CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Dec 20, 2022 • 25min
Warnings on SentinelSneak. The rise of malicious XLLs. Updates from Russia’s hybrid war. An unusually loathsome campaign targets children.
SentinelSneak is out in the wild. XLLs for malware delivery. CERT-UA warns of attacks against the DELTA situational awareness system. FSB cyber operations against Ukraine. Trends in the cyber phases of Russia's hybrid war. Mr. Security Answer Person John Pescatore offers his sage wisdom. Microsoft’s Ann Johnson from Afternoon Cyber Tea speaks with Dr. Chenxi Wang from Rain Capital. And an unusually unpleasant sextortion campaign.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/242

Selected reading.
SentinelSneak is not a legitimate SDK. (CyberWire)
SentinelSneak: Malicious PyPI module poses as security software development kit (ReversingLabs)
Malicious Python Trojan Impersonates SentinelOne Security Client (Dark Reading)
Malicious ‘SentinelOne’ PyPI package steals data from developers (BleepingComputer)
Cisco research on XLL Abuse. (CyberWire)
Threat Spotlight: XLLing in Excel - threat actors using malicious add-ins (Cisco Talos Blog)
Ukraine at D+299: Cyber operations 300 days into the war. (CyberWire)
Cyber Dimensions of the Armed Conflict in Ukraine (CyberPeace Institute)
Ukraine's DELTA military system users targeted by info-stealing malware (BleepingComputer)
Ukraine's Delta Military Intel System Hit by Attacks (Infosecurity Magazine)
Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine (Unit 42)
FBI and Partners Issue National Public Safety Alert on Financial Sextortion Schemes | Federal Bureau of Investigation (Federal Bureau of Investigation)
HSI, federal partners issue national public safety alert on sextortion schemes (US Immigration and Customs Enforcement)

Learn more about your ad choices. Visit megaphone.fm/adchoices

Dec 19, 2022 • 27min
BEC gets into bulk food theft. BlackCat ransomware update. Epic Games’ settlement with FTC. InfraGard data taken down. More on the hybrid war. And Twitter asks for the voice of the people.
BEC takes aim at physical goods (including food). BlackCat ransomware activity increases. Epic Games settles an FTC regulatory case. The InfraGard database was pulled from a dark web auction site. CISA releases forty-one ICS advisories. Rick Howard interviews author Andy Greenberg. Rob Boyce from Accenture examines holiday cyber threats. The growing value of open source intelligence. Twitter says vox populi, vox dei.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/241

Selected reading.
FBI, FDA OCI, and USDA Release Joint Cybersecurity Advisory Regarding Business Email Compromise Schemes Used to Steal Food (CISA)
Colombian energy supplier EPM hit by BlackCat ransomware attack (BleepingComputer)
Events D.C. data published online in apparent ransomware attack (Washington Post)
Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Federal Trade Commission)
Hacker Halts Sale of FBI's High-Profile InfraGard Database (HackRead)
CISA Releases Forty-One Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)
Russia’s Wartime Cyber Operations in Ukraine: Military Impacts, Influences, and Implications (Carnegie Endowment for International Peace)
How open-source intelligence has shaped the Russia-Ukraine war (GOV.UK)
Front-line video makes Ukrainian combat some of history’s most watched (Washington Post)
Elon Musk Polls Twitter Users, Asking Whether He Should Step Down (Wall Street Journal)
Musk asks: Should I stay as CEO? (Computing)
Elon Musk’s Twitter Poll Shows Users Want Him to Step Down (Wall Street Journal)
Elon Musk’s Twitter poll: 10 million say he should step down (the Guardian)

Dec 18, 2022 • 8min
Don Pezet: Stepping stones are the start of your career. [CTO] [Career Notes]
Don Pezet, CTO of ACI Learning, sits down to share his over 25 years of experience in the industry. Don previously spent time as a field engineer in the financial and insurance industries supporting networks around the world. He co-founded ITProTV in 2012 to help create the IT training that he wished he had when he got started in his IT career. He also shares insights for anyone else wishing to pursue IT, no matter their age or past experience. Don explains how important stepping stones are as you get into this field, stating "know that that first job you get is probably not going to be the job you want to have your whole life, but it's a stepping stone that leads to where you want to get." Don started teaching on the side as well as working in the IT field and explains how much his teaching skills come in handy to help him with his leadership skills, which in turn helps him to be a better CTO, helping his customers. We thank Don for sharing his story.

