CyberWire Daily

N2K Networks
Jul 23, 2023 • 31min

Infostealer Malware 101: mitigating risks and strengthening defenses against this insidious threat. [CyberWire-X]

With the relentless advancements in technology and a workforce more digitally enabled than ever before, businesses today face an unprecedented challenge in protecting their sensitive information from cybercriminals. Infostealer malware, often disguised as innocuous files or hidden within legitimate-looking emails, stealthily infiltrates employee and contractor devices, managed and unmanaged, exfiltrating all manner of data for the purpose of executing follow-on attacks, including ransomware. The data at risk includes customer details, financial information, intellectual property, and R&D plans stolen from compromised applications that were accessed using infostealer-exfiltrated authentication data such as credentials and active session cookies/tokens. This episode digs into the proliferation of infostealers and provides actionable steps for businesses of any size or industry to mitigate the threat.

In this episode of CyberWire-X, N2K’s CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Rick Doten to discuss the early days of incident response and the current thinking on post-infection remediation (PIR) actions. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor SpyCloud’s Director of Security Research, Trevor Hilligoss. They discuss the challenges enterprises and security leaders face in identifying what was stolen from malware-infected devices, and how proper post-infection remediation, built into existing incident response workflows, can help prevent that stolen data from leading to ransomware. Trevor shares highlights from an industry report of more than 300 security leaders from North America and the UK on where they stand on malware identification and remediation, and what additional work can be done to minimize cybercriminals' access and impact.

Learn more about your ad choices. Visit megaphone.fm/adchoices
Jul 22, 2023 • 19min

Welcome to New York, it's been waitin' for you. [Research Saturday]

Joshua Miller from Proofpoint joins Dave to discuss findings on "Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware." In mid-May, TA453, also known as Charming Kitten, APT42, Mint Sandstorm, and Yellow Garuda, was found sending a benign conversation lure masquerading as a senior fellow with the Royal United Services Institute (RUSI) to the public media contact for a nuclear security expert at a US-based think tank focused on foreign affairs.

The research states that "the email solicited feedback on a project called “Iran in the Global Security Context” and requested permission to send a draft for review." Proofpoint shares its findings and what you can expect from the threat group.

The research can be found here: Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware
Jul 21, 2023 • 23min

Cyberespionage and developments in the cyber underworld, including an offering in the C2C market. Russian hacktivist auxiliaries stay busy (and so do their masters in the organs).

The Lazarus Group targets developers. Threat actors target the banking sector with fake LinkedIn profiles and open source supply chain attacks. Vulnerabilities reported in OpenMeetings. HTML smuggling is sold in the C2C market. Johannes Ullrich from SANS describes attacks against niche web apps. Our guest is Damir Brecic of Inversion6 discussing the privacy and security concerns of Meta's new Threads app. And Romania's SVR reports a pattern of Russian cyberattacks.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/138

Selected reading.
- GitHub warns of Lazarus hackers targeting devs with malicious projects (BleepingComputer)
- Cyberattack on GitHub customers linked to North Korean hackers, Microsoft says (Record)
- Security alert: social engineering campaign targets technology industry employees (The GitHub Blog)
- First Known Targeted OSS Supply Chain Attacks Against the Banking Sector (Checkmarx)
- A Twist in the Code: OpenMeetings Vulnerabilities through Unexpected Application State (Sonar)
- Fresh Phish: HTML Smuggling Made Easy, Thanks to a New Dark Web Phish Kit (INKY)
- KillNet Showcases New Capabilities While Repeating Older Tactics (Mandiant)
- Pro-Russian hacktivists increase focus on Western targets. The latest is OnlyFans. (CyberScoop)
- Anonymous Sudan DDoS strikes dominate attacks by KillNet collective (SC Media)
- Romanian Intelligence General: All Russian secret services attempted cyber attacks against Romania (ACTMedia)
Jul 20, 2023 • 29min

Malvertising meets SEO poisoning. Fast moving on MOVEit exploit remediation. Ransomware trends. Cyberespionage, sanctions, and influence ops. Ave atque vale Kevin Mitnick.

Sophos analyzes malvertising through purchased Google Ads. The MOVEit vulnerability is remediated faster than most. The DeliveryCheck backdoor is used against Ukrainian targets. SORM is under stress. Ukrainian police roll up another bot farm working in support of Russian influence operations. AJ Nash from ZeroFox provides insights on the White House cybersecurity labeling program. David Moulton from Palo Alto Networks Unit 42 introduces his new segment "Threat Vector." And we bid farewell to Kevin Mitnick.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/137

Selected reading.
- Bad ad fad leads to IcedID, Gozi infections (Sophos News)
- New research reveals rapid remediation of MOVEit Transfer vulnerabilities (Bitsight)
- GRIT Ransomware Report-2023-Q2 (Guidepoint Security)
- Russia’s Turla hackers target Ukraine’s defense with spyware (Record)
- Russian Hackers Probe Ukrainian Defense Sector With Backdoor (Bank Info Security)
- Russia’s vast telecom surveillance system crippled by withdrawal of Western tech, report says (Record)
- Ukraine’s cyber police dismantled a massive bot farm spreading propaganda (Security Affairs)
- Kevin David Mitnick, August 6, 1963 - July 16, 2023. (Dignity Memorial)
Jul 19, 2023 • 29min

Patches and exploits. Watching threats develop in the dark web. Spyware vendors added to the US Entity List. WhatsApp risk. And notes from the hybrid war.

