CyberWire Daily

N2K Networks
Aug 1, 2023 • 29min

Cyberespionage tradecraft, including shopping in the C2C market. Seeking satcom resilience. Sanctions against disinformation. A quick look at current OT threats.

C2-as-a-service with APTs as the customers. Cyberespionage activity by Indian APTs. Gamers under attack. Starlink limits Ukrainian access to its systems. The EU levies new sanctions against “digital information manipulation.” Ukraine's Security Service takes down money-laundering exchanges. Ben Yelin unpacks fediverse security risks. Our guests are Mike Marty, CEO of The Retired Investigators Guild, and Tom Brennan, executive director of CREST, discussing their efforts on cybercrime investigation and cold case resolution. And Nozomi's OT & IoT security report sees a lot of opportunistic, low-grade whacking at industrial organizations.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/145

Selected reading.
Cloudzy with a Chance of Ransomware: Unmasking Command-and-Control Providers (C2Ps) (Halcyon)
APT Bahamut Targets Individuals with Android Malware Using Spear Messaging (CYFIRMA)
Hackers steal Signal, WhatsApp user data with fake Android chat app (BleepingComputer)
Patchwork Hackers Target Chinese Research Organizations Using EyeShell Backdoor (The Hacker News)
Hackers exploit BleedingPipe RCE to target Minecraft servers, players (BleepingComputer)
Call of Duty Self-Spreading Worm Takes Aim at Player Lobbies (Dark Reading)
Call of Duty worm malware used to hack players exploits years-old bug (TechCrunch)
Elon Musk 'refuses to turn on Starlink' for Crimea drone attack (The Telegraph)
How Elon Musk Was Able to Exert Control in Ukraine War (The Street)
EU strikes Russia again as digital infowar rages on (Cybernews)
Ukraine Cracks Down on Illicit Financing Network (Gov Info Security)
Unpacking the OT & IoT Threat Landscape with Unique Telemetry Data (Nozomi Networks)
China's Volt Typhoon APT Burrows Deeper Into US Critical Infrastructure (Dark Reading)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Jul 31, 2023 • 27min

The US has a new cyber workforce and education strategy. US hunts disruptive Chinese malware staged in US networks. Malware warnings, and an update on Russia’s hybrid war.

The US issues a National Cyber Workforce and Education Strategy. Hunting Chinese malware staged in US networks. CISA warns of a Barracuda backdoor. WikiLoader malware is discovered. P2Pinfect is a malware botnet targeting publicly accessible Redis servers. Johannes Ullrich from SANS describes attacks against YouTube content creators. Rick Howard previews his conversation with AWS CISO CJ Moses. And Russia’s SVR continues cyberespionage against Ukrainian and European diplomatic services.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/144

Selected reading.
FACT SHEET: Biden-Harris Administration Announces National Cyber Workforce and Education Strategy, Unleashing America’s Cyber Talent (The White House)
National Cyber Workforce and Education Strategy: Unleashing America’s Cyber Talent (The White House)
The White House releases the US National Cyber Workforce and Education Strategy. (CyberWire)
US hunts Chinese malware staged to interfere with US military operations. (CyberWire)
U.S. Hunts Chinese Malware That Could Disrupt American Military Operations (New York Times)
CISA Releases Malware Analysis Reports on Barracuda Backdoors (Cybersecurity and Infrastructure Security Agency CISA)
CISA: New Submarine malware found on hacked Barracuda ESG appliances (BleepingComputer)
Out of the Sandbox: WikiLoader Digs Sophisticated Evasion (Proofpoint)
Cado Security Labs Encounter Novel Malware, Redis P2Pinfect (Cado Security)
P2PInfect: The Rusty Peer-to-Peer Self-Replicating Worm (Unit 42)
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future)
BlueBravo Adapts to Target Diplomatic Entities with GraphicalProton Malware (Recorded Future Insikt Group)
BlueBravo Deploys GraphicalProton Backdoor Against European Diplomatic Entities (The Hacker News)

Jul 30, 2023 • 7min

Morgan Adamski: Seeing around corners. [Collaboration] [Career Notes]

Morgan Adamski from the National Security Agency (NSA) sits down to talk about her path into cybersecurity. Remembering back to when she was a kid, she recalls using old technology to chat with friends online; that's where it all began for Morgan. She shares how in high school she fell in love with the concept of debating and being on a team. During her high school career, 9/11 occurred, and she became fascinated with who was behind the biggest attack America had seen in the 21st century, driving her to pursue a degree in National Security. Coming out of college, she got a job at the DIA; after working there for two years, she found herself at the NSA, where she is now. Morgan shares how her leadership style helps her not only connect dots on problems but also see around corners, saying "it's not just about connecting the dots, it's about seeing around the corners and so that helps me better predict, um, how do I build an organization that's successful three to five years down the road." We thank Morgan for sharing her story with us.

