CyberWire Daily

3,656 episodes — Page 31 of 74

S6 Ep 1663: Notes from the hybrid war: nuisance-level DDoS, cyberespionage, and the possibility of financially motivated hacking. US policy on the software supply chain, and notes from the underworld.

Nuisance-level DDoS and cyberespionage continue to mark Russia's cyber campaign in the hybrid war. There’s a US Presidential memorandum on software supply chain security. Webworm repurposes older RATs. Trends in cyber insurance claims. OriginLogger may be the new Agent Tesla. The SparklingGoblin APT described. Mathieu Gorge of VigiTrust describes cyber vulnerabilities in the hospitality industry. Dinah Davis from Arctic Wolf explains a PayPal phishing attack. And Royal funeral phishbait. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/178 Selected reading. Pro-Russia hackers claim to have temporarily brought down Japanese govt websites (Asia News Network) Gamaredon APT targets Ukrainian government agencies in new campaign (Cisco Talos) Russia-linked Gamaredon APT target Ukraine with a new info-stealer (Security Affairs) Fears grow of Russian spies turning to industrial espionage (The Record by Recorded Future) Enhancing the Security of the Software Supply Chain through Secure Software Development Practices (The White House) Enhancing the Security of the Software Supply Chain to Deliver a Secure Government Experience (The White House) White House releases post-SolarWinds federal software security requirements (Federal News Network) Webworm: Espionage Attackers Testing and Using Older Modified RATs (Threat Hunter Team Symantec) Coalition Releases 2022 Cyber Claims Report: Mid-year Update (GlobeNewswire News Room) OriginLogger: A Look at Agent Tesla’s Successor (Unit 42) You never walk alone: The SideWalk backdoor gets a Linux variant (WeLiveSecurity) [Scam site harvests credentials] (Proofpoint) Current, former social media execs address national security issues at Senate hearing (Fox Business) Senators Have Stopped Embarrassing Themselves at Tech Hearings (Slate Magazine) Learn more about your ad choices. Visit megaphone.fm/adchoices

Sep 15, 2022 (30 min)

S6 Ep 1662: Patch Tuesday notes. Mr. Mudge goes to Washington. Joint warning of IRGC cyber activity. No major developments in the cyber phases of Russia’s hybrid war (but Ukraine is sounding confident).

Patch Tuesday notes. The US Senate Judiciary Committee hears from the Twitter whistleblower. Joint warning of IRGC cyber activity. Rob Boyce from Accenture on cybercriminals weaponizing leaked ransomware data. Chris Novak from Verizon describes his participation in the CISA Advisory Board. And Ukraine reiterates confidence in its resiliency. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/177 Selected reading. Adobe Patches 63 Security Flaws in Patch Tuesday Bundle (SecurityWeek) Microsoft Releases September 2022 Security Updates (CISA) Microsoft's September Patch Tuesday fixes five critical bugs (Computing) Microsoft Raises Alert for Under-Attack Windows Flaw (SecurityWeek) SAP Security Patch Day September 2022 (Onapsis) Apple Releases Security Updates for Multiple Products (CISA) Apple fixes eighth zero-day used to hack iPhones and Macs this year (BleepingComputer) Apple Will Let You Remove Rapid Security Response Updates in iOS 16 (Mac Rumors) Data Security at Risk: Testimony from a Twitter Whistleblower (United States Senate Committee on the Judiciary) Twitter Employees Have Too Much Access to Data, Whistleblower Says (Wall Street Journal) Twitter whistleblower reveals employees concerned China agent could collect user data (Reuters) Security failures cause ‘real harm to real people’ (Washington Post) Twitter whistleblower testifies to Congress, calls for tech regulation reforms (The Record by Recorded Future) The Search for Dirt on the Twitter Whistle-Blower (The New Yorker) Whistle-Blower Says Twitter ‘Chose to Mislead’ on Security Flaws (New York Times) Twitter whistleblower says site put growth over security (Computing) Written Statement of Peiter (“Mudge”) Zatko United States Senate Judiciary Committee September 13, 2022 (Katz Banks Kumin) What we learned when Twitter whistleblower Mudge testified to Congress (TechCrunch) How China became big business for Twitter (Reuters) Twitter whistleblower exposes limits of FTC’s power (Washington Post) Twitter Whistle-Blower Testimony Spurs Calls for Tech Regulator (Bloomberg) Iranian Islamic Revolutionary Guard Corps-Affiliated Cyber Actors Exploiting Vulnerabilities for Data Extortion and Disk Encryption for Ransom Operations (CISA) Ukraine’s Cyberwar Chief Sounds Like He’s Winning (WIRED) DDoS attacks on financial sector surge during war in Ukraine, new FCA data reveals (PR Newswire)

Sep 14, 2022 (30 min)

S7 Ep 45: A conversation with members of Baltimore FBI: Special Agent in Charge, Tom Sobocinski, and Supervisory Special Agent for Cyber, Tom Breeden. [Special Editions]

In this extended interview, CyberWire Daily Podcast host Dave Bittner sits down with members of the FBI's Baltimore field office: Special Agent in Charge, Tom Sobocinski, and Supervisory Special Agent for Cyber, Tom Breeden. As part of the FBI's cybersecurity awareness campaign, they discuss what the FBI can do to enhance and amplify cyber efforts in ways unlike any other public or private organization. This interview from August 30, 2022 originally aired as a shortened version on the CyberWire Daily Podcast.

Sep 13, 2022 (21 min)

S6 Ep 1661: Apple patches. Reviewing the cyber phase of a hybrid war. ShadowPad’s return. Phishing from the Static Expressway. Medical device threats. Security trends. Charming Kitten’s social engineering.

Apple patches its software. Reviewing the cyber phase of a hybrid war. The return of the (ShadowPad) alumni. Phishing from the Static Expressway. The state of cloud security. Overconfidence comes at a cost. Ann Johnson of Afternoon Cyber Tea speaks with Dr. Josephine Wolff from the Fletcher School about cyber insurance past. My conversation with FBI special agents Tom Sobocinski and Tom Breeden. And Charming Kitten and group-think in social engineering. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/176 Selected reading. Apple security updates (Apple Support) Ukraine Cyber War Update September 2022 (CyberCube) New Wave of Espionage Activity Targets Asian Governments (Broadcom Software Blogs) Chinese gov’t hackers using ‘diverse’ toolset to target Asian prime ministers, telecoms (The Record by Recorded Future) Leveraging Facebook Ads to Send Credential Harvesting Links (Avanan) Unpatched and Outdated Medical Devices Provide Cyber Attack Opportunities (FBI) CFO Cyber Security Survey: Over-Confidence is Costly (Kroll) Snyk’s State of Cloud Security Report Reveals 80% of Organizations Have Experienced a Severe Cloud Security Incident in Past Year (Snyk) Look What You Made Me Do: TA453 Uses Multi-Persona Impersonation to Capitalize on FOMO (Proofpoint) Iranian military using spoofed personas to target nuclear security researchers (The Record by Recorded Future) Alleged cyber commander of Iran’s Revolutionary Guard named by opposition outlet (Times of Israel)

Sep 13, 2022 (30 min)

S6 Ep 1660: Albania reports more Iranian cyberattacks. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet.

