The Cybersecurity Defenders Podcast

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.Unit 42 have recently identified a wave of large-scale StrelaStealer campaigns impacting over 100 organizations across the EU and U.S.Researchers at Mandiant on Friday raised an alarm after discovering Russia’s APT29 hacking group targeting political parties in Germany, indicating a possible new operational focus beyond typical attacks on diplomatic figures.The newly discovered vulnerability baked into Apple’s M-series of chips that allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations.The Department of Justice this week charged seven Chinese nationals, who are affiliates of threat group APT31, with widespread cyber espionage against US businesses and politicians.

In this episode of The Cybersecurity Defenders Podcast we speak with Grace Chi, CoFounder & COO of Pulsedive Cyber Threat Intelligence about a report she published on cyber threat intelligence networking.Cyber Threat Intelligence (CTI) is an evolving field, with an industry-wide consensus that teams cannot effectively operate in an intelligence silo. This sentiment is shared across all stakeholder segments – public, private, vendor, and academic. In support of improved CTI sharing, stakeholders have invested in efforts around cross-boundary collaboration, technical standardization, managing trust, and reporting best practices. However, understanding the time and effort spent in CTI networking (i.e. connecting human-to-human for improved business outcomes) is often overlooked.The report can be found here: Sharing, Compared: A Study on the Changing Landscape of CTI NetworkingThe Op Ed mentioned in the show: Op-Ed: How tro Make STIX StickieAnd the subreddit mention on the show (possibly NSFW): LinkedIn LunaticsPulsedive can be found on Twitter here.Grace can be found on LinkedIn here.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.Threat actors have been actively targeting vulnerable Connect Secure VPN appliances after the disclosure of CVE-2023-46805 and CVE-2023-21887.Threat researchers recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file encryption code.In the last week of January 2024, a patch was released to address a directory traversal vulnerability in the package that allows unauthenticated, remote attackers to access sensitive information from arbitrary files on the server if exploited. On March 8th, Microsoft said that it’s still trying to evict the elite Russian government hackers who broke into the email accounts of senior company executives in November and who it said have been trying to breach customer networks with stolen access data.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.North Korean threat actors known as the Lazarus Group exploited a zero-day in the Windows AppLocker driver to gain kernel-level access and turn off security tools, allowing them to bypass noisy Bring Your Own Vulnerable Driver techniques.Researchers observed threat actors run the Angry IP Scanner, followed by some Mimikatz functions, and then the kicker, the open-source QEMU hardware emulator and virtualizer.Threat actors have been observed installing RMM tools as a means of maintaining persistence within a compromised organization. Hackers breached some of the systems belonging to CISA in February through some known vulnerabilities in Ivanti products.

In this episode of The Cybersecurity Defenders Podcast, we recount some hacker history, and with the help of John Hammond, Principal Security Researcher at Huntress, tell the story of the MOVEit cyberattack: the biggest data theft of 2023.The MOVEit cyberbreach, was a far-reaching cyber attack that unfolded with significant implications worldwide. The breach initially came to light on June 3, when the Government of Nova Scotia disclosed that approximately 100,000 of its current and former employees had been affected, signaling the severity of the breach's impact.The scope of the breach widened on June 5, as it became apparent that numerous organizations in the United Kingdom had also fallen victim. Among those affected were prominent entities such as the BBC, British Airways, Boots, Aer Lingus, and the payroll service provider Zellis. This phase of the breach underscored its indiscriminate nature, with targets spanning across various sectors.Further developments were reported on June 12, with major organizations like Ernst & Young, Transport for London, and Ofcom announcing their entanglement in the breach. Of particular concern was Ofcom's revelation that personal and confidential information had been compromised, highlighting the breach's capacity to infiltrate and extract sensitive data.The United States felt the breach's ramifications by June 15, with reports confirming that the Department of Energy, among other federal entities, was impacted by the MOVEit vulnerability. The breach's reach extended further on June 16, affecting state-level organizations such as the Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services, thereby impacting millions of American residents.By October 25, 2023, a report from the cybersecurity firm Emsisoft indicated that the MOVEit cyberbreach had affected over 2,500 organizations globally, with a significant 80% of these being based in the United States. This breach highlights the critical vulnerabilities within digital infrastructures and underscores the urgent need for enhanced security measures to protect against such widespread cyber threats.This story was written by the talented Nathaniel Nelson and produced by the team at LimaCharlie.And a special thank you to John Hammond, Principal Security researcher at Huntress, for sharing his expertise and experienceIf you have any feedback or ideas for future topics or guests, please send an email to defenders@limacharlie.io.

Explore the evolution of malware with insights on Nood RAT and its implications for Linux users. Delve into the dark side of cyber warfare and its potential to disrupt physical systems. Investigate the advanced evasion techniques employed by Pikabot and the resurgence of Bifrost malware. Learn about the Biden administration's Executive Order aimed at protecting sensitive American data from foreign exploitation, while addressing the vagueness and implementation challenges it faces. The discussion also touches on new cybersecurity laws enhancing protections for cloud providers.

In this episode of The Cybersecurity Defenders Podcast, we take a close look at weaponizing ASCII escape sequences with Fredrik (STÖK) Alexandersson from Truesec.Fredrik (STÖK) Alexandersson is a dynamic individual driven by a boundless curiosity and a passion for sharing knowledge. With over three decades of professional experience, he's hacked his way through realms ranging from computers and technology to marketing, fashion, communication, and even the human psyche. Renowned for his lightning-fast presentations and his knack for making complex technical subjects entertaining, STÖK is a prominent figure in the cybersecurity community. His meticulous attention to detail, insatiable curiosity, and "Good Vibes Only" attitude have inspired millions worldwide and earned him recognition from industry giants like Salesforce, Microsoft, and Verizon Media, among many others. Currently, he working as a Hacker and Creative Director at TRUESEC.You can follow him on Twitter/X here.And you can watch his talk on Weaponizing ASCII escape sequences here.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.Law enforcement from 10 countries - in a joint operation called ‘Operation Cronos’ - have disrupted the criminal operation of the LockBit ransomware group.FortiGuard has identified a grouping of malware droppers used to deliver various final-stage payloads through 2023 they are calling the TicTacToe dropper.Cisco Talos researchers have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. A massive leak from a Chinese Ministry of Public Security contractor called I-Soon shows that Bejing’s intelligence and military groups are attempting large-scale, systemic cyber intrusions against foreign governments, companies, and infrastructure.

Delve into cybersecurity in space systems with Tim Fowler from Black Hills Information Security. Explore the evolving relationship between technology and space exploration. Trace the history of space exploration from Sputnik to SpaceX. Uncover cybersecurity challenges in space projects and vulnerabilities in space systems. Learn about cube satellites, orbital networks, and cybersecurity mitigation strategies. Gain insights on the future of cybersecurity integration with business objectives.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.ZScaler ThreatLabz are reporting on some recent campaigns, which started in February 2024, where they observed Pikabot reemerging with significant changes in its code base and structure.OpenAi is claiming that they have terminated accounts associated with state-affiliated threat actors.A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that were used to commit crimes by the GRU Military Unit 26165.SecurityWeek is reporting on the fine folks at CISA who are urging the patching of a Cisco ASA flaw that is being used in ransomware.A document naming APT groups and operations can be found here.