CyberWire Daily

N2K Networks
Jul 13, 2023 • 32min

Taking steps to stop a Chinese APT. Implementing the US National Cybersecurity Strategy. LokiBot is back. Malware masquerading as a proof-of-concept. Swapping cyber ops in a hybrid war.

CISA and the FBI issue a joint Cybersecurity Advisory on exploitation of Microsoft Exchange Online. Implementing the US National Cybersecurity Strategy. FortiGuard discovers a new LokiBot campaign. Training code turns out to be malicious in a new proof-of-concept attack discovered on GitHub. Russia resumes its pursuit of a "sovereign Internet." The GRU's offensive cyber tactics. Chris Novak from Verizon discusses business email compromise and the 2023 DBIR. Our guest is Joy Beland of Summit 7 on the role of Managed Service Providers in the supply chain to the Defense Industrial Base. And a probable Ukrainian false-flag operation.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/132

Selected reading.
CISA and FBI Release Cybersecurity Advisory on Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (Cybersecurity and Infrastructure Security Agency CISA)
Enhanced Monitoring to Detect APT Activity Targeting Outlook Online (Cybersecurity and Infrastructure Security Agency CISA)
How a Cloud Flaw Gave Chinese Spies a Key to Microsoft's Kingdom (WIRED)
Chinese hackers breached U.S. and European government email through Microsoft bug (Record)
FACT SHEET: Biden-Harris Administration Publishes the National Cybersecurity Strategy Implementation Plan | The White House (The White House)
National Cybersecurity Strategy Implementation Plan (White House)
LokiBot Campaign Targets Microsoft Office Document Using Vulnerabilities and Macros (Fortinet Blog)
New PoC Exploit Found: Fake Proof of Concept with Backdoor Malware (Uptycs)
Russia Is Trying to Leave the Internet and Build Its Own (Scientific American)
The GRU's Disruptive Playbook (Mandiant)
Hack Blamed on Wagner Group Had Another Culprit, Experts Say (Bloomberg)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Jul 12, 2023 • 33min

Cyberespionage and used car salesmen. Email extortion through embarrassment, not encryption. The personal is the professional. And a look back at Patch Tuesday.

A Chinese threat actor hits US organizations with a Microsoft cloud exploit. Open source tools allow threat actors to exploit a loophole in Microsoft's kernel driver authentication procedures. A RomCom update. Beamer phishbait, email extortion attacks and digital blackmail. A new report concludes companies allowing personal employee devices onto their network are opening themselves to attack. Tim Starks from the Washington Post looks at Microsoft's recent woes. Our guest is Eyal Benishti from IRONSCALES with insights on business email compromise. And a July Patch Tuesday retrospective.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/131

Selected reading.
Mitigation for China-Based Threat Actor Activity (Microsoft On the Issues)
Microsoft mitigates China-based threat actor Storm-0558 targeting of customer email (Microsoft Security Response Center)
Chinese hackers breach U.S. government email through Microsoft cloud (Washington Post)
U.S. Government Emails Hacked in Suspected Chinese Espionage Campaign (Wall Street Journal)
Old certificate, new signature: Open-source tools forge signature timestamps on Windows drivers (Cisco Talos Blog)
Storm-0978 attacks reveal financial and espionage motives (Microsoft Security)
Microsoft: Unpatched Office zero-day exploited in NATO summit attacks (BleepingComputer)
Diplomats Beware: Cloaked Ursa Phishing With a Twist (Unit 42)
Russian hackers lured embassy workers in Ukraine with ad for a cheap BMW (Reuters)
Threat spotlight: Extortion attacks (Barracuda)
The SpyCloud Malware Readiness And Defense Report (SpyCloud)
July 2023 Security Updates (Security Update Guide - Microsoft Security Response Center)
Microsoft Releases July 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA)
Microsoft July 2023 Patch Tuesday warns of 6 zero-days, 132 flaws (BleepingComputer)
Fortinet Releases Security Update for FortiOS and FortiProxy (Cybersecurity and Infrastructure Security Agency CISA)
Adobe Releases Security Updates for ColdFusion and InDesign (Cybersecurity and Infrastructure Security Agency CISA)
Apple's Rapid Security Response Patches Causing Website Access Issues (SecurityWeek)
SAP Security Patch Day – July 2023 (SAP)
Return of the ICMAD Critical Vulnerabilities in 2023 (Onapsis)
Jul 11, 2023 • 27min

Collective defense in cyberspace. Notes on gangs, privateers, and hacktivist auxiliaries. Amazon Prime Day is now a commercial holiday (like Black Friday): crooks have noticed–stay safe.

