CyberWire Daily

N2K Networks
Apr 21, 2023 • 30min

Daggerfly swarms African telco. EvilExtractor described. Patriotic hacktivism in East Asia. Updates on Russia's hybrid war suggest that cyber warfare has some distinctive challenges.

Daggerfly APT targets an African telecommunications provider. EvilExtractor is an alleged teaching tool apparently gone bad. A Chinese-speaking threat group is active against Taiwan and South Korea. Europe's air traffic control is under attack. Cecilia Marinier from RSAC and Barmak Meftah, a judge of ISB, discuss the RSA Innovation Sandbox. Awais Rashid from University of Bristol on the cybersecurity of smart farming. Forget about those evil maids. What about these evil sys admins?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/77

Selected reading.
Daggerfly: APT Actor Targets Telecoms Company in Africa (Symantec)
EvilExtractor – All-in-One Stealer (Fortinet Blog)
Chinese-language threat group targeted a dozen South Korean institutions (Record)
Xiaoqiying/Genesis Day Threat Actor Group Targets South Korea, Taiwan (Recorded Future)
WSJ News Exclusive | Europe's Air-Traffic Agency Under Attack From Pro-Russian Hackers (Wall Street Journal)
Intelligence Leaks Cast Spotlight on a Recurring Insider Threat: Tech Support (Wall Street Journal)
Russia's invasion of Ukraine is also being fought in cyberspace (Atlantic Council)
CFP European Cybersecurity Seminar 2023-2024 (European Cyber Conflict Research Initiative)
#CYBERUK23: Russian Cyber Offensive Exhibits 'Unprecedented' Speed and Agility (Infosecurity Magazine)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Apr 20, 2023 • 28min

Two-step supply-chain attack. Plugging leaks, in both Mother Russia and the Land of the Free and the Home of the Brave. Belarus remains a player in the cyber war.

The 3CX compromise involved a two-stage supply-chain attack. Impersonating ChatGPT. Russia's security organs say they're cracking down on leaks. Updates on the Discord Papers case. Belarus arrests a pro-Russian hacktivist. Rob Boyce from Accenture Security on Dark Web cyber criminals targeting CRM systems. Our guest is Mike Loewy from the Tide Foundation, with an innovative approach to distributed key security. And, is Minsk going wobbly on Moscow?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/76

Selected reading.
3CX Software Supply Chain Compromise Initiated by a Prior Software Supply Chain Compromise; Suspected North Korean Actor Responsible (Mandiant)
ChatGPT-Themed Scam Attacks Are on the Rise (Palo Alto Networks Unit 42)
Russian Offensive Campaign Assessment, April 19, 2023 (Institute for the Study of War)
Belarus-linked hacking group targets Poland with new disinformation campaign (Record)
Killnet Ostracizes Leader of Anonymous Russia, Adding New Chapter to Pro-Kremlin Hacktivist Drama (Flashpoint)
Apr 20, 2023 • 3min

CISA Alert AA23-108A – APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers.

The UK National Cyber Security Centre (NCSC), NSA, CISA, and FBI are releasing this joint advisory to provide TTPs associated with APT28's exploitation of Cisco routers in 2021.

AA23-108A Alert, Technical Details, and Mitigations
Malware Analysis Report

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
Apr 19, 2023 • 29min

Play ransomware's new tools. A look at what the GRU’s been up to. US Air Force opens investigation into alleged leaker's Air National Guard wing. KillNet’s new hacker course: “Dark School.”

Play ransomware's new tools. Fancy Bear is out and about. Updates on Sandworm. Ransomware in Russia's war against Ukraine. The US Air Force opens an investigation into the alleged leaker's Air National Guard wing. The Washington Post's Tim Starks joins us with insights on the Biden administration's attempts to better secure the water supply. Carole Theriault chats with Cisco Talos' Vanja Svacjer about the threat landscape, now and tomorrow. And KillNet's in the education business with a new hacker course: "Dark School."

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/75

Selected reading.
Play Ransomware Group Using New Custom Data-Gathering Tools (Symantec)
NCSC-UK, NSA, and Partners Advise about APT28 Exploitation of Cisco Routers (National Security Agency/Central Security Service)
APT28 exploits known vulnerability to carry out reconnaissance and deploy malware on Cisco routers (NCSC)
State-sponsored campaigns target global network infrastructure (Cisco Talos Blog)
Ukraine remains Russia's biggest cyber focus in 2023 (Google)
Fog of War: How the Ukraine Conflict Transformed the Cyber Threat Landscape (Google Threat Analysis Group)
M-Trends 2023: Cybersecurity Insights From the Frontlines (Mandiant)
Faltering against Ukraine, Russian hackers resort to ransomware: Researchers (Breaking Defense)
Air Force unit in document leaks case loses intel mission (AP NEWS)
Pentagon Details Review of Policies for Handling Classified Information (New York Times)
Ukraine at D+419: GRU cyber ops scrutinized. (CyberWire)
Apr 19, 2023 • 26min

A Symposium, a wet dress, a new fund, and it’s only Monday. [T-Minus Space Daily]

Brace yourselves, it's Space Symposium week! Wet dress rehearsal for Starship. UK launches the International Bilateral Fund. Orbit Fab gets a series A round. Boeing announces their anti-jam payload for WGS. The FAA wants to balance air travel and space travel. Our interview with Steve Luczynski, Board Chair of the Aerospace Village, on their mission, programs, and upcoming activities at the RSA Conference next week. All this and more.

