

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Apr 14, 2023 • 29min
"Read the Manual" and the ransomware-as-a-service market. Bitter APT against energy companies. Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Aan arrest in the Discord Papers case.
"Read the Manual" and the ransomware-as-a-service market. Bitter APT may be targeting Asia-Pacific energy companies. A Cozy Bear sighting. Hacktivist auxiliaries hit Canadian targets. Deepen Desai of Zscaler describes job scams following tech layoffs. Our guest is Kelly Shortridge from Fastly with insights on the risks from bots. And there’s been an arrest in the Discord Papers case.For links to all of today's stories check out our CyberWire daily news briefing:https://thecyberwire.com/newsletters/daily-briefing/12/72Selected reading.Read The Manual Locker: A Private RaaS Provider (Trellix)Phishing Campaign Targets Chinese Nuclear Energy Industry (Intezer)Espionage campaign linked to Russian intelligence services (Baza wiedzy)Russian cyberspies hit NATO and EU organizations with new malware toolset (CSO Online)Pro-Russia hackers say they were behind Hydro-Quebec cyberattack (Montreal CTV News - 04-13-2023)Cyberattack knocks out website and mobile app for Quebec’s hydro utility (Toronto Star)F.B.I. Arrests National Guardsman in Leak of Classified Document (New York Times)DOD Calls Document Leak 'a Criminal Act' (U.S. Department of Defense) Learn more about your ad choices. Visit megaphone.fm/adchoices

Apr 13, 2023 • 31min
Transparent Tribe seems to want people’s lab notes, and other stories of cyberespionage. The FBI warns of juicejacking. And the Discord leaker seems to have been a 20-something influencer.
Transparent Tribe expands its activity against India's education sector. A Lazarus sub-group is after defense sector targets. The FBI's Denver office warns of potential juicejacking. Legion: a Python-based credential harvester. The source of leaked US intelligence may be closer to identification. Johannes Ullrich from SANS explains Upwork scams. Our guest is Charlie "Tuna" Moore of Vanderbilt University on the cyber lessons from Russia’s war on Ukraine. Canada responds to claims of Russian cyberattacks.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/71
Selected reading.
Transparent Tribe (APT36) | Pakistan-Aligned Threat Actor Expands Interest in Indian Education Sector (SentinelOne)
Following the Lazarus group by tracking DeathNote campaign (Securelist)
DPRK threat actors target C3X and defense sector at large. (CyberWire)
FBI office warns against using public phone charging stations at airports or malls, citing malware risk (CBS News)
The FBI warns of juicejacking and other risks of public tech. (CyberWire)
Legion: an AWS Credential Harvester and SMTP Hijacker (Cado Security)
The Legion credential harvester. (CyberWire)
Leaker of U.S. secret documents worked on military base, friend says (Washington Post)
U.S. may change how it monitors the web after missing leaked documents for weeks (NBC News)
Cyberattacks on Canada’s gas infrastructure left ‘no physical damage,’ Trudeau says (Global News)
Russian attacks on Ukrainian infrastructure cause internet outages, cutting off a valuable wartime tool (CyberScoop)
US Warns Russia Getting Creative in Cyberspace (VOA)
APT Winter Vivern Resurfaces (Avertium)

Apr 12, 2023 • 29min
Patch Tuesday notes. Cyber mercenaries described. Voice security and fraud. CISA’s update to its Zero Trust Maturity Model. Updates on Russia’s hybrid war against Ukraine.
Patch Tuesday update. Another commercial surveillance company is outed. Voice security and the challenge of fraud. CISA updates its Zero Trust Maturity Model. Effects of the US intelligence leaks. Our guest Eric Goldstein, Executive Assistant Director for Cybersecurity at CISA, outlines CISA's role in the cybersecurity community. André Keartland of Netsurit makes the case for DevSecOps. Russian cyber auxiliaries believed responsible for disrupting the Canadian PM's website.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/70
Selected reading.
Patch Tuesday overview. (CyberWire)
DEV-0196: QuaDream’s “KingsPawn” malware used to target civil society in Europe, North America, the Middle East, and Southeast Asia (Microsoft Threat Intelligence)
Threat Report on the Surveillance-for-Hire Industry (Meta)
Sweet QuaDreams: A First Look at Spyware Vendor QuaDream’s Exploits, Victims, and Customers (The Citizen Lab)
Voice Intelligence and Security Report (Pindrop)
CISA Releases updated Zero Trust Maturity Model (Cybersecurity and Infrastructure Security Agency)
CISA Releases Zero Trust Maturity Model Version 2 (Cybersecurity and Infrastructure Security Agency CISA)
A leak of files could be America’s worst intelligence breach in a decade (The Economist)
Interagency Effort Assessing Impact of Leaked Documents, Strategizing Way Forward (U.S. Department of Defense)
What we know about the Pentagon document leak (Axios)
The ongoing scandal over leaked US intel documents, explained (Vox)
Pentagon leak threatens Biden's foreign policy doctrine ahead of overseas trip (Axios)
Schumer calls for all-senator briefing on leaked Ukraine documents (The Hill)
The key countries and revelations from the Pentagon document leak (Washington Post)
Exclusive: Leaked U.S. intel document claims Serbia agreed to arm Ukraine (Reuters)
Up to 50 UK special forces present in Ukraine this year, US leak suggests (the Guardian)
Egypt denies leak about supplying Russia with 40,000 rockets (Al Jazeera)
DDoS attacks block PM Trudeau’s web site (IT World Canada)

