CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes
Sep 9, 2023 • 17min
No honor in being a criminal. [Research Saturday]
This week, our guest is Reece Baldwin from Kasada, discussing their work on "No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign." The Kasada Threat Intelligence team has recently identified a malware campaign targeting users of OpenBullet, a tool popular within criminal communities for conducting credential stuffing attacks.

This malware campaign was first uncovered when the team was digging around in a Telegram channel set up to share OpenBullet configurations. Reading through a few of the configurations, they identified a function ostensibly designed to bypass Google’s reCAPTCHA anti-bot solution. The research states: "While the versatility of OpenBullet’s configuration files enable complex attacks, they can also make it difficult for inexperienced attackers to fully understand what requests are being created and what data is being retrieved."

The research can be found here:
No Honour Amongst Thieves: Unpacking a New OpenBullet Malware Campaign

Learn more about your ad choices. Visit megaphone.fm/adchoices

Sep 8, 2023 • 31min
Apple issues an emergency patch. Aerospace sector under attack. DPRK spearphishes security researchers. Notes from the hybrid war, including Starlink’s judgments on jus in bello.
Apple issues emergency patches. "Multiple nation-state actors" target the aerospace sector. The DPRK targets security researchers. SpaceX interrupted service to block a Ukrainian attack against Russian naval units last year. The International Criminal Court will prosecute cyber war crimes. Operation KleptoCapture extends to professional service providers. Malek Ben Salem of Accenture ponders the long-term reliability of LLM-powered applications. Our guest is Elliott Champion from CSC on how cybercriminals are taking advantage of the Threads platform. And congratulations to the SINET 16.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/172

Selected reading.
BLASTPASS: NSO Group iPhone Zero-Click, Zero-Day Exploit Captured in the Wild (The Citizen Lab)
Apple issues software updates after spyware discoveries (Washington Post)
Apple patches two zero-days under attack (CVE-2023-41064, CVE-2023-41061) (Help Net Security)
CISA, FBI, and CNMF Release Advisory on Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Cybersecurity and Infrastructure Security Agency CISA)
Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Cybersecurity and Infrastructure Security Agency CISA)
AA23-250A: Multiple Nation-State Threat Actors Exploit CVE-2022-47966 and CVE-2022-42475 (Tenable)
CISA Warning: Nation-State Hackers Exploit Fortinet and Zoho Vulnerabilities (The Hacker News)
Active North Korean campaign targeting security researchers (Google)
Rigged Software and Zero-Days: North Korean APT Caught Hacking Security Researchers (SecurityWeek)
Musk 'switched off Starlink in Ukraine over nuclear fears' (Computing)
CNN Exclusive: 'How am I in this war?': New Musk biography offers fresh details about the billionaire's Ukraine dilemma (CNN)
Ukraine, US Intelligence Suggest Russia Cyber Efforts Evolving, Growing (Voice of America)
The International Criminal Court Will Now Prosecute Cyberwar Crimes (WIRED)
Technology Will Not Exceed Our Humanity (Digital Front Lines)
Justice Department’s Oligarch Hunters Widen Scope to Include Facilitators (Wall Street Journal)
Apple issues emergency patches. APTs target aerospace sector. DPRK targets security researchers. New BEC phishing kit. Notes from the hybrid war. ICC will prosecute cyber war crimes. SINET 16 announced. (CyberWire)

Sep 7, 2023 • 27min
Microsoft releases results of investigation into cloud email compromise. A buggy booking service. Adversary emulation for OT networks. Identity protection trends. Notes from the hybrid war.
Microsoft releases the results of its investigation into the cloud email compromise. A vulnerability affects a resort booking service. Adversary emulation for OT networks. Identity protection and identity attack surfaces. Sanctioning privateers (with a bonus on vacation ideas). Rob Boyce from Accenture Security tracks new trends in ransomware. Our Threat Vector segment features "Mastering IR Sniping: A Deliberate Approach to Cybersecurity Investigations" with Chris Brewer. And Estonia warns of ongoing cyber threats.

On this segment of Threat Vector, Chris Brewer, a Director at Unit 42 and expert in digital forensics and incident response, joins host David Moulton to discuss Mastering IR Sniping: A Deliberate Approach to Cybersecurity Investigations.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/171

Threat Vector links.
Sniper Incident Response from Cactus Con on GitHub
Sniper Incident Response presentation by Chris Brewer on YouTube

Selected reading.
Results of Major Technical Investigations for Storm-0558 Key Acquisition (Microsoft Security Response Center)
Check-Out With Extra Charges - Vulnerabilities in Hotel Booking Engine Explained (Bitdefender)
Deep Dive into Supply Chain Compromise: Hospitality's Hidden Risks (Bitdefender)
MITRE and CISA release Caldera for OT attack emulation (Security Affairs)
MITRE Caldera for OT now available as extension to open-source platform (Help Net Security)
Silverfort and Osterman Research Report Exposes Critical Gaps in Identity Threat Protection (Silverfort)
United States and United Kingdom Sanction Additional Members of the Russia-Based Trickbot Cybercrime Gang (US Department of the Treasury)
Estonian PM: cyberspace is Ukraine war frontline (Euromaidan Press)
Cyberwar and Conventional Warfare in Ukraine (19FortyFive)

