

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Jun 5, 2023 • 25min
Need a Lyft? Not if Anonymous Sudan has anything to say about it. Closing time, open all the doors and let KillNet into the world.
Anonymous Sudan responds to remarks from the US Secretary of State by targeting Lyft and American hospitals. NSA releases an advisory on North Korean spearphishing campaigns. The US government’s Moonlighter satellite will test cybersecurity in orbit. "Operation Triangulation" offers an occasion for Russia to move closer to IT independence. The SEC drops cases over improper access to Adjudication Memoranda. Executives and board members are easy targets for threat actors trolling for sensitive information. Rick Howard targets Zero Trust. The FBI’s Deputy Assistant Director for Cyber Cynthia Kaiser shares trends from the IC3 Annual Report. And KillNet seems to say it's disbanding…or is it?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/107

Selected reading.
U.S. Measures in Response to the Crisis in Sudan (US Department of State)
U.S., ROK Agencies Alert: DPRK Cyber Actors Impersonating Targets to Collect Intelligence (US National Security Agency)
North Korea Using Social Engineering to Enable Hacking of Think Tanks, Academia, and Media (Joint Cybersecurity Advisory)
CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency)
CVE-2023-34362 Detail (National Institute of Standards and Technology)
Zero-Day Vulnerability in MOVEit Transfer Exploited for Data Theft (Mandiant)
SpaceX launch sends upgraded solar arrays to International Space Station (Spaceflight Now)
Moonlighter Fact Sheet (The Aerospace Corporation)
Uncle Sam wants DEF CON hackers to pwn this Moonlighter satellite in space (The Register)
Russia wants 2 million phones with home-grown Aurora OS for use by officials (The Record)
Russia accuses U.S. of hacking thousands of iPhones (Axios)
Operation Triangulation: iOS devices targeted with previously unknown malware (Kaspersky)
Operation Triangulation: Mysterious attack on iPhones (ComputerBild)
Killnet hacktivists say they’re disbanding (Cybernews)
Second Commission Statement Relating to Certain Administrative Adjudications (US Securities and Exchange Commission)
Ponemon: Understanding the Serious Risks to Executives’ Personal Cybersecurity & Digital Lives (BlackCloak)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 4, 2023 • 8min
Galit Lubetzky Sharon: Doing your chores brings the best out in you. [CTO] [Career Notes]
Galit Lubetzky Sharon, Co-Founder and CTO of Wing Security, sits down to share her story and how her years in the business led her to where she is now. Galit shares insights from her experience co-founding her company and bringing it out of stealth mode in early 2022, including why she saw the need for Wing Security and what lessons she learned in the process of founding and launching the company. She started her career as a Colonel in Unit 8200, which gives her a unique perspective on the cyber industry. Galit also shares what she does when things get stressful to calm herself down in the moment and clear her head. She says "I think it's very important to do things that you love. It should be something that you come and you bring yourself and your passion and, uh, finding yourself the occupation, the chores, the, the tasks that you love to do brings the, the best out of you." We thank Galit for sharing her story with us.

Jun 3, 2023 • 17min
Lancefly screams bloody Merdoor.
Brigid O Gorman from Symantec joins Dave to discuss their research, "Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors." Researchers found that Lancefly, an APT group whose activity was first observed in 2020, is using a custom-written backdoor in attacks targeting government, aviation, education, and telecoms organizations in South and Southeast Asia. The research states "The backdoor is used very selectively, appearing on just a handful of networks and a small number of machines over the years, with its use appearing to be highly targeted." Although some activity was observed in 2020 and 2021, the current campaign against these targets began in 2022 and has continued into 2023.

