CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Jan 26, 2023 • 28min
Remote monitoring and management tools abused. Russian and Iranian cyberespionage reported. The world according to the CIO. And if volume is your secret, maybe look for a better secret.
Joint advisory warns of remote monitoring and management software abuse. Iranian threat actors reported active against a range of targets. UK's NCSC warns of increased risk of Russian and Iranian social engineering attacks. A look at trends, as seen by CIOs. Carole Theriault ponders health versus privacy with former BBC guru Rory Cellan Jones. Kyle McNulty, host of the Secure Ventures podcast, shares lessons from the cybersecurity startup community. And the DRAGONBRIDGE spam network is disrupted.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/17
Selected reading.
CISA, NSA, and MS-ISAC Release Advisory on the Malicious Use of RMM Software (CISA)
Protecting Against Malicious Use of Remote Monitoring and Management Software (CISA)
CISA: Federal agencies hacked using legitimate remote desktop tools (BleepingComputer)
'Malicious' cyber attacks launched by groups connected to Iran's regime (ABC)
Abraham's Ax Likely Linked to Moses Staff (Secureworks)
SEABORGIUM and TA453 continue their respective spear-phishing campaigns against targets of interest (NCSC)
NCSC: Russian and Iranian hackers targeting UK politicians, journalists (Computing)
State of the CIO Study 2023: CIOs cement leadership role (Foundry)
U.S. says it 'hacked the hackers' to bring down ransomware gang, helping 300 victims (Reuters)
Over 50,000 instances of DRAGONBRIDGE activity disrupted in 2022 (Google TAG)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Jan 26, 2023 • 3min
CISA Alert AA23-025A – Protecting against malicious use of remote monitoring and management software. [CISA Cybersecurity Alerts]
CISA, NSA, and the MS-ISAC are releasing this alert to warn network defenders about malicious use of legitimate remote monitoring and management software.
AA23-025A Alert, Technical Details, and Mitigations
For a downloadable copy of IOCs, see AA23-025.stix
Silent Push uncovers a large trojan operation featuring Amazon, Microsoft, Geek Squad, McAfee, Norton, and Paypal domains
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
See CISA Insights Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses for guidance on hardening MSP and customer infrastructure.
U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov.
To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.

Jan 25, 2023 • 30min
TA444 and crypto theft on behalf of the Dear Successor. CryptoAPI spoofing vulnerability described. New Python-based malware campaign. User headspace. Tanks vs. hacktivists.
How do the North Koreans get away with it? They do run their cyber ops like a creepy start-up business. A spoofing vulnerability is discovered in Windows CryptoAPI. Python-based malware is distributed via phishing. macOS may have a reputation for threat-resistance, but users shouldn't get cocky. DevSecOps survey results show tension between innovation and security. Russian hacktivist auxiliaries hit German targets. Tim Starks from the Washington Post Cyber 202 shares insights from his interview with Senator Warner. Our guest is Keith McCammon of Red Canary to discuss cyber accessibility. And private sector support for Ukraine's cyber defense.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/16
Selected reading.
TA444: The APT Startup Aimed at Acquisition (of Your Funds) (Proofpoint)
Exploiting a Critical Spoofing Vulnerability in Windows CryptoAPI (Akamai)
Securonix Security Advisory: Python-Based PY#RATION Attack Campaign Leverages Fernet Encryption and Websockets to Avoid Detection (Securonix)
BlackBerry's Inaugural Quarterly Threat Intelligence Report Reveals Threat Actors Launch One Malicious Threat Every Minute (BlackBerry)
Global CIO Report Reveals Growing Urgency for Observability and Security to Converge (Dynatrace)
Russian 'hacktivists' briefly knock German websites offline (Reuters)
How Microsoft is helping Ukraine’s cyberwar against Russia (Computerworld)
CISA Releases Two Industrial Control Systems Advisories (CISA)

Jan 25, 2023 • 1h 1min
Cyber Marketing Con 2022: From the horse’s mouth: CISO Q&A on solving the cyber marketer’s dilemma. [Special Editions]
At the 2022 Cyber Marketing Con, the CyberWire presented a CISO Q&A panel session on how to help cyber marketers reach CISOs and other security executives in the industry. The panel included Rick Howard, CSO of N2K Networks, Jaclyn Miller, Head of InfoSec and IT at DispatchHealth, and Ted Wagner, CISO of SAP NS2, and was moderated by board director and operating partner Michelle Perry.
Listen in as the panel discusses:
What works and doesn’t work in getting a security executive’s attention.
Message trust, message fatigue, and what you can do about it.
Trusted information sources and how security executives use them.
Positioning and messaging that is actually meaningful to decision makers.
The security executive’s purchasing behavior and why skepticism is the driving force.
Stay tuned until the end to hear us answer some additional bonus questions submitted by attendees.

