CyberWire Daily

3,655 episodes — Page 33 of 74

S5 Ep 237: Dissecting the Spring4Shell vulnerability. [Research Saturday]

bonus

Edward Wu, senior principal data scientist at ExtraHop, joins Dave to discuss the company's research, "A Technical Analysis of How Spring4Shell Works." ExtraHop first noticed chatter on social media in March 2022 about a new remote code execution (RCE) vulnerability and immediately started tracking the issue. The research describes how the exploit works and breaks down how the ExtraHop team came to identify the Spring4Shell vulnerability. On severity, it says, "The impact of an RCE in this framework could have a serious impact similar to Log4Shell."
The research can be found here: How the Spring4Shell Zero-Day Vulnerability Works
Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 18, 2022 · 22 min

S6 Ep 1602: Malibot info stealer is no coin miner. "Hermit" spyware. Fabricated evidence in Indian computers. FBI takes down botnet. Assange extradition update. Putting the Service into service learning.

Malibot is an info stealer masquerading as a coin miner. "Hermit" spyware is being used by nation-state security services. Fabricated evidence is planted in Indian computers. The US takes down a criminal botnet. The British Home Secretary signs the Assange extradition order. We wind up our series of RSA Conference interviews with David London from the Chertoff Group and Hugh Njemanze from Anomali. And putting the Service into service learning.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/117
Selected reading.
'MaliBot' Android Malware Steals Financial, Personal Information (SecurityWeek)
F5 Labs Investigates MaliBot (F5 Labs)
Sophisticated Android Spyware 'Hermit' Used by Governments (SecurityWeek)
Lookout Uncovers Android Spyware Deployed in Kazakhstan (Lookout)
Police Linked to Hacking Campaign to Frame Indian Activists (Wired)
U.S., partners dismantle Russian hacking 'botnet,' Justice Dept says (Reuters)
Russian Botnet Disrupted in International Cyber Operation (US Attorney's Office, Southern District of California)
Julian Assange: Priti Patel signs US extradition order (The Telegraph)
AIVD disrupts activities of Russian intelligence officer targeting the International Criminal Court (AIVD)
Alleged Russian spy studied at Johns Hopkins, won ICC internship (Washington Post)

Jun 17, 2022 · 30 min

S6 Ep 1601: Interpol scores against BEC, online fraud, and money laundering. Developments in C2C markets. Versioning vulnerability. Cyber war and cyber escalation.

Interpol coordinates international enforcement action against scammers. A new version of IceXLoader is observed. Exploiting versioning limits to render files inaccessible. Reflections on the first large-scale hybrid war. Kelly Shortridge from Fastly on why behavioral science and economics matter for InfoSec. Patrick Orzechowski from DeepWatch on Russian IoCs and critical infrastructure. And the possibility of cyber escalation in Russia's hybrid war against Ukraine.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/116
Selected reading.
Hundreds arrested and millions seized in global INTERPOL operation against social engineering scams (Interpol)
New IceXLoader 3.0 – Developers Warm Up to Nim (Fortinet Blog)
Proofpoint Discovers Potentially Dangerous Microsoft Office 365 Functionality that can Ransom Files Stored on SharePoint and OneDrive (Proofpoint)
Russia's cyber fog in the Ukraine war (GIS Reports)
Russia Might Try Reckless Cyber Attacks as Ukraine War Drags On, US Warns (Defense One)
Cyber Attacks in Times of Conflict (CyberPeace Institute)
Vladimir Putin's Ukraine invasion is the world's first full-scale cyberwar (Atlantic Council)
Why Russia has refrained from a major cyber-attack against the West (Cyber Security Hub)
In modern war, we have as much to fear from cyber weapons as kinetics (Computing)

Jun 16, 2022 · 27 min

S6 Ep 1600: Hertzbleed, a troublesome feature of processors. Cyberespionage and hybrid war. Patch Tuesday notes. Software bills of materials. Wannabe cybercrooks and criminal publicity stunts.

The Hertzbleed side-channel issue affects Intel and AMD processors. An Iranian spearphishing campaign prospected former Israeli officials. Patch Tuesday notes. A look at software bills of materials. Russia routes occupied Ukraine's Internet traffic through Russia. Intercepts in the hybrid war: the odd and the ugly. Deepen Desai from Zscaler joins us with the latest numbers on ransomware. Rob Boyce from Accenture Security looks at cyber invisibility. And, finally, criminal wannabes and criminal publicity stunts.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/115
Selected reading.
A new vulnerability in Intel and AMD CPUs lets hackers steal encryption keys (Ars Technica)
Iranian Spear-Phishing Operation Targets Former Israeli and US High-Ranking Officials (Check Point Research)
Microsoft June 2022 Patch Tuesday fixes 1 zero-day, 55 flaws (BleepingComputer)
Microsoft Releases June 2022 Security Updates (CISA)
Windows Updates Patch Actively Exploited 'Follina' Vulnerability (SecurityWeek)
Adobe Plugs 46 Security Flaws on Patch Tuesday (SecurityWeek)
Citrix Releases Security Updates for Application Delivery Management (CISA)
SAP Releases June 2022 Security Updates (CISA)
So long, Internet Explorer. The browser retires today (AP NEWS)
SBOM in Action: finding vulnerabilities with a Software Bill of Materials (Google Online Security Blog)
Russia Is Taking Over Ukraine's Internet (Wired)
Belarusian hacktivist group releases purported Belarusian wiretapped audio of Russian embassy (CyberScoop)
Intercepted call: Russian plan to send PoWs out into minefields (The Telegraph)
Hacker Advertises 'Crappy' Ransomware on Instagram (Vice)
LockBit Ransomware Compromise of Mandiant Not Supported by Any Evidence, May Be a PR Move by Cybercrime Gang (CPO Magazine)

Jun 15, 2022 · 28 min

S6 Ep 1599: Dealing with Follina. SeaFlower steals cryptocurrencies. Cyber phases of a hybrid war, with some skeptical notes on Anonymous. And the war's effect on the underworld.

Dealing with the GRU's exploitation of the Follina vulnerability. SeaFlower uses stolen seed phrases to rifle cryptocurrency wallets. Ukraine moves sensitive data abroad. Anonymous claims to have hacked Russia's drone suppliers and to have hit sensitive targets in Belarus. Rick Howard reports on an NSA briefing at the RSA Conference. Our guest is Ricardo Amper from Incode with a look at biometrics in sports stadiums. And the effects of war on the cyber underworld.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/114
Selected reading.
Follina flaw being exploited by Russian hackers, info stealers (Computing)
Chinese Hackers Adding Backdoor to iOS, Android Web3 Wallets in 'SeaFlower' Campaign (SecurityWeek)
How SeaFlower...installs backdoors in iOS/Android web3 wallets to steal your seed phrase (Medium)
Ukraine Has Begun Moving Sensitive Data Outside Its Borders (Wall Street Journal)
Anonymous claims hack on Russian drones (Computing)
How the Cybercrime Landscape has been Changed following the Russia-Ukraine War (Kela)

Jun 14, 2022 · 25 min

S6 Ep 1598: A new RAT from Beijing. Muslim hacktivism in India. Ukraine reports a GRU spam campaign against media outlets. A Moscow court fines Wikimedia. And that UK cyber disaster was just a promo.

A Chinese APT deploys a new cyberespionage tool. Hacktivism roils India after a politician's remarks about the Prophet. Ukraine reports a "massive" spam campaign against the country's media organizations. A Russian court fines Wikimedia for "disinformation." From the NSA's Cybersecurity Collaboration Center our guests are Morgan Adamski and Josh Zaritsky. Rick Howard sets the cyber sand table on Colonial Pipeline. And the Martians haven't landed, and the Right Honorable Mr. Johnson is still PM.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/113
Selected reading.
CERT-UA warns of cyberattack on Ukrainian media (Interfax-Ukraine)
Russian hackers start targeting Ukraine with Follina exploits (BleepingComputer)
Massive cyber attack on media organizations of Ukraine using the malicious program CrescentImp (CERT-UA # 4797) (CERT-UA)
Wikimedia Foundation appeals Russian fine over Ukraine war articles (The Verge)
GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool (Unit42)
Prophet remark: Slew of cyber attacks on Indian govt, private sites (The Times of India)
70 Indian government, private websites face international cyber attacks over Prophet row (The Times of India)
Channel 4 faces Ofcom probe over 'emergency news' stunt to promote cyber attack drama The Undeclared War (INews)

Jun 13, 2022 · 26 min

S2 Ep 104: Deepen Desai: A doctor in computer viruses. [CISO] [Career Notes]

bonus

Deepen Desai, Global Chief Information Security Officer at Zscaler, shares his story as a doctor who treats computer viruses. He describes how he got into the security field and his work with Zscaler. He describes what it's like learning and growing in this field and shares great advice for people who are up and coming in the field. Deepen describes working with an incredible team and how much joy it brings him to see his team learning and growing beyond their roles working with him. He says he wants to be remembered as a mentor among his colleagues. He says, "I still remember my first team that I built, 15 years ago. Most of those guys are leading key technologies at many of the major security vendors, and some of them are still with me." We thank Deepen for sharing his story.

Jun 12, 2022 · 8 min

S5 Ep 236: New developments in the WSL attack. [Research Saturday]

bonus

Danny Adamitis from Lumen's Black Lotus Labs joins Dave to discuss new developments in the WSL attack surface. Since September 2021, Black Lotus Labs has been monitoring malware repositories as part of its proactive threat hunting process. Danny shares how researchers discovered a series of suspicious ELF files compiled for Debian Linux. The research describes how the team identified a series of samples targeting the WSL environment that were uploaded every two to three weeks, starting as early as May 3, 2021 and running through August 22, 2021.
The research can be found here:
Windows Subsystem For Linux (WSL): Threats Still Lurk Below The (Sub)Surface
No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed As Stealth Windows Loaders

Jun 11, 2022 · 22 min

S6 Ep 1597: The cautionary example of a hybrid war. SentinelOne finds a Chinese APT operating quietly since 2012. A hardware vulnerability in Apple M1 chips. And go, Tigers.

Looking at Russia's hybrid war as a cautionary example. Russia warns, again, that it will meet cyberattacks with appropriate retaliation. (China says "us too.") NSA and FBI warn of nation-state cyber threats. SentinelOne finds a Chinese APT that's been operating, quietly, for a decade. "Unpatchable" vulnerability in Apple chips reported. We've got more interviews from RSA Conference, including the FBI's Cyber Section Chief David Ring and ExtraHop's CEO, Patrick Dennis. And the overhead projector said, "Go Tigers."
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/112
Selected reading.
Top Senate Democrats sound the alarm about Russian interference in the 2022 midterms (Business Insider)
Russia says West risks 'direct military clash' over cyberattacks (NBC News)
Russia, China, oppose US cyber support of Ukraine (Register)
#RSAC: NSA Outlines Threats from Russia, China and Ransomware (Infosecurity Magazine)
FBI official: Chinese hackers boost recon efforts (The Record by Recorded Future)
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years (SentinelOne)
MIT researchers uncover 'unpatchable' flaw in Apple M1 chips (TechCrunch)
New Jersey school district forced to cancel final exams amid ransomware recovery effort (The Record by Recorded Future)

Jun 10, 2022 · 31 min

S6 Ep 1596: Updates on the hybrid war: hacktivism and hunting forward. Election security. Trends in phishing. The return of Emotet.

Another hacked broadcast in a hybrid war. Hunting forward as an exercise in threat intelligence collection and sharing. Cyber threats to the US midterm elections. Phishing for cryptocurrency. FakeCrack delivers a malicious payload to the unwary. Vacations are back. So is travel-themed phishbait. Ann Johnson from Microsoft shares insights on the trends she's tracking here at RSA. Johannes Ullrich brings highlights from his RSA conference panel discussion. And Emotet returns, in the company of some old familiar criminal collaborators.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/111
Selected reading.
Hacked Russian radio station broadcasts Ukrainian anthem (Washington Post)
Ukraine Successfully Defends Its Cyberspace While Russia Leans Heavily on Guns, Bombs (CNET)
Ukraine war: US cyber chief on Kyiv's advantage over Russia (Sky News)
NSA Director Confirms Cyber Command 'Hunt Forward' Approach Applies to Russia (ClearanceJobs)
Experts, NSA cyber director say ransomware could threaten campaigns in 2022 (CyberScoop)
Ransomware, botnets could plague 2022 midterms, NSA cyber director says (The Record by Recorded Future)
How Cyber Criminals Target Cryptocurrency (Proofpoint)
Crypto stealing campaign spread via fake cracked software (Avast)
Threat Actors Prepare Travel-Themed Phishing Lures for Summer Holidays (Hot for Security)
Emotet Malware Returns in 2022 (Deep Instinct)

Jun 9, 2022 · 27 min

S6 Ep 1595: Cyber war: a continuing threat, a blurry line between combatants and noncombatants. Chinese cyberespionage and its "plumbing." CISA adds Known Exploited Vulnerabilities. News from Jersey.

US officials continue to rate the threat of Russian cyberattack as high. Civilians in cyber war. Broadcast interference and propaganda. A Joint CISA/FBI warning of Chinese cyberespionage. What gets a vulnerability into the Known Exploited Vulnerabilities Catalog? Andrea Little Limbago from Interos and Mike Sentonas from CrowdStrike join us with previews of their RSA conference presentations. And, finally, some Jersey-based cyber campaigns (that's the Bailiwick, not the Garden State).
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/110
Selected reading.
Russian Cyber Threat Remains High, U.S. Officials Say (Wall Street Journal)
Shields Up: The New Normal (CyberScoop)
Russian Government, Cybercriminal Cooperation a 'Force Multiplier' (Decipher)
Opinion: The U.S.-Russia conflict is heating up — in cyberspace (Washington Post)
Smartphones Blur the Line Between Civilian and Combatant (Wired)
Russian Cyberattack Hits Wales-Ukraine Football Broadcast (Gov Info Security)
People's Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (CISA)
US agencies detail the digital 'plumbing' used by Chinese state-sponsored hackers (The Record by Recorded Future)
CISA Provides Criteria and Process for Updates to the KEV Catalog (CISA)
Reducing the Significant Risk of Known Exploited Vulnerabilities (CISA)
Jersey computers used in international cyber-attacks (Jersey Evening Post)

Jun 8, 2022 · 29 min

S1 Ep 21: CISA Alert AA22-158A – People's Republic of China state-sponsored cyber actors exploit network providers and devices. [CISA Cybersecurity Alerts]

This joint Cybersecurity Advisory describes the ways in which People's Republic of China state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised global infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations.
AA22-158A Alert, Technical Details, and Mitigations
Refer to China Cyber Threat and Advisories, Internet Crime Complaint Center, and NSA Cybersecurity Guidance for previous reporting on People's Republic of China state-sponsored malicious cyber activity.
US government and critical infrastructure organizations should consider signing up for CISA's cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats. US Defense Industrial Base organizations should consider signing up for the NSA Cybersecurity Collaboration Center's DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email [email protected].
All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or [email protected].

Jun 8, 2022 · 3 min

S6 Ep 1594: Updates on the cyber phases of Russia's hybrid war, including the role of DDoS and cyber offensive operations. Ransomware, bad and sometimes bogus.

DDoS as a weapon in a hybrid war. Resilience in the defense of critical infrastructure. Offensive cyber operations against Russia. LockBit claims to have hit Mandiant, but their claim looks baseless. Rick Howard joins us with thoughts on trends he's tracking at the RSA conference. Our guest is Dr. Diane Janosek from NSA with insights on personal resilience. Effects of ransomware on businesses.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/109
Selected reading.
Ukraine at D+102: Ukraine's SSSCIP on cyber war. (The CyberWire)
Major DDoS attacks increasing after invasion of Ukraine (SearchSecurity)
The Russia–Ukraine War: Ukraine's resistance in the face of hybrid warfare (Observer Research Foundation)
Ukraine Symposium - U.S. Offensive Cyber Operations in Support of Ukraine (Lieber Institute: Articles of War)
Russia ready to cooperate with all states in cyber domain (UNI India)
LockBit 2.0 gang claims Mandiant as latest victim; Mandiant sees no evidence of it (CyberScoop)
Mandiant: "No evidence" we were hacked by LockBit ransomware (BleepingComputer)
Cybereason Ransomware True Cost to Business Study Reveals Organizations Pay Multiple Ransom Demands (Cybereason)
Average Ransom Payment Up 71% This Year, Approaches $1 Million (Palo Alto Networks Blog)

Jun 7, 2022 · 25 min

S6 Ep 1593: Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches Confluence. CISA advisory on voting system. "State-aligned" campaign tried to exploit Follina. "Cyber Spetsnaz."

Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches a Confluence critical vulnerability. CISA releases an ICS advisory on voting systems. A "state-aligned" phishing campaign tried to exploit Follina. Is electronic warfare a blunt instrument in the ether? Verizon's Chris Novak stops by with thoughts on making the most of your trip to the RSA conference. Our guest is Tom Garrison from Intel with a look at hardware security. And a Russia-aligned group says they're not just hacktivists; they're "Cyber Spetsnaz."
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/108
Selected reading.
Remarks by Victor Zhora, deputy head of SSSCIP. (SSSCIP)
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (Sky News)
Russian ministry website appears hacked; RIA reports users data protected (Reuters)
Confluence Security Advisory 2022-06-02 (Atlassian)
Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134 (CISA)
Patch released for exploited Atlassian zero-day vulnerability (The Record by Recorded Future)
CISA Releases Security Advisory on Dominion Voting Systems Democracy Suite ImageCast X (CISA)
State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S (The Hacker News)
Deadly secret: Electronic warfare shapes Russia-Ukraine war (AP NEWS)
Exclusive: Pro-Russia group 'Cyber Spetsnaz' is attacking government agencies (Security Affairs)

Jun 6, 2022 · 27 min

S1 Ep 32: Defining the intruder's dilemma. [CyberWire-X]

bonus

For this CyberWire-X episode, we are talking about the failure of perimeter defense as an architecture where, since the 1990s when it was invented, the plan was to keep everything out. That model never really worked that well, since we had to poke holes in the perimeter to allow employees, contractors, and partners to do legitimate business with us. Those same holes could be exploited by the bad guys, too. The question is, what are we doing instead? What are the security architecture, the strategy, and the tactics that we are all using today that are more secure than perimeter defense? In the first part of the show, Rick Howard, the CyberWire's CSO, Chief Analyst, and Senior Fellow, talks with Jerry Archer, the Sallie Mae CSO and CyberWire Hash Table member, and, in the second half of the show, the CyberWire's podcast host Dave Bittner talks with Mike Ernst, episode sponsor ExtraHop's Vice President of Sales Engineering, to discuss Software Defined Perimeter and intrusion kill chain prevention strategy.

Jun 5, 2022 · 32 min

S2 Ep 103: Laura Hoffner: Setting your sights high. [Intelligence] [Career Notes]

bonus

Laura Hoffner, Executive Vice President at Concentric, shares her story, from working as a Naval Intelligence Officer supporting special operations around the globe for 12 years to her transition to the Naval Reserves and the Concentric team. Laura knew since she was in the seventh grade that she wanted to work with SEALs and work in intelligence. She set her goals high and achieved them shortly after graduating college. She credits being a Naval Intelligence Officer with helping her get to where she is today and says how much she is enjoying working with Concentric, saying she's "ultimately just incredibly benefiting from unbelievable mentors at the company itself." We thank Laura for sharing her story.

Jun 5, 2022 · 8 min

S5 Ep 235: LemonDucks evading detection. [Research Saturday]

bonus

Scott Fanning from CrowdStrike's research team joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and research suggests attackers are attracted by the monetary gain from the recent boom in cryptocurrency. LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation through proxy pools. Scott shares how it's unknown which organizations have been targeted and just how much cryptocurrency has been stolen.
The research can be found here: LemonDuck Targets Docker for Cryptomining Operations

Jun 4, 2022 · 15 min

S6 Ep 1592: Managing messaging in a hybrid war. Anti-Tehran hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A threat to firmware. CISA warns of Confluence exploits.

Moscow wants attention to be paid to its messengers. Western support for Ukraine in cyberspace. US remains on alert for Russian cyberattacks. Iran: anti-government hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A gangland threat to firmware. Johannes Ullrich from SANS on the security of browsers caching passwords. Dave Bittner sits down with Perry Carpenter to discuss his new book, "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer," co-authored with Kai Roer. And CISA adds an Atlassian issue to its Known Exploited Vulnerabilities Catalog.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/107
Selected reading.
Russia summons heads of U.S. media outlets, warns of 'stringent measures' (Reuters)
US confirms military hackers have conducted cyber operations in support of Ukraine (CNN)
Advancing security across Central and Eastern Europe (Google)
US Justice Department Braces for More Russian Cyberattacks (VOA)
Russia, backed by ransomware gangs, actively targeting US, FBI director says (Cybersecurity Dive)
Exiled Iran Group Claims Tehran Hacking Attack (SecurityWeek)
Exposing POLONIUM activity and infrastructure targeting Israeli organizations (Microsoft Security)
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions (Mandiant)
Russia-Linked Ransomware Groups Are Changing Tactics to Dodge Crackdowns (Wall Street Journal)
Conti Targets Critical Firmware (Eclypsium)
Atlassian: Unpatched critical Confluence flaw under attack (Register)
CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog (CISA)

Jun 3, 2022 · 26 min

S6 Ep 1591: Cyber operations in the hybrid war. Karakurt extortion group warning. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Leak brokers and booters shut down.

Russian government agencies are buying VPNs. CISA and its partners warn about the Karakurt extortion group. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Carole Theriault has the latest on fraudsters imitating law enforcement. Kevin Magee from Microsoft on security incentives by way of insurance. And leak brokers and booters shut down.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/106
Selected reading.
White House: cyber activity not against Russia policy (Reuters)
Some see cyberwar in Ukraine. Others see just thwarted attacks. (Washington Post)
ESET Threat Report details targeted attacks connected to the Russian invasion of Ukraine and how the war changed the threat landscape (ESET)
Ukraine - 100 days of war in cyberspace (CyberPeace Institute)
Russian VPN Spending (Top 10 VPN)
Karakurt Data Extortion Group (CISA)
US Agencies: Karakurt extortion group demanding up to $13 million in attacks (The Record by Recorded Future)
Clipminer Botnet Makes Operators at Least $1.7 Million (Symantec Enterprise Blog)
GootLoader Expands its Payloads Infecting a Law Firm with IcedID (eSentire)
WeLeakInfo.to and Related Domain Names Seized (US Department of Justice)

Jun 2, 2022 · 23 min

S1 Ep 19: CISA Alert AA22-152A – Karakurt data extortion group. [CISA Cybersecurity Alerts]

bonus

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory to provide information about the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of TTPs, creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors claim to steal data and threaten to auction it or release it to the public unless they receive payment.
AA22-152A Alert, Technical Details, and Mitigations
CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide
Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
Stopransomware.gov
CISA's Ransomware Readiness Assessment
CISA's cyber hygiene services
FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime
FinCEN Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments
All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at [email protected] or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or [email protected].

Jun 1, 2022 · 2 min

S6 Ep 1590: Costa Rica hit with another round of ransomware. Cyber phases of Russia's hybrid war against Ukraine. CISOs and 3rd-party risk. Elasticsearch databases as extortion targets. And Razzlekhan!

Costa Rica's healthcare system comes under renewed ransomware attack. Cyber phases of the hybrid war. Charity fraud exploits sympathy for Ukraine. US FBI attributes last year's attack on Boston Children's Hospital to Iran. CISOs surveyed on their challenges (and they're particularly worried about exposure to 3rd-party risk). Robert M. Lee joins us for the launch of the new Control Loop podcast. Josh Ray from Accenture looks at ransomware trends. Razzlekhan and Dutch: a cryptocurrency love song.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/105
Selected reading.
Latest cyberattack in Costa Rica targets hospital system (Reuters)
Costa Rica's public health agency hit by Hive ransomware (BleepingComputer)
Costa Rican Social Security Fund hit with ransomware attack (The Record by Recorded Future)
Costa Rica May Be Pawn in Conti Ransomware Group's Bid to Rebrand, Evade Sanctions (KrebsOnSecurity)
Ukraine joins its first NATO cyber defense center meeting (TheHill)
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (Sky News)
The FBI Warns of Scammers Soliciting Donations Related to the Crisis in Ukraine (Internet Crime Complaint Center (IC3))
FBI director blames Iran for 'despicable' attempted cyberattack on Boston Children's Hospital (CNN)
Hackers ransom 1,200 exposed Elasticsearch databases (TechTarget)
The CISOs Report (Security Current)
New York couple accused of laundering $4.5 bln in crypto still in plea talks (Reuters)

Jun 1, 2022 · 23 min

S6 Ep 1589: Potential cyber threats to agriculture. Cyber phases of Russia's hybrid war. REvil prosecution at a stand (and it's the Americans' fault, say Russian sources). Microsoft mitigates Follina.

Sanctions, blockades, and their effects on the world economy. Western nations remain on alert for Russian cyber attacks. REvil prosecution has reached a dead end. Microsoft issues mitigations for a recent zero-day. John Pescatore's Mr. Security Answer Person is back, looking at authentication. Joe Carrigan looks at new browser vulnerabilities. Notes from the underworld.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/104
Selected reading.
In big bid to punish Moscow, EU bans most Russia oil imports (AP NEWS)
EU, resolving a deadlock, in deal to cut most Russia oil imports (Reuters)
The E.U.'s embargo will bruise Russia's oil industry, but for now it is doing fine. (New York Times)
Russia's Black Sea Blockade Will Turbocharge the Global Food Crisis (Foreign Policy)
Russia's Invasion Unleashes 'Perfect Storm' in Global Agriculture (Foreign Policy)
'War in Ukraine Means Hunger in Africa' (Foreign Policy)
Afghanistan's Hungry Will Pay the Price for Putin's War (Foreign Policy)
Remote bricking of Ukrainian tractors raises agriculture security concerns (CSO Online)
Major supermarkets 'uniquely vulnerable' as Russian cyber attacks rise (ABC)
Italy warns organizations to brace for incoming DDoS attacks (BleepingComputer)
Whitepaper - PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments (Dragos)
Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks (IT Security News)
Putin horror warning over 'own goal' attack on UK coming back to haunt Kremlin (Express.co.uk)
Putin plot: UK hospitals at risk of chilling 'sleeper cell' attack by Russia (Express)
Will Russia Launch a New Cyber Attack on America? (The National Interest)
Hackers wage war on Russia's largest bank (The Telegraph)
REvil prosecutions reach a 'dead end,' Russian media reports (CyberScoop)
Microsoft Office zero-day "Follina"—it's not a bug, it's a feature! (It's a bug) (Malwarebytes Labs)
Microsoft Word struck by zero-day vulnerability (Register)
Clop ransomware gang is back, hits 21 victims in a single month (BleepingComputer)
Conti ransomware explained: What you need to know about this aggressive criminal group (CSO Online)

May 31, 202226 min

S2 Ep 102 Michael Scott: A team of humble intellects. [Information security] [Career Notes]

bonus

Chief Information Security Officer at Immuta, Michael Scott shares his story from working at a forgotten internet service provider to leading the security fight for major food chain restaurants. Michael explains how the different roles at various companies he has worked with paved his way to where he is now at Immuta. He works with a group of colleagues and he leads in a different style, describing that "It really is just a collection of a lot of, we call humble intellects" working with him. Michael attributes adversity to being a cornerstone of existence in the security community, and explains how that helps him keep up the fight. We thank Michael for sharing his story with us.

May 29, 2022 (7 min)

S5 Ep 234 Compromised military tech? [Research Saturday]

bonus

Dick O'Brien from Symantec's threat hunter team joins Dave to discuss their work on "Stonefly: North Korea-linked spying operation continues to hit high-value targets." Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors. Symantec found that the attackers breached an engineering firm in February 2022, most likely by exploiting the Log4j vulnerability. Their research describes who these high-value targets are and ways to prevent this malware from breaching any more companies, as well as indications that you could be compromised. The research can be found here: Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets

May 28, 2022 (19 min)

S6 Ep 1588 Cyber ops and a side benefit of sanctions. BlackCat wants $5 million from Carinthia. Fraudster pressures Verizon. Spain responds to surveillance scandal. CISA has 5G implementation guidelines.

Pro-Russian DDoS attacks. Sanctions and their effect on ransomware. BlackCat wants $5 million from Carinthia. A fraudster pressures Verizon. Spain will tighten judicial review of intelligence services. Johannes Ullrich looks at VSTO Office Files. Our guests are Cecilia Marinier and Niloo Howe with a preview of the RSAC Innovation Sandbox. CISA releases ICS advisories and, with its partners, issues guidelines for evaluating 5G implementation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/103 Selected reading. Hacktivists Expanding DDoS Attacks as Part of International Cyber Warfare Strategy (Imperva) Cyberattacks against UK CNI increase amidst Russia-Ukraine war (Intelligent CIO Europe) A cyberwar is already happening in Ukraine, Microsoft analysts say (NPR.org) NSA: Sanctions on Russia Having a Positive Effect on Ransomware Attacks, Attempts Down Due to Difficulty Collecting Ransom Payments (CPO Magazine) BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (BleepingComputer) Hacker Steals Database of Hundreds of Verizon Employees (Vice) Drupal Releases Security Updates (CISA) Keysight N6854A Geolocation server and N6841A RF Sensor software (CISA) Horner Automation Cscape Csfont (CISA) Spain vows legal reforms in wake of spying allegations (MSN) Spain’s PM vows to reform intelligence services following phone hacking scandal (The Record by Recorded Future) Spain set to strengthen oversight of secret services after NSO spying scandal (Times of Israel) CISA and DoD Release 5G Security Evaluation Process Investigation Study (CISA)

May 27, 2022 (23 min)

S6 Ep 1587 "Pantsdown" firmware vulnerability. ChromeLoader warning. Conti update. Ransomware at SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands. Kyiv honors Google. Reformed ID thief.

"Pantsdown" in QCT Baseboard Management Controllers. A warning on ChromeLoader. Conti updates. Ransomware’s effect on SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands, again. Kyiv honors Google. Josh Ray from Accenture reminds us it’s military appreciation month. Our guest is Melissa Bischoping of Tanium with lessons learned from the American Dental Association ransomware attack. And a poacher turned gamekeeper? For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/102 Selected reading. Critical 'Pantsdown' BMC Vulnerability Affects QCT Servers Used in Data Centers (The Hacker News) ChromeLoader: a pushy malvertiser (Red Canary) Conti leaks data stolen during January attack on Oregon county (The Record by Recorded Future) Is the Conti Ransomware Gang Stronger Apart Than Together? (OODA Loop) SpiceJet: Passengers stranded as India airline hit by ransomware attack (BBC News) SpiceJet's woes continue as ransomware attack delays flights (The Loadstar) SpiceJet's brush with ransomware is a timely reminder to protect yourself against this cyber menace (cnbctv18.com) CISA Adds 34 Known Exploited Vulnerabilities to Catalog (CISA) Mykhailo Fedorov presented the first "Peace prize" to Google (Digital Gov) Notorious Vietnamese hacker turns government cyber agent (France 24)

May 26, 2022 (24 min)

S6 Ep 1586 More cyberespionage in Russia. Advice on conducting propaganda. Iranian group conducts DDoS against Port of London Authority. News from the underworld. CISA alerts. Operation Delilah.

More cyberespionage targets Russian networks. Lincoln Project veterans visit Ukraine with advice on conducting an influence campaign against President Putin. A politically motivated DDoS attack hits the Port of London Authority website. Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors? RansomHouse may be operated by frustrated bounty hunters. Kevin Magee from Microsoft sets his security sights toward space. Our guest is Mathieu Gorge of VigiTrust to discuss the threat of printer hacks. Operation Delilah trims SilverTerrier’s locks. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/101 Selected reading. Unknown APT group has targeted Russia repeatedly since Ukraine invasion (Malwarebytes Labs) Hackers target Russian govt with fake Windows updates pushing RATs (BleepingComputer) Researchers Find New Malware Attacks Targeting Russian Government Entities (The Hacker News) Ukraine May Use Lincoln Project's Anti-Trump Tactics Against Putin (Newsweek) Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack (HackRead) REvil Resurgence? Or a Copycat? (Akamai) RansomHouse: Bug bounty hunters gone rogue? (Help Net Security) Data theft gang RansomHouse might be 'frustrated' white hat hackers, researchers claim (Tech Monitor) CISA Adds 20 Known Exploited Vulnerabilities to Catalog (CISA) CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog (Security Affairs) Rockwell Automation Logix Controllers (CISA) Matrikon OPC Server (CISA) Mitsubishi Electric FA Engineering Software Products (Update D) (CISA) Mitsubishi Electric Factory Automation Engineering Products (Update F) (CISA) Suspected head of cybercrime gang arrested in Nigeria (Interpol) Interpol arrests alleged leader of the SilverTerrier BEC gang (BleepingComputer) INTERPOL hauls in alleged Nigerian cybercrime ringleader (CyberScoop) Operation Delilah: Unit 42 Helps INTERPOL Identify Nigerian Business Email Compromise Actor (Unit42)

May 25, 2022 (26 min)

S6 Ep 1585 Verizon's 2022 DBIR shows a sharp rise in ransomware. Origins of Chaos ransomware. GuLoader’s phishbait. Malicious proofs-of-concept. Hyperlocal disinformation and hybrid warfare. Robin Hood?

Verizon's 2022 Data Breach Investigations Report shows a sharp rise in ransomware. Origins of the Chaos ransomware operation. The GuLoader campaign uses bogus purchase orders. Security researchers are targeted in a malware campaign. Hyperlocal disinformation. Turla reconnaissance has been detected in Austrian and Estonian networks. Ben Yelin describes a content moderation fight that may be headed to the Supreme Court. Our guest is Richard Melick from Zimperium to discuss threats to mobile security. Robin Hood (or not). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/100 Selected reading. 2022 Data Breach Investigations Report (Verizon Business) Yashma Ransomware, Tracing the Chaos Family Tree (BlackBerry) Spoofed Saudi Purchase Order Drops GuLoader: Part 1 (Fortinet Blog) Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon (Cyble) Network of hyperlocal Russian Telegram channels spew disinformation in occupied Ukraine (CyberScoop) Russian hackers perform reconnaissance against Austria, Estonia (BleepingComputer) New ransomware forces victims to donate to poor (The Independent)

May 24, 2022 (27 min)

S6 Ep 1584 A new loader variant for wiper campaigns. Sanctions, hacktivism, and disinformation. Conti’s toxic branding. Happy birthday, US Cyber Command.

There’s a new loader identified in wiper campaigns. President Putin complains of sanctions and cyberattacks, and vows to increase Russia's cybersecurity. Coordinated inauthenticity at scale. Killnet crows large over Italian operations. Conti's dissolution doesn't mean its operators' disappearance. Rick Howard looks at software defined perimeters. Dinah Davis from Arctic Wolf on how ransomware groups are upping their game to nation state levels. And happy birthday, US Cyber Command...but we're not necessarily wishing you a moonshot for your birthday present. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/99 Selected reading. Sandworm uses a new version of ArguePatch to attack targets in Ukraine (WeLiveSecurity) Putin complains about barrage of cyberattacks (Military Times) Putin promises to bolster Russia's IT security in face of cyber attacks (Reuters) Russia keeps getting hacked (Mashable) Putin is bringing his disinformation war to Ukraine (Newsweek) Russian government procured powerful botnet to shift social media trending topics (The Record by Recorded Future) Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns (The Hacker News) Russian Hackers Claim Responsibility for Attacks on Italian Government Websites (Wall Street Journal) Anonymous Declares Cyber-War on Pro-Russian Hacker Gang Killnet (Infosecurity Magazine) DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape (AdvIntel) Notorious cybercrime gang Conti 'shuts down,' but its influence and talent are still out there (The Record by Recorded Future) Could a Cyber Attack Overthrow a Government? Conti Ransomware Group Now Threatening To Topple Costa Rican Government if Ransom Not Paid (CPO Magazine) Fears grow after ransomware attack on Costa Rica escalates (TechCrunch) US Cyber Command’s birthday (US Cyber Command) U.S. Needs New 'Manhattan Project' to Avoid Cyber Catastrophe | Opinion (Newsweek) Cyber pros are fed up with talk about a cyber-Manhattan Project (Washington Post)

May 23, 2022 (23 min)

S2 Ep 101 Charity Wright: Pursue what you love [Threat intelligence] [Career Notes]

bonus

Threat intelligence analyst at Recorded Future, Charity Wright, shares her story from the army to her career today. Transitioning from the army to cybersecurity was an exciting change for her. During college she was recruited by the U.S. Army, where she started her journey and learned new skills paving her pathway to threat intelligence, where she is now. She shares that she works with a great team of junior analysts who are constantly checking each other's biases, which helps keep Charity grounded in her work. Charity spends her days keeping an eye on threats around the world, where she says there is never a dull day in her line of work. We thank Charity for sharing her story with us.

May 22, 2022 (8 min)

S5 Ep 233 AutoWarp bug leads to Automation headaches. [Research Saturday]

bonus

Yanir Tsarimi from Orca Security joins Dave to discuss how researchers have discovered a critical Azure Automation service vulnerability called AutoWarp. The security flaw was discovered this past March, prompting Yanir to report the issue to Microsoft, which helped to swiftly resolve the cross-account vulnerability. The research shows how this serious flaw would allow attackers unauthorized access to other customer accounts and potentially full control over resources and data belonging to those accounts, as well as put multiple Fortune 500 companies and billions of dollars at risk. The research shares the crucial timeline of how the vulnerability was discovered, as well as Microsoft's response to the vulnerability. The research can be found here: AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service

May 21, 2022 (18 min)

S6 Ep 1583 Is Conti rebranding? Commercial spyware scrutinized. Notes from the cyber phases of a hybrid war. Notes on the underworld. Software supply chain attack. Canada will exclude Huawei from 5G.

Was Conti’s digital insurrection in Costa Rica misdirection? Google assesses a commercial spyware threat “with high confidence.” Continuing expectations of escalation in cyberspace. The limitations of an alliance of convenience. Fronton botnet shows versatility. Russian hacktivists hit Italian targets, again. Lazarus Group undertakes new SolarWinds exploitation. Crypters in the C2C market. CrateDepression supply chain attack. Johannes Ullrich describes an advance fee scam hitting crypto markets. Our guest is Marty Roesch, CEO of Netography and inventor of Snort. Canada to exclude Huawei from 5G networks on security grounds. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/98 Selected reading. Conti ransomware shuts down operation, rebrands into smaller units (BleepingComputer) Protecting Android users from 0-Day attacks (Google) Microsoft President: Cyber Space Has Become the New Domain of Warfare (Infosecurity Magazine) Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes (Check Point Research) Chinese Hackers Tried to Steal Russian Defense Data, Report Says (New York Times) China-linked Space Pirates APT targets the Russian aerospace industry (Security Affairs) This Russian botnet does far more than DDoS attacks - and on a massive scale (ZDNet) Pro-Russian hackers attack institutional websites in Italy, police say (Reuters) Lazarus hackers target VMware servers with Log4Shell exploits (BleepingComputer) ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups (Security Intelligence) CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware (SentinelOne) Canada to ban Huawei/ZTE 5G equipment, joining Five Eyes allies (Reuters)

May 20, 2022 (29 min)

S1 Ep 18 CISA Alert AA22-138B – Threat actors chaining unpatched VMware vulnerabilities for full system control. [CISA Cybersecurity Alerts]

bonus

CISA is releasing this cybersecurity advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root level access. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. AA22-138B Alert, Technical Details, and Mitigations AA22-138B.stix Emergency Directive 22-03 Mitigate VMware Vulnerabilities VMware Security Advisory VMSA-2022-0011 VMware Security Advisory VMSA-2022-0014 All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

May 20, 2022 (3 min)

S6 Ep 1582 Information operations and the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities actively exploited. TDI clarifies data incident. Robo-calling the Kremlin.

Russian information operations surrounding the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities undergoing active exploitation. Texas Department of Insurance clarifies facts surrounding its data incident. Robert M. Lee from Dragos is heading to Davos to talk ICS. Rick Howard speaks with author Chase Cunningham on his book "Cyber Warfare – Truth, Tactics and Strategies". Robo-calling the Kremlin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/97 Selected reading. Information Operations Surrounding the Russian Invasion of Ukraine (Mandiant) CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities (CISA) Emergency Directive 22-03 (CISA) Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control (CISA) Threat Actors Exploiting F5 BIG IP CVE-2022-1388 (CISA) CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. (The CyberWire) Additional facts: TDI data security event (Texas Department of Insurance) This Hacktivist Site Lets You Prank Call Russian Officials (Wired)

May 19, 2022 (29 min)

S1 Ep 17 CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. [CISA Cybersecurity Alerts]

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP. AA22-138A Alert, Technical Details, and Mitigations F5 Security Advisory K23605346 and indicators of compromise F5 guidance K11438344 for remediating a compromise Emerging Threats Suricata signatures Palo Alto Networks Unit 42 Threat Brief: CVE-2022-1388. This brief includes indicators of compromise. Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical F5 BIG-IP Vulnerability. This blog includes indicators of compromise. Note: due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content. Randori’s bash script. This script can be used to identify vulnerable instances of BIG-IP. Note: MS-ISAC has verified this bash script identifies vulnerable instances of BIG-IP. All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

May 19, 2022 (3 min)

S6 Ep 1581 Privateering goes fully political. Compromised robots? Conti’s campaign against Costa Rica. Cyberconflict along the Nile. A reset in the cyber insurance market.

Chaos ransomware group declares for Russia. Hacktivists claim to have compromised Russian-manufactured ground surveillance robots. Conti's ongoing campaign against Costa Rica. The claimed "international" cyberattack against the Nile dam was stopped. Rick Howard speaks with author Caroline Wong on her book “Security Metrics, a Beginner's Guide”. Our guests are Kathleen Smith and Rachel Bozeman, hosts of the new podcast, Security Cleared Jobs. And the cyber insurance market experiences a “reset.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/96 Selected reading. Chaos Ransomware Variant Sides with Russia (Fortinet Blog) Did hackers commandeer surveillance robots at a Russian airport? (The Daily Dot) Russian Hacking Cartel Attacks Costa Rican Government Agencies (New York Times) Costa Rican president claims collaborators are aiding Conti's ransomware extortion efforts (CyberScoop) "We will overthrow the government" - Does Conti have help inside Costa Rica? (Tech Monitor) Costa Ricans scrambled to pay taxes by hand after cyberattack took down country’s collection system (Yahoo) Ethiopia faces new cyberattacks on its Nile dam (Al-Monitor) Cyber Insurers Raise Rates Amid a Surge in Costly Hacks (Wall Street Journal)

May 18, 2022 (24 min)

S1 Ep 16 CISA Alert AA22-137A – Weak security controls and practices routinely exploited for initial access. [CISA Cybersecurity Alerts]

This joint cybersecurity advisory was coauthored by the cybersecurity authorities of the US, Canada, New Zealand, the Netherlands, and the UK. Cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices, and includes best practices to mitigate these risks. AA22-137A Alert, Technical Details, and Mitigations White House Executive Order on Improving the Nation’s Cybersecurity NCSC-NL Factsheet: Prepare for Zero Trust NCSC-NL Guide to Cyber Security Measures N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured NCSC-UK Guidance – Phishing Attacks: Defending Your Organisation Open Web Application Security Project (OWASP) Proactive Controls: Enforce Access Controls All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

May 17, 2022 (2 min)

S6 Ep 1580 Russian cyber threats and NATO’s Article 5. Conti says it’s going to bring Costa Rica to its knees. BLE proof-of-concept hack. CISA warns of initial access methods. Thanos proprietor indicted.

An assessment of the Russian cyber threat. NATO's Article 5 in cyberspace. Conti's ransomware attack against Costa Rica spreads, in scope and effect. Bluetooth vulnerabilities demonstrated in proof-of-concept. CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Joe Carrigan looks at updates to the FIDO Alliance. Rick Howard and Ben Rothke discuss author Andrew Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age". And the doctor was in, but wow, was he also way out of line. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/95 Selected reading. Russia Planned a Major Military Overhaul. Ukraine Shows the Result. (New York Times) The Cyberwar Against Pro-Ukrainian Countries is Real. Here’s What to Do (CSO Online) Collective cyber defence and attack: NATO’s Article 5 after the Ukraine conflict (European Leadership Network) Cyber attack on Costa Rica grows as more agencies hit, president says (Reuters) Ransomware gang threatens to ‘overthrow’ new Costa Rica government, raises demand to $20 million (The Record by Recorded Future) Hacker Shows Off a Way to Unlock Tesla Models, Start Cars (Bloomberg) NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk (NCC Group) Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks (NCC Group Research) Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks (NCC Group Research) Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks (NCC Group Research) Alert (AA22-137A) Weak Security Controls and Practices Routinely Exploited for Initial Access (CISA) Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals (U.S. Attorney’s Office for the Eastern District of New York) US prosecutors allege Venezuelan doctor is ransomware mastermind (ZDNet) 'Multi-tasking doctor' was mastermind behind 'Thanos' ransomware builder, DOJ says (The Record by Recorded Future) U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware (The Hacker News)

May 17, 2022 (27 min)

S6 Ep 1579 Users advised to patch actively exploited Zyxel vulnerability. Hacktivism and influence ops in Russia’s hybrid war. Ransomware notes. Indiscriminate hacktivism? Alt-coin sanctions case will proceed.

Users are advised to patch Zyxel firewalls. Battlefield failure and popular morale in Russia’s hybrid war. Nuisance-level hacktivism in the hybrid war. Sweden and Finland move closer to NATO membership; concern over possible Russian cyberattacks rises. Intelligence, disinformation, or wishful thinking? Conti calls for rebellion in Costa Rica. PayOrGrief is just rebranded DoppelPaymer. Anonymous action in Sri Lanka seems indiscriminate and counterproductive. Dinah Davis from Arctic Wolf examines cybersecurity for startups. Rick Howard looks at two-factor authentication. And a judge says cryptocurrency can’t be used to evade sanctions. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/94 Selected reading. Critical Vulnerability Allows Remote Hacking of Zyxel Firewalls (SecurityWeek) Zyxel security advisory for OS command injection vulnerability of firewalls (Zyxel) Growing evidence of a military disaster on the Donets pierces a pro-Russian bubble. (New York Times) OpRussia update: Anonymous breached other organizations (Security Affairs) Italy prevents pro-Russian hacker attacks during Eurovision contest (Reuters) Finland, Sweden’s NATO moves prompt fears of Russian cyberattacks (The Hill) Coup to remove cancer-stricken Putin underway in Russia, Ukrainian intelligence chief says (Fortune) Conti ransomware gang calls for Costa Rican citizens to revolt if government doesn't pay (SC Magazine) Anonymous wanted to help Sri Lankans. Their hacks put many in grave danger (Rest of World) U.S. issues charges in first criminal cryptocurrency sanctions case (Washington Post)

May 16, 2022 (24 min)

S2 Ep 100 Eric Escobar: Collaboration is key. [Pen tester] [Career Notes]

Principal consultant and pen tester at Secureworks, Eric Escobar, shares his career path translating his childhood favorite Legos to civil engineering and pivoting to cybersecurity. Eric was always headed toward engineering and got both his bachelor's and master's degrees in civil engineering. Upon breaking into a network with a friend, he was bitten by the cybersecurity bug. Making the switch to the red team and basically becoming a bank robber for hire, Eric tests the security of many companies' networks. He feels that curiosity is an essential trait for cybersecurity and collaboration is key, as no one person knows everything. He advises those interested in cybersecurity to just start. We thank Eric for sharing his story with us.

May 15, 2022 (6 min)

S1 Ep 31 The current state of zero trust. [CyberWire-X]

bonus

According to the zero trust philosophy, we all assume that our networks are already compromised and try to design them to limit the damage if it turns out to be so. In this episode of CyberWire-X, we’ve invited subject matter experts Amanda Fennell, the Chief Information Officer and Chief Security Officer of Relativity, and Galeal Zino, CEO of episode sponsor NetFoundry, to the CyberWire Hash Table to discuss all the ways to think about the solution in the modern era: Software Defined Perimeter (SDP), Secure Access Service Edge (SASE), identity and authorization, and private WAN, all through a First Principle lens.

May 15, 2022 (31 min)

S5 Ep 232 Vulnerabilities in IoT devices. [Research Saturday]

Dr. May Wang, Chief Technology Officer at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization

May 14, 2022 (22 min)

S6 Ep 1578 War crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). A backdoor for Roblox. Darkweb C2C trader sentenced. eBay newsletter conspirator pleads guilty. CIA gets a CISO.

Ukraine holds its first war crimes trial. Are there war crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). Roblox seems to have been used to introduce a backdoor. CISA issues ICS advisories. Darkweb C2C trader sentenced. The last conspirator in the strange case of the eBay newsletter takes a guilty plea. Carole Theriault looks at Google’s new approach to cookies in Europe. Our guest is Mary Writz of ForgeRock on the growing importance of mobile device authentication security. And CIA gets a CISO. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/93 Selected reading. Ukraine to put first Russian soldier on trial for war crimes (Deutsche Welle) Russian soldier on trial in first Ukraine war-crimes case (AP NEWS) First Russian soldier goes on trial in Ukraine for war crimes (the Guardian) The Case for War Crimes Charges Against Russia’s Sandworm Hackers (Wired) Iranian hackers exposed in a highly targeted espionage campaign (BleepingComputer) Iranian APT Cobalt Mirage launching ransomware attacks (SearchSecurity) Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks (The Hacker News) Iranian Cyberspy Group Launching Ransomware Attacks Against US (SecurityWeek) Please Confirm You Received Our APT (Fortinet Blog) Roblox Exploited with Trojans from Scripting Engine (Avanan) Ukrainian cybercriminal sentenced to 4 years in U.S. prison for credential theft scheme (CyberScoop) Ukrainian sentenced to 4 years for selling hacked passwords (The Record by Recorded Future) Ex-eBay exec charged with harassing newsletter publishers pleads guilty (Reuters) CIA selects new CISO with deep private sector experience (The Record by Recorded Future)

May 13, 2022 (23 min)

S6 Ep 1577Killnet hits Italian targets. Access restored to RuTube. Hacktivism in the hybrid war. Emotet surges. NPM dependency confusion attacks were pentesting. Cybercrime and punishment.

Killnet hits Italian targets. Access to RuTube is restored. Hacktivism in the hybrid war. Emotet surges. Clearing up the confusion of NPM dependency confusion attacks. Tim Eades from Cyber Mentor Fund on finding the right investors. Our guest is Michael DeBolt of Intel 471 on the growing interest in biometrics in the criminal underground. And cybercrime and punishment, Florida-man edition. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/92 Selected reading. Ukraine maps reveal how much territory Russia has lost in just a few days (Newsweek) Pro-Russian hackers target Italy institutional websites -ANSA news agency (Reuters) Russian cyber experts restore RuTube access after three-day outage (Reuters) They Fled Ukraine to Keep Their Cyber Startup Alive. Now, They’re Hacking Back. (Wall Street Journal) Ukraine hacktivism 'problematic' for security teams says NSA cyber chief (Tech Monitor) HP Wolf Security Threat Insights Report Q1 2022 | HP Wolf Security (HP Wolf Security) npm supply chain attack targets Germany-based companies with dangerous backdoor malware (JFrog) SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering (SecurityWeek) Trio Of Cybercriminals Sentenced For Conspiracy To Commit Fraud And Aggravated Identity Theft (US Attorney for the Middle District of Florida) Learn more about your ad choices. Visit megaphone.fm/adchoices

May 12, 202225 min

S1 Ep 15CISA Alert AA22-131A – Protecting against cyber threats to managed service providers and their customers. [CISA Cybersecurity Alerts]

bonus

The cybersecurity authorities of the UK, Australia, Canada, New Zealand, and the US have observed a recent increase in malicious cyber activity against managed service providers (MSPs). Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers. AA22-131A Alert, Technical Details, and Mitigations Technical Approaches to Uncovering and Remediating Malicious Activity Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses APTs Targeting IT Service Provider Customers ACSC's Managed Service Providers: How to manage risk to customer networks Global Targeting of Enterprise Managed Service Providers Cyber Security Considerations for Consumers of Managed Services How to Manage Your Security When Engaging a Managed Service Provider Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers Baseline Cyber Security Controls for Small and Medium Organizations Actions to take when the cyber threat is heightened Top 10 IT Security Action Items to Protect Internet Connected Networks and Information CCCS's Alert: Malicious Cyber Activity Targeting Managed Service Providers CISA Cybersecurity Alert: APT Activity Exploiting MSPs (2018) CISA Cyber Essentials and CISA Cyber Resource Hub Improving Cybersecurity of Managed Service Providers Shields Up Technical Guidance All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at report@cisa.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov. Learn more about your ad choices. Visit megaphone.fm/adchoices

May 12, 20223 min

S6 Ep 1576Consensus on the Viasat hack: Russia did it. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies exploited, but to what end? Advisories from CISA and its partners.

There’s international consensus on the cyberattack against Viasat. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies are exploited, but to what end? Caleb Barlow examines Russia’s future on the internet. Our guest is Deepen Desai from Zscaler with the latest phishing research. And new advisories from CISA and its partners. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/91 Selected reading. Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques (Proofpoint) NPM dependency confusion hacks target German firms (ReversingLabs) npm Supply Chain Attack Targeting Germany-Based Companies (JFrog) Adminer in Industrial Products (CISA) Eaton Intelligent Power Protector (CISA) Eaton Intelligent Power Manager Infrastructure (CISA) Eaton Intelligent Power Manager (CISA) AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (CISA) Mitsubishi Electric MELSOFT GT OPC UA (CISA) CISA Adds One Known Exploited Vulnerability to Catalog (CISA) Alert (AA22-131A) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA) Russia downed satellite internet in Ukraine -Western officials (Reuters) US and its allies say Russia waged cyberattack that took out satellite network (Ars Technica) Western powers blame Russia for Ukraine satellite hack (The Record by Recorded Future) Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council) Attribution of Russia’s Malicious Cyber Activity Against Ukraine - United States Department of State (United States Department of State) U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors (CISA) Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion (GOV.UK) Estonia joins the statement of attribution on cyberattacks against Ukraine (Ministry of Foreign Affairs, Republic of Estonia) Statement on Russia’s malicious cyber activity affecting Europe and Ukraine (Canada.ca) Attribution to Russia for malicious cyber activity against European networks (Australian Government Department of Foreign Affairs and Trade) Russia hacked an American satellite company one hour before the Ukraine invasion (MIT Technology Review) NSA Probing Reach of Software From Russia’s Kaspersky in US Systems (Bloomberg) Learn more about your ad choices. Visit megaphone.fm/adchoices

May 11, 202224 min
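Episodes 1577 and 1576 above both touch on the npm dependency confusion activity reported by JFrog and ReversingLabs. The audit below is an added example, not code from the CyberWire, JFrog or ReversingLabs; it shows the condition those attacks rely on, an internally published package name that the client may resolve from the public registry, and checks a project's package.json and .npmrc for it. The package.json, .npmrc, internal package list and the acme.example registry host are all constructed for the example.

```python
"""Dependency-confusion exposure audit for an npm project (added example).

A dependency-confusion attack works when a package name that an organisation
publishes only to its internal registry can also be claimed on the public
registry. If the client consults the public registry for that name (because
the package is unscoped, or its scope is not mapped in .npmrc), it can install
the attacker's package instead of the internal one. This script flags every
internal package name whose resolution is not pinned to the internal registry.

All inputs below are constructed for the example, not real project files.
"""
import json
import re

PUBLIC_REGISTRY = "https://registry.npmjs.org/"

# Constructed sample package.json (assumption, not a real project).
PACKAGE_JSON = """{
  "name": "example-app",
  "dependencies": {
    "express": "^4.18.2",
    "@acme/auth-client": "^2.1.0",
    "acme-config-loader": "^1.4.0",
    "acme-feature-flags": "*"
  }
}"""

# Constructed sample .npmrc: only the @acme scope is pinned to the internal
# registry; everything else falls through to the public registry.
NPMRC = """registry=https://registry.npmjs.org/
@acme:registry=https://npm.internal.acme.example/
//npm.internal.acme.example/:_authToken=${NPM_TOKEN}
"""

# Names the organisation publishes to its internal registry (constructed).
INTERNAL_PACKAGES = {"@acme/auth-client", "acme-config-loader", "acme-feature-flags"}


def parse_npmrc(text):
    """Return (default_registry, {scope: registry}) from .npmrc lines."""
    default = PUBLIC_REGISTRY
    scoped = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^(@[^:=\s]+):registry\s*=\s*(\S+)$", line)
        if m:
            scoped[m.group(1)] = m.group(2)
            continue
        m = re.match(r"^registry\s*=\s*(\S+)$", line)
        if m:
            default = m.group(1)
    return default, scoped


def registry_for(name, default, scoped):
    """Registry npm consults for this package name under the given .npmrc."""
    if name.startswith("@"):
        scope = name.split("/", 1)[0]
        return scoped.get(scope, default)
    return default


def audit(package_json, npmrc, internal_packages):
    """Return [(name, spec, reason)] for internal packages exposed to confusion."""
    pkg = json.loads(package_json)
    default, scoped = parse_npmrc(npmrc)
    deps = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        deps.update(pkg.get(section, {}))
    findings = []
    for name, spec in sorted(deps.items()):
        if name not in internal_packages:
            continue  # public dependency: not an internal name an attacker can squat
        reg = registry_for(name, default, scoped)
        if reg != default:
            continue  # scope is pinned to a dedicated registry: resolved internally
        if name.startswith("@"):
            reason = "scope %s is not mapped in .npmrc" % name.split("/", 1)[0]
        else:
            reason = "unscoped internal name resolves from the default registry"
        if reg == PUBLIC_REGISTRY:
            reason += " (public npmjs.org); a higher public version wins"
        else:
            reason += " (%s); exposed if that registry proxies upstream" % reg
        findings.append((name, spec, reason))
    return findings


if __name__ == "__main__":
    for name, spec, reason in audit(PACKAGE_JSON, NPMRC, INTERNAL_PACKAGES):
        print("%-22s %-8s %s" % (name, spec, reason))
```

On the constructed input the scoped @acme/auth-client is safe because its scope is pinned, while the two unscoped acme-* names are flagged. The remediation the check implies is the one the 2022 advisories recommended: publish internal packages under a scope, map that scope to the internal registry in .npmrc, and (where the registry proxies upstream) reserve the names on the public registry as well.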

S6 Ep 1575Notes on cyber phases of Russia’s hybrid war, including an assessment of Victory Day as an influence op. A look at C2C markets. And Spain’s spyware scandal claims an intelligence chief.

A quick introductory note on Russia’s hybrid war against Ukraine. Russian television schedules hacked to display anti-war message. Phishing campaign distributes Jester Stealer in Ukraine. European Council formally attributes cyberattack on Viasat to Russia. Costa Rica declares a state of emergency as Conti ransomware cripples government sites. DCRat and the C2C markets. The gang behind REvil does indeed seem to be back. More Joker-infested apps found in Google Play. Guest Nick Adams from Differential Ventures discusses what will drive continued growth of cybersecurity beyond attack surfaces and governance from a VC's perspective. Partner Ben Yelin from UMD CHHS on digital privacy concerns in the aftermath of the potential overturn of Roe vs Wade. And Spain’s spyware scandal takes down an intelligence chief. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/90 Selected reading. Ukraine morning briefing: Five developments as Joe Biden warns Vladimir Putin has 'no way out' (The Telegraph) Viewpoint: Putin now faces only different kinds of defeat (BBC News) Putin's Victory Day speech gives no clue on Ukraine escalation (Reuters) On Victory Day, Putin defends war on Ukraine as fight against ‘Nazis’ (Washington Post) In Speech, Putin Shows Reluctance in Demanding Too Much of Russians (New York Times) Putin's parade shows he "is going to continue at whatever cost" in Ukraine (Newsweek) Russia’s display of military might sent the West a strong message – just not the one Putin intended (The Telegraph) Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages (HackRead) Russian TV hacked to say ‘blood of Ukrainians is on your hands’ (The Telegraph) Mass Distribution of Self-Destructing Malware in Ukraine (BankInfoSecurity) Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council) Learn more about your ad choices. Visit megaphone.fm/adchoices

May 10, 202228 min

S6 Ep 1574Mixer gets sanctioned. Reward offered for Conti hoods. Ag company hit with ransomware. Hacktivism and cyberattacks in Russia’s hybrid war. That apology? The Kremlin takes it back.

The US Treasury Department sanctions a cryptocurrency mixer. Rewards for Justice is interested in Conti. US tractor manufacturer AGCO was hit by a ransomware attack. Russian hacktivism hits German targets and threatens the UK. A Russian diplomatic account was apparently hijacked. Tracking Cobalt Strike servers used against Ukraine. Dinah Davis from Arctic Wolf defends against DDOS attacks. Rick Howard looks at Single Sign On. And no apology for you, Mr. Bennett. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/89 Selected reading. U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats (U.S. Department of the Treasury) Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice (United States Department of State) AGCO ransomware attack disrupts tractor sales during U.S. planting season (Reuters) Agricultural equipment maker AGCO reports ransomware attack (The Record by Recorded Future) Russia’s chief diplomat in Scotland condemns Ukraine invasion in social media post (The Telegraph) Pro-Russian Hackers Hit German Government Sites, Spiegel Says (Bloomberg) Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine (IronNet) Russia tensions with Israel may intensify as Kremlin denies Putin's apology (Newsweek) Learn more about your ad choices. Visit megaphone.fm/adchoices

May 9, 202225 min

S2 Ep 99Amanda Fennell: There's a cyber warrior in all of us [Information] [Career Notes]

bonus

Chief security officer and chief information officer at Relativity, Amanda Fennell shares her story from archeology to cybersecurity. She shares the path that led her towards becoming an archeologist and how it turned out not to be exactly what she expected. She then shares how she got into the cyber business and how her past has shaped what she's doing now. She describes how she would like to be remembered in the cyber world, saying, "I do hope that I left things better than I found them, not just the security of a product or a company, but I believe strongly that every person has a little cyber warrior inside of them." We thank Amanda for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices

May 8, 20227 min

S5 Ep 231Attacking where vulnerable. [Research Saturday]

bonus

Tushar Richabadas from Barracuda joins Dave Bittner to discuss their findings detailed in their "Threat Spotlight: Attacks on Log4Shell vulnerabilities." Their research tracks the share of attack traffic targeting the vulnerabilities and shows where the dips and spikes fall over the course of the past couple of months. The research has also mapped where the attackers' main IP addresses are located, with 83% of them in the United States. They break down what attacks on these vulnerabilities can do and how to protect yourself against them. They say "Due to the growing number of vulnerabilities found in web applications, it is getting progressively more complex to protect against attacks." The research can be found here: Threat Spotlight: Attacks on Log4Shell vulnerabilities Learn more about your ad choices. Visit megaphone.fm/adchoices

May 7, 202215 min