Double-tapping ransomware hits the same victim twice. Exim mail servers are found exposed to attack. Iran's OilRig deploys Menorah malware against Saudi targets. North Korea's Lazarus Group targets a Spanish aerospace firm. Update your ransomware scorecards: LostTrust is a rebrand of MetaEncryptor. Increased domestic surveillance in Russia, done partly so propaganda can be more effectively targeted. Killnet claims to have hit the British Royal family with a DDoS attack. Michael Denning, CEO at SecureG for Blu Ventures, shares developments in zero trust as a part of our Industry Voices segment. Rob Boyce from Accenture Security talks about Dark Web threat actors targeting macOS. And Cybersecurity Awareness Month begins this week.

Learn more about the Blu Ventures Conference here: https://www.bluventureinvestors.com/cyber-venture-forum

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/188

Selected reading.
Two or More Ransomware Variants Impacting the Same Victims and Data Destruction Trends (FBI) 
FBI: Ransomware Actors Launching 'Dual' Attacks (Decipher) 
A still unpatched 0-day RCE impacts more than 3.5M Exim servers (Security Affairs) 
New Critical Security Flaws Expose Exim Mail Servers to Remote Attacks (The Hacker News)
APT34 deploys new Menorah malware in targeted phishing attack (Candid.Technology) 
APT34 Deploys Phishing Attack With New Malware (Trend Micro) 
Iranian APT Group OilRig Using New Menorah Malware for Covert Operations (The Hacker News) 
Alleged Iranian hackers target victims in Saudi Arabia with new spying malware (Record) 
North Korean hackers posed as Meta recruiter on LinkedIn (CyberScoop)
Lazarus APT Exploiting LinkedIn to Target Spanish Aerospace Firm (Hackread)
North Korean Lazarus targeted a Spanish aerospace company (Security Affairs)
Meet LostTrust ransomware — A likely rebrand of the MetaEncryptor gang (BleepingComputer)
Ukraine at D+585: Trench fighting in the south. (CyberWire)
Royal Family's official website targeted in cyber attack (Sky News)
Royal family website hit by cyber attack (The Independent)
The country ‘dodged a bullet’ after shutdown avoided, but the cyber threat still hovers (Washington Post)
US Federal shutdown averted (or postponed): effects on cybersecurity. (CyberWire)
Cybersecurity Awareness Month: perspectives from the cyber sector. (CyberWire)
Kicking off NIST's Cybersecurity Awareness Month Celebration & Our Cybersecurity Awareness Month 2023 Blog Series (NIST) 
Learn more about your ad choices. Visit megaphone.fm/adchoices

Adventures of ransomware, and other developments in cybercrime. Cyberespionage and hybrid warfare. A government shutdown averted. Cybersecurity Awareness Month is underway.

This week, we are joined by Ted Wagner, Chief Information Security Officer at SAP National Security Services, or SAP NS2. Ted sits down to share his story on how he got introduced into the industry and why he chose this as a career path. He went straight into the Armyas a second lieutenant in the artillery field after high school, which after his time was up he decided to move on and started working for a company that allowed him to do a management training program. After that he found himself working on IT projects which got him interested in the field. Ted shares that one thing that has helped him throughout his career is teaching about very technical terms and turning it into more operational or business like terms for his students at MIT. He shares that people getting into this field should get as much hands on experience as they can, saying "I think those are all things that can really help someone who may not have all the experience, but this is a pathway to, to learn." We thank Ted for sharing his story with us.
Learn more about your ad choices. Visit megaphone.fm/adchoices

Ted Wagner: Get that hands on experience. [CISO] [Career Notes]

David Liebenberg from Cisco Talos joins to discussing Talos' discovery of cracked Microsoft Windows software being downloaded by enterprise users across the globe. Downloading and running this compromised software not only serves as an entry point for threat actors, but can serve as a gateway to access control systems and establish backdoors.
Talos identified additional malware, including RATs, on endpoints running this cracked software, which allows an attacker to gain unauthorized remote access to the compromised system, providing the attacker with various capabilities, such as controlling the system, capturing screenshots, recording keystrokes and exfiltrating sensitive information.
This research article was not published by Cisco Talos' team.
Learn more about your ad choices. Visit megaphone.fm/adchoices

