CyberWire Daily

Guest Asheer Malhotra, Threat Researcher of Cisco Talos Intelligence Group, joins Dave to discuss his team's research "InSideCopy: How this APT continues to evolve its arsenal." Cisco Talos has observed an expansion in the activity of SideCopy malware campaigns, targeting entities in India. In the past, the attackers have used malicious LNK files and documents to distribute their staple C#-based RAT. We are calling this malware "CetaRAT." SideCopy also relies heavily on the use of Allakore RAT, a publicly available Delphi-based RAT.Recent activity from the group, however, signals a boost in their development operations. Talos has discovered multiple new RAT families and plugins currently used in SideCopy infection chains.Targeting tactics and themes observed in SideCopy campaigns indicate a high degree of similarity to the Transparent Tribe APT (aka APT36) also targeting India. These include using decoys posing as operational documents belonging to the military and think tanks and honeytrap-based infections.The research can be found here: InSideCopy: How this APT continues to evolve its arsenal blog post InSideCopy: How this APT continues to evolve its arsenal report Learn more about your ad choices. Visit megaphone.fm/adchoices

Smishing campaigns are seeking to exploit the unemployed. Initial access brokers seem not to have missed a beat, although some gangs are seeking to bypass them by trolling for rogue insiders. Are criminal enterprises vulnerable on the gig economy front? Criminal affiliates are disgruntled--good. Clearly, healthcare isn’t off the target list. Thomas Etheridge from CrowdStrike on eCrime Extortion. Chris Jacobs from ThreatQuotient joins us with a look back at BlackHat. Anup Gosh from Fidelis Cybersecurity, with insights on active defense.For links to all of today's stories check out our CyberWire daily news briefing:https://www.thecyberwire.com/newsletters/daily-briefing/10/151 Learn more about your ad choices. Visit megaphone.fm/adchoices

CISA announces a new public-private cybersecurity initiative. Prometheus TDS and Prophet Spider take their places in the C2C market. The money points to BlackMatter being a rebranded DarkSide. Andrea Little Limbago from Interos on Divergent trends of federal data privacy laws and government surveillance. Tonia Dudley from CoFense checks in from the BlackHat show floor. Our guest is Simon Maple from Snyk with a look at Cloud Native Application Security. And where some see naiveté, others see cautious optimism about putting fear in the hearts of ransomware gangs.For links to all of today's stories check out our CyberWire daily news briefing:https://www.thecyberwire.com/newsletters/daily-briefing/10/150 Learn more about your ad choices. Visit megaphone.fm/adchoices

APT31 casts its net into some waters that aren’t yet phished out. Vulnerabilities in the NicheStack TCP/IP stack are reported. LemonDuck may be outgrowing its beginnings as a cryptojacking botnet. A large marketing database is found exposed. NSA and CISA offer advice on securing Kubernetes clusters. Adam Darrah from ZeroFox checks in from the floor at BlackHat. Our guests are Nic Fillingham and Natalia Godyla from Microsoft’s Security Unlocked podcast. David Dufour from Webroot on the hidden costs of ransomware. And Huawei’s CFO returns to court as her extradition hearings enter their endgame.For links to all of today's stories check out our CyberWire daily news briefing:https://www.thecyberwire.com/newsletters/daily-briefing/10/149 Learn more about your ad choices. Visit megaphone.fm/adchoices

An apparent ransomware attack hits Italy’s online vaccine-scheduling service. A Chinese cyberespionage campaign hits Southeast Asian telcos enroute to high-value targets. Some strategic context for Beijing’s espionage. FatalRAT is spreading by Telegram. Crafty phishing spoofs SharePoint. Joe Carrigan has thoughts on HP's latest Threat Insights Report. Our guest is Marc Gaffan of Hysolate who reveals the “Enterprise Security Paradox”. Plus, Conversations with BlackMatter, and a look at the inside of ransomware negotiations.For links to all of today's stories check out our CyberWire daily news briefing:https://www.thecyberwire.com/newsletters/daily-briefing/10/148 Learn more about your ad choices. Visit megaphone.fm/adchoices

SVR may have compromised twenty-seven US Attorneys’ offices. Ransomware disruptions of a physical supply chain continue as South African ports reopen. EA hackers give up, and dump the source code they stole. Double extortion may not be paying off. A look at initial access brokers. Operation Top Dog yields indictments in an international fraud case. Rick Howard tackles enterprise backup strategies. Kevin Magee from Microsoft with lessons learned hiring multiple team members during COVID. And a decryptor for Prometheus ransomware is released.For links to all of today's stories check out our CyberWire daily news briefing:https://www.thecyberwire.com/newsletters/daily-briefing/10/147 Learn more about your ad choices. Visit megaphone.fm/adchoices

Historian and Curator at the International Spy Museum. Dr. Andrew Hammond, shares how he came to share the history of espionage and intelligence as a career. Starting out in the Royal Air Force when 9/11 happened, Andrew found himself trying to understand what was going on in the world. Studying history and international relations gave him some perspective and led him on his career path which included an introduction to museum industry at the 9/11 Museum. After a stint in academia in the UK, Andrew found his way back to the US and eventually ended up at the International Spy Museum in Washington, DC. He said one of the "greatest parts of the job being able to engage with the artifacts" and share their stories. We thank Andrew for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

President Biden's Cyber Executive Order includes provision for a software bill of materials in government contracts. It's a critical and necessary first measure for protecting the software supply chain. To defend against cyber attacks like the ones that affected SolarWinds and Colonial Pipeline, organizations also need transparency about the way the software in their supply chain behaves–how, and with whom, that software engages in and outside of their networks.In this episode of CyberWire-X, we explore how behavior transparency can give organizations an advantage by distinguishing between expected noise and indications of compromise..Guest and CyberWire Podcast Partner Caleb Barlow shares his insights with the CyberWire's Rick Howard, and Ben Higgins and Ted Driggs from sponsor ExtraHop offer their thoughts to the CyberWire's Dave Bittner. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Charity Wright, Cyber Threat Intelligence Expert in Recorded Future's Insikt Group, joins Dave to discuss her research "China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road". Through the Digital Silk Road Initiative (DSR), announced in 2015, the People’s Republic of China (PRC) is building an expansive global data infrastructure and exporting surveillance technologies to dictators and illiberal regimes throughout the developing world, in some cases trading technology for access to sensitive user data and facial recognition intelligence. Domestically, China uses this type of technology to assert authority over its citizens, censor the media, quell protests, and systematically oppress religious minorities. Now, over 80 countries are enabled to do the same with Chinese surveillance technology.The research can be found here:China’s Digital Colonialism: Espionage and Repression Along the Digital Silk Road Learn more about your ad choices. Visit megaphone.fm/adchoices

Cozy Bear’s active command-and-control servers are found, and people conclude that Moscow’s not too worried about American retaliation after all. Spyware found in an app for companies doing business in China. What to make (and not make) of the Iranian documents Sky News received. Phishing with Crimean bait. HTML smuggling may be enjoying a moderate surge. DoppelPaymer rebrands. Andrea Little Limbago from Interos on growing the next-gen of cyber. Our guest is Jamil Jaffer from IronNet Cybersecurity protecting the BlackHat Network Operations Center. And good news--that blackmailing bot really doesn’t know what you did this summer.For links to all of today's stories check out our CyberWire daily news briefing:https://www.thecyberwire.com/newsletters/daily-briefing/10/146 Learn more about your ad choices. Visit megaphone.fm/adchoices