podcast cover
Software Engineering

The CyberWire - Your cyber security news connection.


More signal, less noise—we distill the day’s critical cyber security news into a concise daily briefing.
Gift card bots evolve and adapt — Research Saturday

23:29 | Aug 24th

Researchers at Distil Networks have been tracking online bots targeting ecommerce gift card systems of major online retailers. The threat actors show remarkable resourcefulness and adaptability. Jonathan Butler is technical account team manager at Di...Show More
Google takes down YouTube influence operation. Cryptomining in a nuclear plant. Spyware in the Google Play Store.

22:29 | Aug 23rd

Google takes down YouTube accounts spreading disinformation about Hong Kong protests. Cryptomining gear seized at a Ukrainian nuclear plant. CISA outlines its strategic vision. Telcos and law enforcement team up to stop robocalls. Spyware makes it in...Show More
North Korean and Chinese cyber espionage. Updates on Texas ransomware. Steam zero-day released.

20:05 | Aug 22nd

A North Korean cyber espionage campaign targets universities, think tanks, and foreign ministries. Chinese cyber spies goes after the healthcare sector. A bug hunter discloses a zero-day for Steam. Updates on the Texas ransomware attacks. Adult sites...Show More
China criticizes Twitter and Facebook. Silence expands internationally. A popular Ruby library was backdoored.

20:39 | Aug 21st

China says Twitter and Facebook are restricting its freedom of speech. The Silence criminal gang has expanded internationally. Google, Mozilla, and Apple are blocking the Kazakh government’s root certificate. A popular Ruby library was backdoored aft...Show More
Chinese information operations on Twitter and Facebook. iOS jailbreak released. Adult websites leak information.

21:10 | Aug 20th

Twitter and Facebook shut down Chinese information operations. A jailbreak for the latest version of iOS is out. Facebook may have known about the “view as” bug. Vulnerabilities in Google’s Nest cams are patched. Instagram gets a data abuse bounty pr...Show More
ISIS claims Kabul massacre. Huawei gets a temporary break. Texas governments hit by ransomware. Hy-Vee warns of point-of-sale attack.

19:27 | Aug 19th

ISIS claims responsibility for Kabul massacre. Huawei gets another temporary reprieve. Local governments in Texas sustain ransomware attacks. Georgia hopes to combat cyberattacks with training. Google cuts a data sharing service. Bulletproof VPN serv...Show More
Detecting dating profile fraud — Research Saturday

25:04 | Aug 17th

Researchers from King’s College London, University of Bristol, Boston University, and University of Melbourne recently collaborated to publish a report titled, "Automatically Dismantling Online Dating Fraud." The research outlines techniques to analy...Show More
ECB sustains an intrusion into a third-party-hosted service. Norman quietly mines Monero. MetaMorph appears in a stealthy phishing campaign. Information operations.

23:28 | Aug 16th

The European Central Bank shutters a service due to a hostile intrusion. Norman quietly mines Monero. MetaMorph passes through email security filters. Some Capital One insiders thought they saw trouble brewing. Instagram crowd-sources epistemology. D...Show More
Huawei accused of abetting domestic surveillance in Africa. Cyber gangs adapt and evolve. Prosecutors indicate they’ll add charges to “erratic.” Bluetana detects card skimmers.

18:33 | Aug 15th

Huawei accused of aiding government surveillance programs in Zambia and Uganda. Cyber gangs are adapting to law enforcement, and they’ve turned to “big game hunting.” They’re also adapting legitimate tools to criminal purposes. US Federal prosecutors...Show More
Hacking the Czech Foreign Ministry. Microsoft patches new wormable bugs. More controversial human review of AI. Insecure links, exposed databases, and a California vanity plate.

20:08 | Aug 14th

The Czech Senate wants action on what it describes as a foreign state’s cyberattack on the country’s Foreign Ministry. Microsoft warns against the wormable DéjaBlue set of vulnerabilities. More humans found training AI. Insecure airline check-in link...Show More
UN Security Council looks at North Korean cybercrime. Notes on PsiXBot and BITTER APT. The state of spearphishing. Election security. A final look back at Black Hat and Def Con.

20:16 | Aug 13th

More on the UN Security Council’s report on North Korean state-sponsored cyber crime. PsiXBot evolves. BITTER APT probes Chinese government networks in an apparent espionage campaign. A study looks at the state of spearphishing. It’s not just the thr...Show More
A look back at Black Hat and Def Con. Sometimes failures that look like accidents are accidents. Russia wants better content suppression from Google. Notes on intelligence services.

20:36 | Aug 12th

A look back at Black Hat and Def Con, with notes on technology and public policy. Participants urge people to contribute their expertise to policymakers. Power failures in the UK at the end of last week are largely resolved, and authorities say they’...Show More
Unpacking the Malvertising Ecosystem — Research Saturday

26:09 | Aug 10th

Researchers at Cisco's Talos Unit recently published research exploring the tactics, technics and procedures of the global malvertising ecosystem. Craig Williams is head of Talos Outreach at Cisco, and he guides us through the life cycle of malicious...Show More
Voting machine security. Airliner firmware. Attribution and deterrence in cyberwar. Monitoring social media. Broadcom buys Symantec’s enterprise security business. Policing, privacy, and an IoT OS.

25:07 | Aug 9th

Are voting machines too connected for comfort? Airliner firmware security is in dispute. Attribution, deterrence, and the problem of an adversary who doesn’t have much to lose. Monitoring social media for signs of violent extremism. Broadcom will buy...Show More
Hacking in the Gulf region. Vulnerability research into airliner avionics. Phishing and ransomware move to the cloud. EU data responsibilities. US bans five Chinese companies.

19:43 | Aug 8th

Tensions in the Gulf are accompanied by an increase in cyber optempo. A warning about vulnerable airliner avionics. Phishing is moving to the cloud, and so is ransomware. Android’s August patches address important Wi-Fi issues. An EU court decision c...Show More
Another speculative execution flaw. LokiBot evolves. APT41 moonlights. Scammers exploit tragedies. Black Hat notes.

20:08 | Aug 7th

A new speculative execution processor flaw is addressed with software mitigations. LokiBot gets more persistent, and it adopts steganography for better obfuscation. The cyber-spies of APT41 seem to be doing some moonlighting. An accused criminal who ...Show More
Fancy Bear is snuffling around corporate IoT devices. Machete takes its cuts at Venezuelan military targets. What Mr. Kim is buying. MegaCortex goes for automation. Vigilantes, misconfigurations, etc.

20:44 | Aug 6th

Fancy Bear is back, and maybe in your office printer. El Machete, a cyber espionage group active at least since 2014, is currently working against the Venezuelan military. A UN report allegedly offers a look at what Mr. Kim is doing with the money hi...Show More
Ransomware attacks in Mexico and Germany. Wipers in criminal service. Supervising Siri and Alexa. Mass shooters find inspiration and online expression.

18:28 | Aug 5th

A Mexican publisher is hit with an extortion demand. Ransomware increasingly carries a destructive, wiper component: Germany is dealing with a virulent strain right now. Apple and Amazon, after the bad optics of reports that they’re farming out Siri ...Show More
Package manager repository malware detection — Research Saturday

11:38 | Aug 3rd

Researchers at Reversing Labs have been tracking malware hidden in software package manager repositories, and it's use as a supply chain attack vector. Robert Perica is a principal engineer at Reversing Labs, and he joins us to share their findings. ...Show More
Spearphishing utility companies. Bellingcat as gadfly, and target. Facebook takes down more coordinated inauthenticity. Card skimming. Tech regulation. Random acts of cruelty.

24:35 | Aug 2nd

LookBack malware used in spearphishing campaigns against US utilities. Phishing Bellingcat. Facebook takes down two campaigns of coordinated inauthenticity that had been active in the Middle East and North Africa. The growing problem of online card s...Show More
Capital One investigation update. Don’t give up on the cloud. Exposed databases and backdoors. Cybercrime as high-stakes poker. Phishing the financials. Bots on holiday.

20:43 | Aug 1st

Investigators pursue the possibility that the alleged Capital One hacker might have hit other companies’ data. An exposed ElastiSearch database, now secured, was found at Honda Motors. Data from beauty retailer Sephora are found on the dark web. Defe...Show More
Capital One breach update. CISA warns of avionics CAN bus vulnerabilities. More attacks on local Louisiana governments. Change at the SEC. Cyber summer school for NATO, EU diplomats.

19:49 | Jul 31st

Capital One takes a market hit from its data loss. Observers see the incident as a reminder that cloud users need to pay attention to their configurations. CISA warns of vulnerabilities in small, general aviation aircraft. Another parish in Louisiana...Show More
Capital One sustains a major data breach. Phishing in LinkedIn. VxWorks patches and mitigations. Brute-forcing NAS credentials. LAPD doxed?

20:22 | Jul 30th

Capital One sustains a major data breach affecting 106 million customers, and a suspect is in custody, thanks largely to her incautious online boasting. Iranian social engineers are phishing in LinkedIn, baiting the hook with a bogus job offer. WindR...Show More
Bears sniff at Bellingcat. Magecart in spoofed domains. MyDoom is still active. Shipboard malware was Emotet. Hutchins sentenced. Digital assistants have big ears. Taxes owed on alt-coin gains.

