In this episode of The Cybersecurity Defenders Podcast, we discuss the GRU-backed cyber unit Sandworm which was recently promoted to APT44 by Mandiant.Sandworm is a notorious hacking group, believed to be linked to Russia's military intelligence agency, the GRU. Known for its destructive cyberattacks, Sandworm has targeted various sectors worldwide, including energy, media, and election systems. Their activities are marked by the use of sophisticated malware and tactics that not only seek to steal information but also to disrupt critical infrastructure. The group gained international prominence with attacks like NotPetya in 2017, which caused billions of dollars in damage across multiple countries, emphasizing their capability to impact global cyber stability.The name "Sandworm" is inspired by the monstrous creatures from Frank Herbert's science fiction novel "Dune," reflecting the group's elusive and destructive nature. Over the years, Sandworm's operations have evolved, showcasing their adaptability and the increasing complexity of their attacks. This evolution highlights the growing challenges in cybersecurity, making the understanding of such threat actors crucial for developing robust defense strategies against state-sponsored cyber warfare.YouTube video showing Sandworm attacking a Ukrainian power plant here.Episode #56 - When the lights went out in Ukraine (Part 1)Episode #74 - When the lights went out in Ukraine (Part 2)Episode #16 - NotPetya

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.eSentire's Threat Response Unit has observed FakeBat loader being distributed via FakeUpdates, ultimately leading to a LummaC2 infection via a custom-written PaykRunPE provided by the FakeBat Threat Actors.CISA is investigating a breach at business intelligence company Sisense and urged all Sisense customers to reset any credentials and secrets that may have been shared with the company.CISA has confirmed that Russian government-backed hackers stole emails from several U.S. federal agencies as a result of an ongoing cyberattack at Microsoft.Volexity identified a zero-day exploitation of a vulnerability found within the GlobalProtect feature of Palo Alto Networks PAN-OS at one of its network security monitoring customers.

In this episode of The Cybersecurity Defenders Podcast, we take a close look at Digital Forensics with Carlos Cajigas, CTO of Covert Bit.Carlos is a seasoned Incident Response professional hailing from San Juan, Puerto Rico. Carlos's journey in the field began after dedicating over a decade to law enforcement, specializing as a Digital Forensics Detective and Examiner in West Palm Beach, Florida. His extensive experience spans conducting detailed examinations on numerous digital devices, backed by hundreds of hours in specialized training from reputable institutions like EnCase, NW3C, Access Data, and SANS, to name a few. Carlos is not just an expert in the field; he's also a dedicated educator, holding instructor roles with both the Florida Department of Law Enforcement and SANS, where he teaches courses on Windows Forensic Analysis and Advanced Incident Response. With a solid academic foundation, Carlos brings a wealth of knowledge and insight into today's digital forensics and incident response landscape.You can find Carlos on Twitter/X here.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.On March 29, 2024 defenders became aware that a backdoor was intentionally planted inside of XZ Utils an open source data compression utility available on many installations of Linux and other Unix-like operating systems. The threat actors behind this implant likely spent years on this operation and were very close to getting the backdoor merged into Debian and Redhat before it was discovered.The original disclosure email can be found here.A technical break down of the compromise can be found here.A Wired article covering the compromise in-depth can be found here.

In this episode of The Cybersecurity Defenders Podcast we have an in-depth talk about the cyber threat from China, with Adam Kozy and Daniel Velasquez.Daniel started his career as a defender in the United States Marine Corps as an intelligence analyst where he served in Afghanistan - from there he went on to work with the Defense Intelligence Agency, Joint Special Operations Command and the CIA. After his service, he was a director at Mandiant and is now the Executive Vice President of OP[4] - a company providing security for critical devices and embedded systems.Adam began his career as an intelligence analyst working with the Federal Bureau of Investigation where he provided all-source analysis of Asia-Pacifc related cybersecurity issues. After the FBI, Adam was the principal intelligence analyst for the Asia cyber team at CrowdStrike. Currently, he is the founder of SinaCyber which is a boutique consulting firm combining native Chinese language research and cyber intelligence expertise to create bespoke reports for government officials, technology firms, and financial institutions under threat from China's rampant cyber espionage campaigns.The history of China and its people goes back to ancient times. It is a rich and beautiful culture that has given much to the world in the form of art, ideas and technology. When we talk about China or the Chinese in this podcast episode we are specifically talking about the Chinese Communist Party - or CCP - which are a group of elites offering an increasingly authoritarian world view and alternative model to Western ideals of democracy and freedom. The Chinese people themselves are not your enemy. Current laws in China make it easy for the CCP to co-opt its citizenry for use in intelligence operations, wittingly and unwittingly. Unnecessarily making this into a racial divide alienates the folks that can help us the most in the coming years and provides more ammunition for Beijing.It was an incredible honor to speak with these two, and I hope you enjoy this conversation full of valuable information.Adam's testimony before the U.S.-China Economic and Security Review Commission Hearing on, “China’s Cyber Capabilities: Warfare, Espionage, and Implications for the United States” here.The Mandiant report on APT1 can be found here.

