

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Jan 8, 2023 • 7min
Teresa Rothaar: Outwork the competition. [Analyst] [Career Notes]
Teresa Rothaar, a governance, risk, and compliance (GRC) analyst at Keeper Security, sits down to share her story, from performer to cyber. She fell in love with writing as a young girl and experimented with writing fanfiction, which made her want to grow up to be in the arts. After attending college she found that she was good at math, lighting the way for her to start her cyber career. Teresa moved to being a writer at Keeper and, finding she wanted to spread out and try more, ended up becoming an analyst while still doing writing on the side. She quotes David Duchovny from an interview, explaining how sometimes you need to keep your head down and outwork others. Teresa said this resonated with her, saying, "that's how I went from a foreclosure box on the porch to where I am now. I have a good job and, and I have a career and I have a really good career and I absolutely love it." We thank Teresa for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

Jan 7, 2023 • 18min
Stealer malware from Russia. [Research Saturday]
Marisa Atkinson, an analyst from Flashpoint, joins Dave to discuss a new blog post from Flashpoint’s research team about “RisePro” Stealer, malware from Russia, and Pay-Per-Install Malware “PrivateLoader.” “RisePro” is written in C++ and appears to possess similar functionality to the stealer malware “Vidar.” It is also a newly identified stealer that began appearing as a stealer source for log credentials on the illicit log shop Russian Market on December 13, 2022.
The research states, "Samples that Flashpoint analysts identified indicate that RisePro may have been dropped or downloaded by the pay-per-install malware downloader service “PrivateLoader” in the past year." Analysts identified several sets of logs uploaded to the illicit underground Russian Market, which listed their source as “RisePro.”
The research can be found here:
“RisePro” Stealer and Pay-Per-Install Malware “PrivateLoader”

Jan 6, 2023 • 30min
CISA releases three ICS Advisories. Squealing cars. Rotate your secrets. Russian cyberespionage updates.
Security vulnerabilities in automobiles. CircleCI customers should "rotate their secrets." CISA Director Easterly notes Russian failures, but warns that shields should stay up. Attempted cyberespionage against US National Laboratories. Turla effectively recycles some commodity malware infrastructure. Robert M. Lee from Dragos shares his outlook on ICS for the new year. Our CyberWire Space correspondent Maria Varmazis interviews Diane Janosek from NSA about her research on space-cyber. And the Guardian continues to recover from last month's ransomware attack.
For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/4
Selected reading.
Hitachi Energy UNEM (CISA)
Hitachi Energy FOXMAN-UN (CISA)
Hitachi Energy Lumada Asset Performance Management (CISA)
Web Hackers vs. The Auto Industry: Critical Vulnerabilities in Ferrari, BMW, Rolls Royce, Porsche, and More (Sam Curry)
Toyota, Mercedes, BMW API flaws exposed owners’ personal info (BleepingComputer)
16 Car Makers and Their Vehicles Hacked via Telematics, APIs, Infrastructure (SecurityWeek)
Ferrari, BMW, Rolls Royce, Porsche and more fix vulnerabilities giving car takeover capabilities (The Record by Recorded Future)
CircleCI security alert: Rotate any secrets stored in CircleCI (CircleCI)
CircleCI warns of security breach — rotate your secrets! (BleepingComputer)
CircleCI Urges Customers to Rotate Secrets Following Security Incident (The Hacker News)
CISA director: US needs to be vigilant, ‘keep our shields up’ against Russia (The Hill)
Exclusive-Russian Hackers Targeted U.S. Nuclear Scientists (Reuters via US News)
Notorious Russian Spies Piggybacked on Other Hackers' USB Infections (WIRED)
Turla: A Galaxy of Opportunity | Mandiant (Mandiant)
Fallout from Guardian cyber attack to last at least a month (ComputerWeekly)
State of Ransomware Preparedness (Axio)

Jan 5, 2023 • 28min
PurpleUrchin’s freejacking. Bluebottle versus the banks. A supply-chain attack on a machine-learning framework. The ransomware leaderboard. And cyber ops in a hybrid war.
The PurpleUrchin freejacking campaign. Bluebottle activity against banks in Francophone Africa. The PyTorch framework sustains a supply-chain attack. 2022's ransomware leaderboard. Cellphone traffic as a source of combat information. FBI Cyber Division AD Bryan Vorndran on the interaction and collaboration of federal agencies in the cyber realm. Our guest Jerry Caponera from ThreatConnect wonders if we need more "Carrots" Than "Sticks" In Cybersecurity Regulation. And two incommensurable views of information security.
For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/3
Selected reading.
An analysis of the PurpleUrchin campaign. (CyberWire)
PurpleUrchin Bypasses CAPTCHA and Steals Cloud Platform Resources (Unit 42)
Bluebottle observed in the wild. (CyberWire)
Bluebottle: Campaign Hits Banks in French-speaking Countries in Africa (Symantec)
PyTorch incident disclosed, assessed. (CyberWire)
PyTorch dependency poisoned with malicious code (Register)
Compromised PyTorch-nightly dependency chain between December 25th and December 30th, 2022. (PyTorch)
Most active, impactful ransomware groups of 2022. (CyberWire)
2022 Year in Review: Ransomware (Trustwave)
Russia says phone use allowed Ukraine to target its troops (AP NEWS)
For Russian Troops, Cellphone Use Is a Persistent, Lethal Danger (New York Times)
Kremlin blames own soldiers for Himars barracks strike as official death toll rises (The Telegraph)
No Water’s Edge: Russia’s Information War and Regime Security (Carnegie Endowment for International Peace)

