The CyberWire Daily

By CyberWire, Inc.

Listen to a podcast, please open Podcast Republic app. Available on Google Play Store.


Category: Tech News

Open in Apple Podcasts


Open RSS feed


Open Website


Rate for this podcast

Subscribers: 1005
Reviews: 5

CyberGirl
 Oct 28, 2020
An excellent resource for the cyber news of the day, without the extra "fluff". NOTE: this is NOT an educational podcast, it is strictly distilled news.

Matt Aguirre
 Mar 10, 2019


 Jan 16, 2019

Average Joe
 Dec 12, 2018
This is a great source for a daily overview of what happened in Cyber Security and IT!

Mikey
 Nov 11, 2018
Although I enjoy listening, it's like a new language which I'm slowly learning. I wish some more time was given to background regarding malware.

Description

The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Episode Date
More on that Solorigate threat actor, especially its non-SolarWinds activity. Chimera’s new target list. Executive Order on reducing IaaS exploitation. The case of the stolen laptop.
1382
Another security company discloses a brush with the threat actor behind Solorigate. Advice on hardening Microsoft 365 against that same threat actor. Chimera turns out to be interested in airlines as well as semiconductor manufacturing intellectual property. Former President Trump’s last Executive Order addresses foreign exploitation of Infrastructure-as-a-Service products. Joe Carrigan looks at a hardware key vulnerability. Our guest is Chris Eng from Veracode with insights from their State of Software Security report. And investigation of that laptop stolen from the Capitol continues. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/12
Jan 20, 2021
EMA emails altered before release in apparent disinformation effort. Vishing rising. Another backdoor found in SolarWinds supply chain campaign. An arrest and a stolen laptop.
1385
The European Medicines Agency says stolen emails about vaccine development were altered before being dumped online. Another backdoor is found associated with the SolarWinds supply chain campaign. DNS cache poisoning vulnerabilities are described. FBI renews warnings about vishing. Iran’s “Enemies of the People” disinformation campaign. Vishing is up. Rick Howard previews his hashtable discussion on Solarigate. Verizon’s Chris Novak looks at cyber espionage. And the FBI makes an arrest in connection with a laptop taken during the Capitol Hill riot. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/11
Jan 19, 2021
Encore: You will pay for that one way or another. [Caveat]
2169
Dave's got the story of a landlord who may run afoul of the Computer Fraud and Abuse Act, Ben wonders if the big tech CEOs could be held liable for contact tracking apps, and later in the show my conversation with Joseph Cox. He is a Senior Staff Writer at Motherboard and will be discussing his recent article How Big Companies Spy on Your Emails. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.  Links to stories: Apple and Google CEOs should be held responsible for protecting coronavirus tracking data, says GOP Sen. Hawley The twitter thread from Dave's story Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.
Jan 18, 2021
Ann Johnson: Trying to make the world safer. [Business Development] [Career Notes]
407
Microsoft's Corporate Vice President of Cybersecurity Business Development Ann Johnson brings us on her career journey from aspiring lawyer to cybersecurity executive. After pivoting from studying law, Ann started working with computers and found she had a deep technical aptitude for technology and started earning certifications landing in cybersecurity because she found an interest in PKI. At Microsoft, Ann says she solves some of the hardest problems every day. She recommends getting a mentor and finding your area of expertise. She leaves us with three dimensions she hopes to be her legacy: 1. diversity in more than just gender, 2. bringing a human aspect to the industry, and 3. being empathetic to the user experience. We thank Ann for sharing her story with us.
Jan 17, 2021
Manufacturing sector is increasingly a target for adversaries. [Research Saturday]
1547
Guest Selena Larson, senior cyber threat analyst at Dragos, Inc., joins us to discuss their research into recent observations of ICS-targeting threats to manufacturing organizations.  Cyber risk to the manufacturing sector is increasing, led by disruptive cyberattacks impacting industrial processes, intrusions enabling information gathering and process information theft, and new activity from Industrial Control Systems (ICS)-targeting adversaries. Dragos currently publicly tracks five ICS-focused activity groups targeting manufacturing: CHRYSENE, PARISITE, MAGNALLIUM, WASSONITE, and XENOTIME in addition to various ransomware activities capable of disrupting operations.  Manufacturing relies on ICS to scale, function, and ensure consistent quality control and product safety. It provides crucial materials, products, and medicine and is classified as critical infrastructure. Due to the interconnected nature of facilities and operations, an attack on a manufacturing entity can have ripple effects across the supply chain that relies on timely and precise production to support product fulfillment, health and safety, and national security objectives.  Ransomware adversaries are adopting ICS-aware functionality with the ability to stop industrial related processes and cause disruptive – and potentially destructive – impacts. Dragos has not observed ICS-specific malware targeting manufacturing operations on the same scale or sophistication as that used in the disruptive TRISIS and CRASHOVERRIDE malware attacks that targeted energy operations in Saudi Arabia and Ukraine, respectively. However, known and ongoing threats to manufacturing can have direct and indirect impact to operations. This report provides a snapshot of the threat landscape as of October 2020 and is expected to change in the future as adversaries and their behaviors evolve.  The research can be found here: ICS Threat Activity on the Rise in Manufacturing Sector
Jan 16, 2021
Charming Kitten’s smishing and phishing. Solorigate updates. Supply chain attacks and the convergence of espionage and crime. Greed-bait. Ring patches bug. Best practices from NSA, CISA.
1561
Well-constructed phishing and smishing are reported out of Tehran. Estimates of SolarWinds compromise insurance payouts. Notes from industry on the convergence of criminal and espionage TTPs. Social engineering hooks baited with greed. Ring patches a bug that could have exposed users’ geolocation (and their reports of crime). Advice on cyber best practices from CISA and NSA. Robert M. Lee has thoughts for the incoming Biden administration. Our guest is Sir David Omand, former Director of GCHQ, on his book, How Spies Think: Ten Lessons in Intelligence. And an ethics officer is accused of cyberstalking. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/10
Jan 15, 2021
SideWinder and South Asian cyberespionage. Project Zero and motivation to patch. CISA’s advice for cloud security. Classiscam in the criminal-to-criminal market. SolarLeaks misdirection?
1519
There are other things going on besides Solorigate and deplatforming. There’s news about the SideWinder threat actor and its interest in South Asian cyberespionage targets. Google’s Project Zero describes a complex and expensive criminal effort. CISA discusses threats to cloud users, and offers some security recommendations. A scam-as-a-service affiliate network spreads from Russia to Europe and North America. Awais Rashid looks at shadow security. Our own Rick Howard speaks with Christopher Ahlberg from Recorded Future on Cyber Threat Intelligence. And SolarLeaks looks more like misdirection, Guccifer 2.0-style. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/9
Jan 14, 2021
Looking for that threat actor “likely based in Russia.” SolarLeaks and a probably bogus offer of stolen files. Notes on Patch Tuesday.
1341
Speculation grows that the Solarigate threat actors were also behind the Mimecast compromise. SolarLeaks says it has the goods taken from FireEye and SolarWinds, but caveat emptor. Notes on Patch Tuesday. Joe Carrigan has thoughts on a WhatsApp ultimatum. Our guest is Andrew Cheung of 01 Communique with an update on quantum computing. And farewell to an infosec good guy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/8
Jan 13, 2021
Cyberespionage campaign hits Colombia. New malware found in the SolarWinds incident. Mimecast certificates compromised. Ubiquiti tells users to reset passwords. Two wins for the good guys.
1466
A cyberespionage campaign, so far not attributed to any threat actor, continues to prospect government and industry targets in Colombia. A new bit of malware is found in the SolarWinds backdoor compromise. Mimecast certificates are compromised in another apparent software supply chain incident. Ubiquiti tells users to reset their passwords. A brief Capitol Hill riot update. Bidefender releases a free DarkSide ransomware decryptor. Ben Yelin revisits racial bias in facial recognition software. Our guest is Jessi Marcoff from Privitar on trend toward Chief People Officers. And Europol announces the takedown of the DarkMarket. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/7
Jan 12, 2021
More (ambiguous) evidence for attribution of Solorigate. CISA expands incident response advice. Inspiration, investigation, and deplatforming: notes from the Capitol Hill riot.
1652
Similarities are found between Sunburst backdoor code and malware used by Turla. CISA expands advice on dealing with Solorigate. Courts revert to paper...and USB drives. More members of the US Congress report devices stolen during last week’s riot. Online inspiration for violence seems distributed, not centralized. Caleb Barlow examines protocols for handling inbound intel. Rick Howard looks at Solorigate through the lens of first principles. And platforms as publishers? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/6
Jan 11, 2021
Tom Gorup: Fail fast and fail forward. [Operations] [Career Notes]
389
Vice President of Security and Support Operations of Alert Logic Tom Gorup shares how his career path led him from tactics learned in Army infantry using machine guns and claymores to cybersecurity replacing the artillery with antivirus and firewalls. Tom built a security automation solution called the Grunt (in recollection of his role in the Army) that automated firewall blocks. He credits his experience in battle-planning for his expertise in applying strategic thinking to work in cybersecurity, noting that communication is key in both scenarios. Tom advises that those looking into a new career shouldn't shy away from failure as failure is just another opportunity to learn. We thank Tom for sharing his story with us.
Jan 10, 2021
Emotet reemerges and becomes one of most prolific threat groups out there. [Research Saturday]
1550
Deep Instinct's Shimon Oren joins us to talk about his team's research on "Why Emotet's latest wave is harder to catch than ever before - Part 2." Emotet appears to have reemerged more evasive than before, this time with a payload delivered from a loader that security tools aren’t equipped to handle. Emotet, the largest malware botnet today, started in 2014 and continues to be one of the most challenging threats in today’s landscape. This botnet causes huge damage by spreading ransomware and info stealers to its infected systems. Recently, a rise in the number of Emotet infections was observed in France, Japan, and New Zealand. The high number of infections shows the effectiveness of the Emotet malware at staying undetected. Shimon joins us to discuss how Deep Instinct investigated the payload that was encrypted inside the loader, analyzes the next steps in the infection process, and discovers the techniques used to make this malware difficult to analyze. The original blog post and updated post on the research can be found here: Emotet Analysis: Why Emotet’s Latest Wave is Harder to Catch than Ever Before Why Emotet's latest wave is harder to catch than ever before - Part 2
Jan 09, 2021
The Solorigate cyberespionage campaign and sensitive corporate data. The cybersecurity implications of physical access during the Capitol Hill riot. Ransomware’s successful business model.
1536
Solorigate and its effect on sensitive corporate information. The DC riots show the cybersecurity consequences of brute physical access to systems. A North Korean APT resurfaces with the RokRat Trojan. Ransomware remains very lucrative, and why? Because people continue to pay up. Thomas Etheridge from CrowdStrike on The Role of Outside Counsel in the IR Process.Our guest is Larry Lunetta from Aruba HPE on how enterprises can bolster security in the era of hybrid work environments. And a criminal hacker gets twelve years in US Federal prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/8
Jan 08, 2021
CISA updates its alerts and directives concerning Solorigate as the investigation expands. Rioting, social media, and cybersecurity.
1421
CISA updates its guidance on Solorigate, and issues an alert that the threat actor may have used attack vectors other than the much-discussed SolarWinds backdoor. Some reports suggest that a widely used development tool produced by a Czech firm may have been compromised. The cyberespionage campaign is now known to have extended to the Department of Justice and the US Federal Courts. Robert M. Lee shares lessons learned from a recent power grid incident in Mumbai. Our guest is Yassir Abousselham from Splunk on how attackers find new ways to exploit emerging technologies. Cyber implications of the Capitol Hill riot. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/4
Jan 07, 2021
Who worked through SolarWinds? An APT “likely Russian in origin,” says the US. Rattling backdoors, rifling cryptowallets, and asking victims if they’re ensured. No bail for Mr. Assange.
1482
The US Cyber Unified Coordination Group says the Solorigate APT is “likely Russian in origin.” Threat actors are scanning for systems potentially vulnerable to exploitation through a Zyxel backdoor. ElectroRAT targets crypto wallets. Babuk Locker is called the first new ransomware strain of 2021. The New York Stock Exchange re-reconsiders delisting three Chinese telcos. Joe Carrigan from Johns Hopkins joins us with the latest clever exploits from Ben Gurion University. Our guest is Jens Bothe from OTRS Group the importance of the US establishing standardized data privacy regulations. And Julain Assange is denied bail. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/3
Jan 06, 2021
It’s not Kates and Vals over Ford Island, but it’s not just a tourist under diplomatic cover taking pictures of Battleship Row, either. Another APT side hustle? To delist or not to delist.
1448
More assessments of the Solorigate affair, with an excursus on Pearl Harbor. Shareholders open a class action suit against SolarWinds, but no signs of an enforcement action for speculated insider trading. Emissary Panda seems to be working an APT side hustle. Kevin Magee has insights from the Microsoft Digital Defense Report. Our guest is Jason Passwaters from Intel 471 with a look at the growing range of ransomware as a service offerings. And to-ing and fro-ing on Chinese telecoms at the New York Stock Exchange. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/2
Jan 05, 2021
Threat actors were able to see Microsoft source code repositories. Zyxel closes a backdoor. Kawasaki discloses data exposure. Slack’s troubles. Julian Assange escapes extradition to the US.
1482
Updates on the spreading consequences of Solorigate, including Microsoft’s disclosure that threat actors gained access to source code repositories. A hard-coded backdoor is found in Zyxel firewalls and VPNs. Kawasaki Heavy Industries says parties unknown accessed sensitive corporate information. Slack has been having troubles today. Andrea Little Limbago from Interos on democracies aligning against global techno-dictators. Our guest is Drew Daniels from Druva with a look at the true value of data. And a British court declines to extradite WikiLeaks’ Julian Assange to the United States. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/10/1
Jan 04, 2021
Ellen Sundra: Actions speak louder than words. [Engineering] [Career Notes]
424
Vice President of Global Systems Engineering Ellen Sundra shares her career path from life as a college grad who found her niche by creating a training program to a leader in cybersecurity. She realized that training and educating people was her passion. Ellen sees her value in providing soft skills as a natural balance to her technical team at Forescout Technologies. Being a woman in a male-dominated world proved to be a challenge and gaining her confidence to share her unique point of view helped her excel in it. Ellen recommends keeping your eyes open for how your skill set fits into cybersecurity. Find your perspective and really embrace it! We thank Ellen for sharing her story with us.
Jan 03, 2021
Encore: Unpacking the Malvertising Ecosystem. [Research Saturday]
1797
Researchers at Cisco's Talos Unit recently published research exploring the tactics, technics and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious online ads, along with tips for protecting yourself and your organization. The research can be found here:  https://blog.talosintelligence.com/2019/07/malvertising-deepdive.html
Jan 02, 2021
Andy Greenberg on the Sandworm Indictments.
1030
This interview from November 6th, 2020 originally aired as a shortened version on the CyberWire Daily Podcast. In this extended interview, Rick Howard speaks with Andy Greenberg on the Sandworm Indictments.
Jan 01, 2021
SOAR – a first principle idea.
1006
Rick explains the network defender evolution from defense-in-depth in the 1990s, to intrusion kill chains in 2010, to too many security tools and SOAR in 2015, and finally to devsecops somewhere in our future.
Dec 31, 2020
Security operations centers: around the Hash Table.
1626
Four members of the CyberWire’s Hash Table of experts: Don Welch: Interim CIO of Penn State University Helen Patton: CISO for Ohio State University Bob Turner: CISO for the University of Wisconsin at Madison Kevin Ford: CISO for the State of North Dakota discuss SOC Operations in terms of intrusion kills chains, defensive adversary campaigns, insider threats, cyber threat intelligence, zero trust, SOC automation, and SOC analyst skill sets.
Dec 30, 2020
Security operations centers: a first principle idea.
975
The idea of operations centers has been around as far back as 5,000 B.C. This show covers the history of how we got from general purpose operations centers to the security operations centers today, the limitations of those centers, and what we need to do as a community make them more useful in our infosec program.
Dec 29, 2020
Cybersecurity First Principles: DevSecOps.
1205
This is the fifth episode in a planned series that discusses the development of a general purpose cybersecurity strategy for all network defender practitioners-- be they from the commercial sector, government enterprise, or academic institutions-- using the concept of first principles.
Dec 28, 2020
Encore: Selena Larson: The Green Goldfish and cyber threat intelligence. [Analyst] (Career Notes]
430
Cyber threat intelligence analyst Selena Larson takes us on her career journey from being a journalist to making the switch to industrial security. As a child who wrote a book about a green goldfish who dealt with bullying, Selena always liked investigating and researching things. Specializing in cybersecurity journalism led to the realization of how closely aligned or similar skills are required from an investigative journalist and a cyber threat intelligence analyst. Our thanks to Selena for sharing her story with us. 
Dec 27, 2020
Encore: Seedworm digs Middle East intelligence. [Research Saturday]
1227
Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms. Al Cooley is director of product management at Symantec, and he joins us to share their findings. The original research can be found here: https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group
Dec 26, 2020
Encore: Separating fools from money. [Hacking Humans]
1802
Dave shares a story of airport penetration testing with high degree of yuck-factor. Joe explores research on protecting passwords from social engineering. The catch-of-the-day comes courtesy of Graham Cluley's email spam box. Dave interviews Wired's Security Staff Writer Lily Hay Newman on her article tracking Nigerian email scammers.  Have a Catch of the Day you'd like to share? Email it to us at hackinghumans@thecyberwire.com or hit us up on Twitter.
Dec 25, 2020
Encore: Technology that allows cops to track your phone. [Caveat]
2948
Dave has an update on Baltimore’s spyplane, Ben describes concerns over violations by the FBI, CIA, NSA of FISA court rules, and later in the show our conversation with Kim Zetter on her recent article in The Intercept, titled “How Cops Can Secretly Track Your Phone.” It’s all about stingrays and dirtboxes, so stick around for that. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney.  Links to stories: Elizabeth Goitein on Twitter In appeals court, Baltimore surveillance plane suit gets a mixed reaction Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.  Thanks to our sponsor, KnowBe4.
Dec 24, 2020
Cozy Bear: quiet and patient. Counting the costs of cyberespionage. Iranian influence campaign sought to inspire post-US-election violence.
1585
Cozy Bear lived up to its reputation for quiet patience. Counting the cost of the SVR cyberespionage campaign. What do intelligence services do with all the data they collect? An Iranian influence campaign sought to foment US post-election violence. Joe Carrigan looks at social engineering aimed at domain registrars. Our guest is John Worrall from ZeroNorth on the importance of security champions. And a last look ahead at 2021.
Dec 23, 2020
Bear tracks all over the US Government’s networks. Pandas and Kittens and Bears, oh my... Emotet’s back. Spyware litigation. A few predictions.
1649
The US continues to count the cost of the SVR’s successful cyberespionage campaign. Attribution, and why it’s the TTPs and not the org chart that matters. Emotet makes an unhappy holiday return. It seems unlikely that NSA and US Cyber Command will be separated in the immediate future. Big Tech objects, in court, to NSO Group and its Pegasus spyware (or lawful intercept product, depending on whether you’re in the plaintiff’s or the respondent’s corner). Ben Yelin looks at hyper realistic masks designed to thwart facial recognition software. Our guest Neal Dennis from Cyware wonders if there really isn't a cybersecurity skills gap. And a quick look at some more predictions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/245
Dec 22, 2020
Sunburst looks worse: bad Bears in US networks, and that’s not just right at all. “Evil mobile emulator farm.” Report: Pegasus used against journalists.
1500
Cozy Bear’s big sweep through US networks gets bigger, longer, more carefully prepared, and worse in every way. IBM uncovers a big, conventionally criminal “evil mobile emulator farm,” and that’s no good, either. Citizen Lab finds more to complain about with respect to alleged abuse of NSO Group’s Pegasus tools. Awais Rashid from Bristol University on taking a risk-based approach to security. Rick Howard speaks with Cyral CEO Manav Mital on infrastructure as code. And tech executives are worried about Pandas and Bears and Kittens, oh my. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/244
Dec 21, 2020
Robert Lee: Keeping the lights on. [ICS] [Word Notes]
424
CEO and co-founder of Dragos Robert Lee talks about how he came to cybersecurity through industrial control systems. Growing up with parents in the Air Force, Robert's father tried to steer him away from military service. Still Rob chose to attend the Air Force Academy where he had greater exposure to computers through ICS. Robert finds his interest lies in things that impact the physical world around us. In his work, Dragos focuses on identifying what people are doing bad and helping people understand how to defend against that. Rob describes the possibility of making a jump to control system security from another area recommending you bring something to the table. Rob talks about the world he would like to leave to his son and his hopes for the future. We thank Rob for sharing his story with us.
Dec 20, 2020
Advertising Software Development Kit (SDK): serving up more than just in-app ads and logging sensitive data. [Research Saturday]
1586
On August 24, 2020, Snyk announced the discovery of suspicious behaviors in the iOS version of a popular advertising SDK known as Mintegral. At that time, they had confirmed with partners in the advertising attribution space that at minimum, Mintegral appeared to be using this functionality to gather large amounts of data and commit ad attribution fraud. Their research showed that Mintegral was using code obfuscation and method swizzling to modify the functionality of base iOS SDK methods without the application owner’s knowledge. Further, their research proved that Mintegral was logging all HTTP requests including its headers which could even contain authorization tokens or other sensitive data. Since that time Mintegral announced that they were opening the source of their SDK to the market. While the SDK can only be downloaded by registered partners, a major game publisher shared the source code with Snyk for further analysis. They also continued their research by digging deeper into the Android versions of the SDK in which they hadn’t found similar behaviors at the time of the initial disclosure.  This has resulted in some significant discoveries that necessitate an update to the previous disclosure. Additionally, Mintegral and the community at large have responded to the situation, and Snyk felt a summary of the events was a good way to finalize their research into this SDK. Joining us on Research Saturday to discuss their research is Snyk's Alyssa Miller. The original blog and Snyk's update can be found here: SourMint: malicious code, ad fraud, and data leak in iOS SourMint: iOS remote code execution, Android findings, and community response
Dec 19, 2020
Cozy Bear has been very successful at being very bad. Advice on dealing with the supply chain compromise. Joker’s Stash has its problems. And a few thoughts on the near future.
1878
Cozy Bear’s software supply chain compromise and its massive cyberespionage effort against the US Government and the associated private sector, is still being untangled. But it’s very extensive, very bad, and very tough to remediate. Both CISA and NSA have advice about the incident, and we check in with Robert M. Lee from Dragos for his thoughts. John Pescatore from SANS advocates renewing our focus on information security. Iran may be running a ransomware campaign for influence purposes. The Joker’s Stash criminal souk appears to have taken a hit. And don’t let your guard down during the holidays. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/243
Dec 18, 2020
The SVR’s exploitation of the SolarWinds software supply chain proves a very damaging cyberespionage campaign. HPE zero-day. Report on China’s influence ops delayed.
1378
The SolarWinds supply chain compromise may not have been an act of war, but it was certainly a very damaging espionage effort. The FBI, CISA, and ODNI are leading a whole-of-government response to the incident. Three companies have collaborated on a killswitch for the Sunburst backdoor’s initial command and control. HPE discloses a zero day in its SIM software. ODNI will delay its report on Chinese election influence ops. Thomas Etheridge from CrowdStrike on their Services Front Lines report. Our guest is Derek Manky from Fortinet with 2021 threat insights. And, of course, some predictions. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/242
Dec 17, 2020
SolarWinds breach updates. Microsoft sinkholes Sunburst's C&C domain. Facebook takes down inauthentic networks.
1338
SolarWinds breach reportedly affected parts of the Pentagon. Microsoft and partners seize and sinkhole command-and-control domain used by Sunburst malware. The threat actor behind the breach used a novel technique to bypass multi factor authentication at a think tank. Facebook takes down competing inauthentic networks focused on Africa. Joe Carrigan has insights on Amnesia 33. Our guest, Greg Edwards from CryptoStopper, shares his experience getting back online after a Derecho. And the execution of the FCC’s rip-and-replace plan will likely fall to the next US administration. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/241
Dec 16, 2020
SolarWinds compromise scope grows clearer. DPRK’s Earth Kitsune. Google’s authentication issue. A look at the near future of cybersecurity.
1518
SolarWinds’ 8-K suggests the possible scope of the Sunburst incident. CISA leads the US Federal post-attack mopping up as more agencies are known to have been affected. How FireEye found the SolarWinds backdoor. GCHQ is looking for possible signs of Sunburst in the UK. Operation Earth Kitsune is attributed to North Korea. Google explains yesterday’s outage. Ben Yelin looks at retail privacy issues. Our guest is Jasson Casey from Beyond Identity on going passwordless. And if you have trouble getting things done while working from home, maybe blame it on the dogs. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/240
Dec 15, 2020
A few predictions, but today’s news is dominated by Cozy Bear’s supply chain attack on Solar Winds’ Orion Platform.
1409
FireEye traces its breach to a compromised SolarWinds update to its Orion Platform. CISA issues an Emergency Directive to get control of an attack that is known to have affected at least two Federal Departments. Rick Howard shares lessons from season three of CSO Perspectives. Betsy Carmelite from Booz Allen continues her analysis of their 2021 Cyber Threat Trends Report. And while reports attribute the supply chain attack to Russia’s SVR, Moscow says Cozy Bear didn’t do nuthin’.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/239
Dec 14, 2020
Can public/private partnerships prevent a Cyber Pearl Harbor? [CyberWire-X]
1973
For many years, public and private sector cybersecurity experts have warned of a large-scale, massively impactful cyber attack on critical infrastructure (CI). Whether you call it a cyber doomsday, a cyber extinction, or as former Defense Secretary Leon Panetta termed it, a “Cyber Pearl Harbor,” the message is clear: it's not a matter of if, it's a matter of when, and it's not just critical infrastructure that's vulnerable. More recently, experts have started to raise the alarm around not just CI, but other systems as well, notably position, navigation and timing (PNT) services. PNT includes things like GPS devices -- extensions of IT systems which are widely used by both private and public sector organizations, and particularly vulnerable to attack thanks to their open source origins and lack of native security controls.  While there is no magic bullet to solve the cybersecurity challenge, there's growing consensus that an effective strategy is going to require large-scale cooperation and coordination between the public and private sectors. While the government is uniquely equipped to source and promulgate guidelines and standards like the Federal Information Processing Standards (FIPS) and NIST Special Publication 800 Series, private sector partners have the expertise to implement these standards across industries. The private sector is also a major driver of innovation in security, making use of sophisticated analytics, AI, and other tools to improve not only native security controls but also hygiene, threat detection, and response. In this episode of Cyberwire-X, guests will discuss the benefits of public/private partnership for cybersecurity, the roles of each, and how the threat of a "Cyber Pearl Harbor" informs the priorities of both. Joining us today are Keith Mularski from EY, Rob Lee from Dragos, and Egon Rinderer from Tanium.
Dec 14, 2020
Andrea Little Limbago: Look at the intersection of the of humans and technology. [Social Science] [Career Notes]
421
Computational Social Scientist Andrea Little Limbago shares her journey as a social scientist in cybersecurity. Andrea laments that she wishes she'd known there is no straight line between what you think you want to do and then where you end up going. Beginning her career in international relations and courted by the Department of Defense's Joint Warfare Analysis Center while teaching at New York University, Andrea began her work in cybersecurity. Her team was one of the first to start thinking about the intersection of cybersecurity and geopolitics and quantitative modeling. Andrea reminds us there are many paths and skills needed in cybersecurity and hopes she opened some doors for others. We thank Andrea for sharing her story with us.
