

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Feb 11, 2023 • 20min
Knocking down the legs of the industrial security triad. [Research Saturday]
Pascal Ackerman, OT Security Strategist at GuidePoint Security, joins Dave to discuss his work discovering a vulnerability in the integrity of a common HMI client-server protocol. The research is a proof-of-concept (PoC) attack on the integrity of data flowing across the industrial network, with the aim of intercepting, viewing, and even manipulating values sent to (and from) the HMI in order to trick the operator into making a wrong decision and so affect the proper operation of the process. The research targets Rockwell Automation’s FactoryTalk View SE products and highlights the lack of integrity and confidentiality on the production network, and the effect that has on the overall security of the production environment.
The research can be found here: GuidePoint Security researcher discovers vulnerability in the integrity of common HMI client-server protocol
Learn more about your ad choices. Visit megaphone.fm/adchoices

Feb 10, 2023 • 29min
US, RoK agencies outline DPRK ransomware. Reddit breached. ICS and IIoT issues. It’s almost Valentine’s Day. Have you noticed? (The hoods have.)
US and Republic of Korea agencies outline the DPRK ransomware threat. Reddit is breached. CISA releases six ICS advisories. Flaws are found in IIoT devices. Dinah Davis from Arctic Wolf shares cybersecurity stats every IT professional should know. Our guest is Kayla Williams from Devo, discussing autonomous SOCs. And, it’s almost Valentine’s Day. Have you noticed? (The hoods have.)
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/28
Selected reading.
#StopRansomware - Ransomware Attacks on Critical Infrastructure Fund DPRK Espionage Activities (CISA)
#StopRansomware: Ransomware Attacks on Critical Infrastructure Fund DPRK Malicious Cyber Activities (CISA)
U.S., South Korean Agencies Partner to #StopRansomware Threat from DPRK (National Security Agency/Central Security Service)
US and South Korea accuse North Korea of using hospital ransoms to fund more hacking (The Record from Recorded Future News)
North Korea using healthcare ransomware attacks to fund further cybercrime, feds say (SC Media)
U.S., South Korea Warn of North Korean Ransomware Threats (Bank Info Security)
r/reddit - We had a security incident. Here’s what we know. (reddit)
Hackers breach Reddit to steal source code and internal data (BleepingComputer)
Reddit Breached With Stolen Employee Credentials (Dark Reading)
Reddit Says It Was Hacked But That You Don't Need to Worry. Probably. (Gizmodo)
Control By Web X-400, X-600M (CISA)
LS ELECTRIC XBC-DN32U (CISA)
Johnson Controls System Configuration Tool (SCT) (CISA)
Horner Automation Cscape Envision RV (CISA)
Omron SYSMAC CS/CJ/CP Series and NJ/NX Series (CISA)
ARC Informatique PcVue (CISA)
Industrial Wireless IoT - The direct path to your Level 0 (Otorio)
Critical Infrastructure at Risk from New Vulnerabilities Found in Wireless IIoT Devices (The Hacker News)
Romance scammers’ favorite lies exposed (Federal Trade Commission)
New FTC Data Reveals Top Lies Told by Romance Scammers (Federal Trade Commission)
Romance scammers could cause unhappy Valentine’s Day (Washington Post)
Love Bytes (Georgia State News Hub)
As V-Day nears: Romance scams cost victims $1.3B last year (Register)
Michigan AG warns of cybersecurity risks after data breach of gaming sites (mlive)

Feb 10, 2023 • 3min
CISA Alert AA23-040A – #StopRansomware: ransomware attacks on critical infrastructure fund DPRK malicious cyber activities. [CISA Cybersecurity Alerts]
CISA, NSA, FBI, the US Department of Health and Human Services, the Republic of Korea National Intelligence Service, and the Republic of Korea Defense Security Agency are issuing this alert to highlight ongoing ransomware activity against Healthcare and Public Health Sector organizations and other critical infrastructure sector entities.
AA23-040A Alert, Technical Details, and Mitigations
CISA’s North Korea Cyber Threat Overview and Advisories webpage.
Stairwell provided a YARA rule to identify Maui ransomware, and a Proof of Concept public RSA key extractor, at the following link: https://www.stairwell.com/news/threat-research-report-maui-ransomware/
See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

