The CyberWire Daily

The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.





Diving deep into North Korea's APT37 tool kit. [Research Saturday]

Guest Hossein Jazi of Malwarebytes joins us to take a deep dive into North Korea's APT37 (aka ScarCruft, Reaper and Group123) toolkit. On December 7 2020 the Malwarebytes Labs threat team identified a malicious document uploaded to VirusTotal which was purporting to be a meeting request likely used to target the government of South Korea. The meeting date mentioned in the document was 23 Jan 2020, which aligns with the document compilation time of 27 Jan 2020, indicating that this attack took place almost a year ago. The file contains an embedded macro that uses a VBA self decoding technique to decode itself within the memory spaces of Microsoft Office without writing to the disk. It then embeds a variant of the RokRat into Notepad. Based on the injected payload, the Malwarebytes team believes that this sample is associated with APT37. This North Korean group is also known as ScarCruft, Reaper and Group123 and has been active since at least 2012, primarily targeting victims in South Korea. The research can be found here: Retrohunting APT37: North Korean APT used VBA self decode technique to inject RokRat

SUNSHUTTLE backdoor described. What the Exchange Server campaign was after. Misconfigured clouds. Airline IT service provider attacked. Criminal-on-criminal crime.

A new second-stage backdoor has been found in a SolarWinds compromise victim. Those exploiting the now-patched Exchange Server zero days seem to have done so to establish a foothold in the targeted systems. India continues to investigate a Chinese cyber threat to its infrastructure. Misconfigured clouds leak mobile app data. A major airline IT provider sustains a cyber attack. Dinah Davis helps us prevent account takeover attacks. Our guest is Troy Hunt from NordVPN. And criminals hack other criminals. For links to all of today's stories check out our CyberWire daily news brief:

Happy Slam the Scam Day. Indian authorities continue to investigate grid incidents. CISA tells US Federal agencies to clean up Exchange bugs by noon tomorrow. Supply chain compromise.

Indian authorities say October's Mumbai blackout was "human error," not cybersabotage. CISA directs US civilian agencies to clean up Microsoft Exchange on-premise vulnerabilities. More effects of the Accellion FTA supply chain compromise. Some trends in social engineering. Andrea Little Limbago brings us up to date on the RSA supply chain sandbox. Our guest is Brittany Allen from Sift on a new Telegram fraud ring. And happy National Slam the Scam Day. For links to all of today's stories check out our CyberWire daily news brief:

RedEcho under investigation (amid reassurances). Stopping Operation Exchange Marauder. Containing Ursnif. Cyber proliferation. And another round in the Crypto Wars.

India continues to investigate the possibility of RedEcho cybersabotage of its power distribution system, but says any hack was stopped and contained. Microsoft issues an out-of-band patch against a Chinese-run "Operation Exchange Marauder." The financial sector works to contain an Ursnif outbreak. CISA issues ICS security advisories. Myanmar and the difficulty of stopping cyber proliferation. Joe Carrigan looks at CNAME cloaking. Our guest is author Neil Daswani from Stanford University's Advanced Security Certification Program, on his upcoming book Big Breaches - Cybersecurity Lessons for Everyone. And another round in the Crypto Wars seems ready to start. For links to all of today's stories check out our CyberWire daily news brief:

India investigates the possibility of cybersabotage. Walls are opaque to defenders, too. Recommendations for cyber nonproliferation. SolarWinds updates (with an SEC appearance).

Indian authorities continue to investigate the possibility that Mumbai's power grid was hacked last October. Apple's walled garden's security can inhibit detection of threats that manage to get inside. An Atlantic Council report recommends international action against access-as-a-service brokers to stall proliferation of cyber offensive tools. Ben Yelin has the story of legislators asking the military why they're so interested in apps serving Muslims. Our guest is John Grange from OpsCompass with insights on the top cloud security mistakes organizations make. Updates on the SolarWinds incident (including an SEC probe into who knew what when). For links to all of today's stories check out our CyberWire daily news brief:

RedEcho's activity in India's power grid is described. US report on Khashoggi murder declassified. SolarWinds compromise inquiry updates. Ill-intentioned SEO. President's Cup winner announced.