Vulnerabilities are identified and patched in Citrix Netscaler products and Adobe Coldfusion. The banking sector should be monitoring the dark web for leaked credentials and insider threats. Spyware vendors are added to the US Entity List. WhatsApp accounts may be at risk. Verizon’s Chris Novak shares insights on Log4j from this year’s DBIR. Our guest is Candid Wüest of Acronis discussing the findings of their Year-end Cyberthreats Report. Skirmishes in the cyber phases of Russia's war. And how do you demobilize cyber forces (especially the auxiliaries) once the war is over?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/136

Selected reading.
- Exploited 0-days, an incomplete fix, and a botched disclosure: Infosec snafu reigns
- New critical Citrix ADC and Gateway flaw exploited as zero-day (BleepingComputer)
- Citrix alerts users to critical vulnerability in Citrix ADC and Gateway (Computing)
- Adobe, Microsoft and Citrix vulnerabilities draw warnings from CISA (Record)
- Active Exploitation of Multiple Adobe ColdFusion Vulnerabilities (Rapid7)
- Dark Web Threats Against The Banking Sector (Searchlight Cyber)
- WhatsApp Remote Deactivation Warning For 2 Billion Users (Forbes)
- The United States Adds Foreign Companies to Entity List for Malicious Cyber Activities (United States Department of State)
- Commerce Adds Four Entities to Entity List for Trafficking in Cyber Exploits (Bureau of Industry and Security)
- Russian hackers may be behind 'DDoS' attack on NZ Parliament website (Stuff)
- Russian medical lab suspends some services after ransomware attack (Record)
- If you want peace, prepare for… cyberwar (Friends of Europe)
Jul 18, 2023 • 30min

Some guidance from the US government (including device security labels). Supply chain security. Developments in the cyber underworld (including a gang with some perverse integrity).

The US Federal government issues voluntary security guidelines. Possible privilege escalation within Google Cloud. An APT compromises JumpCloud. FIN8 reworks its Sardonic backdoor and continues its shift to ransomware. Ben Yelin looks at privacy legislation coming out of Massachusetts. Our guest is Alastair Parr of Prevalent discussing GDPR and third party risk. And some noteworthy Russian cyber crime: they don’t seem to be serving any political masters; they just want to get paid.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/135

Selected reading.
- Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers (The White House)
- The Biden administration announces a cybersecurity labeling program for smart devices (AP News)
- CISA Develops Factsheet for Free Tools for Cloud Environments (Cybersecurity and Infrastructure Security Agency CISA)
- Free Tools for Cloud Environments (CISA)
- NSA, CISA Release Guidance on Security Considerations for 5G Network Slicing (Cybersecurity and Infrastructure Security Agency CISA)
- ESF Members NSA and CISA Publish Second Industry Paper on 5G Network Slicing (National Security Agency/Central Security Service)
- Bad.Build: A Critical Privilege Escalation Design Flaw in Google Cloud Build Enables a Supply Chain Attack (Orca Security)
- Orca: Google Cloud design flaw enables supply chain attacks (TechTarget)
- Google fixes ‘Bad.Build’ vulnerability affecting Cloud Build service (Record)
- JumpCloud discloses breach by state-backed APT hacking group (BleepingComputer)
- JumpCloud: A 'state-sponsored threat actor' compromised our systems (Computing)
- JumpCloud says nation-state hackers breached its systems (TechCrunch)
- JumpCloud, an IT firm serving 200,000 orgs, says it was hacked by nation-state (Ars Technica)
- [Security Update] Incident Details (JumpCloud)
- July 2023 Incident Indicators of Compromise (IoCs) (JumpCloud)
- FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware (Symantec by Broadcom)
- RedCurl hackers return to spy on 'major Russian bank,' Australian company (Record)
Jul 17, 2023 • 25min

Developments in the C2C market. Cyberespionage against Westminster. Notes from Russia’s hybrid war. And don’t take that typo to Timbuktu.