Remember to leave us a 5-star rating and review in your favorite podcast app.

Miss an episode? Sign up for our weekly intelligence briefing, Signals and Space, and you'll never miss a beat.

T-Minus Guest
Our featured guest is Steve Luczynski, Board Chair of the Aerospace Village, on the Aerospace Village nonprofit, their mission, their programs, and their upcoming activities at the RSA Conference next week. You can follow Steve on LinkedIn and Twitter.

Selected Reading
SpaceX's launch of Starship could remake space exploration | Washington Post
UK Space Agency funding for international space partnerships | GOV.UK
SpaceX launches seventh Transporter rideshare mission | SpaceNews
Exolaunch's 21 rideshare smallsats deployed during the SpaceX Transporter-7 mission | SatNews
HawkEye 360's nexgen Cluster 7 smallsats are successfully launched | SatNews
TrustPoint Announces Launch of First Commercially-Funded, Purpose-Built PNT Microsatellite | Business Wire
China claims its Space Station has achieved 100% oxygen regeneration in orbit | Interesting Engineering
Boeing Unveils Anti-Jam Payload For Next Space Force Wideband Global SATCOM Satellite | Via Satellite
As counterspace weapons 'proliferate,' the new cold war for space races forward: studies | Breaking Defense
The Moon is the Best Place to Transport Rocket Fuel | Universe Today
US aviation authorities may delay some space launches to avoid air traffic disruption | Reuters
NASA launches stadium-sized balloon from New Zealand | SpaceConnect

Audience Survey
We want to hear from you! Please complete our wicked fast 4 question survey. It'll help us get better and deliver you the most mission-critical space intel every day.

Want to hear your company in the show?
You too can reach the most influential leaders in the industry. Here's a link to our media kit. Contact us at space@n2k.com to request more info about sponsoring T-Minus.

Want to join us for an interview?
Please send your interview pitch to space-editor@n2k.com and include your name, affiliation, and topic proposal, and our editor will get back to you for scheduling.

T-Minus is a production of N2K Networks, your source for strategic workforce intelligence. © 2023 N2K Networks, Inc.
Apr 18, 2023 • 28min

Iranian threat actor exploits N-day vulnerabilities. Subdomain hijacking vulnerabilities. The Discord Papers. An update on Russia’s NTC Vulkan. And weather reports, not a Periodic Table.

An Iranian threat actor exploits N-day vulnerabilities. CSC exposes subdomain hijacking vulnerabilities. More on the Discord Papers. An update on Russia's NTC Vulkan. Joe Carrigan on the aftermath of a $98M online investment fraud. Our guest is Blake Sobczak from Synack, host of the podcast WE'RE IN! And threat actor nomenclature: a scorecard, and a Periodic Table no more.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/74

Selected reading.
Nation-state threat actor Mint Sandstorm refines tradecraft to attack high-value targets (Microsoft Security)
An Iranian hacking group went on the offensive against U.S. targets, Microsoft says (Washington Post)
New CSC Research Finds One in Five DNS Records are Susceptible to Subdomain Hijacking Due to Insufficient Cyber Hygiene (CSC)
DOD Assessing Document Disclosures and Implementing Mitigation Measures (U.S. Department of Defense)
After leak, Pentagon purges some users' access to classified programs, launches security review (Breaking Defense)
Why Did a 21-Year-Old Guardsman Have Access to State Secrets? (Vice)
U.S. officials have examined whether alleged doc leaker had foreign links (POLITICO)
The Air Force Loves War Gamers Like Alleged Leaker Teixeira (Military.com)
FBI Investigating Ex-Navy Noncommissioned Officer Linked to Pro-Russia Social-Media Account (Wall Street Journal)
Pentagon leak suggests Russia honing disinformation drive – report (the Guardian)
Dragos Analyzes Russian Programs Threatening Critical Civilian Infrastructure (Dragos)
Microsoft shifts to a new threat actor naming taxonomy (Microsoft)
Apr 17, 2023 • 30min

Developments in the Discord Papers, including notes on influencers and why they seek influence. Tax season scams. KillNet’s selling, but is anyone buying?

