CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Jun 24, 2023 • 24min
Unleashing the crypto gold rush. [Research Saturday]
Ian Ahl from Permiso's PØ Labs joins Dave to discuss their research on "Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor." First observing the group in 2021, they discovered GUI-vil is a financially motivated threat group primarily focused on unauthorized cryptocurrency mining activities. The research states "the group has been observed exploiting Amazon Web Services (AWS) EC2 instances to facilitate their illicit crypto mining operations." This group is dangerous because, unlike many groups focused on crypto mining, GUI-Vil applies a personal touch when establishing a foothold in an environment.
The research can be found here: Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor
Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 23, 2023 • 34min
Two sets of China-linked cyberespionage activities. Mirai’s new vectors. A Cozy Bear sighting. Anonymous Sudan gets less anonymous.
An update on Barracuda ESG exploitation. Camaro Dragon’s current cyberespionage tools spread through infected USB drives. The Mirai botnet is spreading through new vectors. Midnight Blizzard is out and about. Ukraine is experiencing a "wave" of cyberattacks during its counteroffensive. Karen Worstell from VMware shares her experience with technical debt. Rick Howard speaks with CJ Moses, CISO of Amazon Web Services. And Anonymous Sudan turns out to be no more anonymous or Sudanese than your Uncle Louie.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/120
Selected reading.
Barracuda ESG exploitation (Proofpoint)
Beyond the Horizon: Traveling the World on Camaro Dragon’s USB Flash Drives (Check Point Research)
Chinese malware accidentally infects networked storage (Register)
Akamai SIRT Security Advisory: CVE-2023-26801 Exploited to Spread Mirai Botnet Malware (Akamai)
Mirai botnet targets 22 flaws in D-Link, Zyxel, Netgear devices (BleepingComputer)
Neuberger: Ukraine experiencing a ‘surge’ in cyberattacks as it executes counteroffensive (Record)
Microsoft warns of rising NOBELIUM credential attacks on defense sector (HackRead)
Anonymous Sudan: neither anonymous nor Sudanese (Cybernews)

Jun 22, 2023 • 32min
Cyber spies and vulnerability goodbyes. RedLine Stealer and Vidar: the cryptkeepers. Social engineering TTPs.
North Korea's APT37 deploys FadeStealer to steal information from its targets. Apple patches vulnerabilities under active exploitation. Access to a US satellite is being hawked in a Russophone cybercrime forum. Russian hacktivist auxiliaries say they’ve disrupted IFC.org. Unmasking pig-butchering scams. Social engineering as a method of account takeover. Fraudsters seen abusing generative AI. Sergey Medved from Quest Software describes the “Great Cloud Repatriation”. Mark Ryland of AWS speaks with Rick Howard about software defined perimeters. And embedded URLs in malware.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/119
Selected reading.
RedEyes Group Wiretapping Individuals (APT37) (Ahn Lab)
Apple fixes iPhone software flaws used in widespread hacks of Russians (The Washington Post)
Apple issues emergency patch to address alleged spyware vulnerability (Cyberscoop)
Apple patch fixes zero-day kernel hole reported by Kaspersky – update now! (Sophos)
Military Satellite Access Sold on Russian Hacker Forum for $15,000 (HackRead)
Well done. Russian hackers shut down the IMF (Dzen.ru)
Why Malware Crypting Services Deserve More Scrutiny (KrebsOnSecurity)
Unmasking Pig-Butchering Scams And Protecting Your Financial Future (Trend Micro)
Classic Account Takeover via the Direct Deposit Change (Avanan)
Q2 2023 Digital Trust & Safety Index (Sift)
Compromised Domains account for over 50% of Embedded URLs in Malware Phishing Campaigns (Cofense)

Jun 21, 2023 • 28min
A “flea” on the wall conducts cyberespionage. Cl0p update. Astrology finds its way into your computer systems. Fancy Bear sighted, again.
The Flea APT sets its sights on diplomatic targets. An update on the Cl0p gang’s exploitation of a MOVEit vulnerability. Unpatched TP-Link Archer routers are meeting their match in the Condi botnet. The Muddled Libra threat group compromises companies in a variety of industries. A look into passwordless authentication. Derek Manky of Fortinet describes the Global Threat Landscape. Rick Howard speaks with Rod Wallace from AWS about data lakes. And Fancy Bear noses its way into Ukrainian servers.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/118
Selected reading.
Graphican: Flea Uses New Backdoor in Attacks Targeting Foreign Ministries (Symantec)
Ke3chang (MITRE)
Third MOVEit vulnerability raises alarms as US Agriculture Department says it may be impacted (The Record)
PwC and EY impacted by MOVEit cyber attack (Cybersecurity Hub)
Norton Parent Says Employee Data Stolen in MOVEit Ransomware Attack (SecurityWeek)
MOVEit hack: Gang claims not to have BBC, BA and Boots data (BBC)
US govt offers $10 million bounty for info on Clop ransomware (BleepingComputer)
Condi DDoS Botnet Spreads via TP-Link's CVE-2023-1389 (Fortinet)
CVE-2023-1389 Detail (NIST)
Download for Archer AX21 V3 (TP-Link)
Threat Group Assessment: Muddled Libra (Unit 42)
Axiad and ESG Survey: 82% of Respondents Indicate Passwordless Authentication is a Top Five Priority (PR Newswire)
APT28 group used three Roundcube exploits (CVE-2020-35730, CVE-2021-44026, CVE-2020-12641) during another espionage campaign (CERT-UA#6805) (CERT-UA)
BlueDelta Exploits Ukrainian Government Roundcube Mail Servers to Support Espionage Activities (The Record)
CVE-2020-35730 Detail (NIST)
CVE-2023-23397 Detail (NIST)

