
CyberWire Daily
3,655 episodes — Page 34 of 74
S6 Ep 1572: Victory Day approaches so shields up. Hacktivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Happy Mother’s Day (and stay safe online).
An update on the war in Ukraine as Victory Day approaches. President Lukashenka on the war next door. Hacktivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Another ICS security alert from CISA. Dinah Davis from Arctic Wolf on reflection amplification techniques. Carole Theriault examines zero trust architecture access policies. Happy Mother’s Day (and stay safe online). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/88
Selected reading.
Mariupol steel mill battle rages as Ukraine repels attacks (Military Times)
Why the battle for Mariupol is important for Vladimir Putin. (New York Times)
A race against time in Ukraine as Russia advances, West sends weapons (Washington Post)
The AP Interview: Belarus admits Russia's war 'drags on' (AP NEWS)
Russia’s ally Belarus criticises war effort for ‘dragging on’ (The Telegraph)
NSA cyber boss seeks to discourage vigilante hacking against Russia (Defense News)
Shields Up: Russian Cyberattacks Headed Our Way (JD Supra)
Raspberry Robin gets the worm early (Red Canary)
VIP3R: New actor. Old story. Great success. (Menlo Security)
Johnson Controls Metasys (CISA)
Top 3 Mother’s Day Scam Sites – Be Smart When Buying Gifts (Trend Micro News)
Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1572: Dateline Moscow, Kyiv, and Minsk: Hacktivism and privateering. Log4j vulnerabilities more widespread than initially thought. US Cyber Command deploys "hunt forward" team to Lithuania.
Hacktivism and privateering in Moscow, Kyiv, and Minsk. Log4j vulnerabilities are more widespread than initially thought. US Cyber Command deployed a "hunt forward" team to Lithuania. CISA adds five vulnerabilities to its Known Exploited Vulnerabilities Catalog. Jen Miller-Osborn from Palo Alto Networks discusses the findings from the Center for Digital Government's survey on Getting Ahead of Ransomware. Grayson Milbourne of Webroot/OpenText discusses OpenText's 2022 BrightCloud Threat Report. And Anonymous leaks emails allegedly belonging to the Nauru Police Force. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/87
Selected reading.
Russian ally Belarus launches military quick-response drills (Washington Post)
Putin’s Ukraine War: Desperate Belarus dictator strikes back (Atlantic Council)
Russian ransomware group claims attack on Bulgarian refugee agency (CyberScoop)
Russia and Ukraine Conflict Q&A | Cybersixgill (Cybersixgill)
Threat Advisory: New Log4j Exploit Demonstrates a Hidden Blind Spot in the Global Digital Supply Chain (Cequence)
Anonymous Leak 82GB of Police Emails Against Australia's Offshore Detention (HackRead)
S6 Ep 1571: More malware deployed in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks.
An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK’s hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of "shields up." Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle…. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/86
Selected reading.
Update on cyber activity in Eastern Europe (Google)
Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop)
Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future)
SolarWinds hackers set up phony media outlets to trick targets (CyberScoop)
SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future)
Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat)
Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus)
Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason)
Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN)
Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future)
The Hermit Kingdom’s Ransomware Play (Trellix)
New espionage group is targeting corporate M&A (TechCrunch)
Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek)
UNC3524: Eye Spy on Your Email (Mandiant)
Yokogawa CENTUM and ProSafe-RS (CISA)
Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)
S6 Ep 1570: Hybrid war and disinfo from the swamp. Stormous hacks on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Notes on ransomware operations.
Russia reroutes Internet traffic in occupied regions of Ukraine through Russian services. The Stormous gang, hacking on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Our guest Chetan Mathur of Next Pathway finds similarities between the cloud industry and the 1849 California Gold Rush. Eldan Ben-Haim of Apiiro on why cybersecurity is largely a culture issue. Notes on ransomware operations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/85
Selected reading.
