CyberWire Daily

N2K Networks
Aug 30, 2023 • 30min

An international hunt bags Qakbot’s infrastructure. Anticipating remediation. Adversaries in the middle. More effective phishbait. Air travel disruption was a glitch, not an attack. Hybrid war update.

An international operation takes down Qakbot. Chinese threat actors anticipated Barracuda remediations. A look at adversary-in-the-middle attacks, making phishbait more effective, and the emergence of a new ransomware threat. Narrative themes in Russian influence operations. My conversation with Natasha Eastman (CISA), Bill Newhouse (NIST), and Troy Lange (NSA) about their recent joint advisory on post-quantum readiness. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Cyber Threat Alliance President and CEO Michael Daniel about the current state of cybercrime. And when toilet bowls are outlawed, only outlaws will have toilet bowls.

Listen to the full conversation with Natasha Eastman, Bill Newhouse, and Troy Lange here: A joint advisory on post-quantum readiness.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/165

Selected reading.
Operation Duck Hunt bags Qakbot. (CyberWire)
FBI, Partners Dismantle Qakbot Infrastructure in Multinational Cyber Takedown (Federal Bureau of Investigation)
Qakbot Malware Disrupted in International Cyber Takedown (US Department of Justice)
Law Enforcement Takes Down Qakbot (Secureworks)
Qakbot: Takedown Operation Dismantles Botnet Infrastructure (Symantec)
Chinese APT Was Prepared for Remediation Efforts in Barracuda ESG Zero-Day Attack (SecurityWeek)
Phishing-as-a-Service Gets Smarter: Microsoft Sounds Alarm on AiTM Attacks (The Hacker News)
The Lure of Subject Lines in Phishing Emails - How Threat Actors Utilize Dates to Trick Victims (Cofense)
The Emergence of Ransomed: An Uncertain Cyber Threat in the Making (Flashpoint)
Cancelled flights: Air traffic disruption caused by flight data issue (BBC News)
Russian Offensive Campaign Assessment, August 29, 2023 (Institute for the Study of War)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Aug 30, 2023 • 23min

A joint advisory on post-quantum readiness. [Special Edition]

In this extended interview, Dave Bittner sits down with Natasha Eastman from the Cybersecurity and Infrastructure Security Agency (CISA), Bill Newhouse from the National Institute of Standards and Technology (NIST), and Troy Lange from the National Security Agency (NSA) to discuss their recent joint advisory on post-quantum readiness and how to prepare for post-quantum cryptography.

You can find the joint advisory here: Quantum-Readiness: Migration to Post-Quantum Cryptography

Quantum computing: A threat to asymmetric encryption.
Aug 29, 2023 • 26min

Name collision. Spawn of LockBit. Quishing the unwary and the hasty. Trends in healthcare cybersecurity. Inquiries surrounding Russia’s hybrid war against Ukraine.

Name collision as a DNS risk. A LockBit derivative is active against targets in Spain. QR codes as phishbait. Cybersecurity trends in healthcare. A Russian hacktivist auxiliary hits Polish organizations, while investigation of railroad incidents in Poland continues. Ben Yelin looks at the SEC cracking down on NFTs. Mr. Security Answer Person John Pescatore opens up the listener mail bag. And a look at a probably accidental glitch affecting air travel in the UK.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/164

Selected reading.
What's in a name? Strange behaviors at top-level domains creates uncertainty in DNS (Cisco Talos)
Spain warns of LockBit Locker ransomware phishing attacks (BleepingComputer)
Think Before You Scan: The Rise of QR Codes in Phishing (Trustwave SpiderLabs)
78% of Healthcare Organizations Experienced Cyber Incidents in Past Year, 60% of Which Impacted Patient Care (Claroty)
Polish stock exchange, banks knocked offline by pro-Russian hackers (Cybernews)
Two Men Arrested Following Poland Railway Hacking (SecurityWeek)
Century-old technology hack brought 20 trains to a halt in Poland (Cybernews)
Poland investigates train mishaps for possible Russian connection (Washington Post)
Flight chaos ‘to last for days’ after air traffic control failure (The Telegraph)
UK flight chaos could last for days, airline passengers warned (The Guardian)
Government can’t rule out cyber attack caused air traffic chaos (MSN)
Aug 28, 2023 • 28min

DPRK's Lazarus Group exploits ManageEngine issues. SIM swapping as a threat to organizations. Ransomware hits a cloud provider. Spawn of LockBit. Train whistling. Influence laundering.