Dec 13, 2020
Following DOJ indictment, a look back on NotPetya and Olympic Destroyer research. [Research Saturday]
2043
From US Department of Justice: "On Oct. 15, 2020, a federal grand jury in Pittsburgh returned an indictment charging six computer hackers, all of whom were residents and nationals of the Russian Federation (Russia) and officers in Unit 74455 of the Russian Main Intelligence Directorate (GRU), a military intelligence agency of the General Staff of the Armed Forces.  These GRU hackers and their co-conspirators engaged in computer intrusions and attacks intended to support Russian government efforts to undermine, retaliate against, or otherwise destabilize: (1) Ukraine; (2) Georgia; (3) elections in France; (4) efforts to hold Russia accountable for its use of a weapons-grade nerve agent, Novichok, on foreign soil; and (5) the 2018 PyeongChang Winter Olympic Games after Russian athletes were banned from participating under their nation’s flag, as a consequence of Russian government-sponsored doping effort.  Their computer attacks used some of the world’s most destructive malware to date, including: KillDisk and Industroyer, which each caused blackouts in Ukraine; NotPetya, which caused nearly $1 billion in losses to the three victims identified in the indictment alone; and Olympic Destroyer, which disrupted thousands of computers used to support the 2018 PyeongChang Winter Olympics. The indictment charges the defendants with conspiracy, computer hacking, wire fraud, aggravated identity theft, and false registration of a domain name." Returning to Research Saturday this week to discuss their research of NotPetya and Olympic Destroyer are Cisco Talos' Craig Williams and Matt Olney. The indictment and Cisco's research can be found here: Six Russian GRU Officers Charged in Connection with Worldwide Deployment of Destructive Malware and Other Disruptive Actions in Cyberspace New Ransomware Variant "Nyetya" Compromises Systems Worldwide The MeDoc Connection Who Wasn’t Responsible for Olympic Destroyer? Olympic Destroyer Takes Aim At Winter Olympics
Dec 12, 2020
OceanLotus tracked. Threats to K-12 distance education. Adrozek is credential-harvesting adware. MountLocker gains criminal affiliates. FCC acts against Chinese companies. CISA internships.
1529
Tracking OceanLotus. US advisory warns of cyberthreats active against schools trying to deliver distance learning. Adrozek joins credential harvesting and adware. MountLocker’s criminal affiliate program. The FCC takes action against Chinese companies deemed security risks. Predictions, and holiday advice. Johannes Ullrich from the SANS technology institute wonders what’s in your clipboard? Our guest is Nina Jankowicz from Wilson Center on her new book - How to Lose the Information War - Russia, Fake News, and the Future of Conflict. And internship opportunities at CISA. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/238
Dec 11, 2020
Facebook faces anti-trust suit. COVID-19 vaccine cyberespionage. Emissary Panda spotting. SQL databases for sale. Notes on the FireEye breach, the end of Flash, and the Mirai botnet.
1498
Facebook faces a US antitrust suit. Cyberespionage hits the European Medicines Agency, apparently looking for COVID-19 vaccine information. Emissary Panda is out and about. A simple ransomware campaign goes for success through volume. Stolen SQL databases are offered for sale back to their owners. React to the FireEye breach, but don’t over-react. We welcome Kevin McGee from Microsoft Canada to the show. Our guest is Liviu Arsene from Bitdefender with insights Business Threat Landscape report for 2020. Flash nears its end-of-life. Predictions for 2020, and another guilty plea in the Mirai case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/237
Dec 10, 2020
Bear prints in Oslo and Silicon Valley. Deepfakes may be finally coming... maybe... CISA issues ICS alerts, some having to do with AMNESIA:30. A quick trip through Patch Tuesday.
1450
Norway calls out the GRU for espionage against the Storting. The SVR (probably) hacks FireEye. Huawei tested recognition software designed to spot Uighurs. 2021 predictions from Avast hold that next year might be the year deepfakes come into their own. CISA issues a long list of industrial control system alerts. Joe Carrigan looks at the iOS zero-click radio proximity vulnerability. Our guest is Matt Drake, director of cyber intelligence at SAIC on what the recents elections can tell us about threat intelligence. And yesterday was Patch Tuesday--do you know where your vulnerabilities are? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/236
Dec 09, 2020
IoT supply chain vulnerabilities described. Spyware in the hands of drug cartels. National security and telecom equipment. US NDAA includes many cyber provisions. Fraud as a side hustle.
1390
AMNESIA:33 vulnerabilities infest the IoT supply chain. Lawful intercept spyware allegedly finds its way from Mexican police into the hands of drug cartels. Finland’s parliament approves exclusion of telecom equipment on security grounds. The US National Defense Authorization Act’s cyber provisions. Online fraud seems to have become a side hustle. Ben Yelin responds to Supreme Court arguments in a Computer Fraud and Abuse Act case. Our guest is Darren Mar-Elia from Semperis on group policy security. And Moscow police are looking for the crooks who hacked secure delivery lockers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/235
Dec 08, 2020
NSA warns that Russia is actively exploiting patched VMware vulnerabilities. CISA alert also a warning to Iran. DeathStalker update. Market pressures in the Darknet. Greetings from Pyongyang.
1353
NSA warns that Russian state-sponsored actors are actively exploiting patched VMware vulnerabilities in the wild. A CISA alert puts Iran on notice. DeathStalker hired guns are now active in North America. Darknet contraband markets are experiencing the sort of pressure and consolidation legitimate markets undergo. Rick Howard checks in with the hash table on CSO and CISO roles. My continued conversation with Betsy Carmelite from Booz Allen on their 2021 Cyber Threat Trends Report. And a weird shift in North Korean propaganda...is Pyongyang having a Hallmark moment? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/234
Dec 07, 2020
Ron Brash: Problem fixer in critical infrastructure. [OT] [Career Notes]
471
Director of Cyber Security Insights at Verve Industrial aka self-proclaimed industrial cybersecurity geek Ron Brash shares his journey through the industrial cybersecurity space. From taking his parents 286s and 386s to task to working for the "OG of industrial cybersecurity," Ron has pushed limits. Starting off in technical testing, racing through university at 2x speed, and taking a detour through neuroscience with machine learning, Ron decided to return to critical infrastructure working with devices that keep the lights on and the water flowing. Ron hopes his work makes an impact and his life is memorable for those he cares about. We thank Ron for sharing his story with us.
Dec 06, 2020
SSL-based threats remain prevalent and are becoming increasingly sophisticated. [Research Saturday]
1031
While SSL/TLS encryption is the industry standard for protecting data in transit from prying eyes, encryption has, itself, become a threat. It is often leveraged by attackers to sneak malware past security tools that do not fully inspect encrypted traffic. As the percentage of traffic that is encrypted continues to grow, so do the opportunities for attackers to deliver threats through encrypted channels. To better understand the use of encryption and the volume of encrypted traffic that is inspected, Zscaler's research team, ThreatLabZ, analyzed encrypted traffic across the Zscaler cloud for the first nine months of 2020, assessing its use within specific industries. The study also set out to analyze the types of attacks that use encryption and the extent of the current risk.  Returning to Research Saturday this week to discuss the report is Zscaler's CISO and VP of Security Research, Deepen Desai. The research can be found here: 2020: The State of Encrypted Attacks Blog 2020: The State of Encrypted Attacks Report
Dec 05, 2020
2021 may look a lot like 2020 in cyberspace, only moreso. Cold chain cyberespionage. Cybercriminals are also interested in COVID-19 vaccines. And beware of online dog fraud.
1567
Predictions for 2021 focus on ransomware: it’ll be better, more aggressive, bigger, and a greater problem in every way. Cyberespionage and the cold chain. Cybercriminal interest in COVID-19 vaccines extends to both theft and fraud. Johannes Ullrich on the .well-known Directory. Our guest is Michael Magrath from OneSpan on what the financial sector needs to consider now that we’re post-election season. And what’s one effect of the pandemic? Dog fraud. Ask the Better Business Bureau. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/233
Dec 04, 2020
Cyberespionage and influence operations against prospective members of the incoming US Administration. Cold chain attacks. TrickBoot. Vasya, what do you do for a living?
1516
Chinese intelligence services are prospecting think tanks and prospective members of the next US Administration. Spearphishing the vaccine cold chain. Expect vaccine-themed phishing. After a temporary, pre-US election suppression, TrickBot’s back. Holiday shopping season is bot-season. Consumers are thought likely to get upset about smart device privacy in 2021. Awais Rashid from Bristol University on privacy at scale. Our guest is JP Perez-Etchegoyen from Onapsis on the risk associated with interconnected cloud and SaaS apps. And suppose you’re a cybercriminal...we know, but suppose. What do you tell your sweetie you do for a living? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/232
Dec 03, 2020
The Shadow Academy schools anglophone universities. Turla’s Crutch. Cryptojacking as misdirection. Cyberespionage against think tanks. DPRK tries to steal COVID-19 treatment data.
1586
The Shadow Academy prospects universities in a domain shadowing campaign. Notes on Turla’s Crutch, an information-stealing backdoor. Bismuth was using crytpojacking as misdirection. CISA and the FBI warn think tanks that cyberspies are after them. North Korean cyberespionage is interested in COVID-19 treatments. Our guest is Carey O’Connor Kolaja from AU10TIX on combating fraud in the financial services and payment industry. David Dufour from Webroot has 2021 predictions. And a member of the Apophis Group gets eight years in prison. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/231
Dec 02, 2020
Cryptojacking cyberspies sighted. Crooks mix banking Trojans and ransomware. Conti ransomware hits industrial IoT company. SCOTUS reviews CFAA. And predictions.
1360
Cryptojacking from Hanoi. Dormant networks rise again, for no easily discernible reason (but it doesn’t look good). A gang is hitting German victims with the Gootkit banking Trojan, and sometimes mixing it up with a REvil ransomware payload. Conti ransomware hits IoT chipmaker. SCOTUS reviews the Computer Fraud and Abuse Act. A few predictions for 2021. Ben Yelin on Congress passing an IoT security bill. Our guest is Stephen Harvey from BitSight, who’s tracking the correlation between companies with strong cybersecurity and financial success. And it may be back to school tomorrow in Baltimore County. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/230
Dec 01, 2020
Phishing for COVID-19 vaccine data. Bandook is back, and mercenaries have it. School’s out for ransomware. Skepticism about foreign election manipulation. The forever sales.
1557
North Korean operators phish a major pharma company. The Bandook backdoor is back, and probably being distributed by mercenaries. A school district cancels classes after a ransomware attack. Man U continues to work on recovering its systems. Former CISA Director says there are no signs of foreign manipulation of US elections. Rick Howard wonders what exactly all those CISOs do. Betsy Carmelite from Booz Allen with insights from their 2021 Cyber Threat Trends Report. And Cyber shopping and the forever sales. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/229
Nov 30, 2020
Camille Stewart: Technology becomes more of an equalizer. [Legal] [Career Notes]
443
Cybersecurity attorney Camille Stewart shares how her childhood affinity for making contracts pointed to her eventual career as an attorney. Having a computer scientist father contributed to Camille's technical acumen and desire to include technology in her life's work. Camille has worked various facets of cybersecurity law from the private sector, federal government, on the Hill and in the Executive Branch, and now as part of Big Tech as Head of Security Policy and Election Integrity for Google Play and Android where she creates policy geared towards making sure users are safe on their platform and equipped to make informed decisions.. We thank Camille for sharing her story with us.
Nov 29, 2020
Encore: Using global events as lures for malicious activity.
1372
The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them. This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events. Joining us on this week's Research Saturday from Craig Williams from Cisco's Talos Outreach team to walk us through how current events are used as lures. The research and blog post can be found here:  Adversarial use of current events as lures
Nov 28, 2020
Influence the gullible, and maybe others will follow. Event site sustains a data breach. Contact tracing and privacy protection. Ransomware, again. Social media used to intimidate witnesses.
1434
Observers see a shift in Russia’s influence tactics, but prank calls are (probably) not among those tactics. An event site suffers a data breach, and warns customers to be alert for spoofing. COVID-19 contact tracing continues to arouse privacy concerns. Joe Carrigan has tips for safe online shopping during the holidays. Our guest is Dmitry Volkov from Group-IB with insights from their latest Hi-Tech Crime Trends report. Ransomware hits another US school district, and social media are being used to intimidate cooperating witnesses. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/228
Nov 25, 2020
Mustang Panda needs to repent. Not the FBI. Dodgy consumer routers and smart doorbells. Prospective Presidential appointees and cyber. Crime and investigation.
1372
Mustang Panda goes to church, but not in a good way. Hoods are trying to spoof the FBI with Bureau-themed domains. Dodgy routers and suspect smart doorbells. A quick look at the incoming US Administration, from a cybersecurity point of view. Someone’s allegedly swapping iPads for concealed carry permits--say it ain’t so, Santa Clara County. DHS investigates Windows help desk scammers. Ben Yelin on a Massachusetts ballot initiative involving connected cars. Our guest is Larry Roshfeld from AffirmLogic on the pros and cons of a Treasury Dept advisory that could put companies who facilitate ransomware payments in legal jeopardy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/227
Nov 24, 2020
Ups and downs in the cyber underworld. Enduring effects of COVID-19 in cyberspace. Safer online shopping. “Take me home, United Road, to the place I belong, to Old Trafford, to see United…”
1494
Qbot is dropping Egregor ransomware, and RagnarLocker continues its recent rampage. Cryptocurrency platforms troubled by social engineering at a third party. TrickBot reaches version 100. Stuffed credentials exposed in the cloud. COVID-19 practices may endure beyond the pandemic. Advice for safer online shopping over the course of the week. Malek Ben Salem from Accenture Labs has methods for preserving privacy when using machine learning. Rick Howard digs deeper into SOAR. And someone’s hacking a Premier League side. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/226
Nov 23, 2020
James Hadley: Spend time on what interests you. [CEO] [Career Notes]
394
Founder and CEO of Immersive Labs James Hadley takes us through his career path from university to cybersecurity startup. James tells us about his first computer and how he liked to push it to its limits and then some. He joined GCHQ after college and consulted across government departments. Teaching in GCHQ's cyber summer school was where James felt a shift in his career. As a company founder, he shares that he is very driven, very fast and also very caring. James offers advice to those looking to get into the industry recommending they chase what interests them rather than certifications. We thank James for sharing his story with us.
Nov 22, 2020
Misconfigured identity and access management (IAM) is much more widespread. [Research Saturday]
1256
Identity and access are intrinsically connected when providing security to cloud platforms. But security is only effective when environments are properly configured and maintained. In the 2H 2020 edition of the biannual Unit 42 Cloud Threat Report, researchers conducted Red Team exercises, scanned public cloud data and pulled proprietary Palo Alto Networks data to explore the threat landscape of identity and access management (IAM) and identify where organizations can improve their IAM configurations. During a Red Team exercise, Unit 42 researchers were able to discover and leverage IAM misconfigurations to obtain admin access to a customer’s entire Amazon Web Services (AWS) cloud environment – a potentially multi-million dollar data breach in the real-world. These examples highlight just how serious the failure to secure IAM can be for an organization. Joining us in this week's Research Saturday to discuss the report for Palo Alto Networks' Unit 42 is CSO of Public Cloud, Matt Chiodi. The research can be found here: Highlights from the Unit 42 Cloud Threat Report, 2H 2020
Nov 21, 2020
Prime Minister Johnson tells Parliament about the National Cyber Force. Vietnam squeezes Facebook. Chinese cyberespionage. SEO poisoning. Printing ransom notes. CISA leadership.
1592
Her Majesty’s Government discloses the existence of a National Cyber Force. Hanoi tells Facebook to crack down on posts critical of Vietnam’s government. Chinese cyberespionage campaign targets Japanese companies. Egregor ransomware prints its extortion notes in hard copy. SEO poisoning with bad reviews. Mike Benjamin from Lumen on credential stuffing and password spraying. Our guest is Mark Forman from SAIC with a look at government agencies' COVID-19 response. And CISA may have a permanent director inbound. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/225
Nov 20, 2020
Haunted virtual meetings. AWS APIs share vulnerabilities. US Intelligence Community conducts a post mortem on 2020 foreign election interference. Meet the future (a lot like the present, only moreso).
1474
Ghosts in the virtual machines. Cloudbursts in the forecast. The US Intelligence Community is preparing a report on foreign election interference. CISA has a new interim director. A view of the threat landscape from Canada. Caleb Barlow from Cynergistek on reclassifying the internet as critical infrastructure. Our guests are Shai Cohen and Brooke Snelling from TransUnion on building trust in a digital consumer landscape. And a look into the near future. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/224
Nov 19, 2020
Dream a FunnyDream of me. US CISA Director dismissed. Facebook, Twitter CEOs virtually visit the US Senate. Huawei CFO extradition update. Bad passwords.
1439
FunnyDream? No, it’s real: a cyberespionage crew operating against Southeast Asian governments. President Trump fires US CISA Director Krebs. Twitter and Facebook CEOs testify before the Senate as legislators consider Section 230. The extradition hearing for Huawei’s CFO continues in Vancouver. Joe Carrigan looks at fleeceware on the Google Play store. Rick Howard speaks with Tenable’s Steve Vintz on communication between C-Suites and security teams. And the most common passwords in 2020 are now out, and “password” only comes in at Number 4. We’re not sure that really represents progress, because wait ‘til you hear Number 1. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/223
Nov 18, 2020
Hidden Cobra’s new tricks. Notes from the criminal underground. Draft EU data transfer regulations. And the coming ape-man disinformation.
1380
Hidden Cobra inserts Lazarus malware into security management chains. Malsmoke malvertizing doesn’t need exploit kits, anymore. Ransomware operators shift toward social engineering as the ransomware-as-a-service criminal market flourishes. Draft EU data transfer regulations implement the Schrems II decision. Robert M. Lee from Dragos shares a little love for the lesser-known areas of ICS security. Our guest is Greg Smith from CAMI with insights on promoting cyber capabilities at the state level. And the next thing in disinformation? No surprises here: it’s COVID-19 vaccines. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/222
Nov 17, 2020
Cyberespionage and international norms of conduct in cyberspace. DarkSide establishes storage options for its affiliates. TroubleGrabber in Discord. Unapplied patches.
1536
Nation-states continue to probe COVID-19 vaccine researchers. The Global Commission on the Stability of Cyberspace proposes international norms for promoting stability in cyberspace. DarkSide ransomware-as-a-service operators sweeten their offer with storage options. TroubleGrabber is stealing credentials via Discord. SAD DNS code pulled from GitHub. Betsy Carmelite from Booz Allen with a forward-looking view of 5G. Rick Howard takes a look at SOAR. Many patches remain unapplied, and CMMS wants US Defense contractors to move toward positive security.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/221
Nov 16, 2020
Malek Ben Salem: Taking those challenges. [R&D] [Career Notes]
351
Americas Security R&D Lead for Accenture Malek Ben Salem shares how she pivoted from her love of math and background in electrical engineering to a career in cybersecurity R&D. Malek talks about her interest in astrophysics as a young girl, and how her affinity for math and taking on challenges lead her to a degree in electrical engineering. She grew her career using math for data mining and forecasting eventually pursuing a masters and PhD in computer science where she shifted her focus to cybersecurity. Malek now develops and applies new AI techniques to solve security problems at Accenture. We thank Malek for sharing her story with us.
Nov 15, 2020
That first CVE was a fun find, for sure. [Research Saturday]
1731
In the late 90s, hackers who discovered vulnerabilities would sometimes send an email to Bugtraq with details. Bugtraq was a notification system used by people with an interest in network security. It was also a place that might have been monitored by employees of software companies looking for reports of vulnerabilities pertaining to their software. The problem was - there wasn't an easy way to track specific vulnerabilities in specific products.  It was May 1999. Larry Cashdollar was working as a system administrator for Bath Iron Works under contract by Computer Sciences Corporation. Specifically, he was a UNIX Systems Administrator, level one. His team managed over 3,000 UNIX systems across BIW's campuses. Most of these were CAD systems used for designing AEGIS class destroyers. This position gave me access to over 3,000 various flavors of UNIX ranging from Sun Solaris to IBM AIX. Joining us in this week's Research Saturday to discuss his journey from finding that first CVE through the next 20 years and hundreds of CVEs is Akamai Senior Response Engineer Larry Cashdollar. The research can be found here:  MUSIC TO HACK TO: MY FIRST CVE AND 20 YEARS OF VULNERABILITY RESEARCH
Nov 14, 2020
CISA offers its assessment (high) of US election security. An alleged GRU front media group is fingered. Notes on cybercrime, and one cheap proof-of-concept.
1525
CISA says US elections were secure, that recounts are to be expected in tight races. (But election-themed malspam continues, of course.) A news platform is flagged as a GRU front. A new ransomware strain takes payment through an Iranian Bitcoin exchange. The Jupyter information-stealer is out and active. David Dufour on detecting deepfakes and misinformation. Dr. Jessica Barker on her new book Confident Cyber Security - How to Get Started in Cyber Security and Futureproof Your Career. And PlunderVolt is a $30 proof-of-concept. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/220
Nov 13, 2020
An overview of threat actors, two proofs of concept, and an IoT botnet bothers the cloud. Patch Tuesday notes. And control yourself, sir.
1461
BlackBerry tracks a mercenary group providing cyberespionage services. A rundown from Dragos on threat actors engaging with industrial targets. An Iot botnet is active in the cloud. A research team offers a new proof-of-concept for DNS cache poisoning, and another group of researchers demonstrates a novel power side-channel attack. Patch Tuesday notes. Joe Carrigan wonders if you’re likely to get your money’s worth when paying baddies. Our guest is Michael Daniel from the CTA on the merging fields of cybersecurity and information operations. And a pro-tip: you do know that they can usually see you on Zoom, right? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/219
Nov 12, 2020
remote access Trojan or RAT (noun) [Word Notes]
252
As we are not publishing in observance of Veterans Day, we thought you might like to check out a couple of episodes of our weekly Word Notes short form podcast that comes out on Tuesdays. Check it out and subscribe today! From the intrusion kill chain model, a program that provides command and control services for an attack campaign. While the first ever deployed RAT is unknown, one early example is Back Orifice made famous by the notorious hacktivist group called “The Cult of the Dead Cow,” or cDc, Back Orifice was written by the hacker, Sir Dystic AKA Josh Bookbinder and released to the public at DEFCON in 1998.
Nov 11, 2020
shadow IT (noun) [Word Notes]
264
As we are not publishing in observance of Veterans Day, we thought you might like to check out a couple of episodes of our weekly Word Notes short form podcast that comes out on Tuesdays. Check it out and subscribe today! Technology, software and hardware deployed without explicit organizational approval. In the early days of the computer era from the 1980s through the 2000s security and information system practitioners considered shadow IT as completely negative. Those unauthorized systems were nothing more than a hindrance that created more technical debt in organizations that were already swimming in it with the known and authorized systems. 
Nov 11, 2020
A look at what’s up in some of the criminal markets. The continued resilience of TrickBot. What you can buy for $155,000.
1442
Criminals get the news like everyone else, and online crime continues to follow current events. It’s up, it’s down, it’s up again--forget it: it’s TrickBot. A cyber incident affects computer maker Compal. Zoom settles an FTC complaint. Price check in the criminal markets. Ben Yelin on a Canadian shopping mall's collection of over 5 million shopper's images. Our guest is Ben Brook from Transcend with best practices in privacy and data protections.And spare a thought for a veteran tomorrow. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/218
Nov 10, 2020
Supply chain security. New cyberespionage from OceanLotus. Data breaches expose customer information. And GCHQ has had quite enough of this vaccine nonsense, thank you very much.
1497
Alerts and guidelines on securing the software supply chain (and the hardware supply chain, too). OceanLotus is back with its watering holes. Two significant breaches are disclosed. Malek Ben Salem from Accenture Labs explains privacy attacks on machine learning. Rick Howard brings the Hash Table in on containers. And, hey, we hear there’s weird stuff out there about vaccines, but GCHQ is on the case. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/217
Nov 09, 2020
Richard Clarke: From presidential inspiration to cybersecurity policy pioneer. [Policy] [Career Notes]
404
CEO and consultant Richard Clarke took his inspiration from President John F Kennedy and turned it into the first cybersecurity position in federal government. Determined to help change the mindset of war, Richard went to work for the Department of Defense at the Pentagon following college during the Vietnam War. From Assistant Secretary of the State Department, he moved to the White House to work for President George W. Bush's administration where he kept an eye on Al-Qaeda and was tasked to take on cybersecurity. Lacking any books or courses to give him a basic understanding of cybersecurity, Richard made it his mission to raise the level of cybersecurity knowledge. Currently as Chairman and CEO at Good Harbor Security Risk Management, Richard advises CISOs. We thank Richard for sharing his story with us.
Nov 08, 2020
PoetRAT: a complete lack of operational security. [Research Saturday]
1335
Cisco Talos discovered PoetRAT earlier this year. Since then, they observed multiple new campaigns indicating a change in the actor's capabilities and showing their maturity toward better operational security. They assess with medium confidence this actor continues to use spear-phishing attacks to lure a user to download a malicious document from temporary hosting providers. They currently believe the malware comes from malicious URLs included in the email, resulting in the user clicking and downloading a malicious document. These Word documents continue to contain malicious macros, which in turn download additional payloads once the attacker sets their sites on a particular victim. As the geopolitical tensions grow in Azerbaijan with neighboring countries, this is no doubt a stage of espionage with national security implications being deployed by a malicious actor with a specific interest in various Azerbajiani government departments. Joining us in this week's Research Saturday to discuss the research from Cisco's Talos Outreach is Craig Williams. The research can be found here:  PoetRAT: Malware targeting public and private sector in Azerbaijan evolves
Nov 07, 2020
IRGC domains taken down. A look at 2021’s threatscape. Russia says its didn’t do anything (others see Bears.) Forfeiture of Silk Road’s hitherto unaccounted for billion-plus dollars.
1548
The US Justice Department takes down twenty-seven domains being used by Iran’s Islamic Revolutionary Guard Corps. Booz Allen offers its take on the 2021 threatscape. Russia declares itself innocent of bad behavior in cyberspace, but many remain skeptical. Johannes Ullrich from SANS looks at Supply Chain Risks and Managed Service Providers. Our own Rick Howard speaks with Wired’s Andy Greenberg about the recent Sandworm indictments. Silk Road’s mission billion dollars appear to have been found, and the US Government is working on a forfeiture action. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/216
Nov 06, 2020
CISA’s happy but still wary. Election-themed criminal malspam. New ransomware goes after VMs. Why it makes no sense to trust extortionists.
1417
CISA declares a modest but satisfying victory for election security, but cautions that it’s not over yet. Criminal gangs are using election-themed phishbait in malspam campaigns. A new strain of ransomware attacks virtual machines. Robert M. Lee from Dragos on the impact climate change could have on ICS security. Our guest is Kelly White of RiskRecon on healthcare organizations managing risk across extensive third party relationships. And if you wondered if the criminals who offered to securely destroy the data they stole if the victims paid the ransom, well, signs point to “no.” For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/215
Nov 05, 2020
US elections: CISA calls security success, but reminds all that it’s not over yet. Notes from the cyber underground. Two more indictments in cyberstalking case.
1417
Election security, hunting forward, rumor control, and the value of preparation. Maze may be gone (so its proprietors say) but its affiliate market has moved on to Egregor ransomware-as-a-service. An illicit forum has leaked large repositories of personal information online. Joe Carrigan shares thoughts on hospital systems getting hit by ransomware. Our guest is Alan Radford from One Identity who wonders whether robots should have identities. And two more ex-eBayers are indicted in the Massachusetts cyberstalking case.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/214
Nov 04, 2020
Election security updates from CISA. Maze says it’s out of business (and never really existed). Edward Snowden wants dual Russian-US citizenship. A botmaster goes up river.
1407