Sep 6, 2023 • 31min
Agent Tesla still hits unpatched systems. Hot wallet hacks. AI and DevSecOps. Notes on Fancy Bear and NoName057(16). And some curious trends in the cyber labor market.
There’s a new Agent Tesla variant. Lost credentials and crypto wallet hacks. Tension between DevSecOps and AI. Fancy Bear makes an attempt on Ukrainian energy infrastructure. A look at NoName057(16). Tim Starks from the Washington Post's Cybersecurity 202. Simone Petrella and Helen Patton discuss People as a security first principle. And cybersecurity jobs seem to be getting tougher (say the people who are doing them).

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/170

Selected reading.
New Agent Tesla Variant Being Spread by Crafted Excel Document (Fortinet Blog)
World's Largest Cryptocurrency Casino Stake Hacked for $41 Million (Hackread)
Crypto casino Stake.com loses $41 million to hot wallet hackers (BleepingComputer)
Experts Fear Crooks are Cracking Keys Stolen in LastPass Breach (KrebsOnSecurity)
Global DevSecOps Report on AI Shows Cybersecurity and Privacy Concerns Create an Adoption Dilemma (GitLab)
APT28 cyberattack: msedge as a bootloader, TOR and mockbin.org/website.hook services as a control center (CERT-UA#7469) (CERT-UA)
Ukraine's CERT Thwarts APT28's Cyberattack on Critical Energy Infrastructure (The Hacker News)
Ukraine says an energy facility disrupted a Fancy Bear intrusion (Record)
What's in a NoName? Researchers see a lone-wolf DDoS group (Record)
New Research from TechTarget’s Enterprise Strategy Group and the ISSA Reveals Continuous Struggles within Cybersecurity Professional Workforce (ISSA International)
Life and Times 2023 Download Landing Page (ISSA International)
E-book: The Life and Times of Cybersecurity Professionals Volume VI (ESG Global)
Layoffs list extended by Malwarebytes, Fortinet, Veriff, SecureWorks (Cybernews)

Sep 5, 2023 • 29min
In today’s symposium, we talk about a new strand of Chae$ malware, some developments in social engineering, privateers in a hybrid war, cyber ops as combat support, and some default passwords.
A new variant of Chae$ malware is described. A "Smishing Triad" impersonates postal services. A MinIO storage exploit is reported. Okta warns of attackers seeking senior admin privileges. LockBit compromises a UK security contractor. DDoS takes down a German financial regulator's site. Infamous Chisel as GRU combat support. Joe Carrigan on Meta uncovering a Chinese influence effort. Our guest is Connie Stack, CEO of Next DLP, discussing data breach notification procedure. And please, PLEASE, remember to change your default passwords.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/169

Selected reading.
Threat Profile: Chae$ 4 Malware (Morphisec)
"Smishing Triad" Targeted USPS and US Citizens for Data Theft (Resecurity)
'Smishing Triad' Targeted USPS and US Citizens for Data Theft (Security Affairs)
New Attack Vector In The Cloud: Attackers caught exploiting Object Storage Services (Security Joes)
Hackers exploit MinIO storage system to breach corporate networks (BleepingComputer)
Okta Warns of Social Engineering Attacks Targeting Super Administrator Privileges (The Hacker News)
More Okta customers trapped in Scattered Spider's web (Register)
Cross-Tenant Impersonation: Prevention and Detection (Okta Security)
Breaking: UK MoD attacked by LockBit (Computing)
German financial agency site disrupted by DDoS attack since Friday (BleepingComputer)
LogicMonitor customers hacked in reported ransomware attacks (BleepingComputer)
LogicMonitor customers hit by hackers, because of default passwords (TechCrunch)

Sep 4, 2023 • 12min
Interview Select: Jeff Welgan, Chief Learning Officer at N2K Networks, is expanding on the NICE framework in strategic workforce intelligence. [Interview selects]
This interview from August 25th, 2023 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Jeff Welgan, Chief Learning Officer at N2K Networks, to expand on the NICE framework in strategic workforce intelligence.