19:54 | Jul 29th

Bellingcat gets a look-in from the Bears. Magecart card-skimming code found in bogus domains. The MyDoom worm remains active in the wild, fifteen years after it first surfaced. Election security threats. The US Coast Guard says the malware that hit a...Show More
Special Edition - Cult of the Dead Cow author Joseph Menn extended interview

23:18 | Jul 28th

Our guest today is Joseph Menn. He’s a longtime investigative reporter on technology issues, currently working for Reuters in San Francisco. He’s the author of several books, the latest of which is titled Cult of the Dead Cow - How the original hacki...Show More
Day to day app fraud in the Google Play store — Research Saturday

20:08 | Jul 27th

Researchers at bot mitigation firm White Ops have been tracking fraudulent apps in the Google Play store. These apps often imitate legitimate apps, even going so far as to lift code directly from them, but instead of providing true functionality they...Show More
Winnti and other Chinese espionage activity. Volume I of the US Senate report on election meddling is out. Ransomware from Sabine, Louisiana, to Johannesburg, South Africa.

25:36 | Jul 26th

Winnti and other Chinese threats have been active against German and French targets. The US Senate Intelligence Committee has issued the first volume of its report on Russian operations against US elections--this one deals with infrastructure. Louisi...Show More
News about Russian and Chinese government threat actors. Powerful crimeware active in Brazil. BlueKeep really needs to be patched. Messenger Kids issues. Dispatches from the cryptowars.

20:09 | Jul 25th

Did you know that Fancy Bear has taken to wearing a Monokle? A new Chinese cyber espionage campaign is identified. Intrusion Truth tracks APT17 to Jinan, and China’s Ministry of State Security. Guildma malware is active in Brazil, and may be spreadin...Show More
Lancaster University breached. Kazakhstan is testing out HTTPS interception. The UK postpones its decision on Huawei’s 5G gear. The FTC is requiring Facebook to set up a privacy committee.

19:18 | Jul 24th

In today’s podcast, we hear that Lancaster University has suffered a data breach. A reportedly critical vulnerability in VLC Media Player may have already been fixed last year. Kazakhstan is testing out HTTPS interception. The UK postpones its decisi...Show More
Venezuela blames power failure on exotic sabotage, again. Huawei may have built North Korea’s 3G wireless networks. Were record privacy fines high enough? Logic bombing the customer.

19:27 | Jul 23rd

Venezuela’s government says the country’s massive blackout is the work of sabotage by foreign actors (read, the Yanquis) who took down the grid with an “electromagnetic attack.” Documents leaked from Huawei indicate that the electronics giant did ess...Show More
FSB contractor hacked. Pegasus now able to rummage clouds? Iranian cyber ops spike. Fraudulent student profiles. Judgement in Equifax FTC case. NSA hoarder gets nine years.

19:57 | Jul 22nd

A contractor for Russia’s FSB security agency was apparently breached. NSO Group says its Pegasus software can now obtain access to private messages held in major cloud services. Iranian cyber operations are said to be spiking, and Tehran is paying p...Show More
Special Edition — The Fifth Domain coauthor Richard A. Clarke

22:40 | Jul 21st

Our guest today is Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection and Counter-terrorism for the United States. Under President George W. Bush he was appointed Special Advisor to the President on cybersecurity. ...Show More
Nansh0u not your normal cryptominer — Research Saturday

17:48 | Jul 20th

Researchers at Guardicore Labs have been tracking an unusual cryptominer that seems to be based in China and is targeting Windows MS-SQL and phpMyAdmin servers. Some elements of the exploit make use of sophisticated components previously associated w...Show More
Following K3chang. Bulgaria’s tax agency breach. An alternative currency gets some incipient regulatory scrutiny. Why towns are hit with ransomware. A hair-care hack.

24:47 | Jul 19th

K3chang is out, about, and more evasive than ever. Data breached at Bulgaria’s National Revenue Agency has turned up online in at least one hacker forum. Facebook’s planned Libra cryptocurrency received close scrutiny and a tepid reception on Capitol...Show More
TrickBot’s new tricks. Poisoning the ad supply chain. Clouds get schooled. Novel phishing tackle, but stale bait. Cyberwar powers. Election interference. FaceApp fears. Bad macro suspect arrested.

19:46 | Jul 18th

TrickBot gets some new tricks, and they’re being called Trickbooster. Poisoning the advertising supply chain. Hessian schools will shy away from American cloud services. A novel phishing campaign is technically savvy but gives itself away with broken...Show More
Telco data breach. Firmware supply chain problems. Hacking BLE. Census security. Continuity of operations. Decryptor for GandCrab, NSPM 13. Bulgaria’s tax hack.

20:32 | Jul 17th

Sprint warns of data breach. Eclypsium announces discovery of server firmware supply chain problems. Bluetooth Low Energy may be less secure than thought. Congress hears about US census cybersecurity. Ransomware and continuity of operations. The FBI ...Show More
GandCrab hoods may be back with new ransomware. Video-on issues. Broadcom-Symantec talks are off, for now. Treason or just business? Robo-calls. A decryptor for Ims0rry ransomware.

19:47 | Jul 16th

The retirement of GandCrab’s hoods may have been exaggerated. Video conferencing tools RingCentral and Zhumu may have picked up Zoom’s issues in the tech they licensed. Broadcom’s projected acquisition of Symantec is on hold, at least for now. One Si...Show More
Voting machine woes. Router exploits trouble Brazil, Bitpoint alt-coin exchange investigates theft. Facebook fined $5 billion. Power failures probably unrelated to cyberattacks. Amazon Prime phishing.

19:39 | Jul 15th

Upgraded voting machines may not be as secure, or as upgraded, as election officials seem to think. Criminals continue to exploit routers in Brazil. A Japanese cryptocurrency exchange shuts down while it investigates a multimillion dollar theft. The ...Show More
Opportunistic botnets round up vulnerable routers — Research Saturday

18:04 | Jul 13th

Researchers at Netscout's ASERT Team have been tracking the growth of botnets originating in Egypt and targeting routers in South Africa. The payload is a variant of the Hakai DDoS bot. Richard Hummel is threat intelligence manager at Netscout, and h...Show More
Buhtrap gets into the spying game. US cyber operations against Iran considered: there are both strategic and Constitutional issues. Election security. Water bills. And again with the WannaCry.

23:51 | Jul 12th

Buhtrap moves from financial crime to cyber espionage. There may have been as many as three distinct US cyber operations against Iran late last month. The US legislative and executive branches continue to try to sort out Constitutional issues surroun...Show More
Magecart is getting interested in exposed databases. Agent Smith may be in your Android app store. Tracking FinSpy. A contractor gets spearphished.

20:09 | Jul 11th

GDPR fines and their implications. A reminder about Magecart, and some notes on its recent interest in scanning for unprotected AWS S-3 buckets. Agent Smith (of Guangzhou, not the Matrix) is infesting Android stores with evil twins of legitimate apps...Show More
Zoom addresses concerns about call joining and cameras. ICS vulnerabilities addressed. Patch Tuesday notes. Tracing a disinformation campaign.

20:44 | Jul 10th

Zoom agrees to change what it still sort of regards as a feature and not a bug. Industrial control system vulnerabilities are reported and patched. Microsoft issues seventy-seven fixes on Patch Tuesday. Adobe has a relatively light month for patches....Show More
Security issues with Zoom for Macs. Astaroth fileless malware reported in Brazil. GoBotKR distributed by torrent. ICO hits British Airways with a record fine. State attacks and state defenses.

20:17 | Jul 9th

Zoom user security appears to have been sacrificed on the altar of user experience. The fileless Astaroth Trojan is again in circulation, mostly, for now, in Brazil. Torrents are distributing the GoBot2 backdoor. The UK’s Information Commissioner’s O...Show More
Another ransomware victim pays extortionists. Business email compromise. Government impostor scams. ShadowBrokers still airborne. Exploit supply chain. Silence suspected in bank heists.

20:24 | Jul 8th

Another ransomware victim pays up. Privilege escalation comes to ransomware. Vendor impersonation scams hit cities, and government impersonation scams hit citizens: be wary of both. Former NSA contractor Hal Martin will be sentenced later this month,...Show More
Warnings of Outlook exploitation, with a possible Iranian connection. GPS jamming in the Eastern Med. Satellite vulnerabilities. 505 errors. TA505’s new tactics. Content moderation updates.

20:11 | Jul 3rd

US Cyber Command warns that an Outlook vulnerability is being actively exploited in the wild. Other sources see a connection with Iran. GPS signals are being jammed near Tel Aviv, and Russian electronic activity in Syria is suspected as the cause. A ...Show More
US-Iranian tension expressed in cyberspace. OceanLotus and Ratsnif. Ransomware in Georgia, again. Going low-tech to protect the grid. Magecart update. Cryptowars and agency equities.

19:38 | Jul 2nd

Tensions between the US and Iran are likely to find further expression in cyberspace. OceanLotus’s Ratsnif kit isn’t up to the threat actors normally high standards of coding, but it’s plenty good enough. Cyberattacks in the states of Florida and Geo...Show More
Huawei spits the hook? CISA warns about the risk of Iranian cyberattack. Power grid security. Cryptocurrency and fraud. Content moderation. Senators like Hack the Pentagon.