The DPRK's Lazarus Group exploits ManageEngine issues. A data breach at Kroll is traced to SIM swapping. Unusually destructive ransomware hits CloudNordic. Spawn of LockBit. Polish trains are disrupted by hacktivists. Rick Howard looks at the MITRE ATT&CK framework. Our guests are Andrew Hammond and Erin Dietrick from the International Spy Museum. And influence laundering as a long-term disinformation tactic.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/163

Selected reading.
North Korean APT Hacks Internet Infrastructure Provider via ManageEngine Flaw (SecurityWeek)
Lazarus Group exploited ManageEngine vulnerability to target critical infrastructure (Help Net Security)
Cyber scams keep North Korean missiles flying (Radio Free Asia)
Claimant Data Breached in Genesis, FTX and BlockFi Bankruptcy Cases (Wall Street Journal)
Kroll data breach exposes info of FTX, BlockFi, Genesis creditors (BleepingComputer)
Crypto investor data exposed by a SIM swapping attack against a Kroll employee (Security Affairs)
Kroll Employee SIM-Swapped for Crypto Investor Data (KrebsOnSecurity)
Kroll Suffers Data Breach: Employee Falls Victim to SIM Swapping Attack (The Hacker News)
FTX bankruptcy handler Kroll discloses data breach (The Stack)
CloudNordic Faces Severe Data Loss After Ransomware Attack (Hackread)
CloudNordic loses most customer data after ransomware attack (TechTarget Security)
Lockbit leak, research opportunities on tools leaked from TAs (SecureList)
LockBit 3.0 Ransomware Builder Leak Gives Rise to Hundreds of New Variants (The Hacker News)
Poland investigates cyber-attack on rail network (BBC News)
Poland investigates hacking attack on state railway network (Reuters)
Hackers bring down Poland’s train network in massive cyber attack (Ticker News)
The Cheap Radio Hack That Disrupted Poland's Railway System (WIRED)
Russia Pushes Long-Term Influence Operations Aimed at the U.S. and Europe (New York Times)
Newly declassified US intel claims Russia is laundering propaganda through unwitting Westerners (CNN Politics)
Aug 27, 2023 • 8min

Dina Haines: Keep the boat afloat. [Partnership manager] [Career Notes]

This week, we welcome Dina Haines, an Industry Partnership Manager with the National Security Agency's Cybersecurity Collaboration Center. Dina found that from a young age she was always interested in the field, taking after her father, who worked in the space industry, which paved the way for her to fall in love with the field. She worked in the private sector for a bit, moving around every now and again, eventually landing the position she holds now. Dina says her day-to-day job is helping the NSA to bend and protect cyberspace by bringing in private industry. She says "I try to spend a lot of time listening and seeing where people, where they're coming from, where they're at, you know, potentially in their career, where they're at in their job that day, and then try to, um, support them and bring them up and, and float the entire boat." We thank Dina for sharing her story with us.
Aug 26, 2023 • 17min

Google's not being ghosted from vulnerabilities. [Research Saturday]

Tal Skverer from Astrix Security joins to discuss their work on "GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts." Astrix’s Security Research Group revealed a 0-day flaw in Google’s Cloud Platform (GCP) on June 19, 2022, which was found to affect all Google users. The research states "The vulnerability, dubbed “GhostToken”, could allow threat actors to change a malicious application to be invisible and unremovable, effectively leaving the victim’s Google account infected with a trojan app forever." Google issued a patch for this vulnerability in April of this year, but the researchers explain why it can still be severe.

The research can be found here: GhostToken – Exploiting GCP application infrastructure to create invisible, unremovable trojan app on Google accounts
Aug 25, 2023 • 27min

Phishing kits in the C2C market. Cyberespionage, Pyongyang and Beijing editions. Ransomware under the radar. A new hacktivist group says it doesn’t much care for NATO corruption.

Telekopye and the rise of commodified phishing kits. Lazarus Group fields new malware. Implications of China's campaign against vulnerable Barracuda appliances. Abhubllka ransomware's targeting and low extortion demands. Malek Ben Salem of Accenture outlines the implications of generative AI for spam detection. Jeff Welgan, Chief Learning Officer at N2K Networks, unpacks the NICE framework and strategic workforce intelligence. And a new hacktivist group emerges and takes a particular interest in NATO members.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/162

Selected reading.
eBay Users Beware Russian 'Telekopye' Telegram Phishing Bot (Dark Reading)
Telekopye: Hunting Mammoths using Telegram bot (ESET)
Lazarus Group's infrastructure reuse leads to discovery of new malware (Cisco Talos Blog)
FBI fingers China for attacks on Barracuda email appliances (Register)
Suspected PRC Cyber Actors Continue to Globally Exploit Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) (FBI)
Identifying ADHUBLLKA Ransomware: LOLKEK, BIT, OBZ, U2K, TZW Variants (Netenrich)
Ransomware ecosystem targeting individuals, small firms remains robust (Record)
Ransomware With an Identity Crisis Targets Small Businesses, Individuals (Dark Reading)
Hacking group KittenSec claims to 'pwn anything we see' to expose corruption (CyberScoop)
Aug 24, 2023 • 27min

Trends in the cybercriminal underworld. The prosecution of Lapsus$ and Tornado Cash. More developments in Russia’s hybrid war.