Jan 4, 2023 • 26min
Terms of service and GDPR. LastPass breach update. GhostWriter resurfaces in action against Poland and its neighbors. Cellphones, opsec, and rocket strikes.
Ad practices draw a large EU fine (and may set precedents for online advertising). Updates on the LastPass breach, and on Russian cyber activity against Poland. Malek Ben Salem from Accenture explains smart deepfakes. Our guest is Leslie Wiggins, Program Director for Data Security at IBM Security, on the role of the security specialist. And cellphones, opsec, and the Makiivka strike.
For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/2
Selected reading.
Meta’s Ad Practices Ruled Illegal Under E.U. Law (New York Times)
Meta Fined More Than $400 Million in EU for Serving Ads Based on Online Activity (Wall Street Journal)
Meta's New Year kicks off with $410M+ in fresh EU privacy fines (TechCrunch)
LastPass data breach: notes and actions to take. (CyberWire)
Poland warns of attacks by Russia-linked Ghostwriter hacking group (BleepingComputer)
Russia says phone use allowed Ukraine to target its troops (AP NEWS)
Russian soldier gave away his position with geotagged social media posts (Task & Purpose)
Russian commanders blamed for heavy losses in New Year’s Day strike (Washington Post)

Jan 3, 2023 • 28min
DPRK cyber ops. Poland warns of Russian cyber activity. Twitter’s data incident. A crypto trading exchange is rifled. Ransomware shuts down the Port of Lisbon. Small business opportunities.
Recent DPRK cyber operations: spying and theft. Twitter’s data incident. 3Commas breached. Poland warns of increased Russian offensive cyber activity. Port of Lisbon hit by ransomware. DHS announces SBIR topics. New additions to the Known Exploited Vulnerabilities Catalog. Ben Yelin on the legal conundrum of AI-generated code. Our guest is Tanya Janca from She Hacks Purple with insights on API security. And, news flash! LockBit says they have a conscience. (Yeah, right.)
For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/1
Selected reading.
Recent DPRK cyber operations: spying and theft. (CyberWire)
Twitter targeted in extortion hack. (CyberWire)
3Commas' API compromised. (CyberWire)
Russian cyberattacks (Special Services)
LockBit activity over the holidays. (CyberWire)
CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA)
DHS Small Business Innovation Research (SBIR) Program FY23 Solicitation (SAM.gov)
The SBIR and STTR Programs. (SBIR/STTR)

Jan 3, 2023 • 42min
Software supply chain management: Lessons learned from SolarWinds. [CyberWire-X]
Between the emergence of sophisticated nation-state actors, the rise of ransomware-as-a-service, the increasing attack surface remote work presents, and much more, organizations today contend with more complex risk than ever. A “Secure-by-Design” approach can secure software environments, development processes and products. That approach includes increasing training for employees, adopting zero trust, leveraging Red Teams, and creating a unique triple-build software development process. SolarWinds calls its version of this process the "Next-Generation Build System," and offers it as a model for secure software development that will make supply chain attacks more difficult.
On this episode of CyberWire-X, host Rick Howard, N2K’s CSO, and CyberWire’s Chief Analyst and Senior Fellow, discusses software supply chain lessons learned from the SolarWinds attack of 2020 with Hash Table members Rick Doten, the CISO for Healthcare Enterprises and Centene, Steve Winterfeld, Akamai's Advisory CISO, and Dawn Cappelli, Director of OT-CERT at Dragos. In the second half of the show, Rick speaks with Tim Brown, CISO of our episode sponsor, SolarWinds.

Jan 2, 2023 • 47min
Women in Cybersecurity panel: A discussion on hidden figures of cyber skills gap. [Special Edition]
On Thursday, October 20, 2022, the CyberWire was pleased to host the annual Women in Cybersecurity Reception at the International Spy Museum in Washington, DC. This annual event brought together almost 300 people to highlight and celebrate the value and successes of women in the cybersecurity industry. The reception included an industry-led panel discussion called “The Hidden Impact of Cybersecurity’s Talent Gap on the Cyber-Enabled Community,” discussing cyber-enabled professionals who aren’t usually included in conversations around the cybersecurity skills gap. The panel, moderated by Simone Petrella of CyberVista, included perspectives from experts including Davida Gray of MindPoint Group, Jennifer Walsmith of Northrop Grumman, Kyla Guru of Bits N’ Bytes, and Amy Mushahwar from Alston & Bird.

Dec 31, 2022 • 15min
Encore: LemonDucks evading detection.
Scott Fanning from CrowdStrike's research team joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and the research suggests attackers are attracted to the monetary gain from the recent boom in cryptocurrency.
LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation through the use of proxy pools. Scott shares how it's unknown which organizations have been targeted and just how much cryptocurrency has been stolen.
The research can be found here:
LemonDuck Targets Docker for Cryptomining Operations

Dec 30, 2022 • 11min
Interview Select: Nick Schneider of Arctic Wolf discusses why he believes 2023 will see a resurgence of ransomware and why the decline of crypto will not deter future ransomware actors.
SHOW NOTES
This interview from October 28th, 2022 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Dave Bittner sits down with Nick Schneider of Arctic Wolf to discuss why he believes 2023 will see a resurgence of ransomware and why the decline of crypto will not deter future ransomware actors.