Chinese cyber engagement with Indian critical infrastructure is reported: the objective isn't benign from India's point of view, but exactly what the objective is, specifically, remains a matter of speculation. The US Government declassifies its report on the murder of Saudi journalist Jamal Khashoggi. The SolarWinds supply chain compromise remains under investigation, with an intern making a special appearance. Malign search engine optimizations. Rick Howard shares hash table opinions on Google Cloud. Josh Ray from Accenture on Cybercrime and the Cloud. And congratulations to the winners of CISA's President's Cup. For links to all of today's stories check out our CyberWire daily news brief:

Aarti Borkar: Make your own choices. [Product] [Career Notes]

Head of Product for IBM Security Aarti Borkar shares her journey which included going after her lifelong love of math rather than following in her parents' footsteps in the medical field. In following her passions, Aarti found herself studying computer engineering and computer science, and upon taking a pause from her studies, she found a niche working at IBM in a mix of databases and networking. In her current position, Aarti describes her favorite discussion topics very often involve being around the use of AI for converting security into predictive domains. Aarti reminds us that you should pause and see if you are on the right path. Staying on a path just because you started there can be a bad idea. And, we thank Aarti for sharing her story.

Shining a light on China's cyber underground. [Research Saturday]

Guest Maurits Lucas from Intel 471 joins us to discuss his team's research into cybercrime in China. Data from Intel 471 show that the Chinese cybercrime underground proliferates through use of common methods or platforms, but behaves differently in large part due to the caution that actors take with regard to their identity. While the average citizen must follow the heavy handed nature of the government's surveillance of cyberspace, Chinese threat actors take special precautions to protect their forums, TTPs and themselves. This leads to the Chinese cybercrime underground being disorderly when compared to others, particularly Russia, which tend to be much more organized. The research can be found here: No pandas, just people: The current state of China's cybercrime underground

Oxford lab studying the COVID-19 virus is hacked. Zoom impersonation campaign. Senators would've liked to have heard from Amazon about Solorigate. NSA likes zero trust. NIST IoT guidelines.

Oxford biology lab hacked. A Zoom impersonation phishing campaign afflicts targets in the EU. Senators disappointed in Amazon's decision not to appear at this week's SolarWinds hearing. NSA advocates adopting zero trust principles. CISA issues alerts on industrial control systems. The US Department of Homeland Security describes increases to its cybersecurity grant programs. Dinah Davis examines how healthcare is being targeted by ransomware. Our guest is Michael Hamilton from CI Security on the Public Infrastructure Security Cyber Education System. And NIST's draft IoT security standards are still open for comment. For links to all of today's stories check out our CyberWire daily news brief:

PLA spyware keeps Tibetans under surveillance. Cyber conflict between Ukraine and Russia, some conventionally criminal, other state-directed. US Executive Order addresses supply chain resilience.

FriarFox is a bad browser extension, and it's interested in Tibet. Ukraine accuses Russia of a software supply chain compromise (maybe Moscow hired Gamaredon to do the work). Egregor hoods who escaped recent Franco-Ukrainian sweeps are thought responsible for DDoS against Kiev security agencies over the weekend. A look at Babuk, a new ransomware-as-a-service entry. VMware servers are patched. Verizon's Chris Novak looks at the 2021 threat landscape. Our guest is Andrew Hammond from the International Spy Museum. And a US Executive Order on supply chain security. For links to all of today's stories check out our CyberWire daily news brief:

Accellion FTA compromise spreads. Ocean Lotus is back. LazyScripter seems to represent a new threat group. Notes from the SolarWinds hearings. New ICS threat actors.

As more organizations are affected by the Accellion FTA compromise, authorities issue some recommendations for risk mitigation. Ocean Lotus is back, and active against Vietnamese domestic targets. LazyScripter is phishing with COVID and air travel lures. SolarWinds hearings include threat information, exculpation, and calls for more liability protection. Turkey Dog is after bank accounts. Joe Carrigan ponders the ease with which new security flaws are discovered. Rick Howard speaks with our guest Michael Dick from C2A Security on Automotive Security. And some new ICS threat groups are identified. For links to all of today's stories check out our CyberWire daily news brief:

DDoS in hybrid war. Accellion compromise attributed. Initial access brokers. Agile C2 for botnets. US Senate's SolarWinds hearing. US DHS cyber strategy. Shiny new phishbait.

Ukrainian security services complain of DDoS from Russia. The Accellion compromise is attributed to an extortion gang. Digital Shadows tracks the rise of initial access brokers, new middlemen in the criminal-to-criminal market. A botmaster uses an agile C2 infrastructure to avoid takedowns. IT executives to appear at US Senate hearings on Solorigate. US DHS talks up its cyber strategies. Ben Yelin comments on the latest court ruling on device searches at the border. Rick Howard speaks with Ariel Assaraf from Coralogix on SOAR and SIEM. And don't be deceived by bogus FedEx and DHL phishbait. For links to all of today's stories check out our CyberWire daily news brief:

Facebook takes down Myanmar military page. Chinese cyberespionage and cloned Equation Group tools. Supply chain compromises. Threat trends.