Jan 24, 2023 • 29min
Disentangling cybercrime from cyberespionage. A threat to the IoT supply chain. What do you do with the hacktivists when they stop being hacktivists? A retired FBI Special Agent is indicted.
DragonSpark conducts "opportunistic" cyberattacks in East Asia. ProxyNotShell and OWASSRF exploit chains target Microsoft Exchange servers. The IoT supply chain is threatened by exploitation of a Realtek Jungle SDK vulnerability. CISA adds an entry to its Known Exploited Vulnerabilities Catalog. A Cisco study finds organizations see positive returns from investment in privacy. What's the hacktivist's postwar future? Joe Carrigan tracks a romance scam targeting seniors. Our guest is Pete Lund of OPSWAT to discuss the security of removable media devices. And a retired G-Man is indicted on multiple charges.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/15
Selected reading.
DragonSpark | Attacks Evade Detection with SparkRAT and Golang Source Code Interpretation (SentinelOne)
Technical Advisory: Proxy*Hell Exploit Chains in the Wild (Bitdefender)
Realtek SDK Vulnerability Attacks Highlight IoT Supply Chain Threats (Unit 42)
CISA Adds One Known Exploited Vulnerability to Catalog (CISA)
2023 Data Privacy Benchmark Study (Cisco)
Hacktivism Is a Risky Career Path (WIRED)
Retired FBI Executive Charged With Concealing $225,000 In Cash Received From An Outside Source (Department of Justice, U.S. Attorney’s Office, District of Columbia)
Former Special Agent In Charge Of The New York FBI Counterintelligence Division Charged With Violating U.S. Sanctions On Russia (Department of Justice, U.S. Attorney’s Office, Southern District of New York)
Former Senior F.B.I. Official in New York Charged With Aiding Oligarch (New York Times)

Jan 23, 2023 • 26min
Contractor error behind FAA outage. OneNote malspam. Vastflux ad campaign disrupted. Ukraine moves closer to CCDCOE membership. Alerts for gamblers and gamers.
The FAA attributes its January NOTAM outage. Malicious OneNote attachments are appearing in phishing campaigns. The Vastflux ad campaign has been disrupted. Ukraine moves toward closer cybersecurity collaboration with NATO. Rick Howard considers the best of 2022. Deepen Desai from Zscaler looks at VPN risk. And, finally, we’re betting you want alerts for sports book customers and online gamers.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/14
Selected reading.
FAA Says Contractor Unintentionally Caused Outage That Disrupted Flights (Wall Street Journal)
Not a cyberattack, but an IT failure: the FAA's NOTAM outage. (CyberWire)
Hackers now use Microsoft OneNote attachments to spread malware (BleepingComputer)
Traffic signals: The VASTFLUX Takedown (HUMAN Security)
Ukraine signs agreement to join NATO cyber defense center (The Record from Recorded Future News)
FanDuel warns of data breach after customer info stolen in vendor hack (BleepingComputer)
Industry looks at the MailChimp data incident. (CyberWire)
PSA: Don’t play GTA Online on PC right now (Video Games)
You might not want to play GTA Online right now due to security vulnerabilities (RockPaperShotgun)
Riot Games hacked, delays game patches after security breach (BleepingComputer)
Riot hit by ‘social engineering attack’ that will affect patch cadence for multiple titles (Dot Esports)

Jan 22, 2023 • 8min
Miriam Wugmeister: Technology's not as complicated as you think. [Data Security] [Career Notes]
Miriam Wugmeister, co-chair of Morrison & Foerster’s Privacy and Data Security practice, sits down to share her in-depth experience and understanding of privacy and data security laws, obligations, and practices across a wide range of industries. She talks about how she grew up not knowing exactly what she wanted to get into as a profession, starting off as a chemical engineering major in college before switching to philosophy. She then got asked to work on a project relating to a company’s privacy and fell in love with the subject matter, deciding then to pursue it as a career. Miriam mentions how technology is not as complicated as tech people might have you think. She hopes she can advertise a tech degree for young women and men looking to get into the field, as well as making sure she "encourages women and diverse lawyers to, uh, come into this area to thrive." We thank Miriam for sharing her story with us.

