

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Mar 9, 2023 • 27min
PlugX is now wormable. Compromised webcams found. Emotet is back. AI builds a keylogger. Cyber in the hybrid war. BEC comes to productivity suites.
A wormable version of the PlugX USB malware is found. Compromised webcams as a security threat. Emotet botnet out of hibernation. Proof-of-concept: AI used to generate polymorphic keylogger. Turning to alternatives as conventional tactics fail. Dave Bittner speaks with Eve Maler of ForgeRock to discuss how digital identity can help create a more secure connected car experience. Johannes Ullrich from SANS on configuring a proper time server infrastructure. And phishing messages via legitimate Google notifications.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/46
Selected reading.
A border-hopping PlugX USB worm takes its act on the road (Sophos News)
BitSight identifies thousands of global organizations using insecure webcams and other IoT devices, finding many susceptible to eavesdropping (BitSight)
Emotet malware attacks return after three-month break (BleepingComputer)
BlackMamba: Using AI to Generate Polymorphic Malware (HYAS)
Russian Cyberwar in Ukraine Stumbles Just Like Conventional One (Bloomberg)
Australian official demands Russia bring criminal hackers ‘to heel’ (The Record by Recorded Future)
Russia will have to rely on nukes, cyberattacks, and China since its military is being thrashed in Ukraine, US intel director says (Business Insider)
BEC 3.0 - Legitimate Sites for Illegitimate Purposes (Avanan)

Mar 8, 2023 • 27min
Data breaches and IP. Current cyberespionage campaigns. A warning that the cyber phases of the hybrid war can’t be expected to be over, yet. Exfiltration via machine learning inference.
CISA adds three known exploited vulnerabilities to its Catalog. A data breach at Acer exposes intellectual property. Sharp Panda deploys SoulSearcher malware in cyberespionage campaigns. US Cyber Command’s head warns against underestimating Russia in cyberspace. Dave Bittner sits down with Simone Petrella of N2K Networks to discuss the recently-released Defense Cyber Workforce Framework. Betsy Carmelite from Booz Allen Hamilton speaks about CISA's year ahead. And are large language models what the lawyers call an attractive nuisance?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/45
Selected reading.
CISA Adds Three Known Exploited Vulnerabilities to Catalog (Cybersecurity and Infrastructure Security Agency CISA)
March 7 CISA KEV Breakdown | Zoho, Teclib, Apache (Nucleus Security)
Acer Confirms Breach After Hacker Offers to Sell Stolen Data (SecurityWeek)
Acer confirms breach after 160GB of data for sale on hacking forum (BleepingComputer)
“Sharp Panda”: Check Point Research puts a spotlight on Chinese origined espionage attacks against southeast asian government entities (Check Point Software)
Pandas with a Soul: Chinese Espionage Attacks Against Southeast Asian Government Entities (Check Point Research)
What can security teams learn from a year of cyber warfare? (Computer Weekly)
Russian cyberattacks could intensify during spring offensives in Ukraine, US Cyber Command general says (Stars and Stripes)
US Bracing for Bolder, More Brazen Russian Cyberattacks (VOA)
Russia remains a ‘very capable’ cyber adversary, Nakasone says (C4ISRNet)
Employees Are Feeding Sensitive Business Data to ChatGPT (Dark Reading)