Albania reports additional cyberattacks from Iran over the weekend. RaidForums has a new successor. A look at threat actor reconnaissance in the contemporary Internet. Kinetic strikes hit Ukraine’s infrastructure. Rick Howard calculates risk with classic mathematical theorems. Tim Eades from Cyber Mentor Fund on the dynamic nature of the attack surface. And a look into the cyber phase of the hybrid war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/175 Selected reading. Albania blames Iran for second cyberattack since July (CNN) Treasury Sanctions Iranian Ministry of Intelligence and Minister for Malign Cyber Activities (US Department of the Treasury) Iran strongly condemns US sanctions over Albania hacking (Al Arabiya) Six months into Breached: The legacy of RaidForums? (KELA) 2022 State of the Internet Report (Censys) Ukraine hails snowballing offensive, blames Russia for blackouts (Reuters) Ukraine says Russia is retaliating by hitting critical infrastructure, causing blackouts. (New York Times) Last reactor at Ukraine’s Zaporizhzhia nuclear plant stopped (Associated Press) Ukraine Warns Russian Cyber Onslaught Is Coming (Voice of America) Montenegro wrestles with massive cyberattack, Russia blamed (ABC News) CyberCube: Russia’s Sovereign Internet Creates Security Risks With Implications for Cyber (Re)Insurance While War in Ukraine Develops (Associated Press)

Sep 12, 2022 (26 min)

S3 Ep 116: Mark Logan: March towards your goals. [CEO] [Career Notes]

bonus

Mark Logan, CEO of One Identity, sits down to share his story, explaining how he fit into different roles growing up in different companies. Mark has nearly two decades of C-Suite experience at an array of different organizations, finally landing on his current position as the CEO at One Identity. Sharing his different roles, he also gives a quote from Steve Jobs, saying "it's not what I say yes to, it's what I say no to." He believes that's a key area for his workers because when he is able to make up his mind, his team and his customers have someone they can rely on. Mark says that as a CEO he wants to share the advice of always marching towards your goals, and identifying that different people have different goals because they work in different fields, but that's what makes a company work best. He says "I've found that the more you can delegate, provided you've got the right folks in place the better." We thank Mark for sharing his story.

Sep 11, 2022 (9 min)

S5 Ep 249: Evilnum APT returns with new targets. [Research Saturday]

bonus

Deepen Desai from Zscaler ThreatLabz joins Dave to discuss their work on "Return of the Evilnum APT with updated TTPs and new targets." Zscaler’s ThreatLabz team recently caught a new Evilnum APT attack campaign that uses the document template in MS Office Word to inject a malicious payload into the victim's machine. There are three new instances of the campaign, including updated tactics, techniques, and procedures. Researchers have been closely monitoring Evilnum APT’s activity. They say ThreatLabz identified several domains associated with the Evilnum APT group, which has led them to discover that the "group has been successful at flying under the radar and has remained undetected for a long time." The research can be found here: Return of the Evilnum APT with updated TTPs and new targets

Sep 10, 2022 (21 min)

S6 Ep 1659: Threats to US elections. Lazarus Group targeting energy companies. Gaming-related threats.

Nation-states are expected to target the US midterm elections. North Korea’s Lazarus Group is targeting energy companies. Ukraine’s Ministry of Digital Transformation on cyber lessons learned from Russia’s hybrid war against Ukraine. CISA flags twelve known exploited vulnerabilities for attention and remediation. Vulnerable anti-cheat engines used for malicious purposes. Steve Carter from Nucleus Security has thoughts on AI in cybersecurity. Roland Cloutier, former CSO of TikTok, discusses working around the changing career field, needs, and how enterprise executives are developing and finding talent. And a look at top gaming-related malware lures. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/174 Selected reading. Mandiant ‘highly confident’ foreign cyberspies will target US midterm elections (The Register) What to Expect When You’re Electing: Preparing for Cyber Threats to the 2022 U.S. Midterm Elections (Mandiant) North Korea’s Lazarus hackers are exploiting Log4j flaw to hack US energy companies (TechCrunch) Lazarus and the tale of three RATs (Cisco Talos) How Gaming Cheats Are Cashing in Below the Operating System (Eclypsium) Good game, well played: an overview of gaming-related cyberthreats in 2022 (Securelist) Cybercriminals target games popular with kids to distribute malware (The Register) CISA Adds Twelve Known Exploited Vulnerabilities to Catalog (CISA)

Sep 9, 2022 (31 min)

S6 Ep 1658: Bronze President shows both enduring interests and adaptability. Iranian threat actor activity reported. Cybersecurity and small-to-medium businesses.

Bronze President shows both enduring interests and adaptability. Iranian threat actor activity is reported. Cybersecurity and small-to-medium businesses. An initial access broker repurposes Conti's old playbook for use against Ukraine. Johannes Ullrich from SANS on Scanning for VoIP Servers. Our guest is Ian Smith from Chronosphere on observability. And Kyivstar as a case study in telco resiliency. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/173 Selected reading. BRONZE PRESIDENT Targets Government Officials (Secureworks) APT42: Crooked Charms, Cons, and Compromises (Mandiant) Profiling DEV-0270: PHOSPHORUS’ ransomware operations (Microsoft) Albania cuts diplomatic ties with Iran over July cyberattack (The Washington Post) Initial access broker repurposing techniques in targeted attacks against Ukraine (Google) Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine (IBM SecurityIntelligence) Ransomware gang's Cobalt Strike servers DDoSed with anti-Russia messages (BleepingComputer) Ukraine’s largest telecom stands against Russian cyberattacks (POLITICO)

Sep 8, 2022 (27 min)

S6 Ep 1657: Albania attributes major cyberattack to Iran. TikTok denies breach. New Linux malware.

The Albanian government attributes a disruptive cyber attack to Iran. TikTok says it’s found no evidence of a data breach. Researchers have discovered a new strain of Linux malware. US agencies warn of ransomware targeting the education sector. Finland prepares to increase its cybersecurity capacity. Deepen Desai from Zscaler on the latest updates to Raccoon Stealer. Our guest is Lance Spitzner from the SANS Institute with results of their recent Security Awareness Report. And a fond farewell to the father of Let’s Encrypt. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/172 Selected reading. Albania cuts Iran ties over cyberattack, U.S. vows further action (Reuters) Statement by NSC Spokesperson Adrienne Watson on Iran’s Cyberattack against Albania (The White House) TikTok Data Breach Exposing 2B Records And Source Code May Not Have Happened After All (Hot Hardware) TikTok Denies Data Breach Reportedly Exposing Over 2 Billion Users' Information (The Hacker News) Shikitega - New stealthy malware targeting Linux (AT&T Alien Labs) #StopRansomware: Vice Society (CISA) Peter Eckersley, tech activist and founder of Let's Encrypt, dies at 43 (Techspot) Honoring Peter Eckersley, Who Made the Internet a Safer Place for Everyone (Electronic Frontier Foundation)

Sep 7, 2022 (24 min)

S1 Ep 29: CISA Alert AA22-249A – #StopRansomware: Vice Society. [CISA Cybersecurity Alerts]

CISA, the FBI, and the Multi-State Information Sharing and Analysis Center, or MS-ISAC, are releasing this advisory to disseminate indicators of compromise and TTPs associated with Vice Society actors and their ransomware campaigns. The FBI, CISA, and the MS-ISAC have recently observed Vice Society actors disproportionately targeting the education sector with ransomware attacks. AA22-249A Alert, Technical Details, and Mitigations. Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. Resource to mitigate a ransomware attack: CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].

Sep 6, 2022 (3 min)

S6 Ep 1656: Notes on the C2C market. A new cyberespionage threat actor has surfaced. Sharkbot made a brief return to Google Play. Privateering and catphishing in the hybrid war.