Downloading cracked software. [Research Saturday]

Malicious ads in a chatbot. Google provides clarification on a recent vulnerability. Cl0p switches from Tor to torrents. Influence operations as an adjunct to weapons of mass destruction. Our guest Jeffrey Wells, former Maryland cyber czar and partner at Sigma7 shares his thoughts on what the looming US government shutdown will mean for the nation’s cybersecurity. Tim Eades from Cyber Mentor Fund discussing the 3 who’s a cybersecurity entrepreneur needs to consider. And NSA has a new AI Security Center.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/187

Selected reading.
Malicious ad served inside Bing's AI chatbot (Malwarebytes)
Critical Vulnerability: WebP Heap Buffer Overflow (CVE-2023-4863) (Huntress) 
Google gives WebP library heap buffer overflow a critical score, but NIST rates it as high-severity (SC Media) 
A new Chrome 0-day is sending the Internet into a new chapter of Groundhog Day (Ars Technica) 
Google "confirms" that exploited Chrome zero-day is actually in libwebp (CVE-2023-5129) (Help Net Security) 
Google quietly corrects previously submitted disclosure for critical webp 0-day (Ars Technica)
CL0P Seeds ^_- Gotta Catch Em All! (Unit 42) 
A ransomware gang innovates, putting pressure on victims but also exposing itself (Washington Post) 
2023 Department of Defense Strategy for Countering Weapons of Mass Destruction (US Department of Defense)
NSA chief announces new AI Security Center, 'focal point' for AI use by government, defense industry (Breaking Defense)
NSA starts AI security center with eye on China and Russia (Fortune) 
NSA is creating a hub for AI security, Nakasone says (Record)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Malicious ads in a chatbot. A vulnerability gets some clarification. Cl0p switches from Tor to torrents. Influence operations as an adjunct to WMD. And NSA’s new AI Security Center.

The Budworm APT's bespoke tools. Johnson Controls sustains a cyberattack. The US Privacy and Civil Liberties Oversight Board reports on Section 702. The looming government shutdown and cyber risk. Cybersecurity in the US industrial base. X cuts back content moderation capabilities. In our Industry Voices segment, Nicholas Kathmann from LogicGate describes the struggle when facing low cost attacks. Sam Crowther from Kasada shares his team's findings on Stolen Auto Accounts. And Ukrainian hacktivists target Russian airline check-in systems.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/186

Selected reading.
Budworm: APT Group Uses Updated Custom Tool in Attacks on Government and Telecoms Org (Symantec Enterprise Blogs)
Johnson Controls reports data breach after severe ransomware attack (BeyondMachines) 
Report on the Surveillance Program Operated Pursuant to Section 702 of the Foreign Intelligence Surveillance Act (U.S. Privacy and Civil Liberties Oversight Board) 
Split privacy board urges big changes to Section 702 surveillance law (Washington Post)
Democrats fear cyberattacks as government shutdown looms (Nextgov.com) 
Aprio Releases U.S. National Manufacturing Survey, Highlighting the Need for Improved Operational Excellence, Digitization and Cybersecurity Practices (Aprio) 
Musk's X disabled feature for reporting electoral misinformation - researcher (Reuters) 
Musk’s X Cuts Half of Election Integrity Team After Promising to Expand It (The Information)
Aeroflot, other airlines’ flights delayed over DDoS attack (Cybernews)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Buckworm APT’s specialized tools. Cyberattack against Johnson Controls. Oversight panel reports on Section 702. Cyber in election security, and in the US industrial base. Hacktivism versus Russia.

