cybersecurity. Kevin Mandia, founder of Mandiant, announces his retirement. Stay informed and stay secure with these updates!

Contributions & Community: Become part of the conversation and help shape future episodes by contributing stories and insights. Visit thisweekhealth.com/news and click on "Become a Contributor."
Stay Connected: Don't miss out on our upcoming episodes focused on hacking healthcare. Follow our podcast, like and share this post to spread the word, and join the new 229 cyber and risk community for more in-depth discussions and resources.
Stay Informed, Stay Secure: Visit thisweekhealth.com/security for more information and resources to bolster your cybersecurity knowledge and defenses.
Remember, stay a little paranoid.
In this episode of the 2 Minute Drill, Drex delves into three pivotal cybersecurity reports from Verizon, Mandiant, and Baker Hostetler. Tune in as we explore key findings on detection tools, ransomware defenses, and the latest on privacy laws. Plus, discover what the "vulnerability era" means for cybersecurity strategies and how these insights can shape your approach to tech and data security.
In today's episode, UnitedHealth CEO Andrew Witty testifies before the Senate Finance Committee about the ransomware attack on Change Healthcare, revealing that legacy tech at Change amplified the attack's impact. Stolen credentials and lack of multifactor authentication allowed attackers to move within Change's systems, leading to the deployment of ransomware. UnitedHealth's response included bringing in multiple incident response firms and cybersecurity experts to aid in recovery efforts.

Original URLs:
https://www.cybersecuritydive.com/news/unitedhealth-change-attack-tech-takeaways/715200/
https://thehackernews.com/2024/05/critical-tinyproxy-flaw-opens-over.html
https://www.bleepingcomputer.com/news/security/lockbits-seized-site-comes-alive-to-tease-new-police-announcements/

Tags: UnitedHealth, ransomware, Change Healthcare, technology infrastructure, Tinyproxy, Remote code execution, Security flaw, Cyberattacks, LockBit, Law enforcement, Data leak site

Search phrases: Preventing data breaches in healthcare systems Upgrade technology infrastructure in healthcare Protecting against ransomware attacks Tinyproxy security flaw solutions Remote code execution prevention Cybersecurity measures for critical security flaws LockBit ransomware impact on operations Law enforcement actions against ransomware gangs Data leak site revelations Identifying ransomware operators

More than 50,000 hosts are at risk of remote code execution due to a critical unpatched flaw in the Tinyproxy service. How can users protect their devices from this critical Tinyproxy flaw? Law enforcement has revived a seized LockBit ransomware data leak site, teasing new announcements to come, including potential revelations about the identity of LockBit's operator. Is law enforcement bluffing, or do they actually have this information?
And finally, we've got the five key security takeaways from the Change Healthcare ransomware attack, as summarized by Cybersecurity Dive, to include outdated technology, stolen credentials, multifactor and more. You're listening to The Daily Decrypt. A critical unpatched security flaw in the Tinyproxy service is leaving over 50,000 hosts exposed to remote code execution threats. The vulnerability has a high CVSS score of 9.8 out of 10 and affects versions 1.10 and 1.11. This vulnerability in the Tinyproxy service allows attackers to execute malicious code through specially crafted HTTP requests: an unauthenticated threat actor could exploit this flaw by sending a specific HTTP Connection header, triggering memory corruption that could lead to remote code execution on vulnerable systems. Data from Censys shows that approximately 57 percent of the 90,000 publicly accessible hosts are running vulnerable versions, with a significant number of these hosts located in the United States, South Korea, China, France, and Germany. In order to mitigate this risk, it's recommended to upgrade to the most recent version of Tinyproxy. And, if at all possible, don't expose your Tinyproxy service to the public-facing internet. Law enforcement agencies, including the NCA, FBI, and Europol, have resurrected a previously seized LockBit ransomware data leak site, hinting at potential new revelations set to be disclosed today. During Operation Cronos on February 19th, authorities dismantled LockBit's infrastructure, taking down 34 servers hosting the data leak website, cryptocurrency addresses, decryption keys, and the affiliate panel. In response to the disruption, the police repurposed one of the data leak sites into a platform for sharing insights gained during the operation, including details on affiliates, as well as LockBit's deceptive practices regarding stolen data deletion post ransom payment.
One of the blog posts is titled "Who is LockBitSupp?", which is a reference to the individual or group of individuals who are running this ransomware organization. And this blog post posted by law enforcement left many people anticipating significant revelations about the ransomware operator, but they only received a cryptic message stating that law enforcement knows who he is, who they are, knows where they live, how much he is worth, and claiming that this individual has engaged with law enforcement. Which insinuates that this individual was discovered by law enforcement and then convinced to give them information about his affiliates. Now that post was after law enforcement originally took over the site in late February, early March, and it has since been taken down with no information. But the crux of this piece of news is that law enforcement has revived the site yet again with similar posts, including "What have we learnt", "More LockBit hackers exposed", "What have we been doing", and the coup de grâce, titled "Who is LockBitSupp?" yet again. All of this is anticipated to be released later today, and if it turns out law enforcement doesn't actually have any information, this is going to be quite the blunder for them and really show their hand that this is just a tactic to try to get people to turn against their affiliates. And finally, Change Healthcare, which is a subsidiary of UnitedHealth Group, fell victim to a ransomware attack which compromised a significant amount of patient data and disrupted operations. And just recently, the CEO submitted a written testimony which fell short of lawmakers' expectations, but it did provide a lot of insight as to what went wrong, which is very interesting for us technical folks. And the purpose of this segment is just to cover five of the key technical takeaways from that testimony. The first key takeaway is that legacy technology at Change amplified the attack's impact.
The testimony states that even though the company was founded in 2007, some of the technology systems are over 40 years old, including payment systems and medical claims systems. UnitedHealthcare as a whole was undergoing an upgrade of all of their technologies before they acquired Change Healthcare, but the attack had the effect that it locked up the backups that were stored on premises at Change Healthcare's headquarters, which is one of the main causes for the delay in service. They weren't able to get their backups back up and running. They claim that in the rebuild after the attack, they're moving a lot of their backups to the cloud, which will hopefully be more secure, but the cloud isn't a fix-all answer. It's going to take a lot of work, whether it's on premise or in the cloud, to make sure that you continually have access to those backups and establish redundancy, etc. Number two, stolen credentials unlocked the access, right? That's key in most attacks. It starts with stolen credentials. Don't allow password reuse. Implement a tool that checks the dark web for all passwords. And there really is no excuse for that, because I get emails when my email is leaked on the dark web. And if you're a corporation, you can just scan the dark web for anything in any of your domains. You should get an email. You should immediately revoke the password to that account. This is a pretty quick section because, yeah, that's pretty obvious. The third key takeaway is that UnitedHealth brought in at least seven incident response firms to help them recover from the attack, and some of them will remain in place as full-time response. UnitedHealth has even asked Mandiant to join its board as a permanent advisor to strengthen the company's cybersecurity oversight and strategy. The fourth key takeaway is the response, which is a positive one.
UnitedHealthcare immediately disconnected Change Healthcare from all other systems when it became aware of the ransomware attack, which is critical to preventing this ransomware from spreading to other subsidiaries of UnitedHealthcare. And many months after the attack, we can see how well this worked because, to our knowledge, as of yet, no other subsidiaries have been hit like Change Healthcare was. So, even though the recovery took a lot longer, which was because of the backups failing and having to rebuild it from scratch, it could have been a lot worse had they not contained the blast radius to just Change Healthcare. And finally, multi-factor authentication wasn't turned on. Now, the CEO claims that it is company policy to have multi-factor authentication turned on for every external-facing service. And in his testimony, the CEO was very frustrated and does not know how they got away with not having this enabled. And he assures lawmakers and patrons of Change Healthcare that every external-facing system has multi-factor authentication turned on now. And it's impossible to say if having multi-factor authentication turned on would have prevented this attack, because even with multi-factor authentication it is possible to bypass it. People are always the weakest link, clicking accept when they receive the ping. But it would have definitely slowed down the attackers.
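The stolen-credentials takeaway in the segment above ends with advice to watch leaked-password feeds and revoke any account that turns up in one. The usual way to check a password against a breach corpus without sending the password anywhere is a range query on its SHA-1 hash, the scheme Have I Been Pwned's Pwned Passwords API uses: the client sends only the first five hex characters of the hash and matches the remaining 35 locally. The block below is an added example for this page, not code from the episode, UnitedHealth or Have I Been Pwned: the breach corpus and its counts are constructed, and the "server" is an in-process dict so the example runs offline.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus: leaked passwords and how many times each was seen.
# In production this is a Pwned-Passwords-style range API or an internal feed of
# credentials recovered from infostealer logs and dark-web dumps.
LEAKED_PASSWORDS = {
    "Password123": 9312,
    "Summer2024!": 418,
    "changehealth1": 3,
    "letmein": 27801,
}


def sha1_upper(password):
    """Uppercase hex SHA-1, the key format the range protocol works on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Index leaked hashes by their first five hex characters (the 'range')."""
    index = defaultdict(dict)
    for pw, count in corpus.items():
        digest = sha1_upper(pw)
        index[digest[:5]][digest[5:]] = count
    return index


RANGE_INDEX = build_range_index(LEAKED_PASSWORDS)


def range_lookup(prefix, index=RANGE_INDEX):
    """Server side of the k-anonymity query: it receives only a 5-character
    prefix and returns every suffix in that range with its count, so it never
    learns which password (or even which full hash) the client is checking."""
    return dict(index.get(prefix.upper(), {}))


def leaked_count(password, lookup=range_lookup):
    """Client side: hash locally, send the prefix, match the suffix locally.
    Returns how often the password appears in the corpus (0 if not found)."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    return lookup(prefix).get(suffix, 0)


def check_new_password(password, lookup=range_lookup):
    """Policy hook for password set/change: reject anything present in breach data.
    Returns (accepted, reason)."""
    n = leaked_count(password, lookup)
    if n:
        return False, f"appears {n} times in breach data"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password123", "correct horse battery staple", "letmein"):
        print(f"{candidate!r}: {check_new_password(candidate)}")
```

The same `check_new_password` hook belongs in the password-change path, which is what stops a user re-introducing a leaked password, and the lookup can be pointed at a real range endpoint without changing the client logic. With a real corpus each five-character range holds several hundred suffixes, which is what makes the prefix alone useless to the server for recovering the password.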
In today's episode, we delve into the warning issued by the NSA and FBI regarding the APT43 North Korea-linked hacking group's exploitation of weak email DMARC policies to conduct spearphishing attacks. The podcast also covers a significant counterfeit operation involving fake Cisco gear infiltrating US military bases, creating a $100 million revenue stream. Lastly, we explore how Iranian hackers posing as journalists are utilizing social engineering tactics to distribute backdoor malware, breaching corporate networks and cloud environments. To read more about the topics discussed, visit https://www.bleepingcomputer.com/news/security/nsa-warns-of-north-korean-hackers-exploiting-weak-dmarc-email-policies/, and https://arstechnica.com/information-technology/2024/05/counterfeit-cisco-gear-ended-up-in-us-military-bases-used-in-combat-operations/, and https://www.bleepingcomputer.com/news/security/iranian-hackers-pose-as-journalists-to-push-backdoor-malware/ 00:00 Massive Counterfeit Scam Unveiled: A Decade of Deception 01:08 Deep Dive into the Counterfeit Cisco Gear Scandal 04:14 The Art of Social Engineering: A Hacker's Best Tool 07:05 Protecting Against Cyber Threats: Insights and Recommendations 08:46 Wrapping Up: Stay Informed and Secure Tags: North Korea, APT43, DMARC, spearphishing, hacking, group, email, policies, attacks, intelligence, journalists, academics, organizations, prevent, security, policy, configurations, counterfeit, scam, Florida resident, gear, revenue, networking gear, US military, security, Air Force, Army, Navy, officials, stop, operation, Iranian, APT42, Nicecurl, Tamecat, hackers, backdoor, malware, social engineering, tactics, custom, blend operations, evade detection. 
Search Phrases: How to prevent APT43 spearphishing attacks Counterfeit scam Florida military security risk Actions to stop massive counterfeit operation Iranian hackers impersonating journalists APT42 malware tactics Nicecurl and Tamecat backdoor malware Techniques to breach corporate networks and cloud environments Evading detection in cyber attacks North Korea hacking group APT43 US military response to counterfeit gear scam

May 6

A Florida man was just sentenced to six and a half years in prison for running a massive counterfeit scam that ran from 2013 to 2022, where he sold fake Cisco networking gear to the US military. This resulted in over $100 million in revenue for this man while also putting our US military operations at risk. How did he get away with this for so long? Iranian hackers are impersonating journalists to distribute backdoor malware known as APT42 in order to harvest both personal and corporate credentials in an attempt to infiltrate corporations at large. What social engineering tactics are they using to help blend in with normal operations and evade detection? And speaking of impersonating journalists, a North Korean hacking group is exploiting DMARC policies to conduct spear phishing attacks aimed at collecting sensitive intelligence, while impersonating journalists and academics to do so. What actions can organizations take to prevent these spear phishing attacks? You're listening to The Daily Decrypt. So just last week on Thursday, a Florida man named Onur Aksoy, who is also known by Ron Aksoy and Dave Durden, which sounds almost like a Fight Club reference to me, was sentenced to 78 months, or 6 and a half years, for orchestrating a counterfeit scheme that generated over $100 million in revenue, all by selling fake Chinese Cisco networking gear to the US military. This clearly would pose a significant risk to the US military's security.
Because it was utilized in critical applications, including combat operations and classified information systems. This man, who I'm going to refer to as Dave Durden because I like alliteration and I like Fight Club, has been partaking in this counterfeit operation starting in 2013 all the way to 2022, receiving multiple cease and desist letters throughout those years, yet still continued to get fake Cisco networking gear into the hands of the US military. So since this has been going on for so long, and so much money has been spent on this, these pieces of fake Cisco networking equipment have spread out across the country, across the world, and will be very difficult to remove from the US military as a whole, because they've been integrated into critical systems. And anyone who works in IT knows that it's very hard to even patch one of these devices, let alone swap it out for something with different components, because this isn't an actual Cisco router. And as reported by Ars Technica, Cisco estimates that their products being sold on the quote "IT gray market" is costing them about 1.2 billion dollars, billion with a B, each year. Along with the unmeasurable reputational risks that go along with fake gear touting your brand name. And with a price tag that high, I would imagine Cisco should spin up a whole department that could cost less than 1.2 billion dollars a year just to track down these counterfeit marketers. And who knows, maybe they do have that. If you work for one of these departments or you know of them, please leave a comment and let me know. But yeah, this really just highlights the need for more robust security measures in the military IT supply chain. By no means am I an expert in military spending, but I do know that there are actual laws, rules, and regulations that govern how the military spends money, and it involves opening up a bid for very large purchases where the lowest bidder wins the contract.
So in this case, the gear that this man, Dave Durden, sold to the U.S. military was valued well over a billion dollars. Yet the reason he was so successful is he was willing to sell it for 80 to 90 percent off, making only 100 million off of this gear. And though that is the fiscally responsible thing to do with U.S. taxpayers' money, you can see how this would sort of breed this environment for counterfeit gear, because you can't make the actual gear cost less than the counterfeit gear, so the counterfeit gear is going to win. And with the ease of spinning up eBay and Amazon Marketplace, I'm sure we'll see a lot more cases like this coming out in the near future. So in case you didn't know this, social engineering, which is the art of, as it sounds, engineering other people to do what you want them to do, is one of the most effective hacking techniques out there. And it doesn't involve writing a single line of code, or even using a computer at all, if you know what you're doing. It's just like it sounds, manipulating people into doing what you want them to do. So in this case, the Iranian state-backed threat actor known as APT42 has been using social engineering tactics, impersonating journalists and academics to breach corporate and cloud environments of Western and Middle Eastern targets. So they're essentially posing as these people to build trust and rapport with their targets. And then eventually they ask the target to download a Dropbox document or article or something related to their conversations. But instead of a document, they'll be downloading some custom backdoors named Nicecurl or Tamecat in order to gain command execution and data exfiltration capabilities. Now if you're curious to see what these accounts and fake journalists look like, check out the article by Bleeping Computer in the show notes. It contains some fun screenshots of profiles that are being used, and they look very convincing.
The documents that the targets will end up downloading often use what's called macros, which when opened up, it's like Word asks you if you'd like to enable macros to utilize the full potential of this document. And after having trust built with these threat actors, targets are much less likely to think twice when clicking accept. People, especially in corporate environments, are used to accepting security risks and accepting toggle boxes and all this stuff constantly throughout the day, so it's almost become mundane to do so. And this is just another example of that. But there is a good rule of thumb on this. If you download a document from the internet and you don't personally know someone who's sending it to you, don't enable macros, especially if it's just full of information. Macros are used to have more interactive documents because they allow these documents to open up applications and interact with other applications on your computer. You don't need that for journalistic articles or academic articles. Because, yeah, this allows for the document to do anything on your computer, depending on the permissions requested, such as launch custom backdoors and install malware. For the listeners who work in the InfoSec community, the article linked in the show notes by Bleeping Computer references a report by Google's Mandiant that contains some YARA rules for detecting these custom backdoors. So make sure to check those out and implement them in your or your customers' environments. And speaking of impersonating journalists, the NSA and FBI have issued a warning regarding the APT43 North Korea-linked hacking group exploiting weak email Domain-based Message Authentication, Reporting, and Conformance (DMARC) policies to carry out spear phishing attacks. The attackers are able to utilize misconfigured DMARC policies to send spoofed emails, posing as credible sources like journalists and academics specializing in East Asian affairs.
The goal of these spear phishing campaigns orchestrated by the DPRK is to gather intelligence on geopolitical events, foreign policy strategies of adversaries, and any information impacting the DPRK's interests by illicitly accessing targets' private documents and communications. The primary mission of APT43 operatives, which is also known as Kimsuky, is to provide stolen data and valuable geopolitical insight to the North Korean regime by compromising policy analysts and experts. So I personally don't know any policy analysts or experts, especially in this type of realm, but if you happen to be listening to this and you happen to be somebody who might be affected by this, pay extra attention to the emails you receive, validating their authenticity, especially from researchers in East Asian affairs. Again, if you work in information technology, the FBI recommends updating your DMARC security policies to utilize configurations outlined in another article by Bleeping Computer in the show notes below. This has been The Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don't forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.
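The DMARC warning in the episode above turns on one detail: a domain whose DMARC record is missing or carries p=none tells receiving mail servers to take no action on messages that fail SPF/DKIM alignment, so a message with a forged From address at that domain is delivered like any other. The NSA/FBI guidance was to set p=quarantine or p=reject and to include a rua= address so aggregate reports reveal who is spoofing the domain. The following is an added example for this page, not code from the episode, the NSA or the FBI: it parses DMARC TXT records and grades them against that guidance. The domains and records are constructed, and the DNS lookup is a dict stand-in so the block runs offline; a real check queries the _dmarc.<domain> TXT record.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed TXT records, as they would be returned for _dmarc.<domain>.
# The domains are documentation names and the records are made up.
SAMPLE_DNS = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.example.org": "v=DMARC1; p=reject; sp=reject; pct=100; "
                          "rua=mailto:agg@example.org; ruf=mailto:fail@example.org",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; pct=25",
    # example.edu publishes no _dmarc record at all
}


def parse_dmarc(record):
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part or "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


@dataclass
class DmarcAssessment:
    domain: str
    record: Optional[str]
    spoofable: bool
    issues: list = field(default_factory=list)


def assess_dmarc(domain, resolver):
    """Grade a domain's DMARC posture against the NSA/FBI guidance:
    p=quarantine or p=reject, applied to all failing mail, with aggregate reporting."""
    record = resolver(f"_dmarc.{domain}")
    if record is None:
        return DmarcAssessment(domain, None, True,
                               ["no _dmarc TXT record: receivers apply no policy"])
    tags = parse_dmarc(record)
    issues = []
    if tags.get("v", "").upper() != "DMARC1":
        issues.append("missing or invalid v=DMARC1 tag; receivers ignore the record")
        return DmarcAssessment(domain, record, True, issues)
    policy = tags.get("p", "").lower()
    if policy not in ("quarantine", "reject"):
        issues.append(f"p={policy or 'missing'}: spoofed mail is delivered normally")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p per the spec
    if sub_policy not in ("quarantine", "reject"):
        issues.append(f"sp={sub_policy}: subdomains remain spoofable")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 0
    if pct < 100:
        issues.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        issues.append("no rua= address: no aggregate reports, so spoofing goes unseen")
    spoofable = any(i.startswith(("p=", "sp=", "pct=")) for i in issues)
    return DmarcAssessment(domain, record, spoofable, issues)


def dict_resolver(zone):
    """Stand-in for a DNS TXT lookup so the example runs offline."""
    return lambda name: zone.get(name)


if __name__ == "__main__":
    lookup = dict_resolver(SAMPLE_DNS)
    for d in ("example.com", "example.org", "example.net", "example.edu"):
        a = assess_dmarc(d, lookup)
        print(f"{d:<12} spoofable={a.spoofable} record={a.record!r}")
        for issue in a.issues:
            print("   -", issue)
```

Run against the sample zone, only example.org passes; example.com has a record but p=none, which is exactly the misconfiguration the advisory describes, and example.net enforces on only a quarter of failing mail and collects no reports. When the resolver is replaced by a real TXT lookup, the same function can be run over every domain an organization sends mail from, including parked ones, which are the easiest to forge because nobody watches them.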
It's the most boring part of incident response. Skip it at your peril, however. In this interview, we'll talk to Joe Gross about why preparing for incident response is so important. There's SO MUCH to do, we'll spend some time breaking down the different tasks you need to complete long before an incident occurs. Resources 5 Best Practices for Building a Cyber Incident Response Plan This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about them! It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant's M-Trends! Finally, we've got some great essays that are worth putting on your reading list, including a particularly fun take on the Verizon DBIR by Kelly Shortridge. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-360
In this episode of The Cybersecurity Defenders Podcast, we discuss the GRU-backed cyber unit Sandworm, which was recently promoted to APT44 by Mandiant. Sandworm is a notorious hacking group, believed to be linked to Russia's military intelligence agency, the GRU. Known for its destructive cyberattacks, Sandworm has targeted various sectors worldwide, including energy, media, and election systems. Their activities are marked by the use of sophisticated malware and tactics that not only seek to steal information but also to disrupt critical infrastructure. The group gained international prominence with attacks like NotPetya in 2017, which caused billions of dollars in damage across multiple countries, emphasizing their capability to impact global cyber stability. The name "Sandworm" is inspired by the monstrous creatures from Frank Herbert's science fiction novel "Dune," reflecting the group's elusive and destructive nature. Over the years, Sandworm's operations have evolved, showcasing their adaptability and the increasing complexity of their attacks. This evolution highlights the growing challenges in cybersecurity, making the understanding of such threat actors crucial for developing robust defense strategies against state-sponsored cyber warfare.

YouTube video showing Sandworm attacking a Ukrainian power plant here.
Episode #56 - When the lights went out in Ukraine (Part 1)
Episode #74 - When the lights went out in Ukraine (Part 2)
Episode #16 - NotPetya
The DOJ indicts four Iranian nationals on hacking charges. Legislation to ban or force the sale of TikTok heads to the President's desk. A Russian hack group claims a cyberattack on an Indiana water treatment plant. A roundup of dark web data leaks. Mandiant monitors dropping dwell times. Bcrypt bogs down brute-forcing. North Korean hackers target defense secrets. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey. On our Industry Voices segment, Tony Velleca, CEO of CyberProof, joins us to explore some of the pain points that CISOs & CIOs are experiencing today, and how they can improve their cyber readiness. Ransomware may leave the shelves in Sweden's liquor stores bare. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guests Learning Layer On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe discuss content and study strategies for CISSP Domain 3 Security Architecture and Engineering, and discuss encryption and non-repudiation. Specifically they cover sub-domain 3.6, "Select and determine cryptographic solutions," which includes: Cryptographic life cycle Cryptographic method Public key infrastructure (PKI). Industry Voices On our Industry Voices segment, Tony Velleca, CEO of CyberProof, joins us to explore some of the pain points that CISOs & CIOs are experiencing today, and how they can improve their cyber readiness. 
Selected Reading Rewards Up to $10 Million for Information on Iranian Hackers (GB Hackers) Congress passes bill that could ban TikTok after years of false starts (Washington Post) Russian hackers claim cyberattack on Indiana water plant (The Record) Major Data Leaks from Honda Vietnam, US Airports, and Chinese Huawei/iPhone Users (SOCRadar® Cyber Intelligence Inc.) Global attacker median dwell time continues to fall (Help Net Security) New Password Cracking Analysis Targets Bcrypt (SecurityWeek) North Korean Hackers Target Dozens of Defense Companies (Infosecurity Magazine) Hackers hijack antivirus updates to drop GuptiMiner malware (Bleeping Computer) Sweden's liquor shelves to run empty this week due to ransomware attack (The Record) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show. Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
This episode reports on the danger of using expired open-source packages, a tool used by a Russian hacking group, and password advice.
Today, we discuss the deceptive world of the "Financial Hardship Department Scam," where unsuspecting Americans are tricked into revealing personal data with the false promise of government aid. Explore the intricacies of this scam and how to protect yourself from becoming a victim. This episode also sheds light on the alarming strategies of Russian Sandworm hackers and global brute-force attacks targeting VPN and SSH services, revealing a complex cybersecurity landscape.

Original URLs:
Financial Hardship Department Scam: https://cyberguy.com/privacy/the-unsubscribe-email-scam-is-targeting-americans/, https://malwaretips.com/blogs/financial-hardship-department-email-scam-explained/
Russian Sandworm Hackers: https://www.bleepingcomputer.com/news/security/russian-sandworm-hackers-pose-as-hacktivists-in-water-utility-breaches/
Cisco Warning on Brute-Force Attacks: https://thehackernews.com/2024/04/cisco-warns-of-global-surge-in-brute.html

Follow us on Instagram: https://www.instagram.com/the_daily_decrypt/
Thanks to Jered Jones for providing the music for this episode.
https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags for the Episode: Financial Hardship Department Scam, cybersecurity, Russian Sandworm hackers, brute-force attacks, VPN, SSH, email scams, government subsidies scam, cyber threats, cyber protection, Mandiant, Cisco

Search Phrases:
How to protect against Financial Hardship Department Scam
What is the Financial Hardship Department Scam
Russian Sandworm hackers in US utilities
Cisco alert on brute-force attacks
Cybersecurity threats in 2024
Email scams involving government aid
Preventing cyber attacks on VPN and SSH
How Russian hackers disguise as hacktivists
Identifying and preventing email scams
Latest cybersecurity reports from Cisco and Mandiant

Transcript
Apr18

Americans are being targeted by a sophisticated scam from the Financial Hardship Department, which promises government subsidies and stimulus checks as a facade to steal personal information and money. Stick around 'cause we're gonna give them a call. Russian Sandworm hackers, disguised as hacktivist groups, have infiltrated water utilities in the United States and Europe, executing sophisticated cyberattacks that manipulate public narratives in favor of Russia, according to recent findings by Mandiant. And finally, Cisco has issued an alert on a sharp rise in global brute force attacks targeting VPN and SSH services, revealing a sophisticated threat landscape that exploits Tor exit nodes and various anonymizing proxies since March 18th of 2024. What steps can organizations take to protect their networks from these global brute force attacks? So in recent news, a concerning scam from the Financial Hardship Department is targeting Americans across the country. This was actually brought to my attention from my mother. She reported something suspicious to her IT department, which is me. She received an email with the subject that was her full name, and inside the email was a very compelling argument.
That she was entitled to some sort of student loan forgiveness plan, and the money is available right away. And this specific scam isn't necessarily breaking news, but this type of scam, this category of scam, is very effective and very prevalent. And this is because of a thing called OSINT, or Open Source Intelligence, where people can use information they find online about you in order to get you to do things. So, if someone wrote you an email and they knew exactly how much student debt you had, and they knew your full name, and they knew you ran to school, you might be more enticed to give them a call, respond to the email, or even click a link. If you're interested in seeing this email and walking through all of the key indicators that this is not a legit email, and it is in fact a scam, I'm going to be posting a reel a little bit later today on our Instagram that will have the email, and we're going to go through each one of the indicators that this is a scam so that you can help protect yourself against this scam. But just at a high level, the email came from someone at hotmail.com. Nobody with any clout is going to email you from a personal email address. Step one. All right. Number two, there's a sense of urgency. It says that you have a case open, but for only one more day. So give us a call back at this number. And just for fun, I went ahead and gave this number a call using my Google Voice number and was ready to record it and talk to them and see what they were gonna try to get out of me and maybe give them some fake information. The email was received yesterday and since then the number has been decommissioned. Calling the scammer. Bummer. There are also some weird formatting issues with this email. And then at the bottom, it says you opted into advertising services, provides an address, and then it provides a URL to unsubscribe. This specific email is formatted so poorly that the URL doesn't even become clickable.
But they're trying to get you in two directions here. They're trying to get you to call and give up your information. And they're trying to get you to click this unsubscribe link. Now that kind of gets your wheels turning, doesn't it? Most emails have unsubscribe links, and most of them are from emails you might not even recognize. You just want to get them out of your inbox. Now trust me, I am all for inbox sanitization and organization, but clicking unsubscribe links as a habit is a bad one. Clicking any links in an email is a bad habit. And yes, unsubscribe is a URL that could take you wherever you want. And usually, when you're about to click it, you're kind of in a hurry, you're not really checking, you're not thinking about it. So attackers know this, and they're going to send you something you really don't want, and they're going to provide a link to unsubscribe. Probably don't click it. Instead, send it to spam. Send it to junk. Train your inbox to send that somewhere else where you don't have to worry about it. Even if the unsubscribe link isn't malicious, it can serve a different purpose. It can let attackers or scammers know that that email address is active. And it might actually ramp up the amount of spam, scam emails, or newsletters you may get, because people are interested in buying your email address if they know it's an active email address. So now you've just confirmed it, they might go sell it to some other people. It might actually increase the amount of spam you get. There is a service called unroll.me that can help consolidate and manage email subscriptions efficiently. It allows you to view all your subscriptions in one place and makes it easy to unsubscribe from them. Another thing you can do is use alias emails. So if you're an iPhone user, the iPhone will often prompt you to mask your email address. It's a good idea because you can delete that email address at any time.
If you start getting spam from it. You can also use tools like Fastmail or StartMail, and just generate a new email address that forwards to your normal email address. This will also help protect you and your privacy online because they're not just mapping one email address to your identity. Now they have to map tons and tons to keep track of you. So it'll help reduce trackers on Google. It'll help reduce the efficacy of certain attacks when your password is breached on the dark web. So for more tips and tricks, and for a further analysis on these scam emails, be Instagram later today. Cybersecurity firm Mandiant has exposed how the notorious Sandworm hacking group, linked to Russian military intelligence, has camouflaged its cyberattacks by masquerading as hacktivist groups. The Russian ensemble, known by aliases such as Black Energy, Seashell Blizzard, and Voodoo Bear, has been active since 2009, and their operations are accredited to Unit 74455 of Russia's GRU. Mandiant's latest findings suggest that Sandworm operates under several online personas to launch data leaks and disrupt operations. Notably, three hacktivist-branded Telegram channels named Zaxnet Team, Cyber Army of Russia Reborn, and SolSopec, that's Russian, have been instrumental in disseminating pro-Russian narratives and misleading the audience about the origin of the cyberattacks. These personas act independently, yet share a common goal of aligning their activities with Russian interests. So, before we move on, just a quick note on hacktivism. There are a few main motivators for attackers when placing an attack. Money, power, fame. And activism is a pretty popular one. So to help give an idea of what a hacktivist organization would be like, it's maybe a pro-Ukraine organization that's working to spread the truth about what's going on in a foreign war, and so they might be trying to actually hack the Russian government to help Ukraine, or something like that.
Their motivation is not money, so they're not out there trying to get credentials to their bank accounts and stuff like that. They're trying to work towards their organization's mission, which is to spread the truth about foreign wars in favor of a certain country. So these Russian attackers that are responsible for many attacks on U.S. critical infrastructure, especially water utilities, are gaining footholds by pretending to be a hacktivist group. Maybe they're pro-Russia, maybe they're pro-Ukraine. They're doing what they can to try to sway public opinion in Russia's favor, which involves all sorts of propaganda that I'm not even aware of. But Mandiant's report extends beyond the facade of hacktivism. They have traced back multiple cyber incidents to Sandworm, including attacks on water utilities in the U.S. and Poland, and hydroelectric facilities in France. The authenticity of these intrusions remains under investigation, but confirmation of related malfunctions by U.S. utility officials lends proof. Furthermore, Sandworm's influence operations are designed to bolster Russian wartime objectives by seeding misinformation and creating an illusion of widespread support for the war. The sophistication of these tactics illustrates a strategic shift from direct sabotage in Ukraine, where they targeted critical infrastructure like state networks and the power grid, to more nuanced cyber espionage, intrusion, and influence operations. Mandiant also highlights APT44's activities over the past year, including targeting NATO countries' electoral systems and engaging in intelligence collection to aid Russian military efforts. The threat posed by APT44 is severe, with ongoing operations focused on Ukraine and an elevated risk of interference in upcoming national elections and significant political events worldwide. So this election season, especially in the United States, is going to be absolutely crazy.
The simplicity of access that these foreign, quote, hacktivists or propaganda pushers have over the United States is huge. It's palpable. They can just create TikToks about something you're interested in, which is Ukraine and the things that are happening in this foreign war, and you share it, and the more it gets shared, the more validity it accumulates in people's eyes. And this rapid consumption of social media has almost completely forgotten about citing sources or doing any sort of further research into what you just saw on a 60-second video clip. So I encourage you personally to, I mean, first of all, don't spend too much time on social media. If you get, if you catch yourself doom scrolling, try to get off and go on a walk. And second of all, think about everything you watch as if it were a lie. How could this video be lying to you right now? How could this video be stretching the truth? You know, are these videos actually shot where they are? Are they in front of a green screen? What sources do these people have to claim what they're saying? Is what they're saying promoting a specific narrative? Maybe for Russia, maybe for Ukraine. And if so, that increases the likelihood that what they're saying is stretched or slightly untrue. So just as we have to look at every email with a lot of scrutiny, make sure we don't click any bad links, we also have to look at everything we consume, because our brains are very vulnerable to what we see. And the internet right now is just pushing what we already believe, further enforcing our misbeliefs. There's been a notable spike in brute force attacks globally, as reported by Cisco, specifically targeting devices such as VPNs, or virtual private networks, web application authentication interfaces, and SSH services. Cisco Talos experts pinpointed that these attacks have been originating from Tor exit nodes and various anonymizing tunnels and proxies since at least March 18th of 2024.
The implications of these attacks are serious, potentially leading to unauthorized network access, account lockouts, or even denial of service conditions. A range of devices have come under siege, including popular VPN solutions like Cisco Secure Firewall VPN, Checkpoint, Fortinet, SonicWall, along with RD Web services and brands such as Mikrotik, Draytek, and Ubiquiti. Stomp's foot on Ubiquiti. Cisco Talos has identified that the brute forcing attempts not only utilize generic credentials, but also valid usernames tied to specific organizations, indicating a methodical approach to this cybersecurity threat. The attack traffic, as analyzed, predominantly flows through known proxy services such as Tor, VPNgate, IPDEA proxy, BigMama proxy, SpaceProxies, NexusProxy, ProxyRack, etc. And details on the IP addresses and the credentials used in these attacks have been compiled and made accessible for the concerned parties to bolster their defenses. So check out the show notes if you want more IOCs of this, so that you can maybe set up some signature detections or behavior detections, etc. In parallel to these brute force incidents, Cisco has raised alarms about password spray attacks, etc. targeting remote access VPN services as well. This trend was highlighted alongside a recent disclosure from Fortinet FortiGuard Labs reporting the exploitation of a patched vulnerability in TP-Link Archer AX21 routers by DDoS botnet malware facilities. Which brings us back to our SOHO days, right? If you're running one of these routers, make sure it's patched. Make sure your home router is up to date. You don't want to be getting DDoS'd by a botnet. Or you don't want to be part of the botnet that does the DDoSing, excuse me. Security researchers Cara Lin and Vincent Lee from FortiGuard Labs underscore the continuous threat posed by botnets, which exploit IoT vulnerabilities relentlessly. They strongly advise users to remain vigilant against DDoS botnets and to apply patches promptly.
Cisco has provided several recommendations to mitigate the risks associated with these types of cyberattacks. These include enabling logging, okay, securing default remote access VPN profiles, and blocking connection attempts from identified malicious sources. Specific guidance involves implementing interface-level ACLs using the shun command and configuring control plane ACLs to further fortify network defenses against unauthorized access attempts. Moreover, Cisco suggests considering additional hardening implementations for RAVPN, such as adopting certificate-based authentication to enhance the security posture against these ongoing cyber threats. So I will definitely be taking a much deeper look at these IOCs for my own personal network, because yeah, this can apply to enterprises and this can apply to tech enthusiasts who set up VPNs to access their own home network. So let's, uh, not to point any fingers at myself, but that's definitely something I want to avoid being compromised. So if you're hearing this, IOCs in the show notes and let's stay ahead of this. And that's all we got for you today. Tomorrow, we're going to be releasing just a discussion episode about the key takeaways from HackspaceCon, which occurred last weekend. The two co-hosts from this podcast were lucky enough to be able to attend and boy, were we inspired. So if you're interested in hacking satellites or what kind of vulnerabilities satellites have, or other things that I never considered from a non-space background, be sure to check that episode out tomorrow.
We evaluate the leaked specs for Sony's upcoming PS5 Pro. Plus power demand from data centers is holding back AI development. What are the solutions? And US cybersecurity firm and Google subsidiary Mandiant said Wednesday that a hacking group with ties to the GRU was behind the January cyberattack that caused a tank at a water facility in Muleshoe, TX, to overflow.
Starring Tom Merritt, Sarah Lane, Scott Johnson, Roger Chang, Joe.
Link to the Show Notes.
In this episode of The Cybersecurity Defenders Podcast we have an in-depth talk about the cyber threat from China, with Adam Kozy and Daniel Velasquez.

Daniel started his career as a defender in the United States Marine Corps as an intelligence analyst where he served in Afghanistan - from there he went on to work with the Defense Intelligence Agency, Joint Special Operations Command and the CIA. After his service, he was a director at Mandiant and is now the Executive Vice President of OP[4] - a company providing security for critical devices and embedded systems.

Adam began his career as an intelligence analyst working with the Federal Bureau of Investigation where he provided all-source analysis of Asia-Pacific related cybersecurity issues. After the FBI, Adam was the principal intelligence analyst for the Asia cyber team at CrowdStrike. Currently, he is the founder of SinaCyber, which is a boutique consulting firm combining native Chinese language research and cyber intelligence expertise to create bespoke reports for government officials, technology firms, and financial institutions under threat from China's rampant cyber espionage campaigns.

The history of China and its people goes back to ancient times. It is a rich and beautiful culture that has given much to the world in the form of art, ideas and technology. When we talk about China or the Chinese in this podcast episode we are specifically talking about the Chinese Communist Party - or CCP - which is a group of elites offering an increasingly authoritarian world view and alternative model to Western ideals of democracy and freedom. The Chinese people themselves are not your enemy. Current laws in China make it easy for the CCP to co-opt its citizenry for use in intelligence operations, wittingly and unwittingly. Unnecessarily making this into a racial divide alienates the folks that can help us the most in the coming years and provides more ammunition for Beijing.

It was an incredible honor to speak with these two, and I hope you enjoy this conversation full of valuable information.

Adam's testimony before the U.S.-China Economic and Security Review Commission Hearing on "China's Cyber Capabilities: Warfare, Espionage, and Implications for the United States" here.
The Mandiant report on APT1 can be found here.
President Biden is set to sign an executive order restricting overseas sharing by data brokers. US Federal agencies warn of exploited Ubiquiti EdgeRouters. A new ransomware operator claims to have hacked Epic Games. A cross-site scripting issue leaves millions of WordPress sites vulnerable. The Rhysida ransomware group posts a multi-million dollar ransom demand on a Children's Hospital in Chicago. Mandiant tracks Chinese threat actors targeting Ivanti VPNs. The former head of DHS weighs in on a federal cyber insurance backstop. Domain registrars offer bulk name blocking for brands. Our guest, Magpie Graham, Principal Adversary Hunter Technical Director at Dragos, reviews the key findings of Dragos' Cybersecurity Year in Review report. Cameo celebrities are taken out of context for political gains.

CyberWire Guest
Guest Magpie Graham, Principal Adversary Hunter Technical Director at Dragos, reviews the key findings of Dragos' Cybersecurity Year in Review report. You can download a copy of the report here. To hear the full interview with Magpie, check out Control Loop.
Selected Reading
Biden Executive Order Targets Bulk Data Transfers to China (GovInfo Security)
FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation (HACKREAD)
Fortnite game developer Epic Games allegedly hacked (Cyber Daily)
LiteSpeed Cache Plugin XSS Flaw Exposes 4M+ Million Sites to Attack (Cyber Security News)
Ransomware gang seeks $3.4 million after attacking children's hospital (The Record)
Chinese Cyberspies Use New Malware in Ivanti VPN Attacks (SecurityWeek)
A Cyber Insurance Backstop (Schneier on Security)
Cyberwar Podcast with Kate and Alex - Special Guest Michael Chertoff
Registrars can now block all domains that resemble brand names (BleepingComputer)
Cameo is being used for political propaganda — by tricking the stars involved (NPR)
A zero-day hits Ivanti VPN customers. CISA highlights an active MS SharePoint Server flaw. Cisco patches a critical vulnerability. Atomic Stealer gets updates. Sensitive school emergency planning documents are exposed online. The FCC reports on risky communications equipment. The White House will introduce new cybersecurity requirements for hospitals. Mandiant explains their X-Twitter hack. Our guest is Palo Alto Networks' Unit 42's David Moulton, host of the new Threat Vector podcast. And we are shocked - shocked! - to learn that an online sex for money scheme is a scam.

CyberWire Guest
Guest David Moulton from Palo Alto Networks joins us to talk about Threat Vector. It's Unit 42's segment turned podcast on the N2K media network.

Selected Reading
Ivanti customers urged to patch vulnerabilities allegedly exploited by Chinese state hackers (The Record)
CISA Urges Patching of Exploited SharePoint Server Vulnerability (SecurityWeek)
Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272) (Help Net Security)
Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload (The Hacker News)
FCC's Reimbursement Program shows progress in removing national security risks from communication networks (Industrial Cyber)
After Barrage of Hacks, Hospitals Will Face New Federal Cybersecurity Rules Tied to Funding (The Messenger)
US School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak (WIRED)
Mandiant's X Account Was Hacked in Brute-Force Password Attack (Infosecurity Magazine)
Believing they would be paid a fortune for having sex with women, hundreds of Indian men scammed out of cash (Graham Cluley)
Media Forensics Hub of Clemson University uncovered a Chinese state-sponsored campaign to discredit scientists who say COVID originated from a lab in Wuhan, and escaped virologist Dr. Li-meng Yan is one of their top targets. By churning out thousands of offensive memes and spammy posts, the CCP government aims to discredit its critics and bury conversations under millions of bot accounts and fake profiles on Facebook, Twitter, and YouTube. The report says China organized "what is sometimes referred to as the 50 Cent Army, a collection of as many as two million social media users which make online comments at the direct behest of the state" and that the operation "has been called by different names by different analysts, including 'Spamouflage Dragon' (by the network analysis firm Graphika) and 'Dragonbridge' (by the Google owned cybersecurity firm Mandiant) and has been operating continuously since, at least, April 2017."

Dr. Li-meng Yan (AKA Dr. Yan Limeng, 闫丽梦 or 閆麗夢) is a Chinese virologist known for her publications and interviews alleging that SARS-CoV-2 was made in a Chinese government laboratory. She came to the United States in 2020, where she has co-authored several preprint research papers that are intended to back up her claims. Follow Dr. Yan at https://x.com/DrLiMengYAN1 and listen to her show "The Voice of Dr. Yan" on America Out Loud Radio Network at https://www.americaoutloud.com/voice-of-dr-yan/

「 MEDICAL NOTE 」
Portions of this program may examine countervailing views on important medical issues. Always consult your personal physician before making any decisions about your health.

「 ABOUT THE SHOW 」
Ask Dr. Drew is produced by Kaleb Nation (https://kalebnation.com) and Susan Pinsky (https://twitter.com/firstladyoflove). This show is for entertainment and/or informational purposes only, and is not a substitute for medical advice, diagnosis, or treatment.

「 ABOUT DR. DREW 」
Dr. Drew is a board-certified physician with over 35 years of national radio, NYT bestselling books, and countless TV shows bearing his name. He's known for Celebrity Rehab (VH1), Teen Mom OG (MTV), The Masked Singer (FOX), multiple hit podcasts, and the iconic Loveline radio show. Dr. Drew Pinsky received his undergraduate degree from Amherst College and his M.D. from the University of Southern California, School of Medicine. Read more at https://drdrew.com/about
Sandworm was in Kyivstar's networks for months. Museums face online outages. Emsisoft suggests a ransomware payment ban. An ambulance service suffers a data breach. Mandiant's social media gets hacked. GXC Team's latest offerings in the C2C underground market. 23andMe blames their breach on password reuse. Lawyers are using outdated encryption. On today's Threat Vector segment, David Moulton chats with Garrett Boyd, senior consultant at Palo Alto Networks Unit 42, about the importance of internal training and mentorship in cybersecurity. And in Russia, holiday cheers turn to political jeers.

CyberWire Guest
Today's Threat Vector segment with David Moulton features Garrett Boyd, a senior consultant at Unit 42 by Palo Alto Networks with a background as a Marine and professor, who discusses the importance of internal training and mentorship in cybersecurity. He provides insights into how training prepares professionals for industry challenges and how mentorship fosters professional growth and innovation. Garrett emphasizes the need for a mentorship culture in organizations and the responsibility of both mentors and mentees in this dynamic. The episode highlights the transformative impact of mentorship through personal experiences and concludes with an invitation for listeners to share their stories and a reminder to stay vigilant in the digital world.

Threat Vector
To learn what is top of mind each month from the experts at Unit 42, sign up for their Threat Intel Bulletin.

Selected Reading
Compromised accounts and C2C markets. Cyberespionage and state-directed hacktivism. (CyberWire)
Exclusive: Russian hackers were inside Ukraine telecoms giant for months (Reuters)
Hackers linked to Russian spy agency claim cyberattack on Ukrainian cell network (Reuters)
Museum World Hit by Cyberattack on Widely Used Software (The New York Times)
The State of Ransomware in the U.S.: Report and Statistics 2023 (Emsisoft)
Nearly 1 million affected by ambulance service data breach (The Record)
Mandiant's account on X hacked to push cryptocurrency scam (Bleeping Computer)
Cybercriminals Implemented Artificial Intelligence (AI) For Invoice Fraud (Resecurity)
23andMe tells victims it's their fault that their data was breached (TechCrunch+)
The Curious Case of MD5 (katelynsills)
Firmware prank causes LED curtain in Russia to display 'Slava Ukraini' — police arrest apartment owner (The Record)