CyberWire Daily

N2K Networks
2507 episodes   Last Updated: Aug 17, 23
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Episodes

Building a proxy botnet. Active flaws in PowerShell Gallery. A cyber incident disrupts Clorox. Scams lure would-be mobile beta-testers. Lessons learned from the Russian cyberattack on Viasat. An update on cyber threats to Starlink. Robert M. Lee from Dragos shares his thoughts on the waves of layoffs that have gone through the industry. Steve Leeper of Datadobi explains mitigating risks associated with illegal data on your network. And hey, world leader: it’s never too late to stop manifesting a chronic cranio-urological condition, as they more-or-less say in the Quantum Realm. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/157
Selected reading.
ProxyNation: The dark nexus between proxy apps and malware (AT&T Alien Labs)
Massive 400,000 proxy botnet built with stealthy malware infections (BleepingComputer)
PowerHell: Active Flaws in PowerShell Gallery Expose Users to Attacks (Aqua Security)
Clorox Operations Disrupted By Cyber-Attack (Infosecurity Magazine)
Cyber Criminals Targeting Victims through Mobile Beta-Testing Applications (IC3)
FBI warns about scams that lure you in as a mobile beta-tester (Naked Security)
Incident response lessons learned from the Russian attack on Viasat (CSO Online)
Recent Intel Report Reveals New Starlink Vulnerabilities, Increasing Concerns About the Future of Global Satellite Internet (Debrief)
Hacked electronic sign declares “Putin is a dickhead” as Russian ruble slumps (Graham Cluley)

China accuses the US of installing backdoors in a Wuhan lab. NetScaler backdoors are found. A phishing scam targets executives. LinkedIn sees a surge in account hijacking. Raccoon Stealer gets an update. Cryptocurrency recovery scams. We kick off our new Learning Layer segment with N2K’s Sam Meisenberg. And a Moscow court fines Reddit and Wikipedia for unwelcome content about Russia's war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/156
Selected reading.
Ministry warns of data security risks after US agencies identified behind cyberattack on Wuhan Earthquake Monitoring Center (Global Times)
China accuses U.S. intelligence agencies as source behind Wuhan cybersecurity attack (ZDNET)
China teases imminent exposé of seismic US spying scheme (Register)
2,000 Citrix NetScaler Instances Backdoored via Recent Vulnerability (SecurityWeek)
Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations (Proofpoint)
LinkedIn Accounts Under Attack (Cyberint)
LinkedIn faces surge of account hijacking (Computing)
LinkedIn accounts hacked in widespread hijacking campaign (BleepingComputer)
Raccoon Stealer malware returns with new stealthier version (BleepingComputer)
FBI warns of increasing cryptocurrency recovery scams (BleepingComputer)
Russia slaps Reddit, Wikipedia with fines (Cybernews)

New targets of Chinese cyberespionage are uncovered. Monti ransomware is back. An evasive phishing campaign exposed. A Realtors' network taken down by cyberattack. A closer look at NoName057(16). Perspective on cyberwar: remember Pearl Harbor, but don’t see it everywhere. Ben Yelin on the Consumer Financial Protection Bureau’s plans to regulate surveillance tech. Microsoft’s Ann Johnson and Charlie Bell ponder the future of security. And scammers are targeting kids playing Fortnite and Roblox. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/155
Selected reading.
Chinese spies who read State Dept. email also hacked GOP congressman (Washington Post)
Binary Ballet: China’s Espionage Tango with Microsoft (SecurityHQ)
Microsoft Exchange hack to be investigated by US Cyber Safety Board (Computing)
Monti ransomware targets VMware ESXi servers with new Linux locker (BleepingComputer)
Evasive Phishing Campaign Steals Cloud Credentials Using Cloudflare R2 and Turnstile (Netskope)
Cyberattack on Bay area vendor cripples real estate industry (The Real Deal)
Intel insiders go undercover revealing fresh details into NoName hacktivist operations (Cybernews)
Why the US Military Wants You To Rethink the Idea of 'Cyber War' (The Messenger)
A Huge Scam Targeting Kids With Roblox and Fortnite 'Offers' Has Been Hiding in Plain Sight (WIRED)