A Joint Advisory warns of Beijing's "BlackTech" threat activity. ShadowSyndicate is a new ransomware as a service operation. A Smishing Triad in the UAE. Openfire flaw actively exploited against servers. AtlasCross is technically capable and, above all, "cautious." Xenomorph malware in the wild. DDoS and API attacks hit the financial sector. In our Industry Voices segment, Joe DePlato from Bluestone Analytics demystified dark net drug markets. Our guest is Richard Hummel from Netscout with the latest trending DDoS vectors. And the FCC chair announces plans to restore net neutrality.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/185

Selected reading.
CISA, NSA, FBI and Japan Release Advisory Warning of BlackTech, PRC-Linked Cyber Activity (Cybersecurity and Infrastructure Security Agency) 
Dusting for fingerprints: ShadowSyndicate, a new RaaS player? (Group-IB)
Smishing Triad Stretches Its Tentacles into the United Arab Emirates (Security Affairs)
Hackers actively exploiting Openfire flaw to encrypt servers (BleepingComputer) 
Vulnerability in Openfire messaging software allows unauthorized access to compromised servers (Dr.Web) 
Suspicious New Ransomware Group Claims Sony Hack (Dark Reading) 
Sony investigates cyberattack as hackers fight over who's responsible (BleepingComputer) 
Sony Investigating After Hackers Offer to Sell Stolen Data (SecurityWeek) 
Xenomorph Malware Strikes Again: Over 30+ US Banks Now Targeted (Threat Fabric)
The High Stakes of Innovation: Attack Trends in Financial Services (Akamai)
FACT SHEET: FCC Chairwoman Rosenworcel Proposes to Restore Net Neutrality Rules (Federal Communications Commission) 
Ukraine: Russian hackers infiltrating software supply chains (Computing)
Russian hacking operations target Ukrainian law enforcement (CyberScoop) 
Ukraine accuses Russian spies of hacking law enforcement (Register) 
Russian hackers target Ukrainian government systems involved in war crimes investigations (Record) 
Ukraine Cyber Defenders Prepare for Winter (Bank Info Security) 
Learn more about your ad choices. Visit megaphone.fm/adchoices

What up in the underworld’s C2C markets. An update on the Sony hack claims. Notes on cyberespionage, from Russia, China, and parts unknown. And there’s a market for bugs.

An advanced phishing campaign hits hospitality industry. An information-stealing campaign deploys ZenRAT. More MOVEit-related data breaches are disclosed. Mixin Network suspends deposits and withdrawals. The OpenSea NFT market warns of third-party risk to its API. Phishing for Ukrainian military drone operators. Mr. Security Answer Person John Pescatore shares thoughts in Cisco acquiring Splunk. Ann Johnson from the Afternoon Cyber Tea podcast interviews Deb Cupp sharing a lesson in leadership. And the UK adopts a hunt-forward approach to cyber war.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/184

Selected reading.
Luxury Hotels Major Target of Ongoing Social Engineering Attack (Cofense) 
ZenRAT: Malware Brings More Chaos Than Calm (Proofpoint) 
More MOVEit-related data breaches are disclosed. (CyberWire)
Mixin Network suspends deposits and withdrawals. (CyberWire)
OpenSea NFT market warns of third-party risk to its API. (CyberWire)
Threat Labs Security Advisory: New STARK#VORTEX Attack Campaign: Threat Actors Use Drone Manual Lures to Deliver MerlinAgent Payloads (Securonix) 
Ukrainian Military Targeted in Phishing Campaign Leveraging Drone Manuals (The Hacker News) 
British Army general says UK now conducting ‘hunt forward’ operations (Record)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Crooks phish for guests; spies phish for drone operators. ZenRAT is used in an info-stealing campaign. More MOVEit-related incidents (some involving Cl0p). DeFi platforms hit. The UK hunts forward.

