

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Mar 18, 2023 • 16min
ChatGPT grants malicious wishes? [Research Saturday]
Bar Block, Threat Intelligence Researcher at Deep Instinct, joins Dave to discuss their work on "ChatGPT and Malware - Making Your Malicious Wishes Come True." Deep Instinct goes into depth on just how dangerous ChatGPT can be in the wrong hands, as well as how artificial intelligence is better at creating malware than providing ways to detect it. Researchers go on to explain how the AI app can be used in the wrong hands, saying "Examples of malicious content created by the AI tool, such as phishing messages, information stealers, and encryption software, have all been shared online."
The research can be found here: ChatGPT and Malware: Making Your Malicious Wishes Come True
Learn more about your ad choices. Visit megaphone.fm/adchoices

Mar 17, 2023 • 30min
Some movement in the cyber underworld. Vishing impersonates the US Social Security Administration. More SVB-themed phishing. And compromise without user interaction.
BianLian gang’s pivot. HinataBot is a Go-based threat. The US Social Security Administration is impersonated in attempted vishing attacks. BlackSnake in the RaaS criminal market. More Silicon Valley Bank-themed phishing. Caleb Barlow from Cylete on security implications you need to consider now about ChatGPT. Our guest is Isaac Roth from LeakSignal with advice on securing the microservices application layer. And Russian operators exploit an Outlook vulnerability.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/52
Selected reading.
BianLian Ransomware Gang Continues to Evolve ([redacted])
Uncovering HinataBot: A Deep Dive into a Go-Based Threat (Akamai)
Social InSecurity: Armorblox Stops Attack Impersonating Social Security Administration (Armorblox)
Netskope Threat Coverage: BlackSnake Ransomware (Netskope)
Fresh Phish: Silicon Valley Bank Phishing Scams in High Gear (INKY)
Outlook zero day linked to critical infrastructure attacks (Cybersecurity Dive)
CVE-2023-23397: Exploitations in the Wild – What You Need to Know (Deep Instinct)
Everything We Know About CVE-2023-23397 (Huntress)
Microsoft Mitigates Outlook Elevation of Privilege Vulnerability (Microsoft Security Response Center)

Mar 16, 2023 • 29min
CISA warns of Telerik vulnerability exploitation. Cloud storage re-up attacks. Phishing tackle so convincing it will deceive the many. Cyber developments in Russia's hybrid war.
Telerik exploited, for carding (probably) and other purposes. Cloud storage re-up attacks. Cybercriminals use new measures to avoid detection of phishing campaigns. "Winter Vivern" seems aligned with Russian objectives. Microsoft warns of a possible surge in Russian cyber operations. Boss Sandworm. Johannes Ullrich from SANS talking about malware spread through Google Ads. Our guest is David Anteliz from Skybox Security with thoughts on federal government cybersecurity directives. And don't fear the Reaper.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/51
Selected reading.
Threat Actors Exploited Progress Telerik Vulnerability in U.S. Government IIS Server (Cybersecurity and Infrastructure Security Agency CISA)
Threat Actors Exploit Progress Telerik Vulnerability in U.S. Government IIS Server | CISA (Cybersecurity and Infrastructure Security Agency CISA)
CISA: Federal civilian agency hacked by nation-state and criminal hacking groups (CyberScoop)
US govt web server attacked by 'multiple' criminal gangs (Register)
The Cloud Storage Re-Up Attack (Avanan)
Threat Spotlight: 3 novel phishing tactics (Barracuda)
Winter Vivern | Uncovering a Wave of Global Espionage (SentinelOne)
Is Russia regrouping for renewed cyberwar? (Microsoft On the Issues)
A year of Russian hybrid warfare in Ukraine (Microsoft Threat Intelligence)
Russian hackers preparing new cyber assault against Ukraine - Microsoft report (Reuters)
Microsoft Warns Russia May Plan More Ransomware Attacks Beyond Ukraine (Bloomberg)
This Is the New Leader of Russia's Infamous Sandworm Hacking Unit (WIRED)
What's known and not about US drone-Russian jet encounter (AP NEWS)
Russia tries to retrieve downed US drone in Black Sea (The Telegraph)
Downed U.S. drone points to cyber vulnerabilities (Washington Post)

