CyberWire Daily

N2K Networks
Feb 4, 2023 • 19min

Can ransomware turn machines against us? [Research Saturday]

Tom Bonner and Eoin Wickens from HiddenLayer's SAI Team discuss their research on weaponizing machine learning models with ransomware. Researchers at HiddenLayer's SAI Team have developed a proof-of-concept attack for surreptitiously deploying malware, such as ransomware or Cobalt Strike Beacon, via machine learning models. The attack uses a technique currently undetected by many cybersecurity vendors and can serve as a launchpad for lateral movement, deployment of additional malware, or the theft of highly sensitive data. With this research the team aims to raise awareness by demonstrating how easily an adversary can deploy malware through a pre-trained ML model.

The research can be found here: WEAPONIZING MACHINE LEARNING MODELS WITH RANSOMWARE

Learn more about your ad choices. Visit megaphone.fm/adchoices
Feb 3, 2023 • 29min

Cyberespionage, and ransomware as misdirection. A new Python-based supply chain attack. Traffic on the Static Expressway. KillNet continues to plague hospitals. And Telegram may be compromised.

CISA has released six ICS Advisories. A look at a North Korean cyberespionage campaign. ChatGPT and its attack potential. A new Python-based supply chain attack. There's traffic on the Static Expressway: ClickFunnels seen in use for redirection. KillNet continues its campaign against hospitals. Ransomware as misdirection for cyberespionage. Part two of my conversation with Kathleen Smith of ClearedJobs.Net discussing trends in the cleared space. Our guest is Eric Bassier of Quantum talking about the multi-layered approach to ransomware protection. And Russian surveillance extends to Telegram chats.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/23

Selected reading.
Delta Electronics DIAScreen (CISA)
Mitsubishi Electric GOT2000 Series and GT SoftGOT2000 (CISA)
Baicells Nova (CISA)
Delta Electronics DVW-W02W2-E2 (CISA)
Delta Electronics DX-2100-L1-CN (CISA)
Mitsubishi Electric GT SoftGOT2000 (CISA)
No Pineapple! – DPRK Targeting of Medical Research and Technology Sector (WithSecure)
Hackers linked to North Korea targeted Indian medical org, energy sector (The Record from Recorded Future News)
North Korean hackers stole research data in two-month-long breach (BleepingComputer)
ChatGPT May Already Be Used in Nation State Cyberattacks, Say IT Decision Makers in BlackBerry Global Research (BlackBerry)
Supply Chain Attack by New Malicious Python Package, "web3-essential" (Fortinet)
Leveraging ClickFunnels to Bypass Security Services (Avanan)
Report: 'KillNet' targeting hospitals in countries helping Ukraine in war efforts (Becker's Hospital Review)
Intelligence agency says ransomware group with Russian ties poses 'an enduring threat' to Canada (CBC)
Les ransomwares, couverture des groupes APT pour du cyber-espionnage (Le Monde Informatique)
The Kremlin Has Entered the Chat (WIRED)
Feb 2, 2023 • 30min

Cisco fixes vulnerabilities in ICS appliances. NIST’s anti-phishing guidelines. OneNote exploitation. HeadCrab malware. Recent actions by Russian threat actors. Trends in state-directed cyber ops.

Cisco patches a command injection vulnerability. NIST issues anti-phishing guidance. HeadCrab malware's worldwide distribution campaign. The Gamaredon APT is more interested in collection than destruction. Kathleen Smith of ClearedJobs.Net looks at hiring trends in the cleared community. Bennett from Signifyd describes the fraud ring that's launched a war on commerce against U.S. merchants. And trends in cyberattacks by state-sponsored actors.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/22

Selected reading.
Command-Injection Bug in Cisco Industrial Gear Opens Devices to Complete Takeover (Dark Reading)
Phishing Resistance – Protecting the Keys to Your Kingdom (NIST)
OneNote Documents Increasingly Used to Deliver Malware (Proofpoint)
HeadCrab: A Novel State-of-the-Art Redis Malware in a Global Campaign (Aquasec)
Another UAC-0010 Story (The State Cyber Protection Centre of the State Service of Special Communication and Information Protection of Ukraine)
Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware (The Record from Recorded Future News)
City of London traders hit by Russia-linked cyber attack (The Telegraph)
ChristianaCare recovers from cyberattack, restores website service (6abc Philadelphia)
Nation-State Threats and the Rise of Cyber Mercenaries: Exploring the Microsoft Digital Defense Report (CSO Online)
Microsoft Digital Defense Report 2022 (Microsoft Security)
Feb 1, 2023 • 32min

How the C2C market sustains ransomware gangs. In Russia’s war, intelligence services deploy wipers, and hacktivist auxiliaries handle the DDoS. And a look into other corners of the cyber underworld.