20:14 | Jul 1st

Huawei gets to buy some products from US companies, again. CISA reiterates warnings about the risk of cyberattack from Iran. Considerations about power grid security. Cryptocurrencies draw criminals, and some of the scammers are looking ahead. Austra...Show More
Giving everyone a stake in the success of Open Source implementation — Research Saturday

21:48 | Jun 29th

Synopsys recently published the 2019 edition of their Open Source Security and Risk Analysis (OSSRA) Report, providing an in-depth look at the state of open source security, compliance, and code quality risk in commercial software. Tim Mackey is pri...Show More
Regin in Yandex? Golang is out and busy. So is the ShadowGate crew. The ICO wants an explanation from the Metropolitan Police. Trackers in news sites. Phishing those who seek “Verification.”

24:37 | Jun 28th

Yandex says it was hacked with Regin spyware. The Golang cryptominer is spreading, again. And the ShadowGate ransomware crew is newly active with a dangerous drive-by. Three data exposures are reported. London’s Metropolitan Police are in trouble wit...Show More
Washington and Tehran confront one another in cyberspace. Dominion National investigates data incident. Facebook on info ops (and identity). Labor market notes. Skids on skids.

20:30 | Jun 27th

The US cyberattack against Iranian targets remains only indistinctly visible in the information fog of cyberwar. Iran’s APT33 seems to have altered its tactics after its operations against Saudi targets were described by Symantec at the end of March....Show More
Militia said to be target of US cyberattack. Myanmar shuts down networks. Spam campaign. Supply chain issues for Huawei gear. Election security. Recovering from ransomware by paying up?

20:12 | Jun 26th

Sources name a Shi’ite militia aligned with Iran as one target of last week’s US cyberattacks. Myanmar shuts down mobile networks in its Rakhine province, where the Buddhist insurgents of the Arakan Army have been using Facebook for coordination and ...Show More
Operation Soft Cell targets mobile networks. DC and Tehran trade barbs. Critical infrastructure concerns. Maryland’s Cyber Defense Initiative.

20:35 | Jun 25th

Operation Soft Cell was low, slow, patient, and focused, and apparently run from China. Washington and Tehran are woofing at each other, with more exchanges in cyberspace expected. Cyber due diligence is taken increasingly seriously during mergers an...Show More
Notes on a reported US cyberattack against Iran. A look at “Secondary Infektion.” And some cases of cyber stalking.

19:11 | Jun 24th

The US is said to have conducted cyberattacks against Iranian targets related to recent Iranian moves in the Gulf. They cyber operations are also said to have been a covert alternative to conventional military strikes. The Atlantic Council describes ...Show More
Middleboxes may be meddling with TLS connections — Research Saturday

21:50 | Jun 22nd

Researchers at Cloudflare have been examining HTTPS interception, a technique that weakens security, and have developed tools to help detect it.  Nick Sullivan is head of cryptography at Cloudflare, and he joins to us share their findings. The resear...Show More
US-Iranian tensions find expression in cyberspace as Refined Kitten returns. Facebook tries friction against abuse. Cryptominers in the wild. Lead generation for cyber criminals.

24:58 | Jun 21st

Tensions between the US and Iran over tanker attacks, nuclear ambitions, and the downing of a Global Hawk drone seem to be finding expression in cyberspace: Refined Kitten sees to be pawing for some American phish. Facebook tries friction as an alter...Show More
Turla hijacks OilRig infrastructure. Bouncing Golf is no game. CISA panel recommends supply chain security reforms. AMCA driven toward bankruptcy by data breach. Florida town pays ransom.

20:00 | Jun 20th

Call it Waterbug or call it Turla, the Russian cyber operation has been hijacking Iran’s OilRIg cyber espionage infrastructure. Other cyber campaigns also afflict Middle Eastern targets. A US panel convened by CISA has some recommendations for supply...Show More
BlueKeep, again. Facebook’s cryptocurrency play. Updates on alleged or suspected electrical grid hacks. Catphishing and spying. Compromised social media accounts.

19:52 | Jun 19th

More advice to patch BlueKeep, already. Facebook announces its planned launch of a cryptocurrency, Libra, to the accompaniment of considerable acclaim and at least as much skepticism. Updates on alleged power grid cyber operations. Catphishing and th...Show More
Power grids, accidents, the challenge of forensics, and the nature of deterrence. BlueKeep considerations. Third- and fourth-party risks.

20:08 | Jun 18th

Investigation into Argentina’s power failure continues, with preliminary indications suggesting “operational and design errors were responsible for the outage. Russia reacts to reports that the US staged malware in its power grid. Iran says it stoppe...Show More
Cyber deterrence? What grid failure looks like (and it needn’t come from a cyberattack). EU complains of Russian info ops. Twitter takes down inauthentic accounts.

20:18 | Jun 17th

The New York Times reports that the US has staged malware in Russia’s power grid, presumably as deterrence against Russian cyberattacks against the US. South America has largely recovered from a large-scale power outage that seems, so far, to have be...Show More
Apps on third-party Android store carry unwelcome code — Research Saturday

12:18 | Jun 15th

Researchers at Zscaler have been tracking look-alike apps in third-party Android app stores that carry malicious code. Deepen Desai is VP of security research and operations and Zscaler, and he joins us to share their findings.  The original research...Show More
Xenotime is now interested in the power grid. Vulnerable Exim servers under attack. Mr. Assange goes to court. Credential-stuffing attacks on gamers. And that Ms Katie Jones? Not a real person.

24:50 | Jun 14th

Xenotime is detected snooping around the North American power grid. Hacking groups exploit the Return of the Wizard vulnerability in Exim servers. Hearings on the extradition of WikiLeaks’ Julian Assange have begun. Online gamers are being chased wit...Show More
Telegram recovers from DDoS. Fishwrap campaign breaks old news. Ransomware hits ACSO plants. Congress considers hacking back, again. That ol’ devil limbic system.

20:18 | Jun 13th

Telegram recovers from a distributed denial-of-service attack. No attribution yet, but all the circumstantial evidence points to the Chinese security services. Operation Fishwrap, conducted by parties unknown, is an influence campaign that substitute...Show More
Shifting techniques in cybercrime. Miscreants take note: “the aperture” will henceforth be wider for US Cyber Command and offensive ops. What Radiohead did.

20:32 | Jun 12th

TA505 and Fin8 are both up to their old ways, with some new tricks in their criminal bag. A reminder about social engineering and Google Calendar. A new assertiveness is promised in US cyber operations, as the Administration “widens the aperture.” Up...Show More
Russia’s sovereign Internet. Huawei updates. CBP discloses exposure of images collected at a border crossing. Gmail features used for social engineering. M&A notes. Top bugs found by bounty hunters.

20:18 | Jun 11th

Russia says shrapnel from America’s war on that nice company Huawei is “destroying the world.” Russia also tells Tinder to fork over user pictures and messages. A Recorded Future study outlines the case for regarding Huawei as a security risk. US Cus...Show More
An espionage campaign succeeds without zero-days. Spam serves up old Office exploit. Disinformation makes it into YouTube. The Huawei Affair. Raytheon to be acquired.

17:07 | Jun 10th

MuddyWater shows renewed activity--no zero-days and no exotic malware, just clever approaches and determined social engineering. Spam is serving up payloads that exploit an old Microsoft Office vulnerability. Russian-sponsored disinformation has been...Show More
Xwo scans for default credentials and exposed web services — Research Saturday

14:43 | Jun 8th

Researchers at AT&T Alien Labs have been tracking a new malware family they've named "Xwo" that's scanning systems for default credentials and vulnerable web services.  Tom Hegel is security researcher with AT&T Alien Labs, and he share their finding...Show More
Recruiting spies at university? GoldBrute botnet and RDP vulnerabilities. MuddyWater update. RIG delivers Buran. Achilles claims to sell access. NRC’s IG reports on cyber. Antitrust for Big Tech.

25:43 | Jun 7th

The Australian National University hack and data loss look to many observers like the work of Chinese intelligence services. The GoldBrute botnet is scanning vulnerable RDP servers. MuddyWater is back, undeterred by leaks and learning from the best. ...Show More
BlueKeep proofs-of-concept. BeiTaAd plug-in is a serious Android pest. Cyber espionage against the EU’s Moscow embassy. Influence operations. A motive for GPS spoofing?

19:49 | Jun 6th

BlueKeep proof-of-concept exploits have been developed, and people are urged to patch. An annoying, disruptive advertising plug-in comes bundled with a couple of hundred Android apps in the Play Store. The EU’s Moscow embassy seems to have been the f...Show More
AMCA breach extends to LabCorp. Still no EternalBlue in Baltimore ransomware attack. Frankenstein malware. Real hacking isn’t like the movies. Huawei’s no-spy deal. US Data Strategy. Patch BlueKeep.

20:32 | Jun 5th

Another medical testing firm is hit by the third-party breach at AMCA. More officials say there’s no EternalBlue involved in Baltimore’s ransomware attack. (And that attack may have involved some doxing, too--investigation is underway.) Real hacking ...Show More
Iranian brute-forcing tool leaked. Third-party data breach touches medical testing company. Ransomware news and updates. An antitrust look at Silicon Valley?