An African power generator has been targeted by ransomware. The APT31 group is believed to be responsible for attacks on industrial systems in Eastern Europe. There have been arrests related to the takedown of LolekHosted. Ukraine's SBU has alleged that Russia's GRU is using specialized malware to attack Starlink. Microsoft has decided not to extend licenses for its products in Russia. Rick Howard opens his toolbox on DDoS. In our Solution Spotlight: Simone Petrella and Camille Stewart Gloster discuss the White House release of its cybersecurity workforce and education strategy. And the Cyber Safety Review Board will be investigating cases of cyberespionage against Exchange. Watch the full video of Simone and Camille here: Solution Spotlight: Simone Petrella and Camille Stewart Gloster. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/154
Selected reading.
DroxiDat-Cobalt Strike Duo Targets Power Generator Network (Infosecurity Magazine)
New SystemBC Malware Variant Targets Southern African Power Company (The Hacker News)
Power Generator in South Africa hit with DroxiDat and Cobalt Strike (Security Affairs)
Southern African power generator targeted with DroxiDat malware (Record)
Common TTPs of attacks against industrial organizations. Implants for uploading data (Kaspersky ICS CERT)
APT31 Linked to Recent Industrial Attacks in Eastern Europe (Infosecurity Magazine)
Researchers Shed Light on APT31's Advanced Backdoors and Data Exfiltration Tactics (The Hacker News)
LOLEKHosted admin arrested for aiding Netwalker ransomware gang (BleepingComputer)
Russian spy agencies targeting Starlink with custom malware, Ukraine warns (The Telegraph)
Russia Bans iPhones And iPads For Official Use: Report (BW Businessworld)
Microsoft Suspends Extending Licenses For Companies in Russia (RadioFreeEurope/RadioLiberty)
Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (US Department of Homeland Security)
Microsoft Exchange hack is focus of cyber board’s next review (Record)
Microsoft is under scrutiny after a recent attack by suspected Chinese hackers (Windows Central)
The DHS’s CSRB to review cloud security practices following the hack of Microsoft Exchange govt email accounts (Security Affairs)
Microsoft's role in data breach by Chinese hackers to be part of US cyber inquiry (Firstpost)

Dr. Georgianna Shea, the Chief Technologist at the Transformative Cyber Innovation Lab at the Foundation for Defense of Democracies (FDD), sits down to share her incredible story of moving between different roles and how that has led her to where she is today. Her career has taken her to many different states over the years, and she has learned and grown into each of the roles she took on; from Hawaii to D.C., Dr. Shea has done it all. Sharing some advice, Dr. Shea says "My words of wisdom are take advantage of every opportunity and don't wait for anybody. I try to mentor people and I talk to young people a lot, you know, trying to get into the field and, and I see a lot of waiting on other people." She explains that you are able to work on your own to become an expert, and that taking that initiative will be what gets you to where you want to be. We thank Dr. Georgianna Shea for sharing her story with us.

Alex Delamotte from SentinelLabs joins Dave to discuss their work on "Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP." As actors find more ways to profit from compromising services, SentinelLabs finds that cloud service credentials are becoming increasingly targeted. The lack of threats explicitly targeting Azure and GCP credentials up to this point means there are likely many fresh targets. The research states "These campaigns share similarity with tools attributed to the notorious TeamTNT cryptojacking crew. However, attribution remains challenging with script-based tools, as anyone can adapt the code for their own use." The research can be found here: Cloudy With a Chance of Credentials | AWS-Targeting Cred Stealer Expands to Azure, GCP