WormGPT is a new AI threat. TeamTNT seems to be back. Chinese intelligence services actively pursue British MPs. Gamaredon's quick info theft. Russia’s FSB bans Apple devices. The troll farmers of the Internet Research Agency may not yet be down for the count. Anonymous Sudan claims a "demonstration" attack against PayPal, with more to come. Carole Theriault looks at popular email lures. My conversation with N2K president Simone Petrella on the White House’s National Cybersecurity Strategy Implementation Plan. And, friends, don’t take this typo to Timbuktu.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/134

Selected reading.
- WormGPT, an "ethics-free" text generator. (CyberWire)
- TeamTNT (or someone a lot like them) may be preparing a major campaign. (CyberWire)
- Chinese government hackers ‘frequently’ targeting MPs, warns new report (Record)
- Gamaredon hackers start stealing data 30 minutes after a breach (BleepingComputer)
- Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise (Security Affairs)
- Armageddon in Ukraine – how one Russia-backed hacking group operates (CyberSecurity Connect)
- Russian hacking group Armageddon increasingly targets Ukrainian state services (Record)
- Russia bans officials from using iPhones in U.S. spying row (Apple Insider)
- Prigozhin's Media Companies May Resume Work As Mutiny Fallout Dissipates, FT Reports (Radio Free Europe | Radio Liberty)
- Anonymous Sudan claims it hit PayPal with 'warning' DDoS cyberattack (Tech Monitor)
- Typo leaks millions of US military emails to Mali web operator (Financial Times)
Jul 16, 2023 • 8min

Jennifer Addie: Finding creative solutions. [COO] [Career Notes]

Jennifer Addie, COO and CWO at VentureScope and MACH37 Cyber Accelerator, sits down to share her incredible story of bringing creativity into the cyber community. Growing up, Jennifer always loved the human side of things, and learning that she had a knack for computers helped her realize what kind of field she wanted to pursue as an adult. She worked jobs in programming, database administration, and product development, and it was in the design of those products that security emerged as a critical need in her thinking. She shares how she likes to relate on a personal level to the people she works with, always wondering where people came from and why they are passionate, which makes her a very interactive leader. Jennifer also says she believes that bringing creativity into the field is what helps her solve any kind of problem best, stating "I absolutely agree with the idea that, that creativity is far more than artistic capability. It is very much centered on problem solving and in fact, the master's degree that I received in creativity focuses on creative problem solving as a process." We thank Jennifer for sharing her story with us.
Jul 15, 2023 • 17min

SCARLETEEL zaps back again. [Research Saturday]

Michael Clark from Sysdig joins Dave to discuss their research on SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto. New research from Sysdig threat researchers found that the group continues to thrive with improved tactics. Most recently, they gained access to AWS Fargate, a more sophisticated environment to breach, thanks to their upgraded attack tools.

The research states "In their most recent activities, we saw a similar strategy to what was reported in the previous blog: compromise AWS accounts through exploiting vulnerable compute services, gain persistence, and attempt to make money using cryptominers." Had Sysdig not thwarted SCARLETEEL's attack, they estimated the group would have mined $4,000 per day until it was stopped.

The research can be found here: SCARLETEEL 2.0: Fargate, Kubernetes, and Crypto
Jul 14, 2023 • 31min

Update on Chinese cyberespionage incident. ICS vulnerabilities. USB attacks. New KEVs. Updates from Russia's hybrid war, as hacktivists swap DDoS attacks and observers draw lessons learned.

Developments in the case of China's cyberespionage against government Exchange users. Industrial controller vulnerabilities pose a risk to critical infrastructure. USB attacks have risen three-fold in the first half of 2023. CISA adds two vulnerabilities to its Known Exploited Vulnerabilities Catalog. Ghostwriter's continued activity focuses on Poland and Ukraine. Hacktivist auxiliaries swap DDoS attacks. Awais Rashid from University of Bristol shares insights on threat modeling. Our guest is Chris Cochran from Huntress on the challenges small and medium sized businesses face with cyber security. And lessons learned from cyber warfare in Russia's war.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/133

Selected reading.
- UK says it's working with Microsoft to understand impact of Chinese email hack (Reuters)
- What we know (and don’t know) about the government email breach (Washington Post)
- Yet Another MS CVE: Don’t Get Caught In The Storm! (Cynet)
- China Hacking Was Undetectable for Some Who Had Less Expensive Microsoft Services (Wall Street Journal)
- Security flaws in Honeywell devices could be used to disrupt critical industries (TechCrunch)
- APT Exploit Targeting Rockwell Automation Flaws Threatens Critical Infrastructure (SecurityWeek)
- Rockwell Automation ControlLogix Bugs Expose Industrial Systems to Remote Attacks (The Hacker News)
- USB drive malware attacks spiking again in first half of 2023 (BleepingComputer)
- CISA Adds Two Known Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)
- Malicious campaigns target government, military and civilian entities in Ukraine, Poland (Cisco Talos Blog)
- Belarus-linked hacks on Ukraine, Poland began at least a year ago, report says (Record)
- Crowdsourced Cyber Warfare: Russia and Ukraine Launch Fresh DDoS Offensives (CEPA)
- Cyber Operations during the Russo-Ukrainian War (CSIS)