CyberWire Daily

N2K Networks
Nov 16, 2022 • 25min

Getting tangled up in the blockchain. RDS vulnerabilities. The language of fraud. An offer of help to the G19.
Draft Episode for Nov 16, 2022

Blockchains and cryptocurrency exchanges, and the risks they present. Vulnerabilities in Amazon RDS may expose PII. A study of the language of fraud. Tim Starks from the Washington Post's Cybersecurity 202 on a lagging DHS cyber doomsday report. Our guest is Ashif Samnani of Cenovus Energy with insights from the world of OT cyber. And President Zelenskyy offers the benefit of Ukraine's experience with cyber warfare to the "G19".

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/220

Selected reading.
Cryptocurrency sector vulnerabilities. (CyberWire)
Oops, I Leaked It Again — How Mitiga Found PII in Exposed Amazon RDS Snapshots (Mitiga)
Amazon RDS may expose PII. (CyberWire)
The specious language of fraud. (CyberWire)
Zelensky offers G20 leaders to use Ukrainian experience in cyber defense (Ukrinform)
Ukraine at D+265: A missile campaign punctuates diplomacy. (CyberWire)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Nov 16, 2022 • 3min

CISA Alert AA22-320A – Iranian government-sponsored APT actors compromise federal network, deploy crypto miner, credential harvester. [CISA Cybersecurity Alerts]

From mid-June through mid-July 2022, CISA conducted an incident response engagement at a Federal Civilian Executive Branch organization where CISA observed suspected advanced persistent threat activity. In the course of incident response activities, CISA determined that cyber threat actors exploited the Log4Shell vulnerability in an unpatched VMware Horizon server, installed XMRig crypto mining software, moved laterally to the domain controller, compromised credentials, and then implanted Ngrok reverse proxies on several hosts to maintain persistence.

AA22-320A Alert, Technical Details, and Mitigations
Malware Analysis Report MAR 10387061-1.v1

For more information on Iranian government-sponsored malicious cyber activity, see CISA’s Iran Cyber Threat Overview and Advisories webpage and FBI’s Iran Threats webpage.

CISA offers several no-cost scanning and testing services to help organizations reduce their exposure to threats by taking a proactive approach to mitigating attack vectors. See www.cisa.gov/cyber-hygiene-services

U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email dib_defense@cyber.nsa.gov

To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, call (888) 282-0870, or report incidents to your local FBI field office.
Nov 15, 2022 • 25min

An update on three threat actors: Fangxiao, Killnet, and Billbug, one of them in it for money, another for the glory, and a third for the intel. Twitter and SMS 2FA. Zendesk patches. CISA adds a KEV.

Fangxiao works ad scams en route to other compromises. Killnet claims to have defaced a US FBI site. CISA registers another Known Exploited Vulnerability. Difficulties with Twitter's SMS 2FA system. Zendesk vulnerability discovered. Joe Carrigan explains registration bombing for email addresses. Our guest is Miles Hutchinson from Jumio with insights on defense against sophisticated ransomware attackers. And Billbug romps through Asian government agencies.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/219

Selected reading.
Fangxiao: a Chinese threat actor (Cyjax)
Fangxiao: A Phishing Threat Actor (Tripwire)
Russian hackers claim cyber attack on FBI website (Newsweek)
CISA Has Added One Known Exploited Vulnerability to Catalog (CISA)
Twitter’s SMS Two-Factor Authentication Is Melting Down (WIRED)
Varonis Threat Labs Discovers SQLi and Access Flaws in Zendesk (Varonis)
Billbug: State-sponsored Actor Targets Cert Authority, Government Agencies in Multiple Asian Countries (Symantec)
Chinese hackers target government agencies and defense orgs (BleepingComputer)
Researchers Say China State-backed Hackers Breached a Digital Certificate Authority (The Hacker News)
Nov 14, 2022 • 28min

Software supply chains, C2C markets, criminals, and cyber auxiliaries in a hybrid war. CISA releases its Stakeholder Specific Vulnerability Categorization (SSVC).

Software supply chain risk. Cyber risk across sectors. CISA releases Stakeholder Specific Vulnerability Categorization (SSVC). Sandworm is back in Russia's hybrid war. Another wiper campaign from a Russian cyber auxiliary. Malek Ben Salem from Accenture shares thoughts on future-proofing cloud security. Rick Howard previews the latest CSO Perspectives show. And the Australian Federal Police say they know who hacked Medibank (and the AFP says it has a good track record of getting international criminals).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/218

Selected reading.
Exclusive: Russian software disguised as American finds its way into U.S. Army, CDC apps (Reuters)
Industries boost cyber defenses against growing number of attacks (Moody's)
CISA Releases SSVC Methodology to Prioritize Vulnerabilities (CISA)
Transforming the Vulnerability Management Landscape (CISA)
Russian Sandworm hackers deployed malware in Ukraine and Poland (Washington Post)
New “Prestige” ransomware impacts organizations in Ukraine and Poland (Microsoft)
Microsoft links Russia’s military to cyberattacks in Poland and Ukraine (Ars Technica)
Microsoft attributes ‘Prestige’ ransomware attacks on Ukraine and Poland to Russian group (The Record by Recorded Future)
Wipe it or exfiltrate? How Russia exploits edge infrastructure to disrupt and spy during wartime (SC Media)
Russia’s New Cyberwarfare in Ukraine Is Fast, Dirty, and Relentless (WIRED)
Russian military hackers linked to ransomware attacks in Ukraine (BleepingComputer)
Information on cyberattacks of the group UAC-0118 (FRwL) using the Somnia malware (CERT-UA#5185) (CERT-UA)
Ukraine says Russian hacktivists use new Somnia ransomware (BleepingComputer)
Russian hacktivists hit Ukrainian orgs with ransomware - but no ransom demands (Help Net Security)
Development of the Ukrainian Cyber Counter-Offensive (Trustwave)
Australian Federal Police say cybercriminals in Russia behind Medibank hack (The Record by Recorded Future)
Australia tells Medibank hackers: 'We know who you are' (TechCrunch)
Nov 13, 2022 • 8min

Lauren Campanara: Learn to forgive yourself. [SOC Analyst] [Career Notes]

Lauren Campanara, a SOC Analyst from ThreatX, shares her story as she made the decision to break into cybersecurity after spending twelve years in the cosmetology field. She worked her way through college in a job she did not enjoy and felt trapped in while completing her online degree. She found ThreatX and fell in love with the work she is doing now. Lauren hopes to inspire others, especially women, to consider a challenging and rewarding career in cybersecurity. She shares what it's like to be in a field she was not happy in and how she was the only one standing in her way to achieve her goals. She says "Another huge obstacle worth mentioning is learning to get out of my own way. You are your own worst critic. I learned to be more forgiving of myself." She hopes her story will inspire others to follow their dreams and stop holding themselves back.
Nov 12, 2022 • 14min

An in-depth look at the Crytox ransomware family. [Research Saturday]

Deepen Desai from Zscaler sits down with Dave to talk about the Crytox ransomware family. First observed in 2020, Crytox is a ransomware family consisting of several stages of encrypted code that has fallen under the radar compared to other ransomware families. While other groups normally use double extortion attacks where data is both encrypted and held for ransom, Crytox does not perform this way.

The research says "The modus operandi of the group is to encrypt files on connected drives along with network drives, drop the uTox messenger application and then display a ransom note to the victim." It also shares how you may be compromised with this ransomware and goes through each stage in depth.

The research can be found here:
Technical Analysis of Crytox Ransomware
Nov 10, 2022 • 32min

US midterms conclude without cyber interference. NATO on cyber defense. New APT41 activity identified. Russia’s FSB and SVR continue cyberespionage. Trends in phishing and API risks.

There’s no sign that cyberattacks affected US vote counts. NATO meets to discuss the Atlantic Alliance’s Cyber Defense Pledge. A new APT41 subgroup has been identified. FSB phishing impersonates Ukraine's SSSCIP. A look at Cozy Bear's use of credential roaming. Caleb Barlow shares tips on removing implicit bias from your hiring process. Our guests are Valerie Abend and Lisa O'Connor from Accenture with a look at the difference in how women and men pursue the top cyber leadership roles. And an update on phishing trends and API threats.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/217

Selected reading.
Statement from CISA Director Easterly on the Security of the 2022 Elections (Cybersecurity and Infrastructure Security Agency)
No ‘Specific or Credible’ Cyber Threats Affected Integrity of Midterms, CISA Says (Nextgov.com)
U.S. vote counting unaffected by cyberattacks, officials say (PBS NewsHour)
What's 'Putin's chef' cooking up with talk on US meddling? (AP NEWS)
NATO’s 2022 Cyber Defense Pledge Conference (United States Department of State)
Japan joins NATO cyber defense centre (Telecoms Tech News)
China casts wary eye as Japan signs up for Nato cybersecurity platform (South China Morning Post)
Hack the Real Box: APT41’s New Subgroup Earth Longzhi (Trend Micro)
New hacking group uses custom 'Symatic' Cobalt Strike loaders (BleepingComputer)
They See Me Roaming: Following APT29 by Taking a Deeper Look at Windows Credential Roaming (Mandiant)
APT29 Exploited a Windows Feature to Compromise European Diplomatic Entity Network (The Hacker News)
CAUTION‼️ russian hackers are sending emails with malicious links from the SSSCIP (State Service of Special Communications and Information Protection of Ukraine)
Russian hackers send out emails under the name of Ukraine's State Service of Special Communications and Information Protection (Yahoo)
Research Report | The State of Email Security 2022 (Tessian)
DevOps Tools & Infrastructure Under Attack (Wallarm)
Nov 9, 2022 • 22min

A look back at midterm cybersecurity. Communications security lessons learned in Ukraine. Known Exploited Vulnerabilities and Patch Tuesday. Off-boarding deserves some attention.

US midterm elections proceed without cyber disruption. Communications security lessons learned. CISA publishes new entries to its Known Exploited Vulnerabilities Catalog. Patch Tuesday notes. Carole Theriault examines cross-border money laundering. The FBI’s Bryan Vorndran offers guidance on how companies should think about their exposure in China. And a recent study finds reasons to be concerned about off-boarding.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/216

Selected reading.
Taking a look at election security on US midterm Election Day. (CyberWire)
Communications Security: Lessons Learned From Ukraine (BlackBerry)
CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)
Microsoft November 2022 Patch Tuesday (SANS Institute)
November Patch Tuesday Updates | 2022 (Syxsense Inc)
Microsoft Fixes Six Actively Exploited Flaws (Decipher)
Microsoft fixes ProxyNotShell Exchange zero-days exploited in attacks (BleepingComputer)
Microsoft Scrambles to Thwart New Zero-Day Attacks (SecurityWeek)
Infrastructure access and security. (CyberWire)
Nov 8, 2022 • 27min

Cybersecurity on US Election Day. OPERA1ER threat activity. Insider threats. Hacktivist auxiliaries: influence operators in the hybrid war. And Mr. Hushpuppi is back in the news.

Cybersecurity on US Election Day. Details on the OPERA1ER threat activity. Seasonal and secular trends in insider threats. Hacktivist auxiliaries: influence operators in the hybrid war. Ben Yelin reviews election security and misinformation. Ann Johnson from Afternoon Cyber Tea speaks with Dr. Ryan Louie about the growing issue of mental illness among cybersecurity professionals. And, hey everybody, Mr. Hushpuppi is back in the news (and back in the slammer, the hoosgow, the big house…you get the picture…a sabbatical at Club Fed.)

Disclaimer: The content and views expressed do not constitute medical advice and are not a substitute for professional medical advice, diagnosis, or treatment. If you need help, please contact your medical provider.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/215

Selected reading.
Your Election Day cyber guide (Washington Post)
Putin-linked businessman admits to US election meddling (AP NEWS)
OPERA1ER: Playing god without permission (Group-IB)
DTEX i3 Team Insider Risk Stats for 2022 (DTEX Systems Inc)
Killnet targets Eastern Bloc government sites, but fails to keep them offline (The Record by Recorded Future)
Ukrainian hacktivists claim to leak trove of documents from Russia’s central bank (The Record by Recorded Future)
Notorious Nigerian influencer ‘Billionaire Gucci Master’ sentenced to 11 years in jail in the U.S. for fraud (Forbes)
Hushpuppi: Notorious Nigerian fraudster jailed for 11 years in US (BBC)
Nov 7, 2022 • 26min

Election security on the eve of the US midterms. US FBI rates the hacktivist threat. Microsoft says China uses disclosure laws to develop zero-days. Remember Silk Road? The Feds do.

Election security on the eve of the US midterms. US FBI rates hacktivist contributions to Russia's war as unimportant. Microsoft accuses China of using vulnerability disclosure to develop zero-days. Andrea Little Limbago from Interos addresses accountability for breaches. Our guest is Michelle Amante from the Partnership for Public Service on their Cybersecurity Talent Initiative. And, finally, remember Silk Road? The Feds do.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/214

Selected reading.
Hacktivists Use of DDoS Activity Causes Minor Impacts (FBI)
The government says it won’t flag election disinformation on Twitter and other social platforms (Washington Post)
What to Expect When You are Expecting an Election (CISA)
Nation-state cyberattacks become more brazen as authoritarian leaders ramp up aggression (Microsoft On the Issues)
U.S. Attorney Announces Historic $3.36 Billion Cryptocurrency Seizure And Conviction In Connection With Silk Road Dark Web Fraud (U.S. Attorney’s Office for the Southern District of New York)