The Gelsemium APT is active against a Southeast Asian government. A multi-year campaign against Tibetan, Uighur, and Taiwanese targets. Stealth Falcon's new backdoor. Predator spyware is deployed against Apple zero-days. An update on Pegasus spyware found in Meduza devices. There’s a shift in Russian cyberespionage targeting. A rumor of cyberwar in occupied Crimea. In our Industry Voices segment, Amit Sinha, CEO of Digicert, describes digital trust for the software supply chain. Our guest is Arctic Wolf’s Ian McShane with insights on the MGM and Caesars ransomware incident. And if you’re looking for a Super Bowl pick, go with an egg-laying animal…and, oh, the NFL and CISA are noodling cyber defense for the big game.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/183

Selected reading.
Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government (Unit 42)
Rare Backdoors Suspected to be Tied to Gelsemium APT Found in Targeted Attack in Southeast Asian Government (IBM X-Force Exchange)
Evasive Gelsemium hackers spotted in attack against Asian govt (BleepingComputer)
Unit 42 Researchers Discover Multiple Espionage Operations Targeting Southeast Asian Government (Unit 42)
EvilBamboo Targets Mobile Devices in Multi-year Campaign (Volexity) 
From Watering Hole to Spyware: EvilBamboo Targets Tibetans, Uyghurs, and Taiwanese (The Hacker News)
Stealth Falcon preying over Middle Eastern skies with Deadglyph (We Live Security) t
Deadglyph: Covertly preying over Middle Eastern skies (LABScon) 
New stealthy and modular Deadglyph malware used in govt attacks (BleepingComputer) 
Deadglyph: New Advanced Backdoor with Distinctive Malware Tactics (The Hacker News) 
0-days exploited by commercial surveillance vendor in Egypt (Google).
PREDATOR IN THE WIRES: Ahmed Eltantawy Targeted with Predator Spyware After Announcing Presidential Ambitions (The Citizen Lab) 
New Apple Zero-Days Exploited to Target Egyptian ex-MP with Predator Spyware (The Hacker News) 
Egyptian presidential hopeful targeted by Predator spyware (Washington Post)
Russian news outlet in Latvia believes European state behind phone hack (the Guardian) 
Exclusive: Russian hackers seek war crimes evidence, Ukraine cyber chief says (Reuters).
Russian hackers trying to steal evidence of Moscow’s war crimes in Ukraine - cyber chief (Ukrinform).
Large-scale cyberattack reported in occupied Crimea (The Kyiv Independent) 
NFL, CISA Look to Intercept Cyber Threats to Super Bowl LVIII (Dark Reading) 
Learn more about your ad choices. Visit megaphone.fm/adchoices

Cyberespionage in East and Southeast Asia, for both intelligence collection and domestic security, Spyware tools tracked. Shifting cyber targets in Russia’s hybrid war. Securing the Super Bowl.

In this extended interview, Simone Petrella sits down with Chris Krebs of the Krebs Stamos Group at the mWise 2023 Cybersecurity Conference to discuss threat intelligence .
Learn more about your ad choices. Visit megaphone.fm/adchoices

Threat intelligence discussion with Chris Krebs. [Special Edition]

This week our guest is Merritt Baer, a Field CISO from Lacework, and a cloud security unicorn, sits down to share her incredible story working through the ranks to get to where she is today. Before working at Lacework Merritt served in the Office of the CISO at Amazon Web Services, as part of a small elite team that formed a Deputy CISO. She provided technical cloud security guidance to AWS’ largest customers, like the Fortune 100, on security as a bottom line proposition. She also has experience in all three branches of government and the private sector and served as Lead Cyber Advisor to the Federal Communications Commission. Merritt shares some amazing advice for up and comers into the field, saying "my personal philosophy is that no one has to go down for you to go up. I'm always encouraging my colleagues, um, and other executives to be thinking about how we can, you know, steal, sharpen, steal, how we can be good for each other, how we can collaborate, how we can, um, create more strengths in one another." We thank Merritt for sharing her story with us.
Learn more about your ad choices. Visit megaphone.fm/adchoices

Merritt Baer: No one has to go down for you to go up. [CISO] [Career Notes]