Notes on Election Day security, from CISA. The Maze gang finally releases its press release announcing that it’s going out of business. Mr. Snowden applies for dual Russian-American citizenship. Ben Yelin shares his thoughts on Mark Zuckerberg’s recent Senate testimony. Our guest is Karlo Zanki from Reversing Labs on Hidden Cobra. And a botmaster gets eight years after copping a US Federal guilty plea to conspiracy. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/213
Nov 03, 2020
Another look at North Korean cyberespionage. Phishing with Google Docs. How Iran obtained US voter information. Election security enters its endgame.
1551
Another look at Pyongyang’s Kimsuky campaign. Phishing with bogus Google Docs. How Tehran got its hands on voter information. Rick Howard looks at containers and serverless functions. Malek Ben Salem shares the results of Accenture’s 2020 Cyber Threatscape report. And looking ahead to the election influence endgame. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/212
Nov 02, 2020
David Sanger on the HBO documentary based off his book, "The Perfect Weapon". [Special Edition]
1440
On this Special Edition, our extended conversation with author and New York Times national security correspondent David E. Sanger. The Perfect Weapon explores the rise of cyber conflict as the primary way nations now compete with and sabotage one another. ‌
Nov 01, 2020
Carole Theriault: Constantly learning new things. [Media] [Career Notes]
464
Communications consultant and podcaster Carole Theriault always loved radio and through her career dabbled in many areas .She landed in a communications and podcasting role where she helps technical firms create audio and digital content. In fact, Carole is the CyberWire's UK Correspondent. She says cybersecurity is good place to go because of the many different avenues available and "you don't even have to be a tech head" (though Carole has quite a technical pedigree). Our thanks to Carole for sharing her story with us. 
Nov 01, 2020
Leveraging for a bigger objective. [Research Saturday]
1559
The U.S. government has charged seven men in relation to hundreds of cyber attacks against organizations in the U.S. and multiple other countries in Asia and Europe. Two of the men, who were based in Malaysia, were arrested and their extradition to the U.S. has been requested. The other five are based in China and remain at large. The attacks were attributed to a China-linked organization dubbed APT41 and involved a combination of intellectual property theft and financially motivated cyber crime. While some of our peers monitor APT41 as a single operation, Symantec regards it as two distinct actors: Grayfly and Blackfly. Joining us in this week's Research Saturday to discuss the research from Symantec's Threat Hunter Team is Jon DiMaggio. The research can be found here:  APT41: Indictments Put Chinese Espionage Group in the Spotlight
Oct 31, 2020
Ransomware epidemic during the pandemic. Cyber insurance and state actors. Cyberstalking. Don’t exaggerate election meddling. Reflections on National Cybersecurity Awareness Month.
1620
Ransomware becomes endemic in the healthcare sector. Cyber metaphors--we read a good one this morning. Does your cyber insurance indemnify you against state-sponsored attacks? More guilty pleas in the ex-eBayers’ cyberstalking case. US Cyber Command and others advise everyone not to see foreign election meddling where it isn’t. David Defour looks at the spookiest malware of 2020. Our guest is Travis Leblanc from Cooley on the European court Invalidating the EU-US Privacy Shield. And what do we make of National Cybersecurity Awareness Month as it recedes into our collective rearview mirror? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/211
Oct 30, 2020
The Malware Mash!
185
Oct 30, 2020
Familiar threat actors are back in the news. Big Tech’s testimony on Capitol Hill had less to do with Section 230 than many had foreseen.
1327
Some familiar threat actors--both nation-states and criminal gangs--return to the news: Venomous Bear, Charming Kitten, Wizard Spider, and Maze. Mike Benjamin from Lumen looks at the Mozi malware family. Our guest is Neal Dennis from Cyware on why it's time for organizations to step up their data sharing. And Big Tech’s day on Capitol Hill involved more discussion of censorship and bias than it did Section 230 of the Communications Decency Act. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/210
Oct 29, 2020
Warnings about the DPRK’s Kimsuky Group. Election security in the US during the endgame. Section 220 and Big Tech. Another guilty plea in the eBay-related cyberstalking case.
1454
US authorities warn that North Korea’s Kimsuky APT is out and about and bent on espionage, with a little cryptojacking on the side. As the US elections enter their endgame, observers point out that the appearance of hacking can be just as effective for foreign influence operations as the reality. CISA continues to tweet rumor control and election reassurance. Joe Carirgan share developments in end-to-end encryption. Our guest is Bilyana Lilly from RAND on Russia’s strategic messaging on social media (and the disinformation that may be a part of it). Big Tech returns to Capitol Hill. And another guilty plea in the strange case of eBay-related cyberstalking. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/209
Oct 28, 2020
Election phishing, without hook, but with line and sinker? Data breaches, and the importance of prompt disclosure. Misplaced hacktivist sympathy.
1505
EI-ISAC reports a curious election-related phishing campaign, widespread, but indifferently coordinated and without an obvious motive. Nitro discloses a “low impact security incident.” A breach at a law firm affects current and former Googlers. Finnish psychological clinic Vastaamo dismisses its CEO for not disclosing a breach promptly. Ben Yelin looks at a controversial White House to divvy up 5G spectrum. Carole Theriault shares results from Panaseer’s 2020 GRC Peer Report. And a terrorist murder finds support online. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/208
Oct 27, 2020
Russian research institute sanctioned for its role in Triton/Trisis. Coordinated inauthenticity in Myanmar. Clean Network program update. Major data breach in Finland.
1581
The US Treasury Department sanctions a Russian research institute for its role in the Triton/Trisis ICS malware attacks. Coordinated inauthenticity with a commercial as well as a political purpose. The Clean Network project gains ground in Central and Eastern Europe. Rob Lee from Dragos on insights on the recent DOJ indictments of Russians allegedly responsible for the Sandworm campaign. Rick Howard explores SD-WANs. Data breaches afflict a large Finnish psychiatric institute. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/207
Oct 26, 2020
Sal Aurigemma: How things work. [Education] [Career Notes]
437
Associate Professor of Computer Information Systems at the University of Tulsa Sal Aurigemma shares how his interest in how things worked shaped his career path in nuclear power and computers, Being introduced to computers in high school and learning about the Chernobyl event led Sal to study nuclear engineering followed by time in the Navy as a submarine officer. On the submarine, Sal had to understand how systems worked from soup to nuts and that let him back to IT. As a computer engineer, Sal spent a lot of time on network troubleshooting and was eventually introduced to cybersecurity. Following 9/11, cybersecurity took on greater importance. Sal's research focuses on behavioral cybersecurity. To newcomers, he suggests heading into things with an open mind and doesn't recommend giving users 24-character passwords that have two upper, two lower, and two special characters that cannot be written down. We thank Sal for sharing his story with us.
Oct 25, 2020
Just saying there are attacks is not enough. [Research Saturday]
1673
Ben-Gurion University researchers have developed a new artificial intelligence technique that will protect medical devices from malicious operating instructions in a cyberattack as well as other human and system errors. Complex medical devices such as CT (computed tomography), MRI (magnetic resonance imaging) and ultrasound machines are controlled by instructions sent from a host PC. Abnormal or anomalous instructions introduce many potentially harmful threats to patients, such as radiation overexposure, manipulation of device components or functional manipulation of medical images. Threats can occur due to cyberattacks, human errors such as a technician's configuration mistake or host PC software bugs. As part of his Ph.D. research, Tom Mahler has developed a technique using artificial intelligence that analyzes the instructions sent from the PC to the physical components using a new architecture for the detection of anomalous instructions. Joining us in this week's Research Saturday to discuss his research is CBG - Cyber@Ben Gurion University's Tom Mahler. The research can be found here:  A Dual-Layer Architecture for the Protection of Medical Devices from Anomalous Instructions
Oct 24, 2020
Energetic Bear’s battlespace preparation. Selling voter and consumer personal data. GRU, Qods Force sanctioned. How they knew that Iran dunnit.
1539
Energetic Bear is back, and maybe getting ready to go berserk in a network near you, Mr. and Mrs. United States. Someone’s selling publicly available voter and consumer information on the dark web. Sanctions against the GRU for the Bundestag hack. The US sanctions Qods Force and associated organizations for disinformation efforts. Johannes Ullrich has tips for preventing burnout. Our Rick Howard speaks with author David Sanger about his new HBO documentary The Perfect Weapon. How Iran was caught in the emailed voter threat campaign. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/205
Oct 23, 2020
Recent email threats to US voters appear to be an Iranian operation. Notes on cyberespionage and influence operations. Hold the “blatant Russophobia,” TASS?
1350
Emailed election threats to US voters are identified as an Iranian influence operation, disruptive, and so more in the Russian style. Both Iran and Russia appear to be preparing direct marketing influence campaigns. Cyber criminals are also exploiting US election news as phishbait. Seedworm is said to be ‘retooling.” Caleb Barlow from Cynergistek on contact tracing and privacy as students head back to school. Our guest is Jadee Hanson from Code 42 on juggling priorities and protecting her organization as external and internal threats constantly take aim. And TASS deplores the “blatant Russophobia” of recent Five Eyes’ official remarks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/205
Oct 22, 2020
TrickBot’s return is interrupted. Election rumor control. Supply chain security. Securing the Olympics. NSS Labs closes down.
1365
TrickBot came back, but so did its nemesis from Redmond--Microsoft and its partners have taken down most of the new infrastructure the gang reestablished. CISA publishes election rumor control. The Cyberspace Solarium Commission has a white paper on supply chain security. Japan says it will take steps to secure next summer’s Olympics. Joe Carrigan takes issue with Twitter and Facebook limiting the spread of published news stories. Our guest is Carolyn Crandall from Attivo with a look at the market for cyber deception tools. And a familiar name exits the industry. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/204
Oct 21, 2020
International cyberespionage: China and Russia versus the Five Eyes and others. Google faces an anti-trust suit. Abandonware.
1475
America’s NSA reviews twenty-five vulnerabilities under active exploitation by Chinese intelligence services. The UK’s NCSC accuses the GRU of more international cyberattacks. The US Justice Department brings its long-expected anti-trust suit against Google. Ben Yelin examines overly invasive company Zoom policies. Our guest is Jessica Gulick from Katczy with a visit to the Cyber Carnival Games. And a warning on “abandonware.” For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/203
Oct 20, 2020
Influence operations and cyber probes of presidential campaigns. TrickBot’s recovery. Remote learning woes. Port facilities in Iran reported to have been targeted in cyberattacks.
1669
Updates on influence ops and campaign hacking show that the opposition has its troubles, too. TrickBot operators seem to have returned to business. Schools’ remote learning programs are providing attractive targets for cybercriminals. Iranian news outlets say ports were the targets of last week’s cyberattacks. David Dufour explains how phishing campaigns capitalized on a global crisis. And Charlie Tibor says, “hello world” (we paraphrase). For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/202
Oct 19, 2020
Rosa Smothers: Secure the planet. [Career Notes]
407
Senior VP of Cyber Operations at KnowBe4, Rosa Smothers, talks about her career as an early cybersecurity professional in what she describes as the Wild, Wild West to her path through government intelligence work. Rosa shares how she always knew she wanted to be involved with computers and how being a big Star Trek nerd and fan particularly of Spock and Uhura helped shape her direction. Following 9/11, Rosa wanted to work for the government and pursue the bad guys and she did just that completing her bachelor's degree and starting in the Defense Intelligence Agency as a cyber threat analyst focusing on extremist groups. She joined the CIA and worked on things you see in the movies, things that are science fictionesque. Rosa recommends talking with people to get your feet wet to find your passion. We thank Rosa for sharing her story with us.
Oct 18, 2020
Intentionally not drawing attention. [Research Saturday]
1554
Bitdefender researchers recently uncovered a sophisticated APT-style attack targeting an international architectural and video production company. The attack shows signs of industrial espionage, similar to another of Bitdefender’s recent investigations of the StrongPity APT group. The real-estate industry is highly competitive, and information exfiltrated by APT mercenary group can give negotiation advantages to other players in high-profile real-estate contracts. While APT groups traditionally could only be afforded by governments or were financially motivated purely out of self-interest, they recently appear to have become a commodity. Joining us in this week's Research Saturday to discuss the research is Global Cybersecurity Researcher Liviu Arsene from Bitdefender. The research can be found here:  APT Hackers for Hire Used for Industrial Espionage
Oct 17, 2020
Misdirection and redirection. Content moderation, influence operations, and Section 230. Money-laundering gang taken down. And no wolves in Nova Scotia.
1517
Phishing through redirector domains. Content moderation, influence operations, and Section 230. A Twitter outage is due to an error, not an attack. QQAAZZ money-laundering gang members indicted. Johannes Ullrich tracks Mirai Bots going after Amanda backups. Our guest is Richard Hummel from Netscout with research on cybersecurity trends and forecasts. And some ruminations about range safety for cyber exercises.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/201
Oct 16, 2020
Disinformation, foreign and domestic. Content moderation, always harder than it seems. US Cyber Command’s defend forward doctrine.
1537
Tehran says this week’s cyberattacks are under investigation. Silent Librarian returns to campus for academic year 2020-2021. Crooks are posing as nation-state hackers. Domestic disinformation reported in Guinea and Ghana. Disinformation, content moderation, and the difficulties presented by both. US Cyber Command’s forward engagement campaign. Mike Benjamin from Lumen on how bad actors reuse infrastructure. Our guest is Ralph Sita from Cybrary with a look at their "Skills Gap" research report. And an extended meditation on the Scunthorpe Problem. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/200
Oct 15, 2020
Cyber conflict and cyberespionage. Social engineering as a turnstile business. Inside a social engineering campaign. A warning about fraudulent unemployment claims.
1400
Reports of cyberattacks against Iranian government and, possibly, economic targets, are circulating, but details are sparse. Norway accuses Russia of hacking parliamentary emails. A cybercriminal gang’s secret is volume. A social engineering campaign singles out victims with US IP addresses. Joe Carrigan on a million dollar REvil recruitment offer. Our guest is Paul Nicholson from A10 Networks with a look at the "State of DDoS Weapons". And the US Treasury Department warns banks to be on the lookout for signs of unemployment fraud. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/199
Oct 14, 2020
Suppressing Trickbot: cyber warfare and cyber lawfare. Chaining vulnerabilities. An intergovernmental call for backdoors in the aid of law enforcement.
1479
Trickbot gets hit by both US Cyber Command and an industry team led by Microsoft. CISA and the FBI warn that an unnamed threat actor is chaining vulnerabilities, including Zerologon, to gain access to infrastructure and government targets. Ben Yelin shares his thoughts on the US House’s report on monopoly status for some of tech's biggest players. Our guest is David Higgins from CyberArk on how work from home has put a light on privilege access security. And the Five Eyes plus two call for legal access to encrypted communications. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/198
Oct 13, 2020
Rigging the game. [Caveat]
2500
Ben describes a decades-long global espionage campaign alleged to have been carried out by the CIA and NSA, Dave shares a story about the feds using cell phone location data for immigration enforcement, and later in the show our conversation with Drew Harwell from the Washington Post on his article on how Colleges are turning students’ phones into surveillance machines. Links to stories: ‘The intelligence coup of the century’ RIGGING THE GAME Spy sting Federal Agencies Use Cellphone Location Data for Immigration Enforcement Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.
Oct 12, 2020
Geoff White: Suddenly all of the pieces start to line up. [Career Notes]
451
Investigative journalist and author Geoff White talks about tracing a line through the dots of his career covering technology. Geoff shares that he has always been "quite geeky," but came to covering technology after several roles in the journalism industry. Newspapers, magazines and television were all media Geoff worked in before covering technology. Geoff got into journalism not due to the glamour sometimes associated with it, but because he wanted to fight for the public to cover stories that helped those who didn't have massive amounts of money, power or a huge lobbying campaign in political circles. When writing his book, Crime Dot Com, Geoff reflected on the cybercrime and cybersecurity stories he's covered and saw how things started falling into place. Our thanks to Geoff for sharing his story with us. 
Oct 11, 2020
It's still possible to find ways to break out. [Research Saturday]
1214
Containers offer speed, performance, and portability, but do they actually contain? While they try their best, the shared kernel is a disturbing attack surface: a mere kernel vulnerability may allow containerized processes to escape and compromise the host. This issue prompted a new wave of sandboxing tools that use either unikernels, lightweight VMs or userspace-kernels to separate the host OS from the container's OS. One of these solutions is Kata Containers, a container runtime that spawns each container inside a lightweight VM, and can function as the underlying runtime in Docker and Kubernetes. Kata's virtualized containers provide two layers of isolation: even if an attacker breaks out of the container, he is still confined to the microVM. Joining us in this week's Research Saturday to discuss the research is Yuval Avrahami from Palo Alto Networks Unit 42. The research presented at Black Hat USA 2020 can be found here:  Escaping Virtualized Containers
Oct 10, 2020
A Parliamentary report alleges active Huawei cooperation with Chinese intelligence. Coordinated inauthenticity, mostly focused on domestic opinion. Guilty pleas from former eBayers.
1502
A Parliamentary committee issues a scathing report on Huawei’s connection to the Chinese government and the Communist Party of China. Facebook takes down coordinated inauthenticity with a domestic focus in four countries. Twitter goes after influence operators in four other countries. Betsy Carmelite addresses threats to telehealth platforms. Our guests are the FBI’s Herb Stapleton and the US Secret Service’s Greg McAleer new multi-agency mission center to tackle the highest priority cyber criminal threats facing the US. And two of the former eBayers charged in a cyber-stalking case have taken their expected guilty pleas. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/197
Oct 09, 2020
Bahamut’s hackers-for-hire. SlothfulMedia looks made-in-China. Domains run by IRGC seized. Phishbait uses current events as chum. Who dunnit? Not us, or rather, prove it, says Moscow.
1411
Add the Bahamut cyber mercenaries to the shadow armies for hire in cyberspace. Reports associate the SlothfulMedia RAT with Chinese intelligence services, and claim that it’s being used against India and China. The US takes down domains the Islamic Revolutionary Guard Corps uses to push disinformation. Trends in phishbait. Caleb Barlow rethinks a TED talk he gave a while back, given what we’ve learned from COVID-19. Our guest is Dr. Greg Rattray from Next Peak on 'Advanced Persistent Threats' a term, by the way, that he coined. And Moscow says, hey, we don’t meddle in anyone’s elections. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/196
Oct 08, 2020
Cyber conflict in the Caucasus. Zerologon exploited in the wild. Emotet rising. The Four Horsemen of Silicon Valley. Alt-coin regulation. DDoS in Honolulu.
1401
Cyber ops accompany fighting in the Caucasus. Iranian threat group exploits Zerologon in the wild. The Kraken gets unleashed in Southeast Asia, of all places. Emotet is back, and it’s after state and local governments. The US House identifies the Four Horsemen of Silicon Valley. Monero gains criminal market share. The US Comptroller of the Currency moves for clarity in alt-coin regulation. Joe Carrigan takes a look at ransomware trends. Our guest is Mathew Newfield from Unisys with remote school safety tips for students and parents. And a cyberattack from Waikiki. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/195
Oct 07, 2020
New, Mirai-based threat in the wild. PLA told to steer clear of US election stories. Big data in small spreadsheets. John McAfee arrested. A hackable marital (or something) aid.
1416
Spyware version of Mirai detected in the wild. The People’s Liberation Army is told, by its government, to lighten up on US election stories. Centripetal wins a major patent lawsuit. Excel is not a big data tool. John McAfee is arrested on US tax charges. Our guest is Roger Barranco from Akamai on tracking increased DDoS attacks. Ben Yelin on a case involving warrants for Wifi location data. And an aid to chastity is found to be hackable, but at least it errs on the side of continence. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/194
Oct 06, 2020
Maritime shipping hacks remind observers of NotPetya. Spyware through the firmware. New ransomware strain. Huawei in Europe. Go ahead, Lefty, give ‘em your fingerprints.
1436
Attacks on maritime shipping organizations raise concerns about global supply chains. Someone’s pushing spyware through the firmware. Someone else is messing with the heads of Trickbot’s masters. A new ransomware strain, Egregor, shows again that a ransomware attack amounts to a data breach. Huawei may be losing ground in Europe. Mike Benjamin from Lumen on DDoS ransoms. Scott Algeier from IT-ISAC looks back on 20 years of information sharing. And criminals give their fingerprints to police, virtually. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/193
Oct 05, 2020
Diane M. Janosek: It's only together that we are going to rise. [Career Notes]
439
Commandant for the National Security Agency's National Cryptologic School Diane M. Janosek shares the story of her career going global Diane explains how she's always been drawn to doing things that could help and raise the nation. From a position as a law clerk during law school, to the role of a judicial clerk, and joining the White House Counsel's office, Diane was exposed to many things and felt she experienced the full circle. Moving on to the Pentagon and finally, the NSA, Diane transitioned into her current role where she orchestrates the educational environment for military and civilian cyber and cryptologists worldwide for the nation. Diane encourages those who love to learn to join the multidisciplinary cybersecurity field. Our thanks to Diane for sharing her story with us. 
Oct 04, 2020
Smaug: Ransomware-as-a-service drag(s)on. [Research Saturday]
1432
Threat actors and cybercriminals that don’t have the ability to develop their own ransomware for malicious campaigns can turn to the Smaug Ransomware as a Service (RaaS) offering, which is available via a Dark Web Onion site. At least two threat actors are operating the site, providing ransomware that can be used to target Windows, macOS, and Linux machines. The site is built with ease of use in mind. To launch an attack, threat actors simply need to sign up, create a campaign, and then start distributing the malware. The site also handles decryption key purchasing and tracking for victims. Joining us in this week's Research Saturday to discuss the research is Anomali's Joakim Kennedy and Rory Gould. The research can be found here:  Anomali Threat Research Releases First Public Analysis of Smaug Ransomware as a Service
Oct 03, 2020
CISA and Cyber Command describe a new RAT. Emotet spams Team Blue. Spyware campaigns described. Maritime sector hacks. And another reason not to pay the ransom.
1612
SlothfulMedia is the new RAT in town. Emotet spam counts on political commitments. ESET describes two distinct spyware campaigns in the Middle East and Eastern Europe. Hackers are paying more attention than usual to the maritime sector. Awais Rashid from the University of Bristol on privacy concerns of contact tracing apps. Our guest is Krystle Portocarrero from Juniper Networks on the continued rise of encryption and the technical and privacy challenges that come with it. And the US Treasury Department cautions all that paying up in a ransomware attack might land you in sanctions hot water. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/192
Oct 02, 2020
Ransomware incidents: worse than feared. And some of them pose a threat to patient safety. A Fancy Bear sighting? Glitch suspends trading in Tokyo.
1410
Two ransomware incidents now seem worse than originally believed. Hacking hospitals raises concerns for patient safety. It appears Fancy Bear was the group that hacked the US Federal agency CISA warned about recently. Chris Novak from Verizon considers whether investigations should be performed under attorney client privilege and if that privilege will hold. Alex Mosher from MobileIron explains how yours truly got phished. With Cookies. And interruptions to trading on Japan’s exchanges seem to be due to technical problems, and not to cyberattack. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/191
Oct 01, 2020
Opportunistic paydays and soft targets. Crooks use captchas and padlocks, too. Protecting against Zerologon. A microelectronics strategy.
1413
Ransomware gangs continue to look for an opportunistic payday. Another exposed database is found, and secured. Captchas and padlock icons have their place, but they’re not a guarantee of security. Microsoft explains how to reduce exposure to Zerologon. The US looks to reduce dependence on foreign microelectronics. Joe Carrigan has thoughts on Facebook running SuperPAC ads. Our guest is Sanjay Gupta from Mitek on how online marketplaces can balance security with biometrics. And there’s just one shopping day before National Cybersecurity Month. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/190
Sep 30, 2020
Ransomware versus shipping, hospitals, and schools. Cyberattacks’ growing sophistication. An interim rule enables implementation of the US Defense Department’s CMMC program.
1473
Three (count ‘em) three big ransomware attacks are in progress. One of them has moved into its doxing phase. Microsoft resolves authentication problems that briefly disrupted services yesterday. Tracking trends in cyberattacks--the sophistication seems to lie in the execution. The US Defense Department now has an interim rule implementing its CMMC program. Ben Yelin describes the extensive use of facial recognition software by the LAPD. Our guest is Christy Wyatt from Absolute on their Endpoint Resilience report. And why do hackers hack? To a large extent it seems they do so...because they can. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/189
Sep 29, 2020
Will no one rid me of this turbulent newsletter? US court delays TikTok ban. Microsoft takes down cyberespionage operation. Huawei’s CFO gets another day in court. REvil recruits.
1367
The TikTok ban has been delayed; the November goal for the company’s change in ownership still stands, at least for now. Microsoft takes down infrastructure used by a Chinese cyberespionage group. Huawei’s CFO returns to court in Vancouver. The UK shows some of its cyber offensive hand. DDoS in Hungary; malware in Texas. The strange and sad case of eBay and a newsletter. Rick Howard shares lessons learned from his CSO Perspectives podcast. Our guest is Thomas Etheridge from CrowdStrike on mitigating the risk of public cloud key compromises. And REvil wants to recruit more criminal affiliates. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/188
Sep 28, 2020
Richard Torres: Getting that level of experience is going to be crucial. [Career Notes]
464
Director of security operations at Syntax Richard Torres talks about his path leading him working in juvenile justice to becoming a private investigator to physical security at a nuclear power plant to cybersecurity presently. Always a fan of police shows, Richard became a member of the Air Force Junior ROTC in high school and began his path there. Richard shares the challenges of working in several facets of the security industry including his transition from SWAT team member to cybersecurity. He notes the role that diplomacy plays when you're trying to get honesty and be steered in the right direction. Our thanks to Richard for sharing his story with us. 
Sep 27, 2020
What came first, the Golden Chickens or more_eggs? [Research Saturday]
1191
Throughout March and April, QuoIntelligence (QuoINT) observed four attacks (i.e. sightings) utilizing various tools from the Golden Chickens (GC) Malware-as-a-Service (MaaS) portfolio – they recently declassified their findings, after first notifying their clients. Further, during their analysis of the sightings, QuoIntelligence confirmed the GC MaaS Operator, Badbullzvenom, released improved variants with code updates to three tools in the service portfolio. Joining us in this week's Research Saturday to discuss the research is QuoIntelligence's Vice President of Threat Intelligence, Chaz Hobson.  The research can be found here:  Latest Golden Chickens MaaS Tools Updates and Observed Attacks
Sep 26, 2020
Lots of coordinated inauthenticity, but a small return in influence. Confidence building in cyberspace? CISA reports finding that a Federal agency was hacked. Cyberattacks on hospitals are up.
1559
Facebook takes down three Russian networks for coordinated inauthenticity: a lot of activity but not much evident ROI. Russia calls for confidence-building measures in cyberspace. CISA detects a successful incursion into an unnamed Federal agency. Governments warn of heightened rates of cyberattacks against medical organizations. Mike Benjamin from Lumen joins us with details on Alina malware. Our guest is James Dawson with insights on how to best calibrate your security budget. And there’s a not-guilty plea in the case of the attempted bribery of a Tesla insider. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/187
Sep 25, 2020
Not the Gremlin from the Kremlin. Zerologn exploited in the wild. Cyberespionage phishing in NATO’s pond. US Treasury announces sanctions. Four guilty pleas coming in eBay cyberstalking case.
1376
Zerologon is being actively exploited in the wild. The OldGremlin ransomware gang picks on Russian targets. Thought Fancy Bear was done with NATO? (Think again.) The US Treasury Department sanctions more organizations and individuals for malign influence operations. Betsy Carmelite from BAH on vaccine laboratory cybersecurity. Our guest is Shena Tharnish from Comcast Business with insights for small businesses concerned with COVID-19 related phishing. And four of the defendants indicted in the eBay cyberstalking case have chosen their pleas. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/186
