

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Nov 23, 2022 • 24min
Watch out for abuse of pentesting tools. Cyber attack on Guadeloupe. Ducktail’s evolution. Cybersecurity for ports. ICS security advisories. And stay safe shopping during the holidays.
Another pentesting tool may soon be abused by threat actors. A cyberattack disrupts Guadeloupe. Ducktail evolves and expands. A warning about the disruption cyberattacks could cause to European ports. CISA releases eight industrial control system advisories. Patrick Tiquet, VP of Security and Architecture at Keeper Security, talks about the FedRAMP authorization process. Bryan Vorndran of the FBI Cyber Division with reflections on ransomware. And stay safe on Black Friday (and Cyber Monday, and Panic Saturday, and…you get the picture).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/225

Selected reading.
Nighthawk: An Up-and-Coming Pentest Tool Likely to Gain Threat Actor Notice (Proofpoint)
Making Cobalt Strike harder for threat actors to abuse (Google Cloud Blog)
Guadeloupe government fights 'large-scale' cyberattack (AP NEWS)
Vietnam-Based Ducktail Cybercrime Operation Evolving, Expanding (SecurityWeek)
Cyber as important as missile defences - ex-NATO general (Reuters)
CISA Releases Eight Industrial Control Systems Advisories (CISA)
Black Friday and Cyber Monday risks. (CyberWire)

Nov 22, 2022 • 21min
Recent criminal activity–it’s as opportunistic as ever. Cyber risk to the pharma sector. Updates on the hybrid war. Returning Cobalt Strike to the legitimate red teams.
Daixin Team claims a ransomware attack against AirAsia. DraftKings users suffer credential harvesting and paycard theft. Assessing cyber risk in the US pharmaceutical industry. Killnet claims successes few others can discern. In Ukraine, kinetic attacks on IT infrastructure eclipse cyberattacks. Carole Theriault on digital echo chambers and what's in it for us. Nancy Wang from Fortra's Alert Logic discusses how she is helping more young women get into the STEM field and leadership positions. Google seeks to render Cobalt Strike less useful to threat actors.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/224

Selected reading.
Daixin Team claims AirAsia ransomware attack with five million customer records leaked (Tech Monitor)
Daixin Ransomware Gang Steals 5 Million AirAsia Passengers' and Employees' Data (The Hacker News)
DraftKings Users Hacked, Money In Account "Cashed Out" (Action Network)
DraftKings says no evidence systems were breached following report of a hack (CNBC)
Assessing cyber risk in the US pharmaceutical industry. (CyberWire)
Killnet DDoS hacktivists target Royal Family and others (ComputerWeekly.com)
Ukraine Data Centers Became Physical Targets When Cyber Attacks Failed (Meritalk)
Making Cobalt Strike harder for threat actors to abuse (Google Cloud Blog)
Google seeks to make Cobalt Strike useless to attackers (Help Net Security)
Google Releases YARA Rules to Disrupt Cobalt Strike Abuse (Dark Reading)
Google releases 165 YARA rules to detect Cobalt Strike attacks (BleepingComputer)

Nov 21, 2022 • 25min
Callback phishing offers to solve your problem (it won’t). Mustang Panda’s recent activities. DEV0569’s malvertising campaign. 10 indicted in BEC case. Developing a cyber auxiliary force.
Luna Moth's callback phishing offers an unpleasant and less familiar form of social engineering. New activity by China's Mustang Panda is reported. DEV-0569 is using malvertising to distribute Royal ransomware. The US indicts 10 in a business email compromise case. Developing a cyber auxiliary. Dave Bittner sits down with AJ Nash from ZeroFox to discuss holiday scams. Our own Rick Howard speaks with us about cloud security. And beware of Black Friday scams.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/223

Selected reading.
Threat Assessment: Luna Moth Callback Phishing Campaign (Unit 42)
DEV-0569 finds new ways to deliver Royal ransomware, various payloads (Microsoft Security)
Earth Preta Spear-Phishing Governments Worldwide (Trend Micro)
EXCLUSIVE: Rounding up a cyber posse for Ukraine (The Record by Recorded Future)
Tech for good: How the IT industry is helping Ukraine (Computing)
10 Charged in Business Email Compromise and Money Laundering Schemes Targeting Medicare, Medicaid, and Other Victims (US Department of Justice)
Black Friday and Cyber Monday risks. (CyberWire)

Nov 20, 2022 • 8min
Omer Singer: The offense and the defense of cybersecurity. [Strategy] [Career Notes]
Omer Singer, Lead Cybersecurity Strategist at Snowflake, sits down to share his experience getting into the cybersecurity field. Growing up, he knew he wanted to work with computers, but he just didn't know what he wanted to do within the field. His college gave him great hands-on experience to then transition into the workforce. He's played both on the offense and defense of cybersecurity, and he says that experience showed him and he "kind of saw firsthand, uh, what a well funded and motivated, uh, team of cybersecurity experts can do and it's pretty scary." In addition, Omer is a big advocate for encouraging other security professionals to learn data skills, and strongly stands by the belief that the future of cybersecurity is in borrowing from modern data analytics tools and techniques that enable consistent risk reduction. He also makes it a priority to invest in his people, believing that this unlocks intrinsic motivation that enables a ton of personal growth and accomplishment, and is a big believer in the OKR system for enabling security operations and avoiding burnout. We thank Omer for sharing his story.