In this episode of The Cybersecurity Defenders Podcast we speak with Salvador Mendoza, Director of Research and Development at Metabase Q, about the tokenization of payment systems.Salvador is a prominent figure in the cybersecurity industry and holds the position of Director of Research and Development at Metabase Q. He is also an integral member of the Ocelot Offensive Security Team. His area of expertise lies in the intricate world of the tokenization process, payment systems, and the development of embedded prototypes. With a commendable history of presenting at high-profile security conferences including Black Hat, DEF CON, Hack in the Box, and Troopers, Salvador brings a wealth of knowledge and insight to our discussion. Furthermore, he is the author of the insightful book, "Show me the e-money. Hacking digital payment systems: NFC, RFID, MST and EMV Chips," where he delves into the vulnerabilities and security measures of digital payment technologies.You can find his book for purchase here.And you can find the PCI spec here.You can follow Salvaador on Twitter/X here.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.Unit 42 have recently identified a wave of large-scale StrelaStealer campaigns impacting over 100 organizations across the EU and U.S.Researchers at Mandiant on Friday raised an alarm after discovering Russia’s APT29 hacking group targeting political parties in Germany, indicating a possible new operational focus beyond typical attacks on diplomatic figures.The newly discovered vulnerability baked into Apple’s M-series of chips that allows attackers to extract secret keys from Macs when they perform widely used cryptographic operations.The Department of Justice this week charged seven Chinese nationals, who are affiliates of threat group APT31, with widespread cyber espionage against US businesses and politicians.

In this episode of The Cybersecurity Defenders Podcast we speak with Grace Chi, CoFounder & COO of Pulsedive Cyber Threat Intelligence about a report she published on cyber threat intelligence networking.Cyber Threat Intelligence (CTI) is an evolving field, with an industry-wide consensus that teams cannot effectively operate in an intelligence silo. This sentiment is shared across all stakeholder segments – public, private, vendor, and academic. In support of improved CTI sharing, stakeholders have invested in efforts around cross-boundary collaboration, technical standardization, managing trust, and reporting best practices. However, understanding the time and effort spent in CTI networking (i.e. connecting human-to-human for improved business outcomes) is often overlooked.The report can be found here: Sharing, Compared: A Study on the Changing Landscape of CTI NetworkingThe Op Ed mentioned in the show: Op-Ed: How tro Make STIX StickieAnd the subreddit mention on the show (possibly NSFW): LinkedIn LunaticsPulsedive can be found on Twitter here.Grace can be found on LinkedIn here.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.Threat actors have been actively targeting vulnerable Connect Secure VPN appliances after the disclosure of CVE-2023-46805 and CVE-2023-21887.Threat researchers recently observed an interesting variant of StopCrypt ransomware. The ransomware executes its malicious activities by utilizing multi-stage shellcodes before launching a final payload that contains the file encryption code.In the last week of January 2024, a patch was released to address a directory traversal vulnerability in the package that allows unauthenticated, remote attackers to access sensitive information from arbitrary files on the server if exploited. On March 8th, Microsoft said that it’s still trying to evict the elite Russian government hackers who broke into the email accounts of senior company executives in November and who it said have been trying to breach customer networks with stolen access data.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.North Korean threat actors known as the Lazarus Group exploited a zero-day in the Windows AppLocker driver to gain kernel-level access and turn off security tools, allowing them to bypass noisy Bring Your Own Vulnerable Driver techniques.Researchers observed threat actors run the Angry IP Scanner, followed by some Mimikatz functions, and then the kicker, the open-source QEMU hardware emulator and virtualizer.Threat actors have been observed installing RMM tools as a means of maintaining persistence within a compromised organization. Hackers breached some of the systems belonging to CISA in February through some known vulnerabilities in Ivanti products.