Sep 24, 2020
Naval Gazing around the South China Sea, and other disinformation. LokiBot is back in a big way. Darknet merchants busted. Cyber rioting along the Blue Nile.
1412
Facebook takes down coordinated inauthenticity. A ransomware-involved death is attributed to DoppelPaymer. CISA and the FBI warn of coming election disinformation. LokiBot is back in a big way. Operation DisrupTor collars a hundred-seventy Darknet contraband merchants. Joe Carrigan comments on the botched ransomware attack in Germany that led to a woman's death. Our guest is Matt Davey from 1Password on why single sign on isn’t a silver bullet for enterprise security. And patriotic hacktivism flares along the Blue Nile. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/185
Sep 23, 2020
Bing backend exposed, for a bit. CIA thinks Russian influence ops are top-directed. TikTok Global spin-off may not be enough. Destination automation. Hacks that weren’t, and one big guilty plea.
1420
In an unusual lapse, Microsoft briefly left a Bing backend server exposed online--now fixed. Sources say the CIA has concluded that Russian President Putin is personally involved in setting the direction of operations designed to influence the US elections, The deal to spin out TikTok Global to avoid a US ban may not be enough, Europe looks for more control over tech companies. Activision’s hack seems to be a mere rumor. Ben Yelin on section 230 of the communications decency act. Our guest is Ramon Pinero from Blackberry on the challenges of coordinating public services during the pandemic. And a Dark Overlord cops a plea. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/184
Sep 22, 2020
Patch by midnight, and reply by endorsement. Cerberus is howling; Rampant Kitten is yowling. TikTok and WeChat both get reprieves. German police want ransomware operators for homicide.
1501
CISA tells the Feds to patch Zerologon by midnight tonight. Cerberus surges after its source code is released. Rampant Kitten, an Iranian surveillance operation, is described. The US bans on WeChat and TikTok were both postponed. Justin Harvey from Accenture marks three years since wannacry with a look at ransomware. Our own Rick Howard on red and blue team operations. And police in Germany are looking for ransomware attackers on a homicide charge. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/183
Sep 21, 2020
The cybersecurity paradox. [CyberWire-X]
2171
The cybersecurity space is nothing if not crowded. Yet despite all the fantastic offers and promises being made by vendors, the sober reality persists that spending has not equated to improved security. Did you know that 80% of IT security budgets are focused on detection and containment controls, even though 70% of security experts believe that a greater focus on prevention would strengthen their security posture? Joining the conversation are Bob Olsen from Ankura giving his insight on the many options out there when buying cyber security systems and platforms. Later, we will be joined by Steve Salinas, Head of Product Marketing at Deep Instinct, as he addresses this paradox of why organizations are spending their scarce budget in ways that are contrary to their interests.
Sep 20, 2020
Monica Ruiz: Moving ahead when not many look like you. [Career Notes]
431
Cyber Initiative and Special Projects Fellow at the Hewlett Foundation Monica Ruiz shares her career development from aspirations of being a weather woman to her current role as a grantmaker and connector in cybersecurity. Monica discusses how her international study experience changed her outlook and brought her to the field of security. She shares the difficulties she faced as a woman of color when when not that many people look like you, and how she used that as her reason to move forward and better the cybersecurity field through her work. Our thanks to Monica for sharing her story with us. 
Sep 20, 2020
Election 2020: What to expect when we are electing. [Research Saturday]
1503
After the 2016 General Election, the talk was all around foreign meddling. Rumors swirled that some votes may have been changed or influenced by state-sponsored actors. Sanctions and accusations followed. Four years later, is the U.S. any more prepared to protect the results of its largest elections? More than you may realize. Talos researchers take a deep dive into election security after spending the past four years talking to local, state and national officials, performing their own independent research and even watching one state plan an election in real-time. Joining us in this week's Research Saturday to discuss the report on this timely topic is Cisco Talos' Matt Olney.  The research can be found here:  What to expect when you’re electing: Talos’ 2020 election security primer.
Sep 19, 2020
Sunday looks like sanction day for WeChat and TikTok. Grayfly and Blackfly (and APT41). Maze hides payloads in VMs. Ransomware is implicated in a death. Google Play housecleaning. Fox, chickencoop.
1576
The US Commerce Department announces a clampdown on TikTok and WeChat, to begin Sunday. An overview of the Grayfly and Blackfly units of APT41. Maze begins delivering payloads inside a VM. A ransomware attack on a Düsseldorf hospital is implicated in the death of a patient. Google wants less stalkerware and misrepresentation in the Play store. Caleb Barlow from Cynergistek on the Military's CMMC program. Our guest Galina Antova from Claroty highlights importance of secure remote access in industrial systems during times of crisis. And an alleged fox was allegedly guarding the henhouse. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/182
Sep 18, 2020
Criminal markets and the criminals who shop there. Elections may be safe and secure, but influence operations seem here to stay. TikTok’s state of play. Indictments and extraditions.
1477
Cerberus is available for free, the Empire Market’s old and betrayed customers are probably looking for another marketplace where English is spoken, and it seems the Russian mob is selling access to North Korea’s Lazarus Group. NSA thinks US elections will be safe and secure, but that influence operations are probably here to stay. Betsy Carmelite from BAH on medical device security, our guest is Jonathan Langer from Medigate on lessons to help clinical and IT leaders at institutions heavily affected by COVID-19. Two Iranians are indicted for espionage and theft, and more evidence allegedly surfaces of Huawei’s role in sanctions evasion.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/181
Sep 17, 2020
VPNs in Tehran’s crosshairs. US indictments of foreign cyber threat actors. Strife exacerbated by social media. ByteDance’s plan for TikTok.
1404
CISA and the FBI warn of extensive Iranian cyberattacks that exploit flaws in widely used VPNs. The US indicts two men for website defacements undertaken for the benefit of Iran, and in retribution for the US drone strike that killed Quds Force commander Soleimani. The US has also indicted seven in a cybercrime and cyberespionage wave conducted in conjunction with Wicked Panda. Ethiopian strife made worse by social media. Joe Carrigan describes scammers using fake alerts on web sites. Our guest is Kevin Ford, CISO of the state of North Dakota on their move to offer free anti-malware to all state k-12 institutions. And ByteDance’s plans for TikTok grow clearer. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/180
Sep 16, 2020
Zerologon: hey, patch already. CISA describes China’s cyberespionage techniques (and, hey, patch already). A data breach at the US Department of Veterans Affairs.
1377
Details of the Zerologon vulnerability are published, and it seems a serious one indeed. CISA describes Chinese cyberespionage practices--they’re not exotic, but they’re effective. What’s the difference between highly targeted market research and intelligence collection against individuals? Better commercials? Ben Yelin explains a 9th circuit court opinion with 4th amendment implications. Our guest is Exabeam’s Richard Cassidy on why when it comes to insider risk, context is everything. And there’s been a data breach at the VA. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/179
Sep 15, 2020
Turning good words into bad. Crooks push those exploits through aging software while they still can. A big OSINT DB out of Shenzehn. TikTok’s fate grows narrower but murkier. Wildfire misinformation.
1522
Social engineers use text from legitimate recent warnings. Cybercrooks go for whatever they can get from software about to reach the end of its life. A big database filled with individual information is leaked from a Chinese government contractor. In the race to do whatever it is US companies hope to do with TikTok, Microsoft is apparently out, but Oracle is apparently in. Rick Howard looks at red versus blue. Our gust is Colby Prior, Infrastructure Engineer for AusCERT, on running honeypots. And the FBI wants you to know, contrary what you may have seen online, that Oregon wildfires are not extremist arson. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/178
Sep 14, 2020
Ode to Wealthy Elite. [Shadowspeak]
167
A reading of “Ode to Wealthy Elite”, written circa August 16, 2016. From “The collected works of the Shadow Brokers, volume I,” read by D.W. Bittner, compiled and edited by the CyberWire. The Shadow Brokers represent themselves as hackers who sell stolen exploits, hacking tools, and other scandalous material online to the detriment of Wealthy Elite, whose hidden hands the ShadowBrokers wish to convince you secretly move the world's events. Their online auctions have been notorious fizzles, finding few takers, but they continue to reappear with their offers from time to time. The smart money bets that the Brokers are a Russian intelligence service operation. They communicate in Hollywood scriptwriter broken English as opposed to any known natural language.
Sep 14, 2020
Brandon Robinson: Built from the ground up. [Career Notes]
390
Cybersecurity Sales Engineer Brandon Robinson shares how he built his career in technology and the barriers he experienced along the way. He talks about how his job involves him interacting with customers at the highest levels making sure their solution is meeting needs. In addition, Brandon describes how as a black man and a trailblazer, he's been met with resistance. His positive spin on moving ahead involves relying on himself. Brandon's advice: find your passion, don't be intimidated and you will be met with success. Our thanks to Brandon for sharing his story with us. 
Sep 13, 2020
Leveraging legitimate tools. [Research Saturday]
1943
Researchers at Symantec spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec.  The research can be found here:  Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Sep 12, 2020
Elemental election meddling spooks US campaigns. CISA’s email advice. Remote workers behaving badly. Momentum Cyber’s state of the Sector. The SINET 16. And remember 9/11.
1672
Kittens and Pandas and Bears, oh my. Ransomware gets its skates on, but it still has loose idiomatic control. CISA has some advice on email. While at home on pandemic lockdown, a lot of people (not you) are spending too much time on unedifying sites. Momentum Cyber looks at the state of the cybersecurity sector in 2020. The SINET 16 have been announced. Chris Novak from Verizon on understanding the complexities of PFI breach investigations. Our guest is Steve Vintz from Tenable on why CFOs should lean into cybersecurity issues. And, finally, take a moment today to remember 9/11. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/177
Sep 11, 2020
Ransomware hits Equinix. Tools for vandalism for sale. Stealing VoIP call data records. ByteDance negotiates for TikTok. EU clamps down on Facebook data handling. A high-profile Twitter hijacking.
1377
Ransomware hits a major data center provider, but appears to have left service unaffected. There’s a thriving criminal market for website defacement tools: vandals can be consumers, too. CDRThief does what its name implies. ByteDance tried negotiating TikTok’s American future. Ireland’s Data Protection Commission starts enforcing Schrems II against Facebook. Awais Rashid outlines software development security pitfalls. Our guest is John Morello from Palo Alto with insights from their new State of Cloud Native Security report. And China’s ambassador to the UK has his Twitter account hacked. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/176
Sep 10, 2020
Ransomware slows down many students’ return to school, even virtually. Hacking gamers. Patch Tuesday. Notes on election security from CISA.
1387
Back to school time for everyone...or it would be, if it weren’t for all that ransomware. The sad criminal underworld stealing from online gamers. Notes on Patch Tuesday. Joe Carrigan considers digital comfort zones. Our guest is Sandra Wheatley from Fortinet with key findings from their new report on the cybersecurity skills shortage. And some thoughts on election security and disinformation from the US Cybersecurity and Infrastructure Security Agency. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/175
Sep 09, 2020
Ransomware or wiper? Emotet’s resurgence. Updates on Services NSW breach. COVID-19 cyberespionage. BTS replaces Guy Fawkes?
1576
Thanos is back, but as ransomware or a wiper? Cyber agencies in France, Japan, and New Zealand warn of a spike in Emotet infections. Australian authorities say 186,00 were affected by the breach at Services NSW. Georgia decries cyberespionage at its Lugar Lab. COVID-19 cyberespionage efforts have been intense, as have counterintelligence efforts designed to defend labs and supply chains. Rick Howard looks at identity management. Ben Yelin covers tightened surveillance of political advisors. And Anonymous may have a successor: K-pop stans. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/174
Sep 08, 2020
Exploring the cultural values of personal privacy. [Caveat]
2933
Dave shares a story about our own state of Maryland trying to crack down on ransomware, Ben shares a New York Times story about facial recognition software, and later in the show our conversation with Stuart Thompson from the New York Times on the article, Twelve Million Phones, One Dataset, Zero Privacy. Links to stories: How ransomware bill would tighten focus on the threat in Maryland The Secretive Company That Might End Privacy As We Know It Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com or simply leave us a message at (410) 618-3720. Hope to hear from you.
Sep 07, 2020
Elizabeth Wharton: Strong shoulders for someone else to stand on. [Career Notes]
403
Technology attorney and startup chief of staff Elizabeth Wharton shares her experiences and how she came to work with companies in technology. Elizabeth talks about how she always liked solving problems and Nancy Drew mysteries, but not litigation. These morphed finding into her home in the policy legal world and some time later, technology law. Elizabeth describes how she loves planning and strategy in her work and encourages others to ask questions and absorb all of the information. Our thanks to Elizabeth for sharing her story with us. 
Sep 06, 2020
Going after the most valuable data. [Research Saturday]
1596
A look at the realities of ransomware from Sophos, including an industry-first detailed look at new detection evasion techniques in WastedLocker ransomware attacks that leverage the Windows Cache Manager and memory-mapped I/O to encrypt files. A complementary article examines the evasion-centric arms race of ransomware, providing a months-long review of how cybercriminals have been escalating and markedly changing evasion techniques, tactics and procedures (TTPs) since Snatch ransomware in December 2019.  The research also breaks down the five early warning signs organizations are about to be attacked by ransomware and why ransomware attacks continue to occur. Joining us on this week's Research Saturday to walk us through the research and share their findings is Sophos' Principal Research Scientist Chet Wisniewski and EVP & Chief Product Officer Dan Schiappa. The media alert and research articles can be found here:  Media Alert: Sophos Reports on the Realities of Ransomware WastedLocker’s techniques point to a familiar heritage Ransomware’s evasion-centric arms race 5 signs you’re about to be hit by ransomware The realities of ransomware: extortion goes social Ransomware: why it’s not just a passing fad
Sep 05, 2020
Ransom DDoS is now a widespread problem. Phishing campaign stages malicious payloads in legitimate file-sharing services. Back to school? Back with a new cyber risk.
1673
Ransom DDoS: it’s been around for awhile, but now it’s become a much bigger thing. Phishing campaigns are putting malicious payloads into legitimate file-sharing services. Malek Ben Salem from Accenture on proactive "alpha innovator" organizations. Our guest is Joseph Marks from The Washington Post on his recent coverage of election security. And it’s time to go back to school, at least virtually, with all the attendant cyber risk. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/173
Sep 04, 2020
Cyberattacks in Norway under investigation. Developments in the criminal marketplace. Scammers do TikTok. Disrupting school, from Florida to Northumberland.
1393
Updates on cyberattacks against Norway’s parliament and the Hedmark region. A popular TikTok page is infested with scammers. Magecart’s Inter scanner gains criminal market share. Thomas Etheridge from CrowdStrike on the many potential benefits of outsourced threat hunting. Our guest is Lauren Bean Buitta from Girl Security on closing the gender gap in national security. Heading back to school in Miami? Not so fast, kids. And in Northumberland? Same goes there. (That’s Northumberland, England, by the way, not Northumberland, Pennsylvania.) For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/172
Sep 03, 2020
Facebook’s latest takedowns reach Pakistan, Russia, and the US. Election meddling. Chinese espionage looks inward, again. New alt-coin stealer. NZX DDoS update. That Twitter hack.
1393
Facebook’s August takedowns included coordinated inauthenticity from Pakistan, Russia (that’s St. Petersburg, with a waystation in DC), and a US strategic communication firm. CISA and the FBI say nope, the Russians weren’t in voter databases. A Chinese APT turns its attention from Europe back to Tibet. A new cryptocurrency stealer is active in Central Europe. New Zealand DDoS attacks may be an extortion attempt. Joe Carrigan has the story of a reporter's stolen Facebook account. Our guest is Ophir Harpaz from Guardicore Labs with their Botnet Encyclopedia. And there may be another teenage mastermind behind last month’s Twitter hack. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/171
Sep 02, 2020
The difference between a breach and, well, a public record. Pioneer Kitten’s lucrative bycatch. Malware gets past Gatekeeper. A gamer’s bandit economy. And happy birthday, Cyber Branch.
1376
An election hack that wasn’t. More DDoS in New Zealand’s stock exchange. A look at how Iranian cyber contractors make money as a byproduct of cyberespionage. Malware sneeks past Apple’s notarization process. The bandit economy that’s grown up around Fortnite. Ben Yelin looks at how the upcoming US elections could direct the nation’s cybersecurity strategies. Our guest is Julian Waits from Devo with highlights from their 2nd annual SOC performance report. And the US Army’s youngest branch celebrates a birthday. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/170
Sep 01, 2020
DDoS continues to trouble New Zealand’s stock exchange. A glitch, not an attack. New Chinese export controls. Oversharing agencies? Who’s the bank robber? A botnet serving ad fraud.
1509
New Zealand’s stock exchange continues to fight through offshore DDoS attacks. Sunday’s Internet outage was a glitch, not an attack. China enacts new technology export controls that may impede the sale of TikTok. Danish authorities investigate allegations of data sharing with NSA. North Korea says it doesn’t rob banks, but Americans do. Caleb Barlow looks at security validation and how it can help manage vendors and SOCs. Rick Howard has the CSO Perspective on Identity Management. And a look at Terracotta, a botnet serving up ad fraud. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/169
Aug 31, 2020
Jack Rhysider: Get your experience points in everything. [Career Notes]
444
Host of Darknet Diaries podcast Jack Rhysider shares his experiences from studying computer engineering at university to his strategy of using gamification on his career that led to him landing in the security space. Jack talks about how his wide experiences came together in security and what prompted him to learn podcasting. Jack endeavors to share the whole story through his podcasts while making them entertaining, enlightening and inspirational. Our thanks to Jack for sharing his story with us. 
Aug 30, 2020
They fooled a lot of people. [Research Saturday]
927
Docker containers have been gaining popularity over the past few years as an effective way of packaging software applications. Docker Hub provides a strong community-based model for users and companies to share their software applications. This is also attracting the attention of malicious actors intending to make money by cryptojacking within Docker containers and using Docker Hub to distribute these images. Palo Alto Networks' Unit 42 researchers identified a malicious Docker Hub account, azurenql, active since October 2019 that was hosting six malicious images intended to mine the cryptocurrency, Monero. The images hosted on this account have been collectively pulled more than two million times. Additionally, when last checked minexmr.com for this wallet ID, Palo Alto's team saw recent activity indicating that it’s still being used. Joining us on this week's Research Saturday is Jen Miller-Osborn from Palo Alto Networks' Unit 42 group to share the research and findings. The research and blog post can be found here:  Attackers Cryptojacking Docker Images to Mine for Monero
Aug 29, 2020
Stock exchange DDoS continues. Another criminal market exits. Pyongyang cybercrooks face criminal forfeiture. Instagram hijacking. Old malware returns. Treason’s motives. An attempt to hack Tesla.
1564
Denial-of-service attacks continue to cripple New Zealand’s NZX stock exchange. The Empire criminal market has exited, and done so with its users funds. US authorities have filed for civil forfeiture of Hidden Cobra’s stolen crytpo assets. An Instagram hijacking campaign is under way. Qbot and Emotet are back, and together again. The former Green Beret who allegedly spied for the GRU offers an insight into his (alleged) motives. We welcome our newest partner to the show, Betsy Carmelite from BAH. Our guest is Mark Calandra from CSC on their 2020 domain security report that revealed shortfalls among the Forbes Global 2000. And the unnamed company cited in the arrest of a Russian national this week has now been named: it’s Tesla.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/168
Aug 28, 2020
Cybercrime pays, criminal tools are commodities, and some cyber gangs get sophisticated. The skid market for booters. Pyongyang unleashes the BeagleBoyz.
1398
Several Magecart campaigns turn out to be the work of one gang. The unfortunate persistence of DDoS-for-hire services. Ransomware’s growing sophistication as a class of criminal enterprise. Andrea Little Limbago from Interos on supply chain attacks & risks. Our guest is Mark Testoni from SAP's NS2 on how Covid-19 reshaped classified work. And hey kids: the BeagleBoyz are on a crime spree. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/167
Aug 27, 2020
New Zealand stock exchange sustains DDoS attacks. Flash alert on GoldenSpy. Cyber mercenaries and industrial espionage. Lèse-majesté online. Offering $1 million to a potential co-conspirator?
1377
New Zealand’s stock exchange has sustained two distributed denial-of-service attacks this week. CISA and FBI issue an alert about GoldenSpy. Two cyber mercenary groups are engaged in industrial espionage for hire. Thailand decides to crack down on sites that host content the government deems illegal. Joe Carrigan looks at new types of crimes made possible by AI. Our guest is Shane Harris from The Washington Post on an Elite CIA unit which failed to secure its own systems. And a Russian national faces US charges of conspiracy to damage a computer. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/166
Aug 26, 2020
The pandemic and trends in cybersecurity. The secret to the handset’s low, low price? Fleeceware and adware. TikTok’s lawsuit. Influence ops. Bogus Bitcoin exchange.
1382
Security trends during the pandemic include shifts in underworld markets and some enduring changes in the way organizations approach cybersecurity. Discount phones come preloaded with adware and fleeceware. TikTok files its lawsuit. Ben Yelin on the Massachusetts Attorney General creating a data privacy office. Our guest is Nitzan Miron from Barracuda Networks on how brick & mortar shops have accelerated their shift online. And spoofing a Bitcoin exchange to spread malware.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/165
Aug 25, 2020
Crooks and spies, together again? Hiding ad-fraud malware in an SDK. A turn to the DarkSide.
1379
Iranian wannabes successfully use Dharma ransomware against soft targets. SourMint hid an ad-fraud and info-stealing package in an SDK. A former US Army officer and sometime Government contractor is charged with working for the GRU. DarkSide ransomware rises as affiliates go into business on their own. Awais Rashid from the University of Bristol on aligning cyber security metrics with business goals. Rick Howard talks data loss prevention with members of the Hash Table. And copycat DDoS extortionists pretend to be, who else? Fancy Bear. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/164
Aug 24, 2020
Kiersten Todt: Problem solving and building solutions. [Career Notes]
416
Managing director of the Cyber Readiness Institute Kiersten Todt shares how she came to be in the cybersecurity industry helping to provide free tools and resources for small businesses through a nonprofit. She describes how her work on the Hill prior to and just after 9/11 changed. Kiersten talks about the diversity of skills that benefit work in cybersecurity and offers her advice on going after what you want to do. Our thanks to Kiersten for sharing her story with us. 
Aug 23, 2020
Using global events as lures. [Research Saturday]
1372
The goal of malicious activity is to compromise the system to install some unauthorized software. Increasingly that goal is tied to one thing: the user. Over the past several years, we as an industry improved exploit mitigation and the value of working exploits has increased accordingly. Together, these changes have had an impact on the threat landscape. We still see large amounts of active exploitation, but enterprises are getting better at defending against them. This has left adversaries with a couple of options, develop or buy a working exploit that will defeat today's protections, which can be costly, or pivot to enticing a user to help you. In today's threat landscape, adversaries are always trying to develop and implement the most effective lures to try and draw users into their infection path. They've tried a multitude of different tactics in this space, but one always stands out — current events. Joining us on this week's Research Saturday from Craig Williams from Cisco's Talos Outreach team to walk us through how current events are used as lures. The research and blog post can be found here:  Adversarial use of current events as lures The CyberWire's Research Saturday is presented by Juniper Networks. Thanks to our sponsor Enveil, closing the last gap in data security.
Aug 22, 2020
Transparent Tribe upgrades Crimson RAT. More countries interested in influencing US elections. University pays ransom.
1517
Transparent Tribe upgrades Crimson RAT. Cuba, North Korea, and Saudi Arabia are also interested in influencing the upcoming US election. The University of Utah restored from backups after a ransomware attack, but paid the ransom to prevent the crooks from publishing stolen data. Uber’s former CSO has been charged with allegedly covering up a hack the company sustained in 2016. Justin Harvey from Accenture on how the pandemic has affected Incident Response. Gerald Beuchelt from LogMeIn on how secure remote access may or may not be. And a popular fertility app was found to be sharing data with advertisers without users’ permission. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/163
Aug 21, 2020
Gamaredon Group is phishing ahead of Ukraine’s independence day. North Korea blamed for BLINDINGCAN RAT. Google patches Gmail flaw.
1386
Ukraine warns that Russia’s Gamaredon Group is running a phishing campaign ahead of Ukraine’s independence day. CISA and the FBI publish details on a North Korean remote access Trojan. Google patches a serious Gmail flaw. Marriott faces another lawsuit over its 2018 data breach. The WannaRen ransomware operators have released a decryption key. Rob Lee from Dragos with lessons learned from recent virtual conferences. Our guest is Rachel Tobac from SocialProof with her insights on social engineering and the Twitter hack.  For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/162
Aug 20, 2020
Phone spearphishing is catching on after the Twitter hack. Taiwan blames China for hacking government agencies. FritzFrog botnet is cryptomining, for now.
1408
Phone spearphishing is catching on after the Twitter hack. Taiwan blames China for hacking government agencies. FritzFrog botnet is cryptomining, for now. Whoever’s behind GoldenSpy is trying to cover their tracks. WastedLocker ransomware is successful without stealing data. The US Senate Select Committee on Intelligence releases its final report on Russian interference with the 2016 election. Joe Carrigan looks at shady SIM cards. Our guest is Nathan Jones from WhiteCanyon Software on secure data destruction. And an AI company exposes millions of medical records. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/161
Aug 19, 2020
Patriotic hacktivism? Cryptomining worm steals AWS credentials. Carnival discloses data incident.
1355
Suspected patriotic hacktivists are defacing websites. A cryptomining worm is stealing AWS credentials. Cruise company Carnival suffered a ransomware attack that involved data theft. US measures against Huawei are expected to make things much more difficult for the Chinese company. Ben Yelin on new tools tracking cyber data on US borders. Our guest is Jesse Rothstein from ExtraHop on what happens to enterprise security when the network goes dark. And a look at the organizational structure of North Korea’s hacking units. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/160
Aug 18, 2020
North Korea harasses defectors. Researchers exploited Emotet bug for six months. RedCurl APT conducts corporate espionage.
1595
North Korea harasses defectors. Researchers have been exploiting a bug in Emotet to inoculate systems against the malware for the past six months. CISA warns of KONNI spearphishing. RedCurl APT conducts corporate espionage. The US announces more restrictions on Huawei’s access to US-made chips. Chris Novak from Verizon on the evolving role of cyber insurance. Rick Howard on data loss prevention. And Australian schools are without email after an unpleasant experience with Reply-All. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/159
Aug 17, 2020
Trying for a win, win, win game. [Career Notes]
326
Founder and CEO Stu Sjouwerman takes us on a journey of how his career developed from starting a software service company to currently focusing on the infosec side of the business where his team essentially helps to create human firewalls. Stu talks about learning all aspects of the business while creating startups and suggests you learn to speak the language of the area you are looking to get into. He even touches on predicting the future and taking over the world. Our thanks to Stu for sharing his story with us. 
Aug 16, 2020
The ABCs of cybersecurity for the education sector. [CyberWire-X]
1697
Teachers, students, admin, parents: The education sector has possibly the most diverse user base, each requiring its own user privileges, access requirements, and behavioral trends. Yet besides this, there are a number of unique challenges to securing an educational environment, including ensuring broad attack surface protection, minimal false positives, and maintaining a cost-effective security posture. Join us in as we chat with Kevin Ford, Chief Information Security Officer for the state of North Dakota, about these challenges for securing statewide educational institutions and their networks. Later, we will be joined by Steve Salinas, Head of Product Marketing at Deep Instinct and Matthew Fredrickson, Director of IT at Council Rock School District, in what should be a steep learning curve on protecting educational environments.