A Phishing-as-a-service offering on the dark web bypasses MFA. The Worok cyberespionage group is active in Central Asia and the Middle East. Prynt Stealer and the evolution of commodity malware. Sharkbot malware reemerged in Google Play. BlackCat/ALPHV claims credit for attack on the Italian energy sector. Joe Carrigan shares stats on social engineering. Our guest is Angela Redmond from BARR Advisory with six cybersecurity KPIs. And the Los Angeles Unified School District was hit with ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/171 Selected reading. EvilProxy Phishing-As-A-Service With MFA Bypass Emerged In Dark Web (Resecurity) Worok: The big picture (WeLiveSecurity) Dev backdoors own malware to steal data from other hackers (BleepingComputer) The Prynt Stealer malware contains a secret backdoor. Crooks steal data from other cybercriminals (Security Affairs) Fake Antivirus and Cleaner Apps Caught Installing SharkBot Android Banking Trojan (The Hacker News) SharkBot malware sneaks back on Google Play to steal your logins (BleepingComputer) BlackCat ransomware claims attack on Italian energy agency (BleepingComputer) 11.84GB of United States Military Contractor and Military Reserve data has been leaked. (vx-underground) Hackers honeytrap Russian troops into sharing location, base bombed: Report (Newsweek) LAUSD hit by hackers in apparent cyber attack (FOX 11 Los Angeles) Los Angeles Unified Targeted by Ransomware Atta (Los Angeles Unified School District)

Sep 6, 2022 (30 min)

S3 Ep 115: Anjali Hansen: Cross team collaboration works best. [Privacy Counsel] [Career Notes]

bonus

Anjali Hansen, a senior privacy counselor from Noname Security, shares her story of how she climbed through the ranks to get to where she is today. When Anjali started, she wanted to do international law. She started working for the International Trade Commission after law school, which is where she was able to gain most of her experience and real-world abilities. Working with online fraud and abuse, she shares, concerned her because it felt like governments could not protect organizations from threats occurring, which is how she got interested in cyber crime. From there, she moved to Noname Security, where she found that she works with every group in the organization, creating a cross-team collaboration, a model she admires. She says "We have to help other departments protect the data because the data's throughout an organization, it's in HR, it's in sales and marketing, it's in IT, it's in finance. So you have to be able to work with all these teams." We thank Anjali for sharing her story.

Sep 4, 2022 (8 min)

S5 Ep 248: LockBit's contradiction on encryption speed. [Research Saturday]

bonus

Ryan Kovar from Splunk sits down with Dave to discuss their findings in "Truth in Malvertising?" that contradict the LockBit group's encryption speed claims. Splunk's SURGe team recently released a whitepaper, blog, and video that outlined the encryption speeds of 10 different ransomware families. During their research they came across LockBit doing the same thing. After completing the research, the researchers came back to test the veracity of LockBit’s findings. The research showed three interesting finds. The first find showed that LockBit’s fastest and slowest samples were closely aligned between the tests, but the other results were very different. They also found that LockBit continues to be the fastest ransomware, but LockBit 2.0 was more efficient yet slower than its previous counterpart, LockBit 1.0. Lastly, once ransomware gets to the point of encrypting your systems, it’s too late. The research can be found here: Truth in Malvertising?

Sep 3, 2022 (19 min)

S6 Ep 1655: Ransomware groups continue to shift identities and targets. Assessments of the cyber phases of a hybrid war. Is wartime tough for criminals? Anonymous counts coup…against Moscow’s taxis.

REvil (or an impostor, or successor) may be back. A Paris-area medical center continues to work to recover from cyber extortion. An assessment of Russian failure (or disinclination) to mount effective cyber campaigns. Cyber criminals find wartime to be a tough time. Josh Ray from Accenture looks at cyber threats to the rail industry. Our guest is Dan Murphy of Invicti making the case that not all vulnerabilities are created equal. And Yandex Taxi’s app was hacked in a nuisance attack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/170 Selected reading. REvil says they breached electronics giant Midea Group (Cybernews) Paralysed French hospital fights cyber attack as hackers lower ransom demand (RFI) French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer) Hacks tied to Russia and Ukraine war have had minor impact, researchers say (The Record by Recorded Future) Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict (arXiv:2208.10629v2) Why Russia's cyber war in Ukraine hasn't played out as predicted (New Atlas) Cyber key in Ukraine war, says spy chief (The Canberra Times) Montenegro Sent Back to Analog by Unprecedented Cyber Attacks (Balkan Insight) Montenegro blames criminal gang for cyber attacks on government (EU Reporter) Ransomware Attack Sends Montenegro Reaching Out to NATO Partners (Bloomberg) “I’m tired of living in poverty” – Russian-Speaking Cyber Criminals Feeling the Economic Pinch (Digital Shadows) Yandex Taxi hack creates huge traffic jam in Moscow (Cybernews) Anonymous hacked Russia's largest taxi firm and caused a massive traffic jam (Daily Star)

Sep 2, 2022 (28 min)

S6 Ep 1654: News on three ransomware operations: BianLian, Cuba, and Ragnar Locker. How the gangs are recruiting. Mobile app supply chain blues. Happy Insider Threat Month.

The BianLian ransomware gang is better at coding than at the business of crime. The attack on Montenegro seems to be ransomware. A look at Ragnar Locker's current interests. Recruiting for gangland gets allusive, but those who know, well, they know. Our guest is Dan Lanir of OPSWAT with insights on recent federal legislation supporting cyber jobs. Ben Yelin examines a lawsuit filed by the FTC against an online data broker. And it’s Insider Threat Month, so keep an eye on yourself. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/169 Selected reading. BianLian Ransomware Gang Gives It a Go! ([redacted]) Montenegro blames criminal gang for cyber attacks on government (Reuters) FBI's team to investigate massive cyberattack in Montenegro (AP NEWS) US issues rare security alert as Montenegro battles ransomware (TechCrunch) Cuba ransomware group claims attack on Montenegro government (IT PRO) Cuba Ransomware Team claims credit for attack on Montenegro (Databreaches.net) Montenegro blames Cuba ransomware for cyberattack (Cybernews) Cybercriminals Apparently Involved in Russia-Linked Attack on Montenegro Government (SecurityWeek) THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector (Cybereason) Behind the News: The Ragnar Locker Attack on Greek Natural Gas Supplier DESFA - Radiflow (Radiflow) Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information (Broadcom Software Blogs / Threat Intelligence) “Looking for pentesters”: How Forum Life Has Conformed to the Ransomware Ban (Digital Shadows) NCSC and Federal Partners Focus on Countering Risk in Digital Spaces during National Insider Threat Awareness Month 2022 (ODNI)

Sep 1, 2022 (30 min)

S1 Ep 37: Securing multi-cloud identity with orchestration. [CyberWire-X]

While multi-cloud brings significant benefits, it also poses serious security risks. And identity is the reason. Each cloud platform, such as Azure, Google, and AWS, uses proprietary identity systems, and the lack of interoperability makes it unruly to manage. These disparate systems can’t talk to each other, resulting in a fragmented environment full of identity silos — the perfect way for an attacker to get in and cause destruction. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Rick Doten, the CISO for Healthcare Enterprises and Centene. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Strata Identity's CEO and Co-founder Eric Olden. Both sets of discussions center around the challenges to identity management caused by the rapid shift to multi-cloud.

Sep 1, 2022 (30 min)

S6 Ep 1653: Malicious Chrome extensions. BEC in Kentucky. Dispatches from a hybrid war, including state-directed, partisan, and criminal action. ICS advisories. “Cosplaying” hardware.

Chrome extensions steal browser data. A business email compromise attack is under investigation in Kentucky. Belarusian Cyber Partisans claim to have a complete Belarusian passport database. Organizing a cyber militia. CISA releases twelve ICS security advisories. Our guest is Asaf Kochan of Sentra on overemphasizing “the big one.” Carole Theriault cautions against getting ahead of yourself in the cryptocurrency supply chain. “Cosplaying” hardware. And Canada welcomes a new SIGINT boss. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/168 Selected reading. Chrome extensions with 1.4 million installs steal browsing data (BleepingComputer) Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users (McAfee Blog) Police investigate electronic theft of federal funds (City of Lexington) FBI, Secret Service join Kentucky investigation into $4 million cybercrime theft (The Record by Recorded Future) Russian hackers blamed for ongoing Montenegro cyberattack (Tech Monitor) “For the 1st time in human history a #hacktivist collective obtained passport info of the ALL country's citizens.” (Cyber Partisans) Inside the IT Army of Ukraine, ‘A Hub for Digital Resistance’ (The Record by Recorded Future) Ukraine takes down cybercrime group hitting crypto fraud victims (BleepingComputer) Hitachi Energy FACTS Control Platform (FCP) Product (CISA) Hitachi Energy Gateway Station (GWS) Product (CISA) Hitachi Energy MSM Product (CISA) Hitachi Energy RTU500 series (CISA) Fuji Electric D300win (CISA) Honeywell ControlEdge (CISA) Honeywell Experion LX (CISA) Honeywell Trend Controls Inter-Controller Protocol (CISA) Omron CX-Programmer (CISA) PTC Kepware KEPServerEX (CISA) Sensormatic Electronics iSTAR (CISA) Mitsubishi Electric GT SoftGOT2000 (CISA) Walmart Sells Fake 30TB Hard Drive That’s Actually Two Small SD Cards in a Trench Coat (Vice)

Aug 31, 2022 (25 min)

S6 Ep 1652: Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Notes from Russia’s hybrid war. And the LockBit gang looks beyond double extortion.

Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Montenegro works to recover from a Russian cyber offensive. A big Russian streaming platform sustains a data leak. Ann Johnson of the Afternoon Cyber Tea podcast speaks with Dave DeWalt of NightDragon and Jay Leek of both Syn Ventures and Clear Sky Security about cyber capital investment. Mr. Security Answer Person John Pescatore examines the allure of the healthcare industry for ransomware operators. And the LockBit gang looks beyond double extortion. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/167 Selected reading. Rising Tide: Chasing the Currents of Espionage in the South China Sea (Proofpoint) Why the Twilio Breach Cuts So Deep (WIRED) Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms (Threatpost) Hackers used Twilio breach to intercept Okta onetime passwords (SiliconANGLE) Okta Impersonation Technique Could be Utilized by Attackers (SecurityWeek) Ukraine launches counter-offensive to retake Kherson from Russia (The Telegraph) Russia-Ukraine war: Kremlin insists invasion going to plan despite counterattacks; first grain ship docks in Africa – live (the Guardian) Montenegro says Russian cyberattacks threaten key state functions (BleepingComputer) Montenegro struggles to recover from cyberattack that officials blame on Russia (The Record by Recorded Future) Leading Russian streaming platform suffers data leak allegedly impacting 44 million users (The Record by Recorded Future) LockBit ransomware mulls triple extortion following DDoS attack (SC Media)

Aug 30, 2022 (24 min)

S6 Ep 1651: How a hybrid war spreads its cyber effects. Russian and Chinese cyber ops in Latin America. Greenwashing influence. Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.

Russian cyber operations in Southeastern Europe. The challenge of containing the cyber phases of a hybrid war. Russian and Chinese cyber activity in Latin America. Greenwashing influence operations. Rick Howard looks at risk probabilities. Dinah Davis from Arctic Wolf looks at ransomware payment myths. And an Iranian threat actor exploits Log4j vulnerabilities against Israeli targets. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/166 Selected reading. Russia blamed for wave of hacker attacks in Southeast Europe (BNE) Montenegro declares it is in 'hybrid war' with Russia after massive cyber attack (Metro) Montenegro reports massive Russian cyberattack against govt (ABC News) Montenegro Reports Massive Russian Cyberattack Against Govt (AP via SecurityWeek) Montenegro's state infrastructure hit by cyber attack -officials (Reuters) Cyber Element in the Russia-Ukraine War & its Global Implications (Modern Diplomacy) Swiss secret service worried about Russian cyber operations (SWI swissinfo.ch) China and Russia Step Up Cyber Presence in Latin America (Diálogo Américas) Dominican Republic refuses to pay ransom after attack on agrarian institute (The Record by Recorded Future) China-Linked Bots Attacking Rare Earths Producer ‘Every Day’ (Bloomberg) Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations (The Hacker News) MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations (Microsoft Threat Intelligence Center) Iran exploiting Log4j 2 weakness to attack Israel, says Microsoft (Israel Defense)

Aug 29, 202223 min

S3 Ep 114: David Nosibor: Taking calculated risks. [Product Lead] [Career Notes]

bonus

David Nosibor, Product Lead for SafeCyber at UL Solutions, started his career in a unique way by not letting himself be pigeonholed. Within his company, David was able to grow to the position he is in now and says that his position feels like a lot of roles tied into one. He says that on any given day he is tackling all sorts of elements, such as marketing, operations, working with the engineering team, figuring out ways to acquire customers, retain them, and also working on sales and business development capabilities. He also says that constantly learning and getting new opportunities was how he ended up being where he is today. David states that staying focused and being on the lookout for ways to accomplish the mission is the best way for him in his company to democratize product security. He quotes the famous singer Sean Carter in saying that he firmly believes in taking calculated risks to get where you need to be going. We thank David for sharing his story.

Aug 28, 2022 · 6 min

S5 Ep 247: How a wide scale Facebook campaign stole 1 million credentials. [Research Saturday]

bonus

Nick Ascoli from ForeTrace in a partnership with PIXM sits down with Dave to provide insight on their team's work on "Phishing tactics: how a threat actor stole 1 million credentials in 4 months." During routine analysis, researchers discovered the connection between the pages using PIXM’s deep HTML analysis feature, which enabled them to view and analyze the underlying code on the pages after they were flagged as phishing. This led to the ensuing investigation, which was led by PIXM’s threat research team with assistance from Nick Ascoli. The research states "we uncovered a campaign whose scale has potentially impacted hundreds of millions of facebook users, and whose complexity offer insight into the evolving nature of phishing operations, especially from a technical perspective." The research can be found here: Phishing tactics: how a threat actor stole 1M credentials in 4 months

Aug 27, 2022 · 24 min

S6 Ep 1650: A Black Basta update. Okta talks Scatter Swine. Nobelium's MagicWeb. Wartime stress in the cyber underworld. LastPass security incident. CISA adds to its Known Exploited Vulnerabilities Catalog.

Palo Alto describes the Black Basta ransomware-as-a-service operation. Okta on Scatter Swine, the threat actor that compromised Twilio. Microsoft describes Nobelium's new approach to establishing persistence. Russia's war against Ukraine has induced stresses in the cyber underworld. LastPass discloses a security incident. Josh Ray from Accenture on cyber crime and the cost-of-living crisis. Our own Dave Bittner sits down with Chris Handman from TerraTrue to discuss how he works to transform legal teams into advocates and collaborators that can ensure privacy is baked in every step of the way. And CISA adds ten entries to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/165 Selected reading. Threat Assessment: Black Basta Ransomware (Palo Alto Networks Unit 42) MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone (Microsoft Threat Intelligence Center) Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers (The Hacker News) Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass (ZDNET) Detecting Scatter Swine: Insights into a relentless phishing campaign (Okta Security) Twilio hackers hit over 130 orgs in massive Okta phishing attack (BleepingComputer) Twilio says breach also compromised Authy two-factor app users (TechCrunch) How the war in Ukraine is reshaping the dark web (New Statesman) Notice of Recent Security Incident (The LastPass Blog) LastPass Says Source Code Stolen in Data Breach (SecurityWeek) LastPass developer systems hacked to steal source code (BleepingComputer)

Aug 26, 2022 · 26 min

S6 Ep 1649: Notes from six months of hybrid war. Oktapus criminal campaign. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. US DHS shutters its Disinformation Governance Board.

Ukrainian and Russian cyber operations at six months. Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. Chris Novak from Verizon on DHS Cyber Safety Review Board's report on the Log4j investigation that Verizon conducted. Dave Bittner sits down with our guest Dr. Scott Crowder, CTO and VP, Quantum Computing, Technical Strategy and Transformation for IBM Systems to discuss the increasingly urgent need for industries to prepare for security threats that quantum could unleash. And the US Department of Homeland Security shutters its Disinformation Governance Board. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/164 Selected reading. How Ukraine used Russia’s digital playbook against the Kremlin (POLITICO) Ukraine's volunteer 'IT army' responds to Russian hackers, minister says (ABC News) Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave) How Russia-Ukraine cyberwar is impacting orgs: Two-thirds say they have been targeted (VentureBeat) Twilio hackers breached over 130 organizations during months-long hacking spree (TechCrunch) Roasting 0ktapus: The phishing campaign going after Okta identity credentials (Group-IB) Bumblebee Malware Loader: Deep Instinct Prevents Attack Pre-Execution (Deep Instinct) Akamai’s Insights on DNS in Q2 2022 (Akamai) Following HSAC Recommendation, DHS terminates Disinformation Governance Board (US Department of Homeland Security) Homeland Security Scraps Disinformation Board Attacked by GOP (Bloomberg)

Aug 25, 2022 · 26 min

S6 Ep 1648: Ransomware attack hits a French hospital. Lessons for the fifth domain from six months of hybrid war. Deepfake scams have arrived. Threat actors prepare to exploit Hikvision camera vulnerability.