Jun 20, 2023 • 29min
Reddit sees bad luck as a BlackCat attack crosses their path. The C2C market is more mystical nowadays. Hacktivist auxiliaries and false flags in the hybrid war.
The BlackCat gang crosses Reddit’s path, threatening to leak stolen data. Mystic Stealer malware evades and creates a feedback loop in the C2C market. RDStealer is a new cyberespionage tool, seen in the wild. The United States offers a reward for information on the Cl0p ransomware gang. KillNet, REvil, and Anonymous Sudan form a "DARKNET Parliament" and “sanction” the European banking system. The British Government commits £25 million in cybersecurity aid to Ukraine. Ben Yelin explains cyber disclosure rules proposed by the SEC. Rick Howard speaks with Nancy Wang of AWS about the importance of backups and restores. And what researchers are turning up in cloud honeypots.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/117
Selected reading.
Reddit: Hackers demand $4.5 million and API policy changes (Computing)
Mystic Stealer – Evolving “stealth” Malware (Cyfirma)
Mystic Stealer: The New Kid on the Block (Zscaler)
Unpacking RDStealer: An Exfiltration Malware Targeting RDP Workloads (Bitdefender)
MOVEit Transfer and MOVEit Cloud Vulnerability (Progress Software)
CVE-2023-35708 Detail (NIST)
U.S. Energy Dept gets two ransom notices as MOVEit hack claims more victims (Reuters)
US govt offers $10 million bounty for info on Clop ransomware (BleepingComputer)
Ransomware Group Starts Naming Victims of MOVEit Zero-Day Attacks (SecurityWeek)
A bear in wolf’s clothing: Insights into the infrastructure used by Anonymous Sudan to attack Australian organisations (CyberCX)
Anonymous Sudan: Religious Hacktivists or Russian Front Group? (Trustwave)
UK to give Ukraine major boost to mount counteroffensive (UK Government)
2023 Honeypotting in the Cloud Report: Attackers Discover and Weaponize Exposed Cloud Assets and Secrets in Minutes (Orca Security)

Jun 18, 2023 • 8min
Lorna Mahlock: Build bridges. [Combat support] [Career Notes]
Major General Lorna Mahlock, Deputy Director for Combat Support at the National Security Agency (NSA), sits down with Dave to discuss her long and impressive career leading up to her working for one of the most prestigious security agencies. Originally born in Kingston, Jamaica, Lorna immigrated to Brooklyn, New York and enlisted in the United States Marine Corps as a field radio operator. She shares how eye-opening the military was for her, moving through the ranks, and eventually landing a role at the Pentagon working for the Chairman of the Joint Chiefs of Staff. She moved around, widening her array of paths, and landed in her current role. Lorna shares some wisdom, mentioning how she likes to talk about ladders and how useful creating ladders in life can be. She says, "I think about ladders in terms of horizontal component, in that you can create bridges, right? And, um, ways over obstacles, uh, for, for not only, uh, for yourself, but for others and an entire organization." We thank Lorna for sharing her story with us.

Jun 17, 2023 • 19min
Managing machine learning risks. [Research Saturday]
Our guest, Johannes Ullrich from SANS Institute, joins Dave to discuss their research on "Machine Learning Risks: Attacks Against Apache NiFi." Using their honeypot network, researchers were able to collect some interesting data about a threat actor who is currently going after exposed Apache NiFi servers. Researchers state “On May 19th, our distributed sensor network detected a notable spike in requests for ‘/nifi.’” Investigating further, they instructed a subset of their sensors to forward requests to an actual Apache NiFi instance, and within a couple of hours the honeypot was completely compromised.
The research can be found here: Machine Learning Risks: Attacks Against Apache NiFi