Mar 16, 2023 • 3min
CISA Alert AA23-074A – Threat actors exploit Progress Telerik vulnerability in U.S. government IIS server. [CISA Cybersecurity Alerts]
CISA, FBI, and the Multi-State Information Sharing and Analysis Center are releasing this joint Cybersecurity Advisory to provide IT infrastructure defenders with TTPs, IOCs, and methods to detect and protect against recent exploitation against Microsoft Internet Information Services web servers.
AA23-074A Alert, Technical Details, and Mitigations
AA23-074A STIX XML
MAR-10413062-1.v1 Telerik Vulnerability in U.S. Government IIS Server
Telerik: Exploiting .NET JavaScriptSerializer Deserialization (CVE-2019-18935)
ACSC Advisory 2020-004
Bishop Fox CVE-2019-18935: Remote Code Execution via Insecure Deserialization in Telerik UI
Volexity Threat Research: XE Group
GitHub: Proof-of-Concept Exploit for CVE-2019-18935
Microsoft: Configure Logging in IIS
GitHub: CVE-2019-18935
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Mar 15, 2023 • 27min
Patch Tuesday notes. SVB's and the cybersecurity sector. SVR's APT29 is phishing for access to information. Trends in the Russo-Ukraine cyberwar. LockBit counts coup (says LockBit).
Patch Tuesday notes. Silicon Valley Bank's collapse and its effects on the cybersecurity sector. SVR's APT29 used a Polish state visit to the US as phishbait. Regularizing hacktivist auxiliaries. Our guest is Crane Hassold from Abnormal Security with a look at threats to email. Grayson Milbourne from OpenText Cybersecurity addresses chaos within the supply chain. And LockBit claims to have compromised an aerospace supply chain.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/50
Selected reading.
March 2023 Patch Tuesday: Updates and Analysis (CrowdStrike)
Microsoft Releases March 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA)
Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)
Mozilla Releases Security Updates for Firefox 111 and Firefox ESR 102.9 (Cybersecurity and Infrastructure Security Agency CISA)
SAP Security Patch Day for March 2023 (Onapsis)
March Patch Tuesday review. (CyberWire)
What the collapse of Silicon Valley Bank means for cyber and the tech startup ecosystem. (CyberWire)
NOBELIUM Uses Poland's Ambassador’s Visit to the U.S. to Target EU Governments Assisting Ukraine (BlackBerry)
Ukraine Tracks Increased Russian Focus on Cyberespionage (Bank Info Security)
Ukraine scrambles to draft cyber law, legalizing its volunteer hacker army (Newsweek)
Ransomware Group Claims Theft of Valuable SpaceX Data From Contractor (SecurityWeek)

Mar 14, 2023 • 26min
Silicon Valley Bank as phishbait. An “attack superhighway.” Unauthorized software in the workplace. YoroTrooper, a new cyberespionage threat actor. Hacktivists game, too. How crime pays.
Expect phishing, BEC scams, and other social engineering to use Silicon Valley Bank lures. An "attack superhighway." Unauthorized software in the workplace. A new cyberespionage group emerges. Squad up (but not IRL). Ben Yelin unpacks the FBI director’s recent admission of purchasing location data. Ann Johnson from Afternoon Cyber Tea speaks with Jason Barnett from HCA Healthcare about cyber resilience. And, not that you’d consider a life of crime, but what are the gangs paying cyber criminals, nowadays?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/49
Selected reading.
SVB's collapse and the potential for fraud. (CyberWire)
State-of-the-Internet: malicious DNS traffic. (CyberWire)
Unauthorized software in the workplace. (CyberWire)
Talos uncovers espionage campaigns targeting CIS countries, including embassies and EU health care agency (Cisco Talos Blog)
STALKER 2 game developer hacked by Russian hacktivists, data stolen (BleepingComputer)
GSC Game World suffers Stalker 2 leak after latest cyber attack (GamesIndustry.biz)
Threat Groups Offer $240k Salary to Tech Jobseekers (Security Intelligence)

Mar 13, 2023 • 29min
Coping with Silicon Valley Bank's collapse. BatLoader's abuse of Google Search Ads. More on Emotet’s re-emergence. Medusa rising. NetWire collared. More-or-less quiet on the cyber front.
Coping with Silicon Valley Bank's collapse. BatLoader's abusing Google Search Ads. More on Emotet’s re-emergence. Reflections on Medusa rising. An international law enforcement action against NetWire. Rob Shapland from Falanx Cyber on ethical hacking and red teaming. Bryan Ware from LookingGlass looks at exploited vulnerabilities in the US financial sector. And in Ukraine, it’s more-or-less quiet on the cyber front (but in Estonia and Georgia, not so much).
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/48
Selected reading.
One of Silicon Valley's top banks fails; assets are seized (AP NEWS)
US, UK try to stem fallout from Silicon Valley Bank collapse (AP NEWS)
In abrupt reversal, regulators to cover Silicon Valley Bank, Signature uninsured deposits (American Banker)
Silicon Valley Bank collapse will not trigger new financial crisis, insists Sunak (The Telegraph)
‘Banking system is safe’: Joe Biden reassures markets in address on Silicon Valley Bank collapse – live updates (the Guardian)
BatLoader Continues to Abuse Google Search Ads to Deliver Vidar Stealer and Ursnif (eSentire)
BATLOADER Malware Uses Google Ads to Deliver Vidar Stealer and Ursnif Payloads (The Hacker News)
Emotet Again! The First Malspam Wave of 2023 (Deep Instinct)
Emotet attempts to sell access after infiltrating high-value networks (SC Media)
Medusa ransomware gang picks up steam as it targets companies worldwide (BleepingComputer)
Alleged seller of NetWire RAT arrested in Croatia (Help Net Security)
FBI and international cops catch a NetWire RAT (Register)
How the FBI proved a remote admin tool was actually malware (TechCrunch)
Estonia’s Election Was More Than Just a Win for Kallas (World Politics Review)
Estonian official says parliamentary elections were targeted by cyberattacks (Record)