Maxim Zavodchik from Akamai joins Dave to discuss their research on "Xurum: New Magento Campaign Discovered." Akamai researchers have discovered an ongoing server-side template injection campaign that is exploiting digital commerce websites. This campaign targets Magento 2 shops, and was dubbed Xurum in reference to the domain name of the attacker’s command and control (C2) server. 
The research states "The attacker uses an advanced web shell named “wso-ng” that is activated only when the attacker sends the cookie “magemojo000” to the backdoor “GoogleShoppingAds” component."
The research can be found here:
Xurum: New Magento Campaign Discovered

Learn more about your ad choices. Visit megaphone.fm/adchoices

Behind the Google shopping ad masks. [Research Saturday]

A new APT is found: enter Sandman. Tracking an initial access broker called Gold Melody. Iran’s OilRig group is active against Israeli targets. Cyber ops as an instrument of soft power. Recovery and investigation in the casino ransomware attacks. In our Solutions Spotlight, Simone Petrella speaks with MK Palmore from Google Cloud about talent retention and the cybersecurity skills gap. Our guest is Kristen Marquardt of Hakluyt with advice for cyber startups. And Bermuda points to Russian threat actors.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/182

Selected reading.
Sandman APT | A Mystery Group Targeting Telcos with a LuaJIT Toolkit (SentinelOne)
GOLD MELODY: Profile of an Initial Access Broker (Secureworks)
OilRig’s Outer Space and Juicy Mix: Same ol’ rig, new drill pipes (We Live Security)
Cyber Soft Power | China's Continental Takeover (SentinelOne)
MGM Resorts computers back up after 10 days as analysts eye effects of casino cyberattacks (AP News)
MGM Restores Casino Operations 10 Days After Cyberattack (Dark Reading)
MGM Resorts computers back up after being down 10 days due to casino cyberattacks (CBS News)
MGM says its recovered from cyberattack, employees tell different story (Cybernews)
'Power, influence, notoriety': The Gen-Z hackers who struck MGM, Caesars (Reuters)
Apple emergency updates fix 3 new zero-days exploited in attacks (BleepingComputer) 
Russia linked to cyberattack on government services (Royal Gazette)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Enter the Sandman. A look at an initial access broker. Iran’s OilRig hits Israeli targets. Cyber ops and soft power. Update on casino ransomware attacks. Bermuda’s government sustains cyberattacks.

CISA and the FBI warn of Snatch ransomware. A look at phishing trends. Ransomware is increasingly cited in cyber insurance claims. Trends in cyber threats to academic institutions. A Russian hacktivist auxiliary disrupts Canadian border control and airport sites. The ICC remains tight-lipped concerning cyberattack. N2K’s Simone Petrella sits down with Chris Krebs at the mWise conference. In today’s Threat Vector segment, David Moulton from Unit 42 takes a peek into the modern threat landscape with Wendi Whitmore, SVP of Unit 42. And MGM Resorts says it’s well on the way to recovery.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/181

Threat Vector links.
To learn what is top of mind each month from the experts at Unit 42 sign up for their Threat Intel Bulletin. 

Selected reading.
#StopRansomware: Snatch Ransomware (Cybersecurity and Infrastructure Security Agency CISA)
2023 .Phishing Trends (ZeroFox)
Cyber Insurance Claims Frequency and Severity Both Increased For Businesses in 1H 2023, Coalition Report Finds (Business Wire) 
2023 Cyber Claims Report: Mid-year Update (Coalition) 
Since 2018, ransomware attacks on the education sector have cost the world economy over $53 billion in downtime alone (Comparitech)
Canada blames border checkpoint outages on cyberattack (Record)
Cyberattack hits International Criminal Court (SC Media)
International Criminal Court hacked amid Russia probe (Register)
International Criminal Court under siege in cyberattack that could constitute world’s first cyber war crime (Yahoo News)
Our hotels and casinos are operating normally. (FAQ - MGM Resorts)
MGM Resorts computers back up after 10 days as analysts eye effects of casino cyberattacks (AP News - 09-20-2023)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Don’t get snatched. Trends in phishing, cyber insurance claims, and threats to academic institutions. Hacktivism in the hybrid war. Updates on the ICC attack. MGM says its casinos are back.