There’s a new sophistication in BEC campaigns. Trends in brand impersonation: crooks still like to pretend they’re from Redmond. The future of Russian influence operations in the post-Prigozhin era. Andrea Little Limbago from Interos shares insights on the new cyber workforce strategy. In our latest Threat Vector segment, David Moulton of Palo Alto Networks is joined by Stephanie Ragan, Senior Consultant at Unit 42, to discuss Muddled Libra. And more on the doxing of a deputy Duma chair, who seems to have been selling hot iPhones as a side hustle (maybe). And the growing problem of synthetic identity fraud.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/162

Selected reading.
BEC Trends: Payroll Diversion Dominates and Sneaky Multi-Persona Attacks Emerge (Trustwave)
Q2 2023 Threat Landscape Report: All Roads Lead to Supply Chain Infiltrations (Kroll)
Microsoft Impersonated Most in Phishing Attacks Among Nearly 350 Brands (Abnormal Security)
TransUnion Analysis Finds Synthetic Identity Fraud Growing to Record Levels (TransUnion)
Ukraine at D+546: Yevgeny Prigozhin dies in a plane crash. (CyberWire)
Without Prigozhin, expect some changes around the edges on Russian influence operations (Washington Post)
2023 H1 Global Threat Analysis Report (Radware)
Lapsus$: Court finds teenagers carried out hacking spree (BBC News)
British court convicts two teen Lapsus$ members of hacking tech firms (Record)
Treasury Designates Roman Semenov, Co-Founder of Sanctioned Virtual Currency Mixer Tornado Cash (U.S. Department of the Treasury)
Tornado Cash Founders Charged With Money Laundering And Sanctions Violations (U.S. Attorney for the Southern District of New York)
Russian Duma leader’s emails hacked and leaked (Cybernews)
Ukrainian hackers expose money laundering and sanction evasion by senior Russian politician (teiss)
Aug 23, 2023 • 29min

A creepy new geolocation payload for Smoke Loader. Speed of criminal attack, malware delivery, and the evolution of malicious AI. Ransomware at a Belgian social services agency.

The Smoke Loader botnet has a creepy new payload. Ransomware gets faster. How AI has evolved in malicious directions. The Snatch ransomware gang threatens to snitch. The FSB continues to use both USBs and phishing emails as attack vectors. A ransomware attack shutters Belgian social service offices. Tim Starks from the Washington Post explains a Biden administration win in a DC court. Our guest Ben Sebree of CivicPlus describes how the public sector could combat cybercrime during cloud adoption. And the deadline for comment on US cybersecurity regulations? It’s been extended.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/161

Selected reading.
Smoke Loader Drops Whiffy Recon Wi-Fi Scanning and Geolocation Malware (SecureWorks)
Time keeps on slippin’ slippin’ slippin’: The 2023 Active Adversary Report for Tech Leaders (Sophos News)
HP Wolf Security Threat Insights Report Q2 2023 (HP Wolf Security)
Barracuda XDR Insights: How AI learns your patterns to protect you (Barracuda)
Deep Instinct Study Finds Significant Increase in Cybersecurity Attacks Fueled by Generative AI (Deep Instinct)
Cyberattack on Belgian social service centers forces them to close (Record)
Ukraine’s Military Hacked by Russian Backed USB Malware (Ophtek)
Request for Information on Cyber Regulatory Harmonization; Request for Information: Opportunities for and Obstacles To Harmonizing Cybersecurity Regulations (Federal Register)
Aug 22, 2023 • 30min

A cyberespionage operation of unclear provenance shifts its targets. Cyberattacks on voting in Ecuador. Other notes from the cyber underworld. And doxing the Duma.

HiatusRAT shifts its targets. Ecuador's difficulties with voting are attributed to cyberattacks. Carderbee is an APT targeting Hong Kong. auDA (OOO-duh) turns out not to have been breached. Ukrainian hacktivists claim to dox a senior member of Russia's Duma. Russian influence operations take aim at NATO's July summit. Joe Carrigan describes attacks on LinkedIn accounts. Our guest is John Hernandez from Quest to discuss why he believes the MOVEit flaw is a wakeup call for CISOs. Security, not by obscurity, but by typo.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/160

Selected reading.
HiatusRAT Malware Resurfaces: Taiwan Firms and U.S. Military Under Attack (The Hacker News)
New HiatusRAT campaign targets Taiwan and U.S. military procurement system (Security Affairs)
HiatusRAT Returns after a Hiatus in a Fresh Wave of Attacks (Cyware Labs)
No rest for the wicked: HiatusRAT takes little time off in a return to action (Lumen)
Ecuador’s national election agency says cyberattacks caused absentee voting issues (Record)
Carderbee: APT Group use Legit Software in Supply Chain Attack Targeting Orgs in Hong Kong
Resolution of cyber incident (auDA)
Ukrainian hackers claim to leak emails of Russian parliament deputy chief (Record)
Summit Old, Summit New (Graphika)
Summit Old, Summit New: Russia-Linked Actors Leverage New and Old Tactics in Influence Operations Targeting Online Conversations About NATO Summit (Graphika)
The simple typo that stopped bank robbers from stealing $1 billion (LAD Bible)