Apr 11, 2023 • 28min
IAM trends. RagnarLocker as a critical infrastructure threat. AI hype as phishbait. Updates on the hybrid war: leaks and hacks.
Key trends in Identity Access Management. RagnarLocker and critical infrastructure. Cyber criminals capitalize on the AI hype. Updates on the leaked US classified documents, and speculation about whether Russian hackers compromised a Canadian gas pipeline. Ben Yelin describes a multimillion dollar settlement over biometric data. Microsoft’s Ann Johnson from Afternoon Cyber Tea talking about cyber paradigm shifts with Samir Kapuria. And a welcome to GCHQ's new boss.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/69
Selected reading.
4 key trends from the Gartner IAM Summit 2023 (Venture Beat)
Threat Actor Spotlight: Ragnarlocker Ransomware (Sygnia)
From Chatgpt To Redline Stealer: The Dark Side Of Openai And Google Bard (Veriti)
Biden administration doesn't know extent of classified Pentagon document leak (CBS News)
Ukraine ‘alters counter-offensive plans’ after Pentagon leak (The Telegraph)
Ukraine had to change military plans because of US Pentagon leak, source says (CNN)
Leaked Pentagon documents claim that hackers breached a Canadian gas network. Here’s what to know. (Washington Post)
Pro-Russia Hackers Say They Breached Canadian Pipeline, but Experts Are Skeptical (Wall Street Journal)
Leaked US intel: Russia operatives claimed new ties with UAE (AP NEWS)
Egypt secretly planned to supply rockets to Russia, leaked U.S. document says (Washington Post)
How the Latest Leaked Documents Are Different From Past Breaches (New York Times)
How U.S. friends and foes have responded to leaked Pentagon documents (Washington Post)
Pentagon leaks: US seeks to mend ties after claims Washington spied on key allies (the Guardian)
Pentagon Probe Under Way in Leaks Case (Wall Street Journal)
Pentagon assessing damage after 'highly classified' US secrets leaked online (Breaking Defense)
The Pentagon’s Purported Classified-Document Leak: The Biggest Takeaways and Questions So Far (Wall Street Journal)
The ongoing scandal over leaked US intel documents, explained (Vox)
Leaked documents a 'very serious' risk to security: Pentagon (AP NEWS)
The Discord servers at the center of a massive US intelligence leak (CyberScoop)
Social-Media Platform Discord Emerges at Center of Classified U.S. Documents Leak (Wall Street Journal)
Why Leaked Pentagon Documents Are Still Circulating on Social Media (New York Times)
Clues Left Online Might Aid Leak Investigation, Officials Say (New York Times)
Ukraine at D+411: US leaks remain under investigation. (CyberWire)
New Director GCHQ announced (GCHQ)