Facebook takes down Myanmar junta's main page. APT31 clones Equation Group tools. Silver Sparrow's up to...something or other. Bogus Flash Player update serves fake news and malware. Effects of supply chain compromises spread. Clubhouse's privacy issues. VC firm breached. CrowdStrike releases its annual threat report. We welcome Josh Ray from Accenture security to our show. Rick Howard examines Google's cloud services. And a Maryland school concludes its annual cyber challenge. For links to all of today's stories check out our CyberWire daily news brief:

Billy Wilson: Translating language skills to technical skills. [HPC] [Career Notes]

High Performance Computing Systems Administrator at Brigham Young University Billy Wilson tells his cybersecurity career story translating language skills to technical skills. According to Billy's employer, moving to a technical position at his alma mater occurred because Billy showed this potential and a thirst for learning. He is currently pursuing his master's degree from SANS Technology Institute for Information Security Engineering while working to secure BYU's data for their computationally-intensive research. Billy notes that not everyone has one overarching passion which gives him variety in his work. And, we thank Billy for sharing his story with us.

Attackers (ab)using Google Chrome. [Research Saturday]

Guest Bojan Zdrnja of Infigo IS and a certified instructor at SANS Institute shares an incident he discovered where attackers were using a pretty novel way of exfiltrating data and using that channel for C&C communication. The code that was acquired was only partially recovered, but enough to indicate powerful features that the attackers were (ab)using in Google Chrome. The basis for this attack were malicious extensions that the attacker dropped on the compromised system. The research can be found here: Abusing Google Chrome extension syncing for data exfiltration and C&C

Mopping up Solorigate. Tehran's Lightning and Thunder in Amsterdam. The view from Tallinn. Malware designed for Apple's new chips. Lessons from the ice, and how hackers broke bad.

Microsoft wraps up its internal investigation of Solorigate, which the US Government continues to grapple with, and which has had some effect in Norway. An apparent Iranian APT has been hosting its command-and-control in two Netherlands data centers. Estonia's annual intelligence report describes Russian and Chinese ambitions in cyberspace. Threat actors are hard at work against Apple's new processors. Kevin Magee on the Canadian National Cyber Threat Assessment for 2020. Our guest is Mark Testoni from SAP National Security Services on the Biden administration's first 100 days. Plus, lessons from the ice, and how hackers became cybercriminals. For links to all of today's stories check out our CyberWire daily news brief:

The WatchDog Monero cryptojacking operation. "A criminal syndicate with a flag." US Senator asks FBI, EPA for a report on water system cybersecurity. Cybercrooks placed on notice.

Watch out for the WatchDog Monero cryptojacking operation. The US Justice Department describes North Korea as "a criminal syndicate with a flag." CISA outlines the DPRK malware that figures in the AppleJeus toolkit. The Chair of the US Senate Intelligence Committee asks the FBI and EPA for a report on the Oldsmar water system cybersabotage incident. Egregor takes a hit from French and Ukrainian police. Dinah Davis has advice on getting buy-in from the board. Our guest is Bentsi Ben Atar from Sepio Systems on hardware attacks. And the Netherlands Police advise cybercriminals to just move on. For links to all of today's stories check out our CyberWire daily news brief:

US warns of DPRK threat to cryptocurrency holders, and indicts four on conspiracy charges. Centreon says Sandworm affected unsupported open-source tools. Big Hack skepticism. Patch notes.

High Bitcoin valuation draws the attention of cybercriminals, and a number of those criminals work for Mr. Kim, of Pyongyang. Alleged criminals, we should say. Centreon offers an update of its investigation of the Sandworm incident ANSSI uncovered. Reports of the Big Hack are received with caution. Patches applied, pulled, and replaced. Joe Carrigan describes a legal dustup between Proofpoint and Facebook over lookalike domains. Our guest is Sinan Eren from Barracuda Networks on their state of cloud networking report. And Florida's water system cybersabotage provides a good reminder to stay away from unsupported software. For links to all of today's stories check out our CyberWire daily news brief:

France's ANSSI warns of a long-running Sandworm campaign. DPRK tried to steal COVID-19 vaccine data. Supermicro is exasperated. Static Kitten phishes in the UAE.