Dec 18, 2022 • 38min
Strategies to get the most out of your toolsets. [CyberWire-X]
With a recession looming, many business leaders are looking for ways to cut spending wherever possible. And while tool bloat affects many security teams, it can be a challenging problem to tackle for a couple of reasons. First, there’s the fear that security will be lost if a tool is removed. Second, there’s the daunting task of unraveling complex systems. And finally, there’s the perennial talent shortage. Like all challenges in security, they’re made even worse by the fact that there are not enough people able to tackle them. During this CyberWire-X episode, host Rick Howard, the CyberWire’s CISO, Chief Analyst and Senior Fellow, speaks with Hash Table member Ted Wagner, the CSO of SAP National Security Services, and host Dave Bittner speaks with sponsor ExtraHop Senior Technical Marketing Manager Jamie Moles. They discuss solutions to help business and security leaders not just address these challenges, but get more out of their tooling as they do. They discuss strategies for determining which tools you actually need and which you can get rid of, as well as the step-change benefits that can be realized when you consolidate, automate, and integrate your security solutions.

Dec 17, 2022 • 20min
Hijacking holiday spirit with phishing scams. [Research Saturday]
Or Katz from Akamai sits down with Dave to discuss research on highly sophisticated phishing scams and how they abuse holiday sentiment. This particular threat has most recently focused on Halloween deals, enticing victims with the chance to win a free prize, including from Dick’s Sporting Goods or Tumi Backpacks. It then requests credit card details to cover the cost of shipment.

From mid-September to the end of October 2022, Akamai's researchers were able to uncover and track this threat. This kit mimics well-known retail stores in hopes of hijacking credit card information, feeding off of people's holiday spirit.

The research can be found here:
Highly Sophisticated Phishing Scams Are Abusing Holiday Sentiment

Dec 16, 2022 • 29min
Malicious apps do more than extort predatory loans. A Facebook account recovery scam. Notes from the hybrid war. Goodbye SHA-1, hello Leviathans.
A predatory loan app is discovered embedded in mobile apps. Facebook phishing. GPS disruptions are reported in Russian cities. NSA warns against dismissing Russian offensive cyber capabilities. Farewell, SHA-1. Kevin Magee from Microsoft looks at cyber signals. Our guest is Jason Witty of USAA to discuss the growing risk from quantum computing. And welcome to the world, Leviathans.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/240

Selected reading.
Zimperium teams discover new malware in Flutter developed apps (SecurityBrief Asia)
Meta-Phish: Facebook Infrastructure Used in Phishing Attack Chain (Trustwave)
GPS Signals Are Being Disrupted in Russian Cities (WIRED)
NSA cyber director warns of Russian digital assaults on global energy sector (CyberScoop)
Russia's cyber war machine in Ukraine hasn't lived up to Western hype. Report analyses why (ThePrint)
NIST Retires SHA-1 Cryptographic Algorithm (NIST)
Historic activation of the U.S. Army’s 11th Cyber Battalion (DVIDS)

Dec 15, 2022 • 29min
Updates on the cyber phases of a hybrid war. Alleged booters busted. Progress report from the US anti-ransomware task force. Suspicion in AIIMS hack turns toward China.
Trojanized Windows 10 installers are deployed against Ukraine. Alleged booters have been collared, and their sites disabled. A progress report on US anti-ransomware efforts. Suspicion in a cyberattack against India turns toward China. Bryan Vorndran from the FBI’s Cyber Division talks about deep fakes. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance (NCA) on the launch of their Historically Black Colleges and Universities Career Program. And hybrid war and fissures in the underworld.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/239

