

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Aug 21, 2023 • 23min
DPRK tried to hit RoK-US military exercises. Australian domain administrator auDA may have been breached. WoofLocker's tech support scam. US warns of cyber threats to space systems.
Deepen Desai from Zscaler shares ransomware trends. Topics discussed in the podcast include attempted cyber attack on joint military exercises, potential breach of Australian Domain Administrator, tech support scam, and cyber threats to space systems. The podcast also covers Russian disinformation campaigns, threatening texts in Ukraine, and the implementation of zero trust in organizations.

Aug 20, 2023 • 7min
Luke Vander Linden: With age comes knowledge. [VP] [Career Notes]
Luke Vander Linden, Vice President of Membership & Marketing from RH-ISAC and host of the RH-ISAC podcast, shares his journey from child model to working in the cyber industry. He discusses his passion for marketing, branching out to different areas, and finding enjoyment in working with individuals who support organizations. Luke wears many hats, working in the podcast business and on the leadership team at RH-ISAC. He advises people to not be afraid to fail and give it a shot. The podcast also emphasizes the importance of transparency, learning from failures, and the impact of their organization on the industry.

Aug 19, 2023 • 23min
Politicians targeted by RomCom. [Research Saturday]
Dmitry Bestuzhev from BlackBerry discusses RomCom Resurfaces, a threat team targeting politicians in Ukraine. They use phishing emails to direct victims to Trojanized software. The group focuses on gathering secrets for geopolitical purposes, rather than financial gain. The podcast explores tactics used by RomCom, including social engineering and typosquatting techniques. It also discusses the use of deceptive domains and implant detection methods.

Aug 18, 2023 • 30min
Phishing for Zimbra credentials. Developments in PlayCrypt and Cuba ransomware. #NoFilter exploitation. Cyber gangs (and some services) threaten security researchers. Anglo-Saxonia update.
Phishing for Zimbra credentials. PlayCrypt ransomware described. The Cuba ransomware group adopts new tools. #NoFilter. Cyber criminals threaten security researchers. Our guest is Kevin Paige from Uptycs with thoughts on the Blackhat conference. Eric Goldstein, Executive Assistant Director at CISA joins us discussing next steps on the Secure by Design journey. And Russian disinformation takes on "Anglo-Saxonia."
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/158
Selected reading.
Mass-spreading campaign targeting Zimbra users (We Live Security)
PlayCrypt Ransomware Group Wreaks Havoc in Campaign Against Managed Service Providers (Adlumin SaaS Security)
Cuba Ransomware Deploys New Tools: Targets Critical Infrastructure Sector in the U.S. and IT Integrator in Latin America (BlackBerry)
NoFilter Attack: Sneaky Privilege Escalation Method Bypasses Windows Security (The Hacker News)
Cyber security researchers become target of criminal hackers (Financial Times)
Britain plotting to assassinate pro-Russian leaders in Africa, says Moscow (The Telegraph)
Ukraine at D+540: Russification and disinformation. (CyberWire)

Aug 17, 2023 • 31min
A seemingly legitimate but actually bogus host for a proxy botnet. PowerShell Gallery vulnerabilities. Cyber incident at Clorox. Scamming would-be beta-testers. Cyber updates from Russia’s hybrid war.
Experts Robert M. Lee and Steve Leeper discuss industry layoffs and mitigating risks with illegal data on networks. Other topics include a proxy botnet with over 400,000 exit nodes, PowerShell Gallery vulnerabilities, a cyber incident at Clorox, and scams targeting mobile beta-testers. Lessons from the Russian cyberattack on Viasat and cyber updates on Starlink are also covered.

Aug 16, 2023 • 31min
China accuses the US of cyberespionage. Backdoors found in NetScaler. Account hijacking campaigns. Raccoon Stealer gets an update. Cryptocurrency recovery scams. Narrative control in the hybrid war.
China accuses the US of installing backdoors in a Wuhan lab. NetScaler backdoors are found. A phishing scam targets executives. LinkedIn sees a surge in account hijacking. Raccoon Stealer gets an update. Cryptocurrency recovery scams. We kick off our new Learning Layer segment with N2K’s Sam Meisenberg. And a Moscow court fines Reddit and Wikipedia, for unwelcome content about Russia's war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/156
Selected reading.
Ministry warns of data security risks after US agencies identified behind cyberattack on Wuhan Earthquake Monitoring Center (Global Times)
China accuses U.S. intelligence agencies as source behind Wuhan cybersecurity attack (ZDNET)
China teases imminent exposé of seismic US spying scheme (Register)
2,000 Citrix NetScaler Instances Backdoored via Recent Vulnerability (SecurityWeek)
Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations (Proofpoint)
LinkedIn Accounts Under Attack (Cyberint)
LinkedIn faces surge of account hijacking (Computing)
LinkedIn accounts hacked in widespread hijacking campaign (BleepingComputer)
Raccoon Stealer malware returns with new stealthier version (BleepingComputer)
FBI warns of increasing cryptocurrency recovery scams (BleepingComputer)
Russia slaps Reddit, Wikipedia with fines (Cybernews)