A medical center near Paris comes under ransomware attack, and refuses to pay up. Lessons for the fifth domain from six months of hybrid war. Deepfake scams appear to have arrived. Deepen Desai from Zscaler with an introduction to our audience. Dave Bittner sits down with Gil Hoffer, CTO and Co-founder of Salto to discuss “Who Hacked Slack?” And threat actors prepare to exploit Hikvision camera vulnerability. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/163 Selected reading. Cyber attackers disrupt services at French hospital, demand $10 million ransom (France 24) French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer) DECLENCHEMENT DU PLAN BLANC DIMANCHE 21 AOUT 2022 (CHSF - Centre Hospitalier Sud Francilien) Ukraine at D+181: Independence Day and six months of war. (CyberWire) Six months, twenty-three lessons: What the world has learned from Russia’s war in Ukraine (Atlantic Council) Hackers Used Deepfake of Binance CCO to Perform Exchange Listing Scams (Bitcoin News) Hackers Use Deepfakes of Binance Exec to Scam Multiple Crypto Projects (Gizmodo) Binance's CEO said thousands of people are falsely claiming to be his employees on LinkedIn. Experts warn it's an example of the platform's growing problem with fake accounts. (Business Insider) Twitter’s Ex-Security Head Files Whistleblower Complaint (Wall Street Journal) Twitter is vulnerable to Russian and Chinese influence, whistleblower says (CNN) Over 80,000 exploitable Hikvision cameras exposed online (BleepingComputer) Experts warn of widespread exploitation involving Hikvision cameras (The Record by Recorded Future) Hikvision Surveillance Cameras Vulnerabilities (CYFIRMA)

Aug 24, 2022 · 27 min

S6 Ep 1647: Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Greek natural gas supplier under cyberattack. Updates on a hybrid war.

Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Poland and Ukraine conclude cybersecurity agreement. Greek national natural gas supplier under criminal cyberattack. Update to the Joint Alert on Zimbra exploitation. Addition to CISA's Known Exploited Vulnerabilities Catalog. Johannes Ullrich from SANS on Control Plane vs. Data Plane vulnerabilities. Our guest is David Nosibor, Platform Solutions Lead for UL to discuss SafeCyber Phase II. And, finally, targeting and trolling, with an excursus on Speedos. Really. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/162 Selected reading. New Iranian APT data extraction tool (Google) LockBit gang hit by DDoS attack after Entrust leaks (Register) Former security chief claims Twitter buried ‘egregious deficiencies’ (Washington Post) Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies (CNN) Twitter’s Ex-Security Head Files Whistleblower Complaint (Wall Street Journal) Deception, Bots, and Foreign Agents: The Twitter Whistleblower’s Biggest Allegations (Time) The Ministry of Digital Transformation, State Service of Special Communication and Information Protection and the Council of Ministers of the Republic of Poland signed Memorandum of understanding in the cybersecurity field. (State Service of Special Communication and Information Protection) Greek natural gas operator suffers ransomware-related data breach (BleepingComputer) Greek gas operator refuses to negotiate with ransomware group after attack (The Record by Recorded Future) Announcement | (DESF) Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA) US government really hopes you've patched your Zimbra server (Register) CISA Adds One Known Exploited Vulnerabilities to Catalog (CISA) Speedo-wearing Russian tourists leak defence secrets on Twitter (The Telegraph)

Aug 23, 2022 · 27 min

S6 Ep 1646: Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. And data-tampering attacks are regarded as a growing risk.

Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. Rick Howard on the RSA Security Breach of 2011 and the Equifax breach of 2017. Caleb Barlow on what a recession means for cybersecurity venture capital and what its impact is on the industry. And data-tampering attacks are regarded as a growing risk. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/161 Selected reading. WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware (BleepingComputer) Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads (Sucuri Blog) Car blast kills daughter of Russian known as 'Putin's brain' (AP NEWS) Russia blames Kyiv for killing daughter of ‘Putin’s Rasputin’, but the truth may be closer to home (The Telegraph) Alexander Dugin's daughter killed by anti-war Russians: Former state deputy (Newsweek) Estonia Repels Biggest Cyber-Attack Since 2007 (Infosecurity Magazine) Estonia's Battle Against a Deluge of DDoS Attacks (Infosecurity Magazine) Latvia Starts Removing Soviet Monument in Challenge to Russia (Bloomberg) Data-tampering attacks are a 'nightmare' threat that's hard to detect (Protocol)

Aug 22, 2022 · 21 min

S3 Ep 113: Roya Gordon: Becoming a trailblazer. [Research] [Career Notes]

bonus

Roya Gordon, a Security Research Evangelist at ICS cybersecurity firm Nozomi Networks, started her career as an intelligence specialist in the U.S. Navy. After her time serving, Roya spent time as a Control Systems Cybersecurity Analyst at the Idaho National Laboratory and then took the role of Cyber Threat Intelligence Manager at Accenture. She shares her story after the NSA accepted her and then quickly diverted, creating a new path for Roya to follow. She shares the jobs she went after along the way, leading up to Nozomi Networks and how she wishes to be a trailblazer for young black women everywhere. She hopes to shape young women's minds on what the cybersecurity industry is actually like, in hopes that she can be a figure people look up to. We thank Roya for sharing her story.

Aug 21, 2022 · 9 min

S5 Ep 246: Clipminer: Making millions off of malware. [Research Saturday]

bonus

Dick O'Brien from Symantec, a part of Broadcom Software, joins Dave to discuss how the cyber-criminal operation, Clipminer Botnet, makes operators behind it at least $1.7 million. Symantec's research says "The malware being used, tracked as Trojan.Clipminer, has a number of similarities to another crypto-mining Trojan called KryptoCibule, suggesting it may be a copycat or evolution of that threat." Symantec determined that the malware has the ability to mine for cryptocurrency using compromised computers’ resources. They also share a way to protect against the cyber-criminal operation, as well as sharing some indicators you could be compromised. The research can be found here: Clipminer Botnet Makes Operators at Least $1.7 Million

Aug 20, 2022 · 16 min

S6 Ep 1645: Notes on the hybrid war. Criminal gang hits travel and hospitality sectors. Additions to CISA's Known Exploited Vulnerabilities Catalog. CISA issues five ICS security advisories.

Killnet claims a DDoS campaign against Estonia. The head of GCHQ calls Russian cyber operations a failure. US Cyber Command concludes its "hunt forward" mission in cooperation with Croatia. A criminal gang targets the travel and hospitality sectors. Thomas Pace of NetRise shares insights on firmware vulnerabilities. Daniel Floyd from BlackCloak on Quantifying the Business Need for Digital Executive Protection. CISA issues five ICS security advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/160 Selected reading. Estonia says it repelled major cyber attack after removing Soviet monuments (Reuters) There’s a chance regular people didn’t even notice: expert on Russian cyber attack (TVP World) Estonia says it repelled a major cyberattack claimed by Russian hackers. (New York Times) The head of GCHQ says Vladimir Putin is losing the information war in Ukraine (The Economist) Cyber Command deployed 'hunt forward' defenders to Croatia to help secure systems (The Record by Recorded Future) U.S. Cyber Command completes defensive cyber mission in Croatia (CyberScoop) You Can’t Audit Me: APT29 Continues Targeting Microsoft 365 (Mandiant) Reservations Requested: TA558 Targets Hospitality and Travel (Proofpoint) Cybercrime Group TA558 Ramps Up Email Attacks Against Hotels (Decipher) CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA) Siemens Linux-based Products (Update G) (CISA) Siemens Industrial Products LLDP (Update B) (CISA) Siemens OpenSSL Affected Industrial Products (CISA) Mitsubishi Electric MELSEC Q and L Series (CISA) Mitsubishi Electric GT SoftGOT2000 (CISA)

Aug 19, 2022 · 30 min

S6 Ep 1644: BlackByte’s back, as BlackByte 2.0. Iranian cyber ops against Israel. Wipers and cyberespionage as tools in Russia’s hybrid war. Cyber war clauses coming to cyber insurance policies.