The International Criminal Court reports a "cybersecurity incident." ShroudedSnooper intrusion activity is both novel and simple. Criminal malware targets Chinese-speaking victims. The costs of insider risk. More on the casino attacks (and related social engineering capers). In our Learning Layer segment, Sam Meisenberg drops into a CISSP tutoring session and offers some test-taking tips. Our guest is Aaron Brazelton, Dean of Admissions and Advancement at the Alabama School of Cyber Technology and Engineering. And the Clorox incident shows how one company navigates unfamiliar new SEC rules.
Join Sam Meisenberg as he drops into a CISSP tutoring session talking about the difference between due diligence and due care along with some test-taking tips.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/180

Learning Layer.
Learning about the CISSP certification from (ISC)²

Selected reading.
War crimes tribunal ICC says it has been hacked (Reuters)
International Criminal Court says cybersecurity incident affected its information systems last week (AP News) 
Hackers breached International Criminal Court’s systems last week (BleepingComputer)
New ShroudedSnooper actor targets telecommunications firms in the Middle East with novel Implants (Cisco Talos)
ShroudedSnooper's HTTPSnoop Backdoor Targets Middle East Telecom Companies (The Hacker News)
Chinese Malware Appears in Earnest Across Cybercrime Threat Landscape (Proofpoint) 
Hackers who breached casino giants MGM, Caesars also hit 3 other firms, Okta says (Reuters)
Las Vegas casino ransomware attacks: Okta in the spotlight (The Stack) 
MGM losing up to $8.4M per day as cyberattack paralyzes slot machines, hotels for 8th straight day: analyst (New York Post) 
Caesars reports cyberattack but did not go offline (Top Class Actions) 
What Las Vegas tourists need to know about casino hacks (Washington Post) 
MGM, Caesars Face Regulatory, Legal Maze After Cyber Incidents (Dark Reading)
Clorox Cyberattack Brings Early Test of New SEC Cyber Rules (Wall Street Journal)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Hacking the ICC. ShroudedSnooper active, simple, and novel. New criminal malware used against Chinese-speakers. More on the materiality of cyberattacks.

Colombia continues its recovery from last week's cyberattacks. AI training data is accidentally published to GitHub. The cyberespionage techniques of Earth Lusca. Clorox blames product shortages on a cyber attack. Cybersecurity incidents in industrial environments. Where the wild bots are. Joe Carrigan looks at top level domain name exploitation. Our guest is Kristen Bell from GuidePoint Security with a look at vulnerability vs. exploitability. And there’s talk of potential Russia-DPRK cooperation in cyberspace.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/179

Selected reading.
More than 50 Colombian state, private entities hit by cyberattack -Petro (Reuters) 
Colombia Mulls Legal Action Against US Firm Targeted In Cyber Attack (Barron's)
Microsoft mitigated exposure of internal information in a storage account due to overly-permissive SAS token (Microsoft Security Response Center)
Microsoft AI Researchers Expose 38TB of Data, Including Keys, Passwords and Internal Messages (SecurityWeek)
Earth Lusca Employs New Linux Backdoor, Uses Cobalt Strike for Lateral Movement (Trend Micro) 
Chinese hackers have unleashed a never-before-seen Linux backdoor (Ars Technica)
The Clorox Company FORM 8-K (US Securities and Exchange Commission) 
Clorox Warns of Product Shortages Following Cyberattack (Wall Street Journal)
Clorox warns of product shortages, profit hit from August cyberattack (The Street) 
Can't find the right Clorox product? A recent cyberattack is causing some shortages (USA Today) 
Clorox warns of product shortages after cyberattack (Fox Business) 
As flu season looms, hackers force a shortage of Clorox products (Fortune)
New Research Finds Cyberattacks Against Critical Infrastructure on the Rise, State-affiliated Groups Responsible for Nearly 60% (Business Wire)
Death By a Billion Bots (Netacea)
Russian and North Korea artillery deal paves the way for dangerous cyberwar alliance (EconoTimes) 
Learn more about your ad choices. Visit megaphone.fm/adchoices

Ransomware in Colombia. An accidental data exposure. Cyberespionage hits unpatched systems. An attack on IT systems disrupts industrial production. Bots and bad actors.