Jun 16, 2023 • 31min
The Cl0p gang moves its way into US government systems. It’ll take multiple showers to rinse out Shampoo malware. Hybrid war update. Arrests and indictments.
The US Government discloses exploitations of MOVEit vulnerabilities, and the Department of Energy is targeted by the Cl0p gang. CISA releases an updated advisory for Telerik vulnerabilities affecting Government servers. Shampoo malware emerges with multiple persistence mechanisms. How the IT Army of Ukraine can exemplify a cyber auxiliary. Russophone gamers are being targeted with ransomware. An alleged LockBit operator has been arrested. The FBI’s Deputy Assistant Director for Cyber, Cynthia Kaiser, joins us with cybercriminal trends and recent successes. Our guest is Will Markow from Lightcast, speaking with Simone Petrella about data-driven strategic workforce decisions. And a federal grand jury indicts the alleged Discord Papers leaker.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/116
Selected reading.
US government hit by Russia's Clop in MOVEit mass attack (The Register)
Energy Department among ‘several’ federal agencies hit by MOVEit breach (Federal News Network)
Threat Actors Exploit Progress Telerik Vulnerabilities in Multiple U.S. Government IIS Servers (CISA)
CVE-2019-18935 Detail (NIST)
CVE-2017-9248 Detail (NIST)
Cryptographic Weakness (Telerik)
Shampoo: A New ChromeLoader Campaign (HP)
Cyber attacks on Rotterdam and Groningen websites (World Cargo News)
The Dynamics of the Ukrainian IT Army’s Campaign in Russia (Lawfare)
Watch: Why early failures in Ukraine's counter-offensive aren't Russian victories (The Telegraph)
Russian War Report: Anti-Ukrainian counteroffensive narratives fail to go viral (Atlantic Council)
Threat Actor Targets Russian Gaming Community With WannaCry-Imitator (Cyble)
Hackers infect Russian-speaking gamers with fake WannaCry ransomware (The Record)
Russian national arrested in Arizona, charged for alleged role in LockBit ransomware attacks (CyberScoop)
Suspected LockBit ransomware affiliate arrested, charged in US (BleepingComputer)
Russian national arrested in US for deploying LockBit ransomware (The Record)
Guardsman indicted on charges of disclosing classified national defense information (AP News)
Charges Against Alleged Pentagon Leaker Jack Teixeira Explained (Newsweek)
Jack Teixeira, Pentagon leaks suspect, indicted by federal grand jury (The Guardian)

Jun 15, 2023 • 29min
Chinese threat actors reel in Barracuda appliances. Diicot: the gang formerly known as Mexals, with Romanian ties. Recent Russian cyberespionage against Ukraine and its sympathizers.
A Chinese threat actor exploits a Barracuda vulnerability. The upgraded version of the Android GravityRAT can exfiltrate WhatsApp messages. Cybercriminals pose as security researchers to propagate malware. Updates on the Vidar threat operation. A new Romanian hacking group has emerged. Shuckworm collects intelligence, and may support targeting. The Washington Post’s Tim Starks explains the section 702 debate. Our guest is Rotem Iram from At-Bay with insights on email security. And Russia's Cadet Blizzard.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/115
Selected reading.
Android GravityRAT goes after WhatsApp backups (ESET)
Quarterly Adversarial Threat Report (Facebook)
Barracuda ESG Zero-Day Vulnerability (CVE-2023-2868) Exploited Globally by Aggressive and Skilled Actor, Suspected Links to China (Mandiant)
GravityRAT - The Two-Year Evolution Of An APT Targeting India (Cisco Talos)
Fake Security Researcher GitHub Repositories Deliver Malicious Implant (VulnCheck)
Darth Vidar: The Aesir Strike Back (Team Cymru)
Tracking Diicot: an emerging Romanian threat actor (Cado Security)
Shuckworm: Inside Russia’s Relentless Cyber Campaign Against Ukraine (Symantec)
Cadet Blizzard emerges as a novel and distinct Russian threat actor (Microsoft)
Destructive malware targeting Ukrainian organizations (Microsoft)

Jun 15, 2023 • 3min
CISA Alert AA23-165A – Understanding Ransomware Threat Actors: LockBit.
CISA, FBI, the MS-ISAC, and international partners are releasing this Cybersecurity Advisory to detail LockBit ransomware incidents and provide recommended mitigations to enable network defenders to proactively improve their organization’s defenses against this ransomware operation.
AA23-165A Alert, Technical Details, and Mitigations
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
See the Center for Internet Security (CIS) Critical Security Controls (CIS Controls) https://www.cisecurity.org/insights/white-papers/cis-community-defense-model-2-0 for information on strengthening an organization’s cybersecurity posture through implementing a prescriptive, prioritized, and simplified set of best.
See the CIS Community Defense Model 2.0 (CDM 2.0) for the effectiveness of the CIS Controls against the most prevalent types of attacks and how CDM 2.0 can be used to design, prioritize, implement, and improve an organization’s cybersecurity program.
See Blueprint for Ransomware Defense for a clear, actionable framework for ransomware mitigation, response, and recovery built around the CIS Controls.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.