Aug 16, 2020
Waiting for their victims. [Research Saturday]
1477
Bitdefender researchers have recently found the APT group StrongPity has been targeting victims in Turkey and Syria. Using watering hole tactics to selectively infect victims and deploying a three-tier C&C infrastructure to thwart forensic investigations, the APT group leveraged Trojanized popular tools, such as archivers, file recovery applications, remote connections applications, utilities, and even security software, to cover a wide range of options that targeted victims might be seeking. Joining us on this week's Research Saturday to discuss the research is Bitdefender's Liviu Arsene.  You can find the research here: StrongPity APT – Revealing Trojanized Tools, Working Hours and Infrastructure
Aug 15, 2020
Bad Woodcutter is still bad, but not invincible. CactusPete is in Eastern European networks. Exploiting COVID-19. Celebrity endorsements (not).
1520
An update on Fancy Bear and its Drovorub rootkit. Karma Panda, a.k.a. CactusPete, is scouting Eastern European financial and military targets with the latest version of a venerable backdoor. How criminals and terrorists exploit COVID-19, and how law enforcement tracks them down. Caleb Barlow from Cynergistek covers security assessments and HIPAA data. Our guest is Ryan Olson from Palo Alto Networks on the 10th Anniversary of Stuxnet. And those celebrity endorsed investment scams aren’t actually endorsed by celebrities, and they’re not actually good investments. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/158
Aug 14, 2020
This Woodcutter’s no Railsplitter. Operation Dream Job. COVID-19 phishing.
1342
NSA and FBI release a detailed report on a GRU toolset. North Korea’s Operation Dream Job phishes in Israeli waters. CISA warns of COVID-19 loan relief scams. Malek Ben Salem from Accenture with highlights from their 2020 Security Vision report. Our guest is Mike Hamilton from CI Security, who clears the air on election security and the shift to absentee status. And crooks are using infection and job loss as retail phishbait. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/157
Aug 13, 2020
Domestic cyber squabbling in Belarus and Iran. Pakistan accuses India of a cyber offensive. More on Papua’s data center. More privacy questions for TikTok. Parental control or stalker’s tool?
1355
Regional rivals tussle in cyberspace, and governments have it out with dissidents and the opposition. Market penetration as an instrument of state power. TikTok gets more unwelcome scrutiny over its privacy practices. Joe Carrigan on a credential harvesting phishing scheme using Zoom as bait. Our guest is Avi Shua from Orca Security on accidental vulnerabilities. And suppressing creepware is apparently harder than it looks. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/156
Aug 12, 2020
Internet blackout in Belarus. Papua New Guinea’s insecure National Data Centre. Chrome and CSP rule bypass. Zoom gets sued in DC. Patch Tuesday. Go Spartans.
1472
Belarus shuts down its Internet after its incumbent president’s surprising, perhaps implausible, no...really implausible landslide reelection. Papua New Guinea undergoes buyer’s remorse over that Huawei-built National Data Centre it sprung for a couple of years ago. Versions of Chrome found susceptible to CSP rule bypass. Zoom is taken to court over encryption. Patch Tuesday notes. Ben Yelin looks at mobile surveillance in a Baltimore criminal case. Carole Theriault returns to speak with our guest, Alex Guirakhoo from Digital Shadows with a look at dark web travel agencies. And card-skimmers hit a university’s online store. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/155
Aug 11, 2020
NMAP (noun) [Word Notes]
203
A network mapping tool that pings IP addresses looking for a response and can discover host names, open communications ports, operating system names and versions. Written and maintained by Gordon Lyon, a.k.a. Fyodor, it is a free and open source software application used by both system admins and hackers alike and has been a staple in the security community for well over two decades.
Aug 11, 2020
What are the adversaries’ goals in election interference? A case study in the ransomware-as-a-service market. Untangling TikTok, as the clock ticks toward September 15th.
1547
The US Office of the Director of National Intelligence has released an appreciation of the goals of election interference among three principal US adversaries, Russia, China and Iran. Anomali offers a look at the ransomware-as-a-service market with its research on Smaug. The CyberWire’s Rick Howard continues his exploration of incident response. Andrea Little Limbago from Interos on cyber regionalism. And the tangles that need to be untangled in the TikTok affair, with a deadline looming less than a month from now. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/154
Aug 10, 2020
The Green Goldfish and cyber threat intelligence. [Career Notes]
430
Cyber threat intelligence analyst Selena Larson takes us on her career journey from being a journalist to making the switch to industrial security. As a child who wrote a book about a green goldfish who dealt with bullying, Selena always liked investigating and researching things. Specializing in cybersecurity journalism led to the realization of how closely aligned or similar skills are required from an investigative journalist and a cyber threat intelligence analyst. Our thanks to Selena for sharing her story with us. 
Aug 09, 2020
Like anything these days, you have to disinfect it first. [Research Saturday]
1645
“Cyberbunker” refers to a criminal group that operated a “bulletproof” hosting facility out of an actual military bunker. “Bullet Proof” hosting usually refers to hosting locations in countries with little or corrupt law enforcement, making shutting down criminal activity difficult. Cyberbunker, which is also known as “ZYZtm” and “Calibour”, was a bit different in that it actually operated out of a bulletproof bunker. In September of last year, German police raided this actual Cyberbunker and arrested several suspects. While most of the group's assets were seized during the initial raid, the IP address space remained and was later sold to Legaco Networks. Before being shut down, Legaco Networks temporarily redirected the traffic to the SANS Internet Storm Center honeypots for examination. Joining us on this week's Research Saturday from SANS Technology Institute is graduate student Karim Lalji and Dean of Research Johannes Ullrich to discuss their experiences.  The research and blog post can be found here:  Real-Time Honeypot Forensic Investigation on a German Organized Crime Network Cyberbunker 2.0: Analysis of the Remnants of a Bullet Proof Hosting Provider
Aug 08, 2020
US Executive Orders against TikTok, WeChat. Chimera takes chip IP. Intel data leaked. Texting Rewards for Justice. Coordinated inauthenticity. Magecart’s homoglyph attacks.
1486
President Trump issues Executive Orders restricting TikTok and WeChat in the US. A Chinese APT has been active in industrial espionage against Taiwan’s semiconductor industry. Intel sustains a leak of sensitive company intellectual property. Rewards for Justice communicated to Russian and Iranian individuals by text message. Coordinated inauthenticity from Romanian actors, probably criminals. Magecart moves to homoglyph attacks. Craig Williams from Cisco Talos on ransomware campaigns making use of Maze and Snake malware. Our guest is Monica Ruiz from the Hewlett Foundation Cyber Initiative on the potential for a volunteer cyber workforce. And, sorry Fort Meade--there are limits to telework. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/153
Aug 07, 2020
US Clean Network program outlines measures against Chinese operations. $10 million reward offered for info on election interference. Australia’s cyber strategy is out. Grand larceny and petty lulz.
1480
The US announces five new lines of effort for the Clean Network program, and none of them are exactly mash notes for Beijing. The US is also offering rewards of up to ten million dollars for information about foreign computer crimes aimed at interfering with US elections. Australia’s new cybersecurity strategy is out. Maze may have hit Canon. Rob Lee from Dragos addresses speculation of an ICS supply chain back door. Our guest is Theresa Lanowitz from AT&T Cybersecurity on 5G security threats to businesses. And a bail hearing is disrupted by Zoom-bombing. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/152
Aug 06, 2020
Privacy, Fort Meade style. Interpol looks at cybercrime. Oilrig gets DNSExfiltrator. Please move on from Windows 7. Updates on the Twitter hack.
1336
NSA, yes, NSA, has some privacy advice. Interpol offers its take on where cybercrime is going during the time of the pandemic. Iran’s Oilrig is getting clever with its data exfiltration. The FBI would like to know when you’re finally going to move on from Windows 7--like, c’mon people. Joe Carrigan looks at pesky ads from the Google Play store. Our guest is Bobby McLernon from Axonius on how federal cybersecurity is particularly vulnerable during the shutdown. And a not-guilty plea from one of the three alleged Twitter hackers, along with some notes on how whoever dunnit dunnit. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/151
Aug 05, 2020
US attributes Taidoor RAT to China’s government. Pegasus spyware in Togo. The TikTok affair. More fallout from the Blackbaud ransomware incident.
1327
The US attributes the Taidoor remote access Trojan to the Chinese government. Sources tell Reuters that documents used in an attempt to influence the last British general election were taken from the compromised email account of the trade minister. Pegasus spyware is found deployed against churchmen and political opposition figures in Togo. China denounces the American smash-and-grab of TikTok. Ben Yelin looks at international law and attribution. Our guest is Ameesh Divatia from Baffle on misconfigured databases being attacked within just hours after coming online. And the Blackbaud ransomware attack continues to affect new victims. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/150
Aug 04, 2020
Microsoft considers acquiring TikTok. The US considers other Chinese companies as potential security threats. Charges in the Twiter hack. DDoS turns out to be a glitch. Garmin hack update.
1414
Microsoft is in talks to acquire TikTok as the US hints that it may be considering action against other Chinese software companies. Three young men have been charged in the Twitter hack. An apparent distributed denial-of-service attack turns out to have been a glitch. We welcome Verizon’s Chris Novak to the show. Rick Howard talks incident response. And updates on the Garmin hack suggest shifts in the ransomware threat. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/149
Aug 03, 2020
Rely on your strengths in the areas of the unknown. [Career Notes]
417
Director of Security Engineering at Marqeta and Host of Hacker Valley Studio podcast Chris Cochran describes his transitions throughout the cybersecurity industry, from an intelligence job with the Marine Corps, to starting the intelligence apparatus for the House of Representatives, then on to leading Netflix's threat intelligence capability. Chris points out that when pivoting to different roles and responsibilities, you must rely on your own strengths to move forward and bring value to your work Our thanks to Chris for sharing his story with us.
Aug 02, 2020
Detecting Twitter bots in real time. [Research Saturday]
1495
NortonLifeLock Research Group (NRG) released a prototype browser extension called BotSight that leverages machine learning to detect Twitter bots in real-time. The tool is intended to help users understand the prevalence of bots and disinformation campaigns within their Twitter feeds, particularly with the increase in disinformation of COVID-19. Joining us on this week's Research Saturday to discuss this tool is Daniel Kats from NortonLifeLock Research Group. You can find the research here: Introducing BotSight
Aug 01, 2020
Social engineering at Twitter. Phishing kits and hackers for hire. Cyberespionage. The EU sanctions actors for Cloudhopper, WannaCry, and NotPetya. And security advice from NSA and NIST.
1565
An update on social engineering at Twitter. A quick look at the phishing kit criminal market. The European Union sanctions individuals and organizations in Russia, China, and North Korea for involvement in notorious hacking campaigns. North Korea’s North Star campaign is back and dangling bogus job offers in front of its marks. Deceptikons snoop into European law firms. Zully Ramzan from RSA on Digital Contact Tracing. Our guest is Tom Kellermann from Vmware Carbon Black on top financial CISOs analyzing the 2020 attack landscape. And both NSA and NIST have some advice on shoring up your security. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/148
Jul 31, 2020
A quick look at Big Tech’s antitrust testimony. BootHole may be tough to patch. Fake COVID contact tracers. Netwalker warning. And Chinese espionage against the Vatican and the United Kingdom.
1306
Yesterday’s antitrust hearings in the US House of Representatives focus on Big Tech’s big data as something open to use in restraint of trade. And there are questions about community standards as well. The BootHole vulnerability may not represent an emergency, but it will be tough to fix. Android malware masquerades as COVID-19 contact-tracers. The FBI warns against Netwalker ransomware. China says it didn’t hack the Vatican. Justin Harvey from Accenture demystifies red teaming. Our guest is Christopher Ahlberg from Recorded Future on trends in threat intelligence. And somebody’s spoofing a British MP: he’s looking at you, Peoples Liberation Army. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/147
Jul 30, 2020
Alleged Russian disinformation campaigns. Beijing’s cyberespionage hits the Vatican. Costly PII losses. VPNs and OT security. Big Tech’s day with Congress. Online bar exams. Snooping for the Saudis.
1366
Alleged Russian influence operations described by US intelligence services. “Ghostwriter” targets the Baltic region with anti-NATO false narratives. Chinese intelligence is said to have compromised Vatican networks. Loss of customer PII seems the costliest kind of data breach. VPN bugs represent a risk to OT networks. Big Tech comes to Capitol Hill, virtually. Michigan’s online bar exam knocked offline, briefly, by a cyber attack. Joe Carrigan on password stealers targeting gaming. Our guests are Troy Smith and Mike Koontz from Raytheon on defending communications operations across cloud platforms. And a superseding indictment for two ex-Twitterati charged with snooping for Saudi Arabia. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/146
Jul 29, 2020
Data breaches and responsibility. Where do you get a decryptor for WastedLocker? Third-party risk. Misconfigured databases. Follow-up on the Twitter hack.
1372
Cloudflare says that reported Ukrainian breaches aren’t its issue. Trend Micro describes a new and unusually capable strain of malware. Garmin is reported to have obtained a decryptor for WastedLocker ransomware. Third-party risk continues in the news, as do misconfigured databases that expose personal information. Huawei’s CFO alleges misconduct by Canadian police and intelligence agencies. Ben Yelin examines the EFF's online Atlas of Surveillance. Dave DeWalt with SafeGuard Cyber on the evolving threat landscape as folks return to the workplace. And the Twitter incident seems to have been a problem waiting to appear. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/145
Jul 28, 2020
Vigilante action against Emotet. Third-party risks and data breaches. Cerberus is for sale. And WastedLocker ransomware and the fortunes of crime.
1345
A vigilante appears to be interfering with Emotet’s payloads. A fintech breach is blamed on a third-party service provider. A list of Cloudflare users is dumped online. There’s a going-out-of-business sale over at the Cerberus cybergang. Malek ben Salem from Accenture Labs on DeepFake detection. Our own Rick Howard gathers the Hash Table to sort some SOCs. And Garmin, restoring its services after last week’s attack, may have been the victim of Evil Corp’s WastedLocker ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/144
Jul 27, 2020
No matter the statistic, even if against the odds, focus on what you want. [Career Notes]
389
Privacy and data security lawyer, Dominique Shelton Leipzig shares that she has always wanted to be a lawyer, ever since she was a little girl. She talks about what her role is with clients in protecting and managing their data, sometimes adhering to up to 134 different data protection laws for global companies. Learn that not a lot has changed for an African-American woman partner at an Amlaw 100 firm as far as diversity during Dominique's career, and how Dominique suggests young lawyers should address those odds. Our thanks to Dominque for sharing her story with us. 
Jul 26, 2020
It was only a matter of time. [Research Saturday]
973
On April 29, 2020, the Salt management framework, authored by the IT automation company SaltStack, received a patch concerning two CVEs; CVE-2020-11651, an authentication bypass vulnerability, and CVE-2020-11652, a directory-traversal vulnerability. On April 30, 2020, researchers at F-Secure disclosed their vulnerability findings to the public, with an urgent warning for Salt users - patch now. Before the weekend was out, criminals were deploying malware and targeting vulnerable Salt installations, successfully affecting operations at Ghost, DigiCert, and LineageOS. The malware is a cryptominer, but there is an additional component, a Remote Access Tool written in Go called nspps. Researchers at Akamai have also observed in-the-wild attacks on Salt vulnerabilities.  Joining us on this week's Research Saturday is Larry Cashdollar, Senior Security Response Engineer at Akamai, to discuss this issue.  The research can be found here:  SaltStack Vulnerabilities Actively Exploited in the Wild
Jul 25, 2020
A warning for US critical infrastructure operators. Blackbaud extortion and data breach update. Who’s got the keys to Twitter? Sino-American cyber tensions.
1538
CISA and NSA warn of a foreign threat to US critical infrastructure. A look at what the Bears have been up to lately. The Blackbaud extortion incident shows its ripple effects. An awful lot of Twitter employees had access to powerful admin tools. China orders a US consulate closed in a tit-for-tat response to the closure of China’s consulate in Houston. Andrea Little Limbago on cyber in a re-globalized world system. Our guest is Dominique Shelton Leipzig from Perkins Coie LLP on the CA Consumer Privacy Act. And DJI drones may be a bit nosey. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/143
Jul 24, 2020
Twitter: hackers got a few accounts’ DMs. French policy toward Huawei hardens. Crooks against British sport. You and your boss should talk more.
1369
Twitter updates the news of last week’s incident: the attackers seem to have accessed some direct messages. France’s partial permission for Huawei to operate in that country now looks like a ban with a 2028 deadline. A quiet cryptominer. The cyber threat to British sport. Awais Rashid from the University of Bristol on cyber security and remote working. John Ford from IronNet Cybersecurity with updated 2020 predictions and cyber priorities. And bosses and employees see things differently, cyberwise. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/142
Jul 23, 2020
Meowing exposed databases. US indicts two Chinese nationals for hacking, and orders China to close its Houston consulate.
1343
“Meowing” is now a thing: the automated discovery and wiping of exposed and unprotected databases. The US indicts two Chinese nationals on eleven counts of hacking and reports evidence that Chinese intelligence services are now using cybercriminals as contractors. Mike Schaub from CloudCheckr on why COVID-19 has ignited modernization projects for government agencies. Joe Carrigan on counterfeit Cisco routers. The US State Department tells China to close its consulate in Houston. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/141
Jul 22, 2020
Parliament gets its report on Russian hacking. A look at the cyber criminal economy. Russia says it has no hackers.
1382
The Intelligence and Security Committee of Parliament has rendered its report on the Russian cyber threat. Trend Micro reports on the workings of the cyber criminal underground economy. Ben Yelin on U.S. Customs and Border Protection collecting license plate data. Our guest is Kevin O'Brien from GreatHorn on the role of business policies in security to keep users safe during high-risk events. And it turns out that Russia has no hackers whatsoever: Moscow’s Finance Minister says so, so you can take that to the bank. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/140
Jul 21, 2020
Following the spoor of the Twitter hackers, a couple of whom seem to be talking to the press. Marketing databases and intelligence collection. TikTok ban? Hacking biomedical research.
1206
Notes on last week’s Twitter hack, and on the allure of original gangster and other celebrity usernames. Using marketing databases for intelligence collection. The US Government mulls a ban on TikTok. Johannes Ullrich from SANS on Google Cloud storage becoming a more popular phishing platform. Our own Rick Howard on security operations centers, and a preview of the latest episode of his CSO Perspectives podcast. And more reaction to alleged Russian and Chinese attempts to hack COVID-19 biomedical research. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/139
Jul 20, 2020
Have to be able to communicate to everybody. [Career Notes]
431
Computer security writer, podcaster and public speaker Graham Cluley describes learning to program on his own from magazines, creating text adventure games for donations, and his journey from programming to presenting and writing with a bit of tap dancing on the side. Along the way, Graham collaborated with others and learned to communicate so that all could understand, not just techies. Our thanks to Graham for sharing his story with us. 
Jul 19, 2020
Every time we get smarter, the bad guy changes something. [Research Saturday]
2005
Researchers at Symantec spotted a Sodinokibi targeted ransomware campaign in which the attackers are also scanning the networks of some victims for credit card or point of sale (PoS) software. It is not clear if the attackers are targeting this software for encryption or because they want to scrape this information as a way to make even more money from this attack. Joining us in this week's Research Saturday to discuss the report is Jon DiMaggio of Symantec.  The research can be found here:  Sodinokibi: Ransomware Attackers also Scanning for PoS Software, Leveraging Cobalt Strike
Jul 18, 2020
High-grade grifter. Twitter’s disinformation potential. Hacking vaccine research and doxing trade talks. What Iran’s hackers are up to. And CISA says, for heaven’s sake, patch already.
1501
The Twitter hack is looking more like high-grade, low-end crime. It also worries people over the disinformation potential it suggests. People care, they really do, that someone hacked COVID-19 biomedical research (we’ll explain). Australia joins the UK, Canada, and the US in blaming Russia for Cozy Bear’s capers. Russia says it didn’t do nothin’. Rob Lee from Dragos with thoughts on the Ripple 20 vulnerabilities on industrial control systems. Our guest is Sal Aurigemma from University of Tulsa on fake ANTIFA twitter accounts. And CISA’s serious about getting the Feds to apply Tuesday’s Windows patch. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/138
Jul 17, 2020
Twitter takes down verified accounts after major hack (most service now restored). Russian influence operations. Cozy Bear’s biomedical intelligence collection. Spearphishing in Hong Kong.
1445
Twitter sustained a major incident in which celebrity accounts were hijacked yesterday. It seems to have been a social engineering caper, but it’s motivation, nominally financial, remains unclear. British authorities call out Russia for an influence campaign mounted during last year’s elections. Cozy Bear is back, and sniffing for COVID-19 biomedical intelligence. Craig Williams from Cisco Talos on Dynamic Data Resolver, a plugin that makes reverse-engineering malware easier. Our guest is Ashlee Benge, formerly from ZeroFox, on emerging and persistent digital attack tactics facing the financial services industry. And Chinese intelligence services are spearphishing Hong Kong Catholics. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/137
Jul 16, 2020
A 2018 Presidential finding authorized the CIA to conduct a broad range of offensive cyber ops. Data breaches and ransomware incidents. Sloppy VPNs. SEC warns, and China woofs.
1346
A 2018 Presidential finding authorized extensive CIA cyber operations against Russia, China, Iran, and North Korea. Wattpad may have been breached. The SEC asks its registrants to take steps to protect themselves against ransomware. Free VPNs’ databases found exposed. Joe Carrigan on privacy vs. security on Android devices. Our guest is Chris Deluzio from Pitt Cyber on election security. And Beijing woofs in the direction of London over the UK’s Huawei ban. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/136
Jul 15, 2020
Huawei to be closed out of UK’s 5G infrastructure. Spyware, ransomware, and botnets. The odd case of Data Viper. SAP has a major patch out.
1375
The British Government decides to ban Huawei. More on the malware associated with Golden Tax software package. The Molerats appear to be behind some spyware misrepresenting itself as a secure chat app. The Porphiex botnet is back distributing a new ransomware strain. The odd case of the Data Viper breach. Ben Yelin tracks a ruling from the DC circuit court on the release of electronic surveillance records. Our guest is Ann Johnson from Microsoft discussing her keynote at RSA APJ, The Rise of Digital Empathy. And SAP has a patch out--if you’re a user, CISA advises you to take this one seriously. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/135
Jul 14, 2020
Presidential authorization for US Cyber Command action. DPRK hacking and internal regime dynamics. TrickBot’s developers. Cybercriminals in the dock.
1364
President Trump says he authorized US Cyber Command’s retaliation against Russia’s Internet Research Agency for midterm election meddling. North Korean financially motivated hacking as a sign of internal power dynamics. TrickBot accidentally deploys a new module. TikTok, privacy, and security. LinkedIn hacker convicted. Justin Harvey from Accenture on what should and shouldn’t go in emails. Our guest is Matt Davey from 1password on the under-celebrated role of IT in the work from home transition. And advice to alleged criminals on the lam: give ‘em a low silhouette. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/134
Jul 13, 2020
Turn challenges into opportunities. [Career Notes]
415
Cybersecurity and disinformation researcher Bilyana Lilly shares her career path from studying where she was always a foreigner to an expert on the Russian perspective. While studying international law in Kosovo, Bilyana realized there are no winners in war. Through her work, she hopes to bring a greater understanding of Russia's strategic thinking. Our thanks to Bilyana for sharing her story with us. 
Jul 12, 2020
Are you running what you think you're running? [Research Saturday]
1044
Built into virtually every hardware device, firmware is lower-level software that is programmed to ensure that hardware functions properly. As software security has been significantly hardened over the past two decades, hackers have responded by moving down the stack to focus on firmware entry points. Firmware offers a target that basic security controls can’t access or scan as easily as software, while allowing them to persist and continue leveraging many of their tried and true attack techniques. Joining us on this week's Research Saturday is Maggie Jauregui, security researcher at Dell, to discuss this issue.  The research can be found here:  Three firmware blind spots impacting security
Jul 11, 2020
The importance of staying up-to-date. Conti ransomware gains as Ryuk fades. Germany warns of Chinese companies’ data collection. Huawei’s fortunes in Canada and UK. Hushpuppi update.
1533
Unpatched and beyond-end-of-life systems are (again) at risk. Conti ransomware appears to be steadily displacing its ancestor Ryuk in criminal markets. Are privacy laws as consumer friendly as they’re often taken to be? There may be some grounds for doubt. German security services warn of the espionage potential of Chinese companies’ data collection. Huawei skepticism grows in Germany, Canada, and the UK. Zully Ramzan from RSA on zero trust. Our guest is Conan Ward from QOMPLX on the unfortunate reality of cyber insurance in light of the 3rd anniversary of NotPetya. And Ray Hushpuppi says the Feds didn’t extradite him; they kidnapped him. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/133
Jul 10, 2020
Coordinated inauthenticity with a domestic bent. Preinstalled malware in discount phones. Evilnum and the Joker continue to evolve. Incidents at FreddieMac and RMC.
1359
Facebook takes down more coordinated inauthenticity. Preinstalled malware is found in discount phones available under the FCC’s Lifeline program. The Evilnum APT continues its attacks against fintech platforms and services. Joker Android malware adapts and overcomes its way back into the Play store. FreddieMac discloses a third-party databreach. Johannes Ullrich from SANS on defending against Evil Maids with glitter. Our guest is Rohit Ghai from RSA with a preview of his keynote, Reality Check: Cybersecurity’s Story. And the Royal Military College of Canada’s hack attack remains under investigation. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/132
Jul 09, 2020
Traditional sabotage at Natanz. CISA’s ICS strategy. DDoSecrets’ server seized by German police at the request of the US. COVID-19-themed phishing infrastructure taken down. Cyberespionage.
1388
The Natanz blast looks like traditional sabotage. CISA releases its strategy for securing industrial control systems. Authorities in Germany seize DDoSecrets’ server pursuant to a US request. Microsoft takes down COVID-19-themed BEC and phishing infrastructure. FBI Director denounces China’s cyberespionage. Joe Carrigan helps review personal privacy measures for ios and Android. Rick Howard speaks with Steve Moore from Exabeam with insights from a year spent interviewing CISOs. And some DDoS and ransomware attempts. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/131
Jul 08, 2020
Sabotage, not cyber? Cosmic Lynx pounces on some big companies with BEC. Purple Fox upgrade. Coordinated inauthenticity in the journalistic supply chain.
1401
Explosions at Iranian nuclear sites remain unexplained, but look increasingly like conventional sabotage as opposed to cyberattacks. The Cosmic Lynx gang sets a high bar for business email compromise. The Purple Fox exploit kit gets an upgrade. Ben Yelin describes a 5th amendment compelled decryption case that may be headed to the Supreme Court. Our guest is Hugh Thompson, Chairman of the RSA Conference Program, on the human element of cyber security and lessons learned shifting a conference online. And a network of coordinated inauthenticity and fictitious personae is found pushing an Emirati official line. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/130
Jul 07, 2020
Damage at Natanz, maybe cyber-induced but maybe not. Official Huawei skepticism spreads. Big European dragnet. Hushpuppi in custody.
1352
An Iranian nuclear installation may have been hacked. Or maybe not, but in any case it was damaged. Huawei gets more skeptical looks. European police round up hundreds of online contraband dealers. Thomas Etheridge from CrowdStrike on the increased need for speed, scale, and remote investigative and recovery services. Our guest is Tobias Whitney from Fortress Information Security on the Asset to Vendor Network (A2V). And an accused Nigerian money-launderer (and an admitted influencer) is now in US custody, facing Federal charges. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/129
Jul 06, 2020
Solving hard problems and pursuing your passions. [Career Notes]
438
