

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
May 10, 2023 • 28min
Five Eyes disrupt FSB’s Snake malware. From DDoS to cryptojacking. Ransomware trends. Yesterday’s Patch Tuesday is in the books.
The Five Eyes disrupt Russia’s FSB Snake cyberespionage infrastructure. Shifting gears: from DDoS to cryptojacking. Trends in ransomware. Our guest is Steve Benton from Anomali with insights on potential industry headwinds. Ann Johnson from Afternoon Cyber Tea speaks with Roland Cloutier about risk and resilience in the modern era. And yesterday’s Patch Tuesday is now in the books, including a work-around for a patch from this past March.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/90

Selected reading.
Patch Tuesday notes. (The CyberWire)
U.S. Agencies and Allies Partner to Identify Russian Snake Malware Infrastructure Worldwide (US National Security Agency)
Hunting Russian Intelligence “Snake” Malware (Joint Cybersecurity Advisory)
RapperBot DDoS Botnet Expands into Cryptojacking (Fortinet)
The State of Ransomware 2023 (Sophos)
From One Vulnerability to Another: Outlook Patch Analysis Reveals Important Flaw in Windows API (Akamai)
Windows MSHTML Platform Security Feature Bypass Vulnerability (Microsoft)

May 9, 2023 • 26min
State-sponsored and state-promoted cyber campaigns. A look at Royal ransomware. A new wave of BEC. Man-in-the-middle attacks rising.
An analysis of Royal ransomware. PaperCut vulnerability detection methods can be bypassed. Man-in-the-middle phishing attacks are on the rise. A new wave of BEC attacks from an unexpected source. Thomas Etheridge from CrowdStrike has the latest threat landscape trends. Our guest is Dan Amiga of Island with insights on the enterprise browser category. And a look into recent Russian cyberattacks against Ukraine.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/89

Selected reading.
Threat Assessment: Royal Ransomware (Unit 42)
PaperCut Exploitation - A Different Path to Code Execution (VulnCheck)
New PaperCut RCE exploit created that bypasses existing detections (Bleeping Computer)
Man-in-the-Middle (MitM) attacks reaching inboxes increase 35% since 2022 (Cofense)
Exploring the Rise of Israel-Based BEC Attacks (Abnormal Security)
Russians launch mass cyber attack on online service for queueing to cross border by trucks (Ukrainska Pravda)
Reverting UAC-0006: Mass distribution of SmokeLoader using the "accounts" theme (CERT-UA#6613) (CERT-UA)

May 8, 2023 • 27min
Developments in the ransomware underworld: ALPHV, Akira, Cactus, and Royal. Some organizations remain vulnerable to problems with unpatched Go-Anywhere instances.
ALPHV claims responsibility for a cyberattack on Constellation Software. A new Akira ransomware campaign spreads. CACTUS is a new ransomware leveraging VPNs to infiltrate its target. Many organizations are still vulnerable to the Go-Anywhere MFT vulnerability. Russian hacktivists interfere with the French Senate's website. Keith Mularski from EY details their "State of the Hack" report. Emily Austin from Censys discusses the State of the Internet. And ransomware gangs target local governments in Texas and California.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/88

Selected reading.
ALPHV gang claims ransomware attack on Constellation Software (BleepingComputer)
Constellation Software hit by cyber attack, some personal information stolen (IT World Canada)
Press Release of Constellation Software Inc. (GlobeNewswire News Room)
Meet Akira — A new ransomware operation targeting the enterprise (BleepingComputer)
New Cactus ransomware encrypts itself to evade antivirus (BleepingComputer)
Pro-Russian Hackers Claim Downing of French Senate Website (SecurityWeek)
Dallas cyberattack highlights ransomware’s risks to public safety, health (Washington Post)
Hacked: Dallas Ransomware Attack Disrupts City Services (Dallas Observer)
City of Dallas Continues Battling Ransomware Attack for Third Day (NBC 5 Dallas-Fort Worth)
San Bernardino County pays hackers $1.1 million ransom after cyber attack (Victorville Daily Press)
San Bernardino County pays $1.1M ransom after cyberattack disrupts Sheriff's Department systems (ABC7 Los Angeles)
Atomic Data devastated by the unexpected death of CEO and co-owner Jim Wolford (Atomic Data)

