CyberWire Daily

N2K Networks
May 17, 2023 • 28min

A joint warning on BianLian ransomware. Fleeceware offers AI as bait for the gullible. Cyberespionage updates. And Ukraine formally joins NATO’s CCDCOE.

Cyber agencies warn of BianLian ransomware. There’s a new gang using leaked Babuk-based ransomware. Chinese government-linked threat actors target TP-Link routers with custom malware. ChatGPT-themed fleeceware is showing up in online stores. Ukraine is now a member of NATO's Cyber Centre. Tim Starks from the Washington Post shares insights on Section 702 renewal. Our guest is Ismael Valenzuela from BlackBerry, sharing the findings from their Global Threat Intelligence Report. And the CIA's offer to Russian officials may have had some takers.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/95

Selected reading.
#StopRansomware: BianLian Ransomware Group (Cybersecurity and Infrastructure Security Agency CISA)
Newly identified RA Group compromises companies in U.S. and South Korea with leaked Babuk source code (Cisco Talos Blog)
The Dragon Who Sold His Camaro: Analyzing Custom Router Implant (Check Point Research)
Fake ChatGPT Apps Scam Users Out of Thousands of Dollars, Sophos Reports (GlobeNewswire News Room)
Ukraine joins NATO Cyber Centre (Computing)
Russian Officials Unnerved by Ukraine Bloodshed Are Contacting CIA, Agency Says (Wall Street Journal)

Learn more about your ad choices. Visit megaphone.fm/adchoices
May 17, 2023 • 32min

What is data centric security and why should anyone care? [CyberWire-X]

In today’s world, conventional cyber thinking remains largely focused on perimeter-centric security controls designed to govern how identities and endpoints utilize networks to access applications and data that organizations possess internally. Against this backdrop, a group of innovators and security thought leaders are exploring a new frontier and asking the question: shouldn’t there be a standard way to protect sensitive data regardless of where it resides or who it’s been shared with? It’s called “data-centric” security and it’s fundamentally different from “perimeter-centric” security models. Practicing it at scale requires a standard way to extend the value of “upstream” data governance (discovery, classification, tagging) into “downstream” collaborative workflows like email, file sharing, and SaaS apps.

In this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner explore modern approaches for applying and enforcing policy and access controls to sensitive data which inevitably leaves your possession but still deserves just as much security as the data that you possess internally. Rick and Dave are joined by guests Bill Newhouse, Cybersecurity Engineer at the National Institute of Standards and Technology (NIST) National Cybersecurity Center of Excellence (NCCoE), and Dana Morris, Senior Vice President for Product and Engineering of our episode sponsor Virtru.
May 16, 2023 • 26min

DDoS trends. Asia sees a Lancefly infestation. Lessons from cyber actuaries. Infostealers in the C2C market. False flags.

DDoS "carpet bombing." Lancefly infests Asian targets. Cyber insurance trends. Infostealers in the C2C market. A Russian espionage service is masquerading as a criminal gang. KillNet’s running a psyop radio station of questionable quality. Joe Carrigan describes baiting fraudsters with fake crypto. Our guest is Gemma Moore of Cyberis talking about how red teaming can upskill detection and response teams. And geopolitical DDoS.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/94

Selected reading.
2023 DDoS Threat Intelligence Report (Corero)
Lancefly: Group Uses Custom Backdoor to Target Orgs in Government, Aviation, Other Sectors (Symantec)
2023 Cyber Claims Report (Coalition)
The Growing Threat from Infostealers (Secureworks)
Cybercriminals who targeted Ukraine are actually Russian government hackers, researchers say (TechCrunch)
DDoS Attacks Targeting NATO Members Increasing (Netscout)
Following the long-running Russian aggression against Ukraine. (The CyberWire)
May 15, 2023 • 32min

Ransomware, doxxing, and data breaches, oh my! State fronts and cyber offensives.

Discord sees a third-party data breach. Black Basta conducts a ransomware attack against technology company ABB. Intrusion Truth returns to dox APT41. Anonymous Sudan looks like a Russian front operation. Attribution and motivation of "RedStinger" remain murky. CISA summarizes Russian cyber offensives. Remote code execution exploits Ruckus in the wild. Our guest is Dave Russell from Veeam with insights on data protection. Matt O'Neill from the US Secret Service on their efforts to thwart email compromise and romance scams. And espionage by way of YouTube comments.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/93

Selected reading.
Discord discloses data breach after support agent got hacked (Bleeping Computer)
Discord suffered a data breach after third-party support agent was hacked (Security Affairs)
Multinational tech firm ABB hit by Black Basta ransomware attack (Bleeping Computer)
Breaking: ABB confirms cyberattack; work underway to restore operations (ET CISO)
Black Basta conducts ransomware attack against Swiss technology company ABB (The CyberWire)
They dox Chinese hackers. Now, they’re back. (Washington Post)
What’s Cracking at the Kerui Cracking Academy? (Intrusion Truth)
Posing as Islamists, Russian Hackers Take Aim at Sweden (Bloomberg)
Anonymous Sudan: Threat Intelligence Report (TrueSec)
Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020 (Malwarebytes)
Russian ‘Red Stealer’ cyberattacks target breakaway territories in Ukraine (Cybernews)
Russia Cyber Threat Overview and Advisories (CISA)
Known Exploited Vulnerabilities Catalog (CISA)
CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)
CISA warns of critical Ruckus bug used to infect Wi-Fi access points (Bleeping Computer)
Security Bulletins (Ruckus)
ROK union leaders charged with spying for North Korea in ‘movie-like’ scheme (NK News)
May 14, 2023 • 8min