BlackByte is back. Iran suspected of cyber operations against four Israeli sectors. A look at wipers as a tool in hybrid war. A Russian cyber ops scorecard. Josh Ray from Accenture on how dark web actors are focusing on VPNs. Our guest is Corey Nachreiner from WatchGuard with findings of their latest Internet Security Report. Cyber war clauses coming to cyber insurance policies. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/159 Selected reading. BlackByte ransomware gang is back with new extortion tactics (BleepingComputer) Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors | Mandiant (Mandiant) Russia-Ukraine cyberwar creates new malware threats (VentureBeat) Global Threat Landscape Report: A Semiannual Report by FortiGuard Labs (Fortinet) Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave SpiderLabs) Lloyd’s sets requirements for state-backed cyber attack exclusions (Insurance Day)

Aug 18, 2022 · 28 min

S6 Ep 1643: Cyber incidents and lessons from Russia's hybrid war. Zimbra vulnerabilities exploited. New Lazarus Group activity reported. ICS security advisories. Insider trading charges from 2017 Equifax breach.

A DDoS attack against a Ukrainian nuclear power provider. The US Army draws some lessons from the cyber phases of Russia's hybrid war. Vulnerabilities in Zimbra are undergoing widespread exploitation. Reports of new Lazarus Group activity. CISA releases eight ICS security advisories. Carole Theriault looks at scammers and cryptocurrencies. Our guest is Jennifer Reed from Aviatrix on the changing landscape of cloud security. And the SEC charges three with insider trading during the 2017 Equifax breach. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/158 Selected reading. Ukrainian Nuclear Operator Accuses Russians Hackers Of Attacking Its Website (RadioFreeEurope/RadioLiberty) Ukraine nuclear power company says Russia attacked website (Al Jazeera) Ukraine Nuclear Operator Reports Cyberattack on Its Website (The Defense Post) How electronic warfare is reshaping the war between Russia and Ukraine (The Record by Recorded Future) Army lesson from Ukraine war: cyber, EW capabilities not decisive on their own (FedScoop) Learning from Ukraine, Army cyber schoolhouse focuses on electromagnetic spectrum (Breaking Defense) Cyber and full-spectrum operations push the Great Power conflict left of boom (Breaking Defense) Microsoft Exchange alternative Zimbra is getting widely exploited, 1000s hit (The Stack) CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suite (CyberWire) Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA) A signed Mac executable… (ESET) Yokogawa CENTUM Controller FCS (CISA) LS ELECTRIC PLC and XG5000 (CISA) Delta Industrial Automation DRAS (CISA) Softing Secure Integration Server (CISA) B&R Industrial Automation Automation Studio 4 (CISA) Emerson Proficy Machine Edition (CISA) Sequi PortBloque S (CISA) Siemens Industrial Products with OPC UA (CISA) U.S. SEC charges 3 people with insider trading tied to Equifax hack (Reuters) SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement (US Securities and Exchange Commission)

Aug 17, 2022 · 25 min

S1 Ep 28: CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suite. [CISA Cybersecurity Alerts]

CISA and the Multi-State Information Sharing & Analysis Center, or MS-ISAC are publishing this joint Cybersecurity Advisory in response to active exploitation of multiple Common Vulnerabilities and Exposures against Zimbra Collaboration Suite, an enterprise cloud-hosted collaboration software and email platform. AA22-228A Alert, Technical Details, and Mitigations Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925 Hackers are actively exploiting password-stealing flaw in Zimbra CISA adds Zimbra email vulnerability to its exploited vulnerabilities catal… CVE-2022-27925 detail Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925 CVE-2022-37042 detail Authentication bypass in MailboxImportServlet vulnerability CVE-2022-30333 detail UnRAR vulnerability exploited in the wild, likely against Zimbra servers Zimbra Collaboration Kepler 9.0.0 patch 25 GA release Zimbra UnRAR path traversal Operation EmailThief: Active exploitation of zero-day XSS vulnerability in… Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15 All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].

Aug 17, 2022 · 2 min

S6 Ep 1642: Russian cyberespionage and influence op disrupted. RedAlpha versus Chinese minorities and (of course) Taiwan. Evil PLC proof-of-concept. Cl0p takes a poke at a water utility.

Microsoft identifies and disrupts Russian cyberespionage activity. An update on RedAlpha. An evil PLC proof-of-concept shows how programmable logic controllers could be "weaponized." Ben Yelin has an update on right to repair. Our guest is Arthur Lozinski of Oomnitza with a look at attack surface management maturity. And the Cl0p gang hits an English water utility (but tries to extort the wrong one–stuff happens, y’know?). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/157 Selected reading. Disrupting SEABORGIUM’s ongoing phishing operations (Microsoft Security) Microsoft disrupts Russian-linked hackers targeting NATO countries (Breaking Defense) Microsoft Announces Disruption of Russian Espionage APT (SecurityWeek) Microsoft disrupts Russia-linked hacking group targeting defense and intelligence orgs (The Record by Recorded Future) Microsoft shuts down accounts linked to Russian spies (Register) RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations (Recorded Future) Hackers linked to China have been targeting human rights groups for years (MIT Technology Review) Evil PLC Attack: Using a Controller as Predator Rather than Prey (Claroty) Hackers attack UK water supplier but extort wrong victim (BleepingComputer) South Staffordshire Water victim of cyber attack, customers not at risk (Computing) South Staffordshire Water says it was target of cyber attack as criminals bungle extortion attempt (Sky News)

Aug 16, 2022 · 26 min

S6 Ep 1641: Shuckworm and Killnet continue to hack in the interest of Russia. Iron Tiger's supply chain campaign. TikTok and national security. And an arrest in the case of the Tornado Cash crypto mixer.

Shuckworm maintains its focus on Ukrainian targets. Killnet's DDoS and dubious proof-of-work. Iron Tiger's supply chain campaign. TikTok and national security. Dinah Davis from Arctic Wolf shares insights on Dark Utilities. Rick Howard digs into identity management. And an arrest in the case of the Tornado Cash crypto mixer. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/156 Selected reading. Shuckworm: Russia-Linked Group Maintains Ukraine Focus (Symantec) Killnet Releases 'Proof' of its Attack Against Lockheed Martin (SecurityWeek) Killnet greift lettisches Parlament an (Tagesspiegel) Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (Trend Micro) How Frustration Over TikTok Has Mounted in Washington (New York Times) 3 ways China's access to TikTok data is a security risk (CSO Online) Arrest of suspected developer of Tornado Cash (FIOD) Tornado Cash Developer Arrested After U.S. Sanctions the Cryptocurrency Mixer (The Hacker News) Arrested Tornado Cash developer is Alexey Pertsev, his wife confirms (The Block)

Aug 15, 2022 · 25 min

S3 Ep 112: Christian Lees: it's not always textbook. [CTO] [Career Notes]

bonus

Christian Lees, CTO at Resecurity, shares his story and insight on coming into the cybersecurity world. He considers himself a late bloomer because he did not go to college until he was 23. He wasn’t sure of what he wanted to do, and a family friend gave him a computer and the rest was history, he says. He fell in love with computers and started working at different companies trying to get ahead. He says it's not always textbook, and sometimes you just need to cut your teeth on something to get where you're going. Throughout his journey, he was constantly questioning whether he made the right decision, and in the end he says you have to be willing to "define friction points in it, you may join security field, not knowing what you're gonna do, but by being that curious person and breaking things and putting it back together, you'll find the right way and just never stop being curious." We thank Christian for sharing his story.