19:56 | Jun 4th

Jason, an Iranian brute-forcing tool, has been leaked. A third-party breach affects customer and patient data held by Quest Diagnostics. Eurofins Scientific is recovering from a ransomware attack. A look at Baltimore City’s ransomware infestation sho...Show More
Recovery from network congestion. GandCrab to close. BlackSquid drops XMRig. BlueKeep patching lags. Crypto for criminals trial. Antitrust investigation of Google. “Persistence of Chaos” sold.

20:46 | Jun 3rd

Google’s cloud services recover from network congestion. GandCrab’s proprietors say they’re retiring rich at the end of the month. BlackSquid delivers the XMRig Monero miner. Updates on the Baltimore ransomware incident. Too many machines not yet pat...Show More
Blockchain bandits plunder weak wallets — Research Saturday

19:12 | Jun 1st

Adrian Bednarek is a senior research analyst at Independent Security Evaluators. He and his colleagues looked at weak private cryptocurrency keys on the Ethereum blockchain in an attempt to discover how and why they are being generated as well as how...Show More
Malicious misdirection. Found on the subway. A summary of file exposure. Turla’s back, and as clever as ever. ICRC proposes rules of cyberwar. Baltimore ransomware update.

25:42 | May 31st

Malicious misdirection served up from unpatched WordPress sites. A big, big set of dating site records has been found exposed online--it’s in China, but the records seem to belong to anglophones. Many other files are exposed elsewhere, too, so it’s n...Show More
Malicious misdirection. Found on the subway. A summary of file exposure. Turla’s back, and as clever as ever. ICRC proposes rules of cyberwar. Baltimore ransomware update.

20:21 | May 30th

Malicious misdirection served up from unpatched WordPress sites. A big, big set of dating site records has been found exposed online--it’s in China, but the records seem to belong to anglophones. Many other files are exposed elsewhere, too, so it’s n...Show More
Special Counsel Mueller speaks about his investigation of Russian influence in the 2016 US presidential campaign. Iranian coordinated inauthenticity. BlueKeep, Pegasus updates.

20:56 | May 29th

Special Counsel Mueller makes his first public statement about the results of his investigation into influence operations surrounding the 2016 US Presidential campaign. He says his first statement will also be his last. FireEye identifies Iranian coo...Show More
Sensitive mortgage documents left exposed online. Someone’s scanning for BlueKeep RDP issues. Huawei updates. The case of Baltimore City’s ransomware.

15:19 | May 28th

First American Financial suffers a data exposure, with hundreds of millions of mortgage-related documents left open to the Internet. Someone is scanning Tor for signs of BlueKeep RDP vulnerabilities. China complains about US complaints against Huawei...Show More
A fresh look at GOSSIPGIRL and the Supra Threat Actors — Research Saturday

29:27 | May 25th

Chronicle researchers Juan Andres Guerrero Saade and Silas Cutler recently published research tracking the development of the Stuxnet family of malware, which ultimately led them to the GOSSIPGIRL Supra Group of threat actors.  Juan Andres Guerrero S...Show More
Stone Panda update. A new strain of Mirai. Bogus cryptocurrency apps are trending in Google Play. Mr. Assange is charged under the Espionage Act. Info ops. Law firms as phishbait.

25:18 | May 24th

Stone Panda is distributing the Quasar RAT. A new strain of Mirai is out. Bitcoin prices are up, and so is the incidence of malicious cryptocurrency apps in Google Play. The US charges Wikileaks’ Julain Assagne with seventeen new counts under the Esp...Show More
NATO and UK to Russia: hands off elections and infrastructure. More trouble for Huawei, and maybe for others. Notes from the Cyber Investing Summit. Equifax downgraded over 2017 breach. Is it art?

20:31 | May 23rd

The UK and NATO send Moscow a pointed message about the consequences of meddling with either infrastructure or elections. More companies, including ARM, decide they won’t be working with Huawei. Other Chinese companies seem headed for US blacklisting...Show More
Fancy Bear fingered, again. Warnings for travelers. Political parties get a cybersecurity grade. Updates on US restrictions on Chinese companies.

19:40 | May 22nd

Fancy Bear’s latest campaign is using malware reported to Virus Total by US Cyber Command. IBM’s X-Force looks at cybersecurity for travelers, and shares a bunch of horror stories. Security Scorecard looks at the online security of political parties ...Show More
BlackWater snoops through the Middle East. TeamViewer hacked. Android app behaving badly. A misconfigured database with scraped Instagram data. Ransomware notes. Huawei updates.

18:02 | May 21st

BlackWater is snooping around the Middle East. It’s evasive, and it looks a lot like the more familiar MuddyWater threat actor. TeamViewer turns out to have been hacked, and the perpetrators look like the proprietors of the Winnti backdoor. An Androi...Show More
Huawei agonistes. Hacktivism is way down. New EU sanctions regime. Facebook goes after more coordinated inauthenticity. Salesforce still fixing its fix. OGuser hacked.

20:04 | May 20th

Huawei is on the US Entity List, and US exporters have been quick to notice and cut the Shenzhen company off. Security concerns are now expected to shift to the undersea cable market. Hacktivism seems to have gone into eclipse. The EU enacts a sancti...Show More
Elfin APT group targets Middle East energy sector — Research Saturday

15:19 | May 18th

Researchers at Symantec have been tracking an espionage group known as Elfin (aka APT 33) that has targeted dozens of organizations over the past three years, primarily focusing on Saudi Arabia and the United States.  Alan Neville is a principal thre...Show More
Slack closes a vulnerability. Email tracking in a court martial. Restrictions on doing business with Huawei come into place. A case of responsible disclosure.

25:28 | May 17th

A Slack vulnerability is disclosed and fixed. And this is not as seen on TV: a real NCIS investigation is likely to occupy real JAGs for some time to come, with implications for military and civilian cyber law. The US is moving rapidly on Huawei and ...Show More
US Executive Order aimed at China, and Huawei. Hunting backdoors in Dutch networks. Spyware proliferation. Cipher stunting. Titan key spoofing. Meaconing warning. Exposed PII in Russia.

20:38 | May 16th

President Trump declares a state of emergency over the threat from foreign adversaries and the companies they control. (And yes, Huawei, he’s looking at you.) Dutch intelligence is said to be investigating the possibility of backdoors in telecommunic...Show More
Sharing espionage tools and infrastructure. Speculative execution flaws found in Intel chips. A big Patch Tuesday. CrowdStrike’s IPO. WhatsApp exploitation. Cyber Solarium. Ransomware in Baltimore.

18:04 | May 15th

Chinese domestic and foreign intelligence services are cooperating more closely in cyberspace. Another set of speculative execution issues is found in Intel chips. This month’s Patch Tuesday was a big one. CrowdStrike files for its long-anticipated I...Show More
Russians hacked two Florida counties. Fxmsp targets named. WhatsApp patches spyware-enabling flaws. Breach costs. Cisco patches routers. Endless Mayfly’s endless hogwash.

20:36 | May 14th

Russian operators breached two Florida counties’ voting systems, but without altering vote counts. Symantec, McAfee and Trend Micro are thought to be the security vendors hit by Fxmsp cybercrminals. WhatApp patches a flaw exploited to install spyware...Show More
Security companies allegedly hacked by Fxmsp remain unidentified. SharePoint bug exploited in the wild. G7 preps major cyber exercise. Anthem hack motive? Amnesty takes NSO Group to court.

16:08 | May 13th

Fxmsp criminals are now said to have code from a fourth security company, but none of the claimed victims have been publicly identified. A SharePoint vulnerability is being exploited against unpatched servers in the wild. The G7 are preparing a major...Show More
Steganography enables sophisticated OceanLotus payloads — Research Saturday

17:31 | May 11th

Researchers at Blackberry Cylance have been tracking payload obfuscation techniques employed by OceanLotus (APT32), specifically steganography used to hide code within seemingly benign image files. Tom Bonner is director of threat research at Blackb...Show More
Breaches at AV companies? Pyongyang’s ElectricFish. Symantec’s CEO steps down. Calls to break up Facebook and regulate the pieces. US Federal indictments for leaks and breaches. Verizon DBIR reviewed.

24:47 | May 10th

Fxmsp may have breached three anti-virus companies. US-CERT and CISA warn against a new North Korean malware tool being used by Hidden Cobra: they’re calling it “ElectricFish.” A changing of the guard at Symantec. Former Facebook insiders call for br...Show More
Someone is after Tehran’s hackers. GitLab misconfiguration. AI’s attack potential. Amazon pursues hackers who defrauded sellers. DeepDotWeb indictments. Evil Clippy. Lunch hacks in San Mateo.

18:58 | May 9th

The Green Leakers release more information about Iranian cyber operators, including details about MuddyWater and the Rana Institute. A misconfigured GitLab instance exposes data used by Samsung engineers. Thoughts on how AI can shift the advantage to...Show More
Turla’s new backdoor. Verizon’s 2019 Data Breach Investigations Report. Bad actors seek to influence the EU. US CYBERCOM preps for 2020. Baltimore’s ransomware. Monolingual content moderation.

20:24 | May 8th

Turla is back, and with a clever backdoor called “LightNeuron.” Verizon’s Data Breach Investigations Report shows that the C-suite remains a big target of social engineers, that crooks are following companies into the cloud, that ransomware remains p...Show More
Reverse engineering Equation Group attack tools (and putting them to bad use). Hacking, jamming, and airstrikes. Taking down coordinated inauthenticity. How big is the dark web?