Microsoft sees Russian cyberattacks on Ukraine 'getting more and more disruptive' (Inside Defense)
Sergey Lavrov claims Hitler had 'Jewish blood' (The Telegraph)
Lavrov’s anti-Semitic outburst exposes absurdity of Russia’s “Nazi Ukraine” claims (Atlantic Council)
Russia likens Zelensky to Hitler as Mariupol says Russia worse than Nazis (Newsweek)
Russia reroutes internet in occupied Ukrainian territory through Russian telcos (The Record by Recorded Future)
Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine (Trustwave)
Zhadnost ‘stamps’ out Ukrainian National Postal Service’s website. (SecurityScorecard)
Industrial cybersecurity researchers, looking for help, go public with unpatched IoT bug (The Record by Recorded Future)
Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk (Nozomi Networks)
Chinese "Override Panda" Hackers Resurface With New Espionage Attacks (The Hacker News)
Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector (The Hacker News)
New Black Basta Ransomware Possibly Linked to Conti Group (SecurityWeek)
Experts Analyze Conti and Hive Ransomware Gangs' Chats With Their Victims (The Hacker News)
Conti and Hive ransomware operations: What we learned from these groups' victim chats (Cisco Talos)
S1 Ep 30: The future of security validation – what next? [CyberWire-X]
Security executives need visibility into their real cyber risk in real time. But with the flood of vulnerability alerts, how can organizations pinpoint impactful security gaps? To meet this challenge, security teams are shifting to an exploit-centric approach to security validation to expose potential threats from ransomware, leaked credentials, phishing, and more. On this episode of CyberWire-X, we explore how automation can help teams make this shift to prioritize remediation based on bottom-line business impact. Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, discusses the topic with Rick Doten, CISO, Carolina Complete Health and CyberWire Hash Table member, while Dave Bittner, CyberWire podcast host, engages with sponsor Pentera's Jay Mar-Tang, Sales Engineering Manager for the Americas, about automated security validation.
S6 Ep 1569: Cyber sabotage and cyberespionage. Updates on Russia’s hybrid war against Ukraine. REvil seems to have returned.
Cable sabotage in France remains under investigation. Spearphishing by Cozy Bear. Widespread and damaging Russian cyberattacks have yet to appear, but criminals find a new field of activity. Hacktivism and privateering. The legal and prudential limits to hacktivism. Applying lessons learned from an earlier cyberwar. Romanian authorities say last week’s DDoS incident was retaliation for Bucharest’s support of Kyiv. Rick Howard is dropping some SBOMs. Carole Theriault reports on virtual kidnappings. REvil seems to be back after all. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/84
Selected reading.
How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities (CyberScoop)
Russian hackers compromise embassy emails to target governments (BleepingComputer)
Ukraine's defense applies lessons from a 15-year-old cyberattack on Estonia (NPR)
Feared Russian cyberattacks against US have yet to materialize (C4ISRNet)
Hacking Russia was off-limits. The Ukraine war made it a free-for-all. (Washington Post)
A YouTuber is promoting DDoS attacks on Russia — how legal is this? (BleepingComputer)
Ukraine’s Digital Fight Goes Global (Foreign Affairs)
Romanian government says websites attacked by pro-Russian group (The Record by Recorded Future)
REvil ransomware returns: New malware sample confirms gang is back (BleepingComputer)
S2 Ep 98: Jon DiMaggio: Two roads diverged. [Strategy] [Career Notes]
Bonus: Chief security strategist from Analyst1, Jon DiMaggio shares his story of how he grew to become a part of the cybersecurity world. He describes the different jobs that paved the way to the knowledge he has of the industry right now, and he even shares an experience that led him to a path that split, where the decision he made would be crucial in his career. He explains which way he ended up going and how a critical part of his career helped to determine that path. He says, "there's two paths when you have that happen, you can either let it defeat you, or you know, you come back swinging." We thank Jon for sharing his story.
S1 Ep 29: DevSecOps and securing the container. [CyberWire-X]
The move to cloud has great potential to improve security, but the required process and cultural changes can be daunting. A vast number of critical vulnerabilities make it to production and demand more effective mitigations. Although “shifting security left” should help, organizations are not able to achieve this quickly enough, and “shifting left” does not account for runtime threats. Organizations must strive to improve the prioritization of vulnerabilities to ensure the most dangerous flaws are fixed early. But even then, some risk will be accepted, and a threat detection and response program is required for full security coverage. On this episode of CyberWire-X, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores how to secure your software development lifecycle, how to use a maturity model like BSIMM, where containers fit in that process, and the Sysdig 2022 Cloud-Native Security and Usage report. Joining Rick on this episode are Tom Quinn, CISO at T. Rowe Price and CyberWire Hash Table member, and from episode sponsor Sysdig their Director of Thought Leadership, Anna Belak, to discuss their experiences and real-world data, as well as practical approaches to managing cloud risk.
S5 Ep 230Attackers coming in from the Backdoor? [Research Saturday]
bonusVikram Thakur of Symantec Threat Hunter team joins Dave Bittner to discuss their work on Daxin, a new and the most advanced piece of malware researchers have seen from China-linked actors. Symantec said " There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 by attackers linked to China." They go on to explain how Daxin is used to target organizations and governments of strategic interest to China and how those agencies can protect themselves. Symantec also discusses how this is the most advanced piece of malware their researchers have seen. The research can be found here: Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1568: Cyber phases of a hybrid war. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous claims. A Declaration for the Future of the Internet.