Aug 14, 2022 · 8 min

S1 Ep 36: Red teamer's perspective on demotivating attackers. [CyberWire-X]

Cybercriminals are motivated by one simple incentive - money. Their favorite tools are bots to leverage sophistication, scalability, and ease of use. The effect is the creation of the underground bot ecosystem. This community allows threat actors to work together and continually improve their tactics. They sell bypasses for rule-based anti-bot solutions to other less technical fraudsters. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Etay Maor, Cato Networks’ Senior Director Security Strategy. They discuss this reality that has put defenders at a serious disadvantage and the mitigation steps to consider for future attacks. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Kasada's founder Sam Crowther about what he saw first-hand as a red teamer at a major Australian bank and what inspired him to reimagine bot mitigation with the founding principle of undermining the attacker’s ROI.

Aug 14, 2022 · 25 min

S5 Ep 245: Fake job ads and how to spot them. [Research Saturday]

bonus

Ashley Taylor from SANS.edu joins Dave to discuss fake job ads and methods to proactively detect these scams. The research shares how job seekers are under attack, with scammers posing as fake job recruiters to steal information from people who are interested in the job posting. The brands being impersonated are at risk of losing the credibility of their brand identity. The research shares exactly how these doppelgängers are posing a threat to job seekers and the best practices to detect these scams. It also shares how one company that works in the medical device manufacturing industry has been a target for these scams. It concludes with sharing some of the ways to proactively spot these scams before they happen. The research can be found here: Doppelgängers: Finding Job Scammers Who Steal Brand Identities

Aug 13, 2022 · 18 min

S6 Ep 1640: The optempo of a hybrid war's cyber phase. Hacktivists as cyber partisans. Zeppelin ransomware alert. DoNot Team update. Rewards for Justice offers $10 million for info on Russian bad actors.

The optempo of the war's cyber phase, and Ukraine’s response. Organizing and equipping hacktivists. Joint warning on Zeppelin ransomware. Update on the DoNot Team, APT-C-35. Rewards for Justice offers $10 million for information on Conti operators. Rob Boyce from Accenture shares insights from BlackHat. Caleb Barlow ponders closing the skills gap while shifting to remote work. And, hey, Mr. Target: pick one, OK? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/155 Selected reading. Black Hat 2022‑ Cyberdefense in a global threats era (WeLiveSecurity) How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future) #StopRansomware: Zeppelin Ransomware (CISA) APT-C-35: New Windows Framework Revealed (Morphisec) The US Offers a $10M Bounty for Intel on Conti Ransomware Gang (Wired)

Aug 12, 2022 · 26 min

S1 Ep 27: CISA Alert AA22-223A – #StopRansomware: Zeppelin Ransomware. [CISA Cybersecurity Alerts]

Zeppelin ransomware functions as a ransomware-as-a-service (RaaS), and since 2019, actors have used this malware to target a wide range of businesses and critical infrastructure organizations. Actors use remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing campaigns to gain initial access to victim networks and then deploy Zeppelin ransomware to encrypt victims’ files. AA22-223A Alert, Technical Details, and Mitigations Zeppelin malware YARA signature What is Zeppelin Ransomware? Steps to Prepare, Respond, and Prevent Infection Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts. No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment. This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed TTPs and IOCs to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].

Aug 11, 2022 · 3 min

S6 Ep 1639Dispatches from a hybrid war. CISA releases its election cybersecurity toolkit. Post-incident disruption at NHS is expected to last at least three weeks. Cisco discloses a security incident.

KillMilk says his crew downed Lockheed Martin's website. Industroyer2, and what became of it. CISA releases its election cybersecurity toolkit. Post-incident disruption at Britain’s NHS. Carl Wright of AttackIQ shares strategies for CISOs to successfully prepare for the next attack. Dr. Christopher Pierson from Blackcloak joins us from Black Hat. And Cisco seems to have thwarted a security incident. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/154 Selected reading. Russian hacking group claims attack on Lockheed Martin (SiliconANGLE HIMARS-Maker Lockheed Martin "confident" against Russian hackers (Newsweek) Industroyer2: How Ukraine avoided another blackout attack (SearchSecurity) Researchers Look Inside Russian Malware Targeting Ukrainian Power Grid (PCMAG) CISA Releases Toolkit of Free Cybersecurity Resources for Election Community (CISA) Cybersecurity Toolkit to Protect Elections (CISA) NHS staff told to plan for three weeks of disruption following cyberattack (Computing) Major NHS IT outage to last for three weeks (The Independent) Exclusive: NHS chiefs fear cyber attackers have accessed patient data (Health Service Journal) Cisco Event Response: Corporate Network Security Incident (Cisco) Cisco Talos shares insights related to recent cyber attack on Cisco (Cisco Talos) Cisco confirms May attack by Yanluowang ransomware group (The Record by Recorded Future) Cisco Hit by Cyberattack From Hacker Linked to Lapsus$ Gang (Bloomberg) Cisco's own network compromised by gang with Lapsus$ links (Register) Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (BleepingComputer) Learn more about your ad choices. Visit megaphone.fm/adchoices

Aug 11, 2022 · 26 min

S6 Ep 1638 · Patches, and some incentive to apply them. Hacktivism, privateering, and patriotic banditry in Russia’s hybrid war.

Patch notes, and the risks associated with failure to patch. Finland's parliament comes under cyberattack. Killnet says there will be blood, but they may just be grandstanding for the home crowd. Cyberattacks against a UK firm that's criticized Russia's war. We’re joined by FBI Cyber Division AD Bryan Vorndran and Adam Hickey, deputy assistant attorney general for the National Security Division with an introduction to Watchguard. Our guest is Matthew Warner from Blumira with tips on avoiding burnout. And not all criminal organizations are working for Russia. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/153 Selected reading. Already Exploited Zero-Day Headlines Microsoft Patch Tuesday (SecurityWeek) Microsoft August 2022 Patch Tuesday fixes exploited zero-day, 121 flaws (BleepingComputer) IBM Patches High-Severity Vulnerabilities in Cloud, Voice, Security Products (SecurityWeek) Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader (SecurityWeek) ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities (SecurityWeek) VMSA-2022-0022 (VMware) Emerson OpenBSI (CISA) Emerson ControlWave (CISA) Mitsubishi Electric GT SoftGOT2000 (CISA) Multiple attackers increase pressure on victims, complicate incident response (Sophos News) Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities (Fortinet Blog) NBI launches probe into attack on Finnish Parliament site (Yle) Russian hacker warns cyberwarfare will turn deadly (Newsweek) Suspected Russian cyber attack on British soil as firm subjected to ‘daily’ hacks (The Telegraph) Meet DUMPS Forum: A pro-Ukraine, anti-Russia cybercriminal forum | Digital Shadows (Digital Shadows)

Aug 10, 2022 · 32 min

S6 Ep 1637 · Cyberespionage against belligerents' industry. Tornado Cash sanctions. Data breaches at Twilio and Klaviyo. Intercept tools and policies in Canada.