Charming Kitten collects against Iranian expatriate dissidents. The Cyber Safety Review Board reports on Lapsus$. A call for comment on open-source, memory-safe standards. How NSA is coping with the cyber labor market. Yandex is restructuring. The Washington Post’s Tim Starks joins us with the latest cybersecurity efforts from the DOD. Our guest is Dan L. Dodson, CEO of Fortified Health Security, with insights on protecting patient data. And how Viasat was hacked. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/153
Selected reading.
Germany says Charming Kitten hackers target Iran dissidents (Deutsche Welle)
Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (US Department of Homeland Security)
Review Of The Attacks Associated with Lapsus$ And Related Threat Groups Report (Cybersecurity and Infrastructure Security Agency CISA)
Fact Sheet: Office of the National Cyber Director Requests Public Comment on Open-Source Software Security and Memory Safe Programming Languages (ONCD | The White House)
Amid historic hiring surge, NSA considers hybrid, unclassified work options (Federal News Network)
Exclusive: Fear of tech 'brain drain' prevents Russia from seizing Yandex for now, sources say (Reuters)
Yandex co-founder Volozh slams Russia's 'barbaric' invasion of Ukraine (Reuters)
Satellite hack on eve of Ukraine war was a coordinated, multi-pronged assault (CyberScoop)

A new Magento campaign is discovered. Gootloader malware-as-a-service afflicts law firms. Researchers find security flaws affecting cryptowallets. Panasonic warns of increasing attacks against IoT. A Belarusian cyberespionage campaign outlined. The five cyber phases of Russia's hybrid war, and lessons in resilience from Ukraine's experience. In our Threat Vector segment, Kristopher Russo, Senior Threat Researcher for Unit 42, joins David Moulton to discuss Muddled Libra. Kayla Williams from Devo describes their work benefiting the community at Black Hat. And a new DARPA challenge seeks to bring artificial intelligence to cybersecurity. On this segment of Threat Vector, Kristopher Russo, Senior Threat Researcher for Unit 42, joins host David Moulton to discuss part one of two on Muddled Libra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/152
Threat Vector links.
Threat Group Assessment: Muddled Libra
Guest: Kristopher Russo. From practitioner to researcher, Kristopher Russo has spent years entrenched in various specializations of cybersecurity. As a researcher focused on ransomware and cybercrime, he brings a from-the-trenches perspective to cyber threat intelligence.
Selected reading.
Xurum: New Magento Campaign Discovered (Akamai)
Gootloader: Why your Legal Document Search May End in Misery (Trustwave)
Fireblocks Researchers Uncover Vulnerabilities Impacting Dozens of Major Wallet Providers (Fireblocks)
New BitForge cryptocurrency wallet flaws lets hackers steal crypto (BleepingComputer)
Panasonic Warns That IoT Malware Attack Cycles Are Accelerating (WIRED)
MoustachedBouncer: Espionage against foreign diplomats in Belarus (We Live Security)
Belarus hackers target foreign diplomats with help of local ISPs, researchers say (TechCrunch)
Pro-Russian hackers claim attacks on French, Dutch websites (Record)
Zhora: Russia's cyber 'war crimes' will outlast invasion (Register)
The Power of Resilience (Cybersecurity and Infrastructure Security Agency CISA)
Biden-Harris Administration Launches Artificial Intelligence Cyber Challenge to Protect America’s Critical Software (The White House)
AIxCC (AIxCC)
The Biden administration wants to put AI to the test for cybersecurity (Washington Post)