France finds Sandworm's trail in a software supply chain. Microsoft is impressed by the amount of effort Russian intelligence services put into the SolarWinds campaign. Pyongyang is reported to have attempted to steal COVID-19 vaccine information. Supermicro reiterates objections to Bloomberg's report on alleged hardware supply chain compromises. Static Kitten is phishing in the UAE. Updates on the Florida water utility cybersabotage. Ben Yelin examines to what degree the FBI can access Signal app messages. Rick Howard gathers the hash table to discuss AWS. And a new executive director arrives at our state cybersecurity association. For links to all of today's stories check out our CyberWire daily news brief:

Hank Thomas and Mike Doniger, getting the specs on the cyber SPAC. [update]

In this special edition, our extended conversation with Hank Thomas and Mike Doniger from their new company SCVX. Both experienced investors, their plan is to bring a new funding mechanism known as a SPAC to cyber security which, they say, is new to the space.  February 2021 Update: we revisit the topic with guest Hank Thomas to hear the latest on SPACs.

Hank Thomas and Mike Doniger, getting the specs on the cyber SPAC. [Special Edition Update]

In this special edition, our extended conversation with Hank Thomas and Mike Doniger from their new company SCVX. Both experienced investors, their plan is to bring a new funding mechanism known as a SPAC to cyber security which, they say, is new to the space.  February 2021 Update: we revisit the topic with guest Hank Thomas to hear the latest on SPACs.

Dr. Jessica Barker: Cybersecurity has a huge people element to it. [Socio-technical] [Career Notes]

Co-founder and socio-technical lead at Cygenta, Dr. Jessica Barker, shares her story from childhood career aspirations of becoming a farmer to her accidental pivot to working in cybersecurity. With a PhD in civic design, Jessica looked at the creation of social and civic places until she was approached by a cybersecurity consultancy interested in the human side of cybersecurity. She jumped in and the rest is history. Having experienced some negativity as a woman in cybersecurity, Jessica is a strong proponent of diversity in the field. She suggests that newcomers to the industry follow what interests them and jump in. And, we thank Jessica for sharing her story with us.

Using the human body as a wire-like communication channel. [Research Saturday]

Guest Dr. Shreyas Sen, a Purdue University associate professor of electrical and computer engineering, joins us to discuss the following scenario: Instead of inserting a card or scanning a smartphone to make a payment, what if you could simply touch the machine with your finger? A prototype developed by Purdue University engineers would essentially let your body act as the link between your card or smartphone and the reader or scanner, making it possible for you to transmit information just by touching a surface. The research can be found here: Tech makes it possible to digitally communicate through human touch (press release) BodyWire-HCI: Enabling New Interaction Modalities by Communicating Strictly During Touch Using Electro-Quasistatic Human Body Communication (research paper)

Alleged hardware backdoors, again. Selling game source code. ICS security, especially with respect to water utility cybersabotage. Don't be the hacker's valentine.

Bloomberg revives its reporting on hardware backdoors on chipsets. Has someone bought the source code for the Witcher and Cyberpunk? CISA issues ICS alerts. The FBI and CISA offer advice about water system cybersabotage as state and local utilities seek to learn from the Oldsmar attack. Verizon's Chris Novak ponders if you should get your Cybersecurity DIY, managed, or co-managed? Our guest is David Barzilai from Karamba Security on the growing importance of IoT security. And, looking for love on Valentine's Day? Look carefully...and don't give that intriguing online stranger money. We know, we know, they seem nice, but still... For links to all of today's stories check out our CyberWire daily news brief:

Spyware in the Subcontinent. Notes on cyber fraud, cyber theft, and ransomware. The US gets a chief to lead response to Solorigate. Updates on the Florida water system cybersabotage.

Spyware in the Subcontinent. Some crooks auction stolen game source code while others bilk food delivery services. Emotet survived its takedown. Ransomware developments. The US now has a point person for Solorigate investigation and response. Andrea Little Limbago from Interos on her participation in the National Security Institute at George Mason University. Our guest is Chris Cochran from Hacker Valley Studio with a preview of their Black Excellence in Cyber podcast. And there's no attribution yet in the Oldsmar, Florida, water system cybersabotage, but it's increasingly clear that the utility wasn't a hard target. For links to all of today's stories check out our CyberWire daily news brief:

Paying for the bomb the 21st century way. Domestic Kitten's international romp. Malware versus gamers. Patch Tuesday notes. An update on the Oldsmar water system cyber sabotage.