20:33 | May 7th

Buckeye seems to have reengineered some of Uncle Sam’s cyber tools, and they did it without, apparently, help from the ShadowBrokers. More on airstrikes as retaliation for hacking, with a brief excursus on electronic warfare. Notes on malicious commi...Show More
Supply chain hacking campaign looks like espionage. Airstrikes versus hackers. FTC versus Facebook. Notes from the Global Cyber Innovation Summit. What’s up with MegaCortex.

20:48 | May 6th

Tracking a group that’s after the software supply chain. Israel adds airstrikes to the array of responses it’s prepared to make to hackers. The US Federal Trade Commission still doesn’t know how you solve a problem like Mark. Some more notes from las...Show More
Sea Turtle state-sponsored DNS hijacking — Research Saturday

23:33 | May 4th

Researchers at Cisco Talos have been tracking what they believe is a state-sponsored attack on DNS systems, targeting the Middle East and North Africa. This attack has the potential to erode trust and stability of the DNS system, so critical to the g...Show More
Utility hack update. Surveillance tool proliferation. Exploit black market. Novel ransomware, old distro channel. Notes from the Global Cyber Innovation Summit.

25:34 | May 3rd

That cyber incident that affected electrical utilities in the western United States seems to have been a denial-of-service attack. Concerns arise over potential proliferation of Chinese security service tools. Exploit blackmarketeer Volodya and some ...Show More
Wipro update. Office 365 attacks. The "Smart Content Store" is bad mojo. Russian Internet sovereignty. Global Cyber Innovation Summit notes.

17:14 | May 2nd

The group behind the Wipro attack has been active since 2015. Office 365 are still being targeted by account takeover attacks. A third-party Android app store is serving malware. The UK Defense Secretary has been sacked over leaked information. The U...Show More
US Energy Department alludes to March cyber incident. BND 19-02 is out. Facebook likes privacy. Assange gets a short nickel.

20:17 | May 1st

In today’s podcast, we hear that a US Energy Department report alludes to a March cyber incident. Citycomp refused to yield to blackmail, so now its client data is being leaked. The US Department of Homeland Security has issued Binding Operational Di...Show More
Telnet may not be the backdoor you’re looking for. Large PII database left exposed by parties unknown. DHS has a Critical Functions List. ISIS inspiration is back.

20:06 | Apr 30th

A backdoor turns out to be a familiar kind of Telnet implementation (and it was fixed seven years ago in any case). A large database of US household personally identifiable information was found exposed online, but who owned it remains unclear. The U...Show More
IoT devices exposed in peer-to-peer software vulnerability. Car hacking claims. More warnings of possible violence in Sri Lanka. Curating app stores for security. eScooter’s “voices” hacked.

15:11 | Apr 29th

Vulnerable peer-to-peer software exposes consumer and small-business IoT devices to compromise. A hacker says he’s hacked automotive GPS trackers, all for the good, of course, and could even turn off a car’s engine. Not, you know, that he would. Sri ...Show More
Deep Learning threatens 3D medical imaging integrity — Research Saturday

21:10 | Apr 27th

Researchers at Ben Gurion University in Israel have developed techniques to infiltrate medical imaging system networks and alter 3D medical scans within, fooling both human and automated examiners with a high rate of success.  Yisroel Mirsky is a cyb...Show More
Sri Lanka bombing investigation updates. Cryptojacking targets enterprises in East Asia. Oracle web server zero-day. The criminal-to-criminal credential-stuffing market. Who talked about Huawei in UK?

24:42 | Apr 26th

Investigation of the Easter massacres in Sri Lanka continues. For all the concern about online inspiration, some of the coordination seems to have been face-to-face. Symantec describes a cryptojacking campaign, Beapy, that propagates using EternalBlu...Show More
Pledging allegiance to ISIS, and then going forth to kill. Adware in Google Play. Context-aware phishbait. Facebook and the FTC. Server crash or exit scam?

20:50 | Apr 25th

Sri Lanka’s investigation of the Easter massacres continues, with some ISIS video surfacing. Apps with aggressive adware found in Google Play. Context-aware phishbait may be bringing the Qbot banking Trojan to an email thread near you. Facebook seems...Show More
Sri Lanka bombing investigation update. Christchurch call. ShadowHammer moves upstream. Carbanak in VirusTotal after all. Spoofing banks. Bots vs. Mueller Report. ASD’s best practices.

20:49 | Apr 24th

Sri Lanka investigates a homegrown jihadist group with possible international connections for the Easter massacres. New Zealand is preparing the Christchurch Call to exclude violent terrorist content from the Internet. ShadowHammer moves its supply c...Show More
ISIS claims responsibility for Sri Lanka massacre. Spearphishing embassies in Europe. How the Blockchain Bandit probably did it. Mexican embassy doxed.

20:07 | Apr 23rd

ISIS claims responsibility for the Sri Lankan bombings. The government maintains its declared state of emergency, and has arrested at least forty in the course of its investigation. Check Point describes a spearphishing campaign against embassies in ...Show More
Sri Lanka’s social media clamp-down, and investigation of Easter massacres. CIA said to have details on Huawei’s relationship with China’s security services. Marcus Hutchins pleads guilty.

16:06 | Apr 22nd

Sri Lanka clamps down on social media in the wake of Easter massacres. Authorities suspect an Islamist group, but no terrorist organization has so far claimed responsibility. CIA intelligence is said to have the goods on Chinese security services’ ho...Show More
Undetectable vote manipulation in SwissPost e-voting system — Research Saturday

26:00 | Apr 20th

Researchers have discovered a number of vulnerabilities in the SwissPost e-vote system which could allow undetectable manipulation of votes.  Dr Vanessa Teague is Associate Professor and Chair, Cybersecurity and Democracy Network at the Melbourne Sch...Show More
Observations on the Mueller Report. Doxing Iranian intelligence. Insecure messaging. Old Excel macros. Wipro hack and gift cards.

24:51 | Apr 19th

Some observations on the Mueller Report, in particular its insight into what two specific GRU units were up to. (And some naming of DCLeaks and Guccifer 2.0 as GRU fronts.) Someone is doxing Iran’s OilRig cyberespionage group. A French government mes...Show More
Mueller Report is out. Sea Turtle DNS-manipulation campaign. Over-privileged and under-honest apps kicked out of Google Play. Facebook has another privacy incident. Fraud and destruction.

20:54 | Apr 18th

The US Justice Department releases the redacted Mueller Report: investigators found no evidence sufficient to establish conspiracy or coordination between any US persons and the Russians over the 2016 campaign, but the Bears were busy. The Sea Turtle...Show More
Spearphishing from “Luhansk.” Pro-Assange hacktivism. Another undercover private eye? Pirated Game of Thrones episodes carry malware.

19:59 | Apr 17th

Spearphishing campaign against Ukraine traced to the so-called “Luhansk People’s Republic.” Anonymice threaten to rain chaos on Yorkshire if Julian Assange isn’t freed--actually, more chaos since the initial chaos was perhaps too easily overlooked. A...Show More
Fraud will follow fire, alas. Wipro compromise. DDoS in Ecuador. Brazil’s hacker underground. Selling a keylogger. Facebook and data. EU copyright law. Huawei’s prospects. Fact-checkin’, fer real.

19:48 | Apr 16th

Condolences to the city of Paris and the people of France. And, alas, expect fraud to follow fire. A compromise may have turned a company’s networks against its customers. Denial-of-service in Ecuador. A look at Brazil’s cyber criminals. Selling a ke...Show More
ISIS inspiration in exile. Facebook’s Sunday outage. A Microsoft IE bug, and a web-mail breach. Issues with VPNs. Last minute tax scams. Oculus Easter eggs.

15:34 | Apr 15th

An ISIS hard drive suggests the Caliphate’s plans for inspiration as it enters exile. Facebook’s Sunday outage remains unexplained. Microsoft deals with a breach in its consumer web mail products. A researcher drops an Internet Explorer zero-day that...Show More
The ghost and the mole; Eric O'Neill's Gray Day — Special Edition

37:48 | Apr 14th

Eric O’Neill is a former FBI counterintelligence and counterterrorism operative, and founder of the Georgetown Group, a security and investigative firm, as well as national security strategist for Carbon Black. In his book Gray Day, My Undercover Mis...Show More
Establishing software root of trust unconditionally — Research Saturday

22:29 | Apr 13th

Researchers at Carnegie Mellon University's CyLab Security and Privacy Institute claim to have made an important breakthrough in establishing root of trust (RoT) to detect malware in computing devices. Virgil Gligor is one of the authors of the resea...Show More
Mr. Assange’s courthouse future(s). Dragonblood Wi-Fi vulnerabilities. Tax fraud and identity theft dark web souks.

24:30 | Apr 12th

Julian Assange remains in British custody. Hearings on the US extradition warrant are expected to begin next month. The US indictment revives discussion of the Computer Fraud and Abuse Act under which Mr. Assange was charged. Some notes on why Ecuado...Show More
Julian Assange is out of the embassy and in custody. Pyongyang’s HOPLIGHT. Operations SneakyPastes. Incident response planning blues. High school jam.