NATO considers Article 5 in cyberspace, while cyberattacks conducted in the Russian interest target the NATO summit. Anonymous Sudan remains a nuisance-level irritant. Cl0p's surprising use of MOVEit exploits. Asylum Ambuscade is a case study in privateering. There are reports of a breach at Razer. An indictment in a cyber incident at a California water treatment facility. Genesis Market's fire sale. Carole Theriault on the data Amazon customers provide, with some suggestions on curbing it. Our guest is Dmitry Bestuzhev, senior director in Cyber Threat Intelligence for BlackBerry. And Amazon Prime Day is upon us: the crooks have noticed.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/130

Selected reading.
A Cybersecurity Wish List Ahead of NATO Summit (SecurityWeek)
NATO's Christian-Marc Lifländer on how the alliance can take a 'proactive' cyber stance (Record)
Ukraine has set the standard on software power (POLITICO)
RomCom Threat Actor Suspected of Targeting Ukraine's NATO Membership Talks at the NATO Summit (BlackBerry)
Threat group testing more sophisticated DDoS hacks, authorities warn (Cybersecurity Dive)
Move It on Over: Reflecting on the MOVEit Exploitation (Huntress)
Cl0p has yet to deploy ransomware while exploiting MOVEit zero-day (SC Media)
Asylum Ambuscade: crimeware or cyberespionage? (WeLiveSecurity)
Crimeware Group Asylum Ambuscade Ventures Into Cyber-Espionage (Infosecurity Magazine)
Razer investigates data breach claims, resets user sessions (BleepingComputer)
Razer Data Breach: Alleged Database and Backend Access Sold for $100k (HackRead)
Alleged Razer data breach: Hacker demands US$100K in crypto in exchange for stolen data (Vulcan Post)
Razer gets pwned as hackers steal source code (Cyber Security Connect)
Razer Cyber Attack: Gaming Hardware Giant Faces Data Breach (The Cyber Express)
Amazon Prime Day: Buyers Beware of Phishing Campaigns Targeting Online Shoppers (Veriti)
Tracy Resident Charged With Computer Attack On Discovery Bay Water Treatment Facility (US Attorney for the Northern District of California)
Tracy man indicted for illegally accessing water treatment network (CBS News)
Technician Indicted for Hacking California Water Treatment Facility (HackRead)
Tracy Man Charged With Computer Attack On Discovery Bay Water Treatment Facility (Contra Costa News)
Genesis Market gang tries to sell platform after FBI disruption (Record)
Jul 10, 2023 • 31min

New phishing campaigns hit Microsoft 365 and Adobe users. Big Head ransomware. Multichain bridge compromised. CISA adds a KEV. Progress patches MOVEit. Telegram's role in Russia's war.

New phishing campaigns afflict users of Microsoft 365 and Adobe. An analysis of Big Head ransomware. Multichain reports a crypto heist with over $100 million stolen. CISA makes an addition to the Known Exploited Vulnerabilities Catalog. Progress Software issues additional MOVEit patches. The FBI's Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with examples of the agency's technical disruption operations. Our guest is Scott Piper, Principal Cloud Security Researcher at Wiz, sharing findings of their State of the Cloud 2023 report. And Telegram's role in news about Russia's war.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/129

Selected reading.
M365 Phishing Email Analysis – eevilcorp (Vade Secure)
New Phishing Attack Spoofs Microsoft 365 Authentication System (HackRead)
Tailing Big Head Ransomware's Variants, Tactics, and Impact (Trend Micro)
New 'Big Head' ransomware displays fake Windows update alert (BleepingComputer)
Unfolding Cybersecurity Crisis: Aptos Network and Multichain Face Cyber-Attacks (CryptoMode)
More than $125 million taken from crypto platform Multichain (Record)
Exploit of Fantom, Moonriver and Dogechain Crypto Bridges Confirmed by Multichain Team (CoinDesk)
CISA Adds One Known Vulnerability to Catalog (CISA)
Google patches 43 Android Vulnerabilities Including 3 actively exploited zero-days (Cyber Security News)
Progress Software Releases Service Pack for MOVEit Transfer Vulnerabilities (CISA)
After Zero-Day Attacks, MOVEit Turns to Security Service Packs (SecurityWeek)
Killnet as a private military hacking company? For now, it's probably just a dream (Record)
Telegram has become a window into war (The Verge)
Jul 9, 2023 • 10min