Microsoft tallies more than a hundred ransomware gangs. Sandworm's NikoWiper hits Ukraine's energy sector. Mobilizing cybercriminals in a hybrid war. Firebrick Ostrich and business email compromise. Telegram is used for sharing stolen data and selling malware. Crypto scams find their way into app stores. Bryan Vorndran of the FBI Cyber Division outlines the services the FBI provides during an incident response. Ann Johnson from Afternoon Cyber Tea speaks with actor and producer Tim Murck about the intersection of cyber awareness and storytelling. And we are shocked - shocked! - that there are fraudulent cyber professional credentials circulating online.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/21

Selected reading.
Microsoft: Over 100 threat actors deploy ransomware in attacks (BleepingComputer)
SocGholish: A Tale of FakeUpdates (Reliaquest)
ESET APT Activity Report T3 2022 (WeLiveSecurity)
Pro-Russian DDoS attacks raise alarm in Denmark, U.S. (The Record from Recorded Future News)
ChristianaCare's website restored after attack; pro-Russia 'hacktivist' group takes credit (Delaware News Journal)
Univ. of Iowa Hospitals website possibly hit by cyberattack (KCRG)
Cyber attack causes problems with UM Health websites (The Detroit News)
How the war in Ukraine has strengthened the Kremlin's ties with cybercriminals (The Record from Recorded Future News)
Dark Covenant 2.0: Cybercrime, the Russian State, and War in Ukraine (Recorded Future)
Russia's cyberwar against Ukraine offers vital lessons for the West (Atlantic Council)
BEC Group Uses Secondary Personas & Lookalike Domains in Third-Party… (Abnormal Intelligence)
Telegram's place in the cyber underworld. (CyberWire)
Crypto scams found in the App Store. (CyberWire)
Exposure to third-party risk. (CyberWire)
Cyber certification deceit. (CyberWire)
Jan 31, 2023 • 30min

The cybercriminal labor market and the campaigns it’s supporting. Russia’s Killnet is running DDoS attacks against US hospitals, but Russia says, hey, it’s the real victim here.

Some perspective on the cybercriminal labor market. DocuSign is impersonated in a credential-harvesting campaign. Social engineering pursues financial advisors. Killnet is active against the US healthcare sector. Mr. Security Answer Person John Pescatore has thoughts on cryptocurrency. Ben Yelin and I debate the limits of Section 230. And, hey, who's the real victim in cyberspace? A hint: probably not you, Mr. Putin.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/20

Selected reading.
Perspectives on the cybercriminal labor market. (CyberWire)
IT specialists search and recruitment on the dark web (Securelist)
Cybercrime job ads on the dark web pay up to $20k per month (BleepingComputer)
Report on hackers' salaries shows poor wages for developers (Register)
Cybercrime groups offer six-figure salaries, bonuses, paid time off to attract talent on dark web (CyberScoop)
Application security risks. (CyberWire)
Survey gives insight into new app security challenges (Cisco AppDynamics)
DocuSign impersonated in credential phishing attack. (CyberWire)
Breaking the Impersonation: Armorblox Stops DocuSign Attack (Armorblox)
"Pig butchering" and financial advisor impersonation scams. (CyberWire)
No Blocking, No Issue: The Curious Ecosystem of Financial Advisor Impersonation Scams (DomainTools)
Ukraine at D+341: Killnet hits US hospitals. (CyberWire)
HC3 TLP Clear Analyst Note: Pro-Russian Hacktivist Group Threat to HPH Sector (American Hospital Association)
HHS, AHA Warn of Surge in Russian DDoS Attacks on Hospitals (Gov Info Security)
Russian hackers allegedly take down Duke University Hospital's website (Carolina Journal)
The Evolution of DDoS: Return of the Hacktivist (FS-ISAC)
Russia becomes target of West's coordinated aggression in cyberspace — MFA (TASS)
Jan 30, 2023 • 25min

Criminal evolutions, disgruntled insiders, and gangsta wannabes. New wiper attacks hit Ukrainian targets, with less effect than the first rounds early last year. And support your local hacktivist?

Gootloader's evolution. Yandex source code leaked (and Yandex blames a rogue insider). New GRU wiper malware is active against Ukraine. Latvia reports cyberattacks by Gamaredon. Russia and the US trade accusations of malign cyber activity. A hacktivist auxiliary's social support system. Deepen Desai from Zscaler describes the Lilithbot malware. Rick Howard looks at chaotic simians. And wannabes can be a nuisance, too: LockBit impersonators are seen operating in northern Europe.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/19