Feb 9, 2023 • 29min
Cyberespionage, from war floating to phishing. An update on ESXiArgs. Fresh sanctions against ransomware operators, and more takedowns may be in the offing.
War-floating. A phishing campaign pursues Ukrainian and Polish targets. Pakistan's navy is under cyberattack. A new criminal threat actor uses screenshots for recon. ESXiArgs is widespread, but its effects are still being assessed. The UK and US issue joint sanctions against Russian ransomware operators. Robert M. Lee from Dragos addresses attacks on electrical substations. Our guest is Denny LeCompte from Portnox, discussing IoT security segmentation strategies. And is LockBit next on law enforcement’s wanted list?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/27
Selected reading.
Chinese Balloon Had Tools to Collect Communications Signals, U.S. Says (New York Times)
UAC-0114 Campaign Targeting Ukrainian and Polish Gov Entities (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine)
NewsPenguin, a Previously Unknown Threat Actor, Targets Pakistan with Advanced Espionage Tool (BlackBerry)
Screentime: Sometimes It Feels Like Somebody's Watching Me (Proofpoint)
Florida state court system, US, EU universities hit by ransomware outbreak (Reuters)
No evidence global ransomware hack was by state entity, Italy says (Reuters)
Ransomware campaign stirs worry despite uncertain impact (Washington Post)
VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attacks (VMware Security Blog)
CISA and FBI Release ESXiArgs Ransomware Recovery Guidance (CISA)
United States and United Kingdom Sanction Members of Russia-Based Trickbot Cybercrime Gang (U.S. Department of the Treasury)
Ransomware criminals sanctioned in joint UK/US crackdown on international cyber crime (National Crime Agency)

Feb 9, 2023 • 3min
CISA Alert AA23-039A – ESXiArgs ransomware virtual machine recovery guidance. [CISA Cybersecurity Alerts]
CISA and the FBI are releasing this alert in response to the ongoing ransomware campaign known as “ESXiArgs.” Malicious actors are exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware.
AA23-039A Alert, Technical Details, and Mitigations
CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover
VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attack…
Enes Sonmez and Ahmet Aykac, YoreGroup Tech Team: decrypt your crypted files in…
See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

Feb 8, 2023 • 30min
An ICS update from CISA. Ransomware notes: LockBit, Clop, and ESXiArgs. Vulnerability in Toyota’s GSPIMS. Two new Russian cyberespionage efforts hit Ukraine. And a direction for US privacy policy.
CISA releases an ICS security advisory affecting a smart facility system. LockBit threatens to release Royal Mail data tomorrow. Cl0p ransomware expands to Linux-based systems. A vulnerability is identified in Toyota's GSPIMS. There’s an ESXiArgs update: new trackers and mitigation tools are available. Russia is running two new cyberespionage campaigns against Ukraine. Our guest is Roya Gordon from Nozomi Networks, discussing the ICS threat landscape. And The Washington Post’s Tim Starks provides analysis on last night’s State of the Union.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/26
Selected reading.
CISA Releases One Industrial Control Systems Advisory (CISA)
LockBit group threatens to publish stolen Royal Mail data tomorrow (Computing)
Cl0p Ransomware Targets Linux Systems with Flawed Encryption | Decryptor Available (SentinelOne)
Hacking into Toyota’s global supplier management network (Eaton Works)
Researcher breaches Toyota supplier portal with info on 14,000 partners (BleepingComputer)
Vulnerability Provided Access to Toyota Supplier Management Network (SecurityWeek)
CISA Releases ESXiArgs Ransomware Recovery Script (CISA)
ESXiArgs Ransomware Campaign Targets VMWare ESXi Vulnerability (SecurityScorecard)
Graphiron: New Russian Information Stealing Malware Deployed Against Ukraine (Symantec)
Remcos software deployed in spying attempt on Ukraine’s government, CERT says (The Record from Recorded Future News)
The State of the Union was light on cybersecurity (Washington Post)
Biden calls for action on privacy rights in State of the Union (CyberScoop)

Feb 7, 2023 • 27min
Update: VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards.
VMware ESXi exploitations. Super Bowl cyber risks. Scalping bots. The curious case of the Moscow billboards. Joe Carrigan tracks pig butchering apps in online app stores. Our guest is David Liebenberg from Cisco Talos, to discuss incident response trends. And, in sportsball, it’s gonna be the Chiefs by a couple of hat tricks, or something.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/25
Selected reading.
Ransomware Hits Unpatched VMware Systems: 'Send Money Within 3 Days' (Virtualization Review)
Massive ransomware attack targets VMware ESXi servers worldwide (CSO Online)
CISA steps up to help VMware ESXi ransomware victims (SC Media)
‘Massive’ new ESXiArgs ransomware campaign has compromised thousands of victims (The Record from Recorded Future News)
Have you clicked “Report Junk” lately on your #mobile device? (Proofpoint)
CyRC special report: Secure apps? Don’t bet on it (Synopsys)
DataDome’s Inaugural E-Commerce Holiday Bot & Online Fraud Report Reveals the US as the Top Source of Bot Attacks (DataDome)
Darknet drug market BlackSprut openly advertises on billboards in Moscow (The Record from Recorded Future News)