Mar 12, 2023 • 8min
Bat El Azerad: Find your niche to bring to the table. [CEO] [Career Notes]
Bat El Azerad, CEO and Co-founder of mobile phishing protection company novoShield, shares her personal account of her experience as a female leader in the cybersecurity field as well as some insights into how far the industry has come and where it is headed in terms of the gender gap. Bat El speaks about how she grew into her role as CEO, sharing where she started and how she got involved with novoShield. She says that being a woman in this industry can be tough, and offers some advice: "so you have to be very focused and to find the right niche to bring something to the table because the competition in this industry and the level of innovation, um, is, is great." Bat El hopes that people will remember her, from her time in the industry, for her vision and for the mission she is helping to create and maintain at her company. We thank Bat El for sharing her story.

Mar 11, 2023 • 14min
Files stolen from a sneaky SymStealer. [Research Saturday]
Ron Masas of Imperva discusses their work, "Google Chrome “SymStealer” Vulnerability: How to Protect Your Files from Being Stolen." By reviewing the ways the browser handles file systems, specifically searching for common vulnerabilities relating to how browsers process symlinks, the Imperva Red Team discovered that when files are dropped onto a file input, it’s handled differently. Dubbing it CVE-2022-40764, researchers found a vulnerability that "allowed for the theft of sensitive files, such as crypto wallets and cloud provider credentials." As a result, over 2.5 billion users of Google Chrome and Chromium-based browsers were affected.
The research can be found here: Google Chrome “SymStealer” Vulnerability: How to Protect Your Files from Being Stolen

Mar 10, 2023 • 25min
Cybercrime and cyberespionage: IceFire, DUCKTAIL, LIGHTSHOW, Remcos, and a tarot card reader. US cyber budgets, strategy, and a DoD cyber workforce approach. Five new ICS advisories.
New IceFire version is out. A DUCKTAIL tale. Social engineering by Tehran. DPRK's LIGHTSHOW cyberespionage. The President's Budget and cybersecurity. The US Department of Defense issues its cyber workforce strategy. Remcos surfaces in attacks against Ukrainian government agencies. DDoS at a Ukrainian radio station. Dave Bittner sits down with Beth Robinson of Bishop Fox to share their 2023 Offensive Security Resolutions. Caleb Barlow from Cylete on the security implications of gigapixel images. And CISA releases five ICS advisories.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/47
Selected reading.
IceFire Ransomware Returns | Now Targeting Linux Enterprise Networks (SentinelOne)
DUCKTAIL: Threat Operation Re-emerges with New LNK, PowerShell, and Other Custom Tactics to Avoid Detection (Deep Instinct)
Iran-linked hackers used fake Atlantic Council-affiliated persona to target human rights researchers (CyberScoop)
Iranian APT Targets Female Activists With Mahsa Amini Protest Lures (Dark Reading)
Iran threat group going after female activists, analyst warns (Cybernews)
Stealing the LIGHTSHOW (Part One) — North Korea's UNC2970 (Mandiant)
Stealing the LIGHTSHOW (Part Two) — LIGHTSHIFT and LIGHTSHOW (Mandiant)
Cybersecurity in the US President's Budget for Fiscal Year 2024. (CyberWire)
Biden’s budget proposal underscores cybersecurity priorities (Washington Post)
Biden Budget Proposal: $200M for TMF, CISA With 4.9% Budget Boost (Meritalk)
Cybersecurity Poised for Spending Boost in Biden Budget (Gov Info Security)
Deputy Secretary of Defense Signs 2023-2027 DoD Cyber Workforce Strategy (U.S. Department of Defense)
In new cyber workforce strategy, DoD hopes 'bold' retention initiatives keep talent coming back (Breaking Defense)
Remcos Trojan Returns to Most Wanted Malware List After Ukraine Attacks (Infosecurity Magazine)
February 2023’s Most Wanted Malware: Remcos Trojan Linked to Cyberespionage Operations Against Ukrainian Government (Check Point Software)
Radio Halychyna cyber-attacked following appeal by Russian hacker group (International Press Institute)
CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)