Mar 7, 2023 • 28min
A new threat to routers. DoppelPaymer hoods collared. Ransomware hits a Barcelona hospital. Phishing in productivity suites. Espionage, hacktivism, and prank phone calls.
HiatusRAT exploits business-grade routers. International law enforcement action against the DoppelPaymer gang. Ransomware hits a major Barcelona hospital. Productivity suites are increasingly attractive as phishing grounds. Transparent Tribe’s romance scams. Cyberattacks briefly disrupt Russian websites and media outlets. Ashley Leonard, CEO of Syxsense, sits down with Dave to discuss their "Advancing Zero Trust Priorities" report. Joe Carrigan on a warning from Microsoft about a surge in token theft. And trolling for disinfo raw material.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/44
Selected reading.
Black Lotus Labs uncovers another new malware that targets compromised routers (Lumen Newsroom)
Germany and Ukraine hit two high-value ransomware targets | Europol (Europol)
European Police, FBI Bust International Cybercrime Gang (VOA)
German police lift lid on worldwide cyber blackmail gang (Deutsche Welle)
Europol Hits Alleged Members of DoppelPaymer Ransomware Group (Decipher)
An international sting brings another win against ransomware gangs (Washington Post)
European police move in on DoppelPaymer (Computing)
Police Looking for Russian Suspects Following DoppelPaymer Ransomware Crackdown (SecurityWeek)
Cyberattack hits major hospital in Spanish city of Barcelona (AP NEWS)
Cyberattack Hits Major Hospital in Spanish City of Barcelona (SecurityWeek)
Barcelona's Hospital Clinic hit by ransomware cyberattack 'from outside Spain' (Euro Weekly News)
Phishers’ Favorites 2022 Year-in-Review (Vade)
Kremlin Website Down Amid Reports of Cyber Attacks on Russia (The Daily Beast)
Russian diplomat blames West for recruiting hackers for operations against Moscow (TASS)
Don’t Answer That! Russia-Aligned TA499 Beleaguers Targets with Video Call Requests (Proofpoint)

Mar 6, 2023 • 29min
That crane might know what you’re shipping. Addressing the cybersecurity of water systems. Oakland’s ransomware incident is now a breach. Hybrid war. Investment scams.
Cranes as a security threat. EPA memo addresses cybersecurity risks to water systems. Oakland's ransomware incident becomes a data breach. Carding rises in the Russian underworld. Sandworm's record in Russia's war. Rick Howard sits down with Andy Greenberg from Wired to discuss how Ukraine suffered more data-wiping malware last year than anywhere, ever. Dave Bittner speaks with Kathleen Smith of ClearedJobs.Net to talk about hiring veterans and setting them (and yourself) up for success. And AI’s latest misuse: bogus investment schemes.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/43
Selected reading.
WSJ News Exclusive | Pentagon Sees Giant Cargo Cranes as Possible Chinese Spying Tools (Wall Street Journal)
EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)
EPA presses states to include cybersecurity in water safety reviews (SC Media)
EPA Calls on States to Improve Public Water Systems’ Cybersecurity (Meritalk)
EPA issues water cybersecurity mandates, concerning industry and experts (CyberScoop)
City of Oakland Targeted by Ransomware Attack, Work Continues to… (City of Oakland)
Ransomware gang leaks data stolen from City of Oakland (BleepingComputer)
Ransomware hackers release some stolen Oakland data (CBS News)
Oakland officials say ransomware group may release personal data on Saturday (The Record from Recorded Future News)
Cybercrime site shows off with a free leak of 2 million stolen card numbers (The Record from Recorded Future News)
A year of wipers: How the Kremlin-backed Sandworm has attacked Ukraine during the war (The Record from Recorded Future News)
Bitdefender Labs warns of fresh phishing campaign that uses copycat ChatGPT platform to swindle eager investors (Hot for Security)

Mar 5, 2023 • 8min
Gabriela Smith-Sherman: Thriving in the chaos. [Cyber governance] [Career Notes]
Gabriela Smith-Sherman, a former Federal agency CISO with over 15 years of experience in leading and implementing comprehensive enterprise cybersecurity programs and initiatives, sits down to share her journey. She is a U.S. combat disabled veteran who understands the importance of mission and is dedicated to delivering high-quality results and value to customers through innovative solutions. Gabriela shares about her time in the military and how her being a part of the service was one of the best decisions she made and dedicates all her hard work to her time in the military. She also shares how it was tough getting out of the routine of the military and being a civilian now was a hard transition, but she says that she thrives in the chaos of the IT world and that the military helped her to prepare for the cyber industry. She said "I think my military experience has prepared me, uh, to be in those kind of chaotic positions and be very calm about the approach." We thank Gabriela for sharing her story with us.