May 7, 2023 • 8min
Shelley Ma: The mystery behind cybersecurity. [Response Lead] [Career Notes]
Shelley Ma, Incident Response Lead at Coalition, sits down to share her story, starting all the way back when she was a kid and fell in love with playing the game "NeoPets", which ended up paving the way for her future in cybersecurity. After starting this journey, she shares how she became intrigued with crime and mystery shows, which ultimately spawned an interest in forensic science. She ended up signing up for an internship program that she was able to get into, which she says was a pivotal change for her that provided her the chance to begin her career. She shares the advice that if anyone is looking to get into this career, she highly recommends looking into the career before beginning. Following some advice given to her by a professor and mentor, she says that telling the truth helps her deal with adversity in the workplace. Shelley says "In our industry, there are so many opportunities for our opinions and testimonies to be coerced and swayed. I refuse to do that and every time I come back to what my professor said, if you don't want to spend the rest of your life looking over your shoulders, just simply tell the truth." We thank Shelley for sharing her story with us.

May 6, 2023 • 21min
Phishing campaign takes the energy out of Chinese nuclear industry. [Research Saturday]
Ryan Robinson from Intezer joins us to discuss his team's work on "Phishing Campaign Targets Chinese Nuclear Energy Industry." The research team discovered activity targeting the nuclear energy industry in China. Researchers attributed the activity to Bitter APT, a South Asian APT that is known to target the energy, manufacturing and government sectors, mainly in Pakistan, China, Bangladesh, and Saudi Arabia.

The article states "We identified seven emails pretending to be from the Embassy of Kyrgyzstan, being sent to recipients in the nuclear energy industry in China. In some emails, people and entities in academia are also targeted, also related to nuclear energy." By luring recipients in with invitations to conferences on subjects relevant to them, the attackers are then able to social engineer the victims.

The research can be found here: Phishing Campaign Targets Chinese Nuclear Energy Industry

May 5, 2023 • 37min
DPRK's Kimsuki spearphishes. A standards strategy for AI. Ransomware Task Force retrospective. KillNet's new menu. Ex Uber CSO sentenced for data breach cover-up.
Kimsuki has a new reconnaissance tool. The Biden administration shares plans for AI. Reports on the ransomware taskforce report. KillNet recommits to turning a profit. Deepen Desai from Zscaler has the latest stats on Phishing. Our guest is Karen Worstell from VMware with a conversation about inclusivity. And the former CSO at Uber is sentenced.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/87

Selected reading.
Kimsuky Evolves Reconnaissance Capabilities in New Global Campaign (SentinelOne)
Ransomware Task Force Gaining Ground - May 2023 Progress Report (Ransomware Task Force)
Influential task force takes stock of progress against ransomware (Washington Post)
For Money and Attention: Killnet Apparently Reorganizes Again (Flashpoint)
Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama (Flashpoint)
Former Uber CSO Joe Sullivan Avoids Prison Time Over Data Breach Cover-Up (Security Week)
Former Uber security chief Sullivan avoids prison in data breach case (Washington Post)

May 4, 2023 • 31min
Cyberespionage, straight out of Beijing, Teheran, and Moscow. Developments in the criminal underworld. Indictment in a dark web carder case.
An APT41 subgroup uses new techniques to bypass security products. Iranian cyberespionage group MuddyWater is using Managed Service Provider tools. Wipers reappear in Ukrainian networks. Meta observes and disrupts the new NodeStealer malware campaign. The City of Dallas is moderately affected by a ransomware attack. My conversation with Karin Voodla, part of the US State Department’s Cyber fellowship program. Lesley Carhart from Dragos shares Real World Stories of Incident Response and Threat Intelligence. And there’s been an indictment and a takedown in a major dark web carder case.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/86

Selected reading.
Attack on Security Titans: Earth Longzhi Returns With New Tricks (Trend Micro)
APT groups muddying the waters for MSPs (ESET)
Russian hackers use WinRAR to wipe Ukraine state agency’s data (BleepingComputer)
WinRAR as a "cyberweapon". Destructive cyberattack UAC-0165 (probably Sandworm) on the public sector of Ukraine using RoarBat (CERT-UA#6550) (CERT-UA)
The malware threat landscape: NodeStealer, DuckTail, and more (Engineering at Meta)
Facebook disrupts new NodeStealer information-stealing malware (BleepingComputer)
NodeStealer Malware Targets Gmail, Outlook, Facebook Credentials (Decipher)
City of Dallas likely targeted in ransomware attack, city official says (Dallas News)
Cybercriminal Network Fueling the Global Stolen Credit Card Trade is Dismantled (US Department of Justice)
Secret Service, State Department Offer Up To $10 Million Dollar Reward For Information On Wanted International Fugitive (US Secret Service)
Police dismantles Try2Check credit card verifier used by dark web markets (BleepingComputer)

