CyberWire Daily

N2K Networks
Jun 14, 2023 • 23min

A Joint Advisory on LockBit. AI chatbots: the grammarians of tomorrow. KillNet makes a deal with the Devil (Sec). The private-sector’s piece in the hybrid war puzzle.

The Five Eyes, alongside a couple of allies, issue a LockBit advisory. AI aids in proofreading phishing attacks. Anonymous Sudan mounts nuisance-level DDoS attacks against US companies. France alleges a disinformation campaign conducted by Russian actors. KillNet says it's partnered with the less-well-known Devil Sec. The private cybersecurity industry's effect on the war in Ukraine. Carole Theriault ponders oversharing on social media. Our guest is Duncan Jones from Quantinuum on the threats of Harvest Now, Decrypt Later tactics. And a note on this month’s Patch Tuesday.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/114

Selected reading.
- Understanding Ransomware Threat Actors: LockBit (Joint Cybersecurity Advisory)
- U.S. Measures in Response to the Crisis in Sudan (US Department of State)
- Generative AI Enables Threat Actors to Create More (and More Sophisticated) Email Attacks (Abnormal Security)
- France Accuses Russia of Online Disinformation Campaign (Bloomberg)
- The Private Sector’s Evolving Role in Conflict—From Cyber Assistance to Intelligence (R Street)
- Microsoft Patches Critical Windows Vulns, Warns of Code Execution Risks (SecurityWeek)
- Patch Tuesday: Critical Flaws in Adobe Commerce Software (SecurityWeek)
- Patch Tuesday fixes 4 critical RCE bugs, and a bunch of Office holes (Naked Security)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Jun 13, 2023 • 30min

CISA's new Binding Operational Directive. “CosmicEnergy” tool doesn’t pose a cosmic threat. Hackers’ homage to fromage in attacks against the Swiss government. Industry advice for the White House.

CISA issues a new Binding Operational Directive. An update on CosmicEnergy. Hackers’ homage to fromage in attacks against the Swiss government. Ukraine's Cyber Police shut down a pro-Russian bot farm. Clothing and footwear retailers see impersonation and online fraud. A 2021 ransomware attack contributed to a hospital closing. A proof-of-concept exploit of a patched MOVEit vulnerability. An industry letter calls for a new framework on the White House cybersecurity strategy. Joe Carrigan examines a ChatGPT-fueled phishing scam. Our guest is Neha Rungta, Applied Science Director at AWS Identity, discussing Amazon Verified Permissions. And trends in cyber risks for small and medium businesses.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/113

Selected reading.
- Binding Operational Directive 23-02 (US Cybersecurity and Infrastructure Security Agency)
- COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant)
- Dragos Analysis Determines COSMICENERGY Is Not an Immediate Threat (Dragos)
- More than 4,000 bots to discredit the Defense Forces of Ukraine and spread propaganda in favor of Russia: the police of Vinnytsia eliminated a large-scale bot farm (Ukraine Cyber Police)
- Ukraine police raid social media bot farm accused of pro-Russia propaganda (The Record)
- Widespread Brand Impersonation Scam Campaign Targeting Hundreds of the Most Popular Apparel Brands (Bolster)
- An Illinois hospital is the first health care facility to link its closing to a ransomware attack (NBC News)
- Ransomware attack causes Illinois hospital to close (Becker’s Hospital Review)
- New BlackFog research: 61% of SMBs were victims of a cyberattack in the last year (BlackFog)
- Switzerland warns that a ransomware gang may have accessed government data (The Record)
- Swiss government warns of ongoing DDoS attacks, data leak (BleepingComputer)
- Swiss Government Targeted by Series of Cyber-Attacks (Infosecurity Magazine)
- DDoS attack on Federal Administration: various Federal Administration websites and applications unavailable (The Federal Council of the Swiss Government)
Jun 12, 2023 • 28min

Unpatched instances and vulnerabilities rear their ugly heads. Russian telecom provider targeted in an act of “cyber anarchy.” Alleged crypto heist conspirators face charges.

Attacks against unpatched versions of Visual Studio and win32k continue. Progress Software patches two MOVEit vulnerabilities. The Cyber Anarchy Squad claims to have taken down a Russian telecommunications provider's infrastructure. RomCom resumes its activity in the Russian interest. Deepen Desai of Zscaler describes Nevada ransomware. Our guest is Clarke Rodgers from Amazon Web Services with insights on what CISOs say to each other when no one else is listening. And the Mt. Gox hacking indictment has been unsealed.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/112