Aug 15, 2023 • 28min
Investigating China’s Storm-0558. Monti ransomware is back. Evasive phishing. Realtors’ MLS taken down in ransomware incident. News from Russia’s hybrid war. And in-game scams.
New targets of Chinese cyberespionage are uncovered. Monti ransomware is back. An evasive phishing campaign exposed. A Realtors' network taken down by cyberattack. A closer look at NoName057(16). Perspective on cyberwar - remember Pearl Harbor, but don’t see it everywhere. Ben Yelin on the Consumer Financial Protection Bureau’s plans to regulate surveillance tech. Microsoft’s Ann Johnson and Charlie Bell ponder the future of security. And scammers are targeting kids playing Fortnite and Roblox.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/155
Selected reading.
Chinese spies who read State Dept. email also hacked GOP congressman (Washington Post)
Binary Ballet: China’s Espionage Tango with Microsoft (SecurityHQ)
Microsoft Exchange hack to be investigated by US Cyber Safety Board (Computing)
Monti ransomware targets VMware ESXi servers with new Linux locker (BleepingComputer)
Evasive Phishing Campaign Steals Cloud Credentials Using Cloudflare R2 and Turnstile (Netskope)
Cyberattack on Bay area vendor cripples real estate industry (The Real Deal)
Intel insiders go undercover revealing fresh details into NoName hacktivist operations (Cybernews)
Why the US Military Wants You To Rethink the Idea of 'Cyber War' (The Messenger)
A Huge Scam Targeting Kids With Roblox and Fortnite 'Offers' Has Been Hiding in Plain Sight (WIRED)

Aug 14, 2023 • 27min
Attacks on industrial systems in Europe and Africa. LolekHosted arrests. Notes from the hybrid war. The CSRB will investigate the cyberespionage campaign that exploited Microsoft Exchange.
An African power generator has been targeted by ransomware. The APT31 group is believed to be responsible for attacks on industrial systems in Eastern Europe. There have been arrests related to the takedown of LolekHosted. Ukraine's SBU has alleged that Russia's GRU is using specialized malware to attack Starlink. Microsoft has decided not to extend licenses for its products in Russia. Rick Howard opens his toolbox on DDOS. In our Solution Spotlight: Simone Petrella and Camille Stewart Gloster discuss the White House release of its cybersecurity workforce and education strategy. And the Cyber Safety Review Board will be investigating cases of cyberespionage against Exchange.
Watch the full video of Simone and Camille here: Solution Spotlight: Simone Petrella and Camille Stewart Gloster
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/154
Selected reading.
DroxiDat-Cobalt Strike Duo Targets Power Generator Network (Infosecurity Magazine)
New SystemBC Malware Variant Targets Southern African Power Company (The Hacker News)
Power Generator in South Africa hit with DroxiDat and Cobalt Strike (Security Affairs)
Southern African power generator targeted with DroxiDat malware (Record)
Common TTPs of attacks against industrial organizations. Implants for uploading data (Kaspersky ICS CERT)
APT31 Linked to Recent Industrial Attacks in Eastern Europe (Infosecurity Magazine)
Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics (The Hacker News)
LOLEKHosted admin arrested for aiding Netwalker ransomware gang (BleepingComputer)
Russian spy agencies targeting Starlink with custom malware, Ukraine warns (The Telegraph)
Russia Bans iPhones And iPads For Official Use: Report (BW Businessworld)
Microsoft Suspends Extending Licenses For Companies in Russia (RadioFreeEurope/RadioLiberty)
Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (US Department of Homeland Security)
Microsoft Exchange hack is focus of cyber board’s next review (Record)
Microsoft is under scrutiny after a recent attack by suspected Chinese hackers (Windows Central)
The DHS’s CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts (Security Affairs)
Microsoft's role in data breach by Chinese hackers to be part of US cyber inquiry (Firstpost)

Aug 13, 2023 • 10min
Dr. Georgianna Shea: Don't wait to take the initiative. [Technologist] [Career Notes]
Dr. Georgianna Shea, the Chief Technologist at the Transformative Cyber Innovation Lab at the Foundations for Defensive Democracies (FDD), sits down to share her incredible story, moving around to different roles and how that has led her to where she is today. Her careers have taken her to many different states throughout the years, as she has learned and grown into the roles she took on. From Hawaii to D.C., Dr. Shea has done it all. Sharing some advice, Dr. Shea says "My words of wisdom are take advantage of every opportunity and don't wait for anybody. I try to mentor people and I talk to young people a lot, you know, trying to get into the field and, and I see a lot of waiting on other people." She explains that you are able to work on your own to become an expert, and taking that initiative will be the thing to get you to where you want to be. We thank Dr. Georgianna Shea for sharing her story with us.

Aug 12, 2023 • 18min
It's raining credentials. [Research Saturday]
Alex Delamotte from SentinelLabs joins Dave to discuss their work on "Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP." As actors find more ways to profit from compromising services, SentinelLabs finds that cloud service credentials are becoming increasingly targeted. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The research states "These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use."
The research can be found here: Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP


