

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Sep 13, 2022 • 30min
Apple patches. Reviewing the cyber phase of a hybrid war. ShadowPad’s return. Phishing from the Static Expressway. Medical device threats. Security trends. Charming Kitten’s social engineering.
Apple patches its software. Reviewing the cyber phase of a hybrid war. The return of the (ShadowPad) alumni. Phishing from the Static Expressway. The state of cloud security. Overconfidence comes at a cost. Ann Johnson of Afternoon Cyber Tea speaks with Dr. Josephine Wolff from the Fletcher School about cyber insurance past. My conversation with FBI special agents Tom Sobocinski and Tom Breeden. And Charming Kitten and group-think in social engineering.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/176
Selected reading:
Apple security updates (Apple Support)
Ukraine Cyber War Update September 2022 (CyberCube)
New Wave of Espionage Activity Targets Asian Governments (Broadcom Software Blogs)
Chinese gov’t hackers using ‘diverse’ toolset to target Asian prime ministers, telecoms (The Record by Recorded Future)
Leveraging Facebook Ads to Send Credential Harvesting Links (Avanan)
Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities (FBI)
CFO Cyber Security Survey: Over-Confidence is Costly (Kroll)
Snyk’s State of Cloud Security Report Reveals 80% of Organizations Have Experienced a Severe Cloud Security Incident in Past Year (Snyk)
Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO (Proofpoint)
Iranian military using spoofed personas to target nuclear security researchers (The Record by Recorded Future)
Alleged cyber commander of Iran’s Revolutionary Guard named by opposition outlet (Times of Israel)

Sep 12, 2022 • 26min
Albania reports more Iranian cyberattacks. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet.
Albania reports additional cyberattacks from Iran over the weekend. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet. Kinetic strikes hit Ukraine’s infrastructure. Rick Howard calculates risk with classic mathematical theorems. Tim Eades from Cyber Mentor Fund on the dynamic nature of the attack surface. And a look into the cyber phase of the hybrid war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/175
Selected reading:
Albania blames Iran for second cyberattack since July (CNN)
Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities (US Department of the Treasury)
Iran strongly condemns US sanctions over Albania hacking (Al Arabiya)
Six months into Breached: The legacy of RaidForums? (KELA)
2022 State of the Internet Report (Censys)
Ukraine hails snowballing offensive, blames Russia for blackouts (Reuters)
Ukraine says Russia is retaliating by hitting critical infrastructure, causing blackouts. (New York Times)
Last reactor at Ukraine’s Zaporizhzhia nuclear plant stopped (Associated Press)
Ukraine Warns Russian Cyber Onslaught Is Coming (Voice of America)
Montenegro wrestles with massive cyberattack, Russia blamed (ABC News)
CyberCube: Russia’s Sovereign Internet Creates Security Risks With Implications for Cyber (Re)Insurance While War in Ukraine Develops (Associated Press)

Sep 11, 2022 • 9min
Mark Logan: March towards your goals. [CEO] [Career Notes]
Mark Logan, CEO of One Identity, sits down to share his story, explaining how he fit into different roles growing up in different companies. Mark has nearly two decades of C-Suite experience at an array of different organizations, finally landing on his current position as the CEO at One Identity. Sharing his different roles, he also gives a quote from Steve Jobs, saying "it's not what I say yes to, it's what I say no to." He believes that's a key area for his workers because when he is able to make up his mind, his team and his customers have someone they can rely on. Mark says that as a CEO he wants to share the advice of always marching towards your goals, and identifying that different people have different goals because they work in different fields, but that's what makes a company work best. He says "I've found that the more you can delegate, provided you've got the right folks in place the better." We thank Mark for sharing his story.

Sep 10, 2022 • 22min
Evilnum APT returns with new targets. [Research Saturday]
Deepen Desai from Zscaler ThreatLabz joins Dave to discuss their work on "Return of the Evilnum APT with updated TTPs and new targets." Zscaler’s ThreatLabz team recently caught a new Evilnum APT attack campaign that uses the document template in MS Office Word to inject a malicious payload into the victim's machine. Three new instances of the campaign were used, including updated tactics, techniques, and procedures.
Researchers have been closely monitoring Evilnum APT’s activity. They say ThreatLabz identified several domains associated with the Evilnum APT group, which has led them to discover that the "group has been successful at flying under the radar and has remained undetected for a long time."
The research can be found here: Return of the Evilnum APT with updated TTPs and new targets

Sep 9, 2022 • 32min
Threats to US elections. Lazarus Group targeting energy companies. Gaming-related threats.
Nation-states are expected to target the US midterm elections. North Korea’s Lazarus Group is targeting energy companies. Ukraine’s Ministry of Digital Transformation on cyber lessons learned from Russia’s hybrid war against Ukraine. CISA flags twelve known exploited vulnerabilities for attention and remediation. Vulnerable anti-cheat engines used for malicious purposes. Steve Carter from Nucleus Security has thoughts on AI in cybersecurity. Roland Cloutier, former CSO of TikTok, discusses working around the changing career field, needs, and how enterprise executives are developing and finding talent. And a look at top gaming-related malware lures.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/174
Selected reading:
Mandiant ‘highly confident’ foreign cyberspies will target US midterm elections (The Register)
What to Expect When You’re Electing: Preparing for Cyber Threats to the 2022 U.S. Midterm Elections (Mandiant)
North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies (TechCrunch)
Lazarus and the tale of three RATs (Cisco Talos)
How Gaming Cheats Are Cashing in Below the Operating System (Eclypsium)
Good game, well played: an overview of gaming-related cyberthreats in 2022 (Securelist)
Cybercriminals target games popular with kids to distribute malware (The Register)
CISA Adds Twelve Known Exploited Vulnerabilities to Catalog (CISA)

Sep 8, 2022 • 27min
Bronze President shows both enduring interests and adaptability. Iranian threat actor activity reported. Cybersecurity and small-to-medium businesses.
Bronze President shows both enduring interests and adaptability. Iranian threat actor activity is reported. Cybersecurity and small-to-medium businesses. An initial access broker repurposes Conti's old playbook for use against Ukraine. Johannes Ullrich from SANS on Scanning for VoIP Servers. Our guest is Ian Smith from Chronosphere on observability. And Kyivstar as a case study in telco resiliency.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/173
Selected reading:
BRONZE PRESIDENT Targets Government Officials (Secureworks)
APT42: Crooked Charms, Cons, and Compromises (Mandiant)
Profiling DEV-0270: PHOSPHORUS’ ransomware operations (Microsoft)
Albania cuts diplomatic ties with Iran over July cyberattack (The Washington Post)
Initial access broker repurposing techniques in targeted attacks against Ukraine (Google)
Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (IBM SecurityIntelligence)
Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (BleepingComputer)
Ukraine’s largest telecom stands against Russian cyberattacks (POLITICO)

Sep 7, 2022 • 25min
Albania attributes major cyberattack to Iran. TikTok denies breach. New Linux malware.
The Albanian government attributes a disruptive cyber attack to Iran. TikTok says it’s found no evidence of a data breach. Researchers have discovered a new strain of Linux malware. US agencies warn of ransomware targeting the education sector. Finland prepares to increase its cybersecurity capacity. Deepen Desai from Zscaler on the latest updates to Raccoon Stealer. Our guest is Lance Spitzner from the SANS Institute with results of their recent Security Awareness Report. And a fond farewell to the father of Let’s Encrypt.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/172
Selected reading:
Albania cuts Iran ties over cyberattack, U.S. vows further action (Reuters)
Statement by NSC Spokesperson Adrienne Watson on Iran’s Cyberattack against Albania (The White House)
TikTok Data Breach Exposing 2B Records And Source Code May Not Have Happened After All (Hot Hardware)
TikTok Denies Data Breach Reportedly Exposing Over 2 Billion Users' Information (The Hacker News)
Shikitega - New stealthy malware targeting Linux (AT&T Alien Labs)
#StopRansomware: Vice Society (CISA)
Peter Eckersley, tech activist and founder of Let's Encrypt, dies at 43 (Techspot)
Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone (Electronic Frontier Foundation)

Sep 6, 2022 • 3min
CISA Alert AA22-249A – #StopRansomware: Vice Society. [CISA Cybersecurity Alerts]
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, or MS-ISAC, are releasing this advisory to disseminate indicators of compromise and TTPs associated with Vice Society actors and their ransomware campaigns. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks.
AA22-249A Alert, Technical Details, and Mitigations
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Sep 6, 2022 • 30min
Notes on the C2C market. A new cyberespionage threat actor has surfaced. Sharkbot made a brief return to Google Play. Privateering and catphishing in the hybrid war.
A Phishing-as-a-service offering on the dark web bypasses MFA. The Worok cyberespionage group is active in Central Asia and the Middle East. Prynt Stealer and the evolution of commodity malware. Sharkbot malware reemerged in Google Play. BlackCat/ALPHV claims credit for attack on the Italian energy sector. Joe Carrigan shares stats on social engineering. Our guest is Angela Redmond from BARR Advisory with six cybersecurity KPIs. And the Los Angeles Unified School District was hit with ransomware.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/171
Selected reading:
EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (Resecurity)
Worok: The big picture (WeLiveSecurity)
Dev backdoors own malware to steal data from other hackers (BleepingComputer)
The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals (Security Affairs)
Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (The Hacker News)
SharkBot malware sneaks back on Google Play to steal your logins (BleepingComputer)
BlackCat ransomware claims attack on Italian energy agency (BleepingComputer)
11.84GB of United States Military Contractor and Military Reserve data has been leaked. (vx-underground)
Hackers honeytrap Russian troops into sharing location, base bombed: Report (Newsweek)
LAUSD hit by hackers in apparent cyber attack (FOX 11 Los Angeles)
Los Angeles Unified Targeted by Ransomware Atta (Los Angeles Unified School District)

Sep 4, 2022 • 9min
Anjali Hansen: Cross team collaboration works best. [Privacy Counsel] [Career Notes]
Anjali Hansen, a senior privacy counselor from Noname Security, shares her story of how she climbed through the ranks to get to where she is today. When Anjali started, she wanted to do international law. She started working for the International Trade Commission after law school, which is where she was able to gain most of her experience and real-world abilities. Working with online fraud and abuse, she shares, concerned her because it felt like governments could not protect organizations from threats occurring, which is how she got interested in cyber crime. From there, she moved to Noname Security, where she found that she is working with every group in the organization, creating a cross-team collaboration, a type of model she admires. She says "We have to help other departments protect the data because the data's throughout an organization, it's in HR, it's in sales and marketing, it's in IT, it's in finance. So you have to be able to work with all these teams." We thank Anjali for sharing her story.