20:09 | Apr 11th

Julian Assange is out of the Ecuadoran embassy and in British custody. He’s been found guilty of bail jumping, and will face extradition to the US on charges related to conspiracy to release classified material. Hidden Cobra is back with a new Trojan...Show More
The Triton actor seems to be back. Project TajMahal is after diplomatic secrets. California’s motor-voter program and a DMV hack.

17:56 | Apr 10th

FireEye says that the Triton actor is back. There’s some ICS malware staged in an unnamed “critical infrastructure” facility, and it looks as if the people who went after a petrochemical plant in 2017 are back for battlespace preparation. Kaspersky d...Show More
GossipGirl, the supra threat actor. LockerGoga’s destructive functionality. More hacking allegations out of Caracas. Revolutionary Guard now a designated terrorist group. Creepy crime.

20:49 | Apr 9th

In today’s podcast, we hear about GossipGirl, potentially a “supra threat actor” Chronicle sees linking Stuxnet, Flame, and Duqu. LockerGoga’s destructive functionality may be a feature, not a bug. Venezuela now says its power grid is being hacked by...Show More
US DHS Secretary Nielsen resigns. Credential stuffing campaigns. Cryptojacking disrupts a business. A duty of care, online. Tax season scams.

15:44 | Apr 8th

In today’s podcast, we hear about leadership changes at the US Department of Homeland Security. A look at credential stuffing. Cryptojacking disrupts production at an optical equipment manufacturer. The British Government moves toward establishing a ...Show More
Lessons learned from Ukraine elections — Research Saturday

23:15 | Apr 6th

Joep Gommers from EclecticIQ joins us to share their research tracking the information operations and and security methods they've been tracking that Russians have been using in advance of the recently held elections in Ukraine. The research can be f...Show More
Crooks use Facebook, too. Congress asks FEMA for an explanation. Card skimmers in Mexico.

20:49 | Apr 5th

In today’s podcast we hear about an “Amazon-style fulfillment model” for the criminal-to-criminal market. Criminals have Facebook groups, too, and lots of friends (“friends” here being a term of art). Xiaomi patches man-in-the-middle problems in its ...Show More
Keeping Winnti out of the goods while keeping an eye on them. GlitchPOS malware. What do apps want? Third-party Facebook data exposure. Digital hygiene. A scareware scam.

20:35 | Apr 4th

In today’s podcast we hear that Bayer, maker of pharmaceuticals and agricultural products, blocked an espionage attempt by China’s Winnti Group, and has been quietly monitoring the threat actor since last year. GlitchPOS and its evolution. Do those a...Show More
For OceanLotus, a picture is worth a thousand words (or at least a few lines of loader code). Georgia Tech breached. Mounties raid offices associated with Orcus RAT.

20:45 | Apr 3rd

In today’s podcast, we hear that OceanLotus, a.k.a. Cobalt Kitty, a.k.a. APT32, is out and about and using a steganographic vector to deliver its loader. Georgia Tech suffers a major data breach, with access to student, staff, and faculty records by ...Show More
Ransomware deletes dupes. Exodus scandal grows in Italy. Election reports from Ukraine and Israel.

20:27 | Apr 2nd

In today’s podcast, we hear that a ransomware strain deletes duplicates. But you know that just keeping a duplicate on the same drive wasn’t a secure backup, right? Right? Exodus spyware, now ejected from Google Play, is becoming a significant scanda...Show More
Patch Magento soon. Toyota hacked again. Exodus spyware hits app stores. Moscow seeks to corral VPN providers. Facebook wants regulation. Swatting sentence. Phishing tackle in Nigeria.

18:06 | Apr 1st

In today’s podcast, we hear that Magento users are being  urged to patch as risk of exploitation rises. Toyota experiences another cyber attack, and some observers blame, on grounds of motive, opportunity, and track record, OceanLotus. Exodus spyware...Show More
Bonus Episode: The grugq illuminates influence operations

34:45 | Mar 31st

We're sharing a special bonus episode, celebrating the 100th episode of the Recorded Future podcast and featuring well-known hacker, presenter and social media personality the grugq. The topic is influence operations.
Alarming vulnerabilities in automotive security systems — Research Saturday

18:42 | Mar 30th

Researchers at Pen Test Partners recently examined a variety of third-party automotive security systems and found serious security issues, potentially giving bad actors the ability to locate, disable or meddle with multiple vehicle systems. Ken Munro...Show More
Russian information operations, and lessons on election security from the Near Abroad. Magneto proof-of-concept exploit. Huawei, security, and bugs. Training AI. Labor market news.

24:41 | Mar 29th

In today’s podcast, we hear that Ukraine is preparing for this weekend’s elections while facing intense Russian information operations. Estonia’s experience with such interference may hold lessons. A Magneto vulnerability, just patched, could comprom...Show More
Gustuff is out and after Android devices. Microsoft takes down Phosphorus. Elfin is working for Tehran. Russian cyber troops come to help Venezuela’s Chavistas. Guilty plea expected in Martin case.

19:58 | Mar 28th

In today’s podcast we hear that a  young banking Trojan gains criminal marketshare in the Android ecosystem. Microsoft lawyers up and seizes sites Iran’s Charming Kitten used to stage its attacks. Another Iranian APT, “Elfin,” is described. A battali...Show More
State cyber-espionage. Influence operations and coordinated inauthenticity. Add Lucky Elephant to the menagerie. ASUS supply chain updates. Notes on Norsk Hydro’s recovery. Reactions to the Mueller Report.

20:47 | Mar 27th

In today’s podcast, we hear that the Spanish Defense Ministry has been reported to have suffered cyberespionage. The Lazarus Group’s life of crime. Facebook takes down “coordinated inauthenticity.” Add Lucky Elephant to the bad actor menagerie: it’s ...Show More
More on ASUS supply chain backdoor. FEMA data mishandling. LockerGoga ransomware. Mueller report responses.

20:21 | Mar 26th

In today’s podcast we hear about supply chain attacks and Operation ShadowHammer’s ASUS backdoor. LockerGoga ransomware may be slow and sloppy, but its masters are determined and willing to play for high stakes. What will happen with FEMA over its da...Show More
Mueller finds no evidence of Russia collusion. ISIS no longer holds any ground. LockerGoga hits chemical plants. FEMA fumbles PII. Cyber 9/12. PewDiePie versus T-Series.

19:33 | Mar 25th

In today’s podcast, we hear that the  US Attorney General has reported to Congress the results of Special Counsel Mueller’s investigation. The basic finding is that there’s no evidence of collusion with Russian influence operations. ISIS no longer ho...Show More
Ryuk ransomware relationship revelations — Research Saturday

21:39 | Mar 23rd

Investigators from McAfee's advanced threat research unit, working with partners at Coveware, have reevaluated hasty attributions of Ryuk ransomware to North Korea and have explored the inner workings of the threat. John Fokker is head of cyber inves...Show More
Finland’s data protection authority investigates suspicious smartphone activity. GitHub repos are leaking keys. Cardiac devices can be hacked.

23:28 | Mar 22nd

In today’s podcast, we hear that Finland’s data protection authority is investigating reports that Nokia 7 Plus smartphones are sending data to a Chinese telecom server. Thousands of API tokens and cryptographic keys are exposed in public GitHub repo...Show More
Russian APTs target EU governments. FIN7 is back. Google and Facebook scammed.

19:36 | Mar 21st

Fancy Bear and Sandworm are launching cyberespionage campaigns against European governments before the EU parliamentary elections. The FIN7 cybercrime group is still active, and it’s using new malware. A scammer stole more than $100 million from Goog...Show More
Norsk Hydro recovers from LockerGoga infection. Cyber conflict, cyber deterrence, and an economic case for security. EU out of compliance with GDPR? Big Tech in court. Thoughts on courtship.

19:55 | Mar 20th

In today’s podcast, we hear that Norsk Hydro’s recovery continues, with high marks for transparency. Some notes on the challenges of deterrence in cyberspace from yesterday’s CYBERSEC DC conference, along with context for US skepticism about Huawei h...Show More
LockerGoga hits Norse Hydro. Mirai botnet malware gets an update. The DHS is concerned about cybersecurity.

18:57 | Mar 19th

In today’s podcast, we hear that an aluminum manufacturing giant in Norway has suffered a major ransomware attack. A new version of the Mirai botnet malware is targeting enterprise systems. The US Homeland Security Secretary says the private sector a...Show More
Online content and terrorism. Huawei’s shifting strategy. Venezuela’s grid failure is explicable by corruption and incompetence--no hacking or sabotage required. Gnostiplayers are back. AI and evil.

16:24 | Mar 18th

In today’s podcast we hear about content moderation in the aftermath of the New Zealand mosque shootings. A shift in Huawei’s strategy in the face of Five Eye--and especially US--sanctions: the US doesn’t like us because we’re a threat to their abili...Show More
ThinkPHP exploit from Asia-Pacific region goes global — Research Saturday

11:43 | Mar 16th

Akamai's Larry Cashdollar joins us to describe an exploit he recently came across while researching MageCart incidents. It's a remote command execution vulnerability affecting ThinkPHP, a popular web framework. The original research can be found here...Show More
Terror, announced and celebrated online. JavaScript sniffer afflicts e-commerce sites. Cryptojacking in the cloud. Perspectives on regulation, thoughts on a pervasive IoT. China’s IP protection law.