What's North Korea doing with all that money the Lazarus Group steals? Buying atom bombs, apparently. Iran's Domestic Kitten is scratching at some international surveillance targets. Not everyone who says they're a Bear really is one. Parking malware in Discord. Notes on Patch Tuesday. Joe Carrigan details a gift card scam that hit a little close to home. Our guest is Saket Modi, CEO of Safe Security with thoughts on quantifying risk. And the latest on the water system cyber sabotage down in Florida. For links to all of today's stories check out our CyberWire daily news brief:

Almost too much lye in the water, down Florida-way. BlackTech's new malware strain. Huawei says it's OK if the White House calls.

Florida water treatment plant sustains cyberattack: the hack was successful, the sabotage wasn't. A new malware strain is associated with Chinese intelligence services. Ben Yelin tracks a surveillance plane whose funding has fallen. Our guest is Col. Stephen Hamilton from Army Cyber Institute at West Point. And Huawei's CEO says, sure, he'd take a call from President Biden. For links to all of today's stories check out our CyberWire daily news brief:

A junta shuts down a nation's data networks. Lessons from multi-domain ops against ISIS? SilentFade returns. Iran's surveillance actors. Data breaches large and small. Company towns returning?

Myanmar blocks data networks. Notes on offensive cyber operations, from present and former Five Eyes officials. SilentFade seems to be back, with more ad fraud. Iranian cyber operators up their surveillance game. Brazil's big data breach remains under investigation. Company towns may make a return in Nevada. Rick Howard casts his gaze on the AWS cloud. We welcome Dinah Davis from Arctic Wolf as our newest industry partner. And why in the world are hackers interested in other people's colonoscopies? For links to all of today's stories check out our CyberWire daily news brief:

Jason Clark: Challenge the way things are done. [Strategy] [Career Notes]

Chief strategy officer and chief security officer for Netskope, Jason Clark, shares his journey as he challenges the status quo and works to expand diversity in cybersecurity. Jason started his career by breaking the mold and heading to the Air Force rather than his family legacy of Army service. Following his military service, he became a CISO for the New York Times at age 26 and kept building from there. Jason advises, "You should always be seeking out jobs you're actually not qualified for. I think that's how you grow. If you know you could do the job, and you've got half the skills, go for it." Jason aspires to a legacy of increasing diversity in the cybersecurity industry and founded a non-profit to do just that. And, we thank Jason for sharing his story with us.

In the clear: what it's like working as a woman in the cleared community. [Special Edition]

This special edition podcast highlights three women, Priyanka, Ashley and Lauren, who chose to focus their careers in cybersecurity for the mission-based organization Northrop Grumman. Kathleen Smith from ClearedJobs.Net joins us as our panel moderator. The CyberWire's Jennifer Eiben hosts the event. We are excited to share this look into the world of women in cybersecurity.

"Follow the money" the cybersecurity way. [Research Saturday]

Guest Joe Slowik joins us from Domain Tools to share their research "Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity" where they examined technical artifacts emerging around the 2020 conflict between Armenia and Azerbaijan in the Caucasus region. Cyber Threat Intelligence (CTI) practitioners can gain insight into adversary operations by tracking conflicts or geopolitical tensions. Similar to a "follow the money" approach in criminal investigations, looking at conflict zones can reveal cyber capabilities deployed as part of events - either by the parties to the conflict itself, or third parties interested in monitoring events for their own purposes. Based on precedent, analysts can identify developments in adversary operations and technical capabilities by tracking identifiers related to major events and conflict zones. Identifying capabilities deployed to take advantage of such items can yield insights into fundamental attacker tradecraft and behaviors, and enable defense and response for incidents which may strike far closer to home at a later date. The research can be found here: Current Events to Widespread Campaigns: Pivoting from Samples to Identify Activity

Lazarus Group seems to have deployed an IE zero day. Electrobras discloses ransomware attack. TrickBot returns. Breaches at security companies. Russo-American get-to-know-you talks.

Lazarus Group seems to have had an IE zero day. Brazilian power utility discloses a ransomware attack on business systems. TrickBot's back. Automated attacks are going after web applications. Two security firms report breaches. Patching notes. A look at life in the cleared community. Caleb Barlow from CynergisTek with handling disinformation in our runbooks. And Washington and Moscow hold the usual frank discussions--the Americans, at least, talked about cybersecurity. For links to all of today's stories check out our CyberWire daily news brief:

Kubernetes clusters attacked. Home insecurity devices. Update on the supply chain incidents. Incomplete patches. Marque and reprisal? Ransomware notes. Class clowns and zoom-bombing.

