CosmicEnergy is OT and ICS malware from Russia, maybe for red teaming, maybe for attack. Updates on Volt Typhoon, China’s battlespace preparation in Guam and elsewhere. In the criminal underworld, Legion malware has been upgraded for the cloud. Johannes Ullrich from SANS examines time gaps in logging. Our guest is Kevin Kirkwood from LogRhythm with a look at extortion attempts and ransomware. And Atlantic hurricane season officially opens next week: time to batten down those digital hatches.  For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/102 Selected reading. COSMICENERGY: New OT Malware Possibly Related To Russian Emergency Response Exercises (Mandiant) People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory) Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft)  China hits back at 'the empire of hacking' over Five Eyes US cyber attack claims (ABC) Updates to Legion: A Cloud Credential Harvester and SMTP Hijacker (Cado) Legion Malware Upgraded to Target SSH Servers and AWS Credentials (Hacker News) CISA Warns of Hurricane/Typhoon-Related Scams (Cybersecurity and Infrastructure Security Agency CISA)

China's Volt Typhoon snoops into US infrastructure, with special attention paid to Guam. Iranian cybercriminals are seen conducting ops against Israeli targets. A new ransomware gang uses recycled ransomware. A persistent Brazilian campaign targets Portuguese financial institutions. A new botnet targets the gaming industry. Phishing attempts impersonate OpenAI. Pro-Russian geolocation graffiti. Andrea Little Limbago from Interos addresses the policy implications of ChatGPT. Our guest is Jon Check from Raytheon Intelligence & Space, on cybersecurity and workforce strategy for the space community. And KillNet says no to slacker hackers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/101 Selected reading. People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection (Joint Advisory) Volt Typhoon targets US critical infrastructure with living-off-the-land techniques (Microsoft) Chinese hackers spying on US critical infrastructure, Western intelligence says (Reuters) Agrius Deploys Moneybird in Targeted Attacks Against Israeli Organizations (Check Point) Iran-linked hackers Agrius deploying new ransomware against Israeli orgs (The Record) Iranian Hackers Set Sights On Israeli Shipping & Logistics Firms (Information Security Buzz) Fata Morgana: Watering hole attack on shipping and logistics websites (ClearSky Security) Iran suspect in cyberattack targeting Israeli shipping, financial firms (Al-Monitor) Buhti: New Ransomware Operation Relies on Repurposed Payloads (Symantec) Operation Magalenha | Long-Running Campaign Pursues Portuguese Credentials and PII (SentinelOne) The Dark Frost Enigma: An Unexpectedly Prevalent Botnet Author Profile (Akamai) Fresh Phish: ChatGPT Impersonation Fuels a Clever Phishing Scam (INKY)

Cybersecurity authorities are issuing this joint Cybersecurity Advisory to highlight a recent cluster of activity associated with a People’s Republic of China state-sponsored cyber actor, also known as Volt Typhoon.  AA23-144A Alert, Technical Details, and Mitigations Active Directory and domain controller hardening: Best Practices for Securing Active Directory | Microsoft Learn CISA regional cyber threats: China Cyber Threat Overview and Advisories Microsoft Threat Intelligence blog: Volt Typhoon targets US critical infrastructure with living-off-the-land techniques | Microsoft Security Blog No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. U.S. DIB sector organizations may consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System services, vulnerability scanning, and threat intelligence collaboration for eligible organizations. For more information on how to enroll in these services, email [email protected]  To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at [email protected], or call (888) 282-0870, or report incidents to your local FBI field office.

Kimsuky's tailored reconnaissance tools. GoldenJackal is an APT quietly active since 2019. Criminals target Youtube viewers with free cracked software. Rheinmetall’s data was posted to BlackBasta's extortion site. The "Cuba" gang claims credit for the attack on the Philadelphia Inquirer. CERT-UA identifies a probable Russian cyberespionage campaign. Ireland views cyber assistance to Ukraine as a contribution to collective security. Ann Johnson from Afternoon Cyber Tea speaks with Tyrance Billingsley about Black Tech. Our guest is Oz Alashe from CybSafe on raising VC money amidst a down economy. And KillNet's underperforming hacktivists. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/100 Selected reading. Kimsuky | Ongoing Campaign Using Tailored Reconnaissance Toolkit (SentinelOne) North Korean Kimsuky Hackers Strike Again with Advanced Reconnaissance Malware (The Hacker News) Meet the GoldenJackal APT group. Don’t expect any howls (Kaspersky) Follina — a Microsoft Office code execution vulnerability (DoublePulsar) YouTube Pirated Software Videos Deliver Triple Threat: Vidar Stealer, Laplas Clipper, XMRig Miner (FortiGuard Labs) Arms maker Rheinmetall confirms BlackBasta ransomware attack (Bleeping Computer) Inquirer and forensics team investigating computer disruptions to publishing (Philadelphia Inquirer) Cuba ransomware claims cyberattack on Philadelphia Inquirer (Bleeping Computer) Espionage activity UAC-0063 in relation to Ukraine, Kazakhstan, Kyrgyzstan, Mongolia, Israel, India (CERT-UA#6549) (CERT-UA) Ukraine Identifies Central Asian Cyberespionage Campaign (BankInfoSecurity) Ireland’s cyber security agency has been providing ‘non-lethal aid’ to Ukraine (Irish Times)

AhRat exfiltrates files and records audio on Android devices. The BlackCat ransomware group uses a signed kernel driver to evade detection. GUI-Vil in the cloud. Unwitting money mules. Ben Yelin unpacks the Supreme Court’s section 230 rulings. Our guest is Mike DeNapoli from Cymulate with insights on cybersecurity effectiveness. And a trio of commercial spyware cases. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/12/99 Selected reading. Android app breaking bad: From legitimate screen recording to file exfiltration within a year (ESET) Love scam or espionage? Transparent Tribe lures Indian and Pakistani officials (ESET) BlackCat Ransomware Deploys New Signed Kernel Driver (Trend Micro) Unmasking GUI-Vil: Financially Motivated Cloud Threat Actor (Permiso) Uncle Sam strangles criminals' cashflow by reining in money mules (The Register) German prosecutors charge four over violating trade act to sell spyware to Turkey (Washington Post) Israel Torpedoed Morocco Spyware Deal - and NSO Competitor QuaDream Shut Down (Haaretz) He Was Investigating Mexico’s Military. Then the Spying Began. (New York Times)