In this episode of The Cybersecurity Defenders Podcast, we recount some hacker history, and with the help of John Hammond, Principal Security Researcher at Huntress, tell the story of the MOVEit cyberattack: the biggest data theft of 2023.The MOVEit cyberbreach, was a far-reaching cyber attack that unfolded with significant implications worldwide. The breach initially came to light on June 3, when the Government of Nova Scotia disclosed that approximately 100,000 of its current and former employees had been affected, signaling the severity of the breach's impact.The scope of the breach widened on June 5, as it became apparent that numerous organizations in the United Kingdom had also fallen victim. Among those affected were prominent entities such as the BBC, British Airways, Boots, Aer Lingus, and the payroll service provider Zellis. This phase of the breach underscored its indiscriminate nature, with targets spanning across various sectors.Further developments were reported on June 12, with major organizations like Ernst & Young, Transport for London, and Ofcom announcing their entanglement in the breach. Of particular concern was Ofcom's revelation that personal and confidential information had been compromised, highlighting the breach's capacity to infiltrate and extract sensitive data.The United States felt the breach's ramifications by June 15, with reports confirming that the Department of Energy, among other federal entities, was impacted by the MOVEit vulnerability. The breach's reach extended further on June 16, affecting state-level organizations such as the Louisiana Office of Motor Vehicles and Oregon Driver and Motor Vehicle Services, thereby impacting millions of American residents.By October 25, 2023, a report from the cybersecurity firm Emsisoft indicated that the MOVEit cyberbreach had affected over 2,500 organizations globally, with a significant 80% of these being based in the United States. This breach highlights the critical vulnerabilities within digital infrastructures and underscores the urgent need for enhanced security measures to protect against such widespread cyber threats.This story was written by the talented Nathaniel Nelson and produced by the team at LimaCharlie.And a special thank you to John Hammond, Principal Security researcher at Huntress, for sharing his expertise and experienceIf you have any feedback or ideas for future topics or guests, please send an email to defenders@limacharlie.io.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.AhnLab Security Intelligence Center published an article exploring Nood RAT. Nood RAT is a variant of Gh0st RAT that works in Linux.GTPDOOR is the name of Linux-based malware that is intended to be deployed on systems in telco networks adjacent to the GRPS eXchange Network with the novel feature of communicating C2 traffic over GTP-C Control Plane signaling messages.Researchers reporting on Pikabot evasion techniques for Endpoint Detection and Response systems by employing an advanced technique to hide its malicious activities known as “indirect system calls”.Nit 42 at Palo Alto Networks, they are reporting on a new Linux variant of Bifrost that is showcasing an innovative technique to evade detection.President Biden issued an Executive Order to protect Americans’ sensitive personal data from exploitation by countries of concern.

In this episode of The Cybersecurity Defenders Podcast, we take a close look at weaponizing ASCII escape sequences with Fredrik (STÖK) Alexandersson from Truesec.Fredrik (STÖK) Alexandersson is a dynamic individual driven by a boundless curiosity and a passion for sharing knowledge. With over three decades of professional experience, he's hacked his way through realms ranging from computers and technology to marketing, fashion, communication, and even the human psyche. Renowned for his lightning-fast presentations and his knack for making complex technical subjects entertaining, STÖK is a prominent figure in the cybersecurity community. His meticulous attention to detail, insatiable curiosity, and "Good Vibes Only" attitude have inspired millions worldwide and earned him recognition from industry giants like Salesforce, Microsoft, and Verizon Media, among many others. Currently, he working as a Hacker and Creative Director at TRUESEC.You can follow him on Twitter/X here.And you can watch his talk on Weaponizing ASCII escape sequences here.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.Law enforcement from 10 countries - in a joint operation called ‘Operation Cronos’ - have disrupted the criminal operation of the LockBit ransomware group.FortiGuard has identified a grouping of malware droppers used to deliver various final-stage payloads through 2023 they are calling the TicTacToe dropper.Cisco Talos researchers have observed a significant increase in the volume of malicious emails leveraging the Google Cloud Run service to infect potential victims with banking trojans. A massive leak from a Chinese Ministry of Public Security contractor called I-Soon shows that Bejing’s intelligence and military groups are attempting large-scale, systemic cyber intrusions against foreign governments, companies, and infrastructure.

In this episode of The Cybersecurity Defenders Podcast, we talk about cybersecurity issues as they relate to the space industry with Tim Fowler, Offensive Security Analyst at Black Hills Information Security.Tim's unique blend of curiosity, determination, and passion for problem-solving make him stand out in the cybersecurity world. As a frequent speaker on topics ranging from Information Security to Open Source software, Tim's mission is clear: to empower others to take control of their journey and make a positive impact in the world of cybersecurity. Currently Tim is working as an offensive security analyst for Black Hills Information Security - and he is here today to talk to use about the research he has been doing around cybersecurity in space…. and yes, it is as awesome as it sounds.Tim’s upcoming training: Introduction to Cybersecurity in Space SystemsResources mentioned in the show:TREKS Cybersecurity FrameworkSpace Attack Research & Tactic Analysis (SPARTA)SPACE-SHIELDOpenSatKitNASA Core Flight SystemTiny GSOpenC3NASA Operational Simulator for Small Satellites