Steve Benton: Mixing like a DJ. [VP] [Career Notes]

Steve Benton, Vice President at Anomali Threat Research & GM Belfast, sits down to share his story as a cybersecurity expert with a surplus of strategic leadership experience across cyber and physical security, rooted in substantial operational directorship and accountability. Steve shares his beginnings, where he wanted to grow up to be a rockstar, slowly moving into the world of tech with his first ever computer and falling in love with it. After graduating from Queen's University with a degree in information technology, he joined British Telecommunications, or BT, where he got to put his newfound skills to use. Steve says his job is almost like being a DJ: "a typical day for me is looking at the intelligence that we're bringing in, mixing it as it were to think of a slight, like DJs with a set of headphones on creating the right kind of mixes of intelligence for our clients." We thank Steve for sharing his story with us.
May 13, 2023 • 23min

Running away from operation Tainted Love. [Research Saturday]

Aleksandar Milenkoski and Juan Andres Guerrero-Saade from SentinelOne's SentinelLabs join Dave to discuss their research "Operation Tainted Love | Chinese APTs Target Telcos in New Attacks." Researchers found initial phases of attacks against telecommunication providers in the Middle East in Q1 2023.

The research states: "We assess that this activity represents an evolution of tooling associated with Operation Soft Cell." While the exact grouping is unclear, researchers think it is highly likely that the threat actor is a Chinese cyberespionage group in the nexus of Gallium and APT41.

The research can be found here: Operation Tainted Love | Chinese APTs Target Telcos in New Attacks
May 12, 2023 • 3min

CISA Alert AA23-131A – Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG.

FBI and CISA are releasing this joint Cybersecurity Advisory in response to the active exploitation of CVE-2023-27350. This vulnerability occurs in certain versions of PaperCut NG and PaperCut MF, software applications that help organizations manage printing services, and enables an unauthenticated actor to execute malicious code remotely without credentials.

AA23-131A Alert, Technical Details, and Mitigations
PaperCut: URGENT | PaperCut MF/NG vulnerability bulletin (March 2023)
Huntress: Critical Vulnerabilities in PaperCut Print Management Software

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
May 12, 2023 • 28min

Babuk resurfaces for criminal inspiration. Alert on PaperCut vulnerability exploitation. Too many bad bots. Phishing-as-a-service in the C2C market. KillNet's PMHC regrets.

Babuk source code provides criminal inspiration. CISA and FBI release a joint report on PaperCut. There are more bad bots out there than anyone would like. Phishing-as-a-service tools in the C2C market. CISA’s Eric Goldstein advocates the adoption of strong controls, defensible networks and coordination of strategic cyber risks. Our CyberWire producer Liz Irvin speaks with Crystle-Day Villanueva, Learning and Development Specialist for Lumu Technologies. And KillNet’s short-lived venture, with a dash of regret.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/92

Selected reading.
Babuk code used by 9 ransomware gangs to encrypt VMWare ESXi servers (Bleeping Computer)
Ransomware actors adopt leaked Babuk code to hit Linux systems (Decipher)
Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers (SentinelOne)
Malicious Actors Exploit CVE-2023-27350 in PaperCut MF and NG (CISA)
CVE-2023-27350 Detail (NIST)
Proofpoint Emerging Threats Rules (Proofpoint)
2023 Imperva Bad Bot Report (Imperva)
New phishing-as-a-service tool “Greatness” already seen in the wild (Cisco Talos)
Ukraine at D+442: Russians say the Ukrainian counteroffensive has begun. (CyberWire)
May 11, 2023 • 25min

Ransomware and social engineering trends. Expired certificate addressed. Ransomware groups target schools. Cyber updates in the hybrid war.

A ransomware report highlights targeting and classification. Phishing remains a major threat. Cisco addresses an expired certificate issue. LockBit and Medusa hit school districts with ransomware. US and Canadian cyber units wrap up a hunt-forward mission in Latvia. Ben Yelin on NYPD surveillance. Our CyberWire producer Liz Irvin interviews Damien Lewke, a graduate student at MIT. And an unknown threat actor is collecting against both Russia and Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/91

Selected reading.
GRIT Ransomware Report: April 2023 (GuidePoint Security)
DNSFilter State of Internet Security - Q1 2023 (DNSFilter)
Identify vEdge Certificate Expired on May 9th 2023 (Cisco)
The State of Ransomware Attacks in Education 2023: Trends and Solutions (Veriti)
US Cyber Command 'Hunts Forward' in Latvia (Voice of America)
US cyber team unearths malware during ‘hunt-forward’ mission in Latvia (C4ISRNET)
Uncovering RedStinger - Undetected APT cyber operations in Eastern Europe since 2020 (Malwarebytes)
Bad magic: new APT found in the area of Russo-Ukrainian conflict (Kaspersky)
May 11, 2023 • 3min

CISA Alert AA23-129A – Hunting Russian intelligence “Snake” malware.

The Snake implant is considered the most sophisticated cyber espionage tool designed and used by Center 16 of Russia’s Federal Security Service, or FSB, for long-term intelligence collection on sensitive targets.

AA23-129A Alert, Technical Details, and Mitigations

For more information on FSB and Russian state-sponsored cyber activity, please see the joint advisory Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure and CISA’s Russia Cyber Threat Overview and Advisories webpage.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.