CEO, Matt Devost, describes many firsts in his career including hacking into systems on an aircraft carrier at sea. He shares how he enjoys solving hard problems and the red teamer perspective, and how he was able to translate those into a career. For those interested in cybersecurity, Matt advises opportunities for self-directed learning including heading down to your basement and building your own lab. Our thanks to Matt for sharing his story with us. 
Jul 05, 2020
Evil Corp versus newspapers. Trolling for unprotected MongoDB. Taurus in the criminal souks. Law and security. Loot boxes as gambling items.
1360
Evil Corp seems to have been shuffling through some newspaper sites. Don’t take the gangs’ communiqués at face value, but some appear to be trolling for unprotected MongoDB databases. A look at Taurus, an information-stealer being sold in criminal-to-criminal markets. Chinese law and online security. The EARN-IT Act is being debated. Justin Harvey on “Smishing”. Our guest is Jeff Styles from FireMon on COVID-19 increasing misconfiguration risks. And there’s trouble in Tilted Towers. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/128
Jul 02, 2020
EvilQuest ransomware identified. Out-of-band patches. The scope of Chinese surveillance of Uighurs. Hong Kong and the National Security Law. FCC finds against Huawei, ZTE.
1351
EvilQuest ransomware found in pirated versions of Little Snitch app. Out-of-band patches from Microsoft and Oracle. Extensive Chinese surveillance of Uighurs described. Hong Kong and the world react to China’s new National Security Law. The US FCC finds both Huawei and ZTE are threats to national security. Joe Carrigan on password stealers that target gaming. Our guest is Kiersten Todt from the Cyber Readiness Institute on how COVID-19 has changed small business security and what to expect going forward. And Britain rethinks its position on Huawei and 5G infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/127
Jul 01, 2020
Critical bug disclosed in Palo Alto products (a fix is available). StronPity (a.k.a. Promethium) is back. A big Bitcoin scam. Lots of PII newly offered in the dark web. Australia and India look to their defenses.
1335
NSA and CISA agree: take Palo Alto’s advisory about its PAN-OS operating system seriously. StrongPity is back and active against targets in Turkey and Syria. A big Bitcoin scam is using spoofed news outlets and bogus celebrity endorsements to lure victims. A large trove of PII has appeared in the dark web. Ben Yelin from UMD CHHS on whether or not the EARN IT Act violates the constitution, our guest is Brad Stone with Booz Allen Hamilton on how technology is changing the battlefield and why cyber is becoming so important in the DoD space. Finally, both Australia and India look to shore up their defenses against cyber threats from China. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/126
Jun 30, 2020
Ransomware pays, in California. Kashmir utility recovers from cyberattack. Update on hacktivism vs. Ethiopia. Another misconfigured AWS account. Guilt and sentencing in high-profile cybercrime.
1329
The University of California San Francisco pays Netwalker extortionists nearly a million and a half to recover its data. A Kashmir utility restores business systems after last week’s cyberattack. The website defacements in Ethiopia continue to look more like hacktivism than state-sponsored activity. Our own Rick Howard talks about wrapping up his first season of CSO Perspectives. Our guest is Sanjay Gupta from Mitek discussing how online marketplaces can balance security with biometrics. Data are exposed at an e-learning platform. Three prominent cyber-hoods go down in US Federal courts. And Lion says the beer is flowing, post ransomware. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/125
Jun 29, 2020
Get your foot in the door and prove your worth. [Career Notes]
396
Vice President of Marketing, Kathleen Booth, shares her career path from political science and international development to marketing for a cybersecurity company. Early dreams of acting morphed into goals of making the world a better place. Chief marketer and podcaster Kathleen is doing just that. She shares how proving your worth can lead to success. Listen for Kathleen's advice on getting your foot in the door. Our thanks to Kathleen for sharing her story with us. 
Jun 28, 2020
Enter the RAT. [Research Saturday]
1490
A new report examines how five related APT groups operating in the interest of the Chinese government have systematically targeted Linux servers, Windows systems and Android mobile devices while remaining undetected for nearly a decade. The report comes on the heels of the U.S. Department of Justice announcing several high-profile indictments from over 1,000 open FBI investigations into economic espionage as part of the DOJ’s China Initiative. Joining us in this week's Research Saturday to discuss the report is Eric Cornelius of Blackberry.  The research can be found here:  Decade of the RATs: Novel APT Attacks Targeting Linux, Windows and Android
Jun 27, 2020
Patch Exchange already, will ya? GoldenSpy lurks in tax software Chinese banks prefer their foreign clients to use. Magecart gets cleverer. Another unsecured AWS S3 bucket, and this one’s not funny.
1592
Microsoft urges Exchange server patching. Sure it does your taxes, but it’s got another agenda, too: the GoldenSpy backdoor may be in your tax software if you do business in China. Magecart ups its game. DDoSecrets says they’re not going to roll over for Twitter’s “Nixonian” schtick. Camille Stewart from Google and Lauren Zabierek from Harvard’s Belfer Center on the #Sharethemicincyber event and why systemic racism is a threat to cybersecurity. Rick Howard wraps up cybersecurity canon week with guests Richard Clarke and Robert Knake, authors of The Fifth Domain. And there’s another unsecured Amazon S3 bucket, and this exposure could present a serious risk to some people who already have trouble enough. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/124 - More info on the #Sharethemicincyber event. - Camille Stewart's essay on systemic racism in cyber.
Jun 26, 2020
Big big DDoS. Evolving malware families. (More) privacy by default. A superseding indictment in the US case against Julian Assange. The EU reviews two years of GDPR.
1346
Akamai’s report on the record-setting DDoS attack it stopped this week. Glupteba GLOOP-tib-yeh and Lucifer malware strains described. Apple and Google move their defaults in the direction of greater privacy. The US designates Huawei and Hikvision as controlled by China’s military. A superseding indictment in Julian Assange’s case. The EU looks at GDPR and likes what it sees. REvil gets ready to sell stolen data. David Dufour from Webroot with tips on navigating new workplace realities. Our guest is David Sanger, author of The Perfect Weapon - War, Sabotage, and Fear in the Cyber Age. And the Navy recruiting campaign that wasn’t. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/123
Jun 25, 2020
BlueLeaks updates and fallout. Hidden Cobra hunt. Hacking leads to trade wars. What the crooks are watching, from their home and yours.
1427
Twitter permanently suspends DDoSecrets for violating its policy with respect to hacked material. DDoSecrets explains its thinking with respect to BlueLeaks. A quick look at a Hidden Cobra hunt. Sino-Australian dispute over hacking may be moving into a trade war phase. Lessons on election management. What do cybercriminals watch when they binge-watch? Joe Carrigan explains the Ripple 20 vulnerabilities. Cybersecurity Canon week continues with Joseph Menn, author of Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World. And some notes on the most malware-infested movie and television fan communities. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/122
Jun 24, 2020
Hacking attends international conflicts and disputes in India, Australia, and Ethiopia. US designates four Chinese media outlets foreign missions. Sodinokibi evolves; Evil Corps rises from its virtual grave.
1403
International conflicts and disputes are attended by hacking in South Asia, Australia, and Africa. The US designates four Chinese media outlets as foreign missions, that is, propaganda outfits. Sodinokibi ransomware sniffs at paycard and point-of-sale systems. Ben Yelin on TSA’s facial recognition program. Cybersecurity Canon Week continues with our guest is Bill Bonney, Co-Author of CISO Desk Reference Guide. And Evil Corp is back, apparently because you just can’t keep a bad man down. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/121
Jun 23, 2020
BlueLeaks hacktivists dump police files online. NSO Group back in the news. COVID-19 apps and databases versus privacy. Cyber conflict: China versus India and Australia. An alt-coin baron’s story.
1370
BlueLeaks dumps stolen police files online. A report of spyware delivered via network injection. COVID-19 apps and databases are reported to have indifferent privacy safeguards, and there’s been one big recent leak. India and Australia both on alert for Chinese cyberattacks. Our own Rick Howard on intelligence operations. It’s cybersecurity Canon Week, our guest is Todd Fitzgerald, author of CISO Compass. And New Zealand piles on in the case of a Russian alt-coin baron. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/120
Jun 22, 2020
Superhero origin stories and lessons that last. [Career Notes]
414
Dean of Research, Johannes Ullrich, relays his experiences from studying the hard sciences to his career shift to cybersecurity. Basic principles, superhero origin stories, physics labs and radiation all figure in. And there’s a lot in common with network security best practices. Have a listen to what Johannes has learned and what he hopes to impart on his students. Our thanks to Johannes for sharing his story with us. 
Jun 21, 2020
Click here to update your webhook. [Research Saturday]
1213
Slack is a cloud-based messaging platform that is commonly used in workplace communications. Slack Incoming Webhooks allow you to post messages from your applications to Slack. Generally, Slack webhooks are considered a low risk integration. A deeper dive into webhooks shows that this is not entirely accurate.  Joining us in this week's Research Saturday is Ashley Graves from AT&T Cybersecurity's Alien Labs to discuss her research.  The research can be found here:  Slack phishing attacks using webhooks
Jun 20, 2020
Australia warns of a large-scale espionage campaign. China indicts two long-detained Canadians. And the Lazarus Group may be about to undertake a widespread COVID-19-themed fraud effort.
1417
A look at the “state-based cyber actor” the Australian government is concerned about. Some signs of Chinese retaliation for Five Eyes’ skepticism of Huawei. Johannes Ullrich explains malware triggering multiple signatures in anti-malware products. Our guest is Geoff White, author of Crime Dot Com, on how he tracked down the creator of the Love Bug. And an alert about the possibility of some COVID-19-themed fraud from the Lazarus Group. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/119
Jun 19, 2020
Cyber support for a kinetic conflict. Cyberespionage. Spyware in Chrome extensions. Criminal phishing bypasses defenses. Proposed revisions to Section 230. Zoom and encryption.
1378
Sino-Indian conflict extends to cyberspace. InvisiMole connected to Gamaredon. Spyware found in Chrome extensions. Phishing around technical defenses (and some criminal use of captchas). The US Justice Department releases its study of Section 230 of the Communications Decency Act. Zully Ramzan from RSA on privacy and security in a post-COVID world. Our guest is Michael Powell from NCTA on the importance of the UK cybersecurity sector. And Zoom decides to make end-to-end encryption generally available. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/118
Jun 18, 2020
Ripple20 flaws in the IoT supply chain. Operation In(ter)ception looks for intelligence, and cash, too. Sino-Indian tensions. A look at Secondary Infektion. How not to influence reviewers.
1399
Ripple20 vulnerabilities are reported in the IoT software supply chain. North Korean operators go for intelligence, but also for cash, and they’re phishing in LinkedIn’s pond. Sino-Indian tensions find expression in cyberspace. A long look at the Russian influence operation, Secondary Infektion. Joe Carrigan from JHU ISI on why older adults share more misinformation online. Our guest Will LaSala from OneSpan tracks the increase in online banking fraud during COVID-19. And the strange case of the bloggers who angered eBay may have more indictments on the way. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/117
Jun 17, 2020
Cyberespionage and counterespionage. The DDoS that never was. A very strange case of cyberstalking. And leaky niche dating sites.
1383
What does Beijing want to know about US Presidential campaigns? Position papers, mostly. A redacted version of the CIA’s inquiry into the WikiLeaks Vault 7 material is out. That DDoS attack you read about on Twitter? Never happened. Former eBay employees face Federal charges of conspiracy to commit cyberstalking and witness tampering. Ben Yelin explains a judge refusing to sign off on a potential Facebook facial recognition settlement. Our guest is Randy Vanderhoof from the Secure Technology Alliance on mobile drivers licenses. And where would you store “niche” dating app material? In a misconfigured AWS S3 bucket. Where else? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/116
Jun 16, 2020
ActionSpy Android spyware deployed against Uyghurs in Tibet. Anonymous claims an action against Atlanta PD. Security vendor or malware purveyor? Spelling counts.
1270
A new Android spyware tool is deployed against China’s Uyghur minority. Anonymous claims it disrupted the Atlanta Police Department’s website yesterday to protest a police shooting. An apparently legitimate security firm has apparently been selling malware to criminals. Breachstortion joins sextortion as a criminal tactic. Craig Williams from Cisco Talos on Astaroth, an information-stealer that has been targeting Brazil, Our own Rick Howard on risk assessments. And why spelling always counts. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/115
Jun 15, 2020
The mark of making a difference. [Career Notes]
366
Financial firm CISO, Tom Quinn, takes us from his first experience with modern computers in the military to his current role as a Chief Information Security Officer. It's important to understand how the technology works, but it's also important to understand how people work. And, to make a difference. Our thanks to Tom for sharing his story with us. 
Jun 14, 2020
The value of the why and the who. [Research Saturday]
1674
Proactive, efficient threat mitigation and risk management require understanding adversaries’ fundamental thought processes, not just their tools and methods. Cyber threat intelligence analysts combed through 15 years (2004 to 2019) of public sources that have documented the activities of one prolific threat actor, Russia’s military intelligence agency, the GRU. Analysis shows that the timing, targets, and impacts of this activity mirrored Russian strategic concerns about specific events and developments.  Joining us in this week's Research Saturday are Brad Stone & Nate Beach-Westmoreland from Booz Allen Hamilton to discuss their report and some of the 33 case studies presented in it. The research can be found here:  Bearing Witness: Uncovering the Logic Behind Russian Military Cyber Operations
Jun 13, 2020
Chinese, Russian, and Turkish domestic influence campaigns. Zoom’s China troubles. Honda, Enil recover from Ekans. Ransomware attacks against a city and an M&A consultancy.
1557
Twitter’s transparency efforts see through accounts being run by Chinese, Russian, and Turkish actors. Zoom is working to both comply with Chinese law and contain the reputational damage involved in doing so. Industrial firms recover from Ekans infestations. Caleb Barlow from CynergisTek on how hospital CISOs are dealing with the COVID-19 situation. Our guest is Ronald Eddings from Palo Alto Networks and the Hacker Valley Studio Podcast on strategies for finding and managing security architects. And it’s not Posh Spice who’s got the attention of Maze; it’s just her M&A advisors. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/114
Jun 12, 2020
Gamaredon ups its crazy game. Doxing during unrest. Bogus contact-tracing apps spread spyware. Thanos in the ransomware market. Crypto Wars notes. Another 419 scam.
1337
The Gamaredon Group is back, and what’s their secret? Like Crazy Eddie’s, it’s volume! Doxing during times of unrest. Phoney contact-tracing apps are snooping on personal information in at least ten countries. Thanos is a criminal favorite in the ransomware-as-a-service market. Another skirmish in the Crypto Wars is brewing up on Capitol Hill. David Dufour from Webroot on how organizations can successfully navigate their new workplace realities. Our guest is Chester Wisniewski from Sophos on fleeceware apps found in the Apple app store. And no, really, Elon Musk is not on YouTube offering you Bitcoin. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/113
Jun 11, 2020
A big Patch Tuesday. Honda ransomware update. Facebook helped the FBI with a zero-day. Cloud service outages. Breach settlements. BellTroX explains itself, sort of.
1353
Notes on Patch Tuesday--it was a fairly big one this time. Honda continues its investigation of the incident it sustained over the weekend, and outsiders see it as a ransomware attack. Facebook is said to have developed a Tails zero-day to help the FBI with a notorious case. Crooks are turning to search engine optimization. IBM and Google cloud services recovered quickly from outages. You’re unlikely to get rich from a breach settlement. Joe Carrigan describes free online courseware aimed at Community College students. Our guest is Dennis Toomey from BAE on how financial institutions need to enact stronger cyber protocols as employees migrate to working from home. And BellTroX says, hey, it was just helping some private eyes. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/112
Jun 10, 2020
Tracking down hackers-for-hire. SNAKE ransomware bites Honda. Anti-DDoS for criminal markets. And a menu for cyber contraband.
1371
Commercialized hacking-for-hire is traced to an Indian firm, but it’s probably not an isolated problem. Ransomware shuts down Honda production lines in three continents. Criminals develop and distribute an anti-DDoS tool to help keep the dark web souks responsive and available. Ben Yelin revisits Twitter’s flagging or removing the U.S. President’s tweets. Our guest is Jeremy Oddo from The Third Floor to discuss cybersecurity in Hollywood during COVID-19. And researchers compile a menu of cyber contraband. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/111
Jun 09, 2020
Regional rivals jostle in cyberspace. Election interference and vulnerable online voting. Phishing for a competitive advantage. Reducing dependence on foreign companies for infrastructure.
1348
South and Southwest Asian regional rivalries play out in cyberspace. Election interference could move from disruptive influence operations to actual vote manipulation. Someone is spearphishing leaders in Germany’s PPE task force. Nations move to restrict dependence on foreign companies in their infrastructure. Justin Harvey from Accenture on the train of thought behind breach disclosure. Our own Rick Howard on DevSecOps. And Washington State recovers some, but not all, of the unemployment funds lost to fraud. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/110
Jun 08, 2020
Ask more people to dance. [Career Notes]
319
Cyber analyst, Tracy Maleeff, shares her unexpected journey from the library to cybersecurity and offers advice for those both seeking to make a change and those doing the hiring. It's not just about the invitation, it's more than that. Our thanks to Tracy for sharing her story with us. 
Jun 07, 2020
Due diligence cannot be done as a one-off. [Research Saturday]
1291
Earlier this year, a Virgin Media database containing the personal details of 900,000 people was discovered to be unsecured and accessible online for 10 months. The breach was discovered by researchers at the security firm TurgenSec. This breach had major implications under GDPR.  Joining us in this week's Research Saturday are George Punter and Peter Hansen from TurgenSec to talk about the discovery of the breach.  The research can be found here:  Virgin Media Disclosure Statement & Resources
Jun 06, 2020
Hurricane Panda and Charming Kitten paw at, respectively, the campaigns of Mr. Biden and Mr. Trump. Lies’ bodyguard of truth. Information warfare in the Gulf.
1373
It’s mostly cyberespionage today, with an admixture of influence operations. Google has warned both major US Presidential campaigns that Chinese and Iranian intelligence services are after their staffers’ email accounts, so far apparently without much success. Russia, China, and Iran devote some purposive media attention to US civil unrest. Johannes Ullrich from SANS on malicious PowerPoint add-ins. Our guest is Bil Harmer from SecureAuth on credential carelessness. And Qatar’s rivals in the Gulf continue their information campaign against Doha: this time it’s bogus news of a coup. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/109
Jun 05, 2020
Nuisance-level hacktivism. Ongoing cyberespionage and cybercriminal campaigns. EU unhappy with Russia’s hacking the Bundestag. CISA has a new cybersecurity resource.
1320
Nuisance-level hacktivism continues to surround US protests. The Higaisa APT is active in Southeast Asia. Goblin Panda is back, with USB-borne malware. A new strain of ransomware is described: “Tycoon.” The EU considers whether to sanction Russia over the GRU’s hack of Germany’s Bundestag. CISA launches a new public resource for cybersecurity. Zulfikar Ramzan from RSA on cybersecurity and digital risk in the context of pandemics. Our guest is Grant Goodes from GuardSquare on security of mobile app voting. And a Texas man pleads guilty to conspiracy to commit money-laundering in the course of a BEC scam. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/108
Jun 04, 2020
Slacktivism and vandalism in a time of unrest. Ransomware operators continue to evolve. Email voting. Looking up how-to-guides to cybercrime during social isolation.
1339
Protest groups sustain DDoS attacks, too. Old school denial-of-service afflicts police radio networks in Chicago: they’re being jammed with talk, music, and other noise. Influencers and wannabes continue to use unrest as an occasion for on-line branding. The Sodinokibi gang is selling data stolen in ransomware attacks, and Maze seems to be establishing a criminal cartel. Is email to voting what shadow IT is to the enterprise? Ben Yelin describes a federal case involving police screenshots of a suspects’ phone as evidence. Our guest is Steve Durbin from the Information Security Forum on the Threat Horizon 2022 report. And cybercrime for dummies. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/107
Jun 03, 2020
Current forms of hacktivism, misinformation, and disinformation. More recommendations from the Cyberspace Solarium. Fraud accompanies Test and Trace.
1351
Unrest accompanied by misinformation, disinformation, and Anonymous theater. Booter hacktivism. Extremist inauthenticity. The Cyberspace Solarium Commission releases its white paper on the pandemic’s lessons for cybersecurity. Joe Carrigan unpacks Casio executing a DMCA takedown on a hardware hack. Our guest is Herb Stapleton from the FBI on the 20 year anniversary of the IC3. And the UK’s Test and Trace system is expected to be accompanied by a wave of fraud. Actually, that fraud has already begun. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/106
Jun 02, 2020
Cyberattacks and hacktivism around Minnesota’s unrest. Amtrak breach. Port scanning. Some lessons from the pandemic.
1295
Hacking, and more claims of hacking, surround the unrest in Minnesota. Data breach at Amtrak Guest Rewards. More companies found port scanning. Four cybersecurity lessons from the pandemic. David Dufour from Webroot with an overview of online scams his team is tracking during COVID-19, Our own Rick Howard compares resiliency with business continuity. And a new 5G device is not only holographic, but quantum oscillatin’ too. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/105
Jun 01, 2020
Extending security tools to the at home workforce during the pandemic. [Research Saturday]
1762
In this episode of CyberWire-X, Rick Howard, the CyberWire’s Chief Analyst, interviews security thought leaders on the strategy and tactics to extend the security controls we’ve typically used to protect our handful of remote employees in the past to today, during the pandemic, that requires us to deploy flexible but equivalent controls at scale to everybody in the organization. Joining us is Bob Turner, CISO of the University of Wisconsin at Madison. Later in the program, we will hear from Mounir Hahad, the head of Threat Labs, and Mike Spanbauer, a security evangelist, at Juniper Networks, the sponsor of the show. Thanks to our sponsor, Juniper Networks. 
May 31, 2020
Twofold snooping venture. [Research Saturday]
1283
Working with many different honeypot implementations, a security researcher did an experiment expanding on that setting up a simple docker image with SSH, running a guessable root password. The catch? What happened in the next 24 hours was unexpected. Joining us in this week's Research Saturday to talk about his experiment is Larry Cashdollar of Akamai.  The research can be found here:  A Brief History of a Rootable Docker Image
May 30, 2020
Sandworm is out and about, so patch already. Steganography used in attacks on industrial targets. An Executive Order on Preventing Online Censorship. Breaches, ransomware, and lessons.
1490
NSA warns that the GRU’s Sandworm outfit has been actively exploiting a known vulnerability in Exim. Someone is attacking industrial targets in Japan and Europe using steganography and other evasive tactics. NTT Communications is breached, and Michigan State University sustains a ransomware attack. Ben Yelin unpacks the President’s executive order aimed at social media companies. Our guest is Vik Arora of the Hospital for Special Surgery on protecting health care organizations during COVID-19. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/104
May 29, 2020
Hackers for hire. A bulk power distribution risk? An Executive Order on social media is under consideration. COVID-19 and cybersecurity.
1353
Hackers-for-hire find criminal work during the pandemic. The US Department of Energy is said to have taken possession of a Chinese-manufactured transformer. US President Trump may be considering an Executive Order about the legal status of social media. Contact-tracing apps in France and the UK are scrutinized for privacy. Ben Yelin from with the latest iPhone cracking case between the FBI and Apple. Our guest is retired CIA master of disguise Jonna Mendez on her book The Moscow Rules. Canada’s Centre for Cyber Security assesses current risks, and Huawei’s CFO loses a round in a Vancouver court. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/103
May 28, 2020
Berserk Bear is back, and still loves that critical infrastructure honey. COVID-19 apps: good, bad, and bogus. Android issues discovered. A FIN7 arrest. Mr. Faraday’s underwear.
1352
Berserk Bear is back, and snuffling around Germany’s infrastructure. Two new Android issues surface. India opens up the source code for its COVID-19 contact-tracing app as such technological adjuncts to public health continue to arouse privacy concerns. [F]Unicorn poses as Italy’s Immuni app. An alleged FIN7 gangster is arrested. Australia’s Data61 urges companies not to scrimp on R&D. Joe Carrigan on Android mobile malware getting new features. Our guest is Frederick “Flee” Lee from Gusto on CCPA. And does your underwear come with a Faraday cage? We thought it might. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/102
May 27, 2020
The evolution of malware, both criminal and state-run.
1275
Turla tunes its tools. The commodity Trojan AnarchyGrabber is now stealing passwords. A new iOS jailbreak has been released. The UK reconsiders its decision to allow Huawei into its 5G networks. A tech group lobbies the US House against warrantless inspection of searches. Remote work’s regulatory risk. COVID-19 conspiracy theories. Hackers say they’re vigilantes. Our own Rick Howard on intrusion kill chains, his latest episode of CSO Perspectives. Our guest is Nico Fischbach from Forcepoint on deepfakes expanding outside of disinformation campaigns to the enterprise. And too many remote workers appear to have too much time on their hands. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/101
May 26, 2020
Naming and shaming is the worst thing we can do. [Research Saturday]
1654
In December 2019, the GOLD VILLAGE threat group that operates the Maze ransomware created a public website to name and shame victims. The threat actors used the website to dump data they exfiltrated from victims' networks before they deployed the ransomware. Secureworks Counter Threat Unit (CTU) researchers have observed several ransomware operators following suit. Joining us in this week's Research Saturday is Alex Tilley of SecureWorks' Counter Threat Unit. 
May 23, 2020
An election database leaks. Phishing from Firebase. Shiny Hunters sell Mathway user records. COVID-19-themed scams. On that return to the office thing...
1533
Indonesia’s election database has leaked, and PII is for sale in the dark web. Phishing campaigns abuse Firebase. The Shiny Hunters are selling Mathway user records. US agencies warn of COVID-19-themed criminal campaigns. Contact tracing technology hits a rough patch. Johannes Ullrich from SANS on phishing PDFs with incremental updates. Our guest is author Peter Singer on his new book, Burn-In. And what are you going to do when you return to the workplace? If, that is, you’ve left the workplace at all, and if you’re in fact ever going to return? For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/100
May 22, 2020
Cyberwar, cybercrime, and hacktivism: updates on all three. Contact tracing and its discontents. Cybersecurity economic trends during the pandemic.
1381
Website defacements in Israel may be hacktivist work. Iranian cyberespionage against Saudi Arabia and Kuwait. The latest evolution of ZeuS. The Winnti Group is still hacking, and it still likes stealing in-game commodities. Contact tracing during the pandemic proves harder than many thought it would be. Economic trends for the security sector as it prepares to emerge from the general state of emergency. Caleb Barlow wonders if GDPR may have unintended consequences for stopping COVID-19 scammers. Gabriel Bassett from Verizon on the 2020 DBIR. And if you’re looking for qualified workers, follow the layoff news. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/98
May 21, 2020
Cyber espionage: many operations and many targets. Misinformation and online fraud during the pandemic. Beer and conviviality versus operational security.
1369
Cyber spies steal prototype missile data. Others hack into South Asian telecoms, and still others go after easyJet passengers’ travel data. Cyberattacks, misinformation, and cyber fraud continue to follow the COVID-19 pandemic. Joe Carrigan weighs in on the Thunderspy vulnerability. Our guest is James Dawson with insights on DMARK threats and why it’s worse during COVID-19. And think twice before you post, no matter how good or bad you think the beer is. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/98
May 20, 2020
Cyber conflict in the Middle East. EasyJet breached. More errors than exploits. The Dark Web during the pandemic. 5G misinformation. REvil updates.
1356
Foreign intelligence services attribute a recent cyberattack on an Iranian port to Israeli operators. EasyJet discloses a breach of passenger information. Verizon’s annual Data Breach Report is out, and it finds more errors than it does exploits. A look at the Dark Web during the pandemic. US authorities warn local law enforcement to watch for misinformation-driven telecom vandalism. Ben Yelin explains why the ACLU is suing Baltimore over a surveillance plane. Our guest is Robb Reck from Ping Identity on a recent CISO Advisory Council meeting regarding the sudden shift to working from home. And REvil is still offering celebrity dirt for sale...if they’ve actually got any. For links to all of today's stories check out our CyberWire daily news brief: https://www.thecyberwire.com/newsletters/daily-briefing/9/97
May 19, 2020
Supercomputers as cryptomining rigs. UK grid operator recovers from hack. EU Parliament data exposure. REvil ransomware gang promises dirty laundry. US-China conflict. Catphishing.
1336