Sep 3, 2023 • 8min
Rick Doten: There is a rainbow of different roles in cybersecurity. [VP] [Career Notes]
This week's guest is Rick Doten, the VP of Information Security at Centene Corporation. He sits down to share his story and provide wise words of wisdom after conquering this industry for 30 years. Rick, like many others in the field, started off not knowing what he wanted to do, so he tried out a few things, including end-user training and desktop support, eventually evolving to do systems analysis work and designing software. Rick shares that his main day-to-day roles are spending time helping out the corporate global CISO, CTO, and head of platform within the organization; he shares that his nickname is "the neighborhood cat" because he's everywhere. Rick shares advice for people getting into the industry for the first time, saying "There is a rainbow of different roles in cyber security, and I feel like I've done all of them in the last 30 years. So there are different things that, that you, the thing that like appeal to you the most because you're going to excel and want to hyper focus on the thing that you really, really are interested in and not the thing that you're not." We thank Rick for sharing his story with us.

Sep 2, 2023 • 30min
Thwarting Muddled Libra. [Research Saturday]
Kristopher Russo and Stephanie Regan from Palo Alto Networks Unit 42 join Dave to talk about "Threat Group Assessment: Muddled Libra." With an intimate knowledge of enterprise information technology, this threat group presents a significant risk even to organizations with well-developed legacy cyber defenses.

Posing threats to organizations in the software automation, BPO, telecommunications and technology industries, Muddled Libra is a threat group that favors targeting large outsourcing firms serving high-value cryptocurrency institutions and individuals.

The research can be found here:
Threat Group Assessment: Muddled Libra

Sep 1, 2023 • 32min
DPRK cyberespionage update. New cybercriminal TTPs. The state of DevSecOps. Hacktivism and the nation-state. Cyberwar lessons learned. A free decryptor for Key Group ransomware.
A VMConnect supply chain attack is connected to the DPRK. Reports of an allegedly "fully undetectable information stealer." DB#JAMMER brute forces exposed MSSQL databases. A cyberattack on a Canadian utility. The state of DevSecOps. A look at hacktivism, today and beyond. Betsy Carmelite from Booz Allen on threat intelligence as part of a third-party risk management program. Our guest is Adam Marré from Arctic Wolf Networks, with an analysis of Chinese cyber tactics. And a free decryptor is released for Key Group ransomware.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/168

Selected reading.
VMConnect supply chain attack continues, evidence points to North Korea (ReversingLabs)
Securonix Threat Labs Security Advisory: Threat Actors Target MSSQL Servers in DB#JAMMER to Deliver FreeWorld Ransomware (Securonix)
Montreal electricity organization latest victim in LockBit ransomware spree (Record)
LockBit ransomware gang targets electrical infrastructure organization in Montreal (teiss)
[Analyst Report] SANS 2023 DevSecOps Survey (Synopsys)
SANS 2023 DevSecOps Survey (Application Security Blog)
Government Agencies Report New Russian Malware Targets Ukrainian Military (National Security Agency/Central Security Service)
Russian military hackers take aim at Ukrainian soldiers' battle plans, US and allies say (CNN)
Ukraine: The First Cyber Lessons (AFCEA International)
The Return of Hacktivism: A Temporary Reprise or Here for Good? (ReliaQuest)
Decrypting Key Group Ransomware: Emerging Financially Motivated Cyber Crime Gang (EclecticIQ)

Aug 31, 2023 • 27min
GREF and Earth Estries from China. GRU’s Sandworm surfaces again, wielding “Infamous Chisel.” Hacktivist nuisances in the hybrid war. A zero-day is discovered. And the Wolverines are back online.
China deploys tools used against Uyghurs in broader espionage. The Five Eyes call out a GRU cyberespionage campaign. Russian hacktivist auxiliaries hit Czech banks and the platform formerly known as Twitter. A Spring-Kafka zero-day is discovered. Deepen Desai from Zscaler explains RedEnergy Stealer-as-a-Ransomware attacks. Luke Nelson of UHY Consulting on ransomware’s impact on schools. And, hey, go Wolverines: the University of Michigan overcomes a cyberattack that delayed the academic year.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/167

Selected reading.
BadBazaar espionage tool targets Android users via trojanized Signal and Telegram apps (We Live Security)
Earth Estries Targets Government, Tech for Cyberespionage (Trend Micro)
Infamous Chisel Malware Analysis Report (Cybersecurity and Infrastructure Security Agency CISA)
UK and allies support Ukraine calling out Russia's GRU for new malware campaign (NCSC)
Hackers Attack Czech Banks, Demanding End of Support For Ukraine (Brno Daily)
More Russian attacks on Czech banks: Hackers call for end of support to Ukraine (Expats.cz)
Anonymous Sudan hacks X to put pressure on Elon Musk over Starlink (BBC News)
Contrast Assess uncovers Spring-Kafka deserialization zero day (Contrast Security)
U. Michigan restores campus internet after cyberattack disrupts first week of classes (EdScoop)
Internet restored on University of Michigan campus, ongoing issues still expected (mlive)
University of Michigan isn't disclosing details of internet outage cyberattack (Detroit Free Press)
Expert weighs in on school cyberattacks as University of Michigan makes progress on internet outages (CBS News)