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.ZScaler ThreatLabz are reporting on some recent campaigns, which started in February 2024, where they observed Pikabot reemerging with significant changes in its code base and structure.OpenAi is claiming that they have terminated accounts associated with state-affiliated threat actors.A January 2024 court-authorized operation has neutralized a network of hundreds of small office/home office (SOHO) routers that were used to commit crimes by the GRU Military Unit 26165.SecurityWeek is reporting on the fine folks at CISA who are urging the patching of a Cisco ASA flaw that is being used in ransomware.A document naming APT groups and operations can be found here.

In this episode of The Cybersecurity Defenders Podcast, we delve into an innovative, engineering-centered perspective on cybersecurity with Maxime Lamothe-Brassard, the Founder & CEO of LimaCharlie.As part of the Canadian Intelligence apparatus, Maxime worked in positions ranging from development of cyber defence technologies, Counter Computer Network Exploitation, and Counter Intelligence. Maxime led the creation of an advanced cyber security program for the Canadian government and received several Director’s awards for his service.After leaving the government, Maxime provided direct help to private and public organizations in matters of cyber defence and worked for Crowdstrike, Google and Google X. Maxime left Google X - where he was a founding member of Chronicle Security - in 2018 to found LimaCharlie.

In this episode of The Cybersecurity Defenders Podcast, we discuss some cutting-edge intel coming out of LimaCharlie's community Slack channel.The spectacular headline announcing a DDOS attack that involved 3-million electric toothbrushes.A hardware attack to bypass TPM-based encryption which is used on most Microsoft Windows devices.CrowdStrike researchers have identified a HijackLoader sample that employs sophisticated evasion techniques to enhance the complexity of the threat.

In this episode of The Cybersecurity Defenders Podcast, we take a close look at WiFi attack methods, and the defenses to them, with Lennart Koopmann, Founder of the Nzyme Network Defense System.Lennart Koopman, a tech enthusiast originally from Germany, now calling Houston, TX home. He began coding at a young age and chose to forgo formal education, diving straight into the world of computers after high school.Lennart's career path led him through various roles, from assisting in a hospital's IT helpdesk to web development and eventually joining a startup. In 2009, he launched the Graylog log management system as a side project, marking his entry into the tech scene.Currently, Lennart is focused on his latest endeavor: The nzyme Network Defense System, demonstrating his ongoing commitment to technological advancement.The WiFiPhisher Github account can be found here. Lennart’s talk at MSS CTRL (LINK) can be found here.The Nzyme Network Defense System website can be found here. Lennart can be found in Twitter/X here.

In this episode of The Cybersecurity Defenders Podcast, we take a close look at the AnyDesk and Cloudflare breaches that were both disclosed on February 2, 2024.AnyDesk, a prominent remote desktop software provider, disclosed a cyberattack late on February 2nd, causing the company to enforce strict security measures for nearly a week. Adversaries breached AnyDesk's systems, compromising vital assets such as source code and private code signing keys, and gaining unauthorized access to production systems.For more on AnyDesk's breach, see the following references:https://techcrunch.com/2024/02/05/remote-access-giant-anydesk-resets-passwords-and-revokes-certificates-after-hack/https://anydesk.com/en/public-statementhttps://www.infosecurity-magazine.com/news/anydesk-hit-cyberattack-customer/https://www.helpnetsecurity.com/2024/02/05/anydesk-hacked/https://thehackernews.com/2024/02/anydesk-hacked-popular-remote-desktop.htmlOn the other front, Cloudflare disclosed that a nation-state actor infiltrated their self-hosted Atlassian server on November 14, 2023, utilizing stolen access tokens and service account credentials from the Okta breach. The threat actor conducted reconnaissance activities from November 14th to 17th, gaining access to Cloudflare's internal wiki and bug database. Additional access attempts on November 20th and 21st indicated the actor's persistence, culminating in establishing continuous access through ScriptRunner for Jira on November 22nd. Finally, they tried, unsuccessfully, to access a console server that had access to a data center that Cloudflare had not yet put into production in São Paulo, Brazil.For more details on Cloudflare's breach, consult the following sources:https://www.csoonline.com/article/1303785/nation-state-actor-used-recent-okta-compromises-to-hack-into-cloudflare-systems.htmlhttps://www.techtarget.com/searchsecurity/news/366568694/Cloudflare-discloses-breach-related-to-stolen-Okta-datahttps://www.computing.co.uk/news/4170126/cloudflare-server-breached-suspected-sponsored-threat-actors