European supercomputers were hacked by cryptominers. UK electrical power distributor recovers from its cyberattack. A database containing personal data related to the EU Parliament is found exposed. REvil says it’s got the celebrity goods, but has yet to show its hand. The US and China move into a new round of trade and security conflict. Justin Harvey shares insights on how companies are adjusting to the new remote working environment and the impacts to their security posture. Our guest is Ehsan Foroughi from SecurityCompass on compliance issues. And catphishing with some pretty implausible impersonations of US Army generals. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/newsletters/daily-briefing/9/96
May 18, 2020
Gangnam Industrial Style APT campaign targets South Korea. [Research Saturday]
1269
Section 52, CyberX’s threat intelligence team, has uncovered an ongoing industrial cyberespionage campaign targeting hundreds of manufacturing and other industrial firms primarily located in South Korea. CyberX has identified more than 200 compromised systems from this campaign, including one belonging to a multi-billion dollar Korean conglomerate that manufactures critical infrastructure equipment such as heavy equipment for power transmission and distribution facilities, renewable energy, chemical plants, welding, and construction. Joining us in this week's Research Saturday is Phil Neray, one of the authors of this report.  The research can be found here: Gangnam Industrial Style: APT Campaign Targets Korean Industrial Companies
May 16, 2020
Malware versus air-gapped systems. Ransomware against utilities and hospitals. Lessons for cybersecurity from the pandemic response. Outlaw blues.
1495
More malware designed for air-gapped systems. A British utility sustains a ransomware attack. The US Cyberspace Solarium Commission sees lessons in the pandemic for cybersecurity. Contact-tracing technologies take a step back,maybe a step or two forward. Rob Lee from Dragos comparing the state of ICS security around the world, our guest is Ian Pitt from LogMeIn on lessons learned working remotely during COVID-19. Criminals increase ransomware attacks on hospitals, and swap templates to impersonate government relief agencies. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/newsletters/daily-briefing/9/95
May 15, 2020
ARCHER incident. Contact tracing smishing. Malware vs. air gaps. A surcharge for deletion. Anti-creepware. 5G coronavirus delusions.
1294
ARCHER goes offline after a security incident. Scammers smish victims with bogus contact-tracing messages. Ramsay malware goes after air-gapped systems. Ako ransomware now places a surcharge on deletion of stolen data. Google boots creepware apps with the help of the CreepRank algorithm. Johannes Ullrich explains that when it comes to malicious binaries bypassing anti-malware filters, size matters. Our guest is Pat Craven, Director of the Center for Cyber Safety and Education on the security social media apps. And kooky 5G conspiracists go after cell towers in the US. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/newsletters/daily-briefing/9/93
May 14, 2020
More data theft by ransomware. Patch Tuesday notes. Espionage and possible data corruption against COVID-19 researchers. Be a role model for your AI.
1328
Ransomware continues to steal personal information. Notes on Patch Tuesday--and please, by all means patch. The FBI says it’s investigating cyberespionage directed against COVID-19 researchers (and US officials see direct data corruption in espionage). And the AI doesn’t really know what to make of us any more. Joe Carrigan from JHU ISI on Twitter’s response to 5G related Coronavirus conspiracy theories, our guest is Chris Cochran from Netflix on the importance of personal health and safety. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/newsletters/daily-briefing/9/93
May 13, 2020
Cyberwar looms in the Middle East? Hidden Cobra’s fangs described. Evasive Astaroth. Ransomware in Texas courts. COVID-19 espionage. Content moderation.
1327
Unattributed cyberattacks in an Iranian port prompt speculation that a broader cyberwar in the Middle East may be in the offing. CISA releases malware analysis reports on North Korea’s Hidden Cobra. Astaroth malware grows more evasive (and it was already pretty good at hiding). Texas courts sustain a ransomware attack. COVID-19 espionage warnings are on the way. Twitter’s misinformation warning system. Ben Yelin describes a Fourth Amendment case on automated license plate reader (ALPR) databases. Our guest is Brian Dye from Corelight on dealing with encrypted traffic without compromising privacy. And taking down Plandemic’s trailer. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/newsletters/daily-briefing/9/92
May 12, 2020
Cyberattacks with kinetic consequences. Thunderspy and evil maids. Developing background to the US bulk power security executive order. Conspiracy theories and the culture of social media.
1339
A cyberattack with kinetic effect. Shiny Hunters post more stolen wares online. Thunderspy and evil maids. Some developing background to the US bulk power state-of-emergency Executive Order. Contact tracing apps: reliability, privacy, security, familiarity, and rates of adoption all raise questions. The economic consequences of the pandemic emergency. Caleb Barlow from CynergisTek on Alan Brunacini’s concept of an Incident Action Plan, our guest is James Yeager from CrowdStrike on their Global Threat Report. And the reappearance of the yellow press in social media. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_11.html
May 11, 2020
The U.S. campaign trail is actually quite secure. [Research Saturday]
1362
Multiple media reports have indicated that the United States’ (U.S.) 2020 general election could be targeted by foreign and domestic actors after the successful cyber and misinformation attacks during the 2016 general election. The responsibility of secure and ethical online campaigning has become a central issue in the 2020 election. In some cases, it has become part of candidate platforms. Joining us in this week's Research Saturday is Paul Gagliardi from Security Scorecard, discussing their recent report detailing the cybersecurity of the 2020 Presidential race.  The research can be found here: 2020 Democratic Presidential Candidates Get Smart to Cybersecurity Report
May 09, 2020
PLA cyber espionage, and training WeChat censorship algorithms against the Chinese diaspora. Snake is back, and so is Charming Kitten. Election security. Recruiting money mules.
1495
Naikon has returned from four years in the shadows to snoop around the shores of the South China Sea. Tencent trains censorship algorithms on WeChat. Snake ransomware is back, making its way through the healthcare sector. Seeing Charming Kitten's pawprints in World Health Organization networks. Voting security during (or even after) a pandemic. Malek Ben Salem from Accenture on their Technology Vision report, our guest is Thomas Rid from Johns Hopkins University on his book, Active Measures. And unemployed workers are offered gigs as money mules. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_08.html
May 08, 2020
Mining Monero. A RAT in a 2FA app. The decline of the Cereal botnet. Markets during the pandemic. Ransomware in Taiwan. Twitter appeals to reason.
1303
A new Monero miner is out and about. Hidden Cobra is pushing a RAT through a Trojanized two-factor authentication app. The rise and fall of a botnet. Markets, criminal and legitimate, react to the pandemic. Ransomware hits Taiwan. Remcos is resurgent. Michael Sechrist from BAH on where things are headed with ransomware, our guest is Rachael Stockton from LastPass on their Psychology of Passwords report. And, despite what you saw on Twitter when you were “doing your own research,” 5G does not cause COVID-19, and telecom repair crews are not agents of the Illuminati. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_07.html
May 07, 2020
Taking down coordinated inauthenticity. Contact tracing and other COVID-19 notes. BlackInfinity taken down.
1351
Facebook reports on the coordinated inauthenticity it took down in April. Investigations into COVID-19’s origins continue, as does medical espionage. Contact tracing’s challenges. Joe Carrigan from JHU ISI on recent flaws in antivirus products, our guests are Laura Deimling and Courtney Wandeloski from Down To Staff on interviewing tips for employees and hiring managers. And European police take down the BlackInfinity credential traffickers. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_06.html
May 06, 2020
Bear hunt in the Bundestag. Kaiji botnet described. Cryptojacking. Joint US-UK warning against attacks on COVID-19 response. Contact tracing. Puppy scams.
1371
A pretty Fancy Bear hunt in Germany. A new IoT botnet surfaces. Cryptojackers exploit a Salt bug. Bribing an insider as a way to get personal data. The UK’s NCSC and the US CISA issue a joint warning about campaigns directed against institutions working on a response to COVID-19. Britain’s contact tracing app starts its trial on the Isle of Wight. Ben Yelin from UMD CHHS on AI inventions and their pending patents, our guest is Matt Glenn from Illumio on why companies should break up with their firewalls. And don’t get puppy scammed--you’re looking for wags in all the wrong places. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_05.html
May 05, 2020
A state of emergency over bulk power in the States. Beijing’s disinformation about COVID-19, and its motivation for a coverup. Hacking biomedical research. Curious Xiaomi phones.
1341
A US Executive Order on Securing the United States Bulk-Power System declares a state of emergency in electricity generation and distribution. China’s disinformation about COVID-19 may have begun in the earliest stages of the pandemic. Someone’s hacking for information on British biomedical research. Xiaomi seems very interested in users of its phones. Andrea Little Limbago on global privacy trends, our guest is Mathew Newfield from Unisys with insights on cybersecurity breaches. And the Love Bug’s creator is found. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_04.html
May 04, 2020
Fingerprint authentication is not completely secure. [Research Saturday]
1338
Passwords are the traditional authentication methods for computers and networks. But passwords can be stolen. Biometric authentication seems the perfect solution for that problem. Our guest today is Craig Williams, director of Talos outreach at Cisco. He'll be discussing and providing insights into their report which shows that fingerprints are good enough to protect the average person's privacy if they lose their phone. However, a person that is likely to be targeted by a well-funded and motivated actor should not use fingerprint authentication. The research can be found here: Fingerprint cloning: Myth or reality?
May 02, 2020
China hacks at Vietnam over a territorial dispute. Kim’s still in charge, but could Hidden Cobra get loose if his grip slackens? COVID-19 and cybersecurity.
1500
Tensions between China and its neighbors. ICS incursions are troubling. The US intelligence community comments on COVID 19 disinformation. The FBI tracks increased cybercrime activity during the pandemic. Johannes Ullrich explains Excel 4 Macro vulnerabilities. Our guest is Tina C. Williams-Koroma, from TCecure on the importance of strong, effective leadership in cybersecurity. And smile for the web-cam. Your boss may be watching. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/May/CyberWire_2020_05_01.html
May 01, 2020
The persistence of ransomware. Exposure notifications and contact tracing. Doxing and conspiracy theories. More notes on the underworld.
1356
Ransomware not only encrypts and steals data, but establishes persistence as well. Apple and Google roll out their exposure notification API. GCHQ will help secure Britain’s centralized contact tracing system. A conspiracy-minded motive for doxing. Criminal markets and criminal enterprises continue to mimic legitimate ones. And a new wrinkle in mobile ransomware. Rob Lee from Dragos with insights on a recent ransomware incident shutting down a gas pipeline, guest is Drex DeFord from Drexio on Cybersecurity in Healthcare amid COVID-19. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_30.html
Apr 30, 2020
Content farmers and disinformation tactics. PhantomLance: quiet, selective, and apparently effective. Lawful intercept and contact-tracing apps. A look at the black market.
1352
Researchers see a coming shift in tactics used by Chinese “content farmers.” Amplifying disinformation through influencers and other agents of influence. PhantomLance is a quiet and selective Vietnamese cyber espionage campaign. Lawful intercept and contact tracing apps. And the black market for malware is surprisingly open, cheap, and attentive to its customers. Joe Carrigan from JHU ISI on cheating in online games, guest is Tonya Ugoretz from the FBI on engagement with public and private sector during COVID-19. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_29.html
Apr 29, 2020
Shade shuts down. CLOP hits pharma. Medical research firm breached. The pain caused by disinformation. Mr. Kim goes downy ocean?
1342
Shade ransomware operators close down, or so they say. A US pharmaceutical company is the victim of CLOP ransomware, and a Chinese medical research firm is breached by cyber criminals. Centralized versus decentralized approaches to contact tracing. A GDPR assistance site proves leaky. Disinformation breeds misinformation which breeds folly that brings misery. And Mr. Kim seems to be chillin’ downy ocean. Ben Yelin from UMD CHHS on responses to the EARN IT Act, guest is Katie Arrington, CISO for Assistant Secretary for Defense Acquisition on the Cybersecurity Maturity Model (CMMC) certification. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_28.html
Apr 28, 2020
Where’s Kim Jong-un? Disinformation campaigns against European targets. Cyberattack against wastewater treatment plants. Hupigon RAT is back.
1331
Reports to the contrary, as far as anyone really knows, North Korea’s Kim is still large and in charge. Poland reports Russian disinformation effort. The EU issues a controversial report on COVID-19 disinformation amid accusations that Europe is knuckling under to Chinese pressure. A cyberattack on wastewater treatment systems in Israel is reported. And the old Hupigon RAT is back, and looking for love. Caleb Barlow from CynergisTek on his responsibilities during an incident from the SOC operator to the CEO, guest is Dave Weinstein from Claroty on threats and existing security violations facing the U.S. critical infrastructure. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_27.html
Apr 27, 2020
Contact tracing as COVID-19 aid. [Research Saturday]
2110
Successful containment of the Coronavirus pandemic rests on the ability to quickly and reliably identify those who have been in close proximity to a contagious individual. Mayank Varia from Boston University describes how his team suggests an approach based on using short-range communication mechanisms, like Bluetooth, that are available in all modern cell phones. The research can be found here: Anonymous Collocation Discovery: Harnessing Privacy to Tame the Coronavirus
Apr 25, 2020
iOS zero-days, reconsidered. Hacking during a pandemic. An old campaign connected with the ShadowBrokers comes to light. Advice on web shells. Astroturfing and influence.
1544
An update on those iOS zero-days: they may not be as serious as assumed. Calls to take biomedical facilities off the hacking target list. Nazar and the ShadowBrokers. NSA and ASD issue joint advice on web shell malware. A report on astroturfing and influence operations. Joker’s Stash lays out more stolen cards. And Nintendo reports a problem with a legacy system. Michael Sechrist from BAH on the increase in IT/OT convergence, guest is Terence Jackson from Thycotic on HIPAA, telemedicine and the new normal of data regulation. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_24.html
Apr 24, 2020
APT32 activity reported. Florentine Banker’s patient BEC. iOS zero-days exploited in the wild. Sinkholing a cryptomining botnet. Intelligence services and gangs follow the news.
1361
Someone, probably Vietnam, is trying to develop intelligence on China’s experience with the coronavirus. Florentine Banker is an example of well-organized crime. iOS zero-days have been exploited in the wild; a fix is promised. A cryptomining botnet is sinkholed. And intelligence services and criminals are tuning their phishbait to current events, as they always do. Malek Ben Salem from Accenture on encrypted DNS, guest is Russ Mohr with MobileIron on why the applications that excite us about 5G are the same applications that warrant the most concern. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_23.html
Apr 23, 2020
COVID-19 relief. Data exposure at the SBA. Ransomware gangland. The CTL-League’s volunteer defenders. Active measures, disinformation, and cyber deterrence.
1376
The US Senate authorizes more COVID-19 small business relief. A data exposure at the US Small Business Administration. The CTL-League looks like a model for cyber volunteer organizations. The US Senate reports its evaluation of the Intelligence Community’s look at Russian active measures in 2016. Calls for deterrence amid a converged campaign of disinformation. Joe Carrigan from JHU ISI on Microsoft zero-days, guest is Chris Chiles from OST on what companies need to consider before implementing 5G. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_22.html
Apr 22, 2020
DPRK leadership crisis? Probably not. Economic espionage in the oil patch. COVID-19 relief fraud. US Supreme Court will take up CFAA. Virtual proctoring.
1375
Fears about North Korean instability can wait until it’s determined that there’s actually instability. An economic espionage campaign targeted the oil and gas sector. Much phishing surrounds government COVID-19 economic relief programs around the world. The US Supreme Court will hear a case involving the Computer Fraud and Abuse Act. And if you’re studying from home, don’t cheat. And teacher, maybe don’t spy. Ben Yelin from UMD CHHS on training facial recognition software to recognize medical masks, guest is Gonda Lamberink from UL on making product security transparent and accessible to consumers. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_21.html
Apr 21, 2020
Update on threats to Czech infrastructure. Relief funds looted. PoetRAT vs. ICS. CISA updates essential workforce guidelines. Data breaches. Zoom-bombing.
1357
A wave of attacks against hospitals and infrastructure in the Czech Republic seems to have been largely unsuccessful, but more may be on their way. German relief funds earmarked for small business are looted by cybercrooks. PoetRAT is active against ICS targets in Azerbaijan. CISA updates its Guidance on the Essential Critical Infrastructure Workforce. Breaches at Cognizant, Aptoide, and Webkinz World. And more Zoom-bombing. David Dufour from Webroot on AI and machine learning, guest is Kelly White of Mastercard’s RiskRecon on how one of their healthcare customers is tracking COVID-19 infections. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_20.html
Apr 20, 2020
Complementary colors: teaming tactics in cybersecurity. [Research Saturday]
1647
We often hear cybersecurity professionals talking about red teams, blue teams, and purple teams. In this episode of CyberWire-X, we investigate what those terms mean, how security teaming approaches have changed over time, and the value of teaming for organizations large and small. Join us for a lively conversation with our experts Austin Scott from Dragos, and Caleb Barlow, from Cynergistek in part one. In part 2, we’ll also hear from Dan DeCloss from Plextrac, the sponsor of today’s episode. 
Apr 19, 2020
How low can they go? A spike in Coronavirus phishing. [Research Saturday]
1126
As much of the world grapples with the new coronavirus, COVID-19, and how to handle it, attackers are taking advantage of the widespread discussion of COVID-19 in emails and across the web. Joining us today is Fleming Shi, CTO of Barracuda discussing their report on these types of attacks, which are up 667-percent since the end of February. The research can be found here: Threat Spotlight: Coronavirus-Related Phishing To learn more about our Academic and Military discounts, visit The CyberWire and click on the Contact Us button in the Academic or Government & Military box. 
Apr 18, 2020
Warnings on healthcare attacks and espionage campaigns. Post-patching issues in VPNs. COVID-19 phishing. Contact tracing, for lungs and minds. Telework notes.
1561
Czech intelligence warns of an impending cyber campaign against hospitals. The US Defense Department alerts contractors that Electric Panda is back, and after their data. Pulse Secure VPN’s post- patching issues. Google blocks COVID-19 phishing emails. Apple and Google work on tracing physical contact, but Facebook is tracing contact with misinformation. Zoom offers some fixes, gets banned in India, and receives a mashnote from Larry Ellison. And notes on HIPAA and CMMC. Johannes Ullrich from SANS on exposed RDP servers while we work from home, guest is Tia Hopkins from eSentire on STEM/cybersecurity education. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_17.html
Apr 17, 2020
US warns of DPRK cyber activity. Replacing Huawei. COVID-19-themed cybercrime and state-directed activity. Telework notes.
1366
The US Government issues a major advisory warning of North Korean offensives in cyberspace, most of them financially motivated. Ericsson will provide BT the equipment to replace Huawei gear in its networks. Notes on COVID-19-themed cybercrime. Some temporary telework may become permanent. Disinformation from Tehran; domestic phishbait from Damascus. And to Zoom or not to Zoom? Rob Lee from Dragos with a summary of his RSA keynote, guest is Gregg Smith from Attila on cybersecurity concerns for employees working from home during the COVID-19 pandemic. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_16.html
Apr 16, 2020
Energetic Bear lands at SFO. Windpower utility hit with RagnarLocker ransomware. COVID-19-themed threats. Telework advice. Zooming.
1381
Energetic Bear’s pawprints seen at SFO. A leading windpower company is hit with ransomware. Advice for more secure telework. Why healthcare is an attractive target for cyberattack during a pandemic. ICANN pleads for action against scam domains. And the fortunes of Zoom. Joe Carrigan from JHU ISI on undocumented backdoors in Android apps, guest is Emily Mossburg from Deloitte on the geographical and cultural elements of privacy. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_15.html
Apr 15, 2020
The online stresses of the COVID-19 pandemic. APT41’s backdoor campaign. Contact-tracking and privacy. Virtual court is now in online session. Zoom’s fortunes. And tax-season online fraud.
1313
Demand for online services during the pandemic stresses government providers. APT41’s backdoor campaign aimed at information theft. Contact-tracking apps and privacy. Some courts move to hear cases online. Zoom’s continuing mixed success. And did you file your tax return? The crooks might have done so for you. Ben Yelin from UMD CHHS on Microsoft’s reaction to Washington State’s new facial recognition law, guest is Francis Dinha from OpenVPN on remote working during the COVID-19 pandemic. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_14.html
Apr 14, 2020
Ill-received pranks. SFO breach. Silicon Valley cooperates on contact tracking. COVID-19 disinformation and scams. Notes on ransomware and booter services.
1393
Vandals prank victims with security researchers’ names. San Francisco International discloses compromised networks. Google and Apple cooperate on contact tracking tech. Chinese disinformation campaigns rely on ad purchases and social media amplification. Phishing attempts and other scams. Notes on ransomware. And police in the Netherlands take down some DDoS-for-hire services. Andrea Little Limbago on government created internet blackouts, guest is Herb Stapleton from the FBI on COVID-19 scams. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_13.html
Apr 13, 2020
Profiling an audacious Nigerian cybercriminal. [Research Saturday]
1442
By day, he is Dton, an upstanding Nigerian citizen. He believes in professionalism, hard work and excellence. He’s a leader, a content creator, an entrepreneur and an innovator; an accomplished business administrator; a renaissance man who is adored by his colleagues. But by night, he is Bill Henry, Cybercriminal Entrepreneur. We sat down with a researcher at CheckPoint for the inside scoop into this fascinating, brazen individual.  The research can be found here: The Inside Scoop on a Six-Figure Nigerian Fraud Campaign
Apr 11, 2020
That odd and bogus 5G meme. Malvertising. Data breach hits Pakistani mobile users. xHelper update. Data privacy and data utility. COVID-19 and cybersecurity.
1603
The curious history of the delusion that COVID-19 has something to do with 5G. Malvertising spoofs a security company’s website. Data breach hits Pakistani mobile users. xHelper is still in circulation. Data privacy versus data utility. COVID-19-driven patterns of cybercrime. And more on Zoom and the challenges of working remotely. Mike Benjamin from CenturyLink on ddosing, botnets and IoT news, guest is Nathalie Marcotte from Schneider Electric on the role cybersecurity plays in convergence of IT/OT. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_10.html
Apr 10, 2020
Operation Pinball. Implausibly spoofed, not really official, COVID-19 emails. CISA updates US Federal telework guidance. ICO defers some big GDPR fines. Zoom agonistes. Fleeceware in Apple’s store.
1361
Operation Pinball roils up Eastern Europe and the Near Abroad. Crooks who can’t write idiomatic American English are spoofing emails from the White House in a COVID-19-themed phishing campaign. CISA updates telework guidelines for Federal agencies. Some GDPR fines are deferred until after the pandemic. Zoom continues to reel from its success. And fleeceware is found in the iTunes store. Caleb Barlow from CynergisTek on OODA loops, guest is Or Katz from Akamai on how current industry (and employee) phishing defenses are being bypassed by attackers. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_09.html
Apr 09, 2020
Joint UK-US warning on COVID-19-themed cyber threats. Disinformation in the subcontinent. Public and private apps with privacy issues. A new IoT botnet. APT notes. Frontiers in biometrics.
1347
NCSC and CISA issue a joint warning on cyber threats during the COVID-19 pandemic. India’s government seeks to limit disinformation in social media. Zoom works on privacy issues, and government contact-tracking apps face their own problems. A new DDoS botnet, “dark_nexus,” is out. BGP hijack questions persist. Is a front company facilitating Chinese government RATs? Spies and spyware. And a biometric advance leads from the rear. Joe Carrigan from JHU ISI on how COVID-19 is reinforcing TLS 1.0, guest is Pedram Amini from InQuest on winning the Cyber Tank contest. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_08.html
Apr 08, 2020
Trends in COVID-19-themed cybercrime. Social media seek to inhibit the misinformation pandemic. Corp[dot] off the market. BEC in cloud services. Investment notes. Big big fraud.
1361
Criminals increase their targeting of hospitals and pharmaceutical companies. Ordinary scams proliferate worldwide, using COVID-19 as their bait. Social media seek to inhibit the flow of coronavirus misinformation. The commodification of zero-day exploits. Corp[dot]com is no longer available. FBI warns of business email compromise via cloud services. A quick look at investment, and, finally, something other than the Brooklyn Bridge is for sale. Ben Yelin from UMD CHHS on a class action lawsuit against Zoom, guest is Matt Davey from 1Password on shadow IT trends, security risks, and best practices for oversight. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_07.html
Apr 07, 2020
COVID-19 updates: crime, propaganda, and craziness. (Also telework.) BGP hijacking. DarkHotel sighting. Apps behaving badly. And a risk of sim-swapping.
1338
The COVID-19 pandemic continues to drive a spike in cybercrime. It’s also been the occasion for various state-operated disinformation campaigns, and for some surprisingly widespread popular delusions. Zoom’s acknowledgement that some traffic was mistakenly routed through China draws more scrutiny to the teleconferencing service. A possible BGP hijack is reported. DarkHotel is said to be back. Bad stuff in Google Play. And a sim-swapping risk. Malek Ben Salem from Accenture on CISO health concerns, guest is Dr. Celeste Paul from NSA on cognitive capacity and burnout. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_06.html
Apr 06, 2020
A rough year ahead for ransomware attacks - and how to stop them. [Research Saturday]
952
2020 is shaping up to be a rough year. Ransomware attacks will continue to grow as cybercriminals get more sophisticated in their methods and expand their reach. Allan Liska, Senior Analyst at Recorded Future, shares their findings and predictions in a new report.  The research can be found here: 5 Ransomware Trends to Watch in 2020
Apr 04, 2020
Cybersecurity notes during the pandemic emergency. Twitter bots. Ransomware attack on a biotech firm. WHO updates. And how are the cyber gangs doing these days?
1581
Geolocation in support of social distancing. Fixing vulnerabilities in a popular teleconferencing service. Twitter bots running an influence campaign against the Turkish government are taken down. A biotech firm reports a ransomware attack. More on attempts to compromise the World Health Organization. And a look at how cyber criminals are faring during the emergency. Michael Sechrist from BAH on cybercrime changes in the age of Coronavirus, guest is Admiral James Stavridis (Ret.) from Preveil on global cyber security threats and realities. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_03.html
Apr 03, 2020
WHO email accounts prospected. Mandrake versus Android users. Vollgar versus MS-SQL servers. Ransomware and hospitals. Notes on the effects of COVID-19, and a disinformation campaign.
1303
Attempts on World Health Organization email accounts possibly linked to Iran. Mandrake Android malware is active against carefully selected targets. Vollgar attacks Windows systems running MS-SQL Server. Hospitals remain attractive targets for ransomware gangs. Italy’s social security operations shut down by hacking. Coronavirus disinformation. The pandemic’s effects on business. And a look at the fortunes of Zoom. Andrea Little Limbago from Virtru on the global battle for information control, guest is Perry Carpenter from KnowBe4 on security awareness. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_02.html
Apr 02, 2020
More data breaches. DPRK spearphishing. DoJ IG sees problems in FISA warrant processes. Houseparty updates. Huawei sanctions. And notes about the pandemic.
1293
Marriott discloses a major data breach. Another insecurely configured Elasticsearch database is found, this one belonging to a secure cloud backup provider. More spearphishing from Pyongyang. The US Justice Department IG sees systemic problems in the FISA warrant process. Updates on the Houseparty affair. Huawei suggests that Beijing will retaliate against more sanctions from Washington. And more COVID-19 notes concerning the cyber sector. Joe Carrigan from JHU ISI on Safari blocking third-party cookies, guest is Monzy Merza of Splunk on becoming an InfoSec leader. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/April/CyberWire_2020_04_01.html
Apr 01, 2020
Supply chain attack warning. CFAA clarified. COVID-19 and its economic squalls.
1326
FBI warns of another supply chain attack, this one distributing the Kwampirs RAT. More exposed databases found. The US Computer Fraud and Abuse Act gets some clarification from a Federal Court. Security and networking companies are weathering the COVID-19 economic storm, but not without squalls, some legal, some cyber, and others just reputational. Ben Yelin from UMD CHHS on ending targeted advertising, guest is Brendan O’Connor from AppOmni on the state of cloud security. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_31.html Support our show
Mar 31, 2020
Updates on the cyber ramifications of the coronavirus pandemic. Saudi surveillance program. Ransomware developments. Lost USB attacks are in progress.
1316
Updates on the coronavirus and its effect on the cyber sector. Criminals spoof infection warnings from hospitals. The country of Georgia’s voter data has been exposed online. The Kingdom of Saudi Arabia seems to have conducted extensive surveillance of its subjects as they travel in the US. The Zeus Sphinx Trojan is back. Dharma ransomware’s source code is for sale in the black market. And beware teddy bears bearing USB drives. David Dufour from Webroot on differences between privacy and security, guest is Daniel dos Santos from Forescout on Ransomware, IoT, and the impact on critical infrastructure. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_30.html Support our show
