

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

May 25, 2023 • 33min
Volt Typhoon goes undetected by living off the land. New gang, old ransomware. KillNet says no to slacker hackers.
China's Volt Typhoon snoops into US infrastructure, with special attention paid to Guam. Iranian cybercriminals are seen conducting ops against Israeli targets. A new ransomware gang uses recycled ransomware. A persistent Brazilian campaign targets Portuguese financial institutions. A new botnet targets the gaming industry. Phishing attempts impersonate OpenAI. Pro-Russian geolocation graffiti. Andrea Little Limbago from Interos addresses the policy implications of ChatGPT. Our guest is Jon Check from Raytheon Intelligence & Space, on cybersecurity and workforce strategy for the space community. And KillNet says no to slacker hackers.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/101

Selected reading.
People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory)
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft)
Chinese hackers spying on US critical infrastructure, Western intelligence says (Reuters)
Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations (Check Point)
Iran-linked hackers Agrius deploying new ransomware against Israeli orgs (The Record)
Iranian Hackers Set Sights On Israeli Shipping & Logistics Firms (Information Security Buzz)
Fata Morgana: Watering hole attack on shipping and logistics websites (ClearSky Security)
Iran suspect in cyberattack targeting Israeli shipping, financial firms (Al-Monitor)
Buhti: New Ransomware Operation Relies on Repurposed Payloads (Symantec)
Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII (SentinelOne)
The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile (Akamai)
Fresh Phish: ChatGPT Impersonation Fuels a Clever Phishing Scam (INKY)

May 25, 2023 • 3min
CISA Alert AA23-144A – People's Republic of China state-sponsored cyber actor living off the land to evade detection. [CISA Cybersecurity Alerts]
Cybersecurity authorities are issuing this joint Cybersecurity Advisory to highlight a recent cluster of activity associated with a People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon.

AA23-144A Alert, Technical Details, and Mitigations
Active Directory and domain controller hardening: Best Practices for Securing Active Directory | Microsoft Learn
CISA regional cyber threats: China Cyber Threat Overview and Advisories
Microsoft Threat Intelligence blog: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
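
The hunting problem the advisory describes, an actor that uses only the tools already on the box so that no malware ever lands, is illustrated by the added Python below. It is example code written for this page, not code from CISA, the advisory or the podcast. It scores constructed Windows process-creation events for living-off-the-land activity: built-in admin tools spawned by server processes, command lines that dump the AD database or set up a port-proxy pivot, and accounts that run an unusual spread of discovery tools. The event layout, the tool list, the indicators and the weights are all assumptions chosen for illustration.

```python
"""Toy living-off-the-land (LOTL) hunt over Windows process-creation events.

Added example: the event layout, the built-in tool list, the command-line
indicators and the weights are assumptions chosen for illustration; none of
them is taken from the AA23-144A advisory text on this page.
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class ProcEvent:
    host: str
    user: str
    parent: str    # parent process image name, e.g. "w3wp.exe"
    image: str     # process image name, e.g. "cmd.exe"
    cmdline: str   # full command line as logged


# Built-in binaries commonly abused for discovery, credential access and
# tunnelling (assumption: an operator baseline would extend or trim this).
LOLBINS = {
    "cmd.exe", "powershell.exe", "wmic.exe", "ntdsutil.exe", "netsh.exe",
    "reg.exe", "vssadmin.exe", "net.exe", "nltest.exe", "tasklist.exe",
    "systeminfo.exe",
}

# Parents that should almost never spawn admin tooling (assumption: web and
# database server processes, a classic post-exploitation foothold).
SUSPICIOUS_PARENTS = {"w3wp.exe", "httpd.exe", "tomcat.exe", "sqlservr.exe"}

# Command-line indicators with a weight and a human-readable label.
PATTERNS = [
    (re.compile(r"ntdsutil.*(ac i ntds|ifm|create full)", re.I), 5, "ntds.dit dump"),
    (re.compile(r"netsh\s+interface\s+portproxy\s+add", re.I), 5, "portproxy pivot"),
    (re.compile(r"reg(\.exe)?\s+save\s+hklm\\(sam|system|security)", re.I), 5, "registry hive save"),
    (re.compile(r"wmic.*(process\s+call\s+create|/node:)", re.I), 3, "wmic remote exec"),
    (re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I), 3, "encoded PowerShell"),
    (re.compile(r"vssadmin\s+(create\s+shadow|delete\s+shadows)", re.I), 3, "shadow copy handling"),
]


def score_event(ev):
    """Return (score, reasons) for one event; 0 means nothing matched."""
    score, reasons = 0, []
    image, parent = ev.image.lower(), ev.parent.lower()
    if image in LOLBINS and parent in SUSPICIOUS_PARENTS:
        score += 4
        reasons.append(f"{image} spawned by {parent}")
    for rx, weight, label in PATTERNS:
        if rx.search(ev.cmdline):
            score += weight
            reasons.append(label)
    return score, reasons


def hunt(events, threshold=4):
    """Events whose score reaches the threshold, as (event, score, reasons)."""
    hits = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            hits.append((ev, score, reasons))
    return hits


def discovery_bursts(events, min_tools=4):
    """(host, user) pairs that ran at least min_tools distinct built-in tools.

    A single net.exe or nltest.exe call is routine; a spread of them from one
    account is the discovery phase that LOTL tradecraft relies on."""
    seen = defaultdict(set)
    for ev in events:
        if ev.image.lower() in LOLBINS:
            seen[(ev.host, ev.user)].add(ev.image.lower())
    return {k: sorted(v) for k, v in seen.items() if len(v) >= min_tools}


# Constructed sample events (not real telemetry).
SAMPLE = [
    ProcEvent("WEB01", "IIS APPPOOL\\DefaultAppPool", "w3wp.exe", "cmd.exe",
              "cmd.exe /c whoami"),
    ProcEvent("DC01", "CORP\\svc-backup", "cmd.exe", "ntdsutil.exe",
              'ntdsutil "ac i ntds" "ifm" "create full C:\\Windows\\Temp\\x" q q'),
    ProcEvent("FS02", "CORP\\admin", "cmd.exe", "netsh.exe",
              "netsh interface portproxy add v4tov4 listenport=9999 "
              "connectaddress=10.0.0.5 connectport=3389"),
    ProcEvent("WS17", "CORP\\alice", "explorer.exe", "notepad.exe",
              "notepad.exe C:\\Users\\alice\\notes.txt"),
    ProcEvent("WS17", "CORP\\alice", "explorer.exe", "powershell.exe",
              "powershell.exe Get-Date"),
    ProcEvent("WS04", "CORP\\bob", "cmd.exe", "wmic.exe",
              'wmic /node:FS02 process call create "cmd /c dir"'),
    ProcEvent("WS04", "CORP\\bob", "cmd.exe", "net.exe",
              'net group "domain admins" /domain'),
    ProcEvent("WS04", "CORP\\bob", "cmd.exe", "nltest.exe", "nltest /dclist:corp"),
    ProcEvent("WS04", "CORP\\bob", "cmd.exe", "tasklist.exe", "tasklist /v"),
    ProcEvent("WS04", "CORP\\bob", "cmd.exe", "systeminfo.exe", "systeminfo"),
]

if __name__ == "__main__":
    for ev, score, reasons in hunt(SAMPLE):
        print(f"[{score}] {ev.host} {ev.user}: {ev.cmdline}  <- {', '.join(reasons)}")
    for (host, user), tools in discovery_bursts(SAMPLE).items():
        print(f"[burst] {host} {user}: {', '.join(tools)}")
```

On the sample, the web-server-spawned cmd.exe, the ntdsutil dump and the portproxy command are flagged outright, the lone wmic call stays under the threshold, and the account on WS04 is surfaced only because it ran five different discovery tools. That split is the point: no single built-in tool is malicious, so a LOTL hunt has to combine parent-child context, command-line content and per-account tool spread, and the weights and threshold have to be tuned against the environment's own baseline.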

May 24, 2023 • 26min
Cybercriminals favor cyberespionage in North Korea, Russia, and parts unknown. Movements and activity in the cyber underworld.
Kimsuky's tailored reconnaissance tools. GoldenJackal is an APT quietly active since 2019. Criminals target YouTube viewers with free cracked software. Rheinmetall’s data was posted to BlackBasta's extortion site. The "Cuba" gang claims credit for the attack on the Philadelphia Inquirer. CERT-UA identifies a probable Russian cyberespionage campaign. Ireland views cyber assistance to Ukraine as a contribution to collective security. Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black Tech. Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy. And KillNet's underperforming hacktivists.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/100

Selected reading.
Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit (SentinelOne)
North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (The Hacker News)
Meet the GoldenJackal APT group. Don’t expect any howls (Kaspersky)
Follina — a Microsoft Office code execution vulnerability (DoublePulsar)
YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner (FortiGuard Labs)
Arms maker Rheinmetall confirms BlackBasta ransomware attack (Bleeping Computer)
Inquirer and forensics team investigating computer disruptions to publishing (Philadelphia Inquirer)
Cuba ransomware claims cyberattack on Philadelphia Inquirer (Bleeping Computer)
Espionage activity UAC-0063 in relation to Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, India (CERT-UA#6549) (CERT-UA)
Ukraine Identifies Central Asian Cyberespionage Campaign (BankInfoSecurity)
Ireland’s cyber security agency has been providing ‘non-lethal aid’ to Ukraine (Irish Times)

May 23, 2023 • 30min
BlackCat gang crosses your path and evades detection. You’re just too good to be true, can’t money launder for you. Commercial spyware cases.
AhRat exfiltrates files and records audio on Android devices. The BlackCat ransomware group uses a signed kernel driver to evade detection. GUI-Vil in the cloud. Unwitting money mules. Ben Yelin unpacks the Supreme Court’s section 230 rulings. Our guest is Mike DeNapoli from Cymulate with insights on cybersecurity effectiveness. And a trio of commercial spyware cases.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/99

Selected reading.
Android app breaking bad: From legitimate screen recording to file exfiltration within a year (ESET)
Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials (ESET)
BlackCat Ransomware Deploys New Signed Kernel Driver (Trend Micro)
Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor (Permiso)
Uncle Sam strangles criminals' cashflow by reining in money mules (The Register)
German prosecutors charge four over violating trade act to sell spyware to Turkey (Washington Post)
Israel Torpedoed Morocco Spyware Deal - and NSO Competitor QuaDream Shut Down (Haaretz)
He Was Investigating Mexico’s Military. Then the Spying Began. (New York Times)

May 22, 2023 • 27min
Record GDPR fine. Movements in the cyber underworld. FBI found to have overstepped surveillance authorities.
The EU fines Meta for transatlantic data transfers. FIN7 returns, bearing Cl0p ransomware. Python Package Index temporarily suspends new registrations due to a spike in malicious activity. Typosquatting and TurkoRAT. UNC3944 uses SIM swapping to gain access to Azure admin accounts. A Turla retrospective. Rick Howard tackles workforce development. Our guest is Andrew Peterson of Fastly to discuss the intricate challenges of secure software development. And the FBI was found overstepping its surveillance authorities.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/98

Selected reading.
Meta Fined $1.3 Billion Over Data Transfers to U.S. (Wall Street Journal)
Meta fined record $1.3 billion and ordered to stop sending European user data to US (AP News)
Notorious Cyber Gang FIN7 Returns With Cl0p Ransomware in New Wave of Attacks (The Hacker News)
Researchers tie FIN7 cybercrime family to Clop ransomware (The Record)
Cybercrime gang FIN7 returned and was spotted delivering Clop ransomware (Security Affairs)
PyPI new user and new project registrations temporarily suspended. (Python)
PyPI repository restored after temporarily suspending new activity (Computing)
RATs found hiding in the NPM attic (ReversingLabs)
Legitimate looking npm packages found hosting TurkoRat infostealer (CSO Online)
SIM Swapping and Abuse of the Microsoft Azure Serial Console: Serial Is Part of a Well Balanced Attack (Mandiant)
Mozilla Explains: SIM swapping (Mozilla)
The Underground History of Russia’s Most Ingenious Hacker Group (WIRED)
Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service (US Department of Justice)
Hunting Russian Intelligence “Snake” Malware (CISA)
FBI misused intelligence database in 278,000 searches, court says (Reuters)
FBI misused controversial surveillance tool to investigate Jan. 6 protesters (The Record)
FBI broke rules in scouring foreign intelligence on Jan. 6 riot, racial justice protests, court says (AP News)

May 21, 2023 • 8min
Dawn Cappelli: Becoming the cyber fairy godmother. [OT] [Career Notes]
Dawn Cappelli, OT CERT Director at Dragos, sits down to share what she has learned after her 25+ year career in the industry. She recalls wanting to have been a rockstar when she grew up; now she refers to herself as the fairy godmother of security. She shares some of the amazing things she got to work on throughout her career, including working with the Secret Service when the Olympics came to Salt Lake City, Utah in 2002. She shares how she was able to rise through the ranks to get to where she is now. Dawn talks about how she wasn't ready to retire quite yet because she loved the industry so much, saying "I retired, but I knew I still loved security. I have this passion for protection and so Dragos came along and they offered me this role of Director of OT CERT. I feel like I'm the security fairy godmother." She shares words of wisdom for all trying to get into the industry, saying that you need to always take the risk like she did when she first started her career. We thank Dawn for sharing her story with us.

May 20, 2023 • 24min
Dangerous vulnerabilities in H.264 decoders. [Research Saturday]
Willy R. Vasquez from The University of Texas at Austin discusses research on "The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders." The researchers examine modern video encoding standards such as H.264 for vulnerabilities and the hidden security risks they carry.

The research states: "We introduce and evaluate H26FORGE, domain-specific infrastructure for analyzing, generating, and manipulating syntactically correct but semantically spec-non-compliant video files." Using H26FORGE, the researchers were able to uncover insecurities in depth across the video decoder ecosystem, including kernel memory corruption bugs in iOS and video accelerator and application processor kernel memory bugs in Android devices.

The research can be found here:
The Most Dangerous Codec in the World: Finding and Exploiting Vulnerabilities in H.264 Decoders

May 19, 2023 • 28min
Section 230 survives court tests. Pre-infected devices. IRS cyber attachés. DraftKings hack indictment. Notes on the hybrid war.
Section 230 survives SCOTUS. Lemon Group's pre-infected devices. The IRS is sending cyber attachés to four countries in a new pilot program. A Wisconsin man is charged with stealing DraftKings credentials. Russian hacktivists conduct DDoS attacks against Polish news outlets. An update on RedStinger. Grayson Milbourne from OpenText Cybersecurity discusses IoT and the price we pay for convenience. Our guest is Matthew Keeley with info on an open source domain spoofing tool, Spoofy. And war principles and hacktivist auxiliaries.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/97

Selected reading.
“Honey, I’m Hacked”: Ethical Questions Raised by Ukrainian Cyber Deception of Russian Military Wives (Just Security)
A Mysterious Group Has Ties to 15 Years of Ukraine-Russia Hacks (Wired)
CloudWizard APT: the bad magic story goes on (SecureList)
Ukraine at D+441: Skirmishing along the line of contact, and in cyberspace. (The CyberWire)
Russian dissident gets three years in prison colony for DDoS attacks on military website (Cybernews)
Europe: The DDoS battlefield (Help Net Security)
Russian hackers hit Polish news sites in DDoS attack (Cybernews)
18-year-old charged with hacking 60,000 DraftKings betting accounts (Bleeping Computer)
Garrison Complaint (Department of Justice)
IRS-CI deploys 4 cyber attachés to locations abroad to combat cybercrime (IRS)
IRS deploys cyber attachés to fight cybercrime abroad (The Hill)
Cybercrime gang pre-infects millions of Android devices with malware (Bleeping Computer)
This Cybercrime Syndicate Pre-Infected Over 8.9 Million Android Phones Worldwide (The Hacker News)
Lemon Group’s Cybercriminal Businesses Built on Preinfected Devices (Trend Micro)

May 18, 2023 • 26min
BEC attack exploits Dropbox services. Ransomware in the name of charity. API protection trends. Hybrid war hacktivism. Executive digital protection.
Business email compromise (BEC) exploits legitimate services. A hacktivist ransomware group demands charity donations for encrypted files. Trends and threats in API protection. The effects of hacktivism on Russia's war against Ukraine. Executive digital protection. Deepen Desai of Zscaler explains security risks in OneNote. Our guest is Ajay Bhatia of Veritas Technologies with advice for onboarding new employees. And news organizations as attractive targets.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/96

Selected reading.
Leveraging Dropbox to Soar Into Inbox (Avanan)
MalasLocker ransomware targets Zimbra servers, demands charity donation (Bleeping Computer)
Shadow API Usage Surges 900%, Revealing Alarming Lack of API Visibility Among Enterprises (Business Wire)
APIs are Top Cybersecurity Priority for Most Organizations, Yet 40% Do Not Have an API Security Solution (PR Newswire)
Evolving Cyber Operations and Capabilities (CSIS)
Following the long-running Russian aggression against Ukraine. (The CyberWire)
Executive Digital Protection whitepaper (Agency)
The Philadelphia Inquirer’s operations continue to be disrupted by a cyber incident (The Philadelphia Inquirer)
Cyberattack at the Philadelphia Inquirer. (The CyberWire)

May 18, 2023 • 3min
CISA Alert AA23-136A – #StopRansomware: BianLian Ransomware Group. [CISA Cybersecurity Alerts]
FBI, CISA, and the Australian Cyber Security Centre are releasing this joint Cybersecurity Advisory to disseminate known BianLian ransomware and data extortion group IOCs and TTPs identified through FBI and ACSC investigations as of March 2023.

AA23-136A Alert, Technical Details, and Mitigations
AA23-136A.STIX_.xml
Stopransomware.gov, a whole-of-government approach with one central location for U.S. ransomware resources and alerts.
cyber.gov.au for the Australian Government’s central location to report cyber incidents, including ransomware, and to see advice and alerts. The site also provides ransomware advisories for businesses and organizations to help mitigate cyber threats.
CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide for guidance on mitigating and responding to a ransomware attack
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