Hildegard malware is targeting Kubernetes clusters. Remote access flaws found in consumer security devices. A brief update on the spreading software supply chain incidents. Project Zero sees incomplete patches at the root of most successful zero-day attacks. Recruiting a privateer's crew. The current mood among ransomware victims. We'll search for the truth about 5G with Rob Lee and Rick Howard. And who's behind zoom-bombing remote learning? A hint: the kids aren't alright. For links to all of today's stories check out our CyberWire daily news brief:

China gets in on the SolarWinds act. More SolarWinds vulnerabilities disclosed and patched. Abuse of lawful intercept tech in South Sudan. BEC phishes for gift cards. Parasitic card skimmer found.

It appears Chinese intelligence services have been exploiting a vulnerability in SolarWinds to steal data from a US Government payroll system. The presumed Russian intrusion into SolarWinds may have been going on for nine months or more. Three new SolarWinds vulnerabilities are disclosed and patched. Amnesty accuses South Sudan of abusing intercept tools. BEC compromise is involved in gift card scams. Joe Carrigan has thoughts on opt-in privacy policies. Our guest is Dale Ludwig from CHERRY on USB attacks and hardware security. And carders steal from other carders. For links to all of today's stories check out our CyberWire daily news brief:

Coups d'état and Internet disruption. Cyberespionage in the supply chain, again. SonicWall zero day exploited in the wild. Tracking criminal infrastructure-as-a-service. Data breach in Washington State.

Myanmar's junta jams the Internet. Operation NightScout looks like a highly targeted cyberespionage campaign delivered through a compromised supply chain. SonicWall zero day is being actively exploited in the wild. StrangeU and RandomU are filling a niche in the criminal-to-criminal market. Ben Yelin ponders whether the Solarwinds attack can be considered an act of war. Our guest Jamie Brown from Tenable on the National Cyber Director position and what it means for the Biden administration. Another data breach is associated with Accellion FTA. And it's Groundhog Day, campers. For links to all of today's stories check out our CyberWire daily news brief:

Solorigate: targeting, collateral damage, or staging? The Cyberspace Solarium has some advice for US President Biden. UKRI breach. British Mensa thinks over a data exposure.

Untangling Solorigate, and distinguishing primary targets from collateral damage (or maybe side benefits, or maybe battlespace preparation). Congress asks NSA for background on an earlier supply chain incident. The Cyberspace Solarium Commission offers the new US Administration some transition advice. Rick Howard hears from the hash table on Microsoft Azure. Andrea Little Limbago from Interos on the intersection of COVID and cyber vulnerabilities. And the week gets off to a rough start for smart Britons. For links to all of today's stories check out our CyberWire daily news brief:

Kyla Guru: You are a key piece to our national security. [Education] [Career Notes]

Founder and CEO of nonprofit Bits N' Bytes Cybersecurity Education and undergraduate student at Stanford University, Kyla Guru shares her journey from GenCyber Camp to becoming a cybersecurity thought leader. Seeing the need for cybersecurity education in her own community spurred Kyla into action engaging our civilian population in understanding their role in the cybersecurity space. Kyla recommends putting yourself out there: taking courses, getting more knowledge, getting internships, meeting people and going to conferences. Kyla thinks her generation has an inquisitive mind and feels that is where advocacy and education come in with cybersecurity. She shares for any young person "thinking about maybe starting something in security, this is definitely the time to do so." And, we thank Kyla for sharing her story with us.

Security platforms vs best of breed point products: What should you deploy? [CyberWire-X]

For 20 years, the cybersecurity practitioner's go-to move when confronted with a new risk or compliance requirement has been to install a technical tool somewhere in the security stack to cover it. Over time, the number of tools that the infosec team has to manage has slowly grown. With the advent of bring-your-own device to the workplace, CIOs choosing SaaS applications to do work that has been traditionally handled in the data center, and organizations rushing to deploy their services into hybrid cloud environments, the number of individual data islands where company material information is routinely stored and must be covered by the security stack has increased. The complexity of this situation is immense. Two strategies have emerged to address this problem. The first is to continue down the path of installing more technical tools in each data island to cover the risk and having the infosec team manually process the telemetry of all the security devices with bigger teams and helper-automation-tools like SOAR platforms and SIEM databases. The second strategy is to choose a security vendor's platform that performs most of the security tasks on all the data islands but now makes the organization reliant on a single point of failure. Joining Rick Howard from the CyberWire's Hash Table's group of experts to consider the matter are Mike Higgins from Haven Health and Greg Notch from the National Hockey League, and later in the show, Rick speaks with Lior Div of Cybereason, who gives their point of view on this debate.
Link to episode