Eric Tillman: A creative way into cyber. [Intelligence] [Career Notes]

Eric Tillman, Chief Intelligence Officer at N2K Networks, sits down and shares his incredibly creative journey. Eric loved being creative from a young age. When he started to think about a career, he wanted to incorporate his love of creativity into his love for tech and turn it into an intelligence career. Eric started by joining the Navy, which set him on the path to work in cyber, where he shared his talents with several big companies, including Booz Allen Hamilton, Lockheed Martin, and Okta, eventually ending up at our very own N2K Networks. Eric shares the advice that there is something for everyone in this field, and even though he wanted to start his journey in a creative way, he found that combining his love for tech and art helped him pave the way to where he is now.

He says: "A lot of people get here from a very technical background and um, it really almost doesn't matter um, where you came from, there is something in cybersecurity that takes advantage of the skills that you bring to the table and, um, either way, there's plenty of room here for everyone."

We thank Eric for sharing his story with us.
Jul 9, 2023 • 33min

Moez Kamel and the cybersecurity ecosystem for New Space. [T-Minus Deep Space]

Moez Kamel, Threat Management Specialist at IBM Security, joins us on T-Minus Deep Space for a special edition all about the cybersecurity ecosystem in the New Space industry.

You can follow Moez on LinkedIn and his work at IBM's Security Intelligence blog.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign up for our weekly intelligence roundup, Signals and Space, and you'll never miss a beat. And be sure to follow T-Minus on Twitter and LinkedIn.

Selected Reading
Cybersecurity in the Next-Generation Space Age, Pt. 1: Introduction to New Space
Cybersecurity in the Next-Generation Space Age, Pt. 2: Cybersecurity Threats in the New Space
Cybersecurity in the Next-Generation Space Age, Pt. 3: Securing the New Space
Cybersecurity in the Next-Generation Space Age, Pt. 4: New Space Future Development and Challenges

Audience Survey
We want to hear from you! Please complete our 4 question survey. It'll help us get better and deliver you the most mission-critical space intel every day.

Want to hear your company in the show?
You too can reach the most influential leaders and operators in the industry. Here's our media kit. Contact us at space@n2k.com to request more info.

Want to join us for an interview?
Please send your pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal.

T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Jul 8, 2023 • 17min

Creating PANDA-monium. [Research Saturday]

Thomas Etheridge from CrowdStrike sits down to discuss their work on "Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft." In May of 2023, industry and government sources detailed China-nexus activity in which the threat actor dubbed Volt Typhoon targeted U.S.-based critical infrastructure entities. CrowdStrike's Intelligence team tracks this actor as VANGUARD PANDA. With CISA's advisory on VANGUARD PANDA and its link to Chinese adversaries who are increasingly targeting US businesses and critical infrastructure, CrowdStrike's blog dives deeper into the risks of VANGUARD PANDA.

The research says: "One specific VANGUARD PANDA incident stands out to review in detail. Falcon Complete responded to a detection that was triggered by suspicious reconnaissance commands executed under an Apache Tomcat web server running ManageEngine ADSelfService Plus."

The research can be found here: Business as Usual: Falcon Complete MDR Thwarts Novel VANGUARD PANDA (Volt Typhoon) Tradecraft
Jul 7, 2023 • 30min

Joint advisory warns of Truebot. Operation Brainleeches in the supply chain. API key reset at JumpCloud. More MOVEit vulnerability exploitation.

US and Canadian agencies warn of Truebot. A look at "Operation Brainleeches." JumpCloud resets API keys. An update on the MOVEit vulnerability exploitation. Andrea Little Limbago from Interos shares insights on rising geopolitical instability. Our guest is Mike Hamilton from Critical Insight discussing what you need to know about NIST 2.0. OSCE trains Ukrainian students in cybersecurity.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/128