Jul 29, 2023 • 20min

Phishing for leeches. [Research Saturday]

Ashlee Benge from ReversingLabs discusses their research titled "Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks." Researchers recently discovered over a dozen malicious packages published to the npm open source repository. These packages target Microsoft 365 users and appear to target application end users while also supporting email phishing campaigns.

The research indicates that the malicious campaign encompassed more than a dozen files designed to steal sensitive user credentials. The research states "This most recent campaign caught our attention because of a number of features and characteristics in related npm packages that correlate with malicious intent."

The research can be found here:
Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks

Jul 28, 2023 • 31min

A new joint advisory from the US and Australia. BackConnect evolution. Cl0p counts coup. Ransomware trends. DDoS for influence. It’s “dot-mil,” Nigel.

A joint warning on IDOR vulnerabilities. IcedID’s BackConnect protocol evolves over one year. Cl0p claims to have accessed data from another Big Four accounting firm. Ransomware victims increased significantly in 2023. Cyberattacks support influence operations. Deputy National Security Advisor for Cyber and Emerging Technology Anne Neuberger joins us to discuss the Biden Administration's recent cyber initiatives. Eric Goldstein, Executive Assistant Director at CISA, looks at cybersecurity performance goals. And spelling counts.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/143

Selected reading.
Preventing Web Application Access Control Abuse (Joint Cybersecurity Advisory: ACSC, NSA, CISA)
Inside the IcedID BackConnect Protocol (Part 2) (Team Cymru)
Deloitte denies Cl0p data breach impacted client data in wake of MOVEit attack (ITPro)
Ransomware Report: Q2 2023 (ReliaQuest)
Kenya ICT minister admits cyber-attack on eCitizen portal, insists data secure (The East African)
Anonymous Sudan: the group behind recent anti-Kenya cyberattacks (TechCabal)
Kenya President Ruto to skip Russia-Africa Summit (The East African)
UK accidentally sent military emails meant for US to Russian ally (POLITICO)

Jul 27, 2023 • 29min

Mirai hits the honeypots. Medical device telemetry attacked. More on infostealers in the C2C market. Third-party risk management practices. Cyber skills gaps in the UK. SiegedSec hits NATO sites.

The Mirai botnet afflicts Tomcat. CardioComm services are downed by a cyberattack. Uptycs calls infostealers “organization killers” as related security incidents double in a year. Legacy third-party risk management practices meet with dissatisfaction. Cyber skill gaps are reported in the UK's workforce. Our guest is George Prichici of OPSWAT with a look at a Microsoft Teams vulnerability. Our new Threat Vector segment features a conversation with David Moulton and Michael Sikorski on the potential threats from LLMs and AI. And SiegedSec hits NATO sites.

On this first segment of Threat Vector, Michael "Siko" Sikorski, CTO & VP of Engineering for Unit 42, joins host David Moulton to discuss LLMs & AI and the impacts to expect on social engineering, phishing, and more.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/142

Threat Vector links.
Palo Alto Networks Unit 42

Selected reading.
Tomcat Under Attack: Exploring Mirai Malware and Beyond (Aquasec)
CardioComm, a provider of ECG monitoring devices, confirms cyberattack downed its services (TechCrunch)
Detecting the Silent Threat: 'Stealers are Organization Killers' (Uptycs)
Cyber security skills in the UK labour market 2023 (DSIT)
NATO investigates alleged data theft by SiegedSec hackers (BleepingComputer)
NATO investigating apparent breach of unclassified information sharing platform (CyberScoop)
SiegedSec Compromise NATO (Cyberint)

Jul 26, 2023 • 27min

A malign AI tool: FraudGPT. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. And a kinetic strike against a cyber target.