The Kimsuky group from North Korea expands spyware, malware and infrastructure. [Research Saturday]

Guest Yonatan Striem-Amit joins us from Cybereason to share their Nocturnus Team research into Kimsuky. The Cybereason Nocturnus Team has been tracking various North Korean threat actors, among them the cyber espionage group known as Kimsuky, (aka: Velvet Chollima, Black Banshee and Thallium), which has been active since at least 2012 and is believed to be operating on behalf of the North Korean regime. The group has a rich and notorious history of offensive cyber operations around the world, including operations targeting South Korean think tanks, but over the past few years they have expanded their targeting to countries including the United States, Russia and various nations in Europe. The research can be found here: Back to the Future: Inside the Kimsuky KGH Spyware Suite
Link to episode

Lebanon Cedar's wide-ranging cyberespionage campaign. Lazarus Group said to be behind the social engineering of vulnerability researchers. Solorigate spreads. Social media and the short squeeze.

Lebanon Cedar is quietly back, and running a cyberespionage campaign through vulnerable servers. Social engineering of vulnerability researchers is now attributed to the Lazarus Group. That "SolarWinds" incident is a lot bigger than SolarWinds. Notes on social media and the short squeeze. Verizon's Chris Novak looks at the changing landscape of ransomware payments. Our guest Professor Brian Gant from Maryville University examines cybersecurity threats of the new U.S. administration. And the GAO thinks the US State Department should use "data and evidence." For links to all of today's stories check out our CyberWire daily news brief:
Link to episode

Advice on Supernova and encouragement to patch Sudo. NetWalker taken down. Influencers tighten a big short squeeze. And charges are brought in a 2016 case of alleged US voter suppression.

Updates from CISA on Supernova. US Cyber Command recommends patching Sudo quickly. US and Bulgarian authorities take down the NetWalker ransomware-as-a-service operation. Influencers drive a big short-squeeze in the stock market. Thomas Etheridge from CrowdStrike on Recovering from a ransomware event. Our guest Zack Schuler from Ninjio examines the security challenges of Work From Anywhere. And another influencer is charged with conspiracy to deprive people of their right to vote. For links to all of today's stories check out our CyberWire daily news brief:
Link to episode

Emotet takedown. Solorigate updates (and President Biden tells President Putin he'd like him to knock it off). Vulnerabilities and threats discovered and described.

Europol leads an international, public-private, takedown of Emotet. Four security companies describe their brushes with the compromised SolarWinds Orion supply chain. Solorigate is one of the issues US President Biden raised in his first phone call with Russian President Putin. New vulnerabilities and threats described. Our guest Michael Hamilton of CI Security questions how realistic CISA's latest guidance on agency forensics may be. Joe Carrigan looks at bad guys taking advantage of Google Forms. And the Internet is back in business on the US East Coast. For links to all of today's stories check out our CyberWire daily news brief:
Link to episode

Pyongyang's social engineering campaign to compromise vulnerability researchers. Anonymous is back? Workforce development. Cyber Force? Why not?

Google reports North Korean social engineering of vulnerability researchers. Anonymous resurfaces, maybe, and tells Malaysia's government it's not happy with them. Notes on false credentialism and workforce development from the National Governors Association cyber summit. Kevin Magee from Microsoft Canada on the launch of the Rogers Cybersecurity Catalyst at Ryerson University to support Canadian Cybersecurity Startups. Our guest is James Stanger from CompTIA on their ultimate DDoS guide. And does America need a Cyber Force? Some think so. For links to all of today's stories check out our CyberWire daily news brief:
Link to episode

The FSB warns Russian businesses to up their security game--the Americans are coming. SonicWall's investigation of a possible cyberattack. DIA and commercial data brokers. OPC issues. Robota.

