CyberWire Daily

Guest Yonatan Striem-Amit joins us from Cybereason to share their Nocturnus Team research into Kimsuky. The Cybereason Nocturnus Team has been tracking various North Korean threat actors, among them the cyber espionage group known as Kimsuky, (aka: Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to be operating on behalf of the North Korean regime. The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe.The research can be found here:Back to the Future: Inside the Kimsuky KGH Spyware Suite Learn more about your ad choices. Visit megaphone.fm/adchoices

Lebanon Cedar is quietly back, and running a cyberespionage campaign through vulnerable servers. Social engineering of vulnerability researchers is now attributed to the Lazarus Group. That “SolarWinds” incident is a lot bigger than SolarWinds. Notes on social media and the short squeeze. Verizon’s Chris Novak looks at the changing landscape of ransomware payments. Our guest Professor Brian Gant from Maryville University examines cybersecurity threats of the new U.S. administration. And the GAO thinks the US State Department should use “data and evidence.”For links to all of today's stories check out our CyberWire daily news brief:https://www.thecyberwire.com/newsletters/daily-briefing/10/19 Learn more about your ad choices. Visit megaphone.fm/adchoices

Updates from CISA on Supernova. US Cyber Command recommends patching Sudo quickly. US and Bulgarian authorities take down the NetWalker ransomware-as-a-service operation. Influencers drive a big short-squeeze in the stock market. Thomas Etheridge from CrowdStrike on Recovering from a ransomware event. Our guest Zack Schuler from Ninjio examines the security challenges of Work From Anywhere. And another influencer is charged with conspiracy to deprive people of their right to vote.For links to all of today's stories check out our CyberWire daily news brief:https://www.thecyberwire.com/newsletters/daily-briefing/10/18 Learn more about your ad choices. Visit megaphone.fm/adchoices

Europol leads an international, public-private, takedown of Emotet. Four security companies describe their brushes with the compromised SolarWinds Orion supply chain. Solorigate is one of the issues US President Biden raised in his first phone call with Russian President Putin. New vulnerabilities and threats described. Our guest Michael Hamilton of CI Security questions how realistic CISA's latest guidance on agency forensics may be. Joe Carrigan looks at bad guys taking advantage of Google Forms. And the Internet is back in business on the US East Coast.For links to all of today's stories check out our CyberWire daily news brief:https://www.thecyberwire.com/newsletters/daily-briefing/10/17 Learn more about your ad choices. Visit megaphone.fm/adchoices

Google reports North Korean social engineering of vulnerability researchers. Anonymous resurfaces, maybe, and tells Malaysia’s government it’s not happy with them. Notes on false credentialism and workforce development from the National Governors Association cyber summit. Kevin Magee from Microsoft Canada on the launch of the Rogers Cybersecurity Catalyst at Ryerson University to support Canadian Cybersecurity Startups. Our guest is James Stanger from CompTIA on their ultimate DDoS guide. And does America need a Cyber Force? Some think so.For links to all of today's stories check out our CyberWire daily news brief:https://www.thecyberwire.com/newsletters/daily-briefing/10/16 Learn more about your ad choices. Visit megaphone.fm/adchoices

Russia’s FSB warns businesses to be on the lookout for American cyberattacks after the White House says it’s reserving its right to respond to the Solorigate cyberespionage campaign. SonicWall investigates an apparent compromise of its systems. Senator asks the US DNI for an explanation of DIA purchases of geolocation data from commercial vendors. OPC issues described. Andrea Little Limbago from Interos on the tech "naughty list" of restricted or sanctioned companies. Rick Howard previews his first principles analysis of Microsoft Azure. And a happy birthday to the word “robot,” now one-hundred years young.For links to all of today's stories check out our CyberWire daily news brief:https://www.thecyberwire.com/newsletters/daily-briefing/10/15 Learn more about your ad choices. Visit megaphone.fm/adchoices

Program Director for Public Policy and External Affairs at the University of Maryland's Center for Health and Homeland Security Ben Yelin shares his journey from political junkie to Fourth Amendment specialist. Several significant life defining political developments like the disputed 2000 election, 9/11, and the Iraqi war occurred during his formative years that shaped Ben's interest in public policy and his desire to pursue a degree in law. An opportunity to be a teaching assistant turned out to be one of those sliding door scenarios that led Ben to where he is now, a lawyer in the academic and consulting worlds specializing in cybersecurity and digital privacy issues. Through his work, Ben hopes to elevate the course of the debate on these very important issues. And, we thank Ben for sharing his story with us. Learn more about your ad choices. Visit megaphone.fm/adchoices

Guest Mark Arena from Intel471 joins us to discuss his team's research into Trickbot and its evolution from a banking trojan to a long-standing, most likely well-resourced operation that was taken down last year. Mark shares some insight into Trickbot's order of operations and what went on behind the scenes that his team working with Brian Krebs were able to discover.Since the separate and independent actions taken against Trickbot, Intel471 has observed successful disruption of its command and control infrastructure. However, the actors linked to Trickbot have not ceased their criminal activities. These actors have continued engaging in ransomware activity, using BazarLoader instead of Trickbot. Intel471 is unable to assess the long-term impact of the Trickbot disruption activity or whether Trickbot will continue to be used by cybercrime groups. This analysis covers the period from Sept. 22, 2020 until Nov. 6, 2020.The research can be found here:Trickbot down, but is it out? Learn more about your ad choices. Visit megaphone.fm/adchoices

Twice, it’s maybe an indicator. Once, it’s nuthin’ at all...to the machines. The Reserve Bank of New Zealand works to clean up its data sources. Wormy student laptops. Daily Food Diary is a glutton for your data. Ransom DDoS. Caleb Barlow examines how we handle disinformation in our runbooks and response plans. Our guest Ron Gula from Gula Tech Adventures shares his thoughts on proper public cyber response to the SolarWinds attack. And should we worry about that White House Peloton?For links to all of today's stories check out our CyberWire daily news brief:https://www.thecyberwire.com/newsletters/daily-briefing/10/14 Learn more about your ad choices. Visit megaphone.fm/adchoices

Microsoft researchers detail the lengths to which the Solorigate threat actor went to stay undetected and establish persistence. LuckyBoy malvertising is described. Business email compromise as a reconnaissance technique? More reminders about the risks that accompany remote work. Ben Yelin looks at cyber policy issues facing the Biden administration. Rick Howard speaks with Frank Duff from Mitre on their ATT&CK Evaluation Program. And good riddance to the Joker’s Stash (we hope).For links to all of today's stories check out our CyberWire daily news brief:https://www.thecyberwire.com/newsletters/daily-briefing/10/13 Learn more about your ad choices. Visit megaphone.fm/adchoices