Selected reading.
Welcome to Goot Camp: Tracking the Evolution of GOOTLOADER Operations (Mandiant)
Yandex denies hack, blames source code leak on former employee (BleepingComputer)
Hackers use new SwiftSlicer wiper to destroy Windows domains (BleepingComputer)
Sandworm APT targets Ukraine with new SwiftSlicer wiper (Security Affairs)
Ukraine: Sandworm hackers hit news agency with 5 data wipers (BleepingComputer)
Ukraine Links Media Center Attack to Russian Intelligence (BankInfoSecurity)
Latvia confirms phishing attack on Ministry of Defense, linking it to Russian hacking group (The Record from Recorded Future News)
Russia knows US recruits hackers, trains Ukrainian IT-army — Deputy Foreign Minister (TASS)
Taking down the Hive ransomware gang. (CyberWire)
US puts a $10m bounty on Hive while Russia shuts down access (Register)
Exploring Killnet's Social Circles (Radware)
Copycat Criminals mimicking Lockbit gang in northern Europe (Security Affairs)
Jan 29, 2023 • 8min

Charlie Moore: Pilot to head honcho in cyber. [Cyber Command] [Career Notes]

Our guest, Charlie Moore, is a recently retired USAF Lieutenant General who sits down to share his story, from flying high in the air to becoming a bigwig in the cyber community. He was most recently the Deputy Commander of United States Cyber Command, and also spent part of his career as a human factors engineer working on human interfaces for fighter aircraft. When he first began his Air Force career, he was a member of the last class entering the Academy that was not issued desktop computers. Charlie discusses how this changed as the years went on and how that impacted his career both in and out of the military. Charlie worked for different companies over the years to further his career and his goals, and discusses how his flying career has helped him, saying, "I was extremely passionate about the flying aspect of my career for 25 years and I became even more passionate about operating in this space." We thank Charlie for sharing his story with us.
Jan 29, 2023 • 27min

Interview with the AI, part one. [Special Editions]

Cybersecurity interview with ChatGPT. In part one of CyberWire's Interview with the AI, Brandon Karpf interviews ChatGPT about topics related to cybersecurity. Rick Howard joins Brandon to analyze the conversation and discuss potential use cases for the cybersecurity community. ChatGPT is a chatbot launched by OpenAI and built on top of OpenAI's GPT-3 family of large language models.

Cyber questions answered by ChatGPT in part one of the interview:
What were the most significant cybersecurity incidents up through 2021?
What leads you to characterize these specific events as significant?
What were the specific technical vulnerabilities associated with these incidents?
Who were the cyber actors involved in each of these attacks?
Do you think it's valuable to attribute cyber attacks to specific actors?
Jan 28, 2023 • 16min

Flagging firmware vulnerabilities. [Research Saturday]

Roya Gordon from Nozomi Networks sits down with Dave to discuss their research on "Vulnerabilities in BMC Firmware Affect OT/IoT Device Security." Researchers at Nozomi Networks have revealed thirteen vulnerabilities that affect the BMCs of Lanner devices based on the American Megatrends (AMI) MegaRAC SP-X. The research states: "By abusing these vulnerabilities, an unauthenticated attacker may achieve Remote Code Execution (RCE) with root privileges on the BMC, completely compromising it and gaining control of the managed host." The conversation also covers what patches may come in the future to help fix these vulnerabilities.

The research can be found here: Vulnerabilities in BMC Firmware Affect OT/IoT Device Security – Part 1
Jan 27, 2023 • 26min

An update on the Hive ransomware takedown. More DDoS from Killnet. Advisories from CISA, and an addition to the Known Exploited Vulnerabilities Catalog.

An update on the takedown of the Hive ransomware gang, plus insights from CrowdStrike's Adam Meyers. If you say you're going to unleash the Leopards, expect a noisy call from Killnet. Our guest is ExtraHop CISO Jeff Costlow talking about nation-state attackers in light of ongoing Russian military operations. CISA has released eight ICS advisories, and the agency has also added an entry to its Known Exploited Vulnerabilities Catalog.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/18

Selected reading.
Cybercriminals stung as HIVE infrastructure shut down (Europol)
U.S. Department of Justice Disrupts Hive Ransomware Variant (U.S. Department of Justice)
Director Christopher Wray's Remarks at Press Conference Announcing the Disruption of the Hive Ransomware Group (Federal Bureau of Investigation)
Taking down the Hive ransomware gang. (CyberWire)
US hacks back against Hive ransomware crew (BBC News)
Cyberattacks Target Websites of German Airports, Admin (SecurityWeek)
Delta Electronics CNCSoft ScreenEditor (CISA)
Econolite EOS (CISA)
Snap One Wattbox WB-300-IP-3 (CISA)
Sierra Wireless AirLink Router with ALEOS Software (CISA)
Mitsubishi Electric MELFA SD/SQ series and F-series Robot Controllers (CISA)
Rockwell Automation products using GoAhead Web Server (CISA)
Landis+Gyr E850 (CISA)
Mitsubishi Electric MELSEC iQ-F, iQ-R Series (CISA)
CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)