Mar 4, 2023 • 16min
New exploits are tricking Chrome. [Research Saturday]
Dor Zvi, Co-Founder and CEO from Red Access, joins to discuss their work on "New Chrome Exploit Lets Attackers Completely Disable Browser Extensions." A recently patched exploit is tricking Chrome browsers on all popular OSs to not only give attackers visibility of their targets’ browser extensions, but also the ability to disable all of those extensions.
The research states the exploit consists of a bookmarklet exploit that allows threat actors to selectively force-disable Chrome extensions using a handy graphical user interface, making Chrome mistakenly identify it as a legitimate request from the Chrome Web Store.
The research can be found here: New Chrome Exploit Lets Attackers Completely Disable Browser Extensions

Mar 3, 2023 • 25min
More on how the US will implement its new National Cybersecurity Strategy. Emissary Panda and Mustang Panda are back. Responding to phishing. Royal ransomware. Water utility security.
Implementing the US National Cybersecurity Strategy. The US National Cybersecurity Strategy was informed by lessons from Russia's war. Two threat actors from China up their game. Responding to a phishing campaign. #StopRansomware: Royal Ransomware. CISA releases five ICS advisories. Sameer Jaleel, Kent State University Associate CIO on closing functionality gaps and creating a safer digital environment for students. Johannes Ullrich from SANS on establishing an "End of Support" inventory. EPA issues a memo on water system cybersecurity.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/42
Selected reading.
National Cybersecurity Strategy (The White House)
US cyber leaders discuss the new National Cyber Strategy. (CyberWire)
Biden vows to wield ‘all instruments’ in fighting cyberthreats (Defense News)
Chinese state-backed hackers Iron Tiger target Linux devices with new malware (Tech Monitor)
Chinese hackers use new custom backdoor to evade detection (BleepingComputer)
Scam alert: Trezor warns users of new phishing attack (Cointelegraph)
FBI and CISA Release #StopRansomware: Royal Ransomware | CISA (Cybersecurity and Infrastructure Security Agency CISA)
CISA Releases Five Industrial Control Systems Advisories | CISA (Cybersecurity and Infrastructure Security Agency CISA)
EPA Takes Action to Improve Cybersecurity Resilience for Public Water Systems (US EPA)

Mar 3, 2023 • 3min
CISA Alert AA23-061A – #StopRansomware: Royal ransomware.
CISA and FBI are releasing this joint advisory to disseminate known Royal ransomware IOCs and TTPs identified through recent FBI threat response activities.
AA23-061A Alert, Technical Details, and Mitigations
AA23-061A STIX XML
Royal Rumble: Analysis of Royal Ransomware (cybereason.com)
DEV-0569 finds new ways to deliver Royal ransomware, various payloads - Microsoft Security Blog
2023-01: ACSC Ransomware Profile - Royal | Cyber.gov.au
See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Mar 3, 2023 • 3min
CISA Alert AA23-059A – CISA red team shares key findings to improve monitoring and hardening of networks. [CISA Cybersecurity Alerts]
The Cybersecurity and Infrastructure Security Agency is releasing this Cybersecurity Advisory detailing activity and key findings from a recent CISA red team assessment—in coordination with the assessed organization—to provide network defenders recommendations for improving their organization's cyber posture.
AA23-059A Alert, Technical Details, and Mitigations
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Mar 3, 2023 • 22min
CyberWire commentary: Ukraine one year on. [Special Edition]
CyberWire Daily podcast host Dave Bittner is joined by CyberWire editor John Petrik for an extended discussion about the Russian invasion of Ukraine and its effect on cybersecurity at the one year anniversary. John and his team have covered the Ukrainian conflict with daily news stories since the invasion began, and in fact, had quite a lot of coverage prior to the invasion. They take stock of where things stand, what has happened, and what we expected versus reality.