Feb 6, 2023 • 24min
Unpatched VMware ESXi instances attacked. 0ktapus is back. Update on LockBit’s ransomware attack on ION. Charlie Hebdo hack attributed to Iran.
New ransomware exploits a VMware ESXi vulnerability. Roasted 0ktapus squads up. LockBit says ION paid the ransom. Russian cyber auxiliaries continue attacks against healthcare organizations. Attribution on the Charlie Hebdo attack. Deepen Desai from Zscaler describes recent activity by Ducktail malware. Rick Howard looks at cyber threat intelligence. And the top US cyber diplomat says his Twitter account was hacked.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/24
Selected reading.
Ransomware Gang in Trading Hack Says Ransom Was Paid (Bloomberg)
Regulators weigh in on ION attack as LockBit takes credit (Register)
Russian hackers launch attack on City of London infrastructure (The Armchair Trader)
Ransomware attack on data firm ION could take days to fix -sources (Reuters)
Linux version of Royal Ransomware targets VMware ESXi servers (BleepingComputer)
Ransomware scum attack old VMWare ESXi vulnerability (Register)
Italy sounds alarm on large-scale computer hacking attack (Reuters)
Italy's TIM suffers internet connection problems (Reuters)
Italy sounds alarm on large-scale computer hacking attack (Jerusalem Post)
Italian National Cybersecurity Agency (ACN) warns of massive ransomware campaign targeting VMware ESXi servers (Security Affairs)
Campagne d’exploitation d’une vulnérabilité affectant VMware ESXi (CERT-FR)
VMSA-2021-0002 (VMware)
CERT-FR warns of a new wave of ransomware attacks targeting VMware ESXi servers (Security Affairs)
‘0ktapus’ hackers are back and targeting tech and gaming companies, says leaked report (TechCrunch)
Customizable new DDoS service already appears to have fans among pro-Russia hacking groups (The Record from Recorded Future News)
Russian Hackers Take Down At Least 17 U.S. Health System Websites (MedCity News)
Tallahassee Memorial HealthCare, Florida, has taken IT systems offline after cyberattack (Security Affairs)
Iran responsible for Charlie Hebdo attacks - Microsoft On the Issues (Microsoft On the Issues)
Piratage de « Charlie Hebdo » : un groupe iranien à la manœuvre, selon Microsoft (Le Monde)
Iran behind hack of French magazine Charlie Hebdo, Microsoft says (Reuters)
Microsoft attributes Charlie Hebdo data leak to Iran-linked NEPTUNIUM APT (Security Affairs)
America's top cyber diplomat says his Twitter account was hacked (CNN)

Feb 5, 2023 • 26min
“Shift Left”: A case for threat-informed pentesting. [CyberWire-X]
Penetration testing is a vital part of a robust security program, but the traditional pentesting model is in a rut. Assessments happen infrequently, the scope is often very broad, and the report is usually overwhelming. What if you could increase the overall ROI of your pentesting program and avoid these limitations? Every penetration test should have specific goals. Coverage of the MITRE ATT&CK framework or the OWASP Top Ten is a great start, but a pentest could provide far more value by applying a more strategic approach.
In this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner discuss what it means to "shift left" with your penetration testing by working on a threat-informed test plan with guests and Hash Table members Bob Turner, the Field CSO of Fortinet, Etay Maor, the Senior Director for Security Strategy at Cato Networks, and Dan DeCloss, the Founder and CEO of our episode sponsor PlexTrac.

Feb 5, 2023 • 9min
Yasmin Abdi: Find your community. [Security Engineer] [Career Notes]
Yasmin Abdi, a Security Engineering Manager at Snapchat and the CEO and Founder of NoHack, sits down to share the story of how she got to her current roles. From a young age, Yasmin was fascinated by the overlap of cybersecurity with crime and law. During college she interned at big tech companies including Snapchat, Google, and Facebook. She decided to stick with Snapchat, which had the security focus and security posture she wanted. In her role at Snapchat, she works with her team to take down all kinds of bad content and maintain the platform’s integrity, and found she fell in love with the work along the way. Yasmin shares the sage advice to grow your community as much as you can, saying to "form a community of like-minded people. People that you can bounce ideas off of, people that can help support you when times are low. Find mentors, find people that you aspire to be like, and really find that community of people." We thank Yasmin for sharing her story.