Apr 10, 2023 • 28min
A look at Iran’s MERCURY APT. Updates on Russia's hybrid war, including some apparent leaks and some apparent doxing. And notes on cloud security trends.
An Iranian APT, MERCURY, exploits known vulnerabilities. The US investigates apparent leaks of classified information about Russia's war against Ukraine. KillNet claims it has paralyzed NATO websites. More apparent doxing of the GRU. Britta Glade and Monica Koshgarian of RSA Conference talking about content curation. Grayson Milbourne from OpenText Cybersecurity hopes to remove shame from cyber attacks. And, finally, some notes on cloud security trends.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/68
Selected reading.
MERCURY and DEV-1084: Destructive attack on hybrid environment (Microsoft Threat Intelligence)
Leaked US battlefield intelligence on Ukraine is fake, says Kyiv (The Telegraph)
Russia Claims Leaked Pentagon Intelligence on Ukraine is U.S. Disinformation (US News and World Report)
Leaked US secret NATO-Ukraine war docs likely altered, say experts (SC Media)
Ukraine’s air defences could soon run out of missiles, apparent Pentagon leak suggests (the Guardian)
Russia nearly shot down British spy plane near Ukraine, leaked document says (Washington Post)
Justice Dept. will investigate leak of classified Pentagon documents (Washington Post)
US investigating whether Ukraine war documents were leaked (Military Times)
U.S. Reviewing Online Appearance Of Sensitive Documents Related To Ukraine, Pentagon Says (RadioFreeEurope/RadioLiberty)
WSJ News Exclusive | Pentagon Investigates More Social-Media Posts Purporting to Include Secret U.S. Documents (Wall Street Journal)
New Details on Intelligence Leak Show It Circulated for Weeks Before Raising Alarm (Wall Street Journal)
Intelligence leak exposes U.S. spying on adversaries and allies (Washington Post)
Secret US Documents on Ukraine War Plan Spill Onto Internet: Report (SecurityWeek)
US hit by ‘worst leak of secret documents since Edward Snowden’ (The Telegraph)
Ukraine at D+410: Static, sanguinary lines. (CyberWire)
Report Finds 90% of IT Professionals Have Experienced a Cybersecurity Breach (Skyhigh Security)

Apr 9, 2023 • 9min
Karen Worstell: Keep your feet planted. [Strategy] [Career Notes]
Karen Worstell, Senior Cybersecurity Strategist from VMware, sits down to share her journey and discusses her experience as a woman in cyber. She started her career as a chemist after graduating with a bachelor's degree in chemistry and a bachelor's degree in molecular biology. After taking some time off to be with her family, she came back to a science field that was far more advanced than before she had left. She decided to go in another direction, which led her to cyber. She started teaching herself programming and found she was very good at it. Now that she works in cyber, she says "You, you have to know yourself, know what you want, and know where you're, know where you plant your feet. I used to use a phrase a lot that said, uh, don't be afraid to take a stand but know where your feet are planted." We thank Karen for sharing her story with us.

Apr 8, 2023 • 18min
A dark side to LLMs. [Research Saturday]
Sahar Abdelnabi from CISPA Helmholtz Center for Information Security sits down with Dave to discuss their work on "A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models." There is currently a large advance in the capabilities of Large Language Models, or LLMs, and they are being integrated into many systems, including integrated development environments (IDEs) and search engines.
The research states, "The functionalities of current LLMs can be modulated via natural language prompts, while their exact internal functionality remains implicit and unassessable." This could leave them susceptible to targeted adversarial prompting, as well as making them adaptable to even unseen tasks. The researchers demonstrated these attacks to see whether LLMs need new defensive techniques.
The research can be found here:
More than you've asked for: A Comprehensive Analysis of Novel Prompt Injection Threats to Application-Integrated Large Language Models

Apr 7, 2023 • 30min
Stopping Cobalt Strike abuse. Leaks are mingled with disinformation. Google offers advice for board members. Securing cars and their garages. CISA releases ICS advisories.
Preventing abuse of the Cobalt Strike pentesting tool. US investigates a leak of sensitive documents related to the war in Ukraine. Hacktivist activity continues. Google's advice for boards. Electronic lockpicks for electronic locks. Nexx security devices may have security flaws. Tesla employees reportedly shared images and videos from Teslas in the wild. Matt O'Neill from US Secret Service discussing investment crypto scams. Our guest is James Campbell of Cado Security on the challenges of a cloud transition. And CISA releases seven ICS advisories.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/67
Selected reading.
Stopping cybercriminals from abusing security tools (Microsoft On the Issues)
Microsoft leads effort to disrupt illicit use of Cobalt Strike, a dangerous hacking tool in the wrong hands (CyberScoop)
Ukraine War Plans Leak Prompts Pentagon Investigation (New York Times)
DDoS attacks rise as pro-Russia groups attack Finland, Israel (TechRepublic)
Perspectives on Security for the Board (Google Cloud)
Thieves Use CAN Injection Hack to Steal Cars (SecurityWeek)
How thieves steal cars using vehicle CAN bus (Register)
Own a Nexx “smart” alarm or garage door opener? Get rid of it, or regret it (Graham Cluley)
Hack and enter! The “secure” garage doors that anyone can open from anywhere – what you need to know (Naked Security)
Special Report: Tesla workers shared sensitive images recorded by customer cars (Reuters)
CISA Releases Seven Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency CISA)