The research can be found here:
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors

Jun 2, 2023 • 30min
Hackers like to move it, move it. Skimmers observed targeting Americas and Europe. Hybrid war activity.
MOVEit Transfer software sees exploitation. A website skimmer has been employed against targets in the Americas and Europe. A look into XeGroup's recent criminal activity. Apple denies the FSB’s allegations of collusion with NSA. Kaspersky investigates compromised devices. Johannes Ullrich from SANS describes phony YouTube "live streams". Our guest is Sherry Huang from the William and Flora Hewlett Foundation to discuss their grants funding cyber policy studies. And the US Department of Defense provides Starlink services to Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/106

Selected reading.
MOVEit Transfer Critical Vulnerability (May 2023) (Progress Software)
Rapid7 Observed Exploitation of Critical MOVEit Transfer Vulnerability (Rapid7)
New MOVEit Transfer zero-day mass-exploited in data theft attacks (BleepingComputer)
Hackers use flaw in popular file transfer tool to steal data, researchers say (Reuters)
New Magecart-Style Campaign Abusing Legitimate Websites to Attack Others (Akamai)
Not your average Joe: An analysis of the XeGroup’s attack techniques (Menlo Security)
Unmasking XE Group: Experts Reveal Identity of Suspected Cybercrime Kingpin (The Hacker News)
Apple denies surveillance claims made by Russia's FSB (Reuters)
FSB uncovers US intelligence operation via malware on Apple mobile phones (TASS)
Kaspersky Says New Zero-Day Malware Hit iPhones—Including Its Own (WIRED)
Operation Triangulation: iOS devices targeted with previously unknown malware (Kaspersky)
Lithuania becomes first to designate Russia as terrorist state (CSCE)
Pentagon confirms SpaceX deal for Ukraine Starlink services (C4ISRNET)

Jun 1, 2023 • 26min
Firmware comes in through the back door. Leveraging Adobe for credential harvesting. C2C market notes. Hybrid war updates.
A backdoor-like issue has been found in Gigabyte firmware. A credential harvesting campaign impersonates Adobe. The Dark Pink gang is active in southeastern Asia. Mitiga discovers a “significant forensic discrepancy” in Google Drive. "Spyboy" is for sale in the C2C market. A look at Cuba ransomware. Ukrainian hacktivists target the Skolkovo Foundation. The FSB says NSA breached iPhones in Russia. Carole Theriault examines Utah's social media bills aimed at kids online. Our guest is Tucker Callaway of Mezmo to discuss the rise of telemetry pipelines. And spoofing positions and evading sanctions.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/105

Selected reading.
Supply Chain Risk from Gigabyte App Center backdoor (Eclypsium)
Ado-be-gone: Armorblox Stops Adobe Impersonation Attack (Armorblox)
Dark Pink back with a bang: 5 new organizations in 3 countries added to victim list (Group-IB)
Southeast Asian hacking crew racks up victims, rapidly expands criminal campaign (CyberScoop)
Suspected State-Backed Hackers Hit Series of New Targets in Europe, SE Asia (Insurance Journal)
Mitiga Security Advisory: Lack of Forensic Visibility with the Basic License in Google Drive (Mitiga)
2023-05-31 // SITUATIONAL AWARENESS // Spyboy Defense Evasion Tool Advertised Online (Reddit)
An In-Depth Look at Cuba Ransomware (Avertium)
Russia’s ‘Silicon Valley’ hit by cyberattack; Ukrainian group claims deep access (The Record)
Russia says U.S. accessed thousands of Apple phones in spy plot (Reuters)
Fake Signals and American Insurance: How a Dark Fleet Moves Russian Oil (The New York Times)

May 31, 2023 • 26min
Two RAT infestations. Ghosts of sites past. Trends in identity security. Detecting deepfakes may prove more difficult than you think.
SeroXen is a new, elusive evolution of the Quasar RAT that seems to live up to its hype, and DogeRAT is a cheap Trojan targeting Indian Android users. Salesforce ghost sites see abuse by malicious actors. A look into identity security trends. People may be overconfident in their ability to detect deepfakes. Deepen Desai from Zscaler describes a campaign targeting Facebook users. CW Walker from Spycloud outlines identity exposure in the Fortune 1000. And a blurring of the lines between criminal, hacktivist, and strategic motivations.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/104

Selected reading.
SeroXen RAT for sale (AT&T Cybersecurity)
Sneaky DogeRAT Trojan Poses as Popular Apps, Targets Indian Android Users (The Hacker News)
DogeRAT: The Android Malware Campaign Targeting Users Across Multiple Industries (CloudSek)
Ghost Sites: Stealing Data From Deactivated Salesforce Communities (Varonis)
2023 Trends in Securing Digital Identities (Identity Defined Security Alliance)
Jumio 2023 Online Identity Consumer Study (Jumio)
Void Rabisu’s Use of RomCom Backdoor Shows a Growing Shift in Threat Actors’ Goals (Trend Micro)
Ukraine's DELTA Military System Users Under Attack from Info Stealing Malware (The Hacker News)