FraudGPT is a chatbot with malign intent. Stealer logs in the C2C market. Signs in the blockchain that some Conti alumni are working with the Akira gang. Tim Starks from the Washington Post's Cybersecurity 202 on the White House’s new National Cyber Director nominee. Maria Varmazis speaks with David Luber, Deputy Director of NSA's Cybersecurity Directorate, on space systems as critical infrastructure. And a kinetic strike against a cyber target: Ukrainian drones may have hit Fancy Bear’s Moscow digs.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/141

Selected reading.
FraudGPT: The Villain Avatar of ChatGPT (Netenrich)
Stealer Logs & Corporate Access (Flare)
Over 400,000 corporate credentials stolen by info-stealing malware (BleepingComputer)
The Alarming Rise of Infostealers: How to Detect this Silent Threat (The Hacker News)
Conti and Akira: Chained Together (Arctic Wolf)
Ukraine-Russia war: Ukraine vows further drone strikes on Moscow and Crimea (The Telegraph)

Jul 25, 2023 • 26min

Norway continues to investigate a cyberattack. The view from Russia. Trends in data breaches, ransom payments, and security self-perception. Apple patches iOS.

A zero-day attack of undetermined origin targets government offices in Norway. Russia accuses the US of cyber aggression. Data breaches exact a rising cost. 74% of survey respondents say their company would pay a ransom to recover stolen or encrypted data. Executives and security teams differ in their perception of cyber threat readiness. Mr. Security Answer Person John Pescatore looks at risk metrics. Joe Carrigan on a new dark market AI tool called WormGPT. And Apple issues urgent patches.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/140

Selected reading.
Norway says Ivanti zero-day was used to hack govt IT systems (BleepingComputer)
Norway investigates cyberattack affecting 12 government ministries (Record)
Norwegian government IT systems hacked using zero-day flaw (BleepingComputer)
Putin ally accuses US of planning cyberattacks on Russian critical infrastructure (Al Arabiya English)
Cost of a Data Breach Report 2023 (IBM Security)
Ransom Monetization Rates Fall to Record Low Despite Jump In Average Ransom Payments (Coveware)
2023 Cyber Threat Readiness Report (Swimlane)
Apple Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)
Apple fixes 16 security flaws with iOS 16.6, two actively exploited (9to5Mac)
Apple Rolls Out Urgent Patches for Zero-Day Flaws Impacting iPhones, iPads and Macs (The Hacker News)
Apple fixes new zero-day used in attacks against iPhones, Macs (BleepingComputer)
iOS 16.6: Apple Suddenly Releases Key iPhone Update With Urgent Fixes (Forbes)

Jul 24, 2023 • 25min

DPRK’s RGB shows improved targeting and tool-sharing. Cl0p updates. Two new RATs. Weak radio encryption standard. Razzlekhan will cop a plea.

North Korea's increasingly supple cyber offensives. A look at Cl0p. The NetSupport RAT's fake update vectors. HotRat is a Trojan that accompanies pirated software and games. A crackable radio encryption standard: a bug or a feature? Chris Novak from Verizon discusses ransomware through the lens of the DBIR. Carole Theriault describes a ransomware attack that hit close to home. And an alleged money-laundering crypto-rapper is back in the news.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/139

Selected reading.
North Korea Leverages SaaS Provider in a Targeted Supply Chain Attack (Mandiant)
Ransomware Roundup - Cl0p (Fortinet Blog)
FakeSG enters the 'FakeUpdates' arena to deliver NetSupport RAT (Malwarebytes)
Researchers Find ‘Backdoor’ in Encrypted Police and Military Radios (Vice)
Unmasking HotRat: The hidden dangers in your software downloads (Avast)
Crypto rapper 'Razzlekhan,' husband reach plea deal over Bitfinex hack laundering (Reuters)

Jul 23, 2023 • 9min

Don Welch: Being a good leader. [CIO] [Career Notes]

Don Welch, Chief Information Officer at New York University, sits down to share his exciting start in his cyber career. Like many other people who started in this industry, Don went into the military, which is where it all started for him. He was told he needed to take two specialties, and so along with mechanical engineering, he decided to go into computer science as well. After completing both specialties, he decided to leave the Army and go into the civilian world, where he took a couple of jobs in cyber. He landed jobs at several prestigious universities, including Penn State University, the University of Michigan, and now New York University. He shares that being a good leader will take you far in life, saying "I will say that if you are a great leader, ultimately, you sit in your office and do nothing because you have developed your team and empowered them, and they're making all the decisions, everything runs like clockwork and you have nothing to do." We thank Don for sharing his story with us.