21:55 | Mar 15th

In today’s podcast, we hear that a terror attack against two New Zealand mosques is announced on Twitter and live-streamed on Facebook. A new, unobtrusive JavaScript sniffer infests some e-commerce sites in the UK and the US. Cryptojacking finds its ...Show More
Indonesian election security. Watering hole in Pakistani passport site. RAT hunting. “Intelligence brute-forcing.” Just-patched zero-day exploited. PoS DGA attack. Operation Sheep. BND advises “nein” to Huawei.

20:12 | Mar 14th

In today’s podcast, we hear that Indonesia says it’s got its voting security under control, and a lot of the problems sound like good old familiar fraud and dirty campaigning. Trustwave warns of a watering hole on a Pakistani government site. Recorde...Show More
Election security and influence operations. Hacking the Fleet. Undersea cable competition. 5G worries. Calls to rein in Big Tech. UN report outlines North Korean cyber crime (there’s a lot of it).

20:23 | Mar 13th

In  today’s podcast, we hear that election interference concerns persist around the world. Governments seek to address them with a mix of threat intelligence and attention to security basics. A US Navy report says the Fleet’s supply chain is well on ...Show More
Venezuela power blackout updates. Social media and social control. Trojanized games. Free decryptor out for ransomware strain. Ads on Facebook. A look at 30 years of the web.

20:11 | Mar 12th

In today’s podcast, we hear an update on Venezuela and its power outages. Amplification of social media posts as a form of mass persuasion. A look at how control of the Internet has replaced control of the radio station as a move in civil war and cou...Show More
Allegations and information operations. Iridium group may have compromised Citrix. Sino-American trade and security conflicts continue. Fashions in trolling.

16:54 | Mar 11th

Venezuela sustains power outages, and the regime blames hackers and wreckers. The opposition says it’s all due to the regime’s corruption, incompetence, and neglect. Citrix loses business documents in what might have been an Iranian espionage operati...Show More
Job-seeker exposes banking network to Lazurus Group — Research Saturday

22:11 | Mar 9th

Vitali Kremez is a Director of Research at Flashpoint. His team discovered that the recently disclosed intrusion suffered in December 2018 by Chilean interbank network Redbanc involved PowerRatankba, a malware toolkit with ties to North Korea-linked ...Show More
Chinese influence campaigns. Egyptian spear phishing. Hundreds of million email records exposed.

22:58 | Mar 8th

In today’s podcast, we hear that Chinese information operations on US social media are widespread. The Egyptian government launches spear phishing attacks against activists. Hundreds of millions of email records were found online. Chelsea Manning is ...Show More
Scope of APT33 attacks revealed. GandCrab criminals shift tactics. Slub malware uses Slack.

20:55 | Mar 7th

The scope of Iran-linked APT33 cyberattacks has been revealed. GandCrab criminals are using more sophisticated tactics. A new type of malware was using Slack to communicate. Chrome gets an important update. Huawei sues the US, and Germany sets toughe...Show More
5G worries. Whitefly vs. SingHealth. Speculative execution bug.

20:11 | Mar 6th

In today’s podcast, we hear that Australia's former prime minister warns Britain about Chinese tech companies. Symantec says Whitefly was behind SingHealth's massive data breach. Iranian hackers show code overlap. Intel CPUs are vulnerable to another...Show More
India hacks back. Rob Joyce discusses cyber conflict. Chinese hackers look for maritime technologies. Google reveals a macOS vulnerability.

19:48 | Mar 5th

In today’s podcast, we hear that India went on the offensive when its government websites were attacked by hackers from Pakistan. Rob Joyce, Senior Advisor for Cybersecurity Strategy to the Director of the US National Security Agency, discusses trend...Show More
Operation Sharpshooter. Canada begins extradition process. Huawei will sue the US. Facebook’s global lobbying practices revealed. Visitor management systems are vulnerable.

15:22 | Mar 4th

In today’s podcast, we hear that Operation Sharpshooter is linked to North Korea. Canada begins the extradition process for Meng Wanzhou. Huawei is planning to sue the US for banning its equipment from government use.  Facebook may have used question...Show More
Fake Fortnite app scams infect gamers — Research Saturday

15:17 | Mar 2nd

Researchers at Zscaler have been tracking a variety fake versions of the popular Fortnite game on the Google Play store, along with associated scams. Deepen Desai is head of security research at Zscaler, and he joins us to share their findings. The ...Show More
Qbot spreads. Bug hunting makes a millionaire. US Cyber Command shows what “persistent engagement” looks like. Huawei agonistes. There’s no Momo, really.

23:07 | Mar 1st

Qbot infections are spreading. The bounty-hunting gig economy apparently has its first millionaire. Observers are liking what they see in US Cyber Command’s “persistent engagement.” Canada mulls the extradition of Huawei’s CFO to the US. The US conti...Show More
Third-parties can misconfigure, too. Coinhive goes out of business. Intel decides 5G project with Chinese partner is too hard. Bronze Union. Clearing Facebook data. Proper disposal of lawful intercept tools.

20:50 | Feb 28th

In today’s podcast we hear that a misconfigured Amazon Web Services database has exposed a risk screening database--and it seems the exposure itself was an instance of third-party risk. Farewell to Coinhive, long a favorite of cryptominers everywhere...Show More
Router vulnerabilities. Hacking around the Hanoi summit. DDoSing an election. Brushing back a troll farm. Crytpojacking an embassy.

20:34 | Feb 27th

In today’s podcast, we hear that Nokia routers have been found vulnerable to man-in-the-middle and denial-of-service attacks. As one would expect, the  US and North Korean summit in Hanoi this week summons up some hacking. Ukraine accuses Russia of D...Show More
Sino-Australian, Sino-American cyber tensions. Threat trends. Bare-metal cloud issues addressed. USB-C and memory attacks, Credential stuffing in tax season. Twitter hijacking.

20:35 | Feb 26th

In today’s podcast, we hear updates on suspicions of Chinese operators. Some trend reports from IBM and NETSCOUT. Bare-metal cloud services get reflashed. USB-C ports may be more vulnerable than thought to direct memory access attacks. Credential-stu...Show More
Another warning of DNS hijacking. B0r0nt0k ransomware is out and about, and in too many servers. Whitelisting a controversial CA. Blockchain security. Bots get on the consular calendar.

16:21 | Feb 25th

In today’s podcast, we hear that ICANN has warned of a DNS hijacking wave, and is urging widespread DNSSEC adoption. Security firms see Iran as a particularly active DNS hijacker. A B0r0nt0k ransomware outbreak infests Linux servers, but Windows user...Show More
Rosneft suspicions shift from espionage to business email compromise — Research Saturday

27:06 | Feb 23rd

Researchers at security firm Cylance have been tracking a threat group targeting the Rosneft Russian oil company. As Cylance uncovered details, suspicions shifted from state-sponsored espionage to business email compromise.  Kevin Livelli is directo...Show More
Influence operations in Ukraine’s elections. Australian hacks look more like China’s work. Huawei and the 5G future. Objectionable content in comments. DrainerNot. No more soldier-selfies in Russia.

25:20 | Feb 22nd

In today’s podcast, we hear that Kiev says it’s found complex, large-scale Russian influence operations in Ukraine’s presidential election. Australian investigators are said to be closer to concluding that recent hacking attempts were the work of Chi...Show More
Hybrid war and tactical influence operations. Separ lives off the land. NoRelationship attacks get past email filters. Responsible disclosure. Man-in-the-room bug. Ship hacking. Password managers.

20:24 | Feb 21st

In today’s podcast we hear about a test of influencing soldiers through their social media: Instagram works best, Twitter not so much. Separ credential-stealing malware successfully lives off the land. NoRelationship attacks get past some email filte...Show More
Fancy Bear phishes in think tanks. Lazarus Group takes a swipe at Russian organizations. New decryptor for GandCrab. Citizen Lab and Novalpina discuss NSO Group. Ryuk’s lousy help desk.

20:37 | Feb 20th

In today’s podcast, we hear that Microsoft has disclosed a Fancy Bear sighting, snuffling around Atlanticist think tanks in Europe. Ukraine says, in effect, see, we told you so. Speaking of bears, it seems that North Korea’s Hidden Cobra may be strik...Show More
International cyber conflict: India and Pakistan; Australia and China. Rietspoof malware. Microsoft ejects cyptojackers from its store. NCSC may go easy on Huawei. Parliament criticizes Facebook.

20:24 | Feb 19th

In today’s podcast, we hear of a small flare in cyber conflict between India and Pakistan. Australian political parties as well as Parliament subjected to attempted cyberattacks. A new strain of malware is being distributed through messaging apps. Mi...Show More
Seedworm digs Middle East intelligence — Research Saturday

16:19 | Feb 16th

Researchers at Symantec have been tracking Seedworm, a cyber espionage group targeting the Middle East as well as Europe and North America. The threat group targets government agencies, oil & gas facilities, NGOs, telecoms and IT firms. Al Cooley is ...Show More
GandCrab notes. Make tests, not bans, says GSMA. Content moderation. Takedown of inauthentic accounts. Influence operations. Happy birthday, GCHQ.