Selected reading.
Trojanized Windows 10 Operating System Installers Targeted Ukrainian Government (Mandiant)
Federal Prosecutors in Los Angeles and Alaska Charge 6 Defendants with Operating Websites that Offered Computer Attack Services (US Department of Justice)
Global crackdown against DDoS services shuts down most popular platforms | Europol (Europol)
Readout of Second Joint Ransomware Task Force Meeting (Cybersecurity and Infrastructure Security Agency)
US finds its ‘center of gravity’ in the fight against ransomware (The Record by Recorded Future)
AIIMS cyber attack may have originated in China, Hong Kong (The Times of India)
AIIMS Delhi Servers Were Hacked By Chinese, Damage Contained: Sources (NDTV.com)
Russia-Ukraine war reaches dark side of the internet (Al Jazeera)

Dec 14, 2022 • 29min
InfraGard data for sale. Cyberespionage warnings. Data sharing practices. Malicious drivers with legitimate signatures. Patch Tuesday. Task Force KleptoCapture indicts five Russian nationals.
The FBI’s InfraGard user data shows up for sale. An update on Iranian cyber operations. NSA warns of Chinese cyber threats. Challenges in sharing data for threat detection and prevention. Legitimately signed drivers are used in targeted attacks. Patch Tuesday addressed a lot of actively exploited issues. Tim Starks from the Washington Post Cybersecurity 202 shares his reporting on ICS vulnerabilities. Our guest is Mike Fey from Island with an introduction to the enterprise browser space. And the US indicts five Russian nationals on sanctions-evasion charges.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/238

Selected reading.
FBI’s Vetted Info Sharing Network ‘InfraGard’ Hacked (KrebsOnSecurity)
Would’ve, Could’ve, Should’ve…Did: TA453 Refuses to be Bound by Expectations (Proofpoint)
APT5: Citrix ADC Threat Hunting Guidance (NSA)
U.S. agency warns that hackers are going after Citrix networking gear (Reuters)
NSA Outs Chinese Hackers Exploiting Citrix Zero-Day (SecurityWeek)
Effect of data on Federal agencies' policies. (CyberWire)
I Solemnly Swear My Driver Is Up to No Good: Hunting for Attestation Signed Malware (Mandiant)
Driving Through Defenses | Targeted Attacks Leverage Signed Malicious Microsoft Drivers (SentinelOne)
SAP Security Patch Day December 2022 (Onapsis)
December 2022 Security Updates (Microsoft Security Response Center)
December Patch Tuesday Updates | 2022 - Syxsense Inc (Syxsense Inc)
Microsoft December 2022 Patch Tuesday fixes 2 zero-days, 49 flaws (BleepingComputer)
Microsoft Squashes Zero-Day, Actively Exploited Bugs in Dec. Update (Dark Reading)
Microsoft fixes exploited zero-day, revokes certificate used to sign malicious drivers (CVE-2022-44698) (Help Net Security)
Microsoft Releases December 2022 Security Updates (CISA)
Apple security updates (Apple Support)
We finally know why Apple pushed out that emergency 16.1.2 update (Macworld)
Why You Should Enable Apple’s New Security Feature in iOS 16.2 Right Now (Wirecutter)
Apple Releases Security Updates for Multiple Products (CISA)
Citrix ADC and Citrix Gateway Security Bulletin for CVE-2022-27518 (Citrix)
State-sponsored attackers actively exploiting RCE in Citrix devices, patch ASAP! (CVE-2022-27518) (Help Net Security)
Citrix Releases Security Updates for Citrix ADC, Citrix Gateway (CISA)
VMware Patches VM Escape Flaw Exploited at Geekpwn Event (SecurityWeek)
Experts detailed a previously undetected VMware ESXi backdoor (Security Affairs)
VMware Releases Security Updates for Multiple products (CISA)
Mozilla Releases Security Updates for Thunderbird and Firefox (CISA)
Adobe Patches 38 Flaws in Enterprise Software Products (SecurityWeek)
CISA Releases Three Industrial Control Systems Advisories (CISA)
Five Russian Nationals, Including Suspected FSB Officer, and Two U.S. Nationals Charged with Helping the Russian Military and Intelligence Agencies Evade Sanctions (US Department of Justice)
Russian Military and Intelligence Agencies Procurement Network Indicted in Brooklyn Federal Court (US Department of Justice)