Tracking apparent Chinese industrial cyberespionage. Tornado Cash sanctions. Twilio discloses a breach. Social engineering exposes data at Klaviyo. Microsoft’s Ann Johnson previews the latest season of Afternoon Cyber Tea. Joe Carrigan tracks the growth in cryptojacking. And what might the Mounties be monitoring? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/152 Selected reading. Cyberspying Aimed at Industrial Enterprises in Russia and Ukraine Linked to China (SecurityWeek) China-linked spies used six backdoors to steal defense info (Register) U.S. Treasury Sanctions Notorious Virtual Currency Mixer Tornado Cash (U.S. Department of the Treasury) Twilio hacked by phishing campaign (TechCrunch) Twilio, a texting platform popular with political campaigns, reports breach (CyberScoop) Incident Report: Employee and Customer Account Compromise - August 4, 2022 (Twilio Blog) Email marketing firm hacked to steal crypto-focused mailing lists (BleepingComputer) RCMP has used spyware to access targets’ communications as far back as 2002: Senior Mountie (Global News) RCMP says it has not used Pegasus spyware (POLITICO)

Aug 9, 2022 · 27 min

S1 Ep 35 · Cybersecurity is a team sport. [CyberWire-X]

To run a successful SOC, security leaders rely on tools with different strengths to create layers of defense. This has led to a highly siloed industry with over 2,000 vendors, each with its own specific function, that very seldom work together. To gain an advantage on attackers, we need to start seeing cybersecurity as a team sport, united for a shared mission. In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by two Hash Table members, Ted Wagner, CISO at SAP National Security Services, and Jenn Reed, CISO at Aviatrix. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor ExtraHop's Senior Product Marketing Manager, Chase Snyder, and CrowdStrike's Head of Product Marketing, Janani Nagarajan. They discuss why and how vendors should work together to enable better integrated security for their customers. They’ll answer questions like “what is XDR?” and “how do I get my vendors to work together?”

Aug 9, 2022 · 32 min

S6 Ep 1636 · Wipers, tak; grid takedown, nyet. Twitter 0-day exploited before patching. NHS 111 recovering from cyberattack. Notes on the C2C underworld.

Shifting cyber threats during Russia's war against Ukraine. A Twitter exploit may have compromised more than 5 million accounts. A cyberattack disrupts NHS 111. Developments in the C2C market. An alleged Russian cryptocurrency exchange operator is extradited to the US. Rick Howard looks at FinTech. Andrea Little Limbago from Interos on industrial policy and the tech divide. And a crypto mixing service has been sanctioned by the US Treasury Department. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/151 Selected reading. ESET Threat Report T1 2022 (WeLiveSecurity) Twitter confirms zero-day used to expose data of 5.4 million accounts (BleepingComputer) NHS 111 software outage confirmed as cyber-attack (BBC News) Ministers coordinate response after cyber-attack hits NHS 111 (the Guardian) Thousands of hackers flock to 'Dark Utilities' C2-as-a-Service (BleepingComputer) Attackers leveraging Dark Utilities "C2aaS" platform in malware campaigns (Cisco Talos) Genesis Brings Polish to Stolen-Credential Marketplaces (Sophos) Cyber-related Designation (U.S. Department of the Treasury) U.S. imposes sanctions on virtual currency mixer Tornado Cash (Reuters) Crypto Mixing Service Tornado Cash Blacklisted by US Treasury (CoinDesk) Alleged Russian Cryptocurrency Money Launderer Extradited to United States (US Department of Justice) Russian accused of money laundering and running $4B bitcoin exchange extradited to US | CNN Politics (CNN)

Aug 8, 2022 · 25 min

S3 Ep 111 · Anna Belak: Acquiring skills to make you into a unicorn. [Thought Leadership] [Career Notes]

bonus

Anna Belak, Director of Thought Leadership at Sysdig, shares her story from physics to cyber. Anna explains how she went to college intending to get a physics degree and then, for her PhD, decided to switch to material science and engineering. She enjoyed neither and ultimately decided to go into cyber. She shares some advice on how you should never limit yourself to your degree, as well as always learning new skills and honing the skills you already have. She says that doing these things will make you into a unicorn, meaning that if you are good at one thing and teach yourself to be good at something else, you will become that much more valuable. Anna hopes she makes an impact with the people she works with; she hopes they will want to work with her even long after she leaves a company. We thank Anna for sharing her story.

Aug 7, 2022 · 8 min

S5 Ep 244 · Iran-linked Lyceum Group adds a new weapon to its arsenal. [Research Saturday]

bonus

Deepen Desai from Zscaler's ThreatLabz joins Dave to discuss how APTs, like Lyceum Group, create tactics and malware to carry out attacks against their targets. The Lyceum group has been active since 2017 and is a state-sponsored Iranian APT group. This group targets Middle Eastern organizations, most notably in the energy and telecommunication sectors, and relies heavily on .NET based malware. Zscaler said in their research they "recently observed a new campaign where the Lyceum Group was utilizing a newly developed and customized .NET based malware targeting the Middle East by copying the underlying code from an open source tool." They go on to give an analysis explaining why the .NET based DNS backdoor is causing problems. The research can be found here: Lyceum .NET DNS Backdoor

Aug 6, 2022 · 15 min

S6 Ep 1635 · CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. CISA and ACSC issue a joint advisory on top malware strains.

CyberFront Z's failed influence operation. Iranian operators target Albanian government networks. CISA issues two ICS security advisories. Andy Robbins of SpecterOps to discuss Attack Paths in Azure. Denis O'Shea of Mobile Mentor talking on the intersection of endpoint security and employee experience. CISA and ACSC issue a joint advisory on top malware strains. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/150 Selected reading. Quarterly Adversarial Threat Report (Meta) Meta took down Russian troll farm that supported country’s invasion of Ukraine (The Hill) Russia's Infamous Troll Farm Is Back -- and Sh*tting the Bed (Rolling Stone) Meta’s threat report highlights clumsy attempt to manipulate Ukraine discourse (TechCrunch) Likely Iranian Threat Actor Conducts Politically Motivated Disruptive Activity Against Albanian Government Organizations (Mandiant) CISA Alert AA22-216A – 2021 top malware strains. (The CyberWire) 2021 Top Malware Strains (CISA) Digi ConnectPort X2D (CISA) Cisco Releases Security Updates for RV Series Routers (CISA)

Aug 5, 2022 · 28 min

S6 Ep 1634 · Ukraine claims to have taken down a massive Russian bot farm. Were Russian cyber operations premature? Report: Emergency Alert System vulnerable to hijacking. And more crypto looting.

Ukraine claims to have taken down a massive Russian bot farm. Russian cyber operations may have been premature. A report says Emergency Alert Systems might be vulnerable to hijacking. The Mirai botnet may have a descendant. Adam Flatley from Redacted with a look back at NotPetya. Ryan Windham from Imperva takes on Bad Bots. Attacks on a cryptocurrency exchange attempt to bypass 2FA. Solana cryptocurrency wallets looted. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/149 Selected reading. Ukraine takes down 1,000,000 bots used for disinformation (BleepingComputer) Did Russia mess up its cyberwar with Ukraine before it even invaded? (Washington Post) So RapperBot, What Ya Bruting For? (Fortinet Blog) Gaming Respawned (Akamai) Coinbase Attacks Bypass 2FA (Pixm Anti-Phishing) Thousands of Solana wallets drained in multimillion-dollar exploit (TechCrunch) Thousands of Solana Wallets Hacked in Crypto Cyberattack (Wall Street Journal) Solana, USDC Drained From Wallets in Attack (Decrypt) Ongoing solana attack targets thousands of crypto wallets, costing users more than $5 million so far (CNBC) Solana and Slope Confirm Wallet Security Breach (Crypto Briefing) How Hackers Target Bridges Between Blockchains for Crypto Heists (Wall Street Journal)

Aug 4, 2022 · 26 min

S1 Ep 26 · CISA Alert AA22-216A – 2021 top malware strains. [CISA Cybersecurity Alerts]

This joint Cybersecurity Advisory was coauthored by CISA and the Australian Cyber Security Centre, or ACSC. This advisory provides details on the top malware strains observed in 2021. AA22-216A Alert, Technical Details, and Mitigations For alerts on malicious and criminal cyber activity, see the FBI Internet Crime Complaint Center webpage. For more information and resources on protecting against and responding to ransomware, refer to StopRansomware.gov, a centralized, U.S. Government webpage providing ransomware resources and alerts. The ACSC recommends organizations implement eight essential mitigation strategies from the ACSC’s Strategies to Mitigate Cyber Security Incidents as a cybersecurity baseline. These strategies, known as the “Essential Eight,” make it much harder for adversaries to compromise systems. Refer to the ACSC’s practical guides on how to protect yourself against ransomware attacks and what to do if you are held at ransom at cyber.gov.au. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or [email protected].

Aug 4, 2022 · 3 min