Jan 22, 2023 • 28min
The power of web data in cybersecurity. [CyberWire-X]
The public web data domain is a fancy way to say that there is a lot of information sitting on websites around the world that is freely available to anybody who has the initiative to collect it and use it for some purpose. When you do that collection, intelligence groups typically refer to it as open source intelligence, or OSINT. Intelligence groups have been conducting OSINT operations for over a century if you consider books and newspapers to be one source of this kind of information. In the modern day, hackers conduct OSINT operations in order to recon their potential victims by collecting email addresses, personal information, IP addresses, software versions, network configurations, and, if they are lucky, login credentials for websites and social media platforms. The question is, how can the good guys use these techniques to improve their security posture or maybe help the business in some kind of material way?
On this episode of CyberWire-X, the CyberWire’s Rick Howard and Dave Bittner discuss OSINT operations to improve your security posture with guests Steve Winterfeld, Hash Table member and Advisory CISO for Akamai, and Or Lenchner, CEO at our episode sponsor Bright Data.

Jan 21, 2023 • 14min
Billbug infests government agencies. [Research Saturday]
Brigid O. Gorman from Symantec's Threat Hunter Team joins Dave to discuss their report "Billbug - State-sponsored Actor Targets Cert Authority and Government Agencies in Multiple Asian Countries." The team has discovered that state-sponsored actors compromised a digital certificate authority in an Asian country during a campaign in which multiple government agencies were also targeted.
The research states they believe Billbug, a long-established advanced persistent threat (APT) group, has been active since about 2009. They say "In activity documented by Symantec in 2019, we detailed how the group was using a backdoor known as Hannotog (Backdoor.Hannotog) and another backdoor known as Sagerunex (Backdoor.Sagerunex). Both these tools were also seen in this more recent activity."
The research can be found here:
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries

Jan 20, 2023 • 28min
Ransomware in Costa Rica. Cyberespionage against unpatched FortiOS instances. Credential stuffing PayPal, breaching T-Mobile. Utility business systems hit. Hackathons and phishing in Russia.
Ransomware hits Costa Rican government systems, again. A Chinese threat actor deploys the BOLDMOVE backdoor against unpatched FortiOS. Credential stuffing afflicts PayPal users. T-Mobile discloses a data breach. A cyberattack hits a remote Canadian utility. The Wagner Group sponsors a hackathon. Malek Ben Salem from Accenture describes prompt injection for chatbots. Our guest is Paul Martini of iboss with insights on Zero Trust. And the FSB’s Gamaredon APT runs a hands-on Telegram phishing campaign against Ukrainian targets.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/13
Selected reading.
Bolster Your Company Defenses With Zero Trust Edge (Forrester)
MICITT detecta incidente informático en el MOPT, el cual ya se encuentra contenido (MICITT)
MOPT mantiene habilitados todos los servicios de manera presencial (MICITT)
Costa Rica’s Ministry of Public Works and Transport crippled by ransomware attack (Record)
Suspected Chinese Threat Actors Exploiting FortiOS Vulnerability (CVE-2022-42475) (Mandiant)
Attackers Crafted Custom Malware for Fortinet Zero-Day (Dark Reading)
Chinese hackers used recently patched FortiOS SSL-VPN flaw as a zero-day in October (Security Affairs)
PayPal accounts breached in large-scale credential stuffing attack (BleepingComputer)
PayPal Confirms Over 34,000 Customer Accounts Were Breached (EcommerceBytes)
35,000 PayPal accounts hacked, and users could've prevented it (PCWorld)
Thousands Of PayPal Accounts Hacked—Is Yours One Of Them? (Forbes)
Nearly 35,000 PayPal users had SSNs, tax info leaked during December cyberattack (The Record from Recorded Future News)
T-Mobile Says Hacker Stole Data for 37 Million Customers (Bloomberg)
T-Mobile Says Hackers Stole Data on About 37 Million Customers (Wall Street Journal)
T-Mobile Says Hackers Used API to Steal Data on 37 Million Accounts (SecurityWeek)
Cyberattack hits Nunavut's Qulliq Energy Corp. (CBC News)
Nunavut power utility’s servers hit by cyber attack | IT World Canada News (IT World Canada)
Russian War Report: Russian hacker wanted by the FBI reportedly wins Wagner hackathon prize (Atlantic Council)
Gamaredon (Ab)uses Telegram to Target Ukrainian Organizations (Blackberry)
Gamaredon Group Launches Cyberattacks Against Ukraine Using Telegram (The Hacker News)
Hitachi Energy PCU400 (CISA)
Bolster Your Company Defenses With Zero Trust Edge (iBoss)