Cyber threats trending from East Asia. The Lazarus Group is suspected in the CoinEx crypto theft. Pig butchering, enabled by cryptocurrency. BlackCat is active against Azure storage. a Ukrainian view of cyber warfare. A US-Canadian water commission deals with a ransomware attack. Eric Goldstein from CISA shares insights on cyber threats from China. Neil Serebryany of Calypso explains the policies, tools and safeguards in place to enable the safe use of generative AI. And more details emerge in the Las Vegas casinos’ ransomware incidents. Danny Ocean, call your office.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/178

Selected reading.
Sophistication, scope, and scale: Digital threats from East Asia increase in breadth and effectiveness (Microsoft Security Compliance and Identity)
Evidence points to North Korea in CoinEx cryptocurrency hack, analysts say (Record) 
CoinEx invites hackers to negotiate after suffering data breach (The Times of India
BlackCat ransomware hits Azure Storage with Sphynx encryptor (BleepingComputer)
MGM websites up, but reservation systems still affected by hack (Las Vegas Review-Journal)
The chaotic and cinematic MGM casino hack, explained (Vox)
Massive MGM and Caesars Hacks Epitomize a Vicious Ransomware Cycle (WIRED)
US-Canada water commission confirms 'cybersecurity incident' (Register) 
Ukraine's Fusion of Cyber and Kinetic Warfare: Illia Vitiuk's Stand Against Russian Cyber Operations (AFCEA International)
Learn more about your ad choices. Visit megaphone.fm/adchoices

A quick look at some threats from China and North Korea, some engaged in collection, some in theft. BlackCat and other ransomware operators. And a view of cyberwar from Ukraine’s SSU.

Karl Mattson, CISO at Noname Security, joins us to share his story. Having started out as a "military brat," traveling the world as the child of a Marine, Karl later joined the Army not long after high school. In the Army, Karl was assigned the career field of intelligence analyst and started working with the NSA. He says that was a real career break. Following the Army, Karl worked in the financial services world as a CISO. At Noname, Karl began by building out internal risk and IT functions into a strong, what he calls spectacular team. Karl recommends "deferring gratification as long as possible" when building your career. He says, "People early in their career, looking at government service, those positions don't, you know, make anybody rich overnight, but they are amazing career cornerstones to build on." He closes sharing the importance of relationships. We thank Karl for sharing his story with us.
Learn more about your ad choices. Visit megaphone.fm/adchoices

Karl Mattson: Defer gratification. (CISO) [Career Notes]

Guest Manuel Hepfer from ISTARI shares his research on cyber resilience which includes discussions with 37 CEOs to gain insight into how they manage cybersecurity risk. ISTARI and Oxford University's Saïd Business School dive into the minds and experiences of CEOs on how they manage cybersecurity risk.
Ask any CEO to name the issues that keep them awake at night and cybersecurity risk is likely near the top of the list – with good reason. With the accelerating digitalisation of business models comes vulnerability to cyberattack. And while spending on cybersecurity increases every year, so does the number of serious incidents. Even the largest and most technologically advanced companies are not immune.
CEOs must formally answer to regulators, shareholders and board members for their organisation’s cybersecurity. Yet the majority (72%) of CEOs we interviewed as part of our research said they were not comfortable making cybersecurity-related decisions.
The research and associated article can be found here:

Research: The CEO Report on Cyber Resilience


Article: Make Cybersecurity a Strategic Asset



Learn more about your ad choices. Visit megaphone.fm/adchoices

A look into the emotions and anxieties of the highest levels of decision-making. [Research Saturday]