Russian and Ukrainian operators exchange cyberattacks. Wiper malware: contained, but a potentially resurgent threat. #OpRussia update. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous breach claims. CISA issues two new ICS advisories. Caleb Barlow on cleaning up the digital exhaust of your home. Our guests are Freddy Dezeure and George Webster on reporting cyber risk to boards. A Declaration for the Future of the Internet. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/83
Selected reading.
Russian missiles bombard Kyiv during UN chief’s visit (The Telegraph)
Zelenskiy urges ‘strong response’ after Russia strikes Kyiv during UN Ukraine visit (the Guardian)
Anonymous hacked Russian PSCB Commercial Bank and companies in the energy sector (Security Affairs)
Ongoing DDoS attacks from compromised sites hit Ukraine (Security Affairs)
Ukraine’s Digital Battle With Russia Isn’t Going as Expected (Wired)
CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine (CISA)
Government and researchers keep US attention on Russia's cyber activity in Ukraine (The Record by Recorded Future)
CISA Adds New Russian Malware to Cyber Advisory (Nextgov)
An Overview of the Increasing Wiper Malware Threat (Fortinet Blog)
Cyber Attacks Hit Romanian Government Websites (Balkan Insight)
More than $13 million stolen from DeFi platform Deus Finance (The Record by Recorded Future)
Coca-Cola Investigates Hacking Claim (Wall Street Journal)
Coca-Cola investigating data breach claims by Stormous group (Computing)
Has 'clown show' hacking gang Stormous really breached Coca-Cola? (Tech Monitor)
Delta Electronics DIAEnergie (CISA)
Johnson Controls Metasys (CISA)
A Declaration for the Future of the Internet (The White House)
FACT SHEET: United States and 60 Global Partners Launch Declaration for the Future of the Internet (The White House)
US joins 55 nations to set rules for internet, with eye on China and Russia (South China Morning Post)
China, India, Russia missing from future of internet pledge by US, EU, and 33 others (ZDNet)
US, partners launch plan for 'future' of internet, as China, Russia use 'dangerous' malign practices (Fox News)
U.S. joins 55 nations to set new global rules for the internet (Reuters)
Reporting Cyber Risk to Boards. Board Edition.
Reporting Cyber Risk to Boards. CISO Edition.
S6 Ep 1567: Russia and Ukraine trade cyberattacks. Chinese intelligence services look at Russian targets. Five Eyes advise on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Name that mascot.
Microsoft summarizes the scale of Russian cyberattacks against Ukraine. Russian cyber capabilities should be neither overestimated nor underestimated. Russia has also come under cyberattack during its hybrid war. Chinese intelligence services are paying close attention to Russian targets. The Five Eyes advise us on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Linda Gray-Martin and Britta Glade from RSA discuss what’s new at RSAC and cybersecurity trends. Marc van Zadelhoff of Devo talks about their new podcast Cyber CEOs Decoded coming to the CyberWire network. And, hey kids, name that mascot. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/82
Selected reading.
Special Report: Ukraine (Microsoft)
Russian Cyber Capabilities Have ‘Reached Their Full Potential,’ Ukrainian Official Says (Wall Street Journal)
Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload (Nozomi Networks)
Russia Is Being Hacked at an Unprecedented Scale (Wired)
BRONZE PRESIDENT targets Russian speakers with updated PlugX - Blog (Secureworks)
CISA, FBI, NSA, and International Partners Warn Organizations of Top Routinely Exploited Vulnerabilities (National Security Agency/Central Security Service)
The Air Force is trusting the internet to name its ridiculous new cybersecurity mascot (Task & Purpose)
S6 Ep 1566: Russian privateering continues. Stonefly is straight out of Pyongyang, and the Lazarus Group has never really left. Foggy Bottom seeks (Russian) snitches.
Heard on the Baltimore waterfront. Privateering against Western brands. An update on sanctions and counter sanctions. Stonefly, straight outta Pyongyang. Lazarus is also back (and not in the good way). Richard Hummel from NETSCOUT discusses their bi-annual Threat Intel Report. Jon DiMaggio from Analyst1 joins us to discuss his new book, “The Art of Cyberwarfare - An Investigator’s Guide to Espionage, Ransomware, and Organized Cybercrime.” And the US Department of State has added six Russian GRU officers to its Rewards for Justice program. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/81
Selected reading.
Britain says Ukraine controls majority of its airspace (Reuters)
Latest strikes on