May 30, 2023 • 25min
Mirai’s new variant targets IoT devices. Volt Typhoon investigation continues. Hacktivism in Senegal. Lessons learned from Ukraine.
New Mirai malware uses low-complexity exploits to expand its botnet in IoT devices. The latest on Volt Typhoon. DDoS hits government sites in Senegal. The Pentagon's cyber strategy incorporates lessons from Russia's war, while the EU draws lessons from Ukraine's performance against Russia. Joe Carrigan explains Mandiant research on URL obfuscation. Mr. Security Answer Person John Pescatore plays security whack-a-mole. And NoName disrupts a British airport.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/103

Selected reading.
Old Wine in the New Bottle: Mirai Variant Targets Multiple IoT Devices (Unit 42)
US officials believe Chinese hackers may still have access to key US computer networks (CNN)
Chinese state-sponsored hackers infiltrated U.S. naval infrastructure, secretary of the Navy says (CNBC)
US military intelligence also targeted by Chinese hackers behind critical infrastructure compromise (SC Magazine)
Senegalese government websites hit with cyber attack (Reuters)
DOD Transmits 2023 Cyber Strategy (US Department of Defense)
Fact Sheet: 2023 DOD Cyber Strategy (US Department of Defense)
Lessons from the war in Ukraine for the future of EU defence (European Union External Action)
Investigation Launched After London City Airport Website Hacked (Simple Flying)
Maryland high school listed on Zillow for $42K in ‘creative’ senior prank (New York Post)

May 28, 2023 • 8min
Stacy Dunn: My superpower and my kryptonite. [Engineer] [Career Notes]
Stacy Dunn, a Senior Solutions Engineer at the SANS Institute, sits down and shares what it is like to work through her own adversity to get to where she is today. Stacy shares some of her experiences as a woman with ADHD working in an IT career and explains her tips for other neurodiverse people in the field. After working in a wide array of positions in different fields, she went back to school to earn her degree in management information systems and information assurance. Eventually she worked her way up the ladder and became a very successful woman in the IT world. She shares her struggles with ADHD as she was making the climb and says "It's both a superpower and kryptonite because I think something that is a fundamental misunderstanding of most people, and maybe even some people that do have ADHD, is that it's not just the aspect of not being able to focus, it's also an aspect of focusing too much." We thank Stacy for sharing her story with us.

May 27, 2023 • 18min
8 GoAnywhere MFT breaches and counting. [Research Saturday]
This week, our guests are Emily Austin and Himaja Motheram from Censys, sharing their research "Months after first GoAnywhere MFT zero-day attacks, Censys still sees about 180 public admin panels." In early February 2023, a zero-day RCE vulnerability in Fortra’s “GoAnywhere MFT” (Managed File Transfer) software came to light. The Clop ransomware gang then claimed to have exploited this vulnerability to breach the data of 130 organizations, and Censys found other ransomware groups jumping on the bandwagon. The researchers write, "A single vulnerable instance has the potential to serve as a gateway to a data breach that could potentially impact millions of individuals."

The research can be found here:
Months after first GoAnywhere MFT zero-day attacks, Censys still sees ~180 public admin panels

May 26, 2023 • 27min
CosmicEnergy: OT and ICS malware from Russia, maybe for red teaming. Updates on Volt Typhoon. Legion malware upgraded for the cloud. Natural-disaster-themed online fraud.
CosmicEnergy is OT and ICS malware from Russia, maybe for red teaming, maybe for attack. Updates on Volt Typhoon, China’s battlespace preparation in Guam and elsewhere. In the criminal underworld, Legion malware has been upgraded for the cloud. Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. And Atlantic hurricane season officially opens next week: time to batten down those digital hatches.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/102

Selected reading.
COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant)
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory)
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft)
China hits back at 'the empire of hacking' over Five Eyes US cyber attack claims (ABC)
Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker (Cado)
Legion Malware Upgraded to Target SSH Servers and AWS Credentials (The Hacker News)
CISA Warns of Hurricane/Typhoon-Related Scams (Cybersecurity and Infrastructure Security Agency CISA)