Dec 13, 2022 • 25min
Uber’s breach. Phishing in Ukraine’s in-boxes. What’s Russia been up to anyway? (Not the same thing, probably, NATO would be up to.) And the ransomware leader board.
Uber sustains a third-party breach. A phishing campaign hits Ukrainian in-boxes. The enduring riddle of why Russian offensive cyber operations have failed in Ukraine. Joe Carrigan on credit card skimming. Carole Theriault describes a UK food store chain that uses facial recognition technology to track those with criminal or antisocial behavior. And 2023’s ransomware-as-a-service leader board.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/237

Selected reading.
Uber suffers new data breach after attack on vendor, info leaked online (BleepingComputer)
Uber has been hacked yet again with code and employee data released online (SiliconANGLE)
Uber hit by new data breach — what you need to know (Tom's Guide)
Uber’s data breach. (CyberWire)
Ukrainian railway, state agencies allegedly targeted by DolphinCape malware (The Record by Recorded Future)
Cyber Operations in Ukraine: Russia’s Unmet Expectations (Carnegie Endowment for International Peace)
The most prolific ransomware groups of 2022 (Searchlight Security)

Dec 12, 2022 • 27min
Ransomware updates: TrueBot, Cl0p, and Royal. Iranian cyberattacks. An update on the cyberattack against the Met. Notes on the hybrid war, with a focus on allies and outside actors.
TrueBot found in Cl0p ransomware attacks. Royal ransomware targets the healthcare sector. Recent Iranian cyber activity. A night at the opera: an update on the cyberattack against the Metropolitan Opera. New Cloud Atlas activity reported. Europe looks to the cybersecurity of its power grid. Rob Boyce from Accenture describes dark web actors diversifying their toolsets. Rick Howard explains fractional CISOs. And international support for Ukrainian cyber defense continues, more extensively and increasingly overtly.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/236

Selected reading.
Breaking the silence - Recent Truebot activity (Cisco Talos Blog)
New TrueBot Malware Variant Leveraging Netwrix Auditor Bug and Raspberry Robin Worm (The Hacker News)
TrueBot infections were observed in Clop ransomware attacks (Security Affairs)
Clop ransomware uses TrueBot malware for access to networks (BleepingComputer)
Royal Ransomware (US Department of Health and Human Services)
US Dept of Health warns of ‘increased’ Royal ransomware attacks on hospitals (The Record by Recorded Future)
Iran-Backed MuddyWater's Latest Campaign Abuses Syncro Admin Tool (Dark Reading)
MuddyWater Hackers Target Asian and Middle East Countries with Updated Tactics (The Hacker News)
New MuddyWater Campaign Uses Legitimate Remote Administration Tools to Deploy Malware (Cyber Security News)
Shows will go on at Met Opera despite cyber-attack that crashed network (ABC7 New York)
Cyberattack disrupts Metropolitan Opera (SC Media)
Cloud Atlas targets entities in Russia and Belarus amid the ongoing war in Ukraine (Check Point Research)
APT Cloud Atlas: Unbroken Threat (Positive Technologies)
European Electricity Sector Lacks Cyber Experts as Ukraine War Raises Hacking Risks (Wall Street Journal)
How the US has helped counter destructive Russian cyberattacks amid Ukraine war (The Hill)
The Australian company training Ukrainian veterans in cybersecurity (Australian Financial Review)
How Proton intends to thwart Russian cybercensorship with its VPN (HiTech Wiki)
Cyber Lessons Learned from the War in Ukraine (YouTube)
War in Ukraine Dominated Cybersecurity in 2022 (CNET)