Apr 6, 2023 • 28min
New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Disinformation at the UN, and drop-shipping for Mother Russia.
New phishing techniques. Arrests in the Genesis Market case. APT43’s Archipelago. Russia's turn in the Security Council chair immediately becomes an occasion for disinformation. Our guest is Nick Tausek from Swimlane to discuss supply chain attack trends. Tim Starks from the Washington Post has the latest on the DOJ’s attempts to disrupt cyber crime. And, make robo-love, not robo-war: nuisance-level hacktivism in the interest of Ukraine.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/66
Selected reading.
New Phishing Campaign Exploits YouTube Attribution Links, Cloudflare Captcha (Vade Security)
Criminal Marketplace Disrupted in International Cyber Operation (U.S. Department of Justice)
Takedown of notorious hacker marketplace selling your identity to criminals | Europol (Europol)
Notorious criminal marketplace selling victim identities taken down in international operation (National Crime Agency)
Check your hack (Politie)
Carr Announces Investigation into Suspected Users of Genesis Dark Web Marketplace Following FBI Takedown of Illicit Site (Office of Attorney General of Georgia Chris Carr)
U.S., European Police Shut Down Hacker Marketplace, Make 119 Arrests (Wall Street Journal)
120 Arrested as Cybercrime Website Genesis Market Seized by FBI (SecurityWeek)
International cops put the squeeze on Genesis Market users (Register)
FBI obtained detailed database exposing 60,000 users of the cybercrime bazaar Genesis Market (CyberScoop)
Genesis Black Market Dismantled, But Experts Warn of Potential Vacuum (Nextgov.com)
How we’re protecting users from government-backed attacks from North Korea (Google)
Google TAG Warns of North Korean-linked ARCHIPELAGO Cyberattacks (The Hacker News)
‘Outrageous’: Russia Accused of Spreading Disinformation at U.N. Event (New York Times)
Des hackers ont acheté 23.000 euros de sex-toys avec de l’argent russe (20 minutes)
Thanks to Ukrainian hackers, war freak orders £20,000 worth drones for Russian soldiers, gets sex toys instead (First Post)
Ukrainian hackers exchange Russian fighter’s drone order for dildos (New York Post)
‘It’s bullshit’: Inside the weird, get-rich-quick world of dropshipping (WIRED)

Apr 5, 2023 • 25min
Genesis Market taken down. Proxyjackers exploit Log4j. Fast-encrypting Rorschach ransomware. More Killnet DDoS. Patch Zimbra now. Soft power and Russia’s hybrid war.
Genesis Market gets taken down. Proxyjackers exploit Log4j vulnerabilities. Fast-encrypting Rorschach ransomware uses DLL sideloading. Killnet attempts DDoS attacks against the German ministry. Carole Theriault ponders AI-assisted cheating. Johannes Ullrich tracks malware injected in a popular tax filing website. Soft power and Russia’s hybrid war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/65
Selected reading.
'Operation Cookie Monster': International police action seizes dark web market (Reuters)
Stolen credential warehouse Genesis Market seized by FBI (Register)
FBI Seizes Bot Shop ‘Genesis Market’ Amid Arrests Targeting Operators, Suppliers (KrebsOnSecurity)
Genesis Market, one of world’s largest platforms for cyber fraud, seized by police (Record)
'Operation Cookie Monster': FBI seizes popular cybercrime forum used for large-scale identity theft (CNN)
Cybercrime marketplace Genesis Market shut by FBI, international law enforcement (CNBC)
FBI seizes stolen credentials market Genesis in Operation Cookie Monster (BleepingComputer)
Notorious Genesis Market cybercrime forum seized in international law enforcement operation (CyberScoop)
Proxyjacking has Entered the Chat (Sysdig)
Rorschach – A New Sophisticated and Fast Ransomware (Check Point Research)
Russian hackers attack German ministry’s website (TVP World)
Zimbra Flaw Exploited by Russia Against NATO Countries Added to CISA 'Must Patch' List (SecurityWeek)
Zimbra vulnerability exploited by Russian hackers targeting Nato countries - CISA (Tech Monitor)
CISA Adds One Known Exploited Vulnerability to Catalog (Cybersecurity and Infrastructure Security Agency CISA)
NVD - CVE-2022-27926 (National Vulnerability Database)
The Interview - Russian cyber weapons 'could do a lot of damage' in the US: Former counterterrorism czar (France 24)
Biden cybersecurity chief 'surprised' Russia has not hit US targets amid Ukraine war (Washington Examiner)
Ukrainian Cyber War Confirms the Lesson: Cyber Power Requires Soft Power (Council on Foreign Relations)


