CyberWire Daily

By CyberWire, Inc.



Category: Technology








Subscribers: 1433
Reviews: 5

CyberGirl
 Oct 28, 2020
An excellent resource for the cyber news of the day, without the extra "fluff". NOTE: this is NOT an educational podcast, it is strictly distilled news.

Matt Aguirre
 Mar 10, 2019

Average Joe
 Dec 12, 2018
This is a great source for a daily overview of what happened in Cyber Security and IT!

Mikey
 Nov 11, 2018
Although I enjoy listening, it's like a new language which I'm slowly learning. I wish some more time was given to background regarding malware.

Description

The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Episode, Duration (seconds), Date
Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? Cashout scams and neglected wallets. Developments in the Optus breach.
1704
Ukraine's Defense Intelligence warns of coming Russian cyberattacks against infrastructure. Next moves for Lapsus$? We know it’s a bear market, but take a look at your wallet, crypto speculators, at least now and then. Mr Security Answer Person John Pescatore on next year's most over-hyped term. Ben Yelin explains a thirty-five-million-dollar data privacy settlement. And, finally, developments in the Optus breach. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/186
Selected reading.
Invaders Preparing Mass Cyberattacks on Facilities of Critical Infrastructure of Ukraine and Its Allies (Defence Intelligence of the Ministry of Defence of Ukraine)
Ukraine Says Russia Planning 'Massive Cyberattacks' on Critical Infrastructure (SecurityWeek)
Ukraine warns of Russian cyber attacks targeting critical infrastructure (Computing)
Russia plans “massive cyberattacks” on critical infrastructure, Ukraine warns (Ars Technica)
Ukraine warns allies: Russia plans 'massive cyberattacks' (Register)
Hackers Working With Russia to Coordinate Cyberattacks, Google Says - Tech News Briefing - WSJ Podcasts (Wall Street Journal)
Viasat Hack "Did Not" Have Huge Impact on Ukrainian Military Communications, Official Says (Zero Day)
Who’s next in Lapsus$’ crosshairs? (Digital Shadows)
Report: Sift Uncovers New Cashout Scam Targeting Forgotten Crypto Accounts (GlobeNewswire News Room)
Optus hacker releases 10,000 customers' details and issues new threat (Sky News)
‘Last thing I need’: Optus customer scrambles to protect himself (Australian Financial Review)
An alleged hacker has offered their 'deepest apologies' to Optus. Here's the latest on the data breach (ABC)
Singtel's Optus under further fire for cyber breach; purported hackers claim data deleted (The Straits Times)
‘Not feasible’ to crack properly encrypted data (Australian Financial Review)
Optus hack not 'sophisticated' as claims 10,000 customers have data publicly released (9News)
Everything Happening in This Optus Cyberattack Shitstorm, I Promise (Vice)
Australian cybersecurity minister lambasts Optus for ‘unprecedented' hack (The Record by Recorded Future)
FBI Working With Australian Authorities on Optus Cyberattack (MarketScreener)
Sep 27, 2022
Unrest in Iran finds expression in cyberspace. Cyber conflict and diplomacy. Cybercrime in the hybrid war. And there seems to have been an arrest in the Uber and Rockstar breaches.
1827
Unrest in Iran finds expression in cyberspace. Albania explains its reasons for severing relations with Iran. Cybercrime in the hybrid war. Rick Howard on risk forecasting with data scientists. Dave Bittner sits down with Dr. Bilyana Lilly to discuss her new book: "Russian Information Warfare: Assault on Democracies in the Cyber Wild West." And there seems to have been an arrest in the Uber and Rockstar breaches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/185
Selected reading.
Iran’s War Within (Foreign Affairs)
Iran’s Hijab Protests Have Lit a Fire the Regime Can’t Put Out (World Politics Review)
‘Something big is happening’: the Iranians risking everything to protest (the Guardian)
Dissident: 'Iranian women are furious' over headscarf death (AP NEWS)
OpIran: Anonymous declares war on Teheran amid Mahsa Amini’s death (Security Affairs)
IDF official says military foiled ‘dozens’ of Iran cyberattacks on civilian sites (Times of Israel)
Analysis | 'Our Conflict With Iran Is Unparalleled', Say Israel's Elite Cyber Unit Commanders (Haaretz)
US Issues License to Expand Internet Access for Iranians (VOA)
US Treasury carves out Iran sanctions exceptions for internet providers (The Record by Recorded Future)
Iran and Albania: diplomacy and cyber operations (CyberWire)
Ukraine dismantles hacker gang that stole 30 million accounts (BleepingComputer)
The SBU neutralized a hacker group that "hacked" almost 30 million accounts of Ukrainian and EU citizens (SSU)
Personal details of celebrities, including Sir David Attenborough and Sarah Ferguson, leaked after Russian scammers hacked an organic store (News 24)
London Police Arrested 17-Year-Old Hacker Suspected of Uber and GTA 6 Breaches (The Hacker News)
UK teen suspected of Uber and Rockstar hacks arrested (Computing)
Sep 26, 2022
Adam Marrè: Learning to be a leader. [CISO] [Career Notes]
676
Adam Marrè, CISO of Arctic Wolf, sits down to share his story of rising through the ranks. After 9/11 he decided he wanted to make a difference in the world, so he chose to join the FBI, where he learned the skills that got him to where he is today. In his time at the FBI he was able to do what he loved, working with computers, while gaining more knowledge of cybersecurity, and he became certified in computer forensics. Ultimately he needed a change and decided to leave the FBI; he was able to learn the leadership skills he needed to move past that career path and follow a new dream. He is now able to share his passion with the world, helping people understand security so they can protect themselves, and helping people find success in their careers and in their lives. We thank Adam for sharing his story.
Sep 25, 2022
Keeping an eye on RDS vulnerabilities. [Research Saturday]
1046
Gafnit Amiga, Director of Security Research at Lightspin, joins Dave to discuss her team's research "AWS RDS Vulnerability Leads to AWS Internal Service Credentials." The research describes how the vulnerability was caught; right after it was reported, the AWS Security team applied an initial patch limited to the recent Amazon Relational Database Service (RDS) and Aurora PostgreSQL engines, excluding older versions. They followed up by personally reaching out to the customers affected by the vulnerability and helping them through the update process. The research states "Lightspin's Research Team obtained credentials to an internal AWS service by exploiting a local file read vulnerability on the RDS EC2 instance using the log_fdw extension." The research can be found here: AWS RDS Vulnerability Leads to AWS Internal Service Credentials
Sep 24, 2022
Privateers seem to be evolving into front groups for the Russian organs. Unidentified threat actors engaging in cyberespionage. Catphishing from a South Carolina prison.
2053
The GRU is closely coordinating with cyber criminals. An unidentified threat actor deploys malicious NPM packages. Gootloader uses blogging and SEO poisoning to attract victims. Metador is a so-far unattributed threat actor. Johannes Ullrich from SANS on resilient DNS infrastructure. Maria Varmazis interviews Anthony Colangelo, host of spaceflight podcast Main Engine Cutoff, about the iPhone 14 “Emergency SOS via Satellite” feature. And having too much time on your hands while doing time is not a good thing. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/184
Selected reading.
GRU: Rise of the (Telegram) MinIOns (Mandiant)
Void Balaur | The Sprawling Infrastructure of a Careless Mercenary (SentinelOne)
An unidentified threat actor deploys malicious NPM packets (CyberWire)
Threat analysis: Malicious npm package mimics Material Tailwind CSS tool (ReversingLabs)
A Multimillion Dollar Global Online Credit Card Scam Uncovered (ReasonLabs)
Gootloader Poisoned Blogs Uncovered by Deepwatch’s ATI Team (Deepwatch)
The Mystery of Metador | An Unattributed Threat Hiding in Telcos, ISPs, and Universities (SentinelOne)
SC inmate sentenced for ‘sextortion’ scheme that targeted military (Stars and Stripes)
Sep 23, 2022
GRU operators masquerade as Ukrainian telecommunications providers. 2K Games Support compromised to spread malware. Developments in the cyber underworld.
2103
GRU operators masquerade as Ukrainian telecommunications providers. Another video game maker is compromised to spread malware. Noberus may be a successor to Darkside and BlackMatter ransomware. Robert M. Lee from Dragos explains Crown Jewel analysis. Our guest is Nathan Hunstad from Code42 with thoughts on insider risk events. Threat actors have their insider threats, too. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/183
Selected reading.
Russia-Nexus UAC-0113 Emulating Telecommunication Providers in Ukraine (Recorded Future)
Russian Cyberspies Targeting Ukraine Pose as Telecoms Providers (SecurityWeek)
Shadowy Russian Cell Phone Companies Are Cropping Up in Ukraine (WIRED)
CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania. (CyberWire)
Iranian State Actors Conduct Cyber Operations Against the Government of Albania (CISA)
2K Games says hacked help desk targeted players with malware (BleepingComputer)
2K Games helpdesk hacked to spread malware to players (TechRadar)
Rockstar parent company hacked again as 2K Support sends users malware (Dexerto)
‘Grand Theft Auto VI’ leak is Rockstar’s nightmare, YouTubers’ dream (Washington Post)
Noberus Ransomware: Darkside and BlackMatter Successor Continues to Evolve its Tactics (Symantec)
LockBit ransomware builder leaked online by “angry developer” (BleepingComputer)
Sep 22, 2022
CISA Alert AA22-265A – Control system defense: know the opponent. [CISA Cybersecurity Alerts]
189
This alert builds on previous NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure. The alert documentation linked in the show notes describes TTPs that malicious actors use to compromise OT/ICS assets. It also recommends mitigations that owners and operators can use to defend their systems from each of the listed TTPs. NSA and CISA encourage OT and ICS owners and operators to apply the recommendations in this documentation.
AA22-265A Alert, Technical Details, and Mitigations
NSA and CISA guidance to stop malicious ICS activity and reduce OT exposure
For NSA client requirements or general cybersecurity inquiries, contact Cybersecurity_Requests@nsa.gov. To report incidents and anomalous activity or to request incident response resources or technical assistance related to these threats, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.
Sep 22, 2022
CISA Alert AA22-264A – Iranian state actors conduct cyber operations against the government of Albania. [CISA Cybersecurity Alerts]
189
In July 2022, Iranian state cyber actors—identifying as “HomeLand Justice”—launched a destructive cyber attack against the Government of Albania which rendered websites and services unavailable. An FBI investigation indicates Iranian state cyber actors acquired initial access to the victim’s network approximately 14 months before launching the destructive cyber attack, which included a ransomware-style file encryptor and disk wiping malware.
AA22-264A Alert, Technical Details, and Mitigations
CISA’s free Cyber Hygiene Services (CyHy)
CISA’s zero-trust principles and architecture
Iran Cyber Threat Overview and Advisories
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Sep 22, 2022
A call-up of Russian reserves, and more notes on the IT Army's claimed hack of the Wagner Group. Netflix phishbait. The Rockstar Games and LastPass incidents. CISA releases eight ICS Advisories.
1973
It’s partial mobilization in Russia, and airline flights departing Russia are said to be sold out. Further notes on the IT Army's claimed hack of the Wagner Group. Leveraging Netflix for credential harvesting. Rockstar Games suffers a leak of new Grand Theft Auto footage. Ben Yelin has the latest on regulations targeting crypto. Our guest is Amy Williams from BlueVoyant discussing the value of feminine energy in the male-dominated field of cybersecurity. CISA releases eight ICS Advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/182
Selected reading.
Russia moves toward annexing Ukraine regions in a major escalation (Washington Post)
Four occupied Ukraine regions plan imminent ‘votes’ on joining Russia (the Guardian)
Putin sets partial military call-up, won’t ‘bluff’ on nukes (AP NEWS)
Putin announces partial military mobilization for Russian citizens (Axios)
Pro-Ukraine Hacktivists Claim to Have Hacked Notorious Russian Mercenary Group (Vice)
Fresh Phish: Netflix Bad Actors Go Behind the Scenes to Stage a Credential Harvesting Heist (INKY)
Leveraging Netflix for credential harvesting. (CyberWire)
Social Engineering: How A Teen Hacker Allegedly Managed To Breach Both Uber And Rockstar Games (Forbes)
Rockstar Games suffers leak of new Grand Theft Auto footage. (CyberWire)
LastPass source code breach – incident response report released (Naked Security)
Notice of Recent Security Incident (The LastPass Blog)
The LastPass incident. (CyberWire)
Medtronic NGP 600 Series Insulin Pumps (CISA)
Hitachi Energy PROMOD IV (CISA)
Hitachi Energy AFF660/665 Series (CISA)
Dataprobe iBoot-PDU (CISA)
Host Engineering Communications Module (CISA)
AutomationDirect DirectLOGIC with Ethernet (CISA)
AutomationDirect DirectLOGIC with Serial Communication (CISA)
MiCODUS MV720 GPS tracker (Update A) (CISA)
Sep 21, 2022
An overview of Russian cyber operations. The IT Army of Ukraine says it’s doxed the Wagner Group. Lapsus$ blamed for Uber hack. A look at the risk of stolen single sign-on credentials.
1936
An overview of Russian cyber operations. The IT Army of Ukraine claims to have doxed the Wagner Group. Who dunnit? Lapsus$ dunnit. Emily Mossburg from Deloitte and Shelley Zalis of the Female Quotient on why gender equality is essential to the success of the cyber industry. We’ve got a special preview of the International Spy Museum's SpyCast's latest episode with host Andrew Hammond interviewing Robert Gates on the 75th anniversary of the CIA. And a look at the risk of stolen single sign-on credentials. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/181
Selected reading.
Ukraine's IT Army hacks Russia's Wagner Group (Computing)
Untangling the Russian web: Spies, proxies, and spectrums of Russian cyber behavior (Atlantic Council)
Security update | Uber Newsroom (Uber Newsroom)
Tentative attribution in the Uber breach. (CyberWire)
Uber says Lapsus$-linked hacker responsible for breach (Reuters)
Uber blames security breach on Lapsus$, says it bought credentials on the dark web (ZDNET)
Uber's breach shows how hackers keep finding a way in (Protocol)
Uber attributes hack to Lapsus$, working with FBI and DOJ on investigation (The Record by Recorded Future)
Uber data breach spotlights need for enterprises to ‘get the basics right’, say experts (ITP.net)
"Keys to the Kingdom" at Risk: Analyzing Exposed SSO Credentials of Public Companies (Bitsight)
Sep 20, 2022
An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. And risky piracy sites.
1783
An update on the Uber breach. Emotet and other malware delivery systems. Belarusian Cyber Partisans work against the regime in Minsk. Grayson Milbourne of OpenText Security Solutions on the arms race for vulnerabilities. Rick Howard continues his exploration of cyber risk. And risky piracy sites: that’s on the Internet, kids, not the high seas. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/180
Selected reading.
Developments in the case of the Uber breach. (CyberWire)
Preliminary lessons from the Uber breach. (CyberWire)
Uber says “no evidence” user accounts were compromised in hack (The Verge)
Uber Claims No Sensitive Data Exposed in Latest Breach… But There's More to This (The Hacker News)
Uber apparently hacked by teen, employees thought it was a joke (The Verge)
Uber hacker claims to have full control of company's cloud-based servers (9to5Mac)
The Uber Hack’s Devastation Is Just Starting to Reveal Itself (WIRED)
Uber was breached to its core, purportedly by an 18-year-old. Here’s what’s known (Ars Technica)
Uber hacked by teen who annoyed employee into logging them in - report (Jerusalem Post)
18-year-old allegedly hacks Uber and sends employees messages on Slack (Interesting Engineering)
Uber Investigating Massive Security Breach by Alleged Teen Hacker (Gizmodo)
Uber cyber attack: protecting against social engineering (Information Age)
Threat actor breaches many of Uber’s critical systems (Cybersecurity Dive)
Uber confirms hack in the latest access and identity nightmare for corporate America (SC Media)
Uber hacked, attacker tears through the company's systems (Help Net Security)
Uber confirms it is investigating cybersecurity incident (The Record by Recorded Future)
UBER HAS BEEN HACKED, boasts hacker – how to stop it happening to you (Naked Security)
Emotet and other malware delivery systems. (CyberWire)
Emotet botnet now pushes Quantum and BlackCat ransomware (BleepingComputer)
AdvIntel's State of Emotet aka "SpmTools" Displays Over Million Compromised Machines Through 2022 (AdvIntel)
August’s Top Malware: Emotet Knocked off Top Spot by FormBook while GuLoader and Joker Disrupt the Index (Check Point Software)
How Belarusian hacktivists are using digital tools to fight back (The Record by Recorded Future)
Malvertising on piracy sites. (CyberWire)
Unholy Triangle (Digital Citizens' Alliance)
Piracy Advertising Researchers Fall Victim to Ransomware Attacks (TorrentFreak)
Sep 19, 2022
Jaya Baloo: Don't be afraid to bounce ideas off your teammates. [CISO] [Career Notes]
619
Jaya Baloo, Chief Information Security Officer at Avast, sits down to share her story, explaining how she got into the technology field at a young age when she was introduced to computers and games on her PS 24. She started off studying political science in college and, not knowing what to do after that, got her first start in cybersecurity. After falling in love with cybersecurity she kept moving up the ranks in different organizations before finding herself at Avast. She shares that at Avast she leans on her team quite a bit, and that you should never be afraid to bounce ideas off of your teammates. She says "The best ideas come from like bouncing ideas off of each other, sharing within the group and then if I can't figure it out myself, that's why I hire these amazing individuals it's to help me figure it out." We thank Jaya for sharing her story.
Sep 18, 2022
An increase in bypassing bot management? [Research Saturday]
969
Sam Crowther, CEO of Kasada, joins Dave to discuss their work on "The New Way Fraudsters Bypass Bot Management." Kasada researchers recently discovered a new type of bot called Solver Services, which is created and used by bad actors to bypass the majority of bot management systems. The research states "Now it’s easier than ever for mainstream bot operators to scrape content, take over accounts, hoard inventory, and commit other forms of automated fraud against organizations using legacy bot management solutions." Attackers are able to buy these “Solver” bots, APIs, and services for less than $500 per month to make a profit. The research can be found here: The Emergence of Solver Services: The New Way Fraudsters Bypass Bot Management Vendors
Sep 17, 2022
Uber sustains a major data breach. Notes on the underworld. A large DDoS attack is stopped in Eastern Europe. An FBI alert and a brace of CISA advisories. Congress deliberates cyber policy.
2065
Uber suffers a data breach. Social media executives testify before Congress. A large DDoS attack is thwarted in Eastern Europe. The FBI warns of increased cyberattacks against healthcare payment processors. Policy makers consider new OT security incentives. Malek Ben Salem from Accenture on future-proof cloud security. Our guest Diana Kelley from Cybrize discusses the need for innovation and entrepreneurship in cybersecurity. And if you’ve been hoping for a LockerGoga decryptor, you’re in luck. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/179
Selected reading.
Uber hacked, internal systems breached and vulnerability reports stolen (BleepingComputer)
Uber suffers computer system breach, alerts authorities (Washington Post)
Uber Investigating Data Breach After Hacker Claims Extensive Compromise (SecurityWeek)
Uber Investigating Breach of Its Computer Systems (New York Times)
Uber investigating "total compromise" of its internal systems (Computing)
There’s No Honor Among Thieves: Carding Forum Staff Defraud Users in an ESCROW Scam (Digital Shadows)
Social media hearings highlight lack of trust, transparency in sector (The Record by Recorded Future)
Breaking the Boycott (Cybersixgill)
Record-Breaking DDoS Attack in Europe (Akamai)
Cyber Criminals Targeting Healthcare Payment Processors, Costing Victims Millions in Losses (FBI)
Siemens Mobility CoreShield OWG Software (CISA)
Siemens Simcenter Femap and Parasolid (CISA)
Siemens RUGGEDCOM ROS (CISA)
Siemens Mendix SAML Module (CISA)
Siemens SINEC INS (CISA)
Siemens RUGGEDCOM ROS (Update A) (CISA)
Simcenter Femap and Parasolid (CISA)
Siemens Industrial Products Intel CPUs (Update A) (CISA)
Siemens OpenSSL Affected Industrial Products (CISA)
Siemens OpenSSL Vulnerability in Industrial Products (Update E) (CISA)
Siemens SCALANCE (CISA)
CISA Adds Six Known Exploited Vulnerabilities to Catalog (CISA)
Building on our Baseline: Securing Industrial Control Systems Against Cyberattacks (House Committee on Homeland Security)
Bitdefender Releases Universal LockerGoga Decryptor in Cooperation with Law Enforcement (Bitdefender Labs)
Sep 16, 2022
CISA Alert AA22-257A – Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations. [CISA Cybersecurity Alerts]
151
This joint Cybersecurity Advisory highlights continued malicious cyber activity by advanced persistent threat actors affiliated with the Iranian Government’s Islamic Revolutionary Guard Corps. The IRGC-affiliated actors are actively targeting a broad range of entities, including entities across multiple U.S. critical infrastructure sectors as well as Australian, Canadian, and United Kingdom organizations.
AA22-257A Alert, Technical Details, and Mitigations
AA22-257A.stix
CISA’s Iran Cyber Threat Overview and Advisories
FBI’s Iran Threat webpage
Iranian Government-Sponsored APT Cyber Actors Exploiting Microsoft Exchange and Fortinet Vulnerabilities in Furtherance of Malicious Activities
Technical Approaches to Uncovering and Remediating Malicious Activity
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Sep 15, 2022
Notes from the hybrid war: nuisance-level DDoS, cyberespionage, and the possibility of financially motivated hacking. US policy on the software supply chain, and notes from the underworld.
2120
Nuisance-level DDoS and cyberespionage continue to mark Russia's cyber campaign in the hybrid war. There’s a US Presidential memorandum on software supply chain security. Webworm repurposes older RATs. Trends in cyber insurance claims. OriginLogger may be the new Agent Tesla. The SparklingGoblin APT described. Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. And Royal funeral phishbait. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/178
Selected reading.
Pro-Russia hackers claim to have temporarily brought down Japanese govt websites (Asia News Network)
Gamaredon APT targets Ukrainian government agencies in new campaign (Cisco Talos)
Russia-linked Gamaredon APT target Ukraine with a new info-stealer (Security Affairs)
Fears grow of Russian spies turning to industrial espionage (The Record by Recorded Future)
Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (The White House)
Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience (The White House)
White House releases post-SolarWinds federal software security requirements (Federal News Network)
Webworm: Espionage Attackers Testing and Using Older Modified RATs (Threat Hunter Team Symantec)
Coalition Releases 2022 Cyber Claims Report: Mid-year Update (GlobeNewswire News Room)
OriginLogger: A Look at Agent Tesla’s Successor (Unit 42)
You never walk alone: The SideWalk backdoor gets a Linux variant (WeLiveSecurity)
[Scam site harvests credentials] (Proofpoint)
Current, former social media execs address national security issues at Senate hearing (Fox Business)
Senators Have Stopped Embarrassing Themselves at Tech Hearings (Slate Magazine)
Sep 15, 2022
Patch Tuesday notes. Mr. Mudge goes to Washington. Joint warning of IRGC cyber activity. No major developments in the cyber phases of Russia’s hybrid war (but Ukraine is sounding confident).
2163
Patch Tuesday notes. The US Senate Judiciary Committee hears from the Twitter whistleblower. Joint warning of IRGC cyber activity. Rob Boyce from Accenture on cybercriminals weaponizing leaked ransomware data. Chris Novak from Verizon describes his participation in the CISA Advisory Board. And Ukraine reiterates confidence in its resiliency. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/177
Selected reading.
Adobe Patches 63 Security Flaws in Patch Tuesday Bundle (SecurityWeek)
Microsoft Releases September 2022 Security Updates (CISA)
Microsoft's September Patch Tuesday fixes five critical bugs (Computing)
Microsoft Raises Alert for Under-Attack Windows Flaw (SecurityWeek)
SAP Security Patch Day September 2022 (Onapsis)
Apple Releases Security Updates for Multiple Products (CISA)
Apple fixes eighth zero-day used to hack iPhones and Macs this year (BleepingComputer)
Apple Will Let You Remove Rapid Security Response Updates in iOS 16 (Mac Rumors)
Data Security at Risk: Testimony from a Twitter Whistleblower (United States Senate Committee on the Judiciary)
Twitter Employees Have Too Much Access to Data, Whistleblower Says (Wall Street Journal)
Twitter whistleblower reveals employees concerned China agent could collect user data (Reuters)
Security failures cause ‘real harm to real people’ (Washington Post)
Twitter whistleblower testifies to Congress, calls for tech regulation reforms (The Record by Recorded Future)
The Search for Dirt on the Twitter Whistle-Blower (The New Yorker)
Whistle-Blower Says Twitter ‘Chose to Mislead’ on Security Flaws (New York Times)
Twitter whistleblower says site put growth over security (Computing)
Written Statement of Peiter (“Mudge”) Zatko United States Senate Judiciary Committee September 13, 2022 (Katz Banks Kumin)
What we learned when Twitter whistleblower Mudge testified to Congress (TechCrunch)
How China became big business for Twitter (Reuters)
Twitter whistleblower exposes limits of FTC’s power (Washington Post)
Twitter Whistle-Blower Testimony Spurs Calls for Tech Regulator (Bloomberg)
Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations (CISA)
Ukraine’s Cyberwar Chief Sounds Like He’s Winning (WIRED)
DDoS attacks on financial sector surge during war in Ukraine, new FCA data reveals (PR Newswire)
Sep 14, 2022
A conversation with members of Baltimore FBI: Special Agent in Charge, Tom Sobocinski, and Supervisory Special Agent for Cyber, Tom Breeden. [Special Editions]
1205
In this extended interview, CyberWire Daily Podcast host Dave Bittner sits down with members of the FBI's Baltimore field office: Special Agent in Charge, Tom Sobocinski, and Supervisory Special Agent for Cyber, Tom Breeden. As part of the FBI's cybersecurity awareness campaign, they discuss what the FBI can do to enhance and amplify cyber efforts in ways unlike any other public or private organization. This interview from August 30, 2022 originally aired as a shortened version on the CyberWire Daily Podcast.
Sep 13, 2022
Apple patches. Reviewing the cyber phase of a hybrid war. ShadowPad’s return. Phishing from the Static Expressway. Medical device threats. Security trends. Charming Kitten’s social engineering.
2127
Apple patches its software. Reviewing the cyber phase of a hybrid war. The return of the (ShadowPad) alumni. Phishing from the Static Expressway. The state of cloud security. Overconfidence comes at a cost. Ann Johnson of Afternoon Cyber Tea speaks with Dr. Josephine Wolff from the Fletcher School about cyber insurance past. My conversation with FBI special agents Tom Sobocinski and Tom Breeden. And Charming Kitten and group-think in social engineering. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/176
Selected reading.
Apple security updates (Apple Support)
Ukraine Cyber War Update September 2022 (CyberCube)
New Wave of Espionage Activity Targets Asian Governments (Broadcom Software Blogs)
Chinese gov’t hackers using ‘diverse’ toolset to target Asian prime ministers, telecoms (The Record by Recorded Future)
Leveraging Facebook Ads to Send Credential Harvesting Links (Avanan)
Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities (FBI)
CFO Cyber Security Survey: Over-Confidence is Costly (Kroll)
Snyk’s State of Cloud Security Report Reveals 80% of Organizations Have Experienced a Severe Cloud Security Incident in Past Year (Snyk)
Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO (Proofpoint)
Iranian military using spoofed personas to target nuclear security researchers (The Record by Recorded Future)
Alleged cyber commander of Iran’s Revolutionary Guard named by opposition outlet (Times of Israel)
Sep 13, 2022
Albania reports more Iranian cyberattacks. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet.
1887
Albania reports additional cyberattacks from Iran over the weekend. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet. Kinetic strikes hit Ukraine’s infrastructure. Rick Howard calculates risk with classic mathematical theorems. Tim Eades from Cyber Mentor Fund on the dynamic nature of the attack surface. And a look into the cyber phase of the hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/175 Selected reading. Albania blames Iran for second cyberattack since July (CNN) Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities (US Department of the Treasury) Iran strongly condemns US sanctions over Albania hacking (Al Arabiya) Six months into Breached: The legacy of RaidForums? (KELA) 2022 State of the Internet Report (Censys) Ukraine hails snowballing offensive, blames Russia for blackouts (Reuters) Ukraine says Russia is retaliating by hitting critical infrastructure, causing blackouts. (New York Times) Last reactor at Ukraine’s Zaporizhzhia nuclear plant stopped (Associated Press) Ukraine Warns Russian Cyber Onslaught Is Coming (Voice of America) Montenegro wrestles with massive cyberattack, Russia blamed (ABC News) CyberCube: Russia’s Sovereign Internet Creates Security Risks With Implications for Cyber (Re)Insurance While War in Ukraine Develops (Associated Press)
Sep 12, 2022
Mark Logan: March towards your goals. [CEO] [Career Notes]
651
Mark Logan, CEO of One Identity, sits down to share his story, explaining how he fit into different roles growing up in different companies. Mark has nearly two decades of C-Suite experience at an array of different organizations, finally landing on his current position as the CEO at One Identity. Sharing his different roles, he also gives a quote from Steve Jobs, saying "it's not what I say yes to, it's what I say no to." He believes that's a key area for his workers because when he is able to make up his mind, his team and his customers have someone they can rely on. Mark says that as a CEO he wants to share the advice of always marching towards your goals, and identifying that different people have different goals because they work in different fields, but that's what makes a company work best. He says "I've found that the more you can delegate, provided you've got the right folks in place the better." We thank Mark for sharing his story.
Sep 11, 2022
A CSO's 9/11 Story: CSO Perspectives Bonus.
1713
From the 20th anniversary of 9/11 in 2021, Rick Howard, the CyberWire’s CSO, Chief Analyst, and Senior Fellow, recounts his experience from inside the Pentagon running the communications systems for the Army Operations Center. CyberWire Pro subscribers also get exclusive access to Rick's original 2001 essay with notes from the day of the attack. If you would like to check that out, you can subscribe today.
Sep 11, 2022
Evilnum APT returns with new targets. [Research Saturday]
1387
Deepen Desai from Zscaler ThreatLabz joins Dave to discuss their work on "Return of the Evilnum APT with updated TTPs and new targets." Zscaler's ThreatLabz team recently caught a new Evilnum APT attack campaign that uses the document template feature of MS Office Word to inject a malicious payload into the victim's machine. The campaign has three new instances, including updated tactics, techniques, and procedures. Researchers have been closely monitoring Evilnum APT's activity. They say ThreatLabz identified several domains associated with the Evilnum APT group, which led them to discover that the "group has been successful at flying under the radar and has remained undetected for a long time." The research can be found here: Return of the Evilnum APT with updated TTPs and new targets
Sep 10, 2022
Threats to US elections. Lazarus Group targeting energy companies. Gaming-related threats.
2229
Nation-states are expected to target the US midterm elections. North Korea's Lazarus Group is targeting energy companies. Ukraine's Ministry of Digital Transformation on cyber lessons learned from Russia's hybrid war against Ukraine. CISA flags twelve known exploited vulnerabilities for attention and remediation. Vulnerable anti-cheat engines used for malicious purposes. Steve Carter from Nucleus Security has thoughts on AI in cybersecurity. Roland Cloutier, former CSO of TikTok, discusses working around the changing career field, needs, and how enterprise executives are developing and finding talent. And a look at top gaming-related malware lures. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/174 Selected reading. Mandiant 'highly confident' foreign cyberspies will target US midterm elections (The Register) What to Expect When You're Electing: Preparing for Cyber Threats to the 2022 U.S. Midterm Elections (Mandiant) North Korea's Lazarus hackers are exploiting Log4j flaw to hack US energy companies (TechCrunch) Lazarus and the tale of three RATs (Cisco Talos) How Gaming Cheats Are Cashing in Below the Operating System (Eclypsium) Good game, well played: an overview of gaming-related cyberthreats in 2022 (Securelist) Cybercriminals target games popular with kids to distribute malware (The Register) CISA Adds Twelve Known Exploited Vulnerabilities to Catalog (CISA)
Sep 09, 2022
Bronze President shows both enduring interests and adaptability. Iranian threat actor activity reported. Cybersecurity and small-to-medium businesses.
1935
Bronze President shows both enduring interests and adaptability. Iranian threat actor activity is reported. Cybersecurity and small-to-medium businesses. An initial access broker repurposes Conti's old playbook for use against Ukraine. Johannes Ullrich from SANS on Scanning for VoIP Servers. Our guest is Ian Smith from Chronosphere on observability. And Kyivstar as a case study in telco resiliency. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/173 Selected reading. BRONZE PRESIDENT Targets Government Officials (Secureworks) APT42: Crooked Charms, Cons, and Compromises (Mandiant) Profiling DEV-0270: PHOSPHORUS’ ransomware operations (Microsoft) Albania cuts diplomatic ties with Iran over July cyberattack (The Washington Post) Initial access broker repurposing techniques in targeted attacks against Ukraine (Google) Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (IBM SecurityIntelligence) Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (BleepingComputer) Ukraine’s largest telecom stands against Russian cyberattacks (POLITICO)
Sep 08, 2022
Albania attributes major cyberattack to Iran. TikTok denies breach. New Linux malware.
1542
The Albanian government attributes a disruptive cyber attack to Iran. TikTok says it’s found no evidence of a data breach. Researchers have discovered a new strain of Linux malware. US agencies warn of ransomware targeting the education sector. Finland prepares to increase its cybersecurity capacity. Deepen Desai from Zscaler on the latest updates to Raccoon Stealer. Our guest is Lance Spitzner from the SANS Institute with results of their recent Security Awareness Report. And a fond farewell to the father of Let’s Encrypt. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/172 Selected reading. Albania cuts Iran ties over cyberattack, U.S. vows further action (Reuters) Statement by NSC Spokesperson Adrienne Watson on Iran’s Cyberattack against Albania (The White House) TikTok Data Breach Exposing 2B Records And Source Code May Not Have Happened After All (Hot Hardware) TikTok Denies Data Breach Reportedly Exposing Over 2 Billion Users' Information (The Hacker News) Shikitega - New stealthy malware targeting Linux (AT&T Alien Labs) #StopRansomware: Vice Society (CISA) Peter Eckersley, tech activist and founder of Let's Encrypt, dies at 43 (Techspot) Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone (Electronic Frontier Foundation)
Sep 07, 2022
CISA Alert AA22-249A – "#StopRansomware: Vice Society." [CISA Cybersecurity Alerts]
203
CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, or MS-ISAC, are releasing this advisory to disseminate indicators of compromise and TTPs associated with Vice Society actors and their ransomware campaigns. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks. AA22-249A Alert, Technical Details, and Mitigations. Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Sep 06, 2022
Notes on the C2C market. A new cyberespionage threat actor has surfaced. Sharkbot made a brief return to Google Play. Privateering and catphishing in the hybrid war.
1883
A Phishing-as-a-service offering on the dark web bypasses MFA. The Worok cyberespionage group is active in Central Asia and the Middle East. Prynt Stealer and the evolution of commodity malware. Sharkbot malware reemerged in Google Play. BlackCat/ALPHV claims credit for attack on the Italian energy sector. Joe Carrigan shares stats on social engineering. Our guest is Angela Redmond from BARR Advisory with six cybersecurity KPIs. And the Los Angeles Unified School District was hit with ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/171 Selected reading. EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (Resecurity) Worok: The big picture (WeLiveSecurity)  Dev backdoors own malware to steal data from other hackers (BleepingComputer)  The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals (Security Affairs) Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (The Hacker News) SharkBot malware sneaks back on Google Play to steal your logins (BleepingComputer)  BlackCat ransomware claims attack on Italian energy agency (BleepingComputer) 11.84GB of United States Military Contractor and Military Reserve data has been leaked. (vx-underground) Hackers honeytrap Russian troops into sharing location, base bombed: Report (Newsweek)  LAUSD hit by hackers in apparent cyber attack (FOX 11 Los Angeles) Los Angeles Unified Targeted by Ransomware Atta (Los Angeles Unified School District)
Sep 06, 2022
New CISO responsibilities: supply chain. [CSO Perspectives]
1483
Rick Howard, the CyberWire's CSO and Chief Analyst, is joined by Hash Table members Ann Johnson, Microsoft's Corporate VP on Security, Compliance, & Identity, and Ted Wagner, the SAP National Security Services CISO, to discuss supply chain as a new CISO responsibility.
Sep 05, 2022
Anjali Hansen: Cross team collaboration works best. [Privacy Counsel] [Career Notes]
596
Anjali Hansen, a senior privacy counselor from Noname Security, shares her story of climbing through the ranks to get to where she is today. When Anjali started, she wanted to do international law. She began working for the International Trade Commission after law school, which is where she gained most of her experience and real-world abilities. Working with online fraud and abuse, she shares, concerned her because it felt like governments could not protect organizations from the threats occurring, which is how she got interested in cyber crime. From there, she moved to Noname Security, where she found herself working with every group in the organization, creating a cross-team collaboration, a model she greatly admires. She says "We have to help other departments protect the data because the data's throughout an organization, it's in HR, it's in sales and marketing, it's in IT, it's in finance. So you have to be able to work with all these teams." We thank Anjali for sharing her story.
Sep 04, 2022
LockBit's contradiction on encryption speed. [Research Saturday]
1264
Ryan Kovar from Splunk sits down with Dave to discuss their findings in "Truth in Malvertising?" that contradict the LockBit group's encryption speed claims. Splunk's SURGe team recently released a whitepaper, blog, and video that outlined the encryption speeds of 10 different ransomware families. During their research they came across LockBit doing the same thing. After completing the research, the researchers came back to test the veracity of LockBit's findings. The research showed three interesting finds. The first find showed that LockBit's fastest and slowest samples were closely aligned between the tests, but the other results were very different. They also found that LockBit continues to be the fastest ransomware, but LockBit 2.0 was more efficient yet slower than its previous counterpart, LockBit 1.0. Lastly, once ransomware gets to the point of encrypting your systems, it's too late. The research can be found here: Truth in Malvertising?
Sep 03, 2022
Ransomware groups continue to shift identities and targets. Assessments of the cyber phases of a hybrid war. Is wartime tough for criminals? Anonymous counts coup…against Moscow’s taxis.
1790
REvil (or an impostor, or successor) may be back. A Paris-area medical center continues to work to recover from cyber extortion. An assessment of Russian failure (or disinclination) to mount effective cyber campaigns. Cyber criminals find wartime to be a tough time. Josh Ray from Accenture looks at cyber threats to the rail industry. Our guest is Dan Murphy of Invicti making the case that not all vulnerabilities are created equal. And Yandex Taxi’s app was hacked in a nuisance attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/170 Selected reading. REvil says they breached electronics giant Midea Group (Cybernews) Paralysed French hospital fights cyber attack as hackers lower ransom demand (RFI) French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer) Hacks tied to Russia and Ukraine war have had minor impact, researchers say (The Record by Recorded Future)  Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict (arXiv:2208.10629v2)  Why Russia's cyber war in Ukraine hasn't played out as predicted (New Atlas) Cyber key in Ukraine war, says spy chief (The Canberra Times)  Montenegro Sent Back to Analog by Unprecedented Cyber Attacks (Balkan Insight) Montenegro blames criminal gang for cyber attacks on government (EU Reporter) Ransomware Attack Sends Montenegro Reaching Out to NATO Partners (Bloomberg)  “I’m tired of living in poverty” – Russian-Speaking Cyber Criminals Feeling the Economic Pinch (Digital Shadows) Yandex Taxi hack creates huge traffic jam in Moscow (Cybernews) Anonymous hacked Russia's largest taxi firm and caused a massive traffic jam (Daily Star)
Sep 02, 2022
News on three ransomware operations: BianLian, Cuba, and Ragnar Locker. How the gangs are recruiting. Mobile app supply chain blues. Happy Insider Threat Month.
1899
The BianLian ransomware gang is better at coding than at the business of crime. The attack on Montenegro seems to be ransomware. A look at Ragnar Locker's current interests. Recruiting for gangland gets allusive, but those who know, well, they know. Our guest is Dan Lanir of OPSWAT with insights on recent federal legislation supporting cyber jobs. Ben Yelin examines a lawsuit filed by the FTC against an online data broker. And it's Insider Threat Month, so keep an eye on yourself. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/169 Selected reading. BianLian Ransomware Gang Gives It a Go! ([redacted]) Montenegro blames criminal gang for cyber attacks on government (Reuters) FBI's team to investigate massive cyberattack in Montenegro (AP NEWS) US issues rare security alert as Montenegro battles ransomware (TechCrunch) Cuba ransomware group claims attack on Montenegro government (IT PRO) Cuba Ransomware Team claims credit for attack on Montenegro (Databreaches.net) Montenegro blames Cuba ransomware for cyberattack (Cybernews) Cybercriminals Apparently Involved in Russia-Linked Attack on Montenegro Government (SecurityWeek) THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector (Cybereason) Behind the News: The Ragnar Locker Attack on Greek Natural Gas Supplier DESFA - Radiflow (Radiflow) Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information (Broadcom Software Blogs / Threat Intelligence) "Looking for pentesters": How Forum Life Has Conformed to the Ransomware Ban (Digital Shadows) NCSC and Federal Partners Focus on Countering Risk in Digital Spaces during National Insider Threat Awareness Month 2022 (ODNI)
Sep 01, 2022
Securing multi-cloud identity with orchestration. [CyberWire-X]
1897
While multi-cloud brings significant benefits, it also poses serious security risks. And identity is the reason. Each cloud platform, such as Azure, Google, and AWS, uses proprietary identity systems, and the lack of interoperability makes it unruly to manage. These disparate systems can’t talk to each other resulting in a fragmented environment full of identity silos — the perfect way for an attacker to get in and cause destruction. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Rick Doten, the CISO for Healthcare Enterprises and Centene. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Strata Identity's CEO and Co-founder Eric Olden. Both sets of discussions center around the challenges to identity management caused by the rapid shift to multi-cloud. 
Sep 01, 2022
Malicious Chrome extensions. BEC in Kentucky. Dispatches from a hybrid war, including state-directed, partisan, and criminal action. ICS advisories. “Cosplaying” hardware.
1576
Chrome extensions steal browser data. A business email compromise attack is under investigation in Kentucky. Belarusian Cyber Partisans claim to have a complete Belarusian passport database. Organizing a cyber militia. CISA releases twelve ICS security advisories. Our guest is Asaf Kochan of Sentra on overemphasizing "the big one." Carole Theriault cautions against getting ahead of yourself in the cryptocurrency supply chain. "Cosplaying" hardware. And Canada welcomes a new SIGINT boss. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/168 Selected reading. Chrome extensions with 1.4 million installs steal browsing data (BleepingComputer) Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users (McAfee Blog) Police investigate electronic theft of federal funds (City of Lexington) FBI, Secret Service join Kentucky investigation into $4 million cybercrime theft (The Record by Recorded Future) Russian hackers blamed for ongoing Montenegro cyberattack (Tech Monitor) "For the 1st time in human history a #hacktivist collective obtained passport info of the ALL country's citizens." (Cyber Partisans) Inside the IT Army of Ukraine, 'A Hub for Digital Resistance' (The Record by Recorded Future) Ukraine takes down cybercrime group hitting crypto fraud victims (BleepingComputer) Hitachi Energy FACTS Control Platform (FCP) Product (CISA) Hitachi Energy Gateway Station (GWS) Product (CISA) Hitachi Energy MSM Product (CISA) Hitachi Energy RTU500 series (CISA) Fuji Electric D300win (CISA) Honeywell ControlEdge (CISA) Honeywell Experion LX (CISA) Honeywell Trend Controls Inter-Controller Protocol (CISA) Omron CX-Programmer (CISA) PTC Kepware KEPServerEX (CISA) Sensormatic Electronics iSTAR (CISA) Mitsubishi Electric GT SoftGOT2000 (CISA) Walmart Sells Fake 30TB Hard Drive That's Actually Two Small SD Cards in a Trench Coat (Vice)
Aug 31, 2022
Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Notes from Russia’s hybrid war. And the LockBit gang looks beyond double extortion.
1546
Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Montenegro works to recover from a Russian cyber offensive. A big Russian streaming platform sustains a data leak. Ann Johnson of the Afternoon Cyber Tea podcast speaks with Dave DeWalt of NightDragon and Jay Leek of both Syn Ventures and Clear Sky Security about cyber capital investment. Mr. Security Answer Person John Pescatore examines the allure of the healthcare industry for ransomware operators. And the LockBit gang looks beyond double extortion. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/167 Selected reading. Rising Tide: Chasing the Currents of Espionage in the South China Sea (Proofpoint)  Why the Twilio Breach Cuts So Deep (WIRED) Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms (Threatpost) Hackers used Twilio breach to intercept Okta onetime passwords (SiliconANGLE) Okta Impersonation Technique Could be Utilized by Attackers (SecurityWeek) Ukraine launches counter-offensive to retake Kherson from Russia (The Telegraph) Russia-Ukraine war: Kremlin insists invasion going to plan despite counterattacks; first grain ship docks in Africa – live (the Guardian) Montenegro says Russian cyberattacks threaten key state functions (BleepingComputer) Montenegro struggles to recover from cyberattack that officials blame on Russia (The Record by Recorded Future) Leading Russian streaming platform suffers data leak allegedly impacting 44 million users (The Record by Recorded Future)  LockBit ransomware mulls triple extortion following DDoS attack (SC Media)
Aug 30, 2022
How a hybrid war spreads its cyber effects. Russian and Chinese cyber ops in Latin America. Greenwashing influence. Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
1455
Russian cyber operations in Southeastern Europe. The challenge of containing the cyber phases of a hybrid war. Russian and Chinese cyber activity in Latin America. Greenwashing influence operations. Rick Howard looks at risk probabilities. Dinah Davis from Arctic Wolf looks at ransomware payment myths. And an Iranian threat actor exploits Log4j vulnerabilities against Israeli targets. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/166 Selected reading. Russia blamed for wave of hacker attacks in Southeast Europe (BNE) Montenegro declares it is in 'hybrid war' with Russia after massive cyber attack (Metro) Montenegro reports massive Russian cyberattack against govt (ABC News) Montenegro Reports Massive Russian Cyberattack Against Govt (AP via SecurityWeek) Montenegro's state infrastructure hit by cyber attack -officials (Reuters)  Cyber Element in the Russia-Ukraine War & its Global Implications (Modern Diplomacy) Swiss secret service worried about Russian cyber operations (SWI swissinfo.ch) China and Russia Step Up Cyber Presence in Latin America (Diálogo Américas) Dominican Republic refuses to pay ransom after attack on agrarian institute (The Record by Recorded Future)  China-Linked Bots Attacking Rare Earths Producer ‘Every Day’ (Bloomberg)  Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations (The Hacker News) MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations (Microsoft Threat Intelligence Center) Iran exploiting Log4j 2 weakness to attack Israel, says Microsoft (Israel Defense)
Aug 29, 2022
David Nosibor: Taking calculated risks. [Product Lead] [Career Notes]
486
David Nosibor, Product Lead for SafeCyber at UL Solutions, started his career in a unique way by not letting himself be pigeonholed. Within his company, David was able to grow to the position he is in now and says that his position feels like a lot of roles tied into one. He says that on any given day he is tackling all sorts of elements, such as marketing, operations, working with the engineering team, figuring out ways to acquire customers, retain them, and also working on sales and business development capabilities. He also says that constantly learning and getting new opportunities was how he ended up being where he is today. David states that staying focused and being on the lookout for ways to accomplish the mission is the best way for him in his company to democratize product security. He quotes the famous singer Sean Carter in saying that he firmly believes in taking calculated risks to get where you need to be going. We thank David for sharing his story.
Aug 28, 2022
How a wide scale Facebook campaign stole 1 million credentials. [Research Saturday]
1537
Nick Ascoli from ForeTrace in a partnership with PIXM sits down with Dave to provide insight on their team's work on "Phishing tactics: how a threat actor stole 1 million credentials in 4 months." During routine analysis, researchers discovered the connection between the pages using PIXM’s deep html analysis feature, which enabled them to view and analyze the underlying code on the pages after they were flagged as phishing. This led to the ensuing investigation, which was led by PIXM’s threat research team with assistance from Nick Ascoli. The research states "we uncovered a campaign whose scale has potentially impacted hundreds of millions of facebook users, and whose complexity offer insight into the evolving nature of phishing operations, especially from a technical perspective." The research can be found here: Phishing tactics: how a threat actor stole 1M credentials in 4 months
Aug 27, 2022
A Black Basta update. Okta talks Scatter Swine. Nobelium's MagicWeb. Wartime stress in the cyber underworld. LastPass security incident. CISA adds to its Known Exploited Vulnerabilities Catalog.
1649
Palo Alto describes the Black Basta ransomware-as-a-service operation. Okta on Scatter Swine, the threat actor that compromised Twilio. Microsoft describes Nobelium's new approach to establishing persistence. Russia's war against Ukraine has induced stresses in the cyber underworld. LastPass discloses a security incident. Josh Ray from Accenture on cyber crime and the cost-of-living crisis. Our own Dave Bittner sits down with Chris Handman from TerraTrue to discuss how he works to transform legal teams into advocates and collaborators that can ensure privacy is baked in every step of the way. And CISA adds ten entries to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/165 Selected reading. Threat Assessment: Black Basta Ransomware (Palo Alto Networks Unit 42) MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone (Microsoft Threat Intelligence Center) Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers (The Hacker News) Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass (ZDNET) Detecting Scatter Swine: Insights into a relentless phishing campaign (Okta Security) Twilio hackers hit over 130 orgs in massive Okta phishing attack (BleepingComputer) Twilio says breach also compromised Authy two-factor app users (TechCrunch) How the war in Ukraine is reshaping the dark web (New Statesman) Notice of Recent Security Incident (The LastPass Blog) LastPass Says Source Code Stolen in Data Breach (SecurityWeek) LastPass developer systems hacked to steal source code (BleepingComputer)
Aug 26, 2022
Notes from six months of hybrid war. Oktapus criminal campaign. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. US DHS shutters its Disinformation Governance Board.
1668
Ukrainian and Russian cyber operations at six months. Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. Chris Novak from Verizon on DHS Cyber Safety Review Board's report on the Log4j investigation that Verizon conducted. Dave Bittner sits down with our guest Dr. Scott Crowder, CTO and VP, Quantum Computing, Technical Strategy and Transformation for IBM Systems to discuss the increasingly urgent need for industries to prepare for security threats that quantum could unleash. And the US Department of Homeland Security shutters its Disinformation Governance Board. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/164 Selected reading. How Ukraine used Russia’s digital playbook against the Kremlin (POLITICO) Ukraine's volunteer 'IT army' responds to Russian hackers, minister says (ABC News)  Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave)  How Russia-Ukraine cyberwar is impacting orgs: Two-thirds say they have been targeted (VentureBeat) Twilio hackers breached over 130 organizations during months-long hacking spree (TechCrunch) Roasting 0ktapus: The phishing campaign going after Okta identity credentials (Group-IB) Bumblebee Malware Loader: Deep Instinct Prevents Attack Pre-Execution (Deep Instinct) Akamai’s Insights on DNS in Q2 2022 (Akamai) Following HSAC Recommendation, DHS terminates Disinformation Governance Board (US Department of Homeland Security) Homeland Security Scraps Disinformation Board Attacked by GOP (Bloomberg)
Aug 25, 2022
Ransomware attack hits a French hospital. Lessons for the fifth domain from six months of hybrid war. Deepfake scams have arrived. Threat actors prepare to exploit Hikvision camera vulnerability.
1696
A medical center near Paris comes under ransomware attack, and refuses to pay up. Lessons for the fifth domain from six months of hybrid war. Deepfake scams appear to have arrived. Deepen Desai from Zscaler with an introduction to our audience. Dave Bittner sits down with Gil Hoffer, CTO and Co-founder of Salto, to discuss "Who Hacked Slack?" And threat actors prepare to exploit a Hikvision camera vulnerability. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/163 Selected reading. Cyber attackers disrupt services at French hospital, demand $10 million ransom (France 24) French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer) DECLENCHEMENT DU PLAN BLANC DIMANCHE 21 AOUT 2022 (CHSF - Centre Hospitalier Sud Francilien) Ukraine at D+181: Independence Day and six months of war. (CyberWire) Six months, twenty-three lessons: What the world has learned from Russia's war in Ukraine (Atlantic Council) Hackers Used Deepfake of Binance CCO to Perform Exchange Listing Scams (Bitcoin News) Hackers Use Deepfakes of Binance Exec to Scam Multiple Crypto Projects (Gizmodo) Binance's CEO said thousands of people are falsely claiming to be his employees on LinkedIn. Experts warn it's an example of the platform's growing problem with fake accounts. (Business Insider) Twitter's Ex-Security Head Files Whistleblower Complaint (Wall Street Journal) Twitter is vulnerable to Russian and Chinese influence, whistleblower says (CNN) Over 80,000 exploitable Hikvision cameras exposed online (BleepingComputer) Experts warn of widespread exploitation involving Hikvision cameras (The Record by Recorded Future) Hikvision Surveillance Cameras Vulnerabilities (CYFIRMA)
Aug 24, 2022
Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Greek natural gas supplier under cyberattack. Updates on a hybrid war.
1712
Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Poland and Ukraine conclude cybersecurity agreement. Greek national natural gas supplier under criminal cyberattack. Update to the Joint Alert on Zimbra exploitation. Addition to CISA's Known Exploited Vulnerabilities Catalog. Johannes Ullrich from SANS on Control Plane vs. Data Plane vulnerabilities. Our guest is David Nosibor, Platform Solutions Lead for UL, to discuss SafeCyber Phase II. And, finally, targeting and trolling, with an excursus on Speedos. Really. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/162 Selected reading. New Iranian APT data extraction tool (Google) LockBit gang hit by DDoS attack after Entrust leaks (Register) Former security chief claims Twitter buried ‘egregious deficiencies’ (Washington Post) Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies (CNN) Twitter’s Ex-Security Head Files Whistleblower Complaint (Wall Street Journal) Deception, Bots, and Foreign Agents: The Twitter Whistleblower’s Biggest Allegations (Time) The Ministry of Digital Transformation, State Service of Special Communication and Information Protection and the Council of Ministers of the Republic of Poland signed Memorandum of understanding in the cybersecurity field. (State Service of Special Communication and Information Protection) Greek natural gas operator suffers ransomware-related data breach (BleepingComputer) Greek gas operator refuses to negotiate with ransomware group after attack (The Record by Recorded Future) Announcement | (DESF) Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA) US government really hopes you've patched your Zimbra server (Register) CISA Adds One Known Exploited Vulnerabilities to Catalog (CISA) Speedo-wearing Russian tourists leak defence secrets on Twitter (The Telegraph)
Aug 23, 2022
Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. And data-tampering attacks are regarded as a growing risk.
1336
Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. Rick Howard on the RSA Security breach of 2011 and the Equifax breach of 2017. Caleb Barlow on what a recession means for cybersecurity venture capital and what its impact on the industry is. And data-tampering attacks are regarded as a growing risk. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/161 Selected reading. WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware (BleepingComputer) Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads (Sucuri Blog) Car blast kills daughter of Russian known as 'Putin's brain' (AP NEWS) Russia blames Kyiv for killing daughter of ‘Putin’s Rasputin’, but the truth may be closer to home (The Telegraph) Alexander Dugin's daughter killed by anti-war Russians: Former state deputy (Newsweek) Estonia Repels Biggest Cyber-Attack Since 2007 (Infosecurity Magazine) Estonia's Battle Against a Deluge of DDoS Attacks (Infosecurity Magazine) Latvia Starts Removing Soviet Monument in Challenge to Russia (Bloomberg) Data-tampering attacks are a 'nightmare' threat that's hard to detect (Protocol)
Aug 22, 2022
Roya Gordon: Becoming a trailblazer. [Research] [Career Notes]
663
Roya Gordon, a Security Research Evangelist at ICS cybersecurity firm Nozomi Networks, started her career as an intelligence specialist in the U.S. Navy. After her time serving, Roya spent time as a Control Systems Cybersecurity Analyst at the Idaho National Laboratory and then took the role of Cyber Threat Intelligence Manager at Accenture. She shares her story after the NSA accepted her and then quickly diverted, creating a new path for Roya to follow. She shares the jobs she went after along the way, leading up to Nozomi Networks and how she wishes to be a trailblazer for young black women everywhere. She hopes to shape young women's minds on what the cybersecurity industry is actually like, in hopes that she can be a figure people look up to. We thank Roya for sharing her story.
Aug 21, 2022
Clipminer: Making millions off of malware. [Research Saturday]
1056
Dick O'Brien from Symantec, a part of Broadcom Software, joins Dave to discuss how the cyber-criminal operation, Clipminer Botnet, makes operators behind it at least $1.7 million. Symantec's research says "The malware being used, tracked as Trojan.Clipminer, has a number of similarities to another crypto-mining Trojan called KryptoCibule, suggesting it may be a copycat or evolution of that threat." Symantec determined that the malware has the ability to mine for cryptocurrency using compromised computers’ resources. They also share a way to protect against the cyber-criminal operation, as well as sharing some indicators you could be compromised. The research can be found here: Clipminer Botnet Makes Operators at Least $1.7 Million
Aug 20, 2022
Notes on the hybrid war. Criminal gang hits travel and hospitality sectors. Additions to CISA's Known Exploited Vulnerabilities Catalog. CISA issues five ICS security advisories.
1863
Killnet claims a DDoS campaign against Estonia. The head of GCHQ calls Russian cyber operations a failure. US Cyber Command concludes its "hunt forward" mission in cooperation with Croatia. A criminal gang targets the travel and hospitality sectors. Thomas Pace of NetRise shares insights on firmware vulnerabilities. Daniel Floyd from BlackCloak on Quantifying the Business Need for Digital Executive Protection. CISA issues five ICS security advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/160 Selected reading. Estonia says it repelled major cyber attack after removing Soviet monuments (Reuters) There’s a chance regular people didn’t even notice: expert on Russian cyber attack (TVP World)  Estonia says it repelled a major cyberattack claimed by Russian hackers. (New York Times) The head of GCHQ says Vladimir Putin is losing the information war in Ukraine (The Economist) Cyber Command deployed 'hunt forward' defenders to Croatia to help secure systems (The Record by Recorded Future) U.S. Cyber Command completes defensive cyber mission in Croatia (CyberScoop) You Can’t Audit Me: APT29 Continues Targeting Microsoft 365 (Mandiant) Reservations Requested: TA558 Targets Hospitality and Travel (Proofpoint) Cybercrime Group TA558 Ramps Up Email Attacks Against Hotels (Decipher) CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)  Siemens Linux-based Products (Update G) (CISA) Siemens Industrial Products LLDP (Update B) (CISA) Siemens OpenSSL Affected Industrial Products (CISA) Mitsubishi Electric MELSEC Q and L Series (CISA) Mitsubishi Electric GT SoftGOT2000 (CISA)
Aug 19, 2022
BlackByte’s back, as BlackByte 2.0. Iranian cyber ops against Israel. Wipers and cyberespionage as tools in Russia’s hybrid war. Cyber war clauses coming to cyber insurance policies.
1783
BlackByte is back. Iran suspected of cyber operations against four Israeli sectors. A look at wipers as a tool in hybrid war. A Russian cyber ops scorecard. Josh Ray from Accenture on how dark web actors are focusing on VPNs. Our guest is Corey Nachreiner from WatchGuard with findings of their latest Internet Security Report. Cyber war clauses coming to cyber insurance policies. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/159 Selected reading. BlackByte ransomware gang is back with new extortion tactics (BleepingComputer)  Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant (Mandiant) Russia-Ukraine cyberwar creates new malware threats  (VentureBeat) Global Threat Landscape Report: A Semiannual Report by FortiGuard Labs (Fortinet)  Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave SpiderLabs) Lloyd’s sets requirements for state-backed cyber attack exclusions (Insurance Day)
Aug 18, 2022
Cyber incidents and lessons from Russia's hybrid war. Zimbra vulnerabilities exploited. New Lazarus Group activity reported. ICS security advisories. Insider trading charges from 2017 Equifax breach.
1595
A DDoS attack against a Ukrainian nuclear power provider. The US Army draws some lessons from the cyber phases of Russia's hybrid war. Vulnerabilities in Zimbra are undergoing widespread exploitation. Reports of new Lazarus Group activity. CISA releases eight ICS security advisories. Carole Theriault looks at scammers and cryptocurrencies. Our guest is Jennifer Reed from Aviatrix on the changing landscape of cloud security. And the SEC charges three with insider trading during the 2017 Equifax breach. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/158 Selected reading. Ukrainian Nuclear Operator Accuses Russians Hackers Of Attacking Its Website (RadioFreeEurope/RadioLiberty) Ukraine nuclear power company says Russia attacked website (Al Jazeera) Ukraine Nuclear Operator Reports Cyberattack on Its Website (The Defense Post) How electronic warfare is reshaping the war between Russia and Ukraine (The Record by Recorded Future) Army lesson from Ukraine war: cyber, EW capabilities not decisive on their own (FedScoop) Learning from Ukraine, Army cyber schoolhouse focuses on electromagnetic spectrum (Breaking Defense) Cyber and full-spectrum operations push the Great Power conflict left of boom (Breaking Defense) Microsoft Exchange alternative Zimbra is getting widely exploited, 1000s hit (The Stack) CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suit (CyberWire) Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA) A signed Mac executable… (ESET) Yokogawa CENTUM Controller FCS (CISA) LS ELECTRIC PLC and XG5000 (CISA) Delta Industrial Automation DRAS (CISA) Softing Secure Integration Server (CISA) B&R Industrial Automation Automation Studio 4 (CISA) Emerson Proficy Machine Edition (CISA) Sequi PortBloque S (CISA) Siemens Industrial Products with OPC UA (CISA) U.S. SEC charges 3 people with insider trading tied to Equifax hack (Reuters) SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement (US Securities and Exchange Commission)
Aug 17, 2022
CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suite. [CISA Cybersecurity Alerts]
151
CISA and the Multi-State Information Sharing & Analysis Center, or MS-ISAC, are publishing this joint Cybersecurity Advisory in response to active exploitation of multiple Common Vulnerabilities and Exposures against Zimbra Collaboration Suite, an enterprise cloud-hosted collaboration software and email platform. AA22-228A Alert, Technical Details, and Mitigations Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 Hackers are actively exploiting password-stealing flaw in Zimbra CISA adds Zimbra email vulnerability to its exploited vulnerabilities catal… CVE-2022-27925 detail Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925 CVE-2022-37042 detail Authentication bypass in MailboxImportServlet vulnerability CVE-2022-30333 detail UnRAR vulnerability exploited in the wild, likely against Zimbra servers Zimbra Collaboration Kepler 9.0.0 patch 25 GA release Zimbra UnRAR path traversal Operation EmailThief: Active exploitation of zero-day XSS vulnerability in… Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15 All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Aug 17, 2022
Russian cyberespionage and influence op disrupted. RedAlpha versus Chinese minorities and (of course) Taiwan. Evil PLC proof-of-concept. Cl0p takes a poke at a water utility.
1639
Microsoft identifies and disrupts Russian cyberespionage activity. An update on RedAlpha. An evil PLC proof-of-concept shows how programmable logic controllers could be "weaponized." Ben Yelin has an update on right to repair. Our guest is Arthur Lozinski of Oomnitza with a look at attack surface management maturity. And the Cl0p gang hits an English water utility (but tries to extort the wrong one; stuff happens, y’know?). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/157 Selected reading. Disrupting SEABORGIUM’s ongoing phishing operations (Microsoft Security) Microsoft disrupts Russian-linked hackers targeting NATO countries (Breaking Defense) Microsoft Announces Disruption of Russian Espionage APT (SecurityWeek) Microsoft disrupts Russia-linked hacking group targeting defense and intelligence orgs (The Record by Recorded Future) Microsoft shuts down accounts linked to Russian spies (Register) RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations (Recorded Future) Hackers linked to China have been targeting human rights groups for years (MIT Technology Review) Evil PLC Attack: Using a Controller as Predator Rather than Prey (Claroty) Hackers attack UK water supplier but extort wrong victim (BleepingComputer) South Staffordshire Water victim of cyber attack, customers not at risk (Computing) South Staffordshire Water says it was target of cyber attack as criminals bungle extortion attempt (Sky News)
Aug 16, 2022
Shuckworm and Killnet continue to hack in the interest of Russia. Iron Tiger's supply chain campaign. TikTok and national security. And an arrest in the case of the Tornado Cash crypto mixer.
1571
Shuckworm maintains its focus on Ukrainian targets. Killnet's DDoS and dubious proof-of-work. Iron Tiger's supply chain campaign. TikTok and national security. Dinah Davis from Arctic Wolf shares insights on Dark Utilities. Rick Howard digs into identity management. And an arrest in the case of the Tornado Cash crypto mixer. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/156 Selected reading. Shuckworm: Russia-Linked Group Maintains Ukraine Focus (Symantec) Killnet Releases 'Proof' of its Attack Against Lockheed Martin (SecurityWeek) Killnet attacks the Latvian parliament (Tagesspiegel) Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (Trend Micro) How Frustration Over TikTok Has Mounted in Washington (New York Times) 3 ways China's access to TikTok data is a security risk (CSO Online) Arrest of suspected developer of Tornado Cash (FIOD) Tornado Cash Developer Arrested After U.S. Sanctions the Cryptocurrency Mixer (The Hacker News) Arrested Tornado Cash developer is Alexey Pertsev, his wife confirms (The Block)
Aug 15, 2022
Christian Lees: it's not always textbook. [CTO] [Career Notes]
563
Christian Lees, CTO at Resecurity, shares his story and insight on coming into the cybersecurity world. He considers himself a late bloomer because he did not go to college until he was 23. He wasn’t sure of what he wanted to do, and a family friend gave him a computer and the rest was history, he says. He fell in love with computers and started working at different companies trying to get ahead. He says it's not always textbook, and sometimes you just need to cut your teeth on something to get where you're going. Throughout his journey, he was constantly questioning whether he made the right decision, and in the end he says you have to be willing to "define friction points in it, you may join security field, not knowing what you're gonna do, but by being that curious person and breaking things and putting it back together, you'll find the right way and just never stop being curious." We thank Christian for sharing his story.
Aug 14, 2022
Red teamer's perspective on demotivating attackers. [CyberWire-X]
1584
Cybercriminals are motivated by one simple incentive: money. Their favorite tools are bots, which give them sophistication, scalability, and ease of use. The effect is the creation of an underground bot ecosystem. This community allows threat actors to work together and continually improve their tactics, and to sell bypasses for rule-based anti-bot solutions to other, less technical fraudsters. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Etay Maor, Cato Networks’ Senior Director of Security Strategy. They discuss this reality, which has put defenders at a serious disadvantage, and the mitigation steps to consider for future attacks. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor, Kasada founder Sam Crowther, about what he saw first-hand as a red teamer at a major Australian bank and what inspired him to reimagine bot mitigation with the founding principle of undermining the attacker’s ROI.
Aug 14, 2022
Fake job ads and how to spot them. [Research Saturday]
1163
Ashley Taylor from SANS.edu joins Dave to discuss fake job ads and methods to proactively detect these scams. The research shows how job seekers are under attack, with scammers posing as fake job recruiters to steal information from people who are interested in the job posting. The brands being impersonated are at risk of losing credibility and damaging their brand identity. The research shares exactly how these doppelgängers pose a threat to job seekers and the best practices for detecting these scams. It also describes how one company in the medical device manufacturing industry has been a target of these scams. It concludes with some of the ways to proactively spot these scams before they happen. The research can be found here: Doppelgängers: Finding Job Scammers Who Steal Brand Identities
Aug 13, 2022
The optempo of a hybrid war's cyber phase. Hacktivists as cyber partisans. Zeppelin ransomware alert. DoNot Team update. Rewards for Justice offers $10 million for info on Russian bad actors.
1664
The optempo of the war's cyber phase, and Ukraine’s response. Organizing and equipping hacktivists. Joint warning on Zeppelin ransomware. Update on the DoNot Team, APT-C-35. Rewards for Justice offers $10 million for information on Conti operators. Rob Boyce from Accenture shares insights from BlackHat. Caleb Barlow ponders closing the skills gap while shifting to remote work. And, hey, Mr. Target: pick one, OK? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/155 Selected reading. Black Hat 2022‑ Cyberdefense in a global threats era (WeLiveSecurity) How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future) #StopRansomware: Zeppelin Ransomware (CISA) APT-C-35: New Windows Framework Revealed (Morphisec) The US Offers a $10M Bounty for Intel on Conti Ransomware Gang (Wired)
Aug 12, 2022
CISA Alert AA22-223A – #StopRansomware: Zeppelin Ransomware. [CISA Cybersecurity Alerts]
196
Zeppelin ransomware functions as a ransomware-as-a-service (RaaS), and since 2019, actors have used this malware to target a wide range of businesses and critical infrastructure organizations. Actors use remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing campaigns to gain initial access to victim networks and then deploy Zeppelin ransomware to encrypt victims’ files. AA22-223A Alert, Technical Details, and Mitigations Zeppelin malware YARA signature What is Zeppelin Ransomware? Steps to Prepare, Respond, and Prevent Infection Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed TTPs and IOCs to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Aug 11, 2022
Dispatches from a hybrid war. CISA releases its election cybersecurity toolkit. Post-incident disruption at NHS is expected to last at least three weeks. Cisco discloses a security incident.
1670
KillMilk says his crew downed Lockheed Martin's website. Industroyer2, and what became of it. CISA releases its election cybersecurity toolkit. Post-incident disruption at Britain’s NHS. Carl Wright of AttackIQ shares strategies for CISOs to successfully prepare for the next attack. Dr. Christopher Pierson from Blackcloak joins us from Black Hat. And Cisco seems to have thwarted a security incident. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/154 Selected reading. Russian hacking group claims attack on Lockheed Martin (SiliconANGLE) HIMARS-Maker Lockheed Martin "confident" against Russian hackers (Newsweek) Industroyer2: How Ukraine avoided another blackout attack (SearchSecurity) Researchers Look Inside Russian Malware Targeting Ukrainian Power Grid (PCMAG) CISA Releases Toolkit of Free Cybersecurity Resources for Election Community (CISA) Cybersecurity Toolkit to Protect Elections (CISA) NHS staff told to plan for three weeks of disruption following cyberattack (Computing) Major NHS IT outage to last for three weeks (The Independent) Exclusive: NHS chiefs fear cyber attackers have accessed patient data (Health Service Journal) Cisco Event Response: Corporate Network Security Incident (Cisco) Cisco Talos shares insights related to recent cyber attack on Cisco (Cisco Talos) Cisco confirms May attack by Yanluowang ransomware group (The Record by Recorded Future) Cisco Hit by Cyberattack From Hacker Linked to Lapsus$ Gang (Bloomberg) Cisco's own network compromised by gang with Lapsus$ links (Register) Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (BleepingComputer)
Aug 11, 2022
Patches, and some incentive to apply them. Hacktivism, privateering, and patriotic banditry in Russia’s hybrid war.
2037
Patch notes, and the risks associated with failure to patch. Finland's parliament comes under cyberattack. Killnet says there will be blood, but they may just be grandstanding for the home crowd. Cyberattacks against a UK firm that's criticized Russia's war. We’re joined by FBI Cyber Division AD Bryan Vorndran and Adam Hickey, deputy assistant attorney general for the National Security Division, with an introduction to Watchguard. Our guest is Matthew Warner from Blumira with tips on avoiding burnout. And not all criminal organizations are working for Russia. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/153 Selected reading. Already Exploited Zero-Day Headlines Microsoft Patch Tuesday (SecurityWeek) Microsoft August 2022 Patch Tuesday fixes exploited zero-day, 121 flaws (BleepingComputer) IBM Patches High-Severity Vulnerabilities in Cloud, Voice, Security Products (SecurityWeek) Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader (SecurityWeek) ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities (SecurityWeek) VMSA-2022-0022 (VMware) Emerson OpenBSI (CISA) Emerson ControlWave (CISA) Mitsubishi Electric GT SoftGOT2000 (CISA) Multiple attackers increase pressure on victims, complicate incident response (Sophos News) Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities (Fortinet Blog) NBI launches probe into attack on Finnish Parliament site (Yle) Russian hacker warns cyberwarfare will turn deadly (Newsweek) Suspected Russian cyber attack on British soil as firm subjected to ‘daily’ hacks (The Telegraph) Meet DUMPS Forum: A pro-Ukraine, anti-Russia cybercriminal forum | Digital Shadows (Digital Shadows)
Aug 10, 2022
Cyberespionage against belligerents' industry. Tornado Cash sanctions. Data breaches at Twilio and Klaviyo. Intercept tools and policies in Canada.
1738
Tracking apparent Chinese industrial cyberespionage. Tornado Cash sanctions. Twilio discloses a breach. Social engineering exposes data at Klaviyo. Microsoft’s Ann Johnson previews the latest season of Afternoon Cyber Tea. Joe Carrigan tracks the growth in cryptojacking. And what might the Mounties be monitoring? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/152 Selected reading. Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China (SecurityWeek) China-linked spies used six backdoors to steal defense info (Register) U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash (U.S. Department of the Treasury) Twilio hacked by phishing campaign (TechCrunch) Twilio, a texting platform popular with political campaigns, reports breach (CyberScoop) Incident Report: Employee and Customer Account Compromise - August 4, 2022 (Twilio Blog) Email marketing firm hacked to steal crypto-focused mailing lists (BleepingComputer) RCMP has used spyware to access targets’ communications as far back as 2002: Senior Mountie (Global News) RCMP says it has not used Pegasus spyware (POLITICO)
Aug 09, 2022
Cybersecurity is a team sport. [CyberWire-X]
1994
In order to run a successful SOC, security leaders rely on tools with different strengths to create layers of defense. This has led to a highly siloed industry with over 2,000 vendors, each with its own specific function, that very seldom work together. To gain an advantage on attackers, we need to start seeing cybersecurity as a team sport, united for a shared mission. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by two Hash Table members, Ted Wagner, CISO at SAP National Security Services, and Jenn Reed, CISO at Aviatrix. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor ExtraHop's Senior Product Marketing Manager, Chase Snyder, and CrowdStrike's Head of Product Marketing, Janani Nagarajan. They discuss why and how vendors should work together to enable better integrated security for their customers. They’ll answer questions like “what is XDR?” and “how do I get my vendors to work together?”
Aug 09, 2022
Wipers, tak; grid takedown, nyet. Twitter 0-day exploited before patching. NHS 111 recovering from cyberattack. Notes on the C2C underworld.
1590
Shifting cyber threats during Russia's war against Ukraine. A Twitter exploit may have compromised more than 5 million accounts. A cyberattack disrupts NHS 111. Developments in the C2C market. An alleged Russian cryptocurrency exchange operator is extradited to the US. Rick Howard looks at FinTech. Andrea Little Limbago from Interos on industrial policy and the tech divide. And a crypto mixing service has been sanctioned by the US Treasury Department. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/151 Selected reading. ESET Threat Report T1 2022 (WeLiveSecurity) Twitter confirms zero-day used to expose data of 5.4 million accounts (BleepingComputer) NHS 111 software outage confirmed as cyber-attack (BBC News) Ministers coordinate response after cyber-attack hits NHS 111 (the Guardian) Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (BleepingComputer) Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns (Cisco Talos) Genesis Brings Polish to Stolen-Credential Marketplaces (Sophos) Cyber-related Designation (U.S. Department of the Treasury) U.S. imposes sanctions on virtual currency mixer Tornado Cash (Reuters) Crypto Mixing Service Tornado Cash Blacklisted by US Treasury (CoinDesk) Alleged Russian Cryptocurrency Money Launderer Extradited to United States (US Department of Justice) Russian accused of money laundering and running $4B bitcoin exchange extradited to US | CNN Politics (CNN)
Aug 08, 2022
Anna Belak: Acquiring skills to make you into a unicorn. [Thought Leadership] [Career Notes]
593
Anna Belak, Director of Thought Leadership at Sysdig, shares her story from physics to cyber. Anna explains how she went into college intending to get a physics degree and then, for her PhD, decided to switch to materials science and engineering. Neither was something she enjoyed, and she ultimately decided to go into cyber. She shares some advice on never limiting yourself to your degree, always learning new skills, and honing the skills you already have. She says that by doing these things you will make yourself into a unicorn: if you are good at one thing and teach yourself to be good at something else, you become that much more valuable. Anna hopes she makes an impact on the people she works with, and that they will want to work with her even long after she leaves a company. We thank Anna for sharing her story.
Aug 07, 2022
Iran-linked Lyceum Group adds a new weapon to its arsenal. [Research Saturday]
1018
Deepen Desai from Zscaler's ThreatLabz joins Dave to discuss how APTs like the Lyceum Group develop tactics and malware to carry out attacks against their targets. The Lyceum Group has been active since 2017 and is a state-sponsored Iranian APT group. It targets Middle Eastern organizations, most notably in the energy and telecommunication sectors, and relies heavily on .NET-based malware. Zscaler said in their research they "recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET based malware targeting the Middle East by copying the underlying code from an open source tool." They go on to give an analysis explaining why the .NET-based DNS backdoor is causing problems. The research can be found here: Lyceum .NET DNS Backdoor
Aug 06, 2022
CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. CISA and ACSC issue a joint advisory on top malware strains.
1765
CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. Andy Robbins of SpecterOps discusses attack paths in Azure. Denis O'Shea of Mobile Mentor talks about the intersection of endpoint security and employee experience. CISA and ACSC issue a joint advisory on top malware strains. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/150 Selected reading. Quarterly Adversarial Threat Report (Meta) Meta took down Russian troll farm that supported country’s invasion of Ukraine (The Hill) Russia's Infamous Troll Farm Is Back -- and Sh*tting the Bed (Rolling Stone) Meta’s threat report highlights clumsy attempt to manipulate Ukraine discourse (TechCrunch) Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations (Mandiant) CISA Alert AA22-216A – 2021 top malware strains. (The CyberWire) 2021 Top Malware Strains (CISA) Digi ConnectPort X2D (CISA) Cisco Releases Security Updates for RV Series Routers (CISA)
Aug 05, 2022
Ukraine claims to have taken down a massive Russian bot farm. Were Russian cyber operations premature? Report: Emergency Alert System vulnerable to hijacking. And more crypto looting.
1663
Ukraine claims to have taken down a massive Russian bot farm. Russian cyber operations may have been premature. A report says Emergency Alert Systems might be vulnerable to hijacking. The Mirai botnet may have a descendant. Adam Flatley from Redacted with a look back at NotPetya. Ryan Windham from Imperva takes on Bad Bots. Attacks on a cryptocurrency exchange attempt to bypass 2FA. Solana cryptocurrency wallets looted. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/149 Selected reading. Ukraine takes down 1,000,000 bots used for disinformation (BleepingComputer) Did Russia mess up its cyberwar with Ukraine before it even invaded? (Washington Post)  So RapperBot, What Ya Bruting For? (Fortinet Blog) Gaming Respawned (Akamai) Coinbase Attacks Bypass 2FA (Pixm Anti-Phishing) Thousands of Solana wallets drained in multimillion-dollar exploit (TechCrunch) Thousands of Solana Wallets Hacked in Crypto Cyberattack (Wall Street Journal)  Solana, USDC Drained From Wallets in Attack (Decrypt)  Ongoing solana attack targets thousands of crypto wallets, costing users more than $5 million so far (CNBC)  Solana and Slope Confirm Wallet Security Breach (Crypto Briefing) How Hackers Target Bridges Between Blockchains for Crypto Heists (Wall Street Journal)
Aug 04, 2022
CISA Alert AA22-216A – 2021 top malware strains. [CISA Cybersecurity Alerts]
198
This joint Cybersecurity Advisory was coauthored by CISA and the Australian Cyber Security Centre, or ACSC. This advisory provides details on the top malware strains observed in 2021. AA22-216A Alert, Technical Details, and Mitigations For alerts on malicious and criminal cyber activity, see the FBI Internet Crime Complaint Center webpage. For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, U.S. Government webpage providing ransomware resources and alerts. The ACSC recommends organizations implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a cybersecurity baseline. These strategies, known as the “Essential Eight,” make it much harder for adversaries to compromise systems. Refer to the ACSC’s practical guides on how to protect yourself against ransomware attacks and what to do if you are held to ransom at cyber.gov.au. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Aug 04, 2022
Tories delay leadership vote over security concerns. Cyber phases of Russia’s hybrid war. Chinese patriotic hacktivism vs. Taiwan. Malware designed to abuse trust. Putting a price on your privacy.
1841
Tories delay a leadership vote over security concerns. A summary of the cyber phases of the hybrid war. Cyberattacks affect three official sites in Taiwan. Malware designed to abuse trust. Gunter Ollmann of Devo discusses how cybercriminals are winning the AI race. Renuka Nadkarni of Aryaka explains how enterprises can recession-proof their security architecture. Plus, putting a price on your privacy. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/148 Selected reading. Tory leadership vote delayed after GCHQ hacking alert (The Telegraph)  Nozomi Networks Labs Report: Wipers and IoT Botnets Dominate the Threat Landscape – Manufacturing and Energy at Highest Risk (Nozomi Networks)  Those Pelosi-inspired cyberattacks in Taiwan probably weren't all they were cracked up to be (Washington Post) Increase in Chinese "Hacktivism" Attacks (SANS Internet Storm Center) Cyberattacks crashed several Taiwanese government websites hours before Pelosi’s visit. (New York Times) Taiwan presidential office website hit by cyberattack ahead of Pelosi visit (POLITICO)  Taiwanese government sites disrupted by hackers ahead of Pelosi trip (The Record by Recorded Future) Deception at a scale (VirusTotal) The Price Cybercriminals Charge for Stolen Data (SpiderLabs Blog)
Aug 03, 2022
Nomad cryptocurrency bridge looted. BlackCat ransomware hits European energy company. DSIRF disputes Microsoft's report on cyber mercenaries. Are there spies under Mr. Putin’s long table?
1719
Nomad cryptocurrency bridge is looted. The BlackCat ransomware gang hits a Luxembourgeois energy company. DSIRF disputes Microsoft's characterization of the Austrian firm as cyber mercenaries. Ben Yelin looks at privacy concerns in the education software market. Our guest is PJ Kirner from Illumio to discuss Zero Trust Segmentation. And, finally, are there spies under Mr. Putin’s very very long table? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/147 Selected reading. Crypto Firm Nomad Loses Nearly $200 Million in Bridge Hack (Bloomberg)  Crypto Bridge Nomad Drained of Nearly $200M in Exploit (CoinDesk) Nomad token bridge drained of $190M in funds in security exploit (Cointelegraph)  Nomad token bridge hacked in nearly $200 million exploit (mint)  BlackCat ransomware gang hits Luxembourg energy supplier Creos (Computing) Luxembourg energy provider Encevo Group battles ransomware attack by BlackCat (Tech Monitor) BlackCat ransomware claims attack on European gas pipeline (BleepingComputer) Luxembourg energy companies struggling with alleged ransomware attack, data breach (The Record by Recorded Future) Austrian spy firm accused by Microsoft says hacking tool was for EU states (Reuters) Dilyana Gaytandzhieva: Putin’s Elite Inner Circle Infiltrated By Nato Informants (SouthFront) GEC Special Report: Pillars of Russia’s Disinformation and Propaganda Ecosystem (US Department of State)
Aug 02, 2022
KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp.
1715
KillNet threatens hack-and-leak op against HIMARS maker. Online investment scams hit Europe. Microsoft associates Raspberry Robin with EvilCorp. Rick Howard previews season ten of the CSO Perspectives podcast. Our guest is Nate Kharrl of SpecTrust on deploying fraud detection at the gateway. And a heartfelt farewell to a woman whose inspiration lives on. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/146 Selected reading. Cyberactivist Group Killnet Declares War on Lockheed Martin (Sputnik) Russian Hackers Target U.S. HIMARS Maker in 'New Type of Attack': Report (Newsweek) Founder of pro-Russian hacktivist Killnet quitting group (SC Magazine)  Huge network of 11,000 fake investment sites targets Europe (BleepingComputer) Microsoft links Raspberry Robin malware to Evil Corp attacks (BleepingComputer)  Microsoft ties novel ‘Raspberry Robin’ malware to Evil Corp cybercrime syndicate (The Record by Recorded Future) FakeUpdates malware delivered via Raspberry Robin has possible ties to EvilCorp (SC Magazine) Ransomware-as-a-service: Understanding the cybercrime gig economy and how to protect yourself (Microsoft Security) Australia charges dev of Imminent Monitor RAT used by domestic abusers (BleepingComputer)  Brisbane teenager built spyware used by domestic violence perpetrators across world, police allege (the Guardian)
Aug 01, 2022
Larry Cashdollar: Always learning new technology. [Intelligence response engineer] [Career Notes]
529
Larry Cashdollar, Principal Security Intelligence Response Engineer at Akamai Technologies, sits down with Dave Bittner to discuss his life leading up to working at Akamai. He shares his story from his beginnings to now, describing what college life was like as a young computer enthusiast. He says "If you look at my 1986 yearbook, I think it was my sixth grade class, it says computer scientist for my career path. So I had a love of computers when I was really young. I guess I knew what field I wanted to get into right off the bat." He describes different career paths that all led him to his current position. He also shares his love for computers and technology through the decades of his youth, and how he is learning, even now. We thank Larry for sharing his story.
Jul 31, 2022
What malicious campaign is lurking under the surface? [Research Saturday]
1368
Israel Barak, CISO from Cybereason, sits down with Dave to discuss their research, "Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation." Cybereason researchers recently found an attack lurking beneath the surface which they assessed to be the work of the Chinese APT Winnti. Cybereason briefed the FBI and the DOJ on the investigation into the malicious campaign. The research states, "For years, the campaign had operated undetected, siphoning intellectual property and sensitive data." The team published two reports on the campaign: one examines the tactics and techniques, and the second gives a detailed analysis of the malware and exploits used. The research can be found here: Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation
Jul 30, 2022
Hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Notes on the C2C market. Rewards for Justice seeks some righteous snitches.
1678
Anonymous's hacktivism in a hybrid war. Pyongyang's [un]H0lyGh0st. Phishing in the IPFS. Update on the initial access criminal-to-criminal market and its effect on MSPs. Cyber gangs move away from malicious macros. Thomas Etheridge from CrowdStrike on managed detection and response. Rick Howard sits down with Art Poghosyan from Britive to discuss DevSecOps and Identity Management. And Rewards for Justice seeks some righteous snitches. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/145 Selected reading. Putin 'embarrassed' as hackers launch cyber war on Russian President over Ukraine invasion (Express.co.uk) Is Anonymous Rewriting the Rules of Cyberwarfare? Timeline of Their Attacks Against the Russian Government (Website Planet)  HolyGhost’s Bargain Basement Approach To Ransomware (Digital Shadows) IPFS: The New Hotbed of Phishing (Trustwave) Threat Advisory: Hackers Are Selling Access to MSPs (Huntress) We’re currently monitoring a situation that entails a hacker selling access to an MSP with access to 50+ customers, totaling 1,000+ servers. Experts warn of hacker claiming access to 50 U.S. companies through breached MSP (The Record by Recorded Future) How Threat Actors Are Adapting to a Post-Macro World (Proofpoint) Rewards for Justice – Reward Offer for Information on Russian Interference in U.S. Elections (United States Department of State)
Jul 29, 2022
SSSCIP and CISA sign memorandum of cooperation. Tailored security services, or just hired guns? Bringing PSOAs to heel. More credential-harvesting.
1486
SSSCIP and CISA sign a memorandum of cooperation. Are private-sector offensive actors tailored security services, or are they just hired guns? Bringing cyber mercenaries to heel. Malek Ben Salem from Accenture on why crisis management is at the heart of ransomware resilience. Our guest is Derek Manky from Fortinet on the World Economic Forum Partnership Against Cybercrime. And more credential-harvesting scams are out in the wild. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/144 Selected reading. United States and Ukraine Expand Cooperation on Cybersecurity (CISA) US, Ukraine sign pact to expand cooperation in cyberspace (The Hill) Untangling KNOTWEED: European private-sector offensive actor using 0-day exploits (Microsoft Security) Continuing the fight against private sector cyberweapons (Microsoft On the Issues) Experts Urge Congress to Pressure Commercial Spyware Vendors (Decipher) Mirroring Actual Landing Pages for Convincing Credential Harvesting (Avanan)
Jul 28, 2022
The cost of a data breach as an economic drag. Personal apps as a potential business risk. Why so little ransomware in Ukraine? Employee engagement study reaches predictably glum conclusions.
1578
IBM reports on the cost of a data breach. Personal apps as a potential business risk. Over on the dark side, there’s help wanted in the C2C labor market. An employee engagement study reaches predictably glum conclusions. Betsy Carmelite from Booz Allen Hamilton on reducing software supply chain risks with SBOMs. Our guest is Elaine Lee from Mimecast discussing the pros and cons of AI in cybersecurity. And why so much attempted DDoS, but not so much ransomware? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/143 Selected reading. IBM Report: Consumers Pay the Price as Data Breach Costs Reach All-Time High (IBM Newsroom) Cost of a Data Breach Report 2022 (IBM Security) Netskope Threat Research: Data Sprawl Creating Risk for Organizations Worldwide as Personal App Use in Business Continues to Rise (PR Newswire) Financial Incentives May Explain the Perceived Lack of Ransomware in Russia’s Latest Assault on Ukraine (Council on Foreign Relations) Tessian | 1 in 3 Employees Do Not Understand the Importance of Cybersecurity at Work, According to New Report (RealWire)
Jul 27, 2022
LockBit gets an upgrade. CosmicStrand UEFI firmware rootkit. Treating thieves like white hats? Most-impersonated brands. AV-Test's Twitter account is hijacked. The cyber phase of a hybrid war.
1621
LockBit gets an upgrade. CosmicStrand firmware rootkit is out in a new and improved version. Are thieves being treated like white hats? AV-Test's Twitter account is hijacked. Joe Carrigan considers the mental health effects of the online scam economy. Mr. Security Answer Person John Pescatore ponders the cybersecurity talent gap. And ongoing speculation on the cyber phase of the hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/142 Selected reading. LockBit Ransomware Group Augments Its Latest Variant, LockBit 3.0, With BlackMatter Capabilities (Trend Micro) CosmicStrand: the discovery of a sophisticated UEFI firmware rootkit (Securelist) Crypto Firms Make Thieving Hackers an Offer: Keep a Little, Give Back the Rest (Wall Street Journal) Phishers’ Favorites Top 25, H1 2022: Microsoft Is the Most Impersonated Brand in Phishing Attacks (Vade Secure) Testing times for AV-Test as Twitter account hijacked by NFT spammers (Graham Cluley) Ukraine fall-out and new ransomware tactics elevate cyber risks (Strategic Risk Europe) Ed’s note: The Ukrainian-Russian cyber war no one speaks about (Smart Energy)
Jul 26, 2022
The minor mystery of GPS-jamming. Twitter investigates apparent data breach. Ransomware C2 staging discovered. A C2C offering restricted to potential privateers.
1664
The minor mystery of GPS-jamming. Twitter investigates an apparent data breach. Ransomware command and control staging is discovered. Andrea Little Limbago from Interos looks at the intersection of social sciences and cyber. Our guest is Nelly Porter from Google Cloud on the emerging idea of confidential computing. A C2C offering restricted to potential privateers. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/141 Selected reading. Why Isn’t Russia jamming GPS harder in Ukraine? (C4ISRNet) Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k (9to5Mac) Twitter investigating authenticity of 5.4 million accounts for sale on hacking forum (The Record by Recorded Future) Russian Ransomware C2 Network Discovered in Censys Data (Censys) Researcher finds Russia-based ransomware network with foothold in U.S. (The Record by Recorded Future) New Cross-Platform 'Luna' Ransomware Only Offered to Russian Affiliates (SecurityWeek) 
Jul 25, 2022
Mary Writz: Take a negative and make it into a positive. [VP Product Strategy] [Career Notes]
481
Mary Writz, Vice President of Product Strategy at ForgeRock, shares how each career path she has taken has led her to where she is now. Mary describes how she has been a woman working in a male dominated field for most of her career and how she had to take charge, and she had to get the men to take charge with her. She says "I was often leading people, mostly men older than me, potentially smarter than me, more well paid than me. So I had to learn how to think about galvanizing this group to charge forward with me, even though I was a bit of a minority in that way." She also states that she tells herself to always make a positive out of a negative by showing people how you can respond to what's happening with a lot of energy, focus, and care and that's what got her to where she is today.
Jul 24, 2022
The great overcorrection: shifting left probably left you vulnerable. Here’s how you can make it right. [CyberWire-X]
1618
Shifting left has been a buzzword in the application security space for several years now, and with good reason: making security an integral part of development is the only practical approach for modern agile workflows. But in their drive to build security testing into development as early as possible, many organizations are neglecting application security in later phases and losing sight of the big picture. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, talks with two Hash Table members, Centene’s VP and CISO for Healthcare Enterprises, Rick Doten, and Akamai’s Advisory CISO, Steve Winterfeld. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Invicti’s Chief Product Officer, Sonali Shah. They discuss the challenges and misunderstandings around shifting left, and provide tips on how organizations can implement a web application security program without tradeoffs throughout the whole application security lifecycle.
Jul 24, 2022
Has GOLD SOUTHFIELD resumed operations? [Research Saturday]
1339
Rob Pantazopoulos from Secureworks, joins Dave to discuss their work on "REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence." Secureworks researchers published a new analysis on what can be considered the ‘first’ set of ransomware samples associated with the reemergence. These updated samples indicate that GOLD SOUTHFIELD has resumed operations. The research states "The identification of multiple samples containing different modifications and the lack of an official new version indicate that REvil is under active development." Researchers identified two samples, one in October of 2021, and the other in March of 2022. The March sample has modifications that lead researchers to distinguish the two samples from one another. The research can be found here: REvil Development Adds Confidence About GOLD SOUTHFIELD Reemergence
Jul 23, 2022
Espionage and counterespionage during the hybrid war. Assessing Russian cyberops. Conti's fate. Investigating cut Internet cables in France. Trends in “pig-butchering.”
1756
Traditional espionage and counterespionage during the hybrid war. Assessing Russian cyberattacks. Conti's fate and effects. Investigating cut Internet cables in France. My conversation with AD Bryan Vorndran of the FBI Cyber Division on the operation to remove Hafnium webshells. Our guest is Tom Kellermann of VMware to discuss the findings of their Modern Bank Heists report. And, finally, the dark online world of “pig-butchering.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/140 Selected reading. UK Spy Chief Sees Russia’s Military Running ‘Out of Steam’ Soon (Bloomberg) Exhausted Russian army gives Ukraine chance to strike back, says British spy chief (The Telegraph)  'Cut by half' Putin's masterplan backfires as 400 Russian spies thrown out of Europe (Express)  Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief (the Guardian)  MI6 chief: Russia’s spies ‘not having a great war’ in Ukraine (The Record by Recorded Future)  CIA chief says 15,000 Russians killed in war, dismisses Putin health rumors (Washington Post)  CIA Chief Says Russia’s Iran Drone Deal Shows Military Weakness (Bloomberg)  Ukraine confronts Kremlin infiltration threat at unreformed state bodies (Atlantic Council)  US seeking to understand Russia’s failure to project cyber power in Ukraine (Defense News) Battling Moscow's hackers prior to invasion gave Kyiv 'full dress rehearsal' for today's cyber warfare (CyberScoop) How Conti ransomware hacked and encrypted the Costa Rican government (BleepingComputer)  Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion (AdvIntel)  Conti Criminals Resurface as Splinter RaaS Groups  (Security Boulevard) The Unsolved Mystery Attack on Internet Cables in Paris (Wired)  Massive Losses Define Epidemic of ‘Pig Butchering’ (KrebsOnSecurity)
Jul 22, 2022
Notes on the underworld: emerging, enduring, and vanishing gangs, and their C2C markets. More spearphishing of Ukrainian targets. US CYBERCOM releases IOCs obtained from Ukrainian networks.
1794
A criminal talent broker emerges. Developing threats to financial institutions. Phishing through PayPal. Lessons to be learned from LAPSUS$, post-flameout. More spearphishing of Ukrainian targets. US Cyber Command releases IOCs obtained from Ukrainian networks. Johannes Ullrich from SANS on the value of keeping technology simple. Our guests are Carla Plummer and Akilah Tunsill from the organization Black Girls in Cyber. And not really honor, but honor’s self-interested first cousin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/139 Selected reading. Atlas Intelligence Group (A.I.G) – The Wrath of a Titan (Cyberint) 'AIG' Threat Group Launches With Unique Business Model (Dark Reading) Buy, Sell, Steal, EvilNum Targets Cryptocurrency, Forex, Commodities (Proofpoint) Sending Phishing Emails From PayPal (Avanan)  Brazen, Unsophisticated and Illogical: Understanding the LAPSUS$ Extortion Group (Tenable®) Evacuation and Humanitarian Documents used to Spear Phish Ukrainian Entities (Mandiant) Cyber National Mission Force discloses IOCs from Ukrainian networks (U.S. Cyber Command)  The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back (HP Wolf Security)
Jul 21, 2022
Cyber phases of Russia’s hybrid war seem mostly espionage. Belgium accuses China of spying. LockBit ransomware spreads. And Micodus GPS tracker vulnerabilities are real and unpatched.
1907
What’s Russia up to in cyberspace, nowadays? Belgium accuses China of cyberespionage. LockBit ransomware spreading through compromised servers. Malek Ben Salem from Accenture explains the Privacy Enhancing Technologies of Federated Learning with Differential Privacy guarantees. Rick Howard speaks with Rob Gurzeev from Cycognito on Data Exploitation. And Micodus GPS tracker vulnerabilities should motivate the user to turn the thing off. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/138 Selected reading. Continued cyber activity in Eastern Europe observed by TAG (Google) Declaration by the High Representative on behalf of the European Union on malicious cyber activities conducted by hackers and hacker groups in the context of Russia’s aggression against Ukraine (European Council) China: Declaration by the Minister for Foreign Affairs on behalf of the Belgian Government urging Chinese authorities to take action against malicious cyber activities undertaken by Chinese actors (Federal Public Service Foreign Affairs)  Déclaration du porte-parole de l'Ambassade de Chine en Belgique au sujet de la déclaration du gouvernement belge sur les cyberattaques (Embassy of the People's Republic of China in the Kingdom of Belgium) LockBit: Ransomware Puts Servers in the Crosshairs (Broadcom Software Blogs | Threat Intelligence) Critical Vulnerabilities Discovered in Popular Automotive GPS Tracking Device (MiCODUS MV720) (BitSight) CISA released Security Advisory on MiCODUS MV720 Global Positioning System (GPS) Tracker (CISA)
Jul 20, 2022
Espionage and cyberespionage. Albania's national IT networks work toward recovery. Malicious apps ejected from Google Play. White House summit addresses the cyber workforce. Notes on cybercrime.
1806
A Cozy Bear sighting. Shaking up Ukraine's intelligence services. Albania's national IT networks continue to work toward recovery. US Justice Department seizes $500k from DPRK threat actors. The FBI warns of apps designed to defraud cryptocurrency speculators. A White House meeting today addresses the cyber workforce. Ben Yelin looks at our right to record police. Our guest is Tim Knudsen, Director of Product Management for Zero Trust at Google Cloud, speaking with Rick Howard. And another trend we’d like to be included out of. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/137 Selected reading. Russian APT29 Hackers Use Online Storage Services, DropBox and Google Drive (Unit 42) Russian hacking unit Cozy Bear adds Google Drive to its arsenal, researchers say (CyberScoop) Russian SVR hackers use Google Drive, Dropbox to evade detection (BleepingComputer)  Ukraine’s spy problem runs deeper than Volodymyr Zelensky’s childhood friend (The Telegraph)  Albanian government websites go dark after cyberattack (Register)  On Google Play, Joker, Facestealer, & Coper Banking Malware (Zscaler)  Justice Department seizes $500K from North Korean hackers who targeted US medical organizations (CNN)  Cyber Criminals Create Fraudulent Cryptocurrency Investment Applications to Defraud US Investors (US Federal Bureau of Investigation) Announcement of White House National Cyber Workforce and Education Summit | The White House (The White House) Fortinet Announces Free Training Offering for Schools at White House Cyber Workforce and Education Summit (Fortinet) Not your average side hustle: the women making thousands from 'pay pigs' who enjoy being financially dominated (Business Insider)
Jul 19, 2022
Ukraine’s security chief and head prosecutor are out. Cyberattacks hit Albania. APTs prospect journalists. The GRU trolls researchers. CISA to open an attaché office in London.
1517
Ukraine shakes up its security and prosecutorial services. Cyberattacks hit Albania. Advanced persistent threat actors prospect journalists. The GRU is said to be trolling researchers who look into Sandworm. Thomas Etheridge from CrowdStrike on identity management. Our guest is Robin Bell from Egress discussing their Human Activated Risk Report. And CISA opens a liaison office in London. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/136 Selected reading. Ukraine's Zelenskyy fires top security chief and prosecutor (AP NEWS) Zelenskiy Ousts Ukraine’s Security Chief and Top Prosecutor (Bloomberg) Volodymyr Zelensky sacks top aides over 'Russian collaboration' (The Telegraph) A massive cyberattack hit Albania (Security Affairs) Information Systems Are Intact, Says Albanian Government after Cyber Attack (Exit - Explaining Albania)  Albania closes down online gov't systems after cyber attack (ANI News) Albania Shuts Down Digital Services and Government Websites after Cyber Attack (Exit - Explaining Albania) Hackers pose as journalists to breach news media org’s networks (BleepingComputer) Cybersecurity Firm: What US Journalists Need To Know About The Foreign Hackers Targeting Them (Forbes) Sandworm APT Trolls Researchers on Its Trail as It Targets Ukraine (Dark Reading)
Jul 18, 2022
Mike Arrowsmith: Facing adversity in the workplace. [CTrO] [Career Notes]
441
Mike Arrowsmith, Chief Trust Officer at NinjaOne, leads the organization’s IT, security, and support infrastructure to ensure they meet customers’ security and data privacy demands as it scales. Mike discusses how his career path has led him to the position he currently holds and how exciting the world of cybersecurity can be. He mentioned how he mentored students in college thinking of going into the field, and he used a metaphor to help describe the industry, saying "We are working against adversaries that are always typically one step ahead. Figuratively, if you could imagine, you're trying to chase a ball, but you never can quite get your hands on it." He shares how he loves the evolving field and that he thrives in a situation where things are constantly changing. We thank Mike for sharing his story.
Jul 17, 2022
Cybercriminals shift tactics from disruption to data leaks. [CyberWire-X]
1721
On this episode of CyberWire-X, we examine double extortion ransomware. The large-scale cyber events of yesterday, such as Stuxnet and the Ukraine power grid attack, were primarily focused on disruption. Cybercriminals soon shifted to ransomware with disruption still the key focus, and then took things to the next level with double extortion ransomware. When ransomware first started to take off as the attack method of choice around 2015, the hacker playbook was focused on encrypting data, requesting payment and then handing over the encryption keys. Their methods escalated with double extortion: stealing data as well as encrypting it, and threatening to leak the data if they don’t receive payment. We’ve seen with ransomware groups like Maze that they will follow through with publishing private information if not paid. In the first part of the show, Rick Howard, the CyberWire’s CSO, Chief Analyst, and Senior Fellow, talks with Wayne Moore, Simply Business' CISO and CyberWire Hash Table member, and, in the second half of the show, the CyberWire's podcast host Dave Bittner talks with Nathan Hunstad, episode sponsor Code42’s Deputy CISO. They discuss how classic ransomware protection such as offsite backups is no longer enough. They explain that double extortion means you need to understand what data has been stolen and weigh the cost of paying against the cost of your data going public.
Jul 17, 2022
A record breaking DDoS attack. [Research Saturday]
1560
Chad Seaman, Team Lead at Akamai SIRT, joins Dave to discuss their research about a record-breaking DDoS attack. The research says "A new reflection/amplification distributed denial-of-service (DDoS) vector with a record-breaking potential amplification ratio of 4,294,967,296:1 has been abused by attackers in the wild to launch multiple high-impact DDoS attacks." Starting in mid-February 2022, security researchers, network operators, and security vendors noticed a spike in DDoS attacks. Researchers investigated the spike and determined that the devices being abused to launch these attacks were Mitel MiCollab and MiVoice Business Express collaboration systems. The research goes into how you can help mitigate the attacks and notes that Mitel has now released patched software. The research can be found here: CVE-2022-26143: TP240PhoneHome Reflection/Amplification DDoS Attack Vector
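Reflection/amplification vectors like the one described above share one observable trait on the wire: a tiny spoofed request goes in to an exposed UDP service, and a very large volume of traffic comes back out addressed to the victim. The following is an added example, written for this summary and not code from Akamai's research or from Mitel, showing how a defender might surface that pattern from unidirectional flow records (NetFlow/IPFIX style). It keys each candidate reflector by the IP and UDP port the request is sent to, totals bytes in versus bytes out, and flags any reflector whose output-to-input ratio exceeds a threshold. The flow records are constructed for illustration; the port number 10074, the addresses and the byte counts are assumptions chosen to show the shape of the data, not values taken from the research.

```python
"""Reflection/amplification detector over UDP flow records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, e.g. one NetFlow/IPFIX entry."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str   # "udp" or "tcp"
    bytes: int
    packets: int


Key = Tuple[str, int]  # (reflector IP, reflector service port)


def find_amplifiers(flows: Iterable[Flow],
                    min_ratio: float = 10.0,
                    min_response_bytes: int = 1000) -> Dict[Key, dict]:
    """Flag (ip, port) pairs whose UDP output far exceeds the UDP input that triggered it.

    A reflector is keyed by the address and port a request is sent to. Bytes *to*
    that key count as request bytes; bytes *from* it count as response bytes.
    Spoofed requests often never cross the defender's sensor (they originate
    elsewhere with the victim's address forged as source), so a reflector with
    large output and no observed input is reported with an infinite ratio
    rather than silently dropped.
    """
    request_bytes: Dict[Key, int] = defaultdict(int)
    response_bytes: Dict[Key, int] = defaultdict(int)

    for f in flows:
        if f.proto.lower() != "udp":
            continue  # this class of reflection abuse rides on connectionless UDP
        request_bytes[(f.dst_ip, f.dst_port)] += f.bytes
        response_bytes[(f.src_ip, f.src_port)] += f.bytes

    findings: Dict[Key, dict] = {}
    for key, out_bytes in response_bytes.items():
        if out_bytes < min_response_bytes:
            continue  # too little output to matter, whatever the ratio
        in_bytes = request_bytes.get(key, 0)
        ratio = float("inf") if in_bytes == 0 else out_bytes / in_bytes
        if ratio >= min_ratio:
            findings[key] = {"request_bytes": in_bytes,
                             "response_bytes": out_bytes,
                             "ratio": ratio}
    return findings


# Constructed sample records (not real traffic). The port 10074, the addresses
# (RFC 5737 documentation ranges) and the byte counts are assumptions.
SAMPLE_FLOWS = [
    # Ordinary DNS lookup: 60-byte query, 180-byte answer -> ratio 3, not flagged
    Flow("198.51.100.7", 40001, "192.0.2.53", 53, "udp", 60, 1),
    Flow("192.0.2.53", 53, "198.51.100.7", 40001, "udp", 180, 1),
    # One 70-byte request (source forged as the victim 198.51.100.20) to an
    # exposed collaboration server, followed by a sustained flood back at the victim
    Flow("198.51.100.20", 55555, "203.0.113.10", 10074, "udp", 70, 1),
    Flow("203.0.113.10", 10074, "198.51.100.20", 55555, "udp", 700000, 500),
    Flow("203.0.113.10", 10074, "198.51.100.20", 55555, "udp", 700000, 500),
    # A second reflector whose triggering request never crossed our sensor
    Flow("203.0.113.11", 10074, "198.51.100.20", 55555, "udp", 500000, 360),
    # TCP traffic is ignored by the detector
    Flow("198.51.100.7", 40002, "192.0.2.80", 443, "tcp", 5000, 20),
]


if __name__ == "__main__":
    for (ip, port), info in sorted(find_amplifiers(SAMPLE_FLOWS).items()):
        print(f"{ip}:{port}  in={info['request_bytes']}B "
              f"out={info['response_bytes']}B ratio={info['ratio']:.0f}:1")
```

On the sample data the DNS exchange stays under both thresholds, the first collaboration server is reported at 20000:1, and the second is reported with an infinite ratio because no request to it was observed. In production the same grouping works on exported flows from a border router; the thresholds should be tuned per service, since legitimate protocols such as DNS and NTP have small but non-trivial amplification of their own.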
Jul 16, 2022
A conversation with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly. [Special Edition]
2026
In this extended interview, CyberWire Daily Podcast host Dave Bittner sits down with Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly to discuss her time at CISA and the work of her team. This interview from July 15, 2022 originally aired as a shortened version on the CyberWire Daily Podcast.
Jul 15, 2022
Criminal gangs at war. A "cyber world war?" A new DPRK ransomware operation. Media organizations targeted by state actors. NSA guidance on characterizing threats and risks to microelectronics.
2150
Gangland goes to war. Is there a "cyber world war" in progress? Ukraine thinks so. A new North Korean ransomware operation is described, but it's not yet clear if it's a state operation or some moonlighting by Pyongyang's operators. Media organizations remain attractive targets for state actors. NSA releases guidance on characterizing threats and risks to microelectronics. Betsy Carmelite from Booz Allen talks about why now is the time to plan for post-quantum cryptography. Our guest is Cybersecurity and Infrastructure Security Agency (CISA) Director Jen Easterly discussing her time at CISA and the work of her team. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/135 Selected reading. Inside The Russian Cybergang Thought To Be Attacking Ukraine—The Trickbot Leaks (Forbes) Who is Trickbot? (Cyjax) NATO and the European Union work together to counter cyber threats (NATO) The Man at the Center of the New Cyber World War (POLITICO) Russian cyber threat to Canada worse than previously reported: CSE (National Post) North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware (Microsoft Security) Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media (Proofpoint) NSA Publishes Guidance on Characterizing Threats, Risks to DoD Microelectronics (National Security Agency/Central Security Service)
Jul 15, 2022
Ukraine evaluates Russia’s cyber ops. Smartphones go to war. Lilith ransomware. ChromeLoader evolves. Rolling-PWN looks real after all. Schulte guilty in Vault 7 case.
1851
An overview of the cyber phase of Russia's hybrid war. Smartphones as sources of targeting information. Lilith enters the ransomware game. ChromeLoader makes a fresh appearance. Honda acknowledges that Rolling-PWN is real (but says it's not as serious as some think). Part two of Carole Theriault's conversation with Jen Caltrider from Mozilla's Privacy Not Included initiative. Our guest is Josh Yavor of Tessian to discuss accidental data loss over email. A guilty verdict in the Vault 7 case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/134 Selected reading. Ukraine's Cyber Agency Reports Q2 Cyber-Attack Surge (Infosecurity Magazine) 2022 Q2 (SSSCIP) The weaponizing of smartphone location data on the battlefield (Help Net Security) New Lilith ransomware emerges with extortion site, lists first victim (BleepingComputer) A new ransomware operation has been launched under the name 'Lilith,' and it has already posted its first victim on a data leak site created to support double-extortion attacks. New Ransomware Groups on the Rise (Cyble) Cyble analyzes new ransomware families spotted in the wild led by notable examples such as LILITH, RedAlert, and 0Mega. Researchers Uncover New Variants of the ChromeLoader Browser Hijacking Malware (The Hacker News) ChromeLoader: New Stubborn Malware Campaign (Unit 42) Honda Admits Hackers Could Unlock Car Doors, Start Engines (SecurityWeek) Honda redesigning latest vehicles to address key fob vulnerabilities (The Record by Recorded Future) Statement Of U.S. Attorney Damian Williams On The Espionage Conviction Of Ex-CIA Programmer Joshua Adam Schulte (US Department of Justice) Ex-C.I.A. Engineer Convicted in Biggest Theft Ever of Agency Secrets (New York Times) Former CIA Staffer Convicted For Massive Data Breach To WikiLeaks (Forbes)
Jul 14, 2022
AiTM sets up BEC. Silent validation bots. Smishing attempt at the European Central Bank. Shields up in Berlin. Hacktivism in a hybrid war. Patch notes.
1680
Adversary-in-the-middle sites support business email compromise. A silent validation carding bot is discovered. Attempted social engineering at the European Central Bank. Germany puts its shields up. Carole Theriault speaks with Jen Caltrider about Mozilla's *Privacy Not Included initiative. Our guest is Lucia Milica on Proofpoint's Voice of the CISO report. And hacktivism in a hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/133 Selected reading. From cookie theft to BEC: Attackers use AiTM phishing sites as entry point to further financial fraud (Microsoft Security Blog) PerimeterX Discovers New Silent Validation Carding Bot (PerimeterX) Hackers posing as Merkel target ECB's Lagarde - German source (Reuters) European Central Bank head targeted in hacking attempt (AP NEWS) Cyberangriff auf Spitzenpolitiker: Hacker nutzten Merkels Handynummer, um das Whatsapp-Konto von Lagarde zu knacken [Cyberattack on top politicians: hackers used Merkel's mobile number to crack Lagarde's WhatsApp account] (Business Insider) Germany bolsters defenses against Russian cyber threats (Deutsche Welle) Ukraine's cyber army hits Russian cinemas (CyberNews) DDoS attacks surge in popularity in Ukraine — but are they more than a cheap thrill? (The Record by Recorded Future) Microsoft Releases July 2022 Security Updates (CISA) CISA orders agencies to patch new Windows zero-day used in attacks (BleepingComputer) SAP Releases July 2022 Security Updates (CISA) Schneider Electric Easergy P5 and P3 (CISA) Dahua ASI7213X-T1 (CISA)
Jul 13, 2022
High-end and low-end extortion. Push to start–wait, not you… Social media and open-source intelligence. Russian cyberattacks spread internationally. Preparing for cyber combat.
1737
High-end and low-end extortion. Vehicles from Honda may soon be rolling off the lot. Social media and open-source intelligence. Russian cyberattacks spread internationally. Joe Carrigan surveys items for sale in dark web markets. Our guest is Jonathan Wilson of AU10TIX to discuss consumer sentiment around data privacy. Preparing for cyber combat. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/132 Selected reading. BlackCat (Aka ALPHV) Ransomware Is Increasing Stakes Up To $2,5M In Demands (Resecurity) Ransomware gang now lets you search their stolen data (BleepingComputer) Luna Moth: The Actors Behind the Recent False Subscription Scams (Sygnia) 'Luna Moth' Group Ransoms Data Without the Ransomware (Dark Reading) Hackers can unlock Honda cars remotely in Rolling-PWN attacks (BleepingComputer) Hackers Say They Can Unlock and Start Honda Cars Remotely (Vice) Rolling PWN (PWN)  Russia launches attack on Poland as hackers declare war on 10 countries, including UK (Express) Vice Minister: cyber attacks are aimed at seeking publicity and raising tensions (DELFI) How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future) The Biggest Threat to the Military May Not Be What You Think (ClearanceJobs)
Jul 12, 2022
DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. Callback phishing impersonates security companies. Anubis is back. BlackCat ups the ante.
1641
More deniable DDoS attacks strike countries friendly to Ukraine. Predatory Sparrow's assault on Iran's steel industry. A callback phishing campaign impersonates security companies. The Anubis Network is back. Thomas Etheridge from CrowdStrike on the importance of outside threat hunting. Rick Howard weighs in on sentient AI. And a ransomware gang ups the ante. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/131 Selected reading. Pro-Russian cybercriminals briefly DDoS Congress.gov (CyberScoop) Lithuania's state-owned energy group hit by 'biggest cyber attack in a decade' (lrt.lt) Ignitis Group hit by DDoS attack as Killnet continues Lithuania campaign (Tech Monitor) Russian ‘Hacktivists’ Are Causing Trouble Far Beyond Ukraine (Wired - 07-11-2022) Predatory Sparrow: Who are the hackers who say they started a fire in Iran? (BBC News) Hacktivists claiming attack on Iranian steel facilities dump tranche of 'top secret documents' (CyberScoop) Callback Phishing Campaigns Impersonate CrowdStrike, Other Cybersecurity Companies (CrowdStrike) Anubis Networks is back with new C2 server (Security Affairs) BlackCat (aka ALPHV) ransomware is increasing stakes up to $2.5 million in demands (Help Net Security) Resecurity - BlackCat (aka ALPHV) Ransomware is Increasing Stakes up to $2,5M in Demands (Resecurity)
Jul 11, 2022
Simone Petrella: Fake it, until you make it. [CEO] [Career Notes]
517
Simone Petrella, CEO of cybersecurity workforce training firm CyberVista, spent her career in the Department of Defense as a threat intelligence analyst before founding CyberVista. She says that running a company throws a new set of challenges at you each day. She explains that she finds the most success by letting her team contribute to each matter and have a say in the decisions made as they pertain to each department. Simone says "I would say is I am a firm firm believer in the idea of empowering people to really own and kind of run with the things that they're passionate about." She notes that people will do amazing things when they are passionate, and that faking it until you make it is true, because you will get where you're going by having that passion and that inspiration. We thank Simone for sharing her story.
Jul 10, 2022
Information operations during a war. [Research Saturday]
1225
Alden Wahlstrom, senior analyst on Mandiant's Information Operations Team, shares a comprehensive overview and analysis of the various information operations activities they've seen while responding to the Russian invasion. While the full extent of the Russia-Ukraine war has yet to come to light, more than two months after the start of the invasion Mandiant has identified activity it believes to be information operations campaigns conducted by actors possibly in support of the political interests of nation-states such as Russia, Belarus, China, and Iran. The research shares a chart of all the known information operations events that have taken place so far, dating back to January 2022. It also states that following the beginning of the Russian attack they have seen concerning signs, including "incidents involving the deployment of wiper malware disguised as ransomware." The research can be found here: The IO Offensive: Information Operations Surrounding the Russian Invasion of Ukraine
Jul 09, 2022
An update on cyber operations in Russia’s hybrid war. NPM compromise updates. CISA releases ICS security advisories. Free ransomware decryptors released. Disneyland's Instagram account hijacked.
1669
An update on cyber operations in the hybrid war. NPM compromise updates. Free decryptors for AstraLocker and Yashma ransomware. Johannes Ullrich from SANS on attacks against Perimeter Security Devices. Our guest is Sonali Shah from Invicti Security with a look at DevSecOps anxiety. And who’s the villain who hijacked the Instagram account of Disneyland? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/130 Selected reading. Russia-Ukraine war: List of key events, day 135 (Al Jazeera) Russia-Ukraine war: Putin warns Moscow has 'barely started' its campaign (The Telegraph)  Russian Cybercrime Trickbot Group is systematically attacking Ukraine (Security Affairs)  US finance sector encouraged to stay vigilant against retaliatory Russian cyberattacks (SC Magazine)  Someone may be prepping an NPM crypto-mining spree (Register)  ICS CERT Advisories (CISA) Free decryptor released for AstraLocker, Yashma ransomware victims (BleepingComputer)  Disneyland’s Instagram Account Hacked With a Series of Profane, Racist Posts (Wall Street Journal)
Jul 08, 2022
Chinese industrial espionage warning. Trickbot's privateering. Russian influence ops target NATO resolve. Cozy Bear sighting. Chinese APTs target Russia. NFT scams are pestering Ukraine.
1956
The FBI and MI5 warn of Chinese industrial espionage. Revelations of Trickbot's privateering role. Russian influence operations target France, Germany, Poland, and Turkey. Chinese APTs target Russian organizations in a cyberespionage effort. Robert M. Lee from Dragos on CISA expanding the Joint Cyber Defense Collaborative. Ben Yelin speaks with Matt Kent from Public Citizen about the American Innovation and Online Choice Act. And who would guess it, but NFT scams are pestering Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/129 Selected reading. Heads of FBI, MI5 Issue Joint Warning on Chinese Spying (Wall Street Journal) FBI and MI5 leaders give unprecedented joint warning on Chinese spying (the Guardian) FBI and MI5 bosses: China cheats and steals at massive scale (Register) FBI director suggests China bracing for sanctions if it invades Taiwan (Washington Post) Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (Security Intelligence) Trickbot may be carrying water for Russia (Washington Post) Russia Info Ops Home In on Perceived Weak Links (VOA) Targets of Interest | Russian Organizations Increasingly Under Attack By Chinese APTs (SentinelOne) Chinese hackers targeting Russian government, telecoms: report (The Record by Recorded Future) Near-undetectable malware linked to Russia's Cozy Bear (Register) Russia's Cozy Bear linked to nearly undetectable malware (Computing) When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors (Unit 42) NFT scammers see an opportunity in Ukraine donations (The Record by Recorded Future)
Jul 07, 2022
CISA Alert AA22-187A – North Korean state-sponsored cyber actors use Maui ransomware to target the healthcare and public health sector. [CISA Cybersecurity Alerts]
178
The FBI, CISA, and the Department of the Treasury are releasing this joint Cybersecurity Advisory to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health Sector organizations. AA22-187A Alert, Technical Details, and Mitigations Stairwell Threat Report: Maui Ransomware North Korea Cyber Threat Overview and Advisories Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments National Conference of State Legislatures: Security Breach Notification Laws Health Breach Notification Rule Protecting Sensitive and Personal Information from Ransomware-Caused Data Breaches StopRansomware.gov CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Jul 06, 2022
Quantum computing and security standards. Cyber war, and the persistence of cybercrime. DPRK ransomware versus healthcare. Cyber incidents and credit, in Shanghai and elsewhere.
1831
Quantum computing and security standards. Notes on the cyber phases of a hybrid war, and how depressingly conventional cybercrime persists in wartime. Pyongyang operators are using Maui ransomware against healthcare targets. Malek Ben Salem from Accenture looks at the security risks of GPS. Our guest is Brian Kenyon of Island to discuss enterprise browser security. Shanghai's big data exposure. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/128 Selected reading. NIST Announces First Four Quantum-Resistant Cryptographic Algorithms (NIST) Winners of NIST's post-quantum cryptography competition announced (Computing) NIST unveils four algorithms that will underpin new 'quantum-proof' cryptography standards (SC magazine) NIST Identifies 4 Quantum-Resistant Encryption Algorithms (Nextgov.com) Prepare for a New Cryptographic Standard to Protect Against Future Quantum-Based Threats (CISA) Quantum-resistant encryption recommended for standardization (Register) Keeping Phones Running in Wartime Pushes Kyivstar to the Limit (Bloomberg) The Ukraine war could provide a cyberwarfare manual for Chinese generals eyeing Taiwan (CyberScoop) Ukrainian police takes down phishing gang behind payments scam (ZDNet) Cyber Police of Ukraine arrested 9 men behind phishing attacks on Ukrainians attempting to capitalize on the ongoing conflict (Security Affairs) North Korean State-Sponsored Cyber Actors Use Maui Ransomware to Target the Healthcare and Public Health Sector (CISA) Reports (Moody’s) Clarion Housing ‘cyber incident’ affects thousands of tenants (Cambs Times) In a big potential breach, a hacker offers to sell a Chinese police database. (New York Times) Nearly one billion people in China had their personal data leaked, and it's been online for more than a year (CNN) China data breach likely to fuel identity fraud, smishing attacks (ZDNet) China Tries to Censor What Could Be Biggest Data Hack in History (Gizmodo) Here are four big questions about the massive Shanghai police leak (Washington Post) Shanghai Data Breach Exposes Dangers of China’s Trove (Bloomberg)
Jul 06, 2022
Cyberattack hits Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. Hacktivists, scammers, misconfigurations, and rogue insiders.
1837
Cyberattack hits a Ukrainian energy provider. NCSC updates its guidance on preparing for a long-term Russian cyber campaign. British Army social media accounts are hijacked. A hacktivist group claims to have hit Iranian sites. A very, very large database of PII is for sale on the dark web. Chase Snyder from ExtraHop has a look back at WannaCry, 5 years on. Ben Yelin examines the constitutionality of keyword search warrants. And a rogue employee makes off with bug reports. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/127 Selected reading. Russian hackers allegedly target Ukraine's biggest private energy firm (CNN) Proruskí hackeri opäť útočili. Ďalšia významná spoločnosť hlási, že čelila kybernetickým útokom [Pro-Russian hackers attacked again. Another major company reports that it faced cyberattacks] (Vosveteit.sk) Preparing for the long haul: the cyber threat from Russia (NCSC) Official British Army Twitter and YouTube accounts hijacked by NFT scammers (Hot for Security) British army confirms breach of its Twitter and YouTube accounts (the Guardian) British Army hit by cyberattack as Twitter and YouTube accounts hacked (The Telegraph) Iranians' Remote Access to Banking Services Cut Off Over 'Cyber Attacks' (IranWire) (Video) Iranian regime’s Islamic Culture and Communications Organization targeted in massive cyber offensive (EIN News) Hackers Claim Theft of Police Info in China’s Largest Data Leak (Bloomberg) Hacker Selling Shanghai Police Database with Billions of Chinese Citizens Data (HackRead) Giant data breach? Leaked personal data of one billion people has been spotted for sale on the dark web (ZDNet) Hacker claims to have stolen 1 bln records of Chinese citizens from police (Reuters) HackerOne disclosed on HackerOne: June 2022 Incident Report (HackerOne) HackerOne Employee Caught Stealing Vulnerability Reports for Personal Gains (The Hacker News) Rogue HackerOne employee steals bug reports to sell on the side (BleepingComputer)
Jul 05, 2022
Patrick Morley: Former Carbon Black CEO [Cyber CEOs Decoded]
3671
In this episode, Marc and Patrick Morley, former CEO of Carbon Black, get nostalgic as they discuss Patrick's journey of coming up through the start-up scene in the 90s, from working with VCs to taking companies public, and compare it to running cyber companies today. Along with the early career experience that helped form Patrick's leadership philosophy, he shares his experience of becoming CEO of Bit9, seeing the company through a breach, acquiring Carbon Black, bringing the company public and later being acquired by VMware. This episode is filled to the brim. You'll also learn about: how to build criteria for joining a start-up; why cyber is the most mission-driven area of tech; what it's like to call 600 customers in 2 days after a breach and not lose a single one; and seven philosophies for running a cyber company.
Jul 04, 2022
Could REvil have a copycat? [Research Saturday]
966
Larry Cashdollar from Akamai joins Dave to discuss their research on a DDoS campaign claiming to be REvil. The research shares that Akamai's team was notified last week of a Layer 7 (application-layer) attack on one of their hospitality customers by a group claiming to be associated with REvil. In the research, they dive into the attack and compare it to other similar attacks that have been attributed to the group. The research states "The attacks so far target a site by sending a wave of HTTP/2 GET requests with some cache-busting techniques to overwhelm the website." It also states that this is a smaller attack than those previously seen from the group, and notes that there seems to be more of a political agenda behind this one, whereas in the past REvil has been less political. The research can be found here: REvil Resurgence? Or a Copycat?
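Cache-busting works by varying the query string (or path) on every request so that each one misses the CDN or reverse-proxy cache and has to be served by the origin. That leaves a distinctive trace in the origin access log: one client, one path, almost no repeated query strings. The following is an added example, not Akamai's code or tooling; the log lines are constructed in Apache/NGINX combined format, and the request-count and unique-ratio thresholds are assumptions.

```python
"""Spot HTTP GET floods that cache-bust with per-request query strings.

Added example, not Akamai's code. Input: origin access-log lines in the
common/combined format (constructed below). A client that hits one path many
times with a different query string almost every time is defeating the cache
on purpose; real browsers repeat the same URLs. Thresholds are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: 203.0.113.5 hammers /booking with a fresh "_=" value on
# every request over HTTP/2; 198.51.100.9 is an ordinary visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [29/Jun/2022:10:00:01 +0000] "GET /booking?_=8a1f HTTP/2.0" 200 5120
203.0.113.5 - - [29/Jun/2022:10:00:01 +0000] "GET /booking?_=c07e HTTP/2.0" 200 5120
203.0.113.5 - - [29/Jun/2022:10:00:01 +0000] "GET /booking?_=1d93 HTTP/2.0" 200 5120
203.0.113.5 - - [29/Jun/2022:10:00:02 +0000] "GET /booking?_=77b0 HTTP/2.0" 200 5120
203.0.113.5 - - [29/Jun/2022:10:00:02 +0000] "GET /booking?_=e4a2 HTTP/2.0" 200 5120
203.0.113.5 - - [29/Jun/2022:10:00:02 +0000] "GET /booking?_=5f6c HTTP/2.0" 200 5120
198.51.100.9 - - [29/Jun/2022:10:00:02 +0000] "GET / HTTP/1.1" 200 2048
198.51.100.9 - - [29/Jun/2022:10:00:03 +0000] "GET /booking?room=12 HTTP/1.1" 200 5120
198.51.100.9 - - [29/Jun/2022:10:00:03 +0000] "GET /assets/app.js HTTP/1.1" 304 0
""".splitlines()


def find_cache_busting(lines: Iterable[str], min_requests: int = 5,
                       min_unique_ratio: float = 0.8) -> List[Tuple[str, str, int, int]]:
    """Return (client_ip, path, requests, distinct_query_strings) for flagged pairs."""
    queries: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # unparsable or non-GET: out of scope for this rule
        parts = urlsplit(m["target"])
        queries[(m["ip"], parts.path)].append(parts.query)

    flagged = []
    for (ip, path), qs in queries.items():
        n, distinct = len(qs), len(set(qs))
        if n >= min_requests and distinct / n >= min_unique_ratio:
            flagged.append((ip, path, n, distinct))
    return sorted(flagged)


if __name__ == "__main__":
    for ip, path, n, distinct in find_cache_busting(SAMPLE_LOG):
        print(f"{ip} {path}: {n} GETs, {distinct} distinct query strings")
```

Because the whole point of the technique is to reach the origin, the log to examine is the origin's, not the CDN's. Attackers can randomize the path or a header instead of the query string; the same grouping works if you key on whatever part is being varied. The parsed `proto` field lets you restrict the rule to `HTTP/2.0` when, as in this campaign, that is the protocol being abused.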
Jul 02, 2022
Notes on cyber conflict. Lazarus Group blamed for the Harmony cryptocurrency heist. MedusaLocker warning. Observation of the C2C market. The Crypto Queen cracks the FBI’s Ten Most Wanted.
1821
An update on the DDoS attack against Norway. NATO's resolutions on cyber security. North Korea seems to be behind the Harmony cryptocurrency heist. MedusaLocker warning. Microsoft sees improvements in a gang's technique. Google blocks underworld domains. The Israeli-Iranian conflict in cyberspace. Chris Novak from Verizon with his take on this year's DBIR. Our guest is Jason Clark of Netskope on the dynamic challenges of a remote workforce. And now among the FBI's Ten Most Wanted: one Crypto Queen. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/126 Selected reading. Pro-Russian hackers launched a massive DDoS attack against Norway (Security Affairs) NATO establishes program to coordinate rapid response to cyberattacks (POLITICO) NATO to create cyber rapid response force, increase cyber defense aid to Ukraine (CyberScoop) FACT SHEET: The 2022 NATO Summit in Madrid | The White House (The White House) North Korean Lazarus hackers linked to Harmony bridge theft (TechCrunch) North Korea Suspected of Plundering Crypto to Fund Weapons Programs (Wall Street Journal) Crypto crash threatens North Korea's stolen funds as it ramps up weapons tests (Reuters) CISA Alert AA22-181A – #StopRansomware: MedusaLocker. (CISA Cybersecurity Alerts with the CyberWire) #StopRansomware: MedusaLocker (CISA) Microsoft warning: This malware that targets Linux just got a big update (ZDNet) Microsoft Warns of Cryptomining Malware Campaign Targeting Linux Servers (The Hacker News) Google blocked dozens of domains used by hack-for-hire groups (BleepingComputer) Countering hack-for-hire groups (Google) Gantz orders probe after TV reports hint IDF behind Iran steel plant cyberattack (Times of Israel) Proofpoint: Zionist covert operation? (PressTV) Zionist intelligence company cyberattacked by Iraqi hackers (Mehr) FBI Offers $100,000 Reward for Capture of Ten Most Wanted Fugitive ‘Cryptoqueen’ (FBI)
Jul 01, 2022
CISA Alert AA22-181A – #StopRansomware: MedusaLocker. [CISA Cybersecurity Alerts]
189
CISA, the FBI, the Department of the Treasury, and the Financial Crimes Enforcement Network are releasing this alert to provide information on MedusaLocker ransomware. Observed as recently as May 2022, MedusaLocker actors predominantly rely on vulnerabilities in Remote Desktop Protocol to access victims’ networks. AA22-181A Alert, Technical Details, and Mitigations Stop Ransomware CISA Ransomware Guide CISA No-cost Ransomware Services All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Jun 30, 2022
Killnet hits Norwegian websites. Hacktivists tied to Russia's government. Looking ahead to new cyber phases of Russia's hybrid war. C2C market differentiation. Gennady Bukin, call your shoe store.
1835
Killnet hits Norwegian websites. Hacktivists are tied to Russia's government. Amunet as a case study in C2C market differentiation. C2C commodification extends to script kiddies. Andrea Little Limbago from Interos examines borderless data. Rick Howard speaks with Cody Chamberlain from NetSPI on Breach Communication. Roscosmos publishes locations of Western defense facilities…and subsequently says it sustained a DDoS attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/125 Selected reading. Pro-Russian hacker group says it attacked Norway (The Independent Barents Observer) Cyberattack hits Norway, pro-Russian hacker group fingered (AP NEWS) Norway blames "pro-Russian group" for cyber attack (Reuters) Mandiant Finds Possible Link Between Kremlin, Pro-Russian ‘Hacktivists’ (Bloomberg) Market Differentiation: Cybercriminal Forums’ Unusual Features Designed To Attract Users (Digital Shadows) Minors Use Discord Servers to Earn Extra Pocket Money Through Spreading Malware (PR Newswire) Russia publishes Pentagon coordinates, says Western satellites 'work for our enemy' (Reuters) Russian Space Agency Targeted in Cyberattack (Wall Street Journal) Cyberattack hits Russian space agency site after sharing NATO photos (Jerusalem Post)
Jun 30, 2022
Article 5? It’s complicated. Influence ops for economic advantage. SOHO routers under attack. YTStealer described. RansomHouse hits AMD. A NetWalker affiliate cops a plea.
1829
NATO's response to Killnet's cyberattacks on Lithuania. Influence operations in the interest of national market share. SOHO routers are under attack. YTStealer is out and active in the wild. RansomHouse hits AMD. CISA releases six ICS security advisories. The most dangerous software weaknesses. Betsy Carmelite from Booz Allen Hamilton takes a look back at Biden’s executive order on cyber. Our guest is Philippe Humeau of CrowdSec on taking a collaborative approach to security. And a guilty plea in the case of the NetWalker affiliate. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/124 Selected reading. Could the Russian cyber attack on Lithuania draw a military response from NATO? (Sky News)  Pro-PRC DRAGONBRIDGE Influence Campaign Targets Rare Earths Mining Companies in Attempt to Thwart Rivalry to PRC Market Dominance (Mandiant) ZuoRAT Hijacks SOHO Routers to Silently Stalk Networks (Lumen)  New YTStealer Malware Aims to Hijack Accounts of YouTube Content Creators (Hacker News) RansomHouse Extortion Group Claims AMD as Latest Victim (RestorePrivacy)  RansomHouse gang claims to have some stolen AMD data (Register) CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency) 2022 CWE Top 25 Most Dangerous Software Weaknesses (CISA)  Netwalker ransomware affiliate agrees to plead guilty to hacking charges (The Record by Recorded Future)
Jun 29, 2022
DDoS threat to Lithuania continues. Hacktivists hit Iranian steel mill. Bumblebee loader takes C2C market share. CISA adds Known Exploited Vulnerabilities. Music piracy. Where do spies go?
1752
Distributed denial-of-service attacks against Lithuania. Dark Crystal RAT described. Iranian steel mill suspends production due to cyberattack. Bumblebee rising. CISA adds to its Known Exploited Vulnerabilities Catalog. Music pirate sites brought down by US and Brazilian authorities. Joe Carrigan looks at Apple's private access tokens. Mister Security Answer Person John Pescatore drops some SBOMs. And where do Russian intelligence officers go after they've been PNGed? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/123 Selected reading. Lithuania targeted by massive Russian cyberattack over transit blockade (Newsweek) Russia's Killnet hacker group says it attacked Lithuania (Reuters) Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia (Flashpoint) Ukraine Targeted by Dark Crystal RAT (DCRat) | FortiGuard Labs (Fortinet Blog) Cyberattack Forces Iran Steel Company to Halt Production (SecurityWeek) Iran’s steel industry halted by cyberattack (Jerusalem Post) Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem (Broadcom Software Blogs) CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA) US, Brazil seize 272 websites used to illegally download music (BleepingComputer) Swiss intel service: Watch out for redeployed Russian spies (AP News)
Jun 28, 2022
Notes from the cyber phases of the hybrid war against Ukraine. Conti retires its brand, and LockBit 2.0 is now tops in ransomware. Extortion skips the encryption. Cyber exercise in the financial sector.
1515
Lithuania sustains a major DDoS attack. Lessons from NotPetya. Conti's brand appears to have gone into hiding. Online extortion now tends to skip the ransomware proper. Josh Ray from Accenture on how social engineering is evolving for underground threat actors. Rick Howard looks at Chaos Engineering. US financial institutions conduct a coordinated cybersecurity exercise. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/122 Selected reading. Russia's Killnet hacker group says it attacked Lithuania (Reuters) The hacker group KillNet has published an ultimatum to the Lithuanian authorities (TDPel Media)  5 years after NotPetya: Lessons learned (CSO Online)  The cyber security impact of Operation Russia by Anonymous (ComputerWeekly) Conti ransomware finally shuts down data leak, negotiation sites (BleepingComputer) The Conti Enterprise: ransomware gang that published data belonging to 850 companies (Group-IB) Fake copyright infringement emails install LockBit ransomware (BleepingComputer) NCC Group Monthly Threat Pulse – May 2022 (NCC Group) We're now truly in the era of ransomware as pure extortion without the encryption (Register) Wall Street Banks Quietly Test Cyber Defenses at Treasury’s Direction (Bloomberg)
Jun 27, 2022
Richard Melick: Finding the right pattern to solve the problem. [Threat reporting] [Career Notes]
551
Richard Melick, Director of Threat Reporting for Zimperium, talks about his journey, from working in the military to moving up to the big screens. He shares that he's been in the business of solving unique cybersecurity problems for so long that he has found his own path that works very well for him. He says, "if I go to a unique problem and try to solve it, I find that I'm solving it the same way that I would've solved it five years ago, because I found my pattern." Richard reflects on his time working in the industry, from moving away from the military and into different roles over the years. He notes that giving credit where credit is due, to those who deserve it, is how you keep the audience engaged as a storyteller. We thank Richard for sharing his story.
Jun 26, 2022
Lazarus Targets Chemical Sector With 'Dream Job.' [Research Saturday]
1337
Alan Neville, a Threat Intelligence Analyst from Symantec (part of Broadcom), joins Dave to discuss their research "Lazarus Targets Chemical Sector." Symantec has observed the North Korea-linked threat group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector. The campaign appears to be a continuation of the group's activity known as Operation Dream Job, which Symantec first came across in August 2020. The research states "evidence includes file hashes, file names, and tools that were observed in previous Dream Job campaigns." The research can be found here: Lazarus Targets Chemical Sector
Jun 25, 2022
Lithuania warns of DDoS. Some limited Russian success in cyber phases of its hybrid war. Spyware infestations in Italy and Kazakhstan. Tabletop exercises. Ransomware as misdirection.
1746
Lithuania's NKSC warns of increased DDoS threat. Limited Russian success in the cyber phases of its hybrid war. Another warning of spyware in use against targets in Italy and Kazakhstan. Hey, critical infrastructure operators: CISA’s got tabletop exercises for you. Kevin Magee from Microsoft has advice for recent grads. A look back at the year since Colonial Pipeline with Padraic O'Reilly of CyberSaint. And sometimes ransomware is just a spy’s way of saying, “nothing up my sleeve…” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/121 Selected reading. Lithuania warns of rise in DDoS attacks against government sites (BleepingComputer)  Defending Ukraine: Early Lessons from the Cyber War (Microsoft)  Why think tanks are such juicy targets for cyberspies (The Record by Recorded Future) The war in Ukraine is showing the limits of cyberattacks (Tech Monitor) Spyware vendor targets users in Italy and Kazakhstan (Google Threat Analysis Group) BRONZE STARLIGHT Ransomware Operations Use HUI Loader (SecureWorks) CISA Tabletop Exercises Packages (CTEP) (CISA) CISA Tabletop Exercise Package (CTEP) Workshop (Government Technology)
Jun 24, 2022
CISA Alert AA22-174A – Malicious cyber actors continue to exploit Log4Shell in VMware Horizon systems. [CISA Cybersecurity Alerts]
194
CISA and the US Coast Guard Cyber Command are releasing this joint Cybersecurity Advisory to warn network defenders that cyber threat actors, including state-sponsored APT actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds. AA22-174A Alert, Technical Details, and Mitigations Malware Analysis Report 10382254-1 stix Malware Analysis Report 10382580-1 stix CISA’s Apache Log4j Vulnerability Guidance webpage Joint CSA Mitigating Log4Shell and Other Log4j-Related Vulnerabilities CISA’s database of known vulnerable services on the CISA GitHub page See National Security Agency (NSA) and Australian Signals Directorate (ASD) guidance Block and Defend Web Shell Malware for additional guidance on hardening internet-facing systems. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Jun 24, 2022
Reviewing Russian cyber campaigns in the war against Ukraine. Ukraine's IT Army is a complex phenomenon. Take ICEFALL seriously. CISA has updated its cloud security guidance.
1752
Reviewing Russian cyber campaigns in the war against Ukraine, and the complexity of Ukraine's IT Army. ICEFALL advice and reactions. Carole Theriault looks at Hollywood’s relationship with VPNs. Podcast partner Robert M. Lee from Dragos provides a rundown on Pipedream. And CISA updates its Cloud Security Technical Reference Architecture. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/120 Selected reading. [Blog] Defending Ukraine: Early Lessons from the Cyber War (Microsoft On the Issues) [Report] Defending Ukraine: Early Lessons from the Cyber War (Microsoft) Russian cyber spies attack Ukraine's allies, Microsoft says (Reuters)  Research questions potentially dangerous implications of Ukraine's IT Army (CyberScoop) The IT Army of Ukraine Structure, Tasking, and Ecosystem (Center for Security Studies)  CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report (CISA) Industry Reactions to 'OT:Icefall' Vulnerabilities Found in ICS Products (SecurityWeek)  Cloud Security Technical Reference Architecture (CISA)
Jun 23, 2022
A Fancy Bear sighting. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT discovered. ICEFALL ICS issues described. Europol collars 9. Say it ain’t so, Dmitry.
1795
Fancy Bear sighted in Ukrainian in-boxes. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT is active in European and Asian networks. ICEFALL ICS vulnerabilities described. CISA issues ICS vulnerability advisories. Europol makes nine collars. Andrea Little Limbago from Interos on the global state of data protection and sharing. Rick Howard speaks with Michelangelo Sidagni from NopSec on the future of vulnerability management. We are shocked, shocked, to hear of corruption in the FSB. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/119 Selected reading. Ukrainian cybersecurity officials disclose two new hacking campaigns (CyberScoop)  Ukraine Warns of New Malware Campaign Tied to Russian Hackers (Bloomberg Law)  Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware (BleepingComputer)  Opinion: How Russia’s vaunted cyber capabilities were frustrated in Ukraine (Washington Post)  New Toddycat APT Targets MS Exchange Servers in Europe and Asia (Infosecurity Magazine)  Microsoft Exchange servers hacked by new ToddyCat APT gang (BleepingComputer) OT:ICEFALL: 56 Vulnerabilities Caused by Insecure-by-Design Practices in OT (Forescout) From Basecamp to Icefall: Secure by Design OT Makes Little Headway (SecurityWeek) Dozens of vulnerabilities threaten major OT device makers (Cybersecurity Dive)  CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)  Phishing gang behind several million euros worth of losses busted in Belgium and the Netherlands (Europol) Lieutenant colonel of the FSB directorate for Samara region arrested for stealing cryptocurrency from a hacker (TASS)
Jun 22, 2022
Cyberattack suspected in Israeli false alarms. Risk surface assessments. Fitness app geolocation as a security risk. Cyber phases of Russia’s hybrid war. A conviction in the Capital One hacking case.
1804
A cyberattack is suspected of causing false alarms in Israel. Risk surface assessments. Renewed warning of the potential security risks of fitness apps. Cyber options may grow more attractive to Russia as kinetic operations stall. DDoS in St. Petersburg. Ben Yelin details a Senate bill restricting the sale of location data. Our guest is Jon Check from Raytheon's Intelligence and Space Division discussing the National Collegiate Cyber Defense Competition. A conviction in the Capital One hacking case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/118 Selected reading. Suspected cyberattack triggers sirens in Jerusalem, Eilat (Israel Hayom) Suspected Iranian Cyberattack on Israel Triggers Sirens (Haaretz) Iranian cyberattack may be behind false rocket warning sirens in Jerusalem (Jerusalem Post)  Israel suspects Iranian cyber-attack behind false siren alerts (Middle East Monitor)  Strava fitness app used to spy on Israeli military officials (Computing)  Treasury's Adeyemo sees elevated cyber threats in wake of Russia's war in Ukraine (Reuters) More cyber warfare with Russia lies on the horizon (Interesting Engineering) Prolonged war may make Russia more cyber aggressive, US official says (C4ISRNet)  What the Russia-Ukraine war means for the future of cyber warfare (The Hill)  Complex Russian cyber threat requires we go back to basics (ComputerWeekly.com)  Vladimir Putin speech delayed 'because of cyber-attack' as he hits out at 'economic blitzkrieg' against Russia (Scotsman) UPDATE 1-Putin's St Petersburg speech postponed by an hour after cyberattack (Yahoo) Think of the Russia-Ukraine conflict as a microcosm of the cyber war  (SC Magazine) The link between cyberattacks and war: Gartner (CRN Australia)  Ex-Amazon Worker Convicted in Capital One Hacking (New York Times) Jury Convicts Seattle Woman in Massive Capital One Hack (SecurityWeek) Former Seattle tech worker convicted of wire fraud and computer intrusions (US Attorney’s Office, Western District of Washington)
Jun 21, 2022
Interview select: David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement.
967
As we break to observe the Juneteenth holiday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with FBI Cyber Section Chief David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Jun 20, 2022
Lauren Van Wazer: You have to be your own North Star. [CISSP] [Career Notes]
497
Lauren Van Wazer, Vice President, Global Public Policy and Regulatory Affairs for Akamai Technologies, shares her story as she followed her own North Star and landed where she is today. She describes her career path, highlighting how she went from working at AT&T to being able to work in the White House. She shares how she is a coach and a leader to the team she works with now, saying "my view is I've got their back, if they make a mistake, it's my mistake, and if they do well, they've done well." Lauren hopes she's made an impact in the world by making it a little bit better than before, and discusses how she doesn't let anyone stop her from her goals. Lauren shares her outlook on her experiences, calling attention to different roles in her life that made her journey all the better. We thank Lauren for sharing.
Jun 19, 2022
Dissecting the Spring4Shell vulnerability. [Research Saturday]
1408
Edward Wu, senior principal data scientist at ExtraHop, joins Dave to discuss the company's research, "A Technical Analysis of How Spring4Shell Works." ExtraHop first noticed chatter on social media in March of 2022 about a new remote code execution (RCE) vulnerability and immediately started tracking the issue. The research describes how the exploit works and breaks down how the ExtraHop team came to identify the Spring4Shell vulnerability. The research describes the severity of the vulnerability, saying, "The impact of an RCE in this framework could have a serious impact similar to Log4Shell." The research can be found here: How the Spring4Shell Zero-Day Vulnerability Works
Jun 18, 2022
Malibot info stealer is no coin miner. "Hermit" spyware. Fabricated evidence in Indian computers. FBI takes down botnet. Assange extradition update. Putting the Service into service learning.
1875
Malibot is an info stealer masquerading as a coin miner. "Hermit" spyware is being used by nation-state security services. Fabricated evidence is planted in Indian computers. The US takes down a criminal botnet. The British Home Secretary signs the Assange extradition order. We wind up our series of RSA Conference interviews with David London from the Chertoff group and Hugh Njemanze from Anomali. And putting the Service into service learning. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/117 Selected reading. 'MaliBot' Android Malware Steals Financial, Personal Information (SecurityWeek) F5 Labs Investigates MaliBot (F5 Labs) Sophisticated Android Spyware 'Hermit' Used by Governments (SecurityWeek) Lookout Uncovers Android Spyware Deployed in Kazakhstan (Lookout) Police Linked to Hacking Campaign to Frame Indian Activists (Wired) U.S., partners dismantle Russian hacking 'botnet,' Justice Dept says (Reuters) Russian Botnet Disrupted in International Cyber Operation (US Attorney's Office, Southern District of California) Julian Assange: Priti Patel signs US extradition order (The Telegraph) AIVD disrupts activities of Russian intelligence officer targeting the International Criminal Court (AIVD) Alleged Russian spy studied at Johns Hopkins, won ICC internship (Washington Post)
Jun 17, 2022
Interpol scores against BEC, online fraud, and money laundering. Developments in C2C markets. Versioning vulnerability. Cyber war and cyber escalation.
1717
Interpol coordinates international enforcement action against scammers. A new version of IceXLoader is observed. Exploiting versioning limits to render files inaccessible. Reflections on the first large-scale hybrid war. Kelly Shortridge from Fastly on why behavioral science and economics matters for InfoSec. Patrick Orzechowski from DeepWatch on Russian IoCs and critical infrastructure. And the possibility of cyber escalation in Russia’s hybrid war against Ukraine. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/116 Selected reading. Hundreds arrested and millions seized in global INTERPOL operation against social engineering scams (Interpol) New IceXLoader 3.0 – Developers Warm Up to Nim (Fortinet Blog)  Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality that can Ransom Files Stored on SharePoint and OneDrive (Proofpoint)  Russia’s cyber fog in the Ukraine war (GIS Reports) Russia Might Try Reckless Cyber Attacks as Ukraine War Drags On, US Warns (Defense One) Cyber Attacks in Times of Conflict (CyberPeace Institute) Vladimir Putin’s Ukraine invasion is the world’s first full-scale cyberwar (Atlantic Council) Why Russia has refrained from a major cyber-attack against the West (Cyber Security Hub) In modern war, we have as much to fear from cyber weapons as kinetics (Computing)
Jun 16, 2022
Hertzbleed, a troublesome feature of processors. Cyberespionage and hybrid war. Patch Tuesday notes. Software bills of materials. Wannabe cybercrooks and criminal publicity stunts.
1790
The Hertzbleed side-channel issue affects Intel and AMD processors. An Iranian spearphishing campaign prospected former Israeli officials. Patch Tuesday notes. A look at software bills of materials. Russia routes occupied Ukraine's Internet traffic through Russia. Intercepts in the hybrid war: the odd and the ugly. Deepen Desai from Zscaler joins us with the latest numbers on ransomware. Rob Boyce from Accenture Security looks at cyber invisibility. And, finally, criminal wannabes and criminal publicity stunts. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/115 Selected reading. A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys (Ars Technica)  Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials (Check Point Research) Microsoft June 2022 Patch Tuesday fixes 1 zero-day, 55 flaws (BleepingComputer)  Microsoft Releases June 2022 Security Updates (CISA)  Windows Updates Patch Actively Exploited 'Follina' Vulnerability (SecurityWeek)  Adobe Plugs 46 Security Flaws on Patch Tuesday (SecurityWeek) Citrix Releases Security Updates for Application Delivery Management (CISA) SAP Releases June 2022 Security Updates (CISA)  So long, Internet Explorer. The browser retires today (AP NEWS) SBOM in Action: finding vulnerabilities with a Software Bill of Materials (Google Online Security Blog) Russia Is Taking Over Ukraine’s Internet (Wired) Belarusian hacktivist group releases purported Belarusian wiretapped audio of Russian embassy (CyberScoop)  Intercepted call: Russian plan to send PoWs out into minefields (The Telegraph)  Hacker Advertises ‘Crappy’ Ransomware on Instagram (Vice)  LockBit Ransomware Compromise of Mandiant Not Supported by Any Evidence, May Be a PR Move by Cybercrime Gang (CPO Magazine)
Jun 15, 2022
Dealing with Follina. SeaFlower steals cryptocurrencies. Cyber phases of a hybrid war, with some skeptical notes on Anonymous. And the war’s effect on the underworld.
1599
Dealing with the GRU's exploitation of the Follina vulnerabilities. SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets. Ukraine moves sensitive data abroad. Anonymous claims to have hacked Russia's drone suppliers and to have hit sensitive targets in Belarus. Rick Howard reports on an NSA briefing at the RSA Conference. Our guest is Ricardo Amper from Incode with a look at biometrics in sports stadiums. And the effects of war on the cyber underworld. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/114 Selected reading. Follina flaw being exploited by Russian hackers, info stealers (Computing)  Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in 'SeaFlower' Campaign (SecurityWeek) How SeaFlower...installs backdoors in iOS/Android web3 wallets to steal your seed phrase (Medium)  Ukraine Has Begun Moving Sensitive Data Outside Its Borders (Wall Street Journal)  Anonymous claims hack on Russian drones (Computing)  How the Cybercrime Landscape has been Changed following the Russia-Ukraine War (Kela)
Jun 14, 2022
A new RAT from Beijing. Muslim hacktivism in India. Ukraine reports a GRU spam campaign against media outlets. A Moscow court fines Wikimedia. And that UK cyber disaster was just a promo.
1620
A Chinese APT deploys a new cyberespionage tool. Hacktivism roils India after a politician's remarks about the Prophet. Ukraine reports a "massive" spam campaign against the country's media organizations. A Russian court fines Wikimedia for "disinformation." From the NSA’s Cybersecurity Collaboration Center our guests are Morgan Adamski and Josh Zaritsky. Rick Howard sets the cyber sand table on Colonial Pipeline. And the Martians haven’t landed, and the Right Honorable Mr. Johnson is still PM. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/113 Selected reading. CERT-UA warns of cyberattack on Ukrainian media (Interfax-Ukraine) Russian hackers start targeting Ukraine with Follina exploits (BleepingComputer) Massive cyber attack on media organizations of Ukraine using the malicious program CrescentImp (CERT-UA # 4797) (CERT-UA) Wikimedia Foundation appeals Russian fine over Ukraine war articles (The Verge) GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (Unit42) Prophet remark: Slew of cyber attacks on Indian govt, private sites (The Times of India) 70 Indian government, private websites face international cyber attacks over Prophet row (The Times of India) Channel 4 faces Ofcom probe over ’emergency news’ stunt to promote cyber attack drama The Undeclared War (INews)
Jun 13, 2022
Deepen Desai: A doctor in computer viruses. [CISO] [Career Notes]
558
Deepen Desai, Global Chief Information Security Officer at Zscaler, shares his story as a doctor who treats computer viruses. He describes how he got into the security field and his work with Zscaler. He describes what it's like learning and growing in this field and shares great advice for people who are up and coming in the field. Deepen describes working with an incredible team and how much joy it brings him to see his team learning and growing beyond their roles working with him. He says he wants to be remembered as a mentor among his colleagues. He says, "I still remember my first team that I built, 15 years ago. Most of those guys are leading key technologies at many of the major security vendors, and some of them are still with me." We thank Deepen for sharing his story.
Jun 12, 2022
New developments in the WSL attack. [Research Saturday]
1405
Danny Adamitis from Lumen's Black Lotus Labs joins Dave to discuss new developments in the WSL attack surface. Since September 2021, Black Lotus Labs has been monitoring malware repositories as part of its proactive threat hunting process. Danny shares how researchers discovered a series of suspicious ELF files compiled for Debian Linux. The research describes how the team identified a series of samples that target the WSL environment; they were uploaded every two to three weeks, starting as early as May 3, 2021 and continuing until August 22, 2021. The research can be found here: Windows Subsystem For Linux (WSL): Threats Still Lurk Below The (Sub)Surface No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed As Stealth Windows Loaders
Jun 11, 2022
The cautionary example of a hybrid war. SentinelOne finds a Chinese APT operating quietly since 2012. A hardware vulnerability in Apple M1 chips. And go, Tigers.
1940
Looking at Russia's hybrid war as a cautionary example. Russia warns, again, that it will meet cyberattacks with appropriate retaliation. (China says "us too.") NSA and FBI warn of nation-state cyber threats. SentinelOne finds a Chinese APT that's been operating, quietly, for a decade. "Unpatchable" vulnerability in Apple chips reported. We’ve got more interviews from RSA Conference, including the FBI’s Cyber Section Chief David Ring and ExtraHop’s CEO Patrick Dennis. And the overhead projector said, “Go Tigers.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/112 Selected reading. Top Senate Democrats sound the alarm about Russian interference in the 2022 midterms (Business Insider)  Russia says West risks ‘direct military clash’ over cyberattacks (NBC News) Russia, China, oppose US cyber support of Ukraine (Register)  #RSAC: NSA Outlines Threats from Russia, China and Ransomware (Infosecurity Magazine)  FBI official: Chinese hackers boost recon efforts (The Record by Recorded Future)  Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years (SentinelOne)  MIT researchers uncover ‘unpatchable’ flaw in Apple M1 chips (TechCrunch) New Jersey school district forced to cancel final exams amid ransomware recovery effort (The Record by Recorded Future)
Jun 10, 2022
Updates on the hybrid war: hacktivism and hunting forward. Election security. Trends in phishing. The return of Emotet.
1716
Another hacked broadcast in a hybrid war. Hunting forward as an exercise in threat intelligence collection and sharing. Cyber threats to the US midterm elections. Phishing for cryptocurrency. FakeCrack delivers a malicious payload to the unwary. Vacations are back. So is travel-themed phishbait. Ann Johnson from Microsoft shares insights on the trends she’s tracking here at RSA. Johannes Ullrich brings highlights from his RSA conference panel discussion. And Emotet returns, in the company of some old familiar criminal collaborators. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/111 Selected reading. Hacked Russian radio station broadcasts Ukrainian anthem (Washington Post)  Ukraine Successfully Defends Its Cyberspace While Russia Leans Heavily on Guns, Bombs (CNET) Ukraine war: US cyber chief on Kyiv's advantage over Russia (Sky News) NSA Director Confirms Cyber Command 'Hunt Forward' Approach Applies to Russia (ClearanceJobs)  Experts, NSA cyber director say ransomware could threaten campaigns in 2022 (CyberScoop) Ransomware, botnets could plague 2022 midterms, NSA cyber director says (The Record by Recorded Future) How Cyber Criminals Target Cryptocurrency (Proofpoint) Crypto stealing campaign spread via fake cracked software (Avast) Threat Actors Prepare Travel-Themed Phishing Lures for Summer Holidays (Hot for Security) Emotet Malware Returns in 2022 (Deep Instinct)
Jun 09, 2022
Cyber war: a continuing threat, a blurry line between combatants and noncombatants. Chinese cyberespionage and its “plumbing.” CISA adds Known Exploited Vulnerabilities. News from Jersey.
1825
US officials continue to rate the threat of Russian cyberattack as high. Civilians in cyber war. Broadcast interference and propaganda. A Joint CISA/FBI warning of Chinese cyberespionage. What gets a vulnerability into the Known Exploited Vulnerabilities Catalog? Andrea Little Limbago from Interos and Mike Sentonas from Crowdstrike join us with previews of their RSA conference presentations. And, finally, some Jersey-based cyber campaigns (that’s the Bailiwick, not the Garden State). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/110 Selected reading. Russian Cyber Threat Remains High, U.S. Officials Say (Wall Street Journal) Shields Up: The New Normal (CyberScoop) Russian Government, Cybercriminal Cooperation a 'Force Multiplier' (Decipher)  Opinion The U.S.-Russia conflict is heating up — in cyberspace (Washington Post)  Smartphones Blur the Line Between Civilian and Combatant (Wired) Russian Cyberattack Hits Wales-Ukraine Football Broadcast (Gov Info Security)  People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (CISA) US agencies detail the digital ‘plumbing’ used by Chinese state-sponsored hackers (The Record by Recorded Future)  CISA Provides Criteria and Process for Updates to the KEV Catalog (CISA) Reducing the Significant Risk of Known Exploited Vulnerabilities (CISA) Jersey computers used in international cyber-attacks (Jersey Evening Post)
Jun 08, 2022
CISA Alert AA22-158A – People’s Republic of China state-sponsored cyber actors exploit network providers and devices. [CISA Cybersecurity Alerts]
232
This joint Cybersecurity Advisory describes the ways in which People’s Republic of China state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised global infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations. AA22-158A Alert, Technical Details, and Mitigations Refer to China Cyber Threat and Advisories, Internet Crime Complaint Center, and NSA Cybersecurity Guidance for previous reporting on People’s Republic of China state-sponsored malicious cyber activity. US government and critical infrastructure organizations should consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. US Defense Industrial Base organizations should consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email dib_defense@cyber.nsa.gov. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Jun 08, 2022
Updates on the cyber phases of Russia's hybrid war, including the role of DDoS and cyber offensive operations. Ransomware, bad and sometimes bogus.
1615
DDoS as a weapon in a hybrid war. Resilience in the defense of critical infrastructure. Offensive cyber operations against Russia. LockBit claims to have hit Mandiant, but their claim looks baseless. Rick Howard joins us with thoughts on trends he’s tracking at the RSA conference. Our guest is Dr. Diane Janosek from NSA with insights on personal resilience. Effects of ransomware on businesses. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/109 Selected reading. Ukraine at D+102: Ukraine's SSSCIP on cyber war. (The CyberWire)  Major DDoS attacks increasing after invasion of Ukraine (SearchSecurity)  The Russia–Ukraine War: Ukraine’s resistance in the face of hybrid warfare (Observer Research Foundation) Ukraine Symposium - U.S. Offensive Cyber Operations in Support of Ukraine (Lieber Institute: Articles of War)  Russia ready to cooperate with all states in cyber domain (UNI India) LockBit 2.0 gang claims Mandiant as latest victim; Mandiant sees no evidence of it (CyberScoop) Mandiant: “No evidence” we were hacked by LockBit ransomware (BleepingComputer)  Cybereason Ransomware True Cost to Business Study Reveals Organizations Pay Multiple Ransom Demands (Cybereason) Average Ransom Payment Up 71% This Year, Approaches $1 Million (Palo Alto Networks Blog)
Jun 07, 2022
Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches Confluence. CISA advisory on voting system. "State-aligned" campaign tried to exploit Follina. "Cyber Spetsnaz."
1709
Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches a critical Confluence vulnerability. CISA releases an ICS advisory on voting systems. A "state-aligned" phishing campaign tried to exploit Follina. Is electronic warfare a blunt instrument in the ether? Verizon’s Chris Novak stops by with thoughts on making the most of your trip to the RSA conference. Our guest is Tom Garrison from Intel with a look at hardware security. And a Russia-aligned group says they’re not just hacktivists; they’re "Cyber Spetsnaz." For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/108 Selected reading. Remarks by Victor Zhorov, deputy head of SSSCIP. (SSSCIP) US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (Sky News) Russian ministry website appears hacked; RIA reports users data protected (Reuters) Confluence Security Advisory 2022-06-02 (Atlassian) Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134 (CISA)  Patch released for exploited Atlassian zero-day vulnerability (The Record by Recorded Future)  CISA Releases Security Advisory on Dominion Voting Systems Democracy Suite ImageCast X (CISA)  State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S (The Hacker News) Deadly secret: Electronic warfare shapes Russia-Ukraine war (AP NEWS)  Exclusive: Pro-Russia group ‘Cyber Spetsnaz’ is attacking government agencies (Security Affairs)
Jun 06, 2022
Defining the intruder’s dilemma. [CyberWire-X]
2035
For this Cyberwire-X episode, we are talking about the failure of perimeter defense as an architecture where, since the 1990s when it was invented, the plan was to keep everything out. That model never really worked that well since we had to poke holes in the perimeter to allow employees, contractors, and partners to do legitimate business with us. Those same holes could be exploited by the bad guys, too. The question is, what are we doing instead? What is the security architecture, the strategy, and the tactics that we are all using today that is more secure than perimeter defense? In the first part of the show, Rick Howard, the CyberWire’s CSO, Chief Analyst, and Senior Fellow, talks with Jerry Archer, the Sallie Mae CSO and CyberWire Hash Table member, and, in the second half of the show, the CyberWire's podcast host Dave Bittner talks with Mike Ernst, episode sponsor ExtraHop’s Vice President of Sales Engineering, to discuss Software Defined Perimeter and intrusion kill chain prevention strategy.
Jun 05, 2022
Laura Hoffner: Setting your sights high. [Intelligence] [Career Notes]
562
Executive Vice President at Concentric, Laura Hoffner shares her story about working as a Naval Intelligence Officer and supporting special operations around the globe for 12 years, to now, where she has transitioned to the Naval Reserves and joined the Concentric team. Laura knew since she was in the seventh grade that she wanted to work with SEALs and work in intelligence. She set her goals high and achieved them shortly after graduating college. She credits being a Naval Intelligence Officer with helping her get to where she is today and says how much she is enjoying working with Concentric, saying she's "ultimately just incredibly benefiting from unbelievable mentors at the company itself." We thank Laura for sharing her story.
Jun 05, 2022
LemonDucks evading detection. [Research Saturday]
997
Scott Fanning from CrowdStrike's research team joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and research suggests attackers are attracted to the monetary gain from the recent boom in cryptocurrency. LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation through the use of proxy pools. Scott shares that it’s unknown which organizations have been targeted and just how much cryptocurrency has been stolen. The research can be found here: LemonDuck Targets Docker for Cryptomining Operations
Jun 04, 2022
Managing messaging in a hybrid war. Anti-Tehran hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A threat to firmware. CISA warns of Confluence exploits.
1649
Moscow wants attention to be paid to its messengers. Western support for Ukraine in cyberspace. US remains on alert for Russian cyberattacks. Iran: anti-government hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A gangland threat to firmware. Johannes Ullrich from SANS on security of browsers caching passwords. Dave Bittner sits down with Perry Carpenter to discuss his new book, "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer," co-authored with Kai Roer. And CISA adds an Atlassian issue to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/107 Selected reading. Russia summons heads of U.S. media outlets, warns of 'stringent measures' (Reuters) US confirms military hackers have conducted cyber operations in support of Ukraine (CNN) Advancing security across Central and Eastern Europe (Google) US Justice Department Braces for More Russian Cyberattacks (VOA) Russia, backed by ransomware gangs, actively targeting US, FBI director says (Cybersecurity Dive) Exiled Iran Group Claims Tehran Hacking Attack (SecurityWeek) Exposing POLONIUM activity and infrastructure targeting Israeli organizations (Microsoft Security) To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions (Mandiant) Russia-Linked Ransomware Groups Are Changing Tactics to Dodge Crackdowns (Wall Street Journal) Conti Targets Critical Firmware (Eclypsium) Atlassian: Unpatched critical Confluence flaw under attack (Register) CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog (CISA)
Jun 03, 2022
Cyber operations in the hybrid war. Karakurt extortion group warning. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Leak brokers and booters shut down.
1467
Russian government agencies are buying VPNs. CISA and its partners warn about the Karakurt extortion group. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Carole Theriault has the latest on fraudsters imitating law enforcement. Kevin Magee from Microsoft on security incentives by way of insurance. And leak brokers and booters shut down. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/106 Selected reading. White House: cyber activity not against Russia policy (Reuters) Some see cyberwar in Ukraine. Others see just thwarted attacks. (Washington Post) ESET Threat Report details targeted attacks connected to the Russian invasion of Ukraine and how the war changed the threat landscape (ESET) Ukraine - 100 days of war in cyberspace (CyberPeace Institute) Russian VPN Spending (Top 10 VPN) Karakurt Data Extortion Group (CISA) US Agencies: Karakurt extortion group demanding up to $13 million in attacks (The Record by Recorded Future) Clipminer Botnet Makes Operators at Least $1.7 Million (Symantec Enterprise Blog) GootLoader Expands its Payloads Infecting a Law Firm with IcedID (eSentire) WeLeakInfo.to and Related Domain Names Seized (US Department of Justice)
Jun 02, 2022
CISA Alert AA22-152A – Karakurt data extortion group. [CISA Cybersecurity Alerts]
160
The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory to provide information about the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of TTPs, creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors claim to steal data and threaten to auction it or release it to the public unless they receive payment. AA22-152A Alert, Technical Details, and Mitigations CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events. Stopransomware.gov  CISA's Ransomware Readiness Assessment CISA's cyber hygiene services FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime FinCEN Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Jun 01, 2022
Costa Rica hit with another round of ransomware. Cyber phases of Russia’s hybrid war against Ukraine. CISOs and 3rd-party risk. Elasticsearch databases as extortion targets. And Razzlekhan!
1487
Costa Rica's healthcare system comes under renewed ransomware attack. Cyber phases of the hybrid war. Charity fraud exploits sympathy for Ukraine. US FBI attributes last year's attack on Boston Children's Hospital to Iran. CISOs surveyed on their challenges (and they're particularly worried about exposure to 3rd-party risk). Robert M. Lee joins us for the launch of the new Control Loop podcast. Josh Ray from Accenture looks at ransomware trends. Razzlekhan and Dutch: a cryptocurrency love song. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/105 Selected reading. Latest cyberattack in Costa Rica targets hospital system (Reuters) Costa Rica’s public health agency hit by Hive ransomware (BleepingComputer) Costa Rican Social Security Fund hit with ransomware attack (The Record by Recorded Future) Costa Rica May Be Pawn in Conti Ransomware Group’s Bid to Rebrand, Evade Sanctions (KrebsOnSecurity) Ukraine joins its first NATO cyber defense center meeting (TheHill) US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (Sky News) The FBI Warns of Scammers Soliciting Donations Related to the Crisis in Ukraine (Internet Crime Complaint Center (IC3)) FBI director blames Iran for ‘despicable’ attempted cyberattack on Boston Children’s Hospital (CNN) Hackers ransom 1,200 exposed Elasticsearch databases (TechTarget) The CISOs Report (Security Current) New York couple accused of laundering $4.5 bln in crypto still in plea talks (Reuters)
Jun 01, 2022
Potential cyber threats to agriculture. Cyber phases of Russia’s hybrid war. REvil prosecution at a stand (and it’s the Americans’ fault, say Russian sources). Microsoft mitigates Follina.
1665
Sanctions, blockades, and their effects on the world economy. Western nations remain on alert for Russian cyber attacks. REvil prosecution has reached a dead end. Microsoft issues mitigations for a recent zero-day. John Pescatore’s Mr. Security Answer Person is back, looking at authentication. Joe Carrigan looks at new browser vulnerabilities. Notes from the underworld. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/104 Selected reading. In big bid to punish Moscow, EU bans most Russia oil imports (AP NEWS) EU, resolving a deadlock, in deal to cut most Russia oil imports (Reuters) The E.U.’s embargo will bruise Russia’s oil industry, but for now it is doing fine. (New York Times) Russia’s Black Sea Blockade Will Turbocharge the Global Food Crisis (Foreign Policy) Russia’s Invasion Unleashes ‘Perfect Storm’ in Global Agriculture (Foreign Policy) ‘War in Ukraine Means Hunger in Africa’ (Foreign Policy) Afghanistan’s Hungry Will Pay the Price for Putin’s War (Foreign Policy) Remote bricking of Ukrainian tractors raises agriculture security concerns (CSO Online) Major supermarkets 'uniquely vulnerable' as Russian cyber attacks rise (ABC) Italy warns organizations to brace for incoming DDoS attacks (BleepingComputer) Whitepaper - PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments (Dragos) Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks (IT Security News) Putin horror warning over 'own goal' attack on UK coming back to haunt Kremlin (Express.co.uk) Putin plot: UK hospitals at risk of chilling ‘sleeper cell’ attack by Russia (Express) Will Russia Launch a New Cyber Attack on America? (The National Interest) Hackers wage war on Russia’s largest bank (The Telegraph) REvil prosecutions reach a 'dead end,' Russian media reports (CyberScoop) Microsoft Office zero-day "Follina"—it’s not a bug, it’s a feature! (It's a bug) (Malwarebytes Labs) Microsoft Word struck by zero-day vulnerability (Register) Clop ransomware gang is back, hits 21 victims in a single month (BleepingComputer) Conti ransomware explained: What you need to know about this aggressive criminal group (CSO Online)
May 31, 2022
Introducing Control Loop, the industrial cybersecurity podcast. [Trailer]
166
Cybersecurity for Operational Technology and Industrial Control Systems. The Control Loop podcast, hosted by the CyberWire’s Dave Bittner, investigates the latest threat intelligence, security strategies, and technologies that industry professionals rely on to safeguard civilization. Every two weeks, Dave analyzes the biggest stories in OT security with commentary from key industry leaders and operators. Each episode includes new guests who provide the insider’s perspective on major threats and vulnerabilities, novel ideas and solutions, and critical training topics.  Control Loop Episode 1 premieres on June 1st, 2022. Listen and subscribe to the podcast wherever you get your favorite shows and subscribe to the newsletter on the CyberWire website.
May 30, 2022
Michael Scott: A team of humble intellects. [Information security] [Career Notes]
547
Chief Information Security Officer at Immuta, Michael Scott shares his story from working at a forgotten internet service provider to leading the security fight for major food chain restaurants. Michael explains how the different roles at the various companies he has worked with paved his way to where he is now at Immuta. He works with a group of colleagues and leads in a different style, describing that "It really is just a collection of a lot of, we call humble intellects" working with him. Michael sees adversity as a cornerstone of existence in the security community, and explains how that helps him keep up the fight. We thank Michael for sharing his story with us.
May 29, 2022
Compromised military tech? [Research Saturday]
1247
Dick O'Brien from Symantec's threat hunter team joins Dave to discuss their work on "Stonefly: North Korea-linked spying operation continues to hit high-value targets." Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors. Symantec found that the attackers breached an engineering firm in February 2022, most likely by exploiting the Log4j vulnerability. Their research describes who these high-value targets are and ways to prevent this malware from breaching any more companies, as well as indications that you could be compromised. The research can be found here: Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
May 28, 2022
Cyber ops and a side benefit of sanctions. BlackCat wants $5 million from Carinthia. Fraudster pressures Verizon. Spain responds to surveillance scandal. CISA has 5G implementation guidelines.
1447
Pro-Russian DDoS attacks. Sanctions and their effect on ransomware. BlackCat wants $5 million from Carinthia. A fraudster pressures Verizon. Spain will tighten judicial review of intelligence services. Johannes Ullrich looks at VSTO Office Files. Our guests are Cecilia Marinier and Niloo Howe with a preview of the RSAC Innovation Sandbox. CISA releases ICS advisories and, with its partners, issues guidelines for evaluating 5G implementation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/103 Selected reading. Hacktivists Expanding DDoS Attacks as Part of International Cyber Warfare Strategy (Imperva) Cyberattacks against UK CNI increase amidst Russia-Ukraine war (Intelligent CIO Europe) A cyberwar is already happening in Ukraine, Microsoft analysts say (NPR.org) NSA: Sanctions on Russia Having a Positive Effect on Ransomware Attacks, Attempts Down Due to Difficulty Collecting Ransom Payments (CPO Magazine) BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (BleepingComputer) Hacker Steals Database of Hundreds of Verizon Employees (Vice) Drupal Releases Security Updates (CISA) Keysight N6854A Geolocation server and N6841A RF Sensor software (CISA) Horner Automation Cscape Csfont (CISA) Spain vows legal reforms in wake of spying allegations (MSN) Spain’s PM vows to reform intelligence services following phone hacking scandal (The Record by Recorded Future) Spain set to strengthen oversight of secret services after NSO spying scandal (Times of Israel) CISA and DoD Release 5G Security Evaluation Process Investigation Study (CISA)
May 27, 2022
"Pantsdown" firmware vulnerability. ChromeLoader warning. Conti update. Ransomware at SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands. Kyiv honors Google. Reformed ID thief.
1549
"Pantsdown" in QCT Baseboard Management Controllers. A warning on ChromeLoader. Conti updates. Ransomware’s effect on SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands, again. Kyiv honors Google. Josh Ray from Accenture reminds us it’s military appreciation month. Our guest is Melissa Bischoping of Tanium with lessons learned from the American Dental Association ransomware attack. And a poacher turned gamekeeper? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/102 Selected reading. Critical 'Pantsdown' BMC Vulnerability Affects QCT Servers Used in Data Centers (The Hacker News) ChromeLoader: a pushy malvertiser (Red Canary) Conti leaks data stolen during January attack on Oregon county (The Record by Recorded Future) Is the Conti Ransomware Gang Stronger Apart Then Together? (OODA Loop) SpiceJet: Passengers stranded as India airline hit by ransomware attack (BBC News) SpiceJet's woes continue as ransomware attack delays flights (The Loadstar) SpiceJet's brush with ransomware is a timely reminder to protect yourself against this cyber menace (cnbctv18.com) CISA Adds 34 Known Exploited Vulnerabilities to Catalog (CISA) Mykhailo Fedorov presented the first "Peace prize" to Google (Digital Gov) Notorious Vietnamese hacker turns government cyber agent (France 24)
May 26, 2022
More cyberespionage in Russia. Advice on conducting propaganda. Iranian group conducts DDoS against Port of London Authority. News from the underworld. CISA alerts. Operation Delilah.
1648
More cyberespionage targets Russian networks. Lincoln Project veterans visit Ukraine with advice on conducting an influence campaign against President Putin. A politically motivated DDoS attack hits the Port of London Authority website. Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors? RansomHouse may be operated by frustrated bounty hunters. Kevin Magee from Microsoft sets his security sights toward space. Our guest is Mathieu Gorge of VigiTrust to discuss the threat of printer hacks. Operation Delilah trims SilverTerrier’s locks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/101 Selected reading. Unknown APT group has targeted Russia repeatedly since Ukraine invasion (Malwarebytes Labs) Hackers target Russian govt with fake Windows updates pushing RATs (BleepingComputer) Researchers Find New Malware Attacks Targeting Russian Government Entities (The Hacker News) Ukraine May Use Lincoln Project's Anti-Trump Tactics Against Putin (Newsweek) Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack (HackRead) REvil Resurgence? Or a Copycat? (Akamai) RansomHouse: Bug bounty hunters gone rogue? (Help Net Security) Data theft gang RansomHouse might be 'frustrated' white hat hackers, researchers claim (Tech Monitor) CISA Adds 20 Known Exploited Vulnerabilities to Catalog (CISA) CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog (Security Affairs) Rockwell Automation Logix Controllers (CISA) Matrikon OPC Server (CISA) Mitsubishi Electric FA Engineering Software Products (Update D) (CISA) Mitsubishi Electric Factory Automation Engineering Products (Update F) (CISA) Suspected head of cybercrime gang arrested in Nigeria (Interpol) Interpol arrests alleged leader of the SilverTerrier BEC gang (BleepingComputer) INTERPOL hauls in alleged Nigerian cybercrime ringleader (CyberScoop) Operation Delilah: Unit 42 Helps INTERPOL Identify Nigerian Business Email Compromise Actor (Unit42)
May 25, 2022
Verizon's 2022 DBIR shows a sharp rise in ransomware. Origins of Chaos ransomware. GuLoader’s phishbait. Malicious proofs-of-concept. Hyperlocal disinformation and hybrid warfare. Robin Hood?
1733
Verizon's 2022 Data Breach Investigations Report shows a sharp rise in ransomware. Origins of the Chaos ransomware operation. The GuLoader campaign uses bogus purchase orders. Security researchers are targeted in a malware campaign. Hyperlocal disinformation. Turla reconnaissance has been detected in Austrian and Estonian networks. Ben Yelin describes a content moderation fight that may be headed to the Supreme Court. Our guest is Richard Melick from Zimperium to discuss threats to mobile security. Robin Hood (or not). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/100 Selected reading. 2022 Data Breach Investigations Report (Verizon Business) Yashma Ransomware, Tracing the Chaos Family Tree (BlackBerry) Spoofed Saudi Purchase Order Drops GuLoader: Part 1 (Fortinet Blog) Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon (Cyble) Network of hyperlocal Russian Telegram channels spew disinformation in occupied Ukraine (CyberScoop) Russian hackers perform reconnaissance against Austria, Estonia (BleepingComputer) New ransomware forces victims to donate to poor (The Independent)
May 24, 2022
A new loader variant for wiper campaigns. Sanctions, hacktivism, and disinformation. Conti’s toxic branding. Happy birthday, US Cyber Command.
1465
There’s a new loader identified in wiper campaigns. President Putin complains of sanctions and cyberattacks, and vows to increase Russia's cybersecurity. Coordinated inauthenticity at scale. Killnet crows large over Italian operations. Conti's dissolution doesn't mean its operators' disappearance. Rick Howard looks at software defined perimeters. Dinah Davis from Arctic Wolf on how ransomware groups are upping their game to nation state levels. And happy birthday, US Cyber Command...but we're not necessarily wishing you a moonshot for your birthday present. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/99 Selected reading. Sandworm uses a new version of ArguePatch to attack targets in Ukraine (WeLiveSecurity) Putin complains about barrage of cyberattacks (Military Times) Putin promises to bolster Russia's IT security in face of cyber attacks (Reuters) Russia keeps getting hacked (Mashable) Putin is bringing his disinformation war to Ukraine (Newsweek) Russian government procured powerful botnet to shift social media trending topics (The Record by Recorded Future) Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns (The Hacker News) Russian Hackers Claim Responsibility for Attacks on Italian Government Websites (Wall Street Journal) Anonymous Declares Cyber-War on Pro-Russian Hacker Gang Killnet (Infosecurity Magazine) DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape (AdvIntel) Notorious cybercrime gang Conti 'shuts down,' but its influence and talent are still out there (The Record by Recorded Future) Could a Cyber Attack Overthrow a Government? Conti Ransomware Group Now Threatening To Topple Costa Rican Government if Ransom Not Paid (CPO Magazine) Fears grow after ransomware attack on Costa Rica escalates (TechCrunch) US Cyber Command’s birthday (US Cyber Command) U.S. Needs New 'Manhattan Project' to Avoid Cyber Catastrophe | Opinion (Newsweek) Cyber pros are fed up with talk about a cyber-Manhattan Project (Washington Post)
May 23, 2022
Charity Wright: Pursue what you love [Threat intelligence] [Career Notes]
560
Threat intelligence analyst at Recorded Future, Charity Wright shares her story from the Army to her career today. Transitioning from the Army to cybersecurity was an exciting change for her. During college she was recruited by the U.S. Army, where she started her journey and learned new skills, paving her pathway to threat intelligence, where she is now. She shares that she works with a great team of junior analysts who are constantly checking each other's biases, which helps keep Charity grounded in her work. Charity spends her days keeping an eye on threats around the world, where she says there is never a dull day in her line of work. We thank Charity for sharing her story with us.
May 22, 2022
AutoWarp bug leads to Automation headaches. [Research Saturday]
1166
Yanir Tsarimi from Orca Security joins Dave to discuss how researchers discovered a critical Azure Automation service vulnerability called AutoWarp. The security flaw was discovered this past March, prompting Yanir to leap into action and report the issue to Microsoft, who helped to swiftly resolve the cross-account vulnerability. The research shows how this serious flaw would allow attackers unauthorized access to other customers' accounts and potentially full control over resources and data belonging to those accounts, putting multiple Fortune 500 companies and billions of dollars at risk. The research shares the crucial timeline of the vulnerability's discovery as well as Microsoft's response to it. The research can be found here: AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service
May 21, 2022
Is Conti rebranding? Commercial spyware scrutinized. Notes from the cyber phases of a hybrid war. Notes on the underworld. Software supply chain attack. Canada will exclude Huawei from 5G.
1859
Was Conti’s digital insurrection in Costa Rica misdirection? Google assesses a commercial spyware threat “with high confidence.” Continuing expectations of escalation in cyberspace. The limitations of an alliance of convenience. Fronton botnet shows versatility. Russian hacktivists hit Italian targets, again. Lazarus Group undertakes new SolarWinds exploitation. Crypters in the C2C market. CrateDepression supply chain attack. Johannes Ullrich describes an advance fee scam hitting crypto markets. Our guest is Marty Roesch, CEO of Netography and inventor of Snort. Canada to exclude Huawei from 5G networks on security grounds. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/98 Selected reading. Conti ransomware shuts down operation, rebrands into smaller units (BleepingComputer)  Protecting Android users from 0-Day attacks (Google)  Microsoft President: Cyber Space Has Become the New Domain of Warfare (Infosecurity Magazine) Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes (Check Point Research)  Chinese Hackers Tried to Steal Russian Defense Data, Report Says (New York Times)  China-linked Space Pirates APT targets the Russian aerospace industry (Security Affairs)  This Russian botnet does far more than DDoS attacks - and on a massive scale (ZDNet)  Pro-Russian hackers attack institutional websites in Italy, police say (Reuters)  Lazarus hackers target VMware servers with Log4Shell exploits (BleepingComputer) ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups (Security Intelligence)  CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware (SentinelOne)  Canada to ban Huawei/ZTE 5G equipment, joining Five Eyes allies (Reuters)
May 20, 2022
CISA Alert AA22-138B – Threat actors chaining unpatched VMware vulnerabilities for full system control. [CISA Cybersecurity Alerts]
194
CISA is releasing this cybersecurity advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root level access. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. AA22-138B Alert, Technical Details, and Mitigations AA22-138B.stix Emergency Directive 22-03 Mitigate VMware Vulnerabilities VMware Security Advisory VMSA-2022-0011 VMware Security Advisory VMSA-2022-0014 All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 20, 2022
Information operations and the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities actively exploited. TDI clarifies data incident. Robo-calling the Kremlin.
1849
Russian information operations surrounding the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities undergoing active exploitation. Texas Department of Insurance clarifies facts surrounding its data incident. Robert M. Lee from Dragos is heading to Davos to talk ICS. Rick Howard speaks with author Chase Cunningham on his book "Cyber Warfare – Truth, Tactics and Strategies". Robo-calling the Kremlin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/97 Selected reading. Information Operations Surrounding the Russian Invasion of Ukraine (Mandiant) CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities (CISA) Emergency Directive 22-03 (CISA) Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control (CISA) Threat Actors Exploiting F5 BIG IP CVE-2022-1388 (CISA) CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. (The CyberWire) Additional facts: TDI data security event (Texas Department of Insurance) This Hacktivist Site Lets You Prank Call Russian Officials (Wired)
May 19, 2022
CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. [CISA Cybersecurity Alerts]
200
CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC), are releasing this joint Cybersecurity Advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP.  AA22-138A Alert, Technical Details, and Mitigations F5 Security Advisory K23605346 and indicators of compromise F5 guidance K11438344 for remediating a compromise Emerging Threats suricata signatures Palo Alto Networks Unit 42 Threat Brief: CVE-2022-1388. This brief includes indicators of compromise.  Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical F5 BIG-IP Vulnerability. This blog includes indicators of compromise. Note: due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content. Randori’s bash script. This script can be used to identify vulnerable instances of BIG-IP. Note: MS-ISAC has verified this bash script identifies vulnerable instances of BIG-IP.  All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 19, 2022
Privateering goes fully political. Compromised robots? Conti’s campaign against Costa Rica. Cyberconflict along the Nile. A reset in the cyber insurance market.
1533
Chaos ransomware group declares for Russia. Hacktivists claim to have compromised Russian-manufactured ground surveillance robots. Conti's ongoing campaign against Costa Rica. The claimed "international" cyberattack against Nile dam was stopped. Rick Howard speaks with author Caroline Wong on her book “Security Metrics, a Beginner's Guide”. Our guests are Kathleen Smith and Rachel Bozeman, hosts of the new podcast, Security Cleared Jobs. And the cyber insurance market experiences a “reset.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/96 Selected reading. Chaos Ransomware Variant Sides with Russia (Fortinet Blog) Did hackers commandeer surveillance robots at a Russian airport? (The Daily Dot)  Russian Hacking Cartel Attacks Costa Rican Government Agencies (New York Times)  Costa Rican president claims collaborators are aiding Conti's ransomware extortion efforts (CyberScoop)  "We will overthrow the government" - Does Conti have help inside Costa Rica? (Tech Monitor)  Costa Ricans scrambled to pay taxes by hand after cyberattack took down country’s collection system (Yahoo)  Ethiopia faces new cyberattacks on its Nile dam (Al-Monitor)  Cyber Insurers Raise Rates Amid a Surge in Costly Hacks (Wall Street Journal)
May 18, 2022
CISA Alert AA22-137A – Weak security controls and practices routinely exploited for initial access. [CISA Cybersecurity Alerts]
169
This joint cybersecurity advisory was coauthored by the cybersecurity authorities of the US, Canada, New Zealand, the Netherlands, and the UK. Cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices, and includes best practices to mitigate these risks. AA22-137A Alert, Technical Details, and Mitigations White House Executive Order on Improving the Nation’s Cybersecurity NCSC-NL Factsheet: Prepare for Zero Trust NCSC-NL Guide to Cyber Security Measures N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured NCSC-UK Guidance – Phishing Attacks: Defending Your Organisation Open Web Application Security Project (OWASP) Proactive Controls: Enforce Access Controls All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 17, 2022
Russian cyber threats and NATO’s Article 5. Conti says it’s going to bring Costa Rica to its knees. BLE proof-of-concept hack. CISA warns of initial access methods. Thanos proprietor indicted.
1718
An assessment of the Russian cyber threat. NATO's Article 5 in cyberspace. Conti's ransomware attack against Costa Rica spreads, in scope and effect. Bluetooth vulnerabilities demonstrated in proof-of-concept. CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Joe Carrigan looks at updates to the FIDO alliance. Rick Howard and Ben Rothke discuss author Andrew Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age". And, the doctor was in, but wow, was he also way out of line. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/95 Selected reading. Russia Planned a Major Military Overhaul. Ukraine Shows the Result. (New York Times)  The Cyberwar Against Pro-Ukrainian Countries is Real. Here’s What to Do (CSO Online)  Collective cyber defence and attack: NATO’s Article 5 after the Ukraine conflict (European Leadership Network)  Cyber attack on Costa Rica grows as more agencies hit, president says (Reuters) Ransomware gang threatens to ‘overthrow’ new Costa Rica government, raises demand to $20 million (The Record by Recorded Future)  Hacker Shows Off a Way to Unlock Tesla Models, Start Cars (Bloomberg) NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk (NCC Group)  Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks (NCC Group Research)  Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks (NCC Group Research) Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks (NCC Group Research)  Alert (AA22-137A) Weak Security Controls and Practices Routinely Exploited for Initial Access (CISA) Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals (U.S. Attorney’s Office for the Eastern District of New York)  US prosecutors allege Venezuelan doctor is ransomware mastermind (ZDNet)  'Multi-tasking doctor' was mastermind behind 'Thanos' ransomware builder, DOJ says (The Record by Recorded Future)  U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware (The Hacker News)
May 17, 2022
Users advised to patch actively exploited Zyxel vulnerability. Hacktivism and influence ops in Russia’s hybrid war. Ransomware notes. Indiscriminate hacktivism? Alt-coin sanctions case will proceed.
1517
Users are advised to patch Zyxel firewalls. Battlefield failure and popular morale in Russia’s hybrid war. Nuisance-level hacktivism in the hybrid war. Sweden and Finland move closer to NATO membership; concern over possible Russian cyberattacks rises. Intelligence, disinformation, or wishful thinking? Conti calls for rebellion in Costa Rica. PayOrGrief is just rebranded DoppelPaymer. Anonymous action in Sri Lanka seems indiscriminate and counterproductive. Dinah Davis from Arctic Wolf examines cyber security for startups. Rick Howard looks at two-factor authentication. And a judge says cryptocurrency can’t be used to evade sanctions. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/94 Selected reading. Critical Vulnerability Allows Remote Hacking of Zyxel Firewalls (SecurityWeek)  Zyxel security advisory for OS command injection vulnerability of firewalls (Zyxel)  Growing evidence of a military disaster on the Donets pierces a pro-Russian bubble. (New York Times)  OpRussia update: Anonymous breached other organizations (Security Affairs)  Italy prevents pro-Russian hacker attacks during Eurovision contest (Reuters)  Finland, Sweden’s NATO moves prompt fears of Russian cyberattacks (The Hill)  Coup to remove cancer-stricken Putin underway in Russia, Ukrainian intelligence chief says (Fortune)  Conti ransomware gang calls for Costa Rican citizens to revolt if government doesn't pay (SC Magazine)  Anonymous wanted to help Sri Lankans. Their hacks put many in grave danger (Rest of World)  U.S. issues charges in first criminal cryptocurrency sanctions case (Washington Post)
May 16, 2022
Eric Escobar: Collaboration is key. [Pen tester] [Career Notes]
492
Principal consultant and pen tester at Secureworks, Eric Escobar, shares his career path, translating his childhood love of Legos into civil engineering and then pivoting to cybersecurity. Eric was always headed toward engineering and earned both his bachelor's and master's degrees in civil engineering. Upon breaking into a network with a friend, he was bitten by the cybersecurity bug. Making the switch to the red team and essentially becoming a bank robber for hire, Eric tests the security of many companies' networks. He feels that curiosity is an essential trait for cybersecurity and that collaboration is key, as no one person knows everything. He advises those interested in cybersecurity to just start. We thank Eric for sharing his story with us.
May 15, 2022
The current state of zero trust. [CyberWire-X]
1911
According to the zero trust philosophy, we all assume that our networks are already compromised and try to design them to limit the damage if it turns out to be so. In this episode of CyberWire-X, we’ve invited subject matter experts, Amanda Fennell, the Chief Information Officer and Chief Security Officer of Relativity, and Galeal Zino, CEO of episode Sponsor NetFoundry, to the Cyberwire Hash Table to discuss all the ways to think about the solution in the modern era: Software Defined Perimeter (SDP), Secure Access Service Edge (SASE), identity and authorization, and private WAN, all through a First Principle lens.
May 15, 2022
Vulnerabilities in IoT devices. [Research Saturday]
1412
Dr. May Wang, Chief Technology Officer at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization
May 14, 2022
War crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). A backdoor for Roblox. Darkweb C2C trader sentenced. eBay newsletter conspirator pleads guilty. CIA gets a CISO.
1479
Ukraine holds its first war crimes trial. Are there war crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). Roblox seems to have been used to introduce a backdoor. CISA issues ICS advisories. Darkweb C2C trader sentenced. The last conspirator in the strange case of the eBay newsletter takes a guilty plea. Carole Theriault looks at Google’s new approach to cookies in Europe. Our guest is Mary Writz of ForgeRock on the growing importance of mobile device authentication security. And CIA gets a CISO. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/93 Selected reading. Ukraine to put first Russian soldier on trial for war crimes | DW | 12.05.2022 (Deutsche Welle) Russian soldier on trial in first Ukraine war-crimes case (AP NEWS) First Russian soldier goes on trial in Ukraine for war crimes (the Guardian)  The Case for War Crimes Charges Against Russia’s Sandworm Hackers (Wired) Iranian hackers exposed in a highly targeted espionage campaign (BleepingComputer)  Iranian APT Cobalt Mirage launching ransomware attacks (SearchSecurity) Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks (The Hacker News)  Iranian Cyberspy Group Launching Ransomware Attacks Against US (SecurityWeek)  Please Confirm You Received Our APT | FortiGuard Labs (Fortinet Blog)  Roblox Exploited with Trojans from Scripting Engine (Avanan) Ukrainian cybercriminal sentenced to 4 years in U.S. prison for credential theft scheme (CyberScoop) Ukrainian sentenced to 4 years for selling hacked passwords (The Record by Recorded Future)  Ex-eBay exec charged with harassing newsletter publishers pleads guilty (Reuters) CIA selects new CISO with deep private sector experience (The Record by Recorded Future)
May 13, 2022
Killnet hits Italian targets. Access restored to RuTube. Hacktivism in the hybrid war. Emotet surges. NPM dependency confusion attacks were pentesting. Cybercrime and punishment.
1571
Killnet hits Italian targets. Access to RuTube is restored. Hacktivism in the hybrid war. Emotet surges. Clearing up the confusion of NPM dependency confusion attacks. Tim Eades from Cyber Mentor Fund on finding the right investors. Our guest is Michael DeBolt of Intel 471 on the growing interest in Biometrics in the criminal underground. And cybercrime and punishment, Florida-man edition. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/92 Selected reading. Ukraine maps reveal how much territory Russia has lost in just a few days (Newsweek)  Pro-Russian hackers target Italy institutional websites -ANSA news agency (Reuters)  Russian cyber experts restore RuTube access after three-day outage (Reuters)  They Fled Ukraine to Keep Their Cyber Startup Alive. Now, They’re Hacking Back. (Wall Street Journal) Ukraine hacktivism 'problematic' for security teams says NSA cyber chief (Tech Monitor) HP Wolf Security Threat Insights Report Q1 2022 | HP Wolf Security (HP Wolf Security) npm supply chain attack targets Germany-based companies with dangerous backdoor malware (JFrog) SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering (SecurityWeek) Trio Of Cybercriminals Sentenced For Conspiracy To Commit Fraud And Aggravated Identity Theft (US Attorney for the Middle District of Florida)
May 12, 2022
CISA Alert AA22-131A – Protecting against cyber threats to managed service providers and their customers. [CISA Cybersecurity Alerts]
207
The cybersecurity authorities of the UK, Australia, Canada, New Zealand, and the US have observed a recent increase in malicious cyber activity against managed service providers (MSPs). Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers.  AA22-131A Alert, Technical Details, and Mitigations Technical Approaches to Uncovering and Remediating Malicious Activity Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses APTs Targeting IT Service Provider Customers ACSC's Managed Service Providers: How to manage risk to customer networks  Global Targeting of Enterprise Managed Service Providers Cyber Security Considerations for Consumers of Managed Services  How to Manage Your Security When Engaging a Managed Service Provider Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers Baseline Cyber Security Controls for Small and Medium Organizations Actions to take when the cyber threat is heightened Top 10 IT Security Action Items to Protect Internet Connected Networks and Information CCCS's Alert: Malicious Cyber Activity Targeting Managed Service Providers  CISA Cybersecurity Alert: APT Activity Exploiting MSPs (2018) CISA Cyber Essentials and CISA Cyber Resource Hub  Improving Cybersecurity of Managed Service Providers  Shields Up Technical Guidance All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 12, 2022
Consensus on the Viasat hack: Russia did it. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies exploited, but to what end? Advisories from CISA and its partners.
1543
There’s international consensus on the cyberattack against Viasat. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies are exploited, but to what end? Caleb Barlow examines Russia’s future on the internet. Our guest is Deepen Desai from Zscaler with the latest phishing research. And new advisories from CISA and its partners. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/91 Selected reading. Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques (Proofpoint) NPM dependency confusion hacks target German firms (ReversingLabs) npm Supply Chain Attack Targeting Germany-Based Companies (JFrog) Adminer in Industrial Products (CISA) Eaton Intelligent Power Protector (CISA)  Eaton Intelligent Power Manager Infrastructure (CISA)  Eaton Intelligent Power Manager (CISA) AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (CISA)  Mitsubishi Electric MELSOFT GT OPC UA (CISA)  CISA Adds One Known Exploited Vulnerability to Catalog (CISA)  Alert (AA22-131A) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA) Russia downed satellite internet in Ukraine -Western officials (Reuters)  US and its allies say Russia waged cyberattack that took out satellite network (Ars Technica)  Western powers blame Russia for Ukraine satellite hack (The Record by Recorded Future)  Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)  Attribution of Russia’s Malicious Cyber Activity Against Ukraine - United States Department of State (United States Department of State)  U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors (CISA) Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion (GOV.UK) Estonia joins the statement of attribution on cyberattacks against Ukraine (Ministry of Foreign Affairs, Republic of Estonia)  Statement on Russia’s malicious cyber activity affecting Europe and Ukraine (Canada.ca)  Attribution to Russia for malicious cyber activity against European networks (Australian Government Department of Foreign Affairs and Trade)  Russia hacked an American satellite company one hour before the Ukraine invasion (MIT Technology Review)  NSA Probing Reach of Software From Russia’s Kaspersky in US Systems (Bloomberg)
May 11, 2022
Notes on cyber phases of Russia’s hybrid war, including an assessment of Victory Day as an influence op. A look at C2C markets. And Spain’s spyware scandal claims an intelligence chief.
1774
A quick introductory note on Russia’s hybrid war against Ukraine. Russian television schedules hacked to display anti-war message. Phishing campaign distributes Jester Stealer in Ukraine. European Council formally attributes cyberattack on Viasat to Russia. Costa Rica declares a state of emergency as Conti ransomware cripples government sites. DCRat and the C2C markets. The gang behind REvil does indeed seem to be back. More Joker-infested apps found in Google Play. Guest Nick Adams from Differential Ventures discusses what will drive continued growth of cybersecurity beyond attack surfaces and governance from a VC's perspective. Partner Ben Yelin from UMD CHHS on digital privacy concerns in the aftermath of the potential overturn of Roe vs Wade. And Spain’s spyware scandal takes down an intelligence chief. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/90 Selected reading. Ukraine morning briefing: Five developments as Joe Biden warns Vladimir Putin has 'no way out' (The Telegraph) Viewpoint: Putin now faces only different kinds of defeat (BBC News)  Putin's Victory Day speech gives no clue on Ukraine escalation (Reuters)  On Victory Day, Putin defends war on Ukraine as fight against ‘Nazis’ (Washington Post)  In Speech, Putin Shows Reluctance in Demanding Too Much of Russians (New York Times)  Putin's parade shows he "is going to continue at whatever cost" in Ukraine (Newsweek) Russia’s display of military might sent the West a strong message – just not the one Putin intended (The Telegraph) Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages (HackRead)  Russian TV hacked to say ‘blood of Ukrainians is on your hands’ (The Telegraph)  Mass Distribution of Self-Destructing Malware in Ukraine (BankInfoSecurity)  Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)
May 10, 2022
Mixer gets sanctioned. Reward offered for Conti hoods. Ag company hit with ransomware. Hacktivism and cyberattacks in Russia’s hybrid war. That apology? The Kremlin takes it back.
1582
The US Treasury Department sanctions a cryptocurrency mixer. Rewards for Justice is interested in Conti. US tractor manufacturer AGCO was hit by a ransomware attack. Russian hacktivism hits German targets and threatens the UK. A Russian diplomatic account was apparently hijacked. Tracking Cobalt Strike servers used against Ukraine. Dinah Davis from Arctic Wolf defends against DDoS attacks. Rick Howard looks at Single Sign-On. And no apology for you, Mr. Bennett. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/89 Selected reading. U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats (U.S. Department of the Treasury) Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice (United States Department of State) AGCO ransomware attack disrupts tractor sales during U.S. planting season (Reuters) Agricultural equipment maker AGCO reports ransomware attack (The Record by Recorded Future) Russia’s chief diplomat in Scotland condemns Ukraine invasion in social media post (The Telegraph)  Pro-Russian Hackers Hit German Government Sites, Spiegel Says (Bloomberg) Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine (IronNet) Russia tensions with Israel may intensify as Kremlin denies Putin's apology (Newsweek)
May 09, 2022
Amanda Fennell: There's a cyber warrior in all of us [Information] [Career Notes]
543
Chief security officer and chief information officer at Relativity, Amanda Fennell shares her story from archeology to cybersecurity. She shares the path that led her toward becoming an archeologist and how it turned out not to be exactly what she expected. She then shares how she got into the cyber business and how her past has shaped what she's doing now. Describing how she would like to be remembered in the cyber world, she says "I do hope that I left things better than I found them, not just the security of a product or a company, but I believe strongly that every person has a little cyber warrior inside of them." We thank Amanda for sharing her story.
May 08, 2022
Attacking where vulnerable. [Research Saturday]
1034
Tushar Richabadas from Barracuda joins Dave Bittner to discuss their findings detailed in their "Threat Spotlight: Attacks on Log4Shell vulnerabilities." Their research shows the percentage of attackers targeting the vulnerabilities, and shows where the dips and spikes are over the course of the past couple of months. The research has also gathered where the attackers' main IP addresses are located, with 83% of them located in the United States. They break down what this malware can do and how to protect yourself against it. They say "Due to the growing number of vulnerabilities found in web applications, it is getting progressively more complex to protect against attacks." The research can be found here: Threat Spotlight: Attacks on Log4Shell vulnerabilities
May 07, 2022
Victory Day approaches so shields up. Hacktivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Happy Mother’s Day (and stay safe online).
1287
An update on the war in Ukraine as Victory Day approaches. President Lukashenka on the war next door. Hacktivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Another ICS security alert from CISA. Dinah Davis from Arctic Wolf on reflection amplification techniques. Carole Theriault examines zero trust architecture access policies. Happy Mother’s Day (and stay safe online). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/88 Selected reading. Mariupol steel mill battle rages as Ukraine repels attacks (Military Times)  Why the battle for Mariupol is important for Vladimir Putin. (New York Times) A race against time in Ukraine as Russia advances, West sends weapons (Washington Post) The AP Interview: Belarus admits Russia's war 'drags on' (AP NEWS) Russia’s ally Belarus criticises war effort for ‘dragging on’ (The Telegraph) NSA cyber boss seeks to discourage vigilante hacking against Russia (Defense News) Shields Up: Russian Cyberattacks Headed Our Way (JD Supra) Raspberry Robin gets the worm early (Red Canary)  VIP3R: New actor. Old story. Great success. (Menlo Security) Johnson Controls Metasys (CISA)  Top 3 Mother’s Day Scam Sites – Be Smart When Buying Gifts (Trend Micro News)
May 06, 2022
Dateline Moscow, Kyiv, and Minsk: Hacktivism and privateering. Log4j vulnerabilities more widespread than initially thought. US Cyber Command deploys "hunt forward" team to Lithuania.
1435
Hacktivism and privateering in Moscow, Kyiv, and Minsk. Log4j vulnerabilities are more widespread than initially thought. US Cyber Command deployed a "hunt forward" team to Lithuania. CISA adds five vulnerabilities to its Known Exploited Vulnerabilities Catalog. Jen Miller-Osborn from Palo Alto Networks discusses the findings from the Center for Digital Government's survey on Getting Ahead of Ransomware. Grayson Milbourne of Webroot/OpenText discusses OpenText's 2022 BrightCloud Threat Report. And Anonymous leaks emails allegedly belonging to the Nauru Police Force. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/87 Selected reading. Russian ally Belarus launches military quick-response drills (Washington Post) Putin’s Ukraine War: Desperate Belarus dictator strikes back (Atlantic Council) Russian ransomware group claims attack on Bulgarian refugee agency (CyberScoop) Russia and Ukraine Conflict Q&A | Cybersixgill (Cybersixgill) Threat Advisory: New Log4j Exploit Demonstrates a Hidden Blind Spot in the Global Digital Supply Chain (Cequence) Anonymous Leak 82GB of Police Emails Against Australia's Offshore Detention (HackRead)
May 05, 2022
More malware deployed in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks.
1724
An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of "shields up." Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle…. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/86 Selected reading. Update on cyber activity in Eastern Europe (Google)  Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop) Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future) SolarWinds hackers set up phony media outlets to trick targets (CyberScoop)  SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future)  Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat) Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus)  Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason)  Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN)  Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future) The Hermit Kingdom’s Ransomware Play (Trellix) New espionage group is targeting corporate M&A (TechCrunch)  Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek)  UNC3524: Eye Spy on Your Email (Mandiant)  Yokogawa CENTUM and ProSafe-RS (CISA)  Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)
May 04, 2022
Hybrid war and disinfo from the swamp. Stormous hacks on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Notes on ransomware operations.
1448
Russia reroutes Internet traffic in occupied regions of Ukraine through Russian services. The Stormous gang, hacking on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Our guest Chetan Mathur of Next Pathway finds similarities between the cloud industry and the 1849 California Gold Rush. Eldan Ben-Haim of Apiiro on why cybersecurity is largely a culture issue. Notes on ransomware operations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/85 Selected reading. Microsoft sees Russian cyberattacks on Ukraine 'getting more and more disruptive' (Inside Defense)  Sergey Lavrov claims Hitler had 'Jewish blood' (The Telegraph) Lavrov’s anti-Semitic outburst exposes absurdity of Russia’s “Nazi Ukraine” claims (Atlantic Council)  Russia likens Zelensky to Hitler as Mariupol says Russia worse than Nazis (Newsweek)  Russia reroutes internet in occupied Ukrainian territory through Russian telcos (The Record by Recorded Future)  Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine (Trustwave) Zhadnost ‘stamps’ out Ukrainian National Postal Service’s website. (SecurityScorecard)  Industrial cybersecurity researchers, looking for help, go public with unpatched IoT bug (The Record by Recorded Future)  Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk (Nozomi Networks) Chinese "Override Panda" Hackers Resurface With New Espionage Attacks (The Hacker News)  Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector (The Hacker News)  New Black Basta Ransomware Possibly Linked to Conti Group (SecurityWeek)  Experts Analyze Conti and Hive Ransomware Gangs' Chats With Their Victims (The Hacker News)  Conti and Hive ransomware operations: What we learned from these groups' victim chats (Cisco Talos)
May 03, 2022
The future of security validation – what next? [CyberWire-X]
1727
Security executives need visibility into their real cyber risk in real time. But with the flood of vulnerability alerts, how can organizations pinpoint impactful security gaps? To meet this challenge, security teams are shifting to an exploit-centric approach to security validation to expose potential threats from ransomware, leaked credentials, phishing, and more. On this episode of CyberWire-X, we explore how automation can help teams make this shift to prioritize remediation based on bottom-line business impact. Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, discusses the topic with Rick Doten, CISO, Carolina Complete Health and CyberWire Hash Table member, while Dave Bittner, CyberWire podcast host, engages with Sponsor Pentera's Jay Mar-Tang, Sales Engineering Manager for the Americas, about automated security validation.
May 03, 2022
Cyber sabotage and cyberespionage. Updates on Russia’s hybrid war against Ukraine. REvil seems to have returned.
1519
Cable sabotage in France remains under investigation. Spearphishing by Cozy Bear. Widespread and damaging Russian cyberattacks have yet to appear, but criminals find a new field of activity. Hacktivism and privateering. The legal and prudential limits to hacktivism. Applying lessons learned from an earlier cyberwar. Romanian authorities say last week’s DDoS incident was retaliation for Bucharest’s support of Kyiv. Rick Howard is dropping some SBOMs. Carole Theriault reports on virtual kidnappings. REvil seems to be back after all. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/84 Selected reading. How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities (CyberScoop)  Russian hackers compromise embassy emails to target governments (BleepingComputer)  Ukraine's defense applies lessons from a 15-year-old cyberattack on Estonia (NPR)  Feared Russian cyberattacks against US have yet to materialize (C4ISRNet) Hacking Russia was off-limits. The Ukraine war made it a free-for-all. (Washington Post)  A YouTuber is promoting DDoS attacks on Russia — how legal is this? (BleepingComputer) Ukraine’s Digital Fight Goes Global (Foreign Affairs) Romanian government says websites attacked by pro-Russian group (The Record by Recorded Future)  REvil ransomware returns: New malware sample confirms gang is back (BleepingComputer)
May 02, 2022
DevSecOps and securing the container. [CyberWire-X]
1913
The move to cloud has great potential to improve security, but the required process and cultural changes can be daunting. There are a vast number of critical vulnerabilities that make it to production and demand more effective mitigations. Although “shifting security left” should help, organizations are not able to achieve this quickly enough, and “shifting left” does not account for runtime threats. Organizations must strive to improve the prioritization of vulnerabilities to ensure the most dangerous flaws are fixed early. But even then, some risk will be accepted, and a threat detection and response program is required for full security coverage. On this episode of CyberWire-X, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores how to secure your software development lifecycle, how to use a maturity model like BSIMM, where containers fit in that process, and the Sysdig 2022 Cloud-Native Security and Usage report. Joining Rick on this episode are Tom Quinn, CISO at T. Rowe Price and CyberWire Hash Table member, and from episode sponsor Sysdig is their Director of Thought Leadership, Anna Belak, to discuss their experiences and real world data, as well as practical approaches to managing cloud risk.
May 01, 2022
Jon DiMaggio: Two roads diverged. [Strategy] [Career Notes]
529
Chief security strategist at Analyst1, Jon DiMaggio shares the story of how he became a part of the cybersecurity world. He describes the jobs that built the industry knowledge he has today, and he recounts an experience that brought him to a fork in the road, where the decision he made would prove crucial to his career. He explains which way he went and how a critical part of his career helped determine that path. He says, "there's two paths when you have that happen, you can either let it defeat you, or you know, you come back swinging." We thank Jon for sharing his story.
May 01, 2022
Attackers coming in from the Backdoor? [Research Saturday]
1339
Vikram Thakur of the Symantec Threat Hunter team joins Dave Bittner to discuss their work on Daxin, which Symantec describes as the most advanced piece of malware its researchers have seen from China-linked actors. Symantec said "There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 by attackers linked to China." They go on to explain how Daxin is used to target organizations and governments of strategic interest to China, and how those agencies can protect themselves. The research can be found here: Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks
Apr 30, 2022
Cyber phases of a hybrid war. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous claims. A Declaration for the Future of the Internet.
1566
Russian and Ukrainian operators exchange cyberattacks. Wiper malware: contained, but a potentially resurgent threat. #OpRussia update. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous breach claims. CISA issues two new ICS advisories. Caleb Barlow on cleaning up the digital exhaust of your home. Our guests are Freddy Dezeure and George Webster on reporting cyber risk to boards. A Declaration for the Future of the Internet. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/83 Selected reading. Russian missiles bombard Kyiv during UN chief’s visit (The Telegraph)  Zelenskiy urges ‘strong response’ after Russia strikes Kyiv during UN Ukraine visit (the Guardian)  Anonymous hacked Russian PSCB Commercial Bank and companies in the energy sector (Security Affairs)  Ongoing DDoS attacks from compromised sites hit Ukraine (Security Affairs)  Ukraine’s Digital Battle With Russia Isn’t Going as Expected (Wired)  CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine (CISA)  Government and researchers keep US attention on Russia's cyber activity in Ukraine (The Record by Recorded Future)  CISA Adds New Russian Malware to Cyber Advisory (Nextgov)  An Overview of the Increasing Wiper Malware Threat (Fortinet Blog)  Cyber Attacks Hit Romanian Government Websites (Balkan Insight)  More than $13 million stolen from DeFi platform Deus Finance (The Record by Recorded Future)  Coca-Cola Investigates Hacking Claim (Wall Street Journal)  Coca-Cola investigating data breach claims by Stormous group (Computing)  Has 'clown show' hacking gang Stormous really breached Coca-Cola? (Tech Monitor)  Delta Electronics DIAEnergie (CISA)  Johnson Controls Metasys (CISA)  A Declaration for the Future of the Internet (The White House)  FACT SHEET: United States and 60 Global Partners Launch Declaration for the Future of the Internet (The White House)  US joins 55 nations to set rules for internet, with eye on China and Russia (South China Morning Post) China, India, Russia missing from future of internet pledge by US, EU, and 33 others (ZDNet)  US, partners launch plan for 'future' of internet, as China, Russia use 'dangerous' malign practices (Fox News)  U.S. joins 55 nations to set new global rules for the internet (Reuters) Reporting Cyber Risk to Boards. Board Edition. Reporting Cyber Risk to Boards. CISO Edition.
Apr 29, 2022
Russia and Ukraine trade cyberattacks. Chinese intelligence services look at Russian targets. Five Eyes advise on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Name that mascot.
1466
Microsoft summarizes the scale of Russian cyberattacks against Ukraine. Russian cyber capabilities should be neither overestimated nor underestimated. Russia has also come under cyberattack during its hybrid war. Chinese intelligence services are paying close attention to Russian targets. The Five Eyes advise us on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Linda Gray-Martin and Britta Glade from RSA discuss what’s new at RSAC and cybersecurity trends. Marc van Zadelhoff of Devo talks about their new podcast Cyber CEOs Decoded coming to the CyberWire network. And, hey kids, name that mascot. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/82 Selected reading. Special Report: Ukraine (Microsoft)  Russian Cyber Capabilities Have ‘Reached Their Full Potential,’ Ukrainian Official Says (Wall Street Journal)  Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload (Nozomi Networks)  Russia Is Being Hacked at an Unprecedented Scale (Wired) BRONZE PRESIDENT targets Russian speakers with updated PlugX - Blog (Secureworks) CISA, FBI, NSA, and International Partners Warn Organizations of Top Routinely Exploited Vulnerabilities (National Security Agency/Central Security Service)  The Air Force is trusting the internet to name its ridiculous new cybersecurity mascot (Task & Purpose)
Apr 28, 2022
Russian privateering continues. Stonefly is straight out of Pyongyang, and the Lazarus Group has never really left. Foggy Bottom seeks (Russian) snitches.
1377
Heard on the Baltimore waterfront. Privateering against Western brands. An update on sanctions and counter sanctions. Stonefly, straight outta Pyongyang. Lazarus is also back (and not in the good way). Richard Hummel from NETSCOUT discusses their bi-annual Threat Intel Report. Jon DiMaggio from Analyst1 joins us to discuss his new book, “The Art of Cyberwarfare - An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime.” And the US Department of State has added six Russian GRU officers to its Rewards for Justice program. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/81 Selected reading. Britain says Ukraine controls majority of its airspace (Reuters)  Latest strikes on Russia hint daring Ukraine is not intimidated by the Kremlin (The Telegraph)  West gearing up to help Ukraine for ‘long haul’, says US defence secretary (the Guardian)  U.S., allies promise to keep backing Ukraine in its war with Russia (Washington Post)  Russia-linked hackers claim to have breached Coca-Cola Company (CyberNews) Stormous ransomware gang claims to have hacked Coca-Cola (Security Affairs)  Chinese drone-maker DJI quits Russia and Ukraine (Register)  Russia to Cut Gas to Poland and Bulgaria, Making Energy a Weapon (Bloomberg)  Russia cuts off gas to Poland, Bulgaria, stoking tensions with E.U. over Ukraine (Washington Post)  Why Russia’s Economy Is Holding On (Foreign Policy)  Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets (Symantec) A "Naver"-ending game of Lazarus APT (Zscaler) U.S. offers $10 mln reward for information on Russian intelligence officers -State Dept (Reuters) US offering $10 million for info on Russian military hackers accused of NotPetya attacks (The Record by Recorded Future)  Rewards for Justice – Reward Offer for Information on Russian Military Intelligence Officers Conducting Malicious Activity Against U.S. Critical Infrastructure (United States Department of State)
Apr 27, 2022
Diplomacy and hybrid war. Heightened cyber tension as Quds Day approaches. Conti in Costa Rica. North Korean cyber operators target journalists. C2C notes. A guilty plea in a cyberstalking case.
1694
Heightened cyber tension as Quds Day approaches. A Costa Rican electrical utility suffers from Conti ransomware. Emotet’s operators seem to be exploring new possibilities. North Korean cyber operators target journalists who cover the DPRK. A guilty plea in a strange case of corporate-connected cyberstalking. Ben Yelin ponders the potential Twitter takeover. Mr. Security Answer Person John Pescatore addresses questions about vendors. And cybercrime, run like a business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/80 Selected reading. Russia’s invasion of Ukraine: List of key events from day 62 (Al Jazeera)  Ukraine takes war behind enemy lines as Russian fuel depots set ablaze (The Telegraph)  Russia pounds eastern Ukraine as West promises Kyiv new arms (AP NEWS)  Finland, Sweden to begin NATO application in May, say local media reports (Reuters)  ‘Thanks, Putin’: Finnish and Swedish Lawmakers Aim for NATO Membership (Foreign Policy)  World War Three now a 'real' danger, Russian foreign minister Sergei Lavrov warns (The Telegraph)  Moscow cites risk of nuclear war as U.S., allies pledge heavier arms for Ukraine (Reuters)  Russia Warns of Nuclear War Risk as Ukraine Talks Go On (Bloomberg)  From Jordan to Japan: US invites 14 non-NATO nations to Ukraine defense summit (Breaking Defense) State TV says Iran foiled cyberattacks on public services (AP NEWS) State TV Says Iran Foiled Cyberattacks on Public Services (SecurityWeek) Iranian hackers claim they’ve hit the Bank of Israel - but ‘no proof,’ cyber authority says (Haaretz) North Korean hackers targeting journalists with novel malware (BleepingComputer) The ink-stained trail of GOLDBACKDOOR (Stairwell) Conti ransomware cripples systems of electricity manager in Costa Rican town (The Record by Recorded Future)  Emotet Tests New Delivery Techniques (Proofpoint)  Ex-eBay exec pleads guilty to harassing couple whose newsletter raised ire (Reuters) Mastermind of Natick couple’s harassment pleads guilty (Boston Globe)  Former eBay Executive Pleads Guilty to His Role in Cyberstalking Campaign (US Department of Justice)  Cybercriminals offer malware free of charge (IT-Markt)
Apr 26, 2022
Swapping small attacks in cyberspace. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. No farms, no future. Locked Shields wraps up.
1403
Anonymous counts coup with their #OpRussia campaign. Alternative energy suppliers in Europe sustain cyberattacks. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. Rick Howard hits the history books. Our guest is Paul Giorgi of XM Cyber with a look at multi-cloud hopping. Locked Shields wraps up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/79 Selected reading. Ukraine's Postal Service DDOS'd After Printing Moskova Stamps (Gizmodo)  Since declaring cyber war on Russia Anonymous leaked 5.8 TB of Russian data (Security Affairs) European Wind-Energy Sector Hit in Wave of Hacks (Wall Street Journal)  Schneider Electric says no evidence that Incontroller/Pipedream malware exploits vulnerabilities (MarketScreener)  Aid groups helping Ukraine face both cyber and physical threats (CNN)  Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code (KrebsOnSecurity)  Lapsus$ hackers breached T-Mobile’s systems and stole its source code (The Verge) Lapsus$ hackers targeted T-Mobile (TechCrunch) FBI Warns of Targeted Cyberattacks on Food Plants Amid Heightened Coverage of Fires (NTD)  Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons (IC3)  Cyberattack causes chaos in Costa Rica government systems (ABC News)  Finland wins NATO cyber defense competition (C4ISRNet)
Apr 25, 2022
Danielle Jablanski: Finding the path to success [Strategy] [Career Notes]
531
Operational technology cybersecurity strategist at Nozomi Networks, Danielle Jablanski shares how she built a target map to end up where she is today, from her start in college through the different paths that led her there. She says "you build out that kind of target of where you want to be, and understand that getting to that point might mean doing things you don't enjoy for a number of years, but figuring that out is another way to get to that target without having like a clear bullseye." She goes on to explain how this target map is helping her create real change and, ultimately, make an impact. We thank Danielle for sharing her story.
Apr 24, 2022
BABYSHARK is swimming again! [Research Saturday]
2220
John Hammond from Huntress joins Dave Bittner on this episode to discuss the malware known as BABYSHARK and how it is out for blood once again. Huntress's research says "This activity aligns with known tradecraft attributed to North Korean threat actors targeting national security think tanks." Huntress adds that the activity was spotted on February 16th, and their ThreatOps team immediately began following the trail of breadcrumbs. They said "This led them to uncover the malware that was set to target specifically this organization–and certain influential individuals within it." The research can be found here: Targeted APT Activity: BABYSHARK Is Out for Blood
Apr 23, 2022
The cyber phases of Russia's war against Ukraine. Sanctions and the criminal underworld. Conti’s fortunes. More_eggs resurfaces. BlackCat ransomware warning.
1804
A look at Russian malware used against Ukrainian targets. Actual and potential targets harden themselves against Russian cyberattacks. Sanctions and the criminal underworld. Conti’s fortunes. A credential stealer resurfaces in corporate networks. BlackCat ransomware warning. Tomer Bar from SafeBreach discusses MuddyWater. Dr. Christopher Emdin previews his new book STEM, STEAM, Make, Dream. CISA releases three more ICS security advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/78 Selected reading. Russia outlines when Ukraine war will end (Newsweek)  Russia racing against clock to win Ukraine war before May 9 'Victory Day' (Newsweek)  A deeper look at the malware being used on Ukrainian targets (The Record by Recorded Future) Ukraine ramps up cyber defences to slow surge in attacks (The Straits Times) Five Eyes Alert Warns of Heightened Risk of Russian Cyber Attacks (Bloomberg)  Preparing for Energy Industry Cyberattacks (Wall Street Journal) US sets dangerous precedents in cyberspace (Global Times)  Russia’s War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here’s How They’re Adapting (Flashpoint)  U.S. Treasury Designates Facilitators of Russian Sanctions Evasion (U.S. Department of the Treasury) Russia says nyet, sanctions Mark Zuckerberg, LinkedIn’s Roslansky, VP Harris and other US leaders (TechCrunch)  GOLD ULRICK continues Conti operations despite public disclosures (Secureworks)  Costa Rica's Alvarado says cyber​​attacks seek to destabilize country as government transitions (Reuters) Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire (eSentire)  BlackCat/ALPHV Ransomware Indicators of Compromise (IC3)  FBI: BlackCat ransomware breached at least 60 entities worldwide (BleepingComputer)  Delta Electronics ASDA-Soft (CISA)  Johnson Controls Metasys SCT Pro (CISA)  Hitachi Energy MicroSCADA Pro/X SYS600 (CISA) 
Apr 22, 2022
Renewed Five Eyes’ warning about potential Russian cyberattacks. FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business.
1323
A renewed Five Eyes’ warning about potential Russian cyberattacks. The FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business. Carole Theriault shares insights on bug bounty programs. Our own Rick Howard checks in with Zack Barack from Coralogix on where things stand with XDR. And beware of threats of Facebook account suspension. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/77 Selected reading. Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure  US and allies warn of Russian hacking threat to critical infrastructure  REvil's TOR sites come alive to redirect to new ransomware operation  FBI Warns of Ransomware Attacks on Farming Co-ops During Planting, Harvest Seasons  Phishing Site on Facebook Domain Used to Steal Credentials
Apr 21, 2022
Updates on Russia’s hybrid war. Pegasus spyware in the service of espionage. CISA issues alerts and vulnerability warnings. C2C markets. Extradition for Assange? A guilty plea in a US cyberstalking case.
1563
A Shuckworm update. Pegasus spyware found in UK government officials’ phones. CISA issues six ICS security alerts and adds three entries to its Known Exploited Vulnerabilities Catalog. Gangs succeed when criminals run them like a business. Julian Assange moves closer to extradition to the US. Tim Eades from Cyber Mentor Fund on cyber valuations. Our guest is Wes Mullins from deepwatch discussing adversary simulations. And a guilty plea in a high-profile cyberstalking case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/76 Selected reading. Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine  UK Government Reportedly Infected With NSO Group Spyware  ‘CatalanGate’ Spyware Infections Tied to NSO Group  Pegasus Spyware and Citizen Surveillance: What You Need to Know  Julian Assange extradition order issued by London court, moving WikiLeaks founder closer to US transfer  Former eBay executive to plead guilty to cyberstalking campaign targeting couple
Apr 20, 2022
In a hybrid war, it’s about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for wallets (and other blockchained valuables). Emotet really likes those malicious macros.
1461
In a hybrid war, sometimes it’s about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for crypto wallets (and your NFTs, and other blockchained valuables). Emotet really likes those malicious macros. Joe Carrigan looks at prompt bombing. Bec McKeown from Immersive Labs explains human cyber capabilities. And it’s our anniversary this week: celebrate with us. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/75 Selected reading. Ukraine Update: Zelenskiy Says Battle for Donbas Has Begun (Bloomberg)  Ukraine at D+50: Russian reconstitution continues as shields stay up for ICS attacks. (The CyberWire) Military intel chief believes Russia not to achieve any wins in Ukraine by Easter as Kremlin wishes (Ukrinform) Ukraine War Divides Orthodox Faithful (New York Times)  US officials ramp up warnings about Russian cyberattacks (The Hill)  NATO Plays Cyberwar to Prep for a Real Russian Attack (Gizmodo)  FS-ISAC Leads Financial Sector in Global Live-Fire Cyber Exercise Locked Shields (PR Newswire)  If anyone understands Russian cyber dangers, it's Estonia's former president (Washington Post) North Korean State-Sponsored APT Targets Blockchain Companies (CISA)   TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (CISA)  US warns of Lazarus hackers using malicious cryptocurrency apps (BleepingComputer)  Trends in the Recent Emotet Maldoc Outbreak | FortiGuard Labs (Fortinet Blog)
Apr 19, 2022
Nuisance-level cyber ops in a hybrid war. “CatalanGate.” Industrial Spy caters to victims’ competitors? Conti chatter. $5 million reward for info on DPRK ops. Exercise Locked Shields.
1520
Nuisance-level cyberattacks continue on both sides of Russia’s hybrid war against Ukraine. Face-saving disinformation. “CatalanGate.” Industrial Spy says it caters to its victims’ competitors. More on what’s been learned from Conti’s leaked chatter. Rewards for Justice offers $5 million for tips on DPRK cyber ops. Awais Rashid on supply chain risk management. Our guest is Jack Chapman from Egress to discuss a 232% increase in LinkedIn phishing attacks. And Exercise Locked Shields begins tomorrow. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/74 Selected reading. Occupants send computer viruses allegedly on behalf of SBU (Interfax-Ukraine) Ransomware groups go after a new target: Russian organizations (The Record by Recorded Future). Currency.com Targeted in Failed Cyber-Attack (Accesswire)  Russia says missile attacks on Kyiv will increase (Military Times)  Film and photos appear to show Russian cruiser Moskva shortly before it sank (the Guardian) CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru (The Citizen Lab) New Industrial Spy stolen data market promoted through cracks, adware (BleepingComputer)  Event Overview: CONTI Leaks 2022 (BlueVoyant) U.S. offers $5 million for info on North Korean cyber operators (The Record by Recorded Future)  North Korea: Up to $5 Million Reward (US State Department) World´s Largest International Live-Fire Cyber Exercise launches in Tallinn (CCDCOE) 
Apr 18, 2022
Satya Gupta: Rising to your contribution. [CTO] [Career Notes]
565
Co-founder and CTO of Virsec, Satya Gupta shares the story behind his more than 25 years of expertise in embedded systems, network security and systems architecture. He also recalls something a colleague told him that resonated with him: "that was really a remarkable statement that I heard from that person. You rise to the point where you can actually contribute." He also discusses how he got into the startup world and how different turns in his life led him to the success he has achieved in the cyber community. We thank Satya for sharing his story.
Apr 17, 2022
CyberWire Live: Hack the Port 2022 Fireside chat. [Special Edition]
2325
At the Hack the Port 2022 event, the CyberWire held a CyberWire Live event. CyberWire Daily Podcast host Dave Bittner was joined by Roya Gordon, OT/IoT Security Research Evangelist at Nozomi Networks, and Christian Lees, CTO at Resecurity. During this fireside chat format session, Dave and our guests discussed ICS, OT cybersecurity, the role of security research and demos, supply chain compromise, and IT/OT security trends among other things. Thanks to the team at MISI/DreamPort for this opportunity.
Apr 17, 2022
A fight to defend Taiwan financial institutions. [Research Saturday]
1154
Alan Neville from Symantec/Broadcom joins Dave Bittner on this episode to discuss Antlion, a Chinese state-backed hacker group that is using custom backdoors to target financial institutions in Taiwan. Symantec's blog shares the research behind the attacks and how the backdoor allowed the attackers to run WMI commands remotely. Symantec's research showed that "The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks." The campaign has been running over the past 18 months, with the attackers spending roughly 250 days inside a financial organization and around 175 days inside a manufacturing organization. The research can be found here: Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan
Apr 16, 2022
Further developments in Russia’s hybrid war. Conti claims responsibility for the Nordex hack. Lazarus Group heist. Indictments in influence ops case.
1440
Further developments in the Incontroller/Pipedream industrial control system threat. Conti claims responsibility for the Nordex hack. The half-a-billion stolen from Ronin went to the Lazarus Group. And indictments in an influence ops case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/73 Selected reading. Ukraine war: Russia threatens to step up attacks on Kyiv (BBC News)  Live Updates: Russia Sets Stage for Battle to Control Ukraine’s East (New York Times) Russian Troops Risk Repeating Blunders If They Try for May 9 Win (Bloomberg)  Why Putin may be aiming to declare victory over Ukraine on May 9 (Fortune)  What Victory Day means for Russian identity (Washington Post)  Spy games: expulsion of diplomats shines light on Russian espionage (the Guardian) Finland and Sweden pursue unlinked NATO membership (Defense News) What Finland Can Offer NATO (Foreign Policy) U.S. warns energy firms of a rapidly advancing hacking threat (E&E News)  Wind turbine firm Nordex hit by Conti ransomware attack (BleepingComputer)  Karakurt revealed as data extortion arm of Conti cybercrime syndicate (BleepingComputer) Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team (Infinitum) US agency attributes $540 million Ronin hack to North Korean APT group (The Record by Recorded Future) North Korea Designation Update (U.S. Department of the Treasury)  Russian legislator, staff accused of trying to influence US lawmakers: DOJ (Newsweek)  Russian Legislator and Two Staff Members Charged with Conspiring to Have U.S. Citizen Act as an Illegal Agent of the Russian Government in the United States (US Department of Justice)
Apr 15, 2022
A nation-state threat actor targets industrial systems. It’s hard to recover from a threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin is back. Conti runs like a business.
1387
A nation-state threat actor (probably Russian) targets industrial systems. A quick look at the GRU's earlier attempt against Ukraine's power grid. The difficulty of recovering from a credible threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin speaks Russian, and it holds Russian companies for ransom. Carole Theriault looks at research on lie detection. Josh Ray from Accenture drops some SBOMs. And another look at the privateers in the Conti gang. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/72 Selected reading. Ukraine Update: U.S., EU to Send More Arms; Warship Damaged (Bloomberg)  INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems (Mandiant). PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments | Dragos (Dragos)  APT Cyber Tools Targeting ICS/SCADA Devices (CISA)  U.S. warns newly discovered malware could sabotage energy plants (Washington Post)  Industroyer2 Targets Ukraine’s Electric Grid: Here’s How Companies Can Stay Protected and Resilient (Nozomi Networks) Wind Turbine Giant Nordex Hit By Cyber-Attack (Infosecurity Magazine) Lazarus Targets Chemical Sector (Symantec) Old Gremlins, new methods (Group-IB) Leaked documents show notorious ransomware group has an HR department, performance reviews and an 'employee of the month' (CNBC)
Apr 14, 2022
Powergrid attacks, DDoS, and doxing in a hybrid war. Notes on botnets, and a threat actor changes its phish hooks. Patch Tuesday. Sentence passed in a sanctions evasion case.
1547
Industroyer2 and Ukraine's power grid. More on last week's distributed denial-of-service attack against Finland. Anonymous claims to have doxed Russia's Ministry of Culture. Hafnium gets evasive. Enemybot is under development but worth keeping an eye on. Changing the phish hook. Patch Tuesday notes. Tim Eades from Cyber Mentor Fund on digital & security transformations. Our guest is Aaron Shilts from NetSPI on proactive public-private sector security collaboration. Sanctions evasion is serious business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/71 Selected reading. Why Russia’s Cyber Warriors Haven't Crippled Ukraine (The National Interest) In Ukraine, a ‘Full-Scale Cyberwar’ Emerges (Wall Street Journal)  Russian hackers tried to bring down Ukraine’s power grid to help the invasion (MIT Technology Review)  Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine (Wired) Ukraine Thwarts Cyberattack on Electric Grid, Officials Say (Wall Street Journal)  Zhadnost strikes again… this time in Finland. (SecurityScorecard) Anonymous Hits Russian Ministry of Culture- Leaks 446GB of Data (HackRead)  Tarrask malware uses scheduled tasks for defense evasion (Microsoft Security Blog)  Enemybot: A Look into Keksec's Latest DDoS Botnet (Fortinet Blog)  Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene (ZDNet)  Qbot malware switches to new Windows Installer infection vector (BleepingComputer)  Microsoft Releases April 2022 Security Updates (CISA) Google Releases Security Updates for Chrome (CISA)  Citrix Releases Security Updates for Multiple Products (CISA) Apache Releases Security Advisory for Struts 2 (CISA)  Valmet DNA (CISA)  Mitsubishi Electric MELSEC-Q Series C Controller Module (CISA)  Inductive Automation Ignition (CISA)  Mitsubishi Electric GT25-WLAN (CISA)  Aethon TUG Home Base Server (CISA)  U.S. crypto researcher sentenced to five years for helping North Korea evade sanctions (Reuters)
Apr 13, 2022
Cyber takes point in a hybrid war. Medical robot vulnerabilities remediated. A Cyber Civil Defense for the US? Europol leads the takedown of RaidForums.
1629
GRU deploys Industroyer2 against the Ukrainian energy sector. NB65 counts coup against Roscosmos. Anonymous doxes three more Russian companies. President Putin purges the FSB’s Fifth Service. CISA warns of an exploited firewall vulnerability. Medical robots’ vulnerabilities are remediated. A Cyber Civil Defense effort in the US. Ben Yelin on newly passed cyber legislation. Our guest is Chase Snyder from ExtraHop to discuss their recent Cyber Confidence Index. And good riddance to RaidForums. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/70 Selected reading. Russia’s Reset (New York Times) Russia will not pause military operation in Ukraine for peace talks (Reuters)  Industroyer2: Industroyer reloaded | WeLiveSecurity (WeLiveSecurity) CERT-UA warns of large-scale cyber attack on energy sector (Interfax-Ukraine) Russia's space programme hit by western cyber attack (The Telegraph) Anonymous Hits 3 Russian Entities, Leaks 400 GB Worth of Emails (HackRead)  Russia’s Ukraine Propaganda Has Turned Fully Genocidal (Foreign Policy)  Russia-Ukraine latest news: Vladimir Putin vows ‘clear and noble’ aims of Russian invasion will be achieved (The Telegraph) CISA warns orgs of WatchGuard bug exploited by Russian state hackers (BleepingComputer) CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA)  Cynerio Discovers and Discloses JekyllBot:5, a Series of Critical Zero-Day Vulnerabilities Allowing Attackers to Remotely Control Hospital Robots (Cynerio) Craig Newmark Philanthropies Pledges $50 Million to Cyber Civil Defense (Global Cyber Alliance) 
Apr 12, 2022
Cyber skirmishing as Russia redeploys in Ukraine. Spyware in senior EC official’s device. Sharkbot-infested apps ejected from Google Play. Advice from CISA.
1524
US National Security Advisor says atrocities were part of Russia's plan. Russian commanders seek to keep troops away from dangerous sections of the Internet. Cyberattacks in Finland may be a shot across Helsinki's bow. CERT-UA warns of a phishing campaign. Hacktivists hit Russian organizations. Mixed reviews for US preemptive measures against GRU botnets. Sharkbot-infested apps ejected from Google Play. Johannes Ullrich from SANS on malicious ISO files embedded in HTML. Our guest is Neal Dennis from Cyware on threat intel sharing with members of Auto-ISAC. What you should do when your Shields are Up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/69 Selected reading. Russia Shuffles Command in Ukraine as Thousands Flee the East (New York Times)  Sullivan: Intel indicates plan from ‘highest levels’ of Russian government to target civilians (The Hill)  Russian soldiers banned from social media as ‘uncomfortable truths’ drain their morale (The Telegraph)  West Seeks to Pierce Russia’s Digital Iron Curtain (Foreign Policy) YouTube blocks Russian parliament channel, drawing ire from officials (Reuters)  U.S. quietly paying millions to send Starlink terminals to Ukraine, contrary to SpaceX claims (Washington Post) Hackers use Conti's leaked ransomware to attack Russian companies (BleepingComputer)  State Service of Special Communications and Information Protection of Ukraine (GUR) How Russia's Invasion Triggered a US Crackdown on Its Hackers (Wired) The U.S. Opens a Risky New Front in Cyberdefense (Bloomberg)  Meet the 1,300 librarians racing to back up Ukraine’s digital archives (Washington Post)  The Race to Save Posts That May Prove Russian War Crimes (Wired)  Exclusive: Senior EU officials were targeted with Israeli spyware (Reuters)  SharkBot Android Malware Continues Popping Up on Google Play (SecurityWeek)  SharkBot Banking Trojan spreads through fake AV apps on Google Play (Security Affairs)  Sharing Cyber Event Information: Observe, Act, Report (CISA)
Apr 11, 2022
SolarWinds through a first principle lens. [CSO Perspectives]
1281
Enjoy this sample of CSO Perspectives, a CyberWire Pro podcast. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more. On this episode, host Rick Howard discusses whether the first principles strategies would have prevented material impact in a real-world incident such as the SolarWinds supply-chain attack. Previous episodes referenced: S1E6: 11 MAY: Cybersecurity First Principles S1E7: 18 MAY: Cybersecurity first principles: zero trust S1E8: 26 MAY: Cybersecurity first principles: intrusion kill chains. S1E9: 01 JUN: Cybersecurity first principles - resilience S1E11: 15 JUN: Cybersecurity first principles - risk S2E3: 03 AUG: Incident response: a first principle idea. S2E4: 10 AUG: Incident response: around the Hash Table.  S2E7: 31 AUG: Identity Management: a first principle idea. S2E8: 07 SEP: Identity Management: around the Hash Table. Other resources: “A BRIEF HISTORY OF SUPPLY CHAIN ATTACKS,” by Secarma, 1 September 2018. “Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers,” by 365 Defender Research Team and the Threat Intelligence Center (MSTIC), Microsoft, 18 December 2020. “A Timeline Perspective of the SolarStorm Supply-Chain Attack,” by Unit 42, Palo Alto Networks, 23 December 2020. “Cobalt Strike,” by MALPEDIA. “Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon,” by Kim Zetter, Published by Crown, 3 June 2014. “Cybersecurity Canon,” by Ohio State University. “FireEye shares jump back to pre-hack levels,” Melissa Lee, CNBC, 23 December 2020. "Implementing Intrusion Kill Chain Strategies by Creating Defensive Campaign Adversary Playbooks," by Rick Howard, Ryan Olson, and Deirdre Beard (Editor), The Cyber Defense Review, Fall 2020. “Orion Platform,” by SolarWinds. “Sandworm: A New Era of Cyberwar and the Hunt for the Kremlin's Most Dangerous Hackers,” by Andy Greenberg, Published by Doubleday, 7 May 2019.  
“Solarstorm,” by Unit 42, Palo Alto Networks, 23 December 2020. “The Cybersecurity Canon: Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon,” by Rick Howard, The Cybersecurity Canon Project, 28 January 2015. “Using Microsoft 365 Defender to protect against Solorigate,” by the Microsoft 365 Defender Team, 28 December 2020.
Apr 11, 2022
Chenxi Wang: Overcoming the obstacle of fear. [Venture Capital] [Career Notes]
562
Founder and general partner of Rain Capital, Chenxi Wang shares her story and how she overcame the obstacle of fear to reach her goals in life. "I realized a lot of times my obstacle is my own fear rather than a real obstacle," Wang states. She also describes breaking glass ceilings as a female founder and working in the field of cybersecurity. She hopes to be remembered for being a kind person and for building her own venture fund, and as she recounts her path to the top she explains what she does and how she got to where she is today. We thank Chenxi for sharing her story.
Apr 10, 2022
The secrets behind Docker. [Research Saturday]
1314
Alon Zahavi from CyberArk joins Dave Bittner on this episode to discuss CyberArk research published in conjunction with Patch Tuesday. CyberArk described how Docker images inadvertently introduced a new vulnerability and what happens when it is exploited. The research concluded that an attacker could execute files carrying file capabilities, or setuid files, to escalate their privileges up to root. CyberArk found the vulnerability in some of Microsoft’s Docker images, caused by misuse of Linux capabilities, an additional layer of security that lets administrators assign specific privileges to processes and files rather than granting full root. The research can be found here: How Docker Made Me More Capable and the Host Less Secure
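The two escalation paths the episode describes, setuid binaries and binaries carrying file capabilities, can both be found by walking the container's filesystem. The script below is an added example written for this page; it is not CyberArk's code and does not reproduce the specific images or binaries their research names. It assumes GNU or busybox `find`, and uses `getcap` (from libcap) only if it is installed; the image name in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example: audit a filesystem tree for privilege-escalation candidates,
# i.e. setuid/setgid files and files that carry Linux file capabilities.
# Typical use inside an image under review (IMAGE is a placeholder):
#   docker run --rm --entrypoint sh IMAGE -c "$(cat audit_caps.sh); audit_tree /"

# Print setuid or setgid regular files under the directory given as $1,
# one path per line. -xdev keeps the walk on one filesystem so bind mounts
# and /proc are not scanned.
find_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Print files under $1 that carry file capabilities, as "<path> <caps>" lines.
# getcap comes from libcap and is not in every image; output is empty if it
# is missing, so treat an empty result as "unknown" rather than "clean".
find_filecaps() {
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    fi
}

# Combined report. Exit status is 0 when nothing was found and 1 otherwise,
# so the function can gate an image-build pipeline step.
audit_tree() {
    suid=$(find_suid "$1")
    caps=$(find_filecaps "$1")
    [ -n "$suid" ] && printf 'setuid/setgid files:\n%s\n' "$suid"
    [ -n "$caps" ] && printf 'files with capabilities:\n%s\n' "$caps"
    [ -z "$suid" ] && [ -z "$caps" ]
}
```

A finding from `audit_tree` is not automatically a vulnerability; `sudo`, `su` and `ping` are setuid or capability-bearing by design in many base images. The question to ask is whether an unprivileged process in that container can reach the file and whether the image actually needs it. Where it does not, remove the bit or the capability at build time, and run the container with `--security-opt no-new-privileges`, which makes the kernel ignore setuid bits and file capabilities on exec and so blunts exactly this escalation path.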
Apr 09, 2022
Disinformation in Russia’s war of aggression. Correlating overhead imagery and radio intercepts. Taking down state-sponsored cyber ops. Threats to power grids.
1448
Russian disinformation in its war against Ukraine. Overhead imagery and electronic intercepts suggest that Russian atrocities are matters of policy and strategy. Microsoft disrupts GRU cyber operations. Facebook takes down Iranian coordinated inauthenticity. India’s Power Ministry says it stopped a Chinese cyberattack. Dave Dufour from Webroot on evolving attack mechanisms. Our guest is Dan Petro of Bishop Fox with a warning for document redaction. Grid security and the value of exercises. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/68 Selected reading. Putin’s ‘probably given up’ on Kyiv as Ukraine war enters new phase (Defense News)  Ukraine says 39 killed in rocket strike on rail evacuation hub (Reuters) Russian rocket attack on Kramatorsk train station kills dozens—Ukraine (Newsweek)  Possible Evidence of Russian Atrocities: German Intelligence Intercepts Radio Traffic Discussing the Murder of Civilians in Bucha (Der Spiegel) Germany intercepts Russian talk of indiscriminate killings in Ukraine (Washington Post)  Microsoft says it disrupted Russian cyberattacks targeting Ukraine, West (The Hill) Disrupting cyberattacks targeting Ukraine - Microsoft On the Issues (Microsoft On the Issues)  GridEx VI Lessons Learned Report (NERC) Power Grid Stress Test Finds Low-Tech Needs for High-Tech Problems (Wall Street Journal)  Dire grid hacking scenario sparked “shields up” approach to Russian threat (Medium)
Apr 08, 2022
Blocking and tackling in the cyber phases of Russia’s hybrid war against Ukraine. Info-harvesting SDK. Recon into a power grid. Hydra Market indictment. Catphishing. Advance fee scams with a new twist.
1695
An update on US cyber defensive operations and the war in Ukraine. You can’t tell your oligarchs without a scorecard. Google ejects data-harvesting apps from Play. China preps the cyber battlespace against India’s power grid. More moves against Hydra Market. Bearded Barbie’s catphishing. Betsy Carmelite from BAH on a blueprint for achieving a secure and resilient dot gov. Our guest is Padraic O'Reilly from CyberSaint with a fresh look at ransomware. And your majesty, meet this here dissident, who also needs to move money for the best of reasons…. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/67 Selected reading. Pentagon: Russia has fully withdrawn from Kyiv, Chernihiv (Washington Post)  Zelenskyy tells UN: Act now on Russia or dissolve yourself altogether (Atlantic Council)  DoJ takes down Russian botnet that targeted WatchGuard and Asus routers (ZDNet)  FBI Disables "Cyclops Blink" Botnet Controlled by Russian Intelligence Agency (SecurityWeek)  Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) (US Department of Justice)  Adversarial Threat Report (Meta) Facebook cracks down on covert influence networks targeting Ukraine (Washington Post) Russian-backed hackers broke into Facebook accounts of Ukrainian military officials (CBS News)  Britain slaps sanctions on Russia’s biggest bank  (The Telegraph)  Russia hit with new round of U.S. sanctions as Biden decries 'major war crimes' (Reuters)  U.S. to Sanction Putin Children, Banks Over Bucha Atrocities (Bloomberg) The Forbes Ultimate Guide To Russian Oligarchs (Forbes)  Suspected Chinese Hackers Collect Intelligence From India’s Grid (Bloomberg)  Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (Recorded Future)  Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials (Cybereason)  Google Bans Apps With Hidden Data-Harvesting Software (Wall Street Journal) The Nigerian Prince Scam, with a Russian Twist (Avanan)
Apr 07, 2022
Fire and cyber in Ukraine. Stone Panda (Cicada, APT10) expands its interests. Bogus e-commerce sites harvest banking credentials. Advice and guidance from CISA
1532
There’s a maneuver lull in Russia’s hybrid war against Ukraine, but fire and cyber ops continue. The US provides cyber assistance to Ukraine. The Cicada call of Stone Panda. Phony e-commerce sites seek to harvest banking credentials. CISA offers some advice and some guidance. Hydra Market sanctioned. Awais Rashid from Bristol University on anonymous communication systems. Our guest is Armaan Mahbod of DTEX Systems with a look at supermalicious insiders. And the most popular password is... For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/66 Selected reading. Russian military ‘weeks’ from being ready for new push as war takes its toll (The Telegraph) Russia's failure to take down Kyiv was a defeat for the ages (AP NEWS) U.S. Cyber Command providing cyber expertise and intelligence in Ukraine's fight against Russia (FedScoop)  Cyber Command chief: U.S. has 'stepped up' to protect Ukraine's networks (The Record by Recorded Future)  How Ukraine has defended itself against cyberattacks – lessons for the US (FIU News)  Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity (Symantec)  Fake e‑shops on the prowl for banking credentials using Android malware (WeLiveSecurity)  CISA adds Spring4Shell vulnerability, Apple zero-days to exploited catalog (The Record by Recorded Future)  LifePoint Informatics Patient Portal (CISA)  Rockwell Automation ISaGRAF (CISA)  Johnson Controls Metasys (CISA)  Philips Vue PACS (Update A) (CISA) Treasury Sanctions Russia-Based Hydra, World’s Largest Darknet Market, and Ransomware-Enabling Virtual Currency Exchange Garantex (U.S. Department of the Treasury) Most Common Passwords 2022 - Is Yours on the List? (CyberNews)
Apr 06, 2022
Disinformation at the UN. Phishing against Ukraine. Hydra Market taken down. Is someone carrying on for Lapsus$? Compromise at Mailchimp. FIN7 branches out into ransomware.
1409
Disinformation at the UN. Russian cyber operations against Ukraine. Bravo, BKA: German police take down a major contraband market. Under arrest but still in business? At least someone’s carrying on for Lapsus$. Compromise at Mailchimp. Joe Carrigan describes JavaScript vulnerabilities. Carole Theriault with an eye on romance scams through the lens of Netflix's "The Tinder Swindler". And a well-known gang branches out. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/65 Selected reading. Live Updates: U.N. Security Council to Meet as Evidence of War Crimes Mounts (New York Times)  Elephant Framework Delivered in Phishing Attacks against Ukrainian Organizations (Intezer)  Germany takes down Hydra, world's largest darknet market (BleepingComputer) LAPSUS$ hacks continue despite two hacker suspects in court (Naked Security)  FIN7 hackers evolve toolset, work with multiple ransomware gangs (BleepingComputer) Notorious hacking group FIN7 adds ransomware to its repertoire (CyberScoop) Hackers breach MailChimp's internal tools to target crypto customers (BleepingComputer)  Email marketing giant Mailchimp has confirmed a data breach (TechCrunch) 
Apr 05, 2022
Doxing, trolling, and censorship in a hybrid war. Borat RAT. State’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Wild youth. Hey spooks: brown bag it like the GRU.
1790
Doxing, trolling, and censorship in a hybrid war. Western organizations remain on alert for a Russian cyber campaign. Known Russian threat actors continue operations against Ukraine proper. Borat RAT described. Welcome the US State Department’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Your wild ways will break your mother’s heart. Rick Howard weighs in on Shields Up. Josh Ray from Accenture on ideological differences on underground forums. And fast food as an OPSEC issue (and an OSINT source). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/64 Selected reading. Ukraine intelligence leaks names of 620 alleged Russian FSB agents (Security Affairs)  Anonymous leaked 15 GB of data allegedly stolen from the Russian Orthodox Church (Security Affairs)  Listen Now: Deputy national security adviser talks about the risk of Russia waging cyberwar (NPR One)  Inside Cyber Front Z, the ‘People’s Movement’ Spreading Russian Propaganda (Vice) Ukraine Accuses Russia of Using WhatsApp Bot Farm to Ask Military to Surrender (Vice) ‘It’s like 1937’: Informants denounce anti-Ukraine war Russians (The Telegraph)  Cyber Espionage Actor Deploying Malware Using Excel (Bank Info Security) New Borat remote access malware is no laughing matter (BleepingComputer) Deep Dive Analysis – Borat RAT (Cyble) Establishment of the Bureau of Cyberspace and Digital Policy (United States Department of State)  Supply Chain Integrity Month (CISA) April is National Supply Chain Integrity Month. As Russia Plots Its Next Move, an AI Listens to the Chatter (Wired)  Data leak from Russian delivery app shows dining habits of the secret police (The Verge) 
Apr 04, 2022
Living security: the current state of XDR. [CyberWire-X]
1828
In this CyberWire-X episode, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores the state of XDR. Joining Rick on this episode are Ted Wagner, SAP National Security Services CISO and CyberWire Hash Table member, and from episode sponsor Trellix are Bryan Palma, the Trellix Chief Executive Officer, and John Fokker, the Trellix Head of Cyber Investigations. Listen as Rick and guests discuss XDR, SASE, SIEM, and SOAR.
Apr 03, 2022
Michael DeBolt: From acting to cyber. [Intelligence] [Career Notes]
428
Chief intelligence officer at Intel 471, Michael DeBolt shares his story of starting out as an actor and moving into intelligence, and what that transition was like for him. Michael grew up wanting to be an actor and even landed some acting jobs; after joining the Marine Corps he decided to leave acting behind and start a new path. He says looking for a purpose really helped to shape him: "looking back on it, I feel like my life purpose has really been all about kind of this relentless pursuit of justice." The risks he has taken in his life, he says, have helped him right the wrongs of the world. We thank Michael for sharing his story.
Apr 03, 2022
A popular malware scheme and pay-per-install services. [Research Saturday]
1235
Guest Michael DeBolt from Intel 471 joins Dave Bittner on this episode to discuss one of the most popular commodity malware loaders on the underground, PrivateLoader. Intel 471's blog provides an analysis of campaigns since May 2021, full details on a pay-per-install (PPI) malware service, the methods operators employ to obtain “installs,” and insights on the malware families the service delivers. The blog also breaks down how the PrivateLoader download is delivered and how the loader works: "Visitors are lured into clicking a “Download Crack” or “Download Now” button to obtain an allegedly cracked version of the software." Michael explains more about this popular commodity malware loader. The research can be found here: PrivateLoader: The first step in many malware schemes
Apr 02, 2022
Epistemic closure in a hybrid war. Wiper used against VIasat modems. US Treasury sanctions more Russian actors. Remediating Spring4shell. Notes from law enforcement. And we’re not joking.
1546
Attempting to evolve rules of cyber conduct during a hot hybrid war. Waiting for major Russian cyber operations. Viasat terminals were hit by wiper malware. Patches and detection scripts for Spring4shell. Warning of ransomware threat to local governments. Emergency data requests under Senatorial scrutiny. NSA employee charged with mishandling classified material. Andrea Little Limbago from Interos on Bots, Warriors and Trolls. Rick Howard speaks with Maretta Morovitz on cyber deception. And no April Foolin’ here. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/63 Selected reading. Russia’s War Lacks a Battlefield Commander, U.S. Officials Say (New York Times)  Putin may be self-isolating from his military advisers, says White House (The Telegraph)  Confronting Russian Cyber Censorship (Wilson Center)  Zelensky Fires Two Generals (Wall Street Journal)  French intelligence chief Vidaud fired over Russian war failings (BBC News)  Cyber War Talks Heat Up at UN With Russia at Table (Bloomberg.com) Foreign Ministry statement on continued cyberattack by the “collective West” (Ministry of Foreign Affairs of the Russian Federation)  New Protestware Found Lurking in Highly Popular NPM Package (Checkmarx.com) Russia targeting Ukraine, countries opposing war in cyberspace (Jerusalem Post) Conti Leaks: Examining the Panama Papers of Ransomware (Trellix)  British intelligence agencies: Moscow continuously attacks Ukraine in cyberspace (The Times Hub) AcidRain | A Modem Wiper Rains Down on Europe (SentinelOne) SentinelOne finds ties between Viasat hack and Russian actor (SC Magazine) ExtraHop CEO: Expect a Russian cyber response to sanctions (Register) Treasury sanctions Russian research center blamed for Trisis malware (CyberScoop)  Treasury Targets Sanctions Evasion Networks and Russian Technology Companies Enabling Putin’s War (U.S. Department of the Treasury) Evgeny Viktorovich Gladkikh (Rewards for Justice)  Spring confirms ‘Spring4Shell’ zero-day, releases patched update (The Record by Recorded Future)  Spring4Shell (CVE-2022-22965): Are you vulnerable to this Zero Day? (Cyber Security Works)  Ransomware Attacks Straining Local US Governments and Public Services (IC3)  Senate’s Wyden Probes Use of Forged Legal Requests by Hackers (Bloomberg)  NSA Employee Charged with Mishandling Classified Material (Military.com) National Security Agency Employee Indicted for Willful Transmission and Retention of National Defense Information (US Department of Justice)  National Security Agency Employee Facing Federal Indictment for Willful Transmission and Retention of National Defense Information (US Department of Justice)
Apr 01, 2022
Moscow poorly served by its intelligence services, say London and Washington. Cyber phases of the hybrid war. A new zero-day, and some resurgent criminal activity.
1401
Russian cyber operators collect against domestic targets. More details on the Viasat hack. Ukrainian hacktivists say they can interfere with Russian geolocation. Spring4shell is another remote-code-execution problem. The Remcos Trojan is seeing a resurgence. Malicious links distributed via Calendly. Johannes Ullrich from SANS on attack surface detection. Our guest is Fleming Shi from Barracuda on cybersecurity champions. Phishing with “emergency data requests.” Lapsus$ may be back from vacation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/62 Selected reading. Vladimir Putin is being lied to by his advisers, says GCHQ (The Telegraph)  U.S. intelligence suggests that Putin’s advisers misinformed him on Ukraine. (New York Times)  White House: Intel shows Putin misled by advisers on Ukraine (AP NEWS)  Russian troops sabotaging their own equipment and refusing orders in Ukraine, UK spy chief says (CNBC)  Phishing campaign targets Russian govt dissidents with Cobalt Strike (BleepingComputer)  KA-SAT Network cyber attack overview (Viasat.com)  Tracking cyber activity in Eastern Europe (Google) Ukrainian Hackers Take Aim at Russian Artillery, Navigation Signals (Defense One)  Russian efforts in Ukraine have not yet spilled over into cyberattacks on US, says lawmaker (C4ISRNet) New Spring Framework RCE Vulnerability Confirmed - What to do? (Sonatype)  New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared (Contrast Security) Spring Core on JDK9+ is vulnerable to remote code execution (Praetorian)  Spring4Shell: No need to panic, but mitigations are advised (Help Net Security)  Remcos Trojan: Analyzing the Attack Chain (Morphisec)  Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests (Bloomberg)  Fresh Phish: Phishers Schedule Victims on Calendar App (INKY)  Lapsus$ claims Globant as its latest breach victim (TechCrunch)
Mar 31, 2022
Taking down bot farms. Cyber aggression. Kinetic influence ops. Spamming yourself? ICS advisories. Sanctions are also biting Russian cyber gangs.
1469
Taking down bot farms. Russia says the US is the aggressor in cyberspace. Influence operations, arriving at Mach 10. The call is coming from inside the house! Cyber incidents affect aviation services. CISA posts ICS advisories. I welcome Tim Eades from the Cyber Mentor Fund. Our guest is Alex Holland from HP Wolf Security describing a new wave of attacks. And sanctions are also biting Russian cyber gangs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/61 Selected reading. Ukraine dismantles 5 disinformation bot farms, seizes 10,000 SIM cards (BleepingComputer) Russia accuses U.S. of massive 'cyber aggression' (Reuters)  Russia Has Fired 'Multiple' Hypersonic Missiles Into Ukraine, US General Confirms (Defense One)  BREAKING: Russian Aviation Authority Suffers Cyberattack (Mentour Pilot)  Bradley Airport Website Suffers Cyber Attack (NBC Connecticut)  Philips e-Alert (CISA)  Rockwell Automation ISaGRAF (CISA)  Omron CX-Position (CISA)  Hitachi Energy LinkOne WebView (CISA) Modbus Tools Modbus Slave (CISA)  Delta Electronics DIAEnergie (CISA) “Your rubles will only be good for lighting a fire”: Cybercriminals reel from impact of sanctions (Digital Shadows)  Sanctions Hitting Russian Cyber-Criminals Hard (Infosecurity Magazine) 
Mar 30, 2022
Cyber phases of a hybrid war continue at a nuisance level. IcedID’s distribution vectors. Automating software supply-chain attacks. CISA offers power supply risk mitigation guidance.
1759
A cyberattack takes down a major Ukrainian Internet provider. GhostWriter is said to deploy Cobalt Strike against the Ukrainian government. Anonymous makes some large claims. This just in: spies drive drunk: Ukrainian intelligence doxes FSB officers. Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams. Red-Lili automates software supply-chain attacks. Ben Yelin considers Russian cyber capabilities. Mr. Security Answer Person John Pescatore addresses security automation. And CISA offers mitigation guidance on risks to uninterruptible power supplies. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/60 Selected reading. Russia says it will scale back near Kyiv as talks progress (AP NEWS)  Ukraine Claims Some Battle Successes as Russia Focuses on Another Front (New York Times)  Ukrainian telecom company's internet service disrupted by 'powerful' cyberattack (Reuters)  ‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider (Forbes)  GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon  (Security Affairs)  Secret World of Pro-Russia Hacking Group Exposed in Leak (Wall Street Journal)  Anonymous is working on a huge data dump that will blow Russia away (Security Affairs) While Twitter suspends Anonymous accounts, the group hacked VGTRK Russian Television and Radio (Security Affairs) Names and addresses of 620 FSB officers published in data breach (Times)  Russian spies unmasked in embarrassing blow for Vladimir Putin (The Telegraph)  New Conversation Hijacking Campaign Delivering IcedID (Intezer) Spoofed Invoice Used to Drop IcedID (Fortinet Blog)  A Beautiful Factory for Malicious Packages (Checkmarx)  School of Hard Knocks: Job Fraud Threats Target University Students (Proofpoint)  Mitigating Attacks Against Uninterruptible Power Supply Devices (CISA Insights)
Mar 29, 2022
Notes on the cyber aspects of the ongoing hybrid war. DDoS in the Marshall Islands. Lapsus$ Group post mortems. US FCC sanctions Kaspersky. CISA adds Known Exploited Vulnerabilities to its Catalog.
1498
Preparing for the spread of cyberattacks. A look at cyber operations in the hybrid war. C3 and electronic warfare. The Republic of the Marshall Islands suffers rolling DDoS attacks. Okta gives a detailed account of its experience with the Lapsus$ Group. Lapsus$ under the law enforcement microscope. The FCC sanctions Kaspersky. Malek Ben Salem from Accenture on getting full potential from deception systems. Our guest is Greg Scasny of Blueshift Cybersecurity with remote workforce security concerns. And CISA adds to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/59 Selected reading. ‘Preparation, not panic’: Top US cyber official asks Americans to look out for Russian hacking efforts (CNN)  Russia hacked Ukrainian satellite communications, officials believe (BBC News)  Chinese cyberattacks on NATO countries increase 116% since Russia's invasion of Ukraine: study (Fox Business)  Why hasn't Russia used its 'full scope' of electronic warfare? (Breaking Defense)  Russian troops’ tendency to talk on unsecured lines is proving costly (Washington Post)  Marshall Islands telecom service hit by cyber attack (RNZ)  Okta: "We made a mistake" delaying the Lapsus$ hack disclosure (BleepingComputer)  Who is LAPSUS$, the Big, Bad Cybercrime Gang Hacking Tech's Biggest Companies? (Gizmodo)  FCC puts Kaspersky on security threat list, says it poses “unacceptable risk“ (Ars Technica)  U.S. FCC adds Russia's Kaspersky, China telecom firms to national security threat list (Reuters)  CISA Adds 66 Known Exploited Vulnerabilities to Catalog (CISA)
Mar 28, 2022
The breakdown of Shuckworm's continued cyber attacks against Ukraine. [Research Saturday]
1236
Guest Dick O'Brien from Symantec joins Dave Bittner on this episode to discuss how "Shuckworm Continues Cyber-Espionage Attacks Against Ukraine." The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) has been active since 2013 and is known to use phishing emails to distribute freely available remote access tools. In July 2021, Symantec observed Shuckworm activity against an organization in Ukraine, and this continued until August 2021. According to a November 2021 report from the Security Service of Ukraine (SSU), since 2014 the Shuckworm group has been responsible for over 5,000 attacks against more than 1,500 Ukrainian government systems. Dick walks us through Symantec's investigation. The research can be found here: Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
Mar 26, 2022
Fears of Russian escalation, with both chemical and cyber weapons, rise. DPRK APTs exploit Chrome vulnerabilities. Mustang Panda is back. Arrests made in the Lapsus$ case.
1563
Fears of Russian escalation as Ukraine’s counteroffensive sees successes. Warnings of possible Russian cyberattacks gain context from attribution of the Viasat incident and two US unsealed indictments. CISA continues to recommend best practices. North Korean APTs exploit Chrome vulnerabilities. Mustang Panda is back. David Dufour from Webroot on ransomware gangs and cartels. Our guest is Liliana Monge of Sabio Coding Bootcamp on creating opportunities for those looking to pursue a career in tech. And boy, boy, your wild ways will break your mother’s heart. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/58 Selected reading. Ukrainian forces advance east of Kyiv as Russians fall back (Reuters) Counteroffensive in Ukraine Shifts Dynamic of War (New York Times) Ukrainian forces claim to destroy a Russian landing ship. (New York Times)  Putin's war in Ukraine nearing possibly more dangerous phase (AP NEWS)  Syrians watch in horror as Putin deploys the Aleppo playbook in Ukraine (CNN)  Joe Biden: We will respond in kind if Vladimir Putin uses chemical weapons in Ukraine (The Telegraph)  A month into the Russian invasion, Ukraine is still mostly online (The Record by Recorded Future) Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say (Washington Post)  Hackers Attacked Satellite Terminals Through Management Network, Viasat Officials Say (Air Force Magazine) Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide (US Department of Justice)  US charges four Russian hackers over cyber-attacks on global energy sector (the Guardian)  North Korean Actors Exploited Chrome Flaw to Target U.S. Orgs (Decipher)  Countering threats from North Korea (Google) New Mustang Panda hacking campaign targets diplomats, ISPs (BleepingComputer)  Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection (Threatpost) Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal (BBC News)
Mar 25, 2022
Updates on Russia’s hybrid war against Ukraine. The leader of the Lapsus$ Gang may be a 16-year-old living with his Mom. Wanted cybercriminals. Hacktivism’s sometimes wayward aim.
1605
Concerns persist that President Putin will take his revenge in cyberspace for sanctions. Wiper attacks reported continuing in Ukraine. Russia also sustains cyberattacks. Lapsus$--living at home, with Mom. A carder kingpin finds his way onto the FBI’s Most Wanted List. Andrea Little Limbago from Interos on collective resilience. Our guest is Amit Shaked from Laminar Security on shadow data. Anonymous says it hit Nestlé, but Nestlé says it never happened. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/57 Selected reading. As Ukraine invasion stalls, Putin looks to cyber for revenge attack on US (Newsweek) Threat looms of Russian attack on undersea cables to shut down West’s internet (France 24)  A Mysterious Satellite Hack Has Victims Far Beyond Ukraine (Wired)  Anonymous hacks unsecured printers to send anti-war messages across Russia (HackRead) 'We want them to go to the Stone Age': Ukrainian coders are splitting their time between work and cyber warfare (CNBC)  Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind (Bloomberg) Nestlé denies Anonymous hack, claiming it accidentally leaked data dump itself (Fortune)  Nestlé says 'Anonymous' data leak actually a self-own (Register) Nestlé: You Can't Hack Us, We Leaked Our Own Data (Gizmodo)  FBI adds Russian cybercrime market owner to most wanted list (BleepingComputer) United States of America v. Igor Dekhtyar (US District Court for the Eastern District of Texas)
Mar 24, 2022
Insider Risk Excellence Awards. [CyberWire-X]
1356
In this CyberWire-X episode, host Dave Bittner chats with the judges of the Insider Risk Excellence Awards. The inaugural awards program, announced during last September's Insider Risk Summit, recognizes the best of the best in Insider Risk Management. They honor the work of individuals and organizations as they address Insider Risk in the most collaborative work environment we’ve ever seen. Judges Joe Payne, President and CEO, Code42 and Chairman, Insider Risk Summit and Wendy Overton, Director of Cyber Strategy and Insider Risk Leader, Optiv, talk about the growing Insider Risk problem, reveal the winners of each award category and pull back the curtain on how each of these Insider Risk trailblazers are making an impact. 
Mar 24, 2022
British-American warnings of a Russian cyber threat, and Russia’s response. More on the Lapsus$ gang incidents at Microsoft and Okta. And Secureworks looks at Conti and sees a criminal ecosystem.
1595
The US and the UK warn of impending Russian cyberattacks, and Russia responds with warnings against “banditry,” crime, and bad manners. CISA issues two new ICS advisories. Microsoft confirms a Lapsus$ gang incident, and so does Okta, but Okta’s case is more complicated. Josh Ray from Accenture on the cyber workforce. Our guest is Tom Gaffney from F-Secure with some ways to reduce digital anxiety. Secureworks takes a look at the criminal ecosystem around Conti. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/56 Selected reading. Ukraine war has put our relationship with US at breaking point - Russia (Daily Post Nigeria)  Kremlin dismisses U.S. warning of potential Russian cyber attacks (Reuters)  As Biden puts US on alert, Russia seeks talks to help prevent cyber war (Newsweek)  U.K. echoes Biden warning on Russian cyberattacks (The Record by Recorded Future)  Biden: Russia mulling cyberattacks on US (C4ISRNet)  National Security Advisor details new intelligence on potential Russian cyberattacks (FOX 5 DC) The Threat of Russian Cyberattacks Looms Large (The New Yorker)  FBI sees growing Russian hacker interest in US energy firms (AP NEWS)  CISA Call with Critical Infrastructure Partners on Potential Russian Cyberattacks Against the U.S. (YouTube)  CISA highlights new reporting hotline amid warnings about potential Russian cyber attacks (Federal News Network) Delta Electronics DIAEnergie (CISA)  Delta Electronics DIAEnergie (Update B) (CISA)  Microsoft, Okta Investigating Data Theft Claims (SecurityWeek)  Hackers hit authentication firm Okta, customers 'may have been impacted' (Reuters)  'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack (Wired)
Okta ‘identifying and contacting’ customers potentially affected by Lapsus$ breach (The Record by Recorded Future)  Okta Investigates Report of Security Breach, Says It Finds No Evidence of New Attack (Wall Street Journal)  Fury As Okta—The Company That Manages 100 Million Logins—Fails To Tell Customers About Breach For Months (Forbes)  Cloudflare’s investigation of the January 2022 Okta compromise (Cloudflare Blog). Updated Okta Statement on LAPSUS$ (Okta)  GOLD ULRICK leaks reveal organizational structure and relationships (Secureworks)  Details of Conti ransomware affiliate released (ComputerWeekly.com)  More can be done to curb misuse of Cobalt Strike, expert says (VentureBeat)
Mar 23, 2022
White House adds its voice to CISA’s Shields Up, warning of the possibility of Russian cyberattacks. New malware strains described, new criminal attack techniques observed.
1529
White House warns of large-scale Russian cyberattacks. Browser-in-the-Browser attacks. New Conti affiliate described. Android malware “Facestealer” described. Microsoft and Okta investigate possible Lapsus$ attacks. Arid Gopher is out in the wild. Our guest is Swathi West of Barr Advisory on opportunities for the underrepresented in cybersecurity. Joe Carrigan wonders if we can’t just get rid of passwords once and for all. And advancing censorship by finding “extremism” and “Russophobia” in Meta’s platforms. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/55 Selected reading. Russia's hybrid war with Ukraine: strategy, norms, and alliances (The CyberWire) Statement by President Biden on our Nation’s Cybersecurity (The White House)  FACT SHEET: Act Now to Protect Against Potential Cyberattacks (The White House)  Statement from CISA Director Easterly on Potential Russian Cyberattacks Against the United States (CISA)  Press Briefing by Press Secretary Jen Psaki and Deputy NSA for Cyber and Emerging Technologies Anne Neuberger, March 21, 2022 (The White House)  Statement from Secretary Mayorkas on Cybersecurity Preparedness (US Department of Homeland Security)  Conti Affiliate Exposed: New Domain Names, IP Addresses and Email… (eSentire)  New Phishing toolkit lets anyone create fake Chrome browser windows (BleepingComputer)  New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable (The Hacker News) Arid Gopher: Newest Micropsia Malware Variant (Deep Instinct)  Spyware dubbed Facestealer infects 100,000+ Google Play users (Pradeo)  Okta confirms investigation into potential breach (The Record by Recorded Future)  Microsoft investigating alleged Lapsus$ hack of Azure DevOps source code repositories (Computing)  Russian War Report: Meta officially declared “extremist organization” in Russia (Atlantic Council)
Mar 22, 2022
Hacktivism, protestware, and information operations in a hybrid war. Brazil-based cyber gangs active in extortion. Steganography opens a backdoor. A free decryptor for Diavol ransomware.
1637
The widely expected, intense Russian cyber campaign has yet to appear. "Protestware" as a dangerous turn in hacktivism. Information operations and the persistence of independent channels of news. Social media as an opsec problem. Lapsus$ may have hit Microsoft. A second Brazilian gang tries its hand at extortion. A snakey backdoor afflicts French organizations. AD Bryan Vorndran of the FBI Cyber Division on what the agency brings to the table in cyberspace. Rick Howard considers infrastructure as code. Emsisoft offers a free decryptor for Diavol ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/54 Selected reading. Volodymyr Zelensky tells Russia to seek ‘meaningful’ peace talks or face catastrophic losses (The Telegraph) Cyber threats and the Ukraine conflict (Avast) Cyber ‘cold war’ rages online but Russia holds back on massive digital attacks (Times of Israel)  Mar 13- Mar 19 Ukraine – Russia the silent cyber conflict (Security Affairs)  Former CIA officer shows what a Russian cyberattack on the US would look like (Fox News)  EU and US agencies warn that Russia could attack satellite communications networks (Security Affairs)  Banks on alert for Russian reprisal cyberattacks on Swift (Ars Technica)  Activists are targeting Russians with open-source “protestware” (MIT Technology Review)  Cyber warfare gets real for satellite operators (SpaceNews) More Conti ransomware source code leaked on Twitter out of revenge (BleepingComputer)  Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers (Vice)  Anonymous has unleashed a successful cyberwar to undermine Putin's Ukraine invasion (Fortune)  Some Russians are breaking through Putin’s digital iron curtain — leading to fights with friends and family (Washington Post)  On Russia's VK, anti-war messages defy Vladimir Putin's Ukraine censors (Newsweek) Why Russia’s anti-war movement matters (Atlantic Council)  Telegram Thrives Amid Russia’s Media Crackdown (Wall Street Journal)  British soldiers are ordered off WhatsApp amid fears that sensitive military details could be accessed by Russian hackers (Daily Mail) Microsoft Investigating Claim of Breach by Extortion Gang (Vice)  Hacking group that went after NVIDIA may have also attacked Microsoft (Windows Central)  Microsoft Allegedly Breached by LAPSUS Group (Cyber Kendra)  Lapsus$ gang sends a worrying message to would-be criminals (Register)  TransUnion cyber attack – hackers demand R225 million ransom (Business Tech)  TransUnion Confirms Data Breach at South Africa Business (SecurityWeek)  UPDATE | TransUnion believes breach of 54 million SA records unrelated to current hack (Fin24)  Banks move to protect consumers in wake of TransUnion cyberattack (TechCentral)  Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain (Proofpoint)  Emsisoft releases free decryptor for the victims of the Diavol ransomware (Security Affairs)
Mar 21, 2022
Derek Manky: Putting the rubber to the road. [Threat Intelligence] [Career Notes]
548
Chief Security Strategist and VP of Global Threat Intelligence at FortiGuard Labs, Derek Manky, shares his story from programmer to cybersecurity and how it all came together. Derek started his career teaching programming because he had such a passion for it. When he joined Fortinet, Derek said, that's where it "really started putting the rubber to the road and connecting my previous experience with programming and debugging and knowledge of operating systems and all that with real-world applications." Derek advises that getting into the cybersecurity field doesn't need to be complicated and that there are many avenues to enter the field. He hopes to have made a real dent, or "hopefully a crater," in cyber crime when he ends his career. We thank Derek for sharing his story with us.
Mar 20, 2022
Implications of data leaks of sensitive OT information. [Research Saturday]
1448
Guest Nathan Brubaker from Mandiant joins Dave Bittner on this episode to discuss Mandiant Threat Intelligence's research: "1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information." Data leaks have always been a concern for organizations. The exposure of sensitive information can result in damage to reputation, legal penalties, loss of intellectual property, and even impact the privacy of employees and customers. However, there is little research about the challenges posed to industrial organizations when threat actors disclose sensitive details about their OT security, production, operations, or technology. In 2021, Mandiant Threat Intelligence continued observing ransomware operators attempting to extort thousands of victims by disclosing terabytes of stolen information on shaming sites. This trend, which Mandiant Threat Intelligence refers to as “Multifaceted Extortion,” impacted over 1,300 organizations from critical infrastructure and industrial production sectors in just one year. Nathan walks us through their research and findings. The research can be found here: 1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information
Mar 19, 2022
Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism may go too far. C2C market notes. Advice from CISA and NIST. Prank calls as statecraft.
1514
Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism that affects software supply chains may go too far. An initial access broker in the criminal-to-criminal market. BlackMatter may be working with BlackCat. CISA offers a warning and advice to SATCOM operators. NIST offers some guidance on industrial control system security. Johannes Ullrich reminds us to patch our backup tools. Our guest is Armando Saey from MISI with insights on maritime port security. And Rear Admiral Mehoff, call your office. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/53 Selected reading. Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion (The Hacker News)  Software Supply Chain Weakness: Snyk Warns of 'Deliberate Sabotage' of NPM Ecosystem (SecurityWeek)  Russian government websites face ‘unprecedented’ wave of hacking attacks, ministry says (Washington Post)  Ukraine’s Digital Ministry Is a Formidable War Machine (Wired) Exposing initial access broker with ties to Conti (Google)  Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware (The Hacker News) Strengthening Cybersecurity of SATCOM Network Providers and Customers (CISA)  NIST SPECIAL PUBLICATION 1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector (NIST) Hoax caller claiming to be Ukrainian PM got through to UK defence secretary (the Guardian)  Russians target Priti Patel and Ben Wallace with fake video calls (The Telegraph) 
Mar 18, 2022
Debunking deepfakes. Hacktivism and information warfare. The prospect of “splinternets.” Germany warns of security product risks. Disruption of Ukrainian ISPs. New wrinkles in phishing.
1479
Not-so-deepfakes debunked. Hacktivism and information warfare in Russia’s war against Ukraine. The prospect of an age of “splinternets.” Germany warns of risks from Kaspersky security products. Disruption of Ukrainian ISPs. David Dufour from Webroot on cyberattacks hitting the automotive sector. Carole Theriault ponders parental disclosure of tracking their kids. Three new wrinkles to social engineering. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/52 Selected reading. Russia and Ukraine ‘draw up 15-point peace plan’ (The Telegraph)  Deepfake video of Zelenskyy could be 'tip of the iceberg' in info war, experts warn (NPR.org)  The Russia-Ukraine War And The Revival Of Hacktivism (Digital Shadows)  In a Chilling Threat, Putin Vows to Rid Russia of ‘Traitors’ (Bloomberg) Russia is risking the creation of a “splinternet”—and it could be irreversible (MIT Technology Review)  Traffic interception and MitM attacks among security risks of Russian TLS certs (CSO Online)  Germany's BSI warns against Kaspersky AV over spying concerns (CSO Online)  Major Ukrainian Internet Provider Triolan Suffers Severe Cyber Attacks and Infrastructure Destruction During Russian Invasion (CPO Magazine) The Attack of the Chameleon Phishing Page (Trustwave)  The Email Bait … and Phish: Instagram Phishing Attack (Armorblox)  Using CAPTCHA Forms to Bypass Filters (Avanan)
Mar 17, 2022
Ukrainian President Zelenskyy addresses the US Congress, as Russia’s hybrid war continues. LokiLocker ransomware flies a false flag. CISA warns of Russian cyber threat. Advance fee arrest.
1508
Ukrainian President Zelenskyy addresses the US Congress, as intelligence services, contractors, and hacktivists wage their part of a hybrid war. BlackBerry describes LokiLocker, a new strain of ransomware that’s not Iranian, but would have you think it is. CISA and the FBI warn of a Russian cyber campaign. Nigeria arrests an alleged advance-fee scam artist (he’s been wanted for some time). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/51
Mar 16, 2022
Disinformation and cyberattacks in Russia’s hybrid war against Ukraine. DDoS attack hits Israeli telcos. Captured tools are old news. Recent trends in cybercrime.
1726
Biowar disinformation. A new wiper is discovered in Ukrainian systems. Cyber criminals look for letters of marque from both sides (and some of them are looking like hacktivists). Ukrainian cybersecurity firms and intelligence services mobilize against Russia. Ben Yelin evaluates cyber engagements in the crisis. A protester crashes a Russian news broadcast. DDoS attack takes down Israeli sites. China claims to have “captured” NSA hacking tools. Our guest is Ben Brook CEO of Transcend with a look at data privacy. Recent trends in cybercrime. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/50 Selected reading. Researchers find new destructive wiper malware in Ukraine (The Verge)  Cloud Native Technologies Used in Russia-Ukraine Cyber Attacks (Aqua Security)  Financially motivated threat actors willing to go after Russian targets (Help Net Security)  Kyiv’s hackers seize their wartime moment (POLITICO)  Global Incident Report: Threat Actors Divide Along Ideological Lines over the Russia-Ukraine Conflict on Underground Forums (Accenture) Political fallout in cybercrime circles upping the threat to Western targets (CyberScoop) A protester storms a live broadcast on Russia’s most-watched news show, yelling, ‘Stop the war!’ (New York Times) Denial-of-service attack knocked Israeli government sites offline (CyberScoop)  China claims it captured NSA spy tool that already leaked (Register)  Ransomware Variants Q4 2021 (Intel471.com)  Cequence Security Releases Report Revealing Top 3 Attack Trends in API Security (Cequence) 
Mar 15, 2022
Russia’s hybrid war against Ukraine becomes more firepower intensive, but hackers make their mark. Cybercrime does business as usual.
1621
The situation in Russia’s war against Ukraine, and Mr. Putin’s frustration with his intelligence services. Provocations, state-hacking, and influence operations in a hybrid war. Lapsus$ hits Ubisoft with ransomware. LockBit hits Bridgestone America. The Escobar banking Trojan is out in the wild. Kaspersky source apparently not compromised after all. Dan Prince wonders whether we are properly preparing for the roles of tomorrow. Rick Howard is pulling on the kill chain. And the wayward aim of public opinion. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/49 Selected reading. After more than two weeks of war, the Russian military grinds forward at a heavy cost (Washington Post)  Ukraine war latest: Talks resume as Russia strikes Kyiv (BBC News)  US view of Putin: Angry, frustrated, likely to escalate war (AP NEWS)  Kremlin arrests FSB chiefs in fallout from Ukraine chaos (Times)  Russian Cyber Restraint in Ukraine Puzzles Experts (SecurityWeek) Russia's cyber offensive against Ukraine has been limited so far. Experts are divided on why (KESQ)  ‘Not the time to go poking around’: How former U.S. hackers view dealing with Russia (POLITICO) We're seeing 800% increase in cyberattacks, says MSP (Register) Russia makes claims of US-backed biological weapon plot at UN (the Guardian)  Russian media spreading disinformation about US bioweapons as troops mass near Ukraine (Bulletin of the Atomic Scientists)  Russian TikTok Influencers Are Being Paid to Spread Kremlin Propaganda (Vice) The White House is briefing TikTok stars about the war in Ukraine (Washington Post)  Android malware Escobar steals your Google Authenticator MFA codes (BleepingComputer)  Google Attempts to Explain Surge in Chrome Zero-Day Exploitation (SecurityWeek) Google: We're spotting more Chrome browser zero-day flaws in the wild. Here's why (ZDNet)
Ubisoft says it experienced a ‘cyber security incident’, and the purported Nvidia hackers are taking credit (The Verge) UPDATE 1-Japan's Denso hit by apparent ransomware attack - NHK (Reuters) LockBit ransomware group claims to have hacked Bridgestone Americas (Security Affairs)
Mar 14, 2022
Kristin Strand: Be firm in your goals. [Consultant] [Career Notes]
446
Cybersecurity Associate Consultant at BARR Advisory, Kristin Strand, shares her journey from the military to teaching and now to cybersecurity. Kristin shares how she'd wanted to be a teacher since she was young. She joined the Army to help pay for college and throughout her career has taken advantage of programs to help her move on to her next challenge. From teaching, Kristin decided to transition to IT and came to cybersecurity through a Department of Labor program. She's also currently training to be a drill sergeant. Kristin advises you to stand firm in your goals and know what you want. It will come around. We thank Kristin for sharing her story with us.
Mar 13, 2022
The story of REvil: From origin to beyond. [Research Saturday]
2021
Guest Jon DiMaggio, Chief Security Strategist at Analyst1, joins Dave Bittner to discuss his team's research "A History of REvil" that chronicles the rise and fall of REvil. The REvil gang is an organized criminal enterprise based primarily out of Russia that runs a Ransomware as a Service (RaaS) operation. The core members of the gang reside and operate out of Russia. REvil leverages hackers for hire, known as affiliates, to conduct the breach, steal victim data, delete backups, and infect victim systems with ransomware for a share of the profits. Affiliates primarily come from Eastern Europe, though a small percentage operate outside that region. In return, the core gang maintains and provides the ransomware payload, hosts the victim data leak/auction site, facilitates victim communication and payment services, and distributes the decryption key. In simpler terms, the core gang is the service provider and persona behind the operation, while the affiliates are the hired muscle facilitating attacks. Jon walks us through the team's findings and details REvil's story. The research can be found here: A History of REvil
Mar 12, 2022
An update on the hybrid war in Ukraine. Conti and its users are still up and active. CISA releases twenty-four ICS security advisories. An extradition in the NetWalker case.
1607
An update on the hybrid war in Ukraine. Allegations of war crimes and Russian disinformation. Chemical, biological, and radiological weapons disinformation. Preparing for cyberattacks. Cyber operations against Russia. GPS interference reported along Finland’s border. Conti and its users are still up and active. CISA releases twenty-four ICS security advisories. Malek Ben Salem from Accenture on deception systems. Our guest is Joe Payne from Code42 on data exposure. An extradition in the NetWalker case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/48 Selected reading. Russia 'did not attack Ukraine' says Lavrov after meeting Kuleba (euronews)  Read the latest cybersecurity analysis (Accenture) Where conflict is reported in Ukraine right now (The Telegraph)  How U.S. Bioweapons in Ukraine Became Russia’s New Big Lie (Foreign Policy)  Russian embassy demands Meta stop 'extremist activities' (NASDAQ:FB) (SeekingAlpha) Transparency Org Releases Alleged Leak of Russian Censorship Agency (Vice)  SecurityScorecard Discovers new botnet, ‘Zhadnost,’ responsible for… (SecurityScorecard)  Inside the Russian cyber war on Ukraine that never was (Task & Purpose)  Report: Recent 10x Increase in Cyberattacks on Ukraine (KrebsOnSecurity)  Russian defense firm Rostec shuts down website after DDoS attack (BleepingComputer)  The Spectacular Collapse of Putin’s Disinformation Machinery (Wired)  Will Russians Choose Truth or Lies? Ukraine’s Fate Depends on Them (Bloomberg)  Finnish govt agency warns of unusual aircraft GPS interference (BleepingComputer) Corporate website contact forms used to spread BazarBackdoor malware (BleepingComputer) U.S. Warns of Conti Ransomware Attacks as Gang Deals With Leak Fallout (SecurityWeek)  Ex Canadian government worker extradited to U.S. to face more ransomware charges (CBC)  Former Canadian Government Employee Extradited to the United States to Face Charges for Dozens of Ransomware Attacks Resulting in the Payment of Tens of Millions of Dollars in Ransoms (US Department of Justice)
Mar 11, 2022
Cyber phases of a hybrid war. Google stops a Judgment Panda campaign and Symantec tracks Daxin. CISA updates its Conti alert. An alleged REvil member is arraigned in Texas.
1814
Prebunking a provocation. A spot report on the cyber phases of a hybrid war. Google stops a Judgment Panda campaign against US Government Gmail users. Symantec continues to track the origins and uses of the Daxin backdoor. CISA updates its Conti alert. Josh Ray from Accenture has tips on Log4J. Our guest is Chetan Conikee of ShiftLeft with strategies for reducing attackability. And law northeast of the Pecos, as an alleged member of REvil is arraigned in Texas. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/47 Selected reading. Vladimir Putin ‘plotting chemical weapons attack in Ukraine’ (The Telegraph) White House warns Russia could use chemical weapons in Ukraine (TheHill)  Russia, China May Be Coordinating Cyber Attacks: SaaS Security Firm (eSecurityPlanet)  More Than 5 Million Anti-Propaganda Text Messages Sent to Russians in Anonymous Information Warfare (Hstoday)  Anonymous hacked Russian cams, websites, announced a clamorous leak (Security Affairs)  EXCLUSIVE BNP Paribas bars Russia-based staff from computer systems as cyber attack fears grow (Reuters)  CISA updates Conti ransomware alert with nearly 100 domain names (BleepingComputer)  Google Blocks Chinese Phishing Campaign Targeting U.S. Government (SecurityWeek) Symantec tracked down one developer of ‘China’s most advanced piece of malware’ (Sc Magazine)  Daxin Backdoor: In-Depth Analysis, Part One (Symantec) Daxin Backdoor: In-Depth Analysis, Part Two (Symantec) Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas (US Department of Justice)
Mar 10, 2022
Waiting for the Bears to come out. APT41 hits US state governments. A surge in mobile malware, and a look at yesterday’s Patch Tuesday.
1693
Zelenskyy addresses the House of Commons. Cyber operations in Russia's war against Ukraine. Chinese cyber espionage campaign hits six US state governments (but it might be an APT side-hustle). A surge in mobile malware. Joe Carrigan looks at derestricting your software. Our guest Bob Dudley discusses cyberattacks against the European energy sector. And a quick look back at Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/46 Selected reading. Volodymyr Zelensky speech: Ukrainian President vows to fight Russians in 'forests, fields and on shores' as he channels Winston Churchill (The Telegraph)  Putin’s Endgame Starts to Look Like Reducing Ukraine to Rubble (Bloomberg)  Live Updates: Biden Bans Russian Oil Imports and Major U.S. Brands Close Outlets (New York Times) The March 2022 Security Update Review (Zero Day Initiative)  EU countries call for cybersecurity emergency response fund -document (Reuters) Annual Threat Assessment of the U.S. Intelligence Community (Office of the Director of National Intelligence) PTC Axeda agent and Axeda Desktop Server (CISA)  AVEVA System Platform (CISA) Sensormatic PowerManage (CISA)
Mar 09, 2022
Updates on Russia’s hybrid war, including cyber ops and influence operations. Mustang Panda focuses on Europe in its cyberespionage. Ransomware hits oil and gas sector. UPS vulnerabilities.
1605
Updates from the UK’s Ministry of Defense on Russia’s War in Ukraine. Influence operations: the advantage still seems to go to Ukraine, as Russian efforts look inward. Assessing the effects of hacktivism and cyber operations in the hybrid war. Privateering: Conti, Ragnar Locker, and (probably) others. Mustang Panda rears up in European diplomatic networks. Ransomware hits a Romanian fuel distributor. Andrea Little Limbago from Interos on data traps. Carole Theriault tracks the fight against deepfakes. Vulnerabilities found in UPS devices. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/45
Mar 08, 2022
Cyber dimensions of Russia’s hybrid war against Ukraine. Hacktivists and cybercriminals choose sides. Lapsus$ releases NVIDIA and Samsung data (and says a victim hacked back).
1694
Russian influence operations fail as few support Russia's war of aggression. Ukraine will become a "contributing participant" in NATO's CCDCOE. Ukrainian cyberattacks, and the marshaling of hacktivists. Russian cyberattacks: surprisingly restrained and unsurprisingly supported by criminal organizations like Conti. The FBI’s Bryan Vorndran joins us with insights on the work his team did on Sodinokibi. Rick Howard looks at vulnerability management. Lapsus$ gang releases data taken from NVIDIA and Samsung in separate extortion incidents. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/44 Selected reading. What Happened on Day 11 of Russia’s Invasion of Ukraine (New York Times) Putin says Ukraine's future in doubt as cease-fires collapse  After temporary cease-fires break down, Putin threatens Ukraine’s government (AP NEWS)  Ukraine to join NATO cyber defence centre as 'contributing participant' (Reuters) Putin Is Raising an Iron Firewall Around Russia (Bloomberg)  Three reasons Moscow isn't taking down Ukraine's cell networks (POLITICO)  Hacktivists Stoke Pandemonium Amid Russia’s War in Ukraine (Wired)  DDoS hacktivism: A highly risky exercise (Avast) This Ukrainian cyber firm is offering hackers bounties for taking down Russian sites (The Record by Recorded Future) Ukraine Cyber Official: We Only Attack Military Targets (SecurityWeek)  Volunteer Hackers Converge on Ukraine Conflict With No One in Charge (New York Times)  Russia shares list of 17,000 IPs allegedly DDoSing Russian orgs (BleepingComputer)  Ukraine's 'IT army' targets Belarus railway network, Russian GPS (Reuters)  HawkEye 360 detects GPS interference in Ukraine (SpaceNews)  Hackers are being forced to pick sides in the Russia-Ukraine war (KTVH)  Nvidia allegedly hacks back (Avast) Credentials of 71,000 NVIDIA Employees Leaked Following Cyberattack (SecurityWeek)  Leaked stolen Nvidia cert can code-sign Windows malware (Register)  Hackers claim massive Samsung leak, including encryption keys and source code (Android Police)  Lapsus$ group leaks 190GB of Samsung data, source code (Computing)  Samsung’s secret data leaks after devastating cyberattack (SamMobile)
Mar 07, 2022
Chetan Conikee: Create narratives of your journey. [CTO] [Career Notes]
599
Founder and CTO of ShiftLeft, Chetan Conikee shares his story from computer science to founding his own company. When choosing a career, Chetan notes that "the liking and doing has to matter and be in conjunction with each other." Explaining the parallels between his home country of India and the US, where he studied for his master's, Chetan stresses the need to find someone who inspires you to follow and learn from. On being an entrepreneur, he says, "The entrepreneurial mindset is a sum total of many sufferings that lead to success." Chetan advises you to take time out to write narratives so that you are remembered and so that others following a similar path may learn from you. We thank Chetan for sharing his story with us.
Mar 06, 2022
HEAT: Examining the next-class of browser-based attacks. [CyberWire-X]
2132
Modern enterprises have evolved drastically over the last two years as a result of the global pandemic. Due in part to organizations pivoting quickly to new business models by migrating apps and services to the cloud to enable hybrid and remote workforces, the “new” office has quickly become the web browser. Today, business users are spending an average of 75% of their workday in a browser – that’s where productivity takes place! But the digital enhancements of the last two years have ushered in widespread transformation that expanded attack surfaces and created new opportunities for cyber miscreants, giving rise to Highly Evasive Advanced Threats (HEAT). During this episode of CyberWire-X, the CyberWire's Dave Bittner speaks with Dan Prince, Senior Lecturer in Security and Protection Science at the School of Computing and Communications at Lancaster University, about the topic. Show Sponsor Menlo Security's Nick Edwards and Dave explore what HEAT attacks are, how they work, and why they’re resulting in the rise of ransomware attacks and account takeovers.
Mar 06, 2022
An abuse of trust: Potential security issues with open redirects. [Research Saturday]
1431
Guest Mike Benjamin, VP of Security Research at Fastly, joins Dave Bittner to talk about the Fastly Security Research Team's work on "Open redirects: real-world abuse and recommendations." Open URL redirection is a class of web application security problems that makes it easier for attackers to direct users to malicious resources. This vulnerability class, also known as “open redirects,” arises when an application allows attackers to pass information to the app that results in users being sent to another location. That location can be an attacker-controlled website or server used to distribute malware, trick a user into trusting a link, execute malicious code in a trusted way, drive ad fraud, or even perform SEO manipulation. Knowing how an open redirect can be abused is helpful — but knowing how to design around it in the first place is even more important. Mike walks us through what his team uncovered, explains how redirects are used, how they can be abused, and how you can prevent that abuse. The research can be found here: Open redirects: real-world abuse and recommendations
Mar 05, 2022
Swapping propaganda shots. ICANN will not block the Internet in Russia. Hacktivists achieve a nuisance-level of success. NVIDIA gets a most curious demand. And there’s no US draft.
1590
Propaganda engagements in Russia’s hybrid war against Ukraine. ICANN will not block the Internet in Russia. Hacktivists, real and pretended, achieve a nuisance-level of success in Russia’s war. Scams and misinformation circulate in Telegram. NVIDIA gets a most curious demand from a cyber gang. CISA’s ICS advisories. Johannes Ullrich looks at phishing pages on innocent websites. Our guest is Chase Snyder from ExtraHop to discuss implications of the cyber talent shortage. And, hey, newsflash, no matter what the texts on your phone might say, there’s no military draft in the US. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/43 Selected readings. Putin Thought Ukraine Would Fall Quickly. An Airport Battle Proved Him Wrong (Wall Street Journal) Russia's chaotic and confusing invasion of Ukraine is baffling military analysts (CNBC)  Last Vestiges of Russia’s Free Press Fall Under Kremlin Pressure (New York Times)  Don’t mention the war: Russian state media sells the lie of Ukrainians shelling their own cities (The Telegraph)  Russian troops in disarray and ‘crying’ in combat, radio messages reveal (The Telegraph)  Demoralised Russian soldiers tell of anger at being ‘duped’ into war (the Guardian) The propaganda war has eclipsed cyberwar in Ukraine (MIT Technology Review) Ukraine's request to cut off Russia from the global internet has been rejected (CNN)  No, the Army isn’t sending Ukraine draft notices via text (Army Times)  Hackers Who Broke Into NVIDIA's Network Leak DLSS Source Code Online (Hacker News)  Hackers warn Nvidia to open-source their GPU drivers or face data leak (Computing)  Cybercriminals who breached Nvidia issue one of the most unusual demands ever (Ars Technica)  BD Pyxis (CISA)  BD Viper LT (CISA)  IPCOMM ipDIO (CISA)
Mar 04, 2022
Russia and Belarus exchange cyber operations with Ukraine. The US announces Task Force KleptoCapture. Vulnerable infusion pumps. TCP middlebox reflection. Notes on sanctions.
1824
The UN condemns Russia’s war in Ukraine. Ukraine’s cyber volunteers appear to be operating under the direction of Kyiv’s Ministry of Defense, and may be targeting Russian infrastructure. Belarusian cyber operators are phishing with stolen Ukrainian credentials in a cyberespionage campaign. Task Force KleptoCapture. Infusion pumps found vulnerable to cyberattack. TeaBot is found in the Play Store. TCP middlebox reflection. Dan Prince from Lancaster University on trustworthy autonomous systems. Our guest is John Shegerian from ERI on the security angle of e-recycling. And no more Harleys for Mr. Putin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/42 Selected reading.
Cyber Realism in a Time of War
Russian Hybrid War Report: Social platforms crack down on Kremlin media as Kremlin demands compliance
Russia's war spurs corporate exodus, exposes business risks
Using DDoS, DanaBot targets Ukrainian Ministry of Defense
Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement
Phishing campaign targets European officials assisting in refugee operations
Anonymous vs. Russia: Hackers Say Space Agency Breached, More Than 1,500 Websites Hit
Conti Ransomware Source Code Leaked
Hacker Group Anonymous Vows to Disrupt Russia's Internet — RT Websites Become 'Subject of Massive DDoS Attacks'
Ukrainian cyber resistance group targets Russian power grid, railways
Army of Cyber Hackers Rise Up to Back Ukraine
U.S. Officials Detail Efforts to Enforce Raft of New Russia Rules
TCP Middlebox Reflection: Coming to a DDoS Near You
TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps
Infusion Pump Vulnerabilities: Common Security Gaps
Mar 03, 2022
Slow-motion brutality against Ukraine as sanctions begin to bite Russia. Big Tech takes sides. Ransomware continues to bother major corporations.
1769
Russia’s invasion in Ukraine is still slow, but it’s grown more brutal. Sanctions are beginning to hit Russia hard. The cyber phase of this hybrid war seems more informational than destructive, which is surprising. Big Tech has taken Ukraine’s side, and some Russian companies face a tough balancing act. Our guest is Lavi Lazarovitz from CyberArk with predictions on supply chain security. Malek Ben Salem from Accenture on deploying effective deception systems. And ransomware continues to pester major corporations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/41 Selected reading. Ukraine at D+6: Shocking and awful. (The CyberWire) The Fog of Cyberwar Descends on Ukraine and Russia (Bloomberg)  Russian Electric Vehicle Chargers Hacked, Tell Users ‘PUTIN IS A DICKHEAD’ (Vice)  Western Sanctions Bite Russian Economy, but Pose Unpredictable Risks (Wall Street Journal)  Targeted APT Activity: BABYSHARK Is Out for Blood (Huntress)  5 New Vulnerabilities Discovered in PJSIP Open Source Library (JFrog)  Nvidia says hackers are leaking company data after ransomware attack (TechCrunch)  Insurer Aon falls victim to a cyber attack (Computing)  Toyota to restart Japan production after cyberattack on supplier triggers one-day halt (The Edge Markets)  Cyberattack on Toyota's supply chain shuts all its factories in Japan for 24 hours (CNN)
Mar 02, 2022
Updates on Russia’s invasion of Ukraine, and the cyber phases of a hybrid war. Hacktivists and privateers. New Chinese malware described. Registration-bombing.
1787
Stalled columns, rocket fire, and negotiation over Ukraine. Two new pieces of malware found in use against Ukrainian targets. Ben Yelin joins us with analysis. Dealing with WhisperGate and HermeticWiper. The muted cyber phases of a hybrid war. Leaked files reveal Conti as a privateer. Sanctions move from deterrence to economic "war of attrition." Daxin: a backdoor that hides in normal network traffic. Registration-bombing lets fraud hide in the weeds. Our guest is Tresa Stephens from Allianz on the elevated concern for cyber risk among business leaders. And Razzlekhan talking a deal? Resources Ukraine Fighting Overshadows Chance of Russia Talks’ Success (Bloomberg) Both sides agree to second set of talks even as fighting rages. Russia suffers market seizure as ruble plunges on sanctions. After a Fumbled Start, Russian Forces Hit Harder in Ukraine (New York Times) After days of miscalculation about Ukraine’s resolve to fight, Russian forces are turning toward an old pattern of opening fire on cities and mounting sieges. The dire predictions about a Russian cyber onslaught haven’t come true in Ukraine. At least not yet. (Washington Post) For more than a decade, military commanders and outside experts have laid out blueprints for how cyberwar would unfold: military and civilian networks would be knocked offline, cutting-edge software would sabotage power plants, and whole populations would be unable to get money, gas or refrigerated food. A Free-for-All But No Crippling Cyberattacks in Ukraine War (SecurityWeek) In the early days of the war in Ukraine, Russia's ability to create mayhem through malware hasn’t had much of a noticeable impact CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks (SecurityWeek) The two U.S. agencies warn that both malware families were used in destructive cyberattacks targeting organizations in Ukraine. 
Anonymous Hacker Group Targets Russian State Media (SecurityWeek) Hacker group Anonymous claimed responsibility on for disrupting the work of websites of pro-Kremlin Russian media in protest of the invasion of Ukraine. Ukraine’s Volunteer ‘IT Army’ Is Hacking in Uncharted Territory (Wired) The country has enlisted thousands of cybersecurity professionals in the war effort against Russia. After Conti backs war, ransomware gangs realize peril of patriotism amid infighting (SC Magazine) Ransomware is actually a complex global economy. Different groups design ransomware and license that ransomware for use in attacks, with the latter often using many different vendors of the former. So while the designers of Conti may be Russian, the affiliate groups using Conti may include Ukrainians. And like in any business, there is peril in angering the consumer. A ransomware group paid the price for backing Russia (The Verge) Is proximity to the Putin regime becoming a liability? U.N. General Assembly set to isolate Russia over Ukraine invasion (Reuters) The 193-member United Nations General Assembly began meeting on the crisis in Ukraine on Monday ahead of a vote this week to isolate Russia by deploring its "aggression against Ukraine" and demanding Russian troops stop fighting and withdraw. Russia defends invasion during emergency UN General Assembly (Deutsche Welle) A clear majority of UN member states are expected to vote to condemn Russia's actions as Moscow becomes increasingly isolated internationally. The New Russian Sanctions Playbook (Foreign Affairs) Deterrence is out, and economic attrition is in. Russia seeks to halt investor stampede as sanctions hammer economy (Reuters) Russia said it was placing temporary curbs on foreigners seeking to exit Russian assets on Tuesday, putting the brakes on an accelerating investor exodus driven by crippling Western sanctions imposed over the invasion of Ukraine. 
For links to all of today's stories check out CyberWire daily news briefing for March 1, 2022.
Mar 01, 2022
An update on Russia’s hybrid war against Ukraine. Offensive cyber operations under hacktivist guise. Russian privateers return (also as hacktivists). Some non-war-related hacking.
1628
Ukrainian resistance may have stalled the Russian advance at key points. Cyber operations against Ukraine (and Russia). Diplomacy, now short of surrender? A SWIFT kick. Return of the privateers, now in the guise of patriotic hacktivists. Not all hacking is war-related. Josh Ray from Accenture on KillACK Backdoor Malware Continues to Evolve. Rick Howard revisits the cyber sand table. Criminals exploit Ukraine's suffering in social engineering campaigns. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/39
Feb 28, 2022
Sloane Menkes: What is the 2%? [Consultant] [Career Notes]
581
Principal in PricewaterhouseCoopers Cyber Risk and Regulatory Practice, Sloane Menkes, shares her story of how non-linear math helped to shape her life and career. Sloane credits a high school classmate for inspiring her mantra "What is the 2%?" that she employs when she feels like things are shutting down. She talks about her experiences in calculus class at the US Air Force Academy that helped to enlighten her and inform the intuitive problem-solving skill, or way of thinking, that she had been employing in her life. She joined the Office of Special Investigations, and working there with Howard Schmidt is where Sloane first became interested in cybersecurity. She shares that what she loves about the consulting role is that the environment is constantly changing, and she offers some advice for women interested in cybersecurity. We thank Sloane for sharing her story with us.
Feb 27, 2022
Noberus ransomware: Coded in Rust and tailored to victim. [Research Saturday]
1294
Guest Dick O'Brien, Principal Editor at Symantec, joins Dave to discuss their team's research, "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware." Noberus is a new ransomware used in a mid-November attack; ConnectWise was the likely infection vector. Symantec, a division of Broadcom Software, tracks this ransomware as Ransom.Noberus, and our researchers first spotted it on a victim organization on November 18, 2021, with three variants of Noberus deployed by the attackers over the course of that attack. This would appear to show that this ransomware was active earlier than was previously reported, with MalwareHunterTeam having told BleepingComputer they first saw this ransomware on November 21. Noberus is an interesting ransomware because it is coded in Rust, and this is the first time we have seen a professional ransomware strain that has been used in real-world attacks coded in this programming language. Noberus appears to carry out the now-typical double extortion ransomware attacks, where the attackers first steal information from victim networks before encrypting files. Noberus adds the .sykffle extension to encrypted files. The research can be found here: Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware
Feb 26, 2022
Hybrid aggression and hybrid resistance. Sanctions, defense, and (maybe) retaliation. MuddyWater is newly active. Trickbot seems to have retired. Notes on misinformation and the fog of war.
1761
Russia’s full-scale invasion meets regular and irregular Ukrainian resistance. Public uses of intelligence products. Hybrid aggression and hybrid defense in cyberspace, as the civilized world imposed sanctions on Russia. Iran’s MuddyWater threat actor is back, with renewed cyberespionage. Good-bye to Trickbot. Carole Theriault wraps up her look at mobile device security. Rick Howard checks in with Matthew Sharp (Logicworks) & "Rock" Lambros (RockCyber) on "The CISO Evolution". And some notes on the fog of war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/38
Feb 25, 2022
Russia’s full-scale invasion of Ukraine began this morning at 5:00 AM, Kyiv local time. Cyberattacks are serving as combat support and strategic disruption.
1507
Russia opens a general war against Ukraine, with rocket fires, heavy forces, and a not-so-veiled threat to NATO. Cyber operations are serving as combat support and strategic disruption. While the war in Ukraine dominates the news, elsewhere in the world cybercrime and cyberespionage continue at their customary levels. Carole Theriault looks to the security of your mobile devices. And our guest is Dr. Chenxi Wang of Rain Capital with insights on the new NIST software supply chain security standards. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/37
Feb 24, 2022
Putin goes medieval (we paraphrase the UK defense secretary). Cyberattack disrupts a logistics giant. Two reports look at the state of industrial cybersecurity.
1843
With diplomacy at a stand and Russian troops now openly in Ukraine, Western governments impose sanctions on Russia. A fresh round of distributed denial-of-service attacks against Ukraine. Cobalt Strike continues to be misused by criminals. A cyberattack has severely disrupted a major logistics firm. My conversation with Assistant Director Bryan Vorndran of the FBI Cyber Division. Our guest Ed Amoroso from TAG Cyber explains Research as a Service. And two looks at the recent and prospective state of industrial cybersecurity. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/36
Feb 23, 2022
Escalation in Russia’s hybrid aggression. APT10’s espionage against Taiwan’s financial sector. Developments in the C2C market. Jamming your teen’s Internet access.
1817
Russia escalates its hybrid war against Ukraine, with cyber implications for the rest of the world. Xenomorph banking Trojan hits European Android users. APT10’s months-long espionage campaign against Taiwan’s banks. Hive ransomware’s flawed encryption is good news. Trickbot’s place in the C2C market. Joe Carrigan shares the latest evolution of business email compromise. John Pescatore’s Mr. Security Answer Person returns. And there’s a right way and a wrong way to keep your teen offline. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/35
Feb 22, 2022
Interview select: Kenneth Geers of NATO's CCD COE on "Cyber War in Perspective: Russian Aggression Against Ukraine."
1432
As we break to observe Washington's birthday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with Kenneth Geers from NATO's CCD COE on "Cyber War in Perspective: Russian Aggression Against Ukraine." Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.
Feb 21, 2022
Bonus: Afternoon Cyber Tea: IoT-Based Infrastructures
1792
Afternoon Cyber Tea with Ann Johnson is a CyberWire Network podcast created by Microsoft Security. It's a bi-weekly show that comes out every other Tuesday. We thought you would enjoy this episode in particular and hope you consider subscribing in your favorite podcast app. Diana Kelley, co-founder and CTO of SecurityCurve, a cybersecurity consulting firm, joins Ann Johnson on this episode of Afternoon Cyber Tea. Diana is a globally known security expert who donates much of her time volunteering in the cybersecurity community while also serving on the Association for Computing Machinery Ethics and Plagiarism Committee. Diana talks with Ann about helping inexperienced organizations get up to speed on the cybersecurity landscape, some of the significant security and privacy hurdles currently plaguing the field, and some of the best practices to assist network defenders and users trying to combat botnet threats.
In This Episode You Will Learn:
How companies can protect themselves from new unsecure devices
When security risks correspond with access management and IoT devices
Why we need security programs to grow to a new level
Some Questions We Ask:
How should network defenders and users combat botnet threats?
What types of universal IoT standards need to be created?
What privacy hurdles are currently plaguing the field of IoT-connected devices?
Resources:
View Diana Kelley on LinkedIn
View Ann Johnson on LinkedIn
Related:
Listen to: Security Unlocked: CISO Series with Bret Arsenault
Listen to: Security Unlocked
Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of The CyberWire Network.
Feb 21, 2022
Joe Carrigan: Build your network. [Security engineer] [Career Notes]
609
Senior security engineer with the Johns Hopkins University Information Security Institute and the Institute for Assured Autonomy, Joe Carrigan, shares what he calls his life mistake and what spurred him to finally choose a career in technology. Throughout his life Joe had an interest in technology; he even worked at the computer lab in college, but never set his sights on it as a career. A conversation with a stranger guided him in that direction, and he's been there ever since. As co-host of the CyberWire's Hacking Humans, Joe sees some heartbreaking results of scams and feels that education of the public will help to prevent them. Joe reminds us to build our networks, as they include people we can always go back to, whether when searching for a position or looking to fill one on our teams. We thank Joe for sharing his story with us.
Feb 20, 2022
What Log4Shell has taught us. [CyberWire-X]
1928
If 2021 taught us anything, it’s that our supply chain–especially our technical supply chain–hangs in the balance of a very fragile system. The year came to a close with the announcement of the Log4j zero day. Talk about saving the best for last. On this episode of CyberWire-X, the CyberWire's Rick Howard speaks with Tom Quinn, CISO at T. Rowe Price, about the topic. Show Sponsor ExtraHop’s Head of Product, Ted Driggs, joins the CyberWire's Dave Bittner to examine what Log4Shell tells us about the state of cyber defense going into 2022, and what enterprises can do to prepare. Through these conversations, we explore the challenges that enterprises had in patching the vulnerability, take a closer look at the advanced post-compromise threat activity spotted in the wild, and glean lessons that can be learned to build resilience against the next Log4j-style zero day.
Feb 20, 2022
Instagram hijacks all start with a phish. [Research Saturday]
1378
Guest Marcelle Lee, Senior Security Researcher and Emerging Threats Lead, from SecureWorks joins Dave to share her team's work on "Ransoms Demanded for Hijacked Instagram Accounts." An extensive phishing campaign has targeted corporate Instagram accounts since approximately August 2021. The threat actors demand ransoms from the victims to restore access. Organizations typically focus on traditional enterprise cybersecurity threats. However, some threats are more subtle, targeting organizations on unexpected platforms. In October 2021, Secureworks Counter Threat Unit (CTU) researchers identified a phishing campaign that hijacks corporate Instagram accounts, as well as accounts of individual influencers who have a large number of followers. The threat actors then extort ransom payments from the victims. The activity continues at the time of the interview. The research can be found here: Ransoms Demanded for Hijacked Instagram Accounts
Feb 19, 2022
False flags, disinformation, and cyber operations in a hybrid conflict. Log4j vulnerabilities exploited. Wiper used against Iranian television. Kraken’s evolution. CISA’s guide to free security tools.
1747
False flags and disinformation in Ukraine, as Western governments warn of the risk of both Russian escalation and the prospects of cyberattacks spreading beyond Ukraine’s borders. Log4j “Day-1” vulnerabilities exploited in the wild. Threat actors deployed a wiper in the course of hijacking Iranian television. The Kraken botnet is evolving, picking up an information-stealing capability. Our guest is Brittany Allen of Sift to discuss the DOJ seizing 3.6B worth of stolen crypto. Chris Novak from Verizon addresses Geopolitics and threat intelligence. And CISA launches a Catalog of Free Cybersecurity Services and Tools. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/34
Feb 18, 2022
Someone’s engaged in provocation in the Donbas. Ukraine sees a Russian influence operation in recent DDoS attacks. Ice phishing as a threat made for a decentralized web.
1762
Provocation may have begun in Ukraine, and no one but Russia can see any signs of a Russian withdrawal of troops to garrison. Recent DDoS attacks in Ukraine are seen as an influence operation. The compromise of International Red Cross data has been tentatively attributed to an unnamed state actor. Johannes Ullrich from SANS shares a fancy phish. Our guests are Mike Theis and Stacy Hadeka from Hogan Lovells to discuss the cyber aspects of the False Claims Act. And Microsoft describes ice phishing: social engineering for a decentralized web3. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/33
Feb 17, 2022
A warning of cyberespionage targeting US cleared defense contractors. Update on the hybrid war against Ukraine. China’s favorite RAT. QR codes. Addiction to alt-coin speculation.
1858
US agencies warn of Russian cyberespionage against cleared defense contractors. Updates on the Russian pressure against Ukraine. ShadowPad as China’s RAT of choice. BlackCat claims to have leaked data stolen in a double-extortion ransomware attack. Follow the bouncing QR code. Dinah Davis from Arctic Wolf on Canada’s government ransomware playbook. Rick Howard chats with Bill Mann from Styra on DevSecOps. And if you’re addicted to cryptocurrency speculation, the first step in recovery is admitting you’ve got a problem. (The second step is to step away from the phone.) For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/32
Feb 16, 2022
Cyberattacks reported in Ukraine as Russia signals a willingness to negotiate with NATO. TA2541 targets aviation and allied sectors. BlackCat’s tough to shake. Romance scams. Beamers.
1638
Reports of cyberattacks against Ukrainian targets as the parties to the crisis resume negotiations. The US has been forthcoming with intelligence on Russia’s ambitions in the region; those revelations form part of an influence strategy. An apparent criminal group is targeting aviation and related sectors. BlackCat ransomware victims are having difficulty recovering. Why conditions favor romance scams. Ben Yelin looks at pending cyber breach notification laws. Our guest Padraic O'Reilly from CyberSaint on the effectiveness of Biden's plan to protect the water sector. And “beamers” defraud Roblox players. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/31
Feb 15, 2022
Hybrid war warnings over Russian designs on Ukraine. Senators ask about CIA bulk surveillance. No charges against reporter who inspected a website. Hacktivists or vigilantes?
1473
The US and the UK warn of the possibility of false-flag provocations as Russia keeps the pressure on Ukraine. NATO members and others issue warnings of the threat of Russian cyber operations spilling over the Ukrainian border. Two US Senators want an accounting from the CIA over an alleged bulk collection operation. No charges filed in the case of a reporter who viewed a website source. Hacktivism and vigilantism. 49ers hacked. Daniel Prince from Lancaster University on improving security in agile health IoT development. Rick Howard targets supply chain issues with the hash table. And have a careful Valentine’s Day. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/30
Feb 14, 2022
Roselle Safran: So much opportunity. [Entrepreneur][Career Notes]
487
CEO and Founder of KeyCaliber, Roselle Safran, takes us on her circuitous career journey from startup to White House and back to startup again. With a degree in civil engineering, Roselle veered off into a more technical role at a startup and, she says, "caught the startup bug." After convincing a hiring manager that she could learn on the job, she transitioned to computer forensics and started on the path of cybersecurity. Roselle worked in government for the Department of Homeland Security and then moved to the Executive Office of the President, leading all of the security operations. She jumped back into the world of startups and has stayed there. Roselle tells people interested in a career in cybersecurity to just apply. Learn as much as you can and go for it. We thank Roselle for sharing her story with us.
Feb 13, 2022
SysJoker backdoor masquerades as benign updates. [Research Saturday]
944
Guests Avigayil Mechtinger and Ryan Robinson from Intezer discuss SysJoker malware, a backdoor that targets Windows, Linux and macOS. Malware targeting multiple operating systems is no longer an exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the most recent examples. In December 2021, the team at Intezer discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. Intezer named this backdoor SysJoker. SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, Intezer found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, Intezer estimates that the SysJoker attack was initiated during the second half of 2021. The research can be found here: New SysJoker Backdoor Targets Windows, Linux, and macOS
Feb 12, 2022
Update on Russia’s hybrid threat to Ukraine. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back. And there’s a new wrinkle in the old familiar Nigerian prince scam.
1746
Update on Russia’s hybrid threat to Ukraine, with observations on possible international spillover. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back, and has resumed operations against government, healthcare, and education targets. Caleb Barlow warns of attacks coming from inside your network. Our guest is Tom Boltman of Kovrr on the shift in the cyber insurance market due to ransomware. And there’s a new wrinkle in the old familiar Nigerian prince scam–did you know the UN was compensating victims by sending them ATM cards? Neither did the UN. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/29
Feb 11, 2022
Liquidating Lviv botfarms. Notes on hybrid war. Digital frameups in India? The Lazarus Group’s new yet familiar phishbait. Warnings about ransomware.
1732
Ukraine takes down two botfarms pushing panic. Thoughts on hybrid warfare. Russia and China explain how we ought to see the political and online worlds. Digital frameups are reported in India. Lazarus phishes with bogus job offers. Espionage services looking for journalists’ sources. David Dufour from Webroot ponders the Metaverse. Our guest is Amanda Fennell, host of the Security Sandbox podcast. And public and private-sector warnings about ransomware.
Feb 10, 2022
A Foreign Office hack is disclosed (but that’s it). Preparing for a cyber escalation in the hybrid war Russia’s waging against Ukraine. Multi-cloud threats. Patch Tuesday notes. Razzlekhan raps.
1638
Britain’s Foreign Office sustained a cyberattack last month (the details are secret). Poland stands up a Cyber Defense Force as Europe and North America raise their level of cyber readiness. Negotiations over the Russian pressure on Ukraine are likely to be protracted. Threats to multi-cloud environments. Patch Tuesday notes. Dinah Davis from Arctic Wolf on keeping kids safe online. Carole Theriault examines Mozilla’s Privacy Not Included campaign. And Razzlekhan rocks the mic with her mad skillz, or used to, anyway. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/27
Feb 09, 2022
Crowdfunding hacktivists and other irregulars. The Molerats have some new tools. Right-to-left override. Arrests in a cryptocurrency money-laundering case.
1679
Diplomacy continues over the Russian threat to Ukraine. In the meantime, hacktivists and others are said to be receiving crowdfunding through alt-coin remittances. The Molerats are back, and they have some new tools. Right-to-left override is being seen again in the wild. Vodafone Portugal is taken offline by a cyberattack. Joe Carrigan on Meta’s ten billion dollar privacy hit. Our guest is Greg Otto from Intel 471 to discuss shifts in ransomware strains. And two arrests are made in a money-laundering case connected with the Bitfinex hack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/26
Feb 08, 2022
Russia’s hybrid war against Ukraine is currently heavier on the cyber than it is on the kinetic. BlackCat’s connection with DarkSide. An alert on LockBit. And six Indian call centers indicted.
1639
The FSB is active against Ukrainian targets as NATO continues to work out the cybersecurity assistance it will provide Kyiv. BlackCat is found to be connected to the DarkSide gang, either as a superseding affiliate or as a simple rebranding of the same old crew. The FBI issues an alert about LockBit. Kevin Magee from Microsoft on their final report on Nobelium and the SolarWinds attack. Rick Howard steers the hash table toward supply chains. And the US has indicted six call centers in India on charges related to some familiar scams. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/25
Feb 07, 2022
The persistent and patient nature of advanced threat actors. [Research Saturday]
1196
Guest Danny Adamitis from Black Lotus Labs joins Dave to discuss their team's new research "New Konni Campaign Kicks the New Year Off by Targeting Russian Ministry of Foreign Affairs." Black Lotus Labs, the threat research team of Lumen Technologies, uncovered a series of targeted actions against the Russian Federation’s Ministry of Foreign Affairs (MID). Based upon the totality of information available and the close correlation with prior reporting, we assess with moderate confidence these actions leveraged the Konni malware, which has previously been associated with the Democratic People’s Republic of Korea, and were undertaken to establish access to the MID network for the purpose of espionage. This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks. After gaining access through stolen credentials, the actor was able to exploit trusted connections to distribute and load the malware, first by impersonating a government software program coinciding with new Covid mandates, and then through sending trojanized files from a compromised account. The research can be found here: New Konni Campaign Kicks Off The New Year By Targeting Russian Ministry Of Foreign Affairs
Feb 05, 2022
Update on Russian cyber ops and disinformation around Ukraine. Ransomware disrupts European ports. Chinese intelligence services exploit a Zimbra zero-day.
1678
Primitive Bear is snuffling around Ukraine, and Russia may be preparing deepfake video to lend legitimacy to its claims with respect to its neighbor. European ports and other logistical installations are under attack by ransomware, apparently uncoordinated criminal activity. Daniel Prince from Lancaster University on safeguarding IoT in Healthcare. Our guest is Chris Wysopal of Veracode with research on increases in automation and componentization in software development. And a Chinese APT is said to be exploiting a Zimbra webmail cross-site-scripting zero-day, so users beware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/24
Feb 04, 2022
Ukraine goes to a higher state of cyber alert. Chinese cyberespionage hits financial services in Taiwan. Arid Viper is back, and so is Adalat Ali. BlackCat disrupts fuel distro in Germany. Hacking the DPRK.
1782
Ukraine and NATO increase their cyber readiness. Chinese cyberespionage has been looking closely at financial services in Taiwan. Hacktivists hit Iranian state television. Arid Viper is phishing for targets in the Palestinian Territories, and apparently doesn’t care who knows it. BlackCat ransomware implicated in attacks on German fuel distribution firms. Verizon’s Chris Novak shares his thoughts on the cyber talent pool. Our guest is Torin Sandall from Styra on Open Policy Agent. And, Bro, treat yourself to a pair of Vans. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/23
Feb 03, 2022
Both sides in the conflict over Ukraine are talking with their allies and preparing for conflict in cyberspace. A cyberattack disrupts gasoline distribution in Germany. Notes on APTs and privateers.
1637
Tensions between Russia and Ukraine, and between Russia and NATO, remain high as diplomacy is at a temporary impasse: both sides have stated their incompatible positions and are consulting with their allies. NATO prepares to render cyber assistance to Ukraine. An unspecified cyberattack affects gasoline distribution in Germany. The White Tur threat group borrows heavily from several APTs, but itself remains mysterious. Charming Kitten gets some new claws. Caleb Barlow on Harvard’s analysis of Equifax. Our guest is Gunter Ollmann from Devo discussing their third annual SOC Performance Report. And the Trickbot gang seems to be privateering in that old familiar way. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/22
Feb 02, 2022
Updates on the crisis over Ukraine, as Russian cyber operations continue. Ransomware threatens OT. Ramnit remains a leading banking Trojan. Bots infesting some NFT markets. Agencies advise opsec.
1890
No progress so far in talks over the Ukraine crisis, as Moscow’s diplomacy and influence operations merge in a narrative of a Russia beset by armed Nazis, goaded on by a greedy America that doesn’t want Russia competing in world markets. Ransomware and cyberthreats to OT systems. Ramnit is still up and at ’em in the banking Trojan world. Bots are following big brands in NFT markets, with predictable effects. Ben Yelin has an update on NSO Group’s marketing attempts to the FBI. An introduction to Dr. Andrew Hammond and the SpyCast podcast. And sending that sample in for your doctor? Bro, buy locally. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/21
Feb 01, 2022
The UN Security Council will take up Russia’s hybrid war against Ukraine as Western powers prepare sanctions. Other ransomware and social engineering campaigns.
1710
The US takes Russia to the UN Security Council over its threat to Ukraine, and, while Russian forces remain in assembly areas, a campaign of cyberattack and influence operations continues. Western powers, notably the UK and the US, are preparing sanctions against Russia. Elsewhere, ongoing ransomware and social engineering. Dinah Davis from Arctic Wolf on Linux malware via IoT devices. Rick Howard shares his favorite sources for keeping up to date. And there’s a pair of decisions in a long-running case involving HP Enterprise’s purchase of Autonomy. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/20
Jan 31, 2022
Helen Patton: A platform to talk about security. [CISO] [Career Notes]
615
Advisory CISO at Cisco, Helen Patton, shares that it was a combination of dumb luck, hard work and serendipity that got her to where she is today. Growing up in the country in Australia, Helen notes that computers were not really a thing. She happened into technology after moving to the US, as she was the only person in her office under 40. Of course she would be comfortable with computers and able to handle a database conversion, right? That launched her into a career that spanned supporting small nonprofits, working at one of the biggest banks on Wall Street while leading a global team, being the CISO of a major university, and now Advisory CISO at Cisco. Helen recently wrote a book, "Navigating the Cybersecurity Career Path," to help others know when it's time to move on from one role to another, as part of a desire to give back to the community. We thank Helen for sharing her story with us.
Jan 30, 2022
Zero Trust for cloud assets: Identity authentication and authorization. [CyberWire-X]
2055
Applying Zero Trust principles to access rights can be tricky given the volume and dynamic nature of services in the cloud. Serverless compute services, like AWS Lambda, multiply the volume of identities to manage. These cloud services often have excessive permissions to access sensitive data and can become a potential entry point for an attacker to exploit. The CyberWire's Rick Howard speaks with Scott Farber, Principal Cyber Architect & Zero Trust Technical Lead at MITRE, about the topic. Show sponsor Sysdig's Vice President of Security Product Management, Maor Goldberg, brings experience with data center and cloud to a discussion with CyberWire-X on the considerations for managing access rights in this hybrid world. They consider the pros and cons of different approaches to enforcing least privilege in the cloud.
Jan 30, 2022
Use of legitimate tools possibly linked to Seedworm. [Research Saturday]
973
Guest Sylvester Segura from the Symantec Threat Hunter Team joins Dave to discuss their team's work on "Espionage Campaign Targets Telecoms Organizations across Middle East and Asia." Attackers most likely linked to Iran have attacked a string of telecoms operators in the Middle East and Asia over the past six months, in addition to a number of IT services organizations and a utility company. Organizations in Israel, Jordan, Kuwait, Saudi Arabia, the United Arab Emirates, Pakistan, Thailand, and Laos were targeted in the campaign, which appears to have made no use of custom malware and instead relied on a mixture of legitimate tools, publicly available malware, and living-off-the-land tactics. While the identity of the attackers remains unconfirmed, there is some evidence to suggest a link to the Iranian Seedworm (aka MuddyWater) group. The targeting and tactics are consistent with Iranian-sponsored actors. The research can be found here: Espionage Campaign Targets Telecoms Organizations across Middle East and Asia
Jan 29, 2022
Diplomacy and cyber warnings in the Ukraine crisis. REvil may not actually be out of business. A warning about Iranian state-directed hacking. And Data Privacy Day is observed.
1710
Diplomatic channels remain open even as NATO and the US reject Russian demands over Ukraine. More warnings over Russian cyber operations in the hybrid conflict (Voodoo Bear is mentioned in dispatches). Social media as a source of tactical intelligence. The FBI tells industry to be alert for Iranian hacking. Ransomware continues to circulate. Josh Ray from Accenture digs into the Bassterlord Networking Manual. Carole Theriault examines a university data backup snafu. And a happy Data Privacy Day to all. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/19
Jan 28, 2022
Updates on the hybrid war in Ukraine. Industrial espionage in Germany, conventional espionage in Western Asia. C2C markets, social engineering, and scamware.
1507
Cyber risk continues over Ukraine as the US and NATO reject Russian demands. Emissary Panda’s industrial espionage against German industry. Fancy Bear is spotted in Western Asia. The C2C market’s initial access broker Prophet Spider is selling access to unpatched VMware Horizon instances. Social engineering adapts to its marks. Thomas Etheridge from CrowdStrike on the power of Identity/Zero Trust in stopping ransomware attacks. Our guest is Gary Guseinov of Real Defense to discuss M&A activity. And Dark Herring scamware is ejected from app stores, but not before hitting over a hundred million victims. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/18
Jan 27, 2022
Tensions between Russia and Ukraine remain high as NATO offers Ukraine cyber, diplomatic, and other support. DDoS in the DPRK. DazzleSpy in the watering hole. TrickBot ups its game.
1719
Tensions between Russia and Ukraine remain high as NATO offers Ukraine cyber, diplomatic, and other support. North Korea gets DDoSed. DazzleSpy hits Hong Kong dissidents drawn to a watering hole. TrickBot ups its game. A quick look at ransomware trends. Microsoft’s Kevin Magee unpacks a recent World Economic Forum report. Our own Rick Howard speaks with Chriss Knisley from MITRE ATT&CK Defender on certifications. And Dame Fortune teaches Michiganders to throw caution to the winds. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/17
Jan 26, 2022
Hacktivism as irregular operations-short-of-war. A banking Trojan aims at fraudulent wire transfers. DTPacker’s two-step delivery. REvil re-forms? Ransomware and insider threats. DDoS in Andorra.
1969
Tensions remain high as Russia assembles troops near Ukraine and NATO moves to higher states of readiness. The Belarusian Cyber Partisans claim responsibility for a ransomware attack against Belarusian railroads. The BRATA banking Trojan spreads, as does DTPacker malware. REvil alumni may be getting the band back together. Ransomware operators are working harder to recruit insiders at their targets. Joe Carrigan has the story of a romance scammer in custody. Mr. Security Answer Person John Pescatore has thoughts on BYOD. And there’s a major DDoS campaign shutting down the Internet in Andorra. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/16
Jan 25, 2022
Updates on the continuing hybrid war in Ukraine. Julian Assange will get another chance to avoid extradition. And Russian privateers find that they’re expendable.
1724
Updates on the continuing hybrid war in Ukraine. The UK charges Russia with trying to install a puppet in Kyiv. Nominal hacktivists claim an attack against Belarusian railroads. Compromise of Greek parliamentary email accounts reported. Netherlands authorities warn against relaxing your guard against Log4j exploitation. Julian Assange will get another chance to avoid extradition. Rick Howard’s been pondering his reading list. Dinah Davis from Arctic Wolf on securing your smart speakers. And Russian privateers find that they’re expendable. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/15
Jan 24, 2022
Andrew Maloney: Never-ending thirst for knowledge. [COO] [Career Notes]
545
COO and Co-Founder of Query.AI, Andrew Maloney, shares how the building blocks he learned in the military helped him get where he is today. Coming from a blue collar family with minimal knowledge of computers, Andrew went into computer operations in the Air Force. While deployed to Oman just after the start of the Iraq War, Andrew said he got his break into security. That's where he learned the components that fit together in order to effectively secure an environment. Andrew's words of wisdom: You've got to keep pushing and you've got to believe in yourself and never sell yourself short. We thank Andrew for sharing his story with us.
Jan 23, 2022
A collaboration stumbles upon threat actor Lyceum. [Research Saturday]
1136
Guest Rob Boyce, Accenture's Global Lead for Cyber Incident Response and Transformation Services, joins Dave to discuss joint research done by Accenture’s Cyber Threat Intelligence (ACTI) group and Prevailion’s Adversarial Counterintelligence Team (PACT). The teams dug into recently publicized campaigns of the cyber espionage threat group Lyceum (aka HEXANE, Spirlin) to further analyze the operational infrastructure and victimology of this actor. The team’s findings corroborate and reinforce previous ClearSky and Kaspersky research indicating a primary focus on computer network intrusion events aimed at telecommunications providers in the Middle East. Additionally, the research expands on this victim set by identifying additional targets within internet service providers (ISPs) and government agencies. Although all victim-identifying information has been redacted, this report seeks to provide these targeted industry and geographic verticals with additional knowledge of the threat and mitigation opportunities. The research can be found here: Who are latest targets of cyber group Lyceum?
Jan 22, 2022
Ukrainian crisis continues, with attendant risk of hybrid warfare. MoonBounce malware in the wild. Pirate radio hacks a number station.
1636
US and Russian talks over Ukraine conclude with an agreement to further exchanges next week. Western governments continue to recommend vigilance against the threat of Russian cyberattacks against critical infrastructure. The US Treasury Department sanctions four Ukrainian nationals for their work on behalf of Russia’s FSB and its influence operations. A firmware bootkit is discovered in the wild. Security turnover at Twitter. Caleb Barlow looks at wifi hygiene. Our guest is Allan Liska on his latest ransomware book. And a number station gets hacked, in style. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/14
Jan 22, 2022
Looking toward tomorrow’s Russo-American talks about the Ukraine crisis. A memorandum gives NSA oversight authority for NSS. A look at the C2C markets.
1812
As Russian forces remain in assembly areas near the Ukrainian border, the US and Russia prepare for tomorrow’s high-level talks in Geneva. NATO members look to their cyber defenses. US President Biden issues a Memorandum on Improving the Cybersecurity of National Security, Department of Defense, and Intelligence Community Systems. Notes on C2C markets. Mirai is exploiting Log4j flaws. Verizon’s Chris Novak shares insights on Log4j challenges. Our guest is Ryan Kovar from Splunk with a look at the year ahead. And Olympic athletes heading to China? Better grab that burner phone. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/13
Jan 20, 2022
Updates on what Ukraine is now calling “BleedingBear.” CISA advises organizations to prepare for Russian cyberattacks. Other cyberespionage campaigns, and a new ransomware strain.
1607
Ukraine confirms that it was hit by wiper malware last week, as tension between Moscow and Kyiv remains high. It remains high as well between Russia and NATO, as Russia continues marshaling conventional forces around Ukraine. CISA advises organizations to prepare to withstand Russian cyberattacks. Other cyberespionage campaigns are reported, as is a new strain of ransomware. Microsoft’s Kevin Magee provides friendly counsel for CISOs and boards. Our guest is Clar Rosso from ISC2 on the communication gap between cybersecurity teams and executive leaders when it comes to ransomware. And the natural disaster in Tonga may offer lessons in resilience and recovery. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/12
Jan 19, 2022
A new member of the Winnti Cluster is described. Cobalt Strike used against unpatched VMware Horizon servers. Ukraine blames Russia for what seems to be a destructive supply chain attack.
1565
A new Chinese cyberespionage group is described. Cobalt Strike implants are observed hitting unpatched VMware Horizon servers. Ukraine attributes last week’s cyberattacks to Russia (with some possibility of Belarusian involvement as well). Microsoft doesn’t offer attribution, but it suggests that the incidents were more destructive than ransomware or simple defacements. The US warns of possible provocations. Ben Yelin looks at a bipartisan TLDR bill. Our guest is Lisa Plaggemier from the National Cybersecurity Alliance on the ongoing threat of phishing. And the REvil arrests in Russia may have been for “leverage.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/11
Jan 18, 2022
SOAR - a first principle idea. [CSO Perspectives]
1021
Rick explains the network defender evolution from defense-in-depth in the 1990s, to intrusion kill chains in 2010, to too many security tools and SOAR in 2015, and finally to devsecops somewhere in our future. Resources: “Cybersecurity First Principles: DevSecOps,” by Rick Howard, CSO Perspectives, The CyberWire, 8 June 2020. “FAQ,” RSA Conference, 2020. “Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains,” by Eric Hutchins, Michael Cloppert, Rohan Amin, Lockheed Martin Corporation, 2010, last visited 30 April 2020. “Malware? Cyber-crime? Call the ICOPs!” by Jon Oltsik, CSO, Cybersecurity Snippets, 22 June 2015. “Market Guide for Security Orchestration, Automation and Response Solutions,” by Gartner, ID G00727304, 21 September 2020. “MITRE ATT&CK,” by Mitre. “The Cybersecurity Canon: The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win,” book review by Rick Howard, Palo Alto Networks, 21 October 2016. “The Cyber Kill Chain is making us dumber: A Rebuttal,” by Rick Howard, LinkedIn, 29 July 2017. “The Evolution of SOAR Platforms,” by Stan Engelbrecht, SecurityWeek, 27 July 2018. “What is SOAR (Security Orchestration, Automation, and Response)?” by Kevin Casey, The Enterprisers Project, 30 October 2020.
Jan 17, 2022
Marina Ciavatta: Going after the human error. [Social engineer] [Career Notes]
636
Social engineer and CEO of Hekate, Marina Ciavatta, shares her story of how people think her job is a la Mission Impossible coming from the ceiling with a rope and stealing stuff in the dead of the night. Marina does physical pentesting. Starting with an unused degree in journalism, Marina turned her talent for writing into a job as a content producer for a technology company and this appealed to her self-proclaimed nerdism. She fell in love with hacking and got into pentesting thanks to a friend. Marina recommends those interested in physical pentesting "try to find other social engineers to mingle. It's in the name. We are social creatures." We thank Marina for sharing her story with us.
Jan 16, 2022
Keeping APIs on the radar: Evaluating the banking industry. [Research Saturday]
1597
This episode features guest Alissa Knight, former hacker and partner at Knight Ink, along with Karl Mattson, CISO from Noname Security, discussing findings on severe API vulnerabilities in U.S. banking applications from research that was conducted by Alissa and funded by Noname Security. The research, “Scorched Earth: Hacking Bank APIs,” unveils a number of vulnerabilities in the banking, cryptocurrency exchange, and FinTech industries. In her Money 20/20 keynote presentation, entitled “Scorched Earth: Hacking Bank APIs,” Alissa revealed that she was able to gain access to 55 different banks and change PIN codes and move money in and out of accounts. Three lessons learned include: API security vulnerabilities affect all enterprises, API security needs to be operationalized across the enterprise, and API security requires posture management, runtime security, and active testing. Details can be found here: White paper: Hacking Banks and Cryptocurrency Exchanges Through Their APIs. Blog post: 3 API Security Lessons from “Scorched Earth: Hacking Bank APIs”. Press release: New Research Shows Vulnerabilities in Banking, Cryptocurrency Exchange, and FinTech APIs Allow Unauthorized Transactions and PIN Code Changes of Customers. Alissa's presentation at Money 20/20.
Jan 15, 2022