"Peach Sandstorm" is an Iranian cyberespionage campaign. A Cyberattack against a telecom provider affects government and corporate online operations in Colombia. Python NodeStealer takes browser credentials. Caesars Entertainment files its 8-K. Some MGM Entertainment systems remain down. Betsy Carmelite from Booz Allen talking about how to leverage cyber psychology. Ron Reiter of Sentra outlines the threats for connected cars. And a third-party incident exposes personal data of the Manchester police.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/177

Selected reading.
Peach Sandstorm password spray campaigns enable intelligence collection at high-value targets (Microsoft)
Hackers Backed by Iran Caught in Apparent Global Spy Campaign (The Messenger)
BNamericas - Colombia cyberattack hits government, corpor... (BNamericas.com)
Colombia's judicial branch thrown offline in major cyber attack (Colombia Reports) 
Casino giant Caesars Entertainment reports cyberattack; MGM Resorts says some systems still down (AP News)
Casino Operators Caesars and MGM Still Reeling From Cyber Attacks (Kiplinger.com) 
Groups linked to Las Vegas cyber attacks are prolific criminal hacking gangs (CyberScoop) 
MGM still responding to wide-ranging cyberattack as rumors run rampant (Record)
Ransomware in the casinos. (CyberWire)
MGM Resorts shuts down some systems. (CyberWire)
Manchester police officers’ data stolen following ransomware attack on supplier (Record)
Contractor Data Breach Impacts 8k Greater Manchester Police Officers (Hackread) 
A Second Major British Police Force Suffers a Cyberattack in Less Than a Month (SecurityWeek) 
Who is behind the latest wave of UK ransomware attacks? (the Guardian) 
Learn more about your ad choices. Visit megaphone.fm/adchoices

Peach Sandstorm cyberespionage. Criminal attacks against a Colombian telco and two major US casino firms. A thief in the browser. And the Greater Manchester Police are on a virtual manhunt.

The MGM Resorts incident is now believed to be ransomware, and how does that inform our view of Materiality of a cyber incident? MetaStealer targets businesses. Cloud access with stolen credentials. The cloud as an expansive attack surface. Johannes Ullrich from SANS describes malware in dot-inf files. In our Industry Voices segment Dave speaks with Oliver Tavakoli, CTO at Vectra, on the complexity and challenges of cloud service security. And welcome back, or not, Your Highness the Large Language Model, Prince of Nigeria.

For links to all of today's stories check out our CyberWire daily news briefing:
https://thecyberwire.com/newsletters/daily-briefing/12/176

Selected reading.
Caesars Entertainment Paid Millions to Hackers in Attack (Bloomberg) 
Caesars Paid Ransom After Suffering Cyberattack (Wall Street Journal) 
The Cyberattack That Sent Las Vegas Back in Time (Wall Street Journal) 
Pro Take: MGM Casino Hack Shows Challenge in Defending Connected Tech (Wall Street Journal) 
ALPHV Ransomware Used Vishing to Scam MGM Resorts Employee, Researchers (Hackread)
FBI probing MGM Resorts cyber incident as some casino systems still down (Reuters) 
MGM Resorts says cyberattack could have material effect on company (NBC News) 
MGM Resorts cybersecurity breach could cost millions, expert says (KLAS) 
MGM Resorts shuts down some systems because of a “cybersecurity issue.” (Updated.) (CyberWire)
macOS Info-Stealer Malware 'MetaStealer' Targeting Businesses (SecurityWeek) 
“Authorized” to break in: Adversaries use valid credentials to compromise cloud environments (Security Intelligence) 
Unit 42 Attack Surface Threat Report (Palo Alto Networks)
The Nigerian Prince is Alive and Well: Cybercriminals Use Generative… (Abnormal) 
Learn more about your ad choices. Visit megaphone.fm/adchoices

Get Started

Download the App