May 3, 2023 • 33min
Iran integrates influence and cyber operations. ChatGPT use and misuse. Trends in the cyber underworld. Hybrid warfare and cyber insurance war clauses.
Iran integrates influence and cyber operations. ChatGPT use and misuse. Phishing reports increased significantly so far in 2023, while HTML attacks double. An update on the Discord Papers. Cyberstrikes against civilian targets. My conversation with our own Simone Petrella on emerging cyber workforce strategies. Tim Starks from the Washington Post joins me with reflections on the RSA conference. And, turns out, a war clause cannot be invoked in denying damage claims in the NotPetya attacks (at least not in the Garden State).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/85

Selected reading.
Rinse and repeat: Iran accelerates its cyber influence operations worldwide (Microsoft On the Issues)
ChatGPT Confirms Data Breach, Raising Security Concerns (Security Intelligence)
Samsung Bans Generative AI Use by Staff After ChatGPT Data Leak (Bloomberg)
Malicious email campaigns abusing Telegram bots rise tremendously in Q1 2023, surpassing all of 2022 by 310% (Cofense)
Threat Spotlight: Proportion of malicious HTML attachments doubles within a year (Barracuda)
Zelensky says White House told him nothing about Discord intelligence leaks (Washington Post)
Russia attacks civilian infrastructure in cyberspace just as it does on ground - watchdog (Ukrinform)
Merck’s Insurers On the Hook in $1.4 Billion NotPetya Attack, Court Says (Wall Street Journal)
Merck entitled to $1.4B in cyberattack case after court rejects insurers' 'warlike action' claim (Fierce Pharma)

May 2, 2023 • 31min
From cryptostealers to CCTV exploits, from Magecart enhancements to coronation phishbait, cybercriminals have been active. (But so have law enforcement agencies.)
LOBSHOT is a cryptowallet stealer abusing Google Ads. Coronation phishbait. A known CCTV vulnerability is currently being exploited. T-Mobile discloses another, smaller data breach. New Magecart exploits. Preliminary lessons from cyber operations during Russia's war. Rob Boyce from Accenture shares insights from RSA Conference. Our special guest is NSA Director of Cybersecurity Rob Joyce. And Europol announces a major dark web market takedown.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/84

Selected reading.
New LOBSHOT malware gives hackers hidden VNC access to Windows devices (BleepingComputer)
New 'Lobshot' hVNC Malware Used by Russian Cybercriminals (SecurityWeek)
Elastic Security Labs discovers the LOBSHOT malware (Elastic Blog)
Researchers see surge in scam websites linked to coronation (Computer Weekly)
TBK DVR Authentication Bypass Attack (FortiGuard)
T-Mobile discloses second data breach since the start of 2023 (BleepingComputer)
T-Mobile discloses 2nd data breach of 2023, this one leaking account PINs and more (Ars Technica)
T-Mobile Announces Another Data Breach (CNET)
Magecart threat actor rolls out convincing modal forms (Malwarebytes)
Cyber lessons from Ukraine: Prepare for prolonged conflict, not a knockout blow (Breaking Defense)
288 dark web vendors arrested in major marketplace seizure (Europol)

May 1, 2023 • 35min
FDA warns of biomed device vulnerability. Ransomware's effects continue at US Marshals Service fugitive tracking. US DoJ shifts to disruption of cybercrime. GRU phishing. KillNet’s ask-me-anything.
The FDA warns of a vulnerability affecting biomedical devices. Ransomware's effects continue to trouble the US Marshals Service. The US Justice Department shifts how it deals with large scale cybercrime. Fresh phish from the GRU. Caleb Barlow looks at unicorns and zombiecorns. Our guest Manoj Sharma from Symantec explains the differences between Zero Trust and SASE. And KillNet runs an ask-me-anything session.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/83

Selected reading.
Illumina cyber vulnerability may present risks for patient results (U.S. Food and Drug Administration)
CISA, FDA warn of new Illumina DNA device vulnerability (Record)
Key law enforcement computers still down 10 weeks after breach (Washington Post)
Feds Prioritizing Disruptions Over Arrests in Cyberattack Cases (PCMAG)
"Ashamed" LockBit ransomware gang apologises to hacked school, offers free decryption tool (Hot for Security)
APT28 cyberattack: distribution of emails with "instructions" on "updating the operating system" (CERT-UA#6562) (CERT-UA)
Hackers use fake ‘Windows Update’ guides to target Ukrainian govt (BleepingComputer)
Ukraine at D+431: Drone strikes and phishing expeditions. (CyberWire)