Selected reading.
CISA and Partners Release Joint Cybersecurity Advisory on Newly Identified Truebot Malware Variants (Cybersecurity and Infrastructure Security Agency CISA)
Increased Truebot Activity Infects U.S. and Canada Based Networks | CISA (Cybersecurity and Infrastructure Security Agency CISA)
Operation Brainleeches: Malicious npm packages fuel supply chain and phishing attacks (ReversingLabs)
Mandatory JumpCloud API Key Rotation (JumpCloud)
JumpCloud resets admin API keys amid 'ongoing incident' (BleepingComputer)
JumpCloud Says All API Keys Invalidated to Protect Customers (SecurityWeek)
More organizations confirm MOVEit-related breaches as hackers claim to publish stolen data (TechCrunch)
Important information about MOVEit Transfer cyber security incident | Shell Global (Shell Global)
Shell Confirms MOVEit-Related Breach After Ransomware Group Leaks Data (SecurityWeek)
OSCE helps future generation of Ukraine's law enforcers and emergency personnel build skills for safe work in cyberspace (OSCE)
Jul 6, 2023 • 27min

The Port of Nagoya continues its recovery from ransomware. Charming Kitten ups its game. Spyware in the Play store. Risks to electrical infrastructure. And a quick update on hacktivist auxiliaries.

LockBit 3.0 claims responsibility for the Nagoya ransomware attack. A Charming Kitten sighting. Spyware-infested apps found in Google Play. Threats and risks to electric vehicle charging stations. Solar panels and cyberattacks. Dave Bittner speaks with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, about CISA's effort to get companies to build safety into tech products. Rick Howard sits down with Clarke Rodgers of AWS to discuss the mechanics of CISO roundtables. And hacktivist auxiliaries remain active in Russia's hybrid war.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/127

Selected reading.
Pro-Russian hackers target Port of Nagoya, disrupting loading of Toyota parts (The Japan Times)
Port of Nagoya resumes operations later than planned after Russian hack (The Japan Times)
Ransomware Halts Operations at Japan's Port of Nagoya (Dark Reading)
Nagoya Port Faces Disruption After Ransomware Attack (Infosecurity Magazine)
Welcome to New York: Exploring TA453's Foray into LNKs and Mac Malware | Proofpoint US (Proofpoint)
Two spyware tied with China found hiding on the Google Play Store (Pradeo)
EV Charger Hacking Poses a 'Catastrophic' Risk (WIRED)
Exploited Solar Power Product Vulnerability Could Expose Energy Organizations to Attacks (SecurityWeek)
The Continued Expansion of Cyber Incidents by Non-State Actors in the War in Europe (OODA Loop)
Russian railway site allegedly taken down by Ukrainian hackers (Record)
Jul 5, 2023 • 25min

Cyberespionage, extortion, and DDoS as instruments of state policy. Ransomware continues to trouble a wide range of targets across many sectors.

Chinese cyberespionage campaign against European governments. The Port of Nagoya closes over a ransomware attack. BlackCat and SEO poisoning. LockBit seeks to extort a semiconductor manufacturer. Professionals in the cyber underworld. CISA issues a DDoS alert for US companies and government agencies. Microsoft debunks claims of data theft by Anonymous Sudan. Matt O'Neill from the US Secret Service speaks with Dave Bittner about sextortion. Rick Howard sits down with Michael Fuller of AWS to talk about the kill chain. And Avast releases a free decryptor for Akira.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/126

Selected reading.
Chinese Threat Actors Targeting Europe in SmugX Campaign - Check Point Research (Check Point Research)
Hackers target European government entities in SmugX campaign (BleepingComputer)
Chinese hackers target European embassies with HTML smuggling technique (Record)
Japan's largest port stops operations after ransomware attack (BleepingComputer)
BlackCat ransomware pushes Cobalt Strike via WinSCP search ads (BleepingComputer)
BlackCat Operators Distributing Ransomware Disguised as WinSCP via Malvertising (The Hacker News)
TSMC Says Supplier Hacked After Ransomware Group Claims Attack on Chip Giant (SecurityWeek)
TSMC confirms data breach after LockBit cyberattack on third-party supplier (TechCrunch)
Taiwan Semiconductor Denies LockBit's $70M Hack Claim (Bank Info Security)
Semiconductor giant says IT supplier was attacked; LockBit makes related claims (Record)
DoS and DDoS Attacks against Multiple Sectors (Cybersecurity and Infrastructure Security Agency CISA)
CISA issues DDoS warning after attacks hit multiple US orgs (BleepingComputer)
Microsoft denies data breach, theft of 30 million customer accounts (BleepingComputer)
Microsoft Denies Major 30 Million Customer-Breach (Infosecurity Magazine)
Decrypted: Akira Ransomware (Avast Threat Labs)