26:04 | Feb 15th

In today’s podcast, we hear that GandCrab has been scuttling through unpatched holes. Independent testing as an alternative to banning specific vendors as security risks. Big Tech gets some Congressional scrutiny over content moderation. Facebook tak...Show More
Former Air Force counterintelligence specialist indicted on charges of spying for Iran. Where’s the stolen Equifax data? Two alleged Apophis Squad clowns indicted.

20:32 | Feb 14th

In today’s podcast we hear that US prosecutors have unsealed the indictment of a former US Air Force counterintelligence specialist on charges she conspired to commit espionage on behalf of Iran. The US Treasury Department announces further sanctions...Show More
China says it had nothing to do with the Parliament hack in Australia. Notes on Patch Tuesday. Shlayer and GreyEnergy malware analyzed. Tomorrow is Valentine’s Day—act accordingly.

19:59 | Feb 13th

In today’s podcast, we hear that China has denied involvement in the Australian Parliament hack. Patch Tuesday notes. A new strain of Shlayer malware is out. A look at GreyEnergy. Reactions to the destructive VFEmail attack. And thoughts on St. Valen...Show More
VFEmail attacked, infrastructure wiped. EU considers a response to APT10. US Executive Order on AI is out. GPS jamming threat. Stryker hack. Shadow IT in the Corps.

19:35 | Feb 12th

In today’s podcast, we hear that VFEmail has sustained a devastating, data-destroying attack. The EU considers whether it should, can, or will make a coordinated response to China’s APT10. A US Executive Order outlines a strategy to maintain superior...Show More
Cryptojackers gone wild. Attempted hack of Australia’s Parliament investigated. Huawei security concerns continue. Russia tests Internet autarky. Prosecutors investigate alleged blackmail.

19:02 | Feb 11th

In today’s podcast, we hear that clipper malware has been ejected from Google Play. A different cryptojacker is kicking its competitors out of infected machines. Australian authorities continue to investigate the attempted hack of Parliament, with Ch...Show More
Trends and tips for cloud security — Research Saturday

19:50 | Feb 9th

The team at Palo Alto Networks' Unit 42 recently published research tracking trends in how organizations are addressing cloud security, along with tips for improvement.  Ryan Olson is VP of threat intelligence at Palo Alto Networks, and he joins us t...Show More
Australia’s Federal Parliament has a cyber incident. DHS warns of third-party spying. Legit privacy app tampered with. Credit Union phishing. Bezos vs. Pecker. FaceTime bounty. Seal scat.

25:11 | Feb 8th

In today’s podcast, we hear that Australia is investigating an attempted hack of its Federal Parliament. The US Department of Homeland Security warns that spies are working through third parties to get to their targets. Spyware is bundled in a legiti...Show More
Social engineering and the power of brands. Insecure check-ins? APT10 is quiet but not gone. MacOS Keychain bug. Assessment of Chinese device manufacturers continues.

20:01 | Feb 7th

In today’s podcast, we hear about social engineering, with a few new twists. Some airlines may be exposing passenger data with insecure check-in links. APT10 may be lying low, for now, but the US Department of Homeland Security expects the cyber spie...Show More
APT10 stays busy. More skepticism about Huawei (and ZTE, for that matter). No foreign “material effect” on US midterms. Reverse RDP risk. IIoT bug found. RSA Innovation Sandbox finalists.

20:43 | Feb 6th

In today’s podcast, we hear that Chinese threat group APT10 seems to have been busy lately, and up to its familiar industrial espionage. More governments express skepticism about Chinese manufacturers. The US report on election security is out: influ...Show More
ExileRAT versus Tibet. SpeakUp backdoors Linux. Facebook bans Myanmar militias. Norway sees a threat in Huawei. Westminster gets hacked? Bangladesh Bank sues over SWIFT caper.

20:10 | Feb 5th

In today’s podcast, we hear that ExileRAT is targeting Tibet’s government-in-exile. The SpeakUp backdoor afflicts many varieties of Linux systems. Facebook bans ethnic militias in Myanmar from its platform. Norway’s PST intelligence service says that...Show More
Tracking the impresario behind Collection#1. OceanLotus and a new downloader. CookieMiner malware afflicts Macs. Huawei’ prospects. Influence ops. Extortion by bluff.

17:46 | Feb 4th

In today’s podcast, we hear that Collection#1 looks like the work of an aggregator who goes by the name of “C0rpz.” OceanLotus is working with a new downloader. CookieMiner malware is poking around in Macs. Huawei continues to receive harsh security ...Show More
Online underground markets in the Middle East — Research Saturday

17:59 | Feb 2nd

Researchers at Trend Micro recently published their look inside online underground marketplaces in the Middle East and North Africa, where criminals are buying and selling malware, laundering money and event booking their next discount vacation. Jon ...Show More
No more Apple time-out for Facebook and Google. Inauthentic sites taken down. Fancy Bear paws at Washington, again. Malware-serving ads. Amplification DDoS. Data exposures in India.

24:39 | Feb 1st

In today’s podcast, we hear that Apple has let Facebook and Google out of time-out. Russia decides it would like access to Apple data because, you know, its Russian law. Social networks take down large numbers of inauthentic accounts. Fancy Bear is s...Show More
Commodity credential stuffing gets four new collections. Google was also doing a pay-to-pwn, like Facebook. Russian trolling. FaceTime bug investigation. Joanap botnet. Other online scams.

20:05 | Jan 31st

In today’s podcast, we hear that Collections #2 through #5 have joined Collection #1 in hacker fora. Google is found to be collecting data from devices in much the same way its advertising peer Facebook was. Russian trolls seek to discredit the Speci...Show More
US IC on cyber threats. Iran goes after PII. UAE surveillance described. Scanning for unpatched routers. Huawei’s possible fates. Scam exploits child. FaceTime disclosure. Facebook Research.

19:49 | Jan 30th

In today’s CyberWire, we hear that US Intelligence Community leaders testify that the major cyber threat comes from Russia, China, North Korea, and Iran. Iran’s APT39 takes an interest in PII. A UAE surveillance program is revealed. Hackers scanning ...Show More
004 Case studies in risk and regulation — CyberWire-X

32:13 | Jan 30th

In the final episode of our four-part series, called “Ground Truth or Consequences: the challenges and opportunities of regulation in cyberspace,” we examine some of the game changing high profile breaches like Yahoo, Equifax and OPM, along with thei...Show More
FaceTime’s odd bug, and how to squash it. FormBook malware surges through a new hosting service. Some international law enforcement wins. International conflict in cyberspace.

20:04 | Jan 29th

In today’s podcast, we hear that a FaceTime bug lets you listen to someone’s phone before they’ve even picked up. FormBook malware’s surge is abetted by a new hosting service. Compromised server market xDedic has been taken down. Europol is looking f...Show More
Someone takes an unhealthy interest in Citizen Lab. Ukraines accuses Russia of election phishing. Russian bigshots doxed. Tension over Venezuela. Swatting indictments. National Privacy Day.

19:10 | Jan 28th

In today’s podcast, we hear about some Spy vs. Spy at Citizen Lab, but who the spies were working for isn’t clear. Ukraine’s cyber police accuse Russia of phishing for election influence. As Fortuna’s wheel turns, Russian bigwigs get doxed by transpa...Show More
Amplification bots and how to detect them. — Research Saturday

18:34 | Jan 26th

Researchers from Duo Security have been analyzing the behavior of Twitter bots in a series of posts on their web site. Their most recent dive into the subject explores amplification bots, which boost the impact of tweets through likes and retweets. ...Show More
Glitches, not attacks or takedowns. Tracing Gray Energy and Zebrocy back to their servers. US Army tactical cyber operations. Venezuela crisis. Bellingcat and OSINT. Roger Stone arrested.

25:03 | Jan 25th

In today’s podcast, we hear that two potential cyberattacks now look like glitches. Gray Energy and Zebrocy look as if they’re close enough to be, if not the same threat actor, at least first cousins. The US Army pushes significant cyber capability t...Show More
The US House of Representatives wants to know more about DNS-hijacking. Huawei skepticism. Anonymous dunnit, say the Russians. Financial data exposed. Family spooked by hackers.

20:00 | Jan 24th

In today’s podcast, we hear that the US House would like some more information from DHS about what prompted its emergency directive about DNS hijacking. More skepticism about Huawei from various governments. A British think tank has been hacked—obser...Show More
Emergency Directive 19-01 versus DNS hijacking. 2019 US National Intelligence Strategy on cyber. France says cyber war is upon us. Courts in UK have email trouble. Hacks and lulz.

19:43 | Jan 23rd

In today’s podcast, we hear that Emergency Directive 19-01 has told US Federal civilian agencies to take steps to stop an ongoing DNS-hijacking campaign. The US National Intelligence Strategy is out, and it prominently features cyber as a “topical mi...Show More
Ex-employee backdoor. Stealthy DDoS. Anubis dropper looks for motion. Influence operations. Privacy actions. The curious case of the espionage arrest in Russia.

20:44 | Jan 22nd

In today’s podcast, we hear that the WordPress Multilingual Plugin was compromised by a disgruntled ex-employee. Stealthy DDoS might escape notice. Anubis droppers wait for the phone to move before executing. EU works against influence in its May ele...Show More