Mar 30, 2020
Hidden dangers inside Windows and LINUX computers. [Research Saturday]
1457
Eclypsium has issued a study that suggests the prevalence of “unsigned firmware in WiFi adapters, USB hubs, trackpads, and cameras used in computers from Lenovo, Dell, HP and other major manufacturers.” Here to discuss their findings is Rick Altherr, a Principle Engineer at Eclypsium. The research can be found here: Perilous Peripherals: The Hidden Dangers Inside Windows and LINUX Computers. 
Mar 28, 2020
Some notes on cyber gangland. South Koren APT using zero days against North Koreans? USB attacks. Telework challenges. CMMC remains on schedule.
1569
Ransomware gangs don’t seem to be trimming their activities for the greater good. TA505 and Silence identified as the groups behind recent attacks on European companies. An APT possibly connected to South Korea is linked to attacks on North Korean professionals. A criminal campaign of USB attacks is reported. Problems with VPNs and teleconferencing. The Pentagon’s CMMC will move forward on schedule. Rob Lee from Dragos on ICS resiliency in the face of Coronavirus, guest is James Dawson from Danske Bank on the unique challenges of IT Risk & Controls in global banking. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_27.html Support our show
Mar 27, 2020
Advice on secure telework. Magecart infestations. DNS hijacking with a COVID-19 twist and an info-stealer hook. Patch notes. The US 5G security strategy.
1261
NIST offers advice on telework, as does Microsoft. Things to do for your professional growth while you’re in your bunker. Magecart hits Tupperware, and they won’t be the last as e-commerce targeting spikes. DNS hijacking contributes to an info-stealing campaign. Apple and Adobe both patch. The US publishes its 5G security strategy. And some thoughts on the value of work, as brought into relief by a pandemic. Thomas Etheridge from Crowdstrike on their 2020 Cyber Front Lines Report, guest is Michelle Koblas from AppDynamics on third-party risk management. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_26.html Support our show
Mar 26, 2020
APT41 is back from its Lunar New Year break. Commodity attack tools for states and gangs. Russia takes down a domestic carding crew. Restricting misinformation.
1314
APT41 is back, and throwing its weight around in about twenty verticals. States and gangs swap commodity malware. The FSB--yes, that FSB--takes down a major Russian carding gang. Coronavirus-themed attacks are likely to outlast the pandemic. Facebook Messenger considers limiting mass message forwarding as a way of slowing the spread of COVID-19 misinformation. Joe Carrigan from JHU ISI on stimulus check scams, guest is Rachael Stockton from LogMeIn (LastPass) on the future of business network access security. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_25.html Support our show
Mar 25, 2020
Active ICS threats. TrickBot and TrickMo. RCE vulnerability in Windows. Google ejects click-fraud malware infested apps from Play. Attackers hit WHO, hospitals, and biomedical research.
1350
WildPressure APT targets industrial systems in the Middle East. ICS attack tools show increasing commodification. TrickMo works against secure banking. Microsoft warns of RCE vulnerability in the way Windows renders fonts. Click fraud malware found in childrens’ apps sold in Google Play. DarkHotel attacks the World Health Organization. Ransomware hits Parisian hospitals and a British biomedical research firm. More COVID-19 phishbait. Ben Yelin from UMD CHHS on Coronavirus detecting cameras, guest is Allan Liska from Recorded Future on security in the time of Coronavirus. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_24.html Support our show
Mar 24, 2020
Coronavirus fraud booms; prosecutors are taking note. Stolen data on the dark net. Software updates affected by pandemic. A new Mirai variant is out. A DDoS that wasn’t.
1335
US prosecutors begin to follow through on their announced determination to pay close attention to coronavirus fraud. Data stolen from Chinese social network Weibo is now for sale on the black market--at a discount. The pandemic affects scheduled software updates and sunsets at Google and Microsoft. A new Mirai variant is out in the wild. And a DDoS attack in Australia turns out to be just a lot of Australians in need of government services. Mike Benjamin from CenturyLink on threat actors using 3rd party file hosting, guest is Andrew Peterson from Signal Sciences on top application security attacks. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_23.html Support our show
Mar 23, 2020
The security implications of cloud infrastructure in IoT. [Research Saturday]
1866
Cloud computing is now at the center of nearly every business strategy. But, as with the rapid adoption of any new technology, growing pains persist. The key findings in these reports shed light on security missteps that are actually in practice by organizations across the globe. Joining us in this special Research Saturday are Palo Alto Network's Matthew Chiodi and Ryan Olson. They discuss their findings in two different threat reports.  The research can be found here: Cloud Threat Report IoT Threat Report
Mar 21, 2020
CISA on running critical sectors during an emergency. Disinformation, phishbait, and rumor. What’s Fancy Bear up to these days? Distinguishing altruism from self-interest.
1571
CISA describes what counts as critical infrastructure during a pandemic, and offers some advice on how to organize work during the emergency. Iran runs a disinformation campaign--apparently mostly for the benefit of a domestic audience--alleging that COVID-19 is a US biowar operation. Intelligence services, criminals, vandals, and gossips all flack coronavirus hooey in cyberspace. Fancy Bear is back. And what would provoke good behavior among thieves? (A hint: not altruism.) Malek Ben Salem from Accenture on mobile tracking and privacy, guest is Thomas Quinn from T Rowe Price on the job of protecting a financial institution. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_20.html Support our show
Mar 20, 2020
EU suspects Russia of disinformation. TrickBot’s latest module is a brute. Parallax RAT and the MaaS black market. Pandemic hacking trends. What to do with time on your hands.
1347
The EU suggests that Russia’s mounting an ongoing disinformation campaign concerning COVID-19. Russia says they didn’t do nuthin’. TrickBot is back with a new module, still under development, and it seems most interested in Hong Kong and the US. The Parallax RAT is the latest offering in the malware-as-a-service market. Food delivery services are now targets of opportunity for cybercriminals. Zoom-bombing is now a thing. And some advice from an astronaut. Andrea Little Limbago from Virtru with insights into her career path, guest is Tom Creedon from LookingGlass Cyber on the Asia-Pacific Cyber Conflict. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_19.html Support our show
Mar 19, 2020
Coronavirus phishing. Money mule recruiting. Remote work and behavioral baselining. HHS incident seems to have been...an incident. Advice from NIST, and from Dame Vera Lynne.
1471
More coronavirus phishing expeditions. Don’t let idleness or desperation lead you into a money-mule scam. How do behavioral expectations change during periods of remote work? The Health and Human Services incident appears to be just that. NIST has some advice for video-conferencing and virtual meetings. And an exhortation to return to the Blitz spirit. Joe Carrigan from JHU ISI on limitations of two-factor authenticator mobile apps, guest is Johnnie Konstantas from Oracle on cloud misconfigurations and shared responsibility in the public cloud. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_18.html Support our show
Mar 18, 2020
Cyberattack on US HHS probably a minor probe. Disinformation about COVID-19 continues to serve as both phishbait and disruption. US prosecutors move to stop prosecution Concord Management.
1341
The cyberattack on the US Department of Health and Human Services seems now to have been a minor incident. Disinformation about COVID-19 and measures to contain the pandemic continues to serve as both phishbait and disruption. And US prosecutors move to stop prosecution of a Russian influence shop fingered by the Mueller investigation. Ben Yelin from UMD CHHS on HHS issuing health data rules, guest is Kevin Mitnick from KnowBe4 on the state of cybersecurity from the RSAC 2020 floor.  For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_17.html Support our show
Mar 17, 2020
COVID-19’s effects on cyberspace: disinformation, espionage, data theft, fraud, and extortion. Also far greater remote working.
1310
COVID-19’s effects on cyberspace: disinformation, espionage, data theft, fraud, and extortion. Also far greater remote working. David Dufour from Webroot on their 2020 Threat Report, guest is Simone Petrella from CyberVista on cybersecurity skills. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_16.html Support our show
Mar 16, 2020
TLS is here to stay. [Research Saturday]
1190
As websites and apps more widely adopt TLS (Transport Layer Security) and communicate over HTTPS connections, unencrypted traffic may draw even more attention, since it’s easier for analysts and security tools to identify malicious communication patterns in those plain HTTP sessions. Malware authors know this, and they’ve made it a priority to adopt TLS and thereby obfuscate the contents of malicious communication. Joining us on this week's Research Saturday is Chester Wisniewski from SophosLabs discussing their research on the subject.  The research can be found here: Nearly a quarter of malware now communicates using TLS
Mar 14, 2020
COVID-19 as both incentive for remote work and phishbait. Offshored trolling. A list of “digital predators.” US Senate doesn’t extend domestic surveillance authority.
1496
COVID-19 significantly increased remote working, and the pandemic is now a favorite lure in the phishing tackle of both intelligence services and criminal gangs. Russian trolling has been off-shored, setting up shop in Ghana and Nigeria for running influence operations against the US. Microsoft issues an out-of-band patch. Reporters Without Borders publishes its list of “digital predators.” And the Senate doesn’t renew US domestic surveillance authorities. Thomas Etheridge from Crowdstrike on the impact of ransomware, guest is Josiah Dykstra from NSA on Cloud Vulnerabilities from an NSA viewpoint. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_13.html Support our show
Mar 13, 2020
The return of Turla. Data exposure incidents disclosed. Beijing accuses Taipei of waging cyberwarfare against the PRC. Coronavirus disinformation.
1390
Turla’s back, this time with watering holes in compromised Armenian websites. Data exposures are reported in the Netherlands and the United States. China accuses Taiwan of waging cyberwarfare in an attempt to disrupt Beijing’s management of the coronavirus epidemic. The US and the EU separately undertake efforts to suppress COVID-19 disinformation. And the ins-and-outs of teleworking. Mike Benjamin from CenturyLink with Emotet updates, guest is Tom Pendergast from MediaPRO on their State of Privacy and Security Awareness Report. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_12.html Support our show
Mar 12, 2020
The Cyberspace Solarium reports. Coronavirus scams and coronavirus realities. Notes on March’s Patch Tuesday.
1289
The Cyberspace Solarium has released its report, as promised, and they wish to make your flesh creep. Coronavirus scams and phishbait amount to what some are calling an “infodemic.” Some notes on Patch Tuesday, and, finally, some words on the actual coronavirus epidemic. Joe Carrigan from JHU ISI on FBI recovering stolen funds, guest is Josh Mayfield from RiskIQ on his 2020 predictions. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_11.html Support our show
Mar 11, 2020
Caution in the Play store. EU power consortium’s business systems hacked. Cablegate--a look back. Schulte trial ends in minor convictions, but a hung jury on major counts. The cyber underworld.
1361
Google removes from the Play store an app nominally designed to track COVID-19 infections. An EU power distribution consortium says its business systems were hacked. An assessment of Cablegate has been declassified. Ex-CIA employee Schulte’s trial for disclosing classified information ends in a hung jury. The alleged proprietor of a criminal market is arrested. Crooks hack rival crooks. More US primaries are held today. And a case of identity theft in North Carolina. Ben Yelin from UMD CHHS with updates on ClearView AI, guest is Kathleen Kuczma from Recorded Future on 2019 Top Vulnerabilities List. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_10.html Support our show
Mar 10, 2020
Coronavirus misinformation, phishbait, and disinformation. Ransomware’s growing reach. How criminals’ desire for glory works against their desire to escape apprehension.
1377
Coronavirus misinformation, coronavirus online scams, and coronavirus disinformation. Ransomware hits a steel plant, local government, and a defense contractor. And how criminals’ desire for glory betrays them in social media. Zulfikar Ramzan from RSA Security with three product updates, guest is Robert Waitman from Cisco on their Annual Data Privacy Benchmark study. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_09.html Support our show
Mar 09, 2020
Overworked developers write vulnerable software. [Research Saturday]
1086
Why do some developers and development teams write more secure code than others? Software is written by people, either alone or in teams. Ultimately secure code development depends on the actions and decisions taken by the people who develop the code. Understanding the human factors that influence the introduction of software vulnerabilities, and acting on that knowledge, is a definitive way to shift security to the left.  On this Research Saturday, our conversation with Anita D’Amico from CodeDX on which developers and teams are more likely to write vulnerable software. The research can be found here: Which Developers and Teams Are More Likely to Write Vulnerable Software?
Mar 07, 2020
Misconfigured databases, again. Vulnerable subdomains. Dark web search engines. Troll farming. An update on the crypto wars.
1449
Virgin Media discloses a data exposure incident, another misconfigured database. Microsoft subdomains are reported vulnerable to takeover. A dark web search engine is gaining popularity, and black market share. Researchers find that Russian disinformation trolls have upped their game. The crypto wars have flared up as the US Senate considers the EARN IT act. Tech companies sign on to voluntary child protection principles. And Huawei talks about backdoors. Thomas Etheridge from Crowdstrike on empowering business leaders to manage cyber risk, guest is Sherri Davidoff on her book, Data Breaches: Crisis and Opportunity. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_06.html Support our show
Mar 06, 2020
Credential stuffing attacks and data breaches. Coronavirus-themed phishbait is an international problem. Super Tuesday security post mortems. Huawei agonistes.
1317
Credential stuffing affects J. Crew and Tesco customers. T-Mobile discloses a data breach. Emcor works to recover from a ransomware infestation. Coronavirus-themed emails remain common phishbait--it’s an international problem. US authorities are pleased with how election security on Super Tuesday went, but some local governments are recovering from self-inflicted tech wounds. And there’s more on official US suspicion of Huawei. Mike Benjamin from CenturyLink on Nanocore, guest is Bil Harmer from SecureAuth on nation-state attacks. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_05.html Support our show
Mar 05, 2020
Election security--a look back at Super Tuesday. Cyberspace Solarium preview. Rapid Alert System engaged in EU. Cyber capability building in Ukraine. Cloud backups as attack surface.
1386
A quick security retrospective on Super Tuesday, a day on which no dogs barked (or bears growled, or kittens yowled, or pandas did whatever it is that pandas do). The Cyberspace Solarium previewed the good-government framework it intends to recommend in next Wednesday’s final report. The EU uses its Rapid Alert System against coronavirus disinformation. US aid will go to Ukraine for cybersecurity capability building. And backups are an attack surface, too. Joe Carrigan from JHU ISI on FBI convictions of Romanian criminals, guest is Chris Kubic from Fidelis Cybersecurity with lessons learned from securing the country’s biggest and deepest secrets.  For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_04.html Support our show
Mar 04, 2020
Vault 7, again, as Beijing names and shames. Schulte case goes to jury. Maersk to cut incident response jobs. The Cyberspace Solarium’s election security preview. Advice for intel collection.
1506
Chinese security firm calls out the US CIA for Vault 7 campaigns against civil aviation. Meanwhile, the jury’s out in the Joshua Shulte Vault 7 case. Incident responders in the UK may be reentering the labor market. US agencies issue a joint warning to adversaries (and joint encouragement to citizens) about election interference. The Cyberspace Solarium talks about elections. And the Justice Department offers advice on cyber threat intelligence collection. Ben Yelin from UMD CHHS on telecommunications companies in hot water with the FCC, guest is Stuart Reed from Nominet with new CISO stress research. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_03.html Support our show
Mar 03, 2020
Super Tuesday eve primary jitters. DoppelPaymer hits an aerospace supplier. WordPress plugins exploited in the wild. Vote for the catphish.
1196
It’s Super Tuesday eve, and people worry about influence operations, both foreign and domestic. DoppelPaymer hits a precision manufacturer, and moves surprisingly quickly to expose stolen files. Vulnerable WordPress plugins are being exploited in the wild. And a catphish is running for Congress in Rhode Island--he’s even got the blue checkmark. Johannes Ullrich from the SANS Technology Center on the development of authentication issues in iOS, guest is Elvis Chan from the FBI on election security. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/March/CyberWire_2020_03_02.html Support our show
Mar 02, 2020
Application tracking in Wacom tablets. [Research Saturday]
1313
Today's Research Saturday features our conversation with Robert Heaton, a software engineer with Stripe who penned a blog post about his disappointing discovery involving his Wacom tablet tracking his applications. The post struck a nerve and has since been widely distributed. The research can be found here:  Wacom drawing tablets track the name of every application that you open
Feb 29, 2020
South Carolina primary affords the next test of US election security. Cerberus evolves. Bot-driven fraud. FCC to fine wireless carriers for location data handling. FISA changes.
1545
South Carolina prepares for tomorrow’s primary, confident that it will be able to conduct the vote securely and without disruption. An evolved version of the Cerberus Trojan has been spotted. Bots are making fraudulent appeals for brushfire aid to the Australian Red Cross. The FCC is preparing to fine four major wireless carriers for mishandling user geolocation data. Proposed changes to FISA surveillance in the US. And farewell to RSAC 2020. Partner is Mike Benjamin from CenturyLink with observations from RSA, guests are magicians Penn and Teller with insights on deception and social engineering. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_28.html Support our show
Feb 28, 2020
RSAC 2020. Naming and shaming. Kitty espionage update. Wi-Fi crypto flaw. Impersonating the DNC. Ransomware gets more aggressive. When is removing a GPS tracker theft?
1438
Naming and shaming seems to work, at least against China’s Ministry of State Security. Iranian cyberespionage continues its regional focus. Wi-Fi chip flaws could expose encrypted traffic to snoopers. Someone, maybe from abroad, is pretending to be the US Democratic National Committee. Tips on backing up files. Ransomware gangs up their game. And that unmarked small box on your car? Go ahead: you can take it off. David Dufour from Webroot with trends and predictions from the floor at RSA, guest is Liesyl Franz from the Dept. of State on nation state cyber activities and deterrence in cyberspace. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_27.html Support our show
Feb 27, 2020
Chrome zero-day patched. Ransomware against infrastructure. Notes from RSAC 2020. Julian Assange’s extradition hearing.
1353
Google patches a Chrome zero-day. Ransomware attacks against infrastructure. DoppelPaymer prepares to dox its victims. How CISA and NSA cooperate. Dallas County, Iowa, finally drops charges against pentesters. Mr. Assange’s evolving defense against extradition to the US. Notes on RSAC 2020. And if you were a superhero, which superhero would you be? Justin Harvey from Accenture on his RSA observations, guest is Keith Mularski from EY on ransomware. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_26.html Support our show
Feb 26, 2020
Cloud Snooper is out and about. US states’ contracts with Chinese vendors. Voatz receives more scrutiny. Facebook’s troll hunt--no joy this time. Notes from RSAC 2020.
1496
Cloud Snooper is infesting cloud infrastructure servers. A China-skeptical advocacy group draws attention to US states’ contracts with Chinese vendors that aren’t named “Huawei.” Senator Wyden would like the security company that audited the Voatz to explain the clean bill of health it gave the voting app. Facebook’s campaign troll hunt comes up empty, so far, this time. And what we’re seeing and hearing at RSAC 2020. Our Chief Analyst Rick Howard on SASE and what he’s looking for at RSA, guest is Dr. Chenxi Wang from Rain Capital previewing her panel at RSA and discussing innovations in the industry.  For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_25.html Support our show
Feb 25, 2020
Reactions to allegations in Georgia’s October cyber incidents. Commodification of spamming kit. Satellite vulnerabilities. Election security. FISA reauthorization? Mr. Assange’s extradition. RSAC 2020.
1338
The EU condemns Russian cyberattacks on Georgia, and Russia says Russia didn’t do it--it’s all propaganda. Skids can buy spamming tools for less than twenty bucks. Satellite constellations offer an expanding attack surface. Amid continuing worries about US election security, the question of Russian trolling or home-grown American vitriol arises in Nevada (but the smart money’s on the U S of A). FISA reauthorization is coming up. And hello from RSAC 2020. Joe Carrigan from JHU ISI on SIM swappers targeting carrier employees, guest is Erez Yalon from Checkmarx on the recently published OWASP API Security Top Ten list. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_24.html Support our show
Feb 24, 2020
New vulnerabilities in PC sound cards. [Research Saturday]
1375
SafeBreach Labs discovered a new vulnerability in the Realtek HD Audio Driver Package, which is deployed on PCs containing Realtek sound cards.  On this week's Research Saturday, our conversation with Itzik Kotler, who is Co-Founder and CTO at SafeBreach.  The research can be found here:  Realtek HD Audio Driver Package - DLL Preloading and Potential Abuses
Feb 22, 2020
DISA data breach. More complaint against alleged GUR operations in Georgia. Trolls move from creation to curation. The UK deals with high-risk 5G vendors.
1403
The US Defense Information Agency discloses a data breach affecting personal information of up to two-hundred thousand individuals. More international reprobation for the alleged GRU hack of Georgian websites. Trolls move from creation to curation. Stalkerware data exposure. And a look at how the UK might actually implement its compromise position on high-risk 5G vendors. Joining us in studio, a surprise new addition to the CyberWire team, guest is Aisling MacRunnels from Synack on women in cyber. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_21.html Support our show
Feb 21, 2020
UK, US blame Russia for 2019 Georgia hacks. Senator Sanders thinks Russian bots could impersonate supporters. Mr. Assange’s extradition. MGM Resorts breach. Ms Winner wants a pardon.
1337
British and American authorities blame Russia’s GRU for last October’s defacement campaign against Georgian websites. Senator Sanders thinks maybe some of his apparent supporters are Russian bots--the ones who are tweeting bad stuff in social media. Julian Assange says he was offered a pardon to say the Russians didn’t meddle with the DNC. Stolen data from MGM Resorts turns up in a hacker forum. NSA leaker Reality Winner would like a pardon. Justin Harvey from Accenture on staying prepared against potential Iranian cyberattacks, guest is Jamie Tomasello from Cisco Duo on cognitive capacity and burnout. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_20.html Support our show
Feb 20, 2020
Ransomware hits US natural gas pipeline facility. DRBControl’s espionage campaign. Firmware signing. No bill of attainder against Huawei. A mistrial in the Vault 7 case?
1371
CISA reports a ransomware infestation in a US natural gas compression facility--it arrived by spearphishing and there are, CISA thinks, larger lessons to be learned. A new threat actor, possibly linked to China’s government, is running an espionage campaign against gambling and betting operations in Southeast Asia. More notes on firmware signatures. Huawei loses one in US Federal Court, and the defense asks for a mistrial in the Vault 7 case. Caleb Barlow from CynergisTek on Wigle and the impact your SSID name can have on your privacy, guest is Anita D’Amico from CodeDX on which developers and teams are more likely to write vulnerable software. For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_19.html Support our show
Feb 19, 2020
Fox Kitten campaign linked to Iran. LokiBot’s new clothes. Unsigned firmware. Iowa Democratic caucus post-mortem. SoftBank and the GRU. Hacker madness.
1300
Fox Kitten appears to combine three APTs linked to Iran. LokiBot is masquerading as an installer for Epic Games. Unsigned firmware found in multiple devices. Extortionists threaten to flood AdSense banners with bot traffic. China says the Empire of Hackers is in Washington, not Beijing. Iowa Democratic caucus IT post-mortems continue. Japan connects SoftBank breach to GRU. And more on that hacker-madness poster from the West Midlands. Ben Yelin from UMD CHHS on wireless carriers selling location data. Guest is Kaitlin Bulavinetz from Washington Cyber Roundtable on facilitating conversations among the industry.  For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_18.html Support our show
Feb 18, 2020
If you can't detect it, you can't steal it. [Research Saturday]
1608
BGN Technologies, the technology transfer company of Ben-Gurion University (BGU) of the Negev, Israel, is introducing the first all-optical “stealth” encryption technology that will be significantly more secure and private for highly-sensitive cloud computing and data center network transmission. Joining us in this special Research Saturday is BGN's Dan Sadot who helped pioneer this technology.  The Research can be found here: Ben-Gurion University Researchers Introduce the FirstAll-Optical, Stealth Data Encryption Technology
Feb 15, 2020
Huawei gets a RICO prosecution. Details on DPRK Hidden Cobra Trojans. Google takes down Chrome malvertising network. Run DNC. Hacker madness. Happy St. Valentine’s Day.
1476
The US indicts Huawei for racketeering. The FBI and CISA release details on malware used by North Korea’s Hidden Cobra. Iran attributes last week’s DDoS attack to the US. Google takes down a big malvertising and click-fraud network that exploited Chrome extensions. Reports surface of DNC involvement in IowaReporterApp. Not all official advice is necessarily good advice. And if things don’t work out with your object of affection, don’t spy on their social media accounts, OK? Craig Williams from Cisco Talos with updates on JhoneRAT. Guest is Shuvo Chatterjee from Google on their Advanced Protection Program (APP). For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_14.html Support our show
Feb 14, 2020
Internecine phishing in the Palestinian Territories. What could Iran do in cyberspace? US Census 2020 and cybersecurity. Mobile voting. How to make bigger money in sextortion.
1337
Researchers report phishing campaigns underway in the Palestinian Territories. They appear to be a Hamas-linked effort targeting the rival Fatah organization. FireEye offers a summary of current Iranian cyber capabilities. The GAO warns that the Census Bureau still has some cyber security work to do before this year’s count. Researchers call mobile voting into question. And some observations about why some extortion brings in a bigger haul than its rivals. Johannes Ullrich from SANS Technology Center on IoT threats. Guest is Darren Van Booven from Trustwave on how to know if the CCPA applies to your organization.  For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_13.html Support our show
Feb 13, 2020
Facebook takes down coordinated inauthenticity. US says it’s got the goods on Huawei. EU will leave facial recognition policy up to member states. Patch Tuesday. Counting on the caucus.
1371
Facebook takes down coordinated inauthenticity from Myanmar, Vietnam, Iran, and Russia. The US says it’s got the goods on Huawei’s backdoors. Notes on Patch Tuesday. The EU backs away from a five-year moratorium on facial recognition software. Switzerland takes a look at Crypto AG. And the Nevada Democratic caucus a week from Saturday will use iPads, Google Forms, and some tools to process the results. That’s “tools,” Jack, not “apps.” Ben Yelin from UMD CHHS on the Senate GOP blocking election security bills. Guest is Christopher Hadnagy from Social-Engineer, LLC on social engineering trends they are tracking.  For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_12.html Support our show
Feb 12, 2020
Pyongyang’s guide to hacking on behalf of rogue regimes. RATs in the supply chain? Data exposures and data breaches. Securing elections (and caucuses, too).
1384
Pyongyang establishes a template for pariah states trying to profit in cyberspace. The FBI warns that there’s a RAT in the ICS software supply chain. The US has a new counterintelligence strategy, and cyber figures in it prominently. Likud’s exposure of Israeli voter data may benefit opposition intelligence services. Notes on the Equifax breach indictments. As New Hampshire votes in its primaries, CISA warns everyone not to get impatient. And Iowa? Still counting. Robert M. Lee from Dragos on their recent report, “Industrial Cyber Attacks: A Humanitarian Crisis in the Making.” Guest is Andrew Wajs from Scenera on the NICE Alliance and Cloud Privacy.  For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_11.html Support our show
Feb 11, 2020
US indicts PLA officers in Equifax hack. Pyongyang shows pariah states how it’s done. DDoS in Iran. Updates on Democratic Party caucus IT issues. Likud has a buggy app, too.
1395
US indicts four members of China’s People’s Liberation Army in connection with the 2017 Equifax breach. North Korea establishes an Internet template for pariah regimes’ sanctions evasion. Iran sustained a major DDoS attack Saturday. US Democratic Party seeks to avoid a repetition of the Iowa caucus in other states as the Sanders campaign asks for a partial recanvas. Israel’s Likud Party involved in a voter database exposure incident via its own app. Joe Carrigan from JHU ISI with a look back at the Clipper chip. Guest is Shannon Brewster from AT&T Cybersecurity with thoughts on election security.  For links to all of today's stories check our our CyberWire daily news brief: https://thecyberwire.com/issues/issues2020/February/CyberWire_2020_02_10.html Support our show
Feb 10, 2020
The Chameleon attacks Online Social Networks. [Research Saturday]
1188
The Chameleon attack technique is a new type of OSN-based trickery where malicious posts and profiles change the way they are displayed to OSN users to conceal themselves before the attack or avoid detection. Joining us to discuss their findings in a new report entitled "The Chameleon Attack: Manipulating Content Display in Online Social Media" is Ben-Gurion University's Rami Puzis.  The research can be found here: The Chameleon Attack: Manipulating Content Display in Online Social Media Demonstration video of a Chameleon Attack
Feb 08, 2020
Chinese cyber espionage in Malaysia and Japan. Android Bluetooth bug. Google expels suspect apps from the Play store. More Iowa caucus finger-pointing. US preps indictments of Chinese nationals.
1601