The alleged Discord Papers leaker has been charged. We look at how the Papers spread online. A life lived online as a security risk. US tax season scams, at the 11th filing hour. Caleb Barlow from Cylete on the layoffs in security that many thought would never happen. Maria Varmazis and Brandon Karpf share the launch of the new space podcast, T-Minus. And KillNet says it's open for business.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/73

Selected reading.
Inside the furious week-long scramble to hunt down a massive Pentagon leak (CNN Politics)
Massachusetts Air National Guard's Intelligence Mission in the Spotlight (New York Times)
Leaker of U.S. secret documents worked on military base, friend says (Washington Post)
WSJ News Exclusive | Social-Media Account Overseen by Former Navy Noncommissioned Officer Helped Spread Secrets (Wall Street Journal)
A Russian Disinformation Empire in Oak Harbor, Washington (Malcontent News)
Pro-Russia propagandist unmasked as New Jersey tropical fish seller (The Telegraph)
Suspect charged in case involving leaked classified military documents (Washington Post)
Jack Teixeira, suspect in Pentagon leaks, charged under Espionage Act (the Guardian)
Leak suspect appears in court as US spells out its case (AP NEWS)
Airman in Pentagon intel leak charged (Military Times)
Airman charged in Pentagon intel leak regretted joining the military (Military Times)
He's from a military family — and allegedly leaked U.S. secrets (Washington Post)
Jack Teixeira's alleged Discord leaks show why the US should stop showering Top Secret clearances on 21-year-old keyboard warriors (Business Insider)
The military loved Discord for Gen Z recruiting. Then the leaks began. (Washington Post)
A new kind of leaker: Spilling state secrets to impress online buddies (Washington Post)
Was the Gen-Z Pentagon leaker motivated by social media clout? (the Guardian)
Microsoft president claims Russian intelligence is trying to "penetrate gaming communities" (GamesIndustry.biz)
How Gamers Eclipsed Spies as an Intelligence Threat (Foreign Policy)
Crafty PDF link is part of another tax-season malware campaign (Record)
Tax season scams. (CyberWire)
Ukraine at D+414: Discord Papers arrest, cyberespionage, and hacktivist DDoS. (CyberWire)
Apr 16, 2023 • 9min

Jack Chapman: Shielding against the bad guys. [Threat Intelligence] [Career Notes]

Jack Chapman, VP of Threat Intelligence at Egress, sits down to share his story on how he found his way into the cybersecurity field, as well as his journey creating a cybersecurity company that was successfully acquired. Jack previously co-founded anti-phishing company Aquilai and served as its Chief Technology Officer, working closely with the UK's intelligence and cyber agency GCHQ to develop cutting-edge product capabilities. Aquilai was acquired by Egress in 2021. Now he is working with Egress as what he calls their "chief bad guy," helping to shield his team from threats. He says, "I'm probably what you call a servant leader, my mission is to enable and shield my teams from things that will prevent them from succeeding in their missions, whatever that might look like." Jack hopes to be remembered for making a meaningful impact to help drive the field forward. We thank Jack for sharing his story with us.
Apr 15, 2023 • 14min

New Dero cryptojacking operation concentrates on locating Kubernetes. [Research Saturday]

Scott Fanning, Senior Director of Product Management, Cloud Security at CrowdStrike, sits down to talk about the first-ever Dero cryptojacking operation targeting Kubernetes infrastructure. The research defines Dero as "a cryptocurrency that claims to offer improved privacy, anonymity and higher and faster monetary rewards compared to Monero, which is a commonly used cryptocurrency in cryptojacking operations."

CrowdStrike was the first organization to discover Dero, and has been observing the cryptojacking operation since the beginning of February 2023. The operation focuses mainly on locating Kubernetes clusters with anonymous access enabled on a Kubernetes API and listening on non-standard ports accessible from the internet.

The research can be found here:
CrowdStrike Discovers First-Ever Dero Cryptojacking Campaign Targeting Kubernetes
Apr 14, 2023 • 29min

"Read the Manual" and the ransomware-as-a-service market. Bitter APT against energy companies. Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. An arrest in the Discord Papers case.

"Read the Manual" and the ransomware-as-a-service market. Bitter APT may be targeting Asia-Pacific energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge from Fastly with insights on the risks from bots. And there's been an arrest in the Discord Papers case.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/72

Selected reading.
Read The Manual Locker: A Private RaaS Provider (Trellix)
Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer)
Espionage campaign linked to Russian intelligence services (Baza wiedzy)
Russian cyberspies hit NATO and EU organizations with new malware toolset (CSO Online)
Pro-Russia hackers say they were behind Hydro-Quebec cyberattack (Montreal CTV News - 04-13-2023)
Cyberattack knocks out website and mobile app for Quebec's hydro utility (Toronto Star)
F.B.I. Arrests National Guardsman in Leak of Classified Document (New York Times)
DOD Calls Document Leak 'a Criminal Act' (U.S. Department of Defense)