Reports of a wide-ranging cyberespionage campaign by China's Ministry of State Security. EvilProxy phishing tool targets executives, and defeats multifactor authentication. Vulnerabilities in CPUs. Yashma ransomware targets a wide range of countries. macOS threat trends. Is there a Russian attempt to disrupt British elections? Rob Boyce from Accenture checks in from the Black Hat conference. Maria Varmazis talks with Black Hat Aerospace Village's Kaylin Trychon and Steve Luczynski. Ukraine claims to have stopped a Russian spyware campaign. And Patch Tuesday has come and gone, but the vulnerabilities remain, unless, of course, you’ve applied the patches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/151
Selected reading.
Chinese hackers targeted at least 17 countries across Asia, Europe and North America (Record)
RedHotel: A Prolific, Chinese State-Sponsored Group Operating at a Global Scale (Recorded Future)
Cloud Account Takeover Campaign Leveraging EvilProxy Targets Top-Level Executives at over 100 Global Organizations (Proofpoint)
‘Downfall’ vulnerability leaves billions of Intel CPUs at risk (CyberScoop)
New Inception attack leaks sensitive data from all AMD Zen CPUs (BleepingComputer)
New Yashma Ransomware Variant Targets Multiple English-Speaking Countries (The Hacker News)
Suspected Vietnamese hacker targets Chinese, Bulgarian organizations with new ransomware (Record)
Black Hat USA 2023 – Bitdefender macOS Threat Report Reveals Key Dangers for Mac Users (Bitdefender)
Russia ‘tops list of suspects’ in cyber attack which exposed data of 40m UK voters (The Telegraph)
Electoral Commission hack: Five things you need to know (Computing)
‘Hostile actors’ hacked British voter registry, electoral agency says (Washington Post)
Electoral Commission apologises for security breach involving UK voters’ data (the Guardian)
Ukraine says it prevented Russian hacking of armed forces combat system (Reuters)
Ukraine says it thwarted attempt to breach military tablets (Record)
Russian secret services try to penetrate operation planning electronic system of Ukraine's army (Ukrainska Pravda)
Patch Tuesday: Adobe Patches 30 Acrobat, Reader Vulns (SecurityWeek)
Patch Tuesday: Microsoft (Finally) Patches Exploited Office Zero-Days (SecurityWeek)
Microsoft Releases August 2023 Security Updates (Cybersecurity and Infrastructure Security Agency CISA)
Fortinet Releases Security Update for FortiOS (Cybersecurity and Infrastructure Security Agency CISA)
Adobe Releases Security Updates for Multiple Products (Cybersecurity and Infrastructure Security Agency CISA)
Patch Tuesday review: August 2023. (CyberWire)

Reports on a 2020 Chinese penetration of Japan's defense networks. MOVEit-connected supply chain issues aren't over. Akamai looks at the current state of ransomware. Mallox ransomware continues its evolution. Machine identities and shadow access. Ukrainian hacktivist auxiliaries hit Russian websites. Joe Carrigan unpacks statistics recently released by CISA. Our guest is Jeffrey Wheatman from Black Kite discussing the market shift from SRS to cyber risk intelligence. And radiation sensor reports from Chernobyl may have been manipulated. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/150
Selected reading.
China hacked Japan’s sensitive defense networks, officials say (Washington Post)
Japan says cannot confirm leakage after report says China hacked defence networks (Reuters)
MOVEit hack spawned around 600 breaches but isn't done yet - cyber analysts (Reuters)
Mallox Ransomware Group Revamps Malware Variants, Evasion Tactics (Dark Reading)
TargetCompany Ransomware Abuses FUD Obfuscator Packers (Trend Micro)
New IAM Research by Stack Identity Finds Machine Identities Dominate Shadow Access in the Cloud, Revealing Easy Attack Vector for Hackers (Business Wire)
Ukraine-Linked Group Claims It Hacked Website Of Moscow Property Registration Bureau (RadioFreeEurope/RadioLiberty)
Ukraine-linked group claims it hacked Moscow property registration bureau website – RFE/RL (Euromaidan Press)
Pro-Ukrainian hackers breach Moscow engineering service website (New Voice of Ukraine)
Ukrainian state agencies targeted with open-source malware MerlinAgent (Record)
The Mystery of Chernobyl’s Post-Invasion Radiation Spikes (WIRED)