Nov 19, 2022 • 19min
Another infection with new malware. [Research Saturday]
Larry Cashdollar, Principal Security Intelligence Response Engineer at Akamai Technologies, joins Dave to talk about their research on "KmsdBot: The Attack and Mine Malware." Akamai's Security Research team has found a new malware that infected their honeypot, which they have dubbed KmsdBot. The research states "The malware attacks using UDP, TCP, HTTP POST, and GET, along with a command and control infrastructure (C2), which communicates over TCP." The botnet targets weak login credentials and then infects systems via an SSH connection.

The research can be found here:
KmsdBot: The Attack and Mine Malware

Nov 18, 2022 • 27min
Government security advisories, and the difficulty of recovering from ransomware attacks. Authority for offensive cyber under deliberation. Google wins Glupteba suit.
CISA and its partners issue a Joint Advisory on the Hive ransomware-as-a-service operation. Ransomware continues to trouble governments, internationally and at all levels. The US Defense Department may see enhanced authority to conduct offensive cyber operations. Russian attacks on Ukrainian infrastructure remain kinetic, as missiles show up, but cyberattacks don't. Kevin Magee from Microsoft on leveraging cybersecurity apprentices. Our guest is Paul Giorgi from XM Cyber describing creative attack paths in enterprise networks. And, hey, glupost' [GLUE-post]–don't mess with Google's lawyers.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/222

Selected reading.
CISA Alert AA22-321A – #StopRansomware: Hive Ransomware. (CyberWire)
#StopRansomware: Hive Ransomware (CISA)
Vanuatu: Hackers strand Pacific island government for over a week (BBC News)
Ransom attack cripples Vanuatu government systems, forces staff to use pen and paper (The Sydney Morning Herald)
Ransomware incidents now make up majority of British government's crisis management COBRA meetings (The Record by Recorded Future)
Suffolk County, N.Y., Hack Shows Ransomware Threat to Municipalities (Wall Street Journal)
Biden set to approve expansive authorities for Pentagon to carry out cyber operations (CyberScoop)
Red Lion Crimson (CISA)
Cradlepoint IBR600 (CISA)
A ruling in our legal case against the Glupteba botnet (Google)

Nov 18, 2022 • 3min
CISA Alert AA22-321A – #StopRansomware: Hive Ransomware. [CISA Cybersecurity Alerts]
The FBI, CISA, and the Department of Health and Human Services are releasing this alert to disseminate known Hive Ransomware Group indicators of compromise and TTPs identified through FBI investigations.

AA22-321A Alert, Technical Details, and Mitigations

Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.

Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.

No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

Nov 17, 2022 • 26min
Privileged insiders and the abuse of “Oops.” Nemesis Kitten exploits Log4Shell. TrojanOrders in the holiday season. Emotet’s back. RapperBot notes. And an arrest in the Zeus cybercrime case.
Meta employees and contractors compromised customer accounts. Nemesis Kitten found in a US Government network. Unpatched Magento instances hit with "TrojanOrders." Emotet has returned after three quiet months. DDoS attacks on game servers by RapperBot. Carole Theriault looks at long-term lessons learned from the 2019 Capital One breach. FBI Cyber Division AD Bryan Vorndran updates us on cyber threats. And an alleged "Zeus" cybercrime boss has been arrested in Switzerland.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/221

Selected reading.
Meta Employees, Security Guards Fired for Hijacking User Accounts (Wall Street Journal)
CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. (CyberWire)
Iranian Government-Sponsored APT Actors Compromise Federal Network, Deploy Crypto Miner, Credential Harvester (CISA)
Iranian government-linked hackers got into Merit Systems Protection Board's network (Washington Post)
Iranian hackers compromise US government network in cryptocurrency generating scheme, officials say (CNN)
Magento stores targeted in massive surge of TrojanOrders attacks (BleepingComputer)
A Comprehensive Look at Emotet's Fall 2022 Return (Proofpoint)
Notorious Emotet botnet returns after a few months off (Register)
Updated RapperBot malware targets game servers in DDoS attacks (BleepingComputer)
Russia's cyber forces 'underperformed expectations' in Ukraine: senior US official (The Hill)
Suspected Zeus cybercrime ring leader 'Tank' arrested by Swiss police (BleepingComputer)

Nov 16, 2022 • 25min
Getting tangled up in the blockchain. RDS vulnerabilities. The language of fraud. An offer of help to the G19.
Blockchains and cryptocurrency exchanges, and the risks they present. Vulnerabilities in Amazon RDS may expose PII. A study of the language of fraud. Tim Starks from the Washington Post's Cybersecurity 202 on a lagging DHS cyber doomsday report. Our guest is Ashif Samnani of Cenovus Energy with insights from the world of OT cyber. And President Zelenskyy offers the benefit of Ukraine's experience with cyber warfare to the "G19".

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/220

Selected reading.
Cryptocurrency sector vulnerabilities. (CyberWire)
Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots (Mitiga)
Amazon RDS may expose PII. (CyberWire)
The specious language of fraud. (CyberWire)
Zelensky offers G20 leaders to use Ukrainian experience in cyber defense (Ukrinform)
Ukraine at D+265: A missile campaign punctuates diplomacy. (CyberWire)

Nov 16, 2022 • 3min
CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. [CISA Cybersecurity Alerts]
From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch organization where CISA observed suspected advanced persistent threat activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.

AA22-320A Alert, Technical Details, and Mitigations
Malware Analysis Report MAR 10387061-1.v1

For more information on Iranian government-sponsored malicious cyber activity, see CISA's Iran Cyber Threat Overview and Advisories webpage and FBI's Iran Threats webpage.

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.