Selected reading.
- Online muggers make serious moves on unpatched Microsoft bugs (The Register)
- Analysis of CVE-2023-29336 Win32k Privilege Escalation Vulnerability (with POC) (Numen)
- MOVEit Transfer and MOVEit Cloud Vulnerability (Progress Software)
- MDE Affected by Global Data Breach (Minnesota Department of Education)
- Hackers Use Stolen Student Data Against Minneapolis Schools in Brazen New Threat (The 74)
- Ofcom statement on MOVEit cyber attack (Ofcom)
- Ukrainian hackers take down service provider for Russian banks (BleepingComputer)
- Pro-Ukraine hackers claim to take down Russian internet provider (The Record)
- Pro-Ukraine Cyber Anarchy Squad claims the hack of the Russian telecom provider Infotel JSC (Security Affairs)
- RomCom Resurfaces: Targeting Politicians in Ukraine and U.S.-Based Healthcare Providing Aid to Refugees from Ukraine (BlackBerry)
- Mt. Gox's Hackers Are 2 Russian Nationals, U.S. DOJ Alleges in Indictment (CoinDesk)
- Russian nationals accused of Mt. Gox bitcoin heist, shifting stolen funds to BTC-e (The Record)
- Russian Nationals Charged With Hacking One Cryptocurrency Exchange and Illicitly Operating Another (US Department of Justice)
Jun 11, 2023 • 8min

Nadir Izrael: Play to your strengths. [CTO] [Career Notes]

Nadir Izrael, co-founder and CTO of Armis, sits down to share his story. Nadir's love of cyber began when he became a software developer at the age of 12. He always had a passion for making things work better and for asking questions. Once he joined the 8200 unit in Israel, he was able to focus his interests on physics, which led him to discover that he wanted to start his own business. It was after he started building his company that he learned to take smart and innovative risks at work and to make that a way of life. Nadir shares advice, saying "Playing to your strengths maximizes the odds of success, and every other consideration lowers them inevitably, or at least, uh, um, kind of shrinks, I guess, the, the probability space for success." He thinks playing to one's strengths is the best a leader can do to create the most success for their team. We thank Nadir for sharing his story with us.
Jun 10, 2023 • 19min

A new botnet takes a frosty bite out of the gaming industry. [Research Saturday]

Our guest, Allen West from Akamai's SIRT team, joins Dave to discuss their research on "The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile." Akamai found this new botnet, modeled after Qbot, Mirai, and other malware strains, was targeting the gaming industry. The botnet has expanded to encompass hundreds of compromised devices. The research states "through reverse engineering and patching the malware binary, our analysis determined the botnet's attack potential at approximately 629.28 Gbps with its UDP flood attacks." Akamai researchers do a deep dive into the motives behind the attacks, the effectiveness of the attack, and how the law has been handling similar cases.

The research can be found here:
- The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile
Jun 9, 2023 • 30min

“Better Minecraft” improves gameplay, while also lifting your data. Hallucinations, defamation, and legal malpractice, oh my! Asylum Ambuscade and other wartime notes.

Barracuda Networks urges replacement of their gear. Fractureiser infects Minecraft mods. ChatGPT sees a court date over hallucinations and defamation. Asylum Ambuscade engages in both crime and espionage. The US delivers Ukraine Starlink connectivity. DDoS attacks hit the Swiss parliament's website. My conversation with Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA. Our guest is Delilah Schwartz from Cybersixgill discussing how the Dark Web is evolving with new technologies like ChatGPT. And BEC crooks see their day in court.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/111

Selected reading.
- Barracuda Email Security Gateway Appliance (ESG) Vulnerability (Barracuda)
- CVE-2023-2868 (MITRE)
- ACT government falls victim to Barracuda’s ESG vulnerability (CSO Online)
- CVE-2023-2868: Total Compromise of Physical Barracuda ESG Appliances (Rapid7)
- CVE-2023-2868 Detail (National Institute of Standards and Technology)
- Infected Minecraft Mods Lead to Multi-Stage, Multi-Platform Infostealer Malware (Bitdefender)
- New Fractureiser malware used CurseForge Minecraft mods to infect Windows, Linux (BleepingComputer)
- IN THE SUPERIOR COURT OF FULTON COUNTY (Superior Court of Fulton County)
- OpenAI Hit With First Defamation Suit Over ChatGPT Hallucination (Bloomberg Law)
Jun 9, 2023 • 3min

CISA Alert AA23-158A – #StopRansomware: CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability.

FBI and CISA are releasing this joint CSA to disseminate known CL0P ransomware IOCs and TTPs identified through FBI investigations as recently as June 2023.

AA23-158A Alert, Technical Details, and Mitigations

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

- Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft | Mandiant
- MOVEit Transfer Critical Vulnerability (May 2023) - Progress Community
- MOVEit Transfer Critical Vulnerability CVE-2023-34362 Rapid Response (huntress.com)

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
Jun 8, 2023 • 28min

ChatGPT continues to become more human, this time through hallucinations. Following Cl0p. Instagram works against CSAM. And data protection advice from an expert in attacking it.

ChatGPT takes an unexpectedly human turn in having its own version of hallucinations. Updates on Cl0p’s ransom note, background, and recent promises. Researchers look at Instagram’s role in promoting CSAM. A look at KillNet's reboot. Andrea Little Limbago from Interos shares insight on cyber’s human element. Our guest is Aleksandr Yampolskiy from SecurityScorecard on how CISOs can effectively communicate cyber risk to their board. And a hacktivist auxiliary’s stellar advice for protecting your data.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/110

Selected reading.
- Can you trust ChatGPT’s package recommendations? (Vulcan)
- Ransomware group Clop issues extortion notice to ‘hundreds’ of victims (The Record)
- MOVEit cyber attack: Cl0p sparks speculation that it’s lost control of hack (ITpro)
- Responding to the Critical MOVEit Transfer Vulnerability (CVE-2023-34362) (Kroll)
- MOVEit Transfer Critical Vulnerability (May 2023) (Progress)
- Cybergang behind N.S. breach says it erased stolen data, but experts urge caution (CBC Canada)
- Most SMBs admit to paying ransomware demands - here's why (TechRadar)
- Instagram Connects Vast Pedophile Network (Wall Street Journal)
- Addressing the distribution of illicit sexual content by minors online (Stanford University)
- Rebooting Killnet, a New World Order and the End of the Tesla Botnet (Radware)
Jun 7, 2023 • 26min

PowerDrop’s capabilities are up in the air. A Russian cyberespionage campaign channels their inner 007. A disconnect between law firms and cybersecurity protections.

A new PowerShell remote access tool targets a US defense contractor. Current Russian cyber operations against Ukraine are homing in on espionage. CISA and its partners have released a Joint Guide to Securing Remote Access Software. A bug has been reported in Visual Studio’s UI. Awais Rashid from the University of Bristol discusses privacy in health apps. Our guest is Jim Lippie of SaaS Alerts with insights on software-as-a-service application security. And are there disconnects between cybersecurity and the legal profession?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/109

Selected reading.
- PowerDrop: A New Insidious PowerShell Script for Command and Control Attacks Targets U.S. Aerospace Defense Industry (Adlumin)
- UAC-0099: cyberespionage against state organizations and media representatives of Ukraine (CERT-UA#6710) (CERT-UA)
- Guide to Securing Remote Access Software (Joint Guide)
- Imposter Syndrome: UI Bug in Visual Studio Lets Attackers Impersonate Publishers (Varonis)
- Press Release | ILTA and Conversant Group Release First Cybersecurity Benchmarking Survey of the Legal Industry (International Legal Technology Association)
Jun 6, 2023 • 30min

Cl0p moves their way into the systems of major European companies. Notes from a highly active cyber underworld. And hybrid war updates.

The Cl0p gang claims responsibility for the MOVEit file transfer vulnerability. Verizon’s DBIR is out. Palo Alto Networks takes a snapshot of last year’s threat trends. A new criminal campaign targets Android users wishing to install modified apps. A smishing campaign is expanding into the Middle East. Cisco observes compromised vendor and contractor accounts as an access point for network penetration. Cyclops ransomware acts as a dual threat. Anonymous Sudan demands $1 million to stop attacks on Microsoft platforms. Ben Yelin explains a groundbreaking decision on border searches. Our guest is Matt Caulfield of Oort with insights on identity security. And a deepfaked martial law announcement airs on Russian provincial radio stations.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/108

Selected reading.
- Clop ransomware claims responsibility for MOVEit extortion attacks (BleepingComputer)
- CVE-2023-34362 Detail (National Institute of Standards and Technology)
- Microsoft links Clop ransomware gang to MOVEit data-theft attacks (BleepingComputer)
- BA, BBC and Boots hit by cyber security breach with contact and bank details exposed (Sky News)
- 2023 Data Breach Investigations Report (Verizon)
- 2023 Unit 42 Network Threat Trends Research Report (Unit 42)
- Tens of Thousands of Compromised Android Apps Found by Bitdefender Anomaly Detection Technology (Bitdefender)
- Chinese-speaking phishing ring behind latest fake fee scam targeting Middle East; another campaign exposed (Group-IB)
- Adversaries increasingly using vendor and contractor accounts to infiltrate networks (Cisco Talos)
- Cyclops Ransomware and Stealer Combo: Exploring a Dual Threat (Uptycs)
- U.S. Measures in Response to the Crisis in Sudan (US Department of State)
- Microsoft's Outlook.com is down again on mobile, web (BleepingComputer)
- Kremlin: fake Putin address broadcast on Russian radio stations after 'hack' (Reuters)
- Deep fake video of Putin declaring martial law is broadcast in parts of Russia (Semafor)
- Peskov called "Putin's emergency appeal" shown on some TV networks as a hack (TASS)
- Proceedings of the 2023 U.S.-Ukraine Cyber Dialogue (US Department of State)