Russia's FSB warns businesses to be on the lookout for American cyberattacks after the White House says it's reserving its right to respond to the Solorigate cyberespionage campaign. SonicWall investigates an apparent compromise of its systems. Senator asks the US DNI for an explanation of DIA purchases of geolocation data from commercial vendors. OPC issues described. Andrea Little Limbago from Interos on the tech "naughty list" of restricted or sanctioned companies. Rick Howard previews his first principles analysis of Microsoft Azure. And a happy birthday to the word "robot," now one-hundred years young. For links to all of today's stories check out our CyberWire daily news brief:
Link to episode

Ben Yelin: A detour could be a sliding door moment. [Policy] [Career Notes]

Program Director for Public Policy and External Affairs at the University of Maryland's Center for Health and Homeland Security Ben Yelin shares his journey from political junkie to Fourth Amendment specialist. Several significant life defining political developments like the disputed 2000 election, 9/11, and the Iraqi war occurred during his formative years that shaped Ben's interest in public policy and his desire to pursue a degree in law. An opportunity to be a teaching assistant turned out to be one of those sliding door scenarios that led Ben to where he is now, a lawyer in the academic and consulting worlds specializing in cybersecurity and digital privacy issues. Through his work, Ben hopes to elevate the course of the debate on these very important issues. And, we thank Ben for sharing his story with us.
Link to episode

Trickbot may be down, but can we count it out? [Research Saturday]

Guest Mark Arena from Intel471 joins us to discuss his team's research into Trickbot and its evolution from a banking trojan to a long-standing, most likely well-resourced operation that was taken down last year. Mark shares some insight into Trickbot's order of operations and what went on behind the scenes that his team working with Brian Krebs were able to discover. Since the separate and independent actions taken against Trickbot, Intel471 has observed successful disruption of its command and control infrastructure. However, the actors linked to Trickbot have not ceased their criminal activities. These actors have continued engaging in ransomware activity, using BazarLoader instead of Trickbot. Intel471 is unable to assess the long-term impact of the Trickbot disruption activity or whether Trickbot will continue to be used by cybercrime groups. This analysis covers the period from Sept. 22, 2020 until Nov. 6, 2020. The research can be found here: Trickbot down, but is it out?
Link to episode

Implications of Solorigate's circumspection. RBNZ cleans data sources. Gamarue in student laptops. Dodgy apps. Ransom DDoS surges. Securing the President's Peloton.

Twice, it's maybe an indicator. Once, it's nuthin' at the machines. The Reserve Bank of New Zealand works to clean up its data sources. Wormy student laptops. Daily Food Diary is a glutton for your data. Ransom DDoS. Caleb Barlow examines how we handle disinformation in our runbooks and response plans. Our guest Ron Gula from Gula Tech Adventures shares his thoughts on proper public cyber response to the SolarWinds attack. And should we worry about that White House Peloton? For links to all of today's stories check out our CyberWire daily news brief:
Link to episode

Solorigate's stealthy, careful operators. LuckyBoy malvertising. BEC as reconnaissance? Remote work and leaky sites. And good riddance to the Joker's Stash.

Microsoft researchers detail the lengths to which the Solorigate threat actor went to stay undetected and establish persistence. LuckyBoy malvertising is described. Business email compromise as a reconnaissance technique? More reminders about the risks that accompany remote work. Ben Yelin looks at cyber policy issues facing the Biden administration. Rick Howard speaks with Frank Duff from Mitre on their ATT&CK Evaluation Program. And good riddance to the Joker's Stash (we hope). For links to all of today's stories check out our CyberWire daily news brief:
Link to episode

More on that Solorigate threat actor, especially its non-SolarWinds activity. Chimera's new target list. Executive Order on reducing IaaS exploitation. The case of the stolen laptop.

Another security company discloses a brush with the threat actor behind Solorigate. Advice on hardening Microsoft 365 against that same threat actor. Chimera turns out to be interested in airlines as well as semiconductor manufacturing intellectual property. Former President Trump's last Executive Order addresses foreign exploitation of Infrastructure-as-a-Service products. Joe Carrigan looks at a hardware key vulnerability. Our guest is Chris Eng from Veracode with insights from their State of Software Security report. And investigation of that laptop stolen from the Capitol continues. For links to all of today's stories check out our CyberWire daily news brief:
Link to episode

EMA emails altered before release in apparent disinformation effort. Vishing rising. Another backdoor found in SolarWinds supply chain campaign. An arrest and a stolen laptop.

The European Medicines Agency says stolen emails about vaccine development were altered before being dumped online. Another backdoor is found associated with the SolarWinds supply chain campaign. DNS cache poisoning vulnerabilities are described. FBI renews warnings about vishing. Iran's "Enemies of the People" disinformation campaign. Vishing is up. Rick Howard previews his hashtable discussion on Solorigate. Verizon's Chris Novak looks at cyber espionage. And the FBI makes an arrest in connection with a laptop taken during the Capitol Hill riot. For links to all of today's stories check out our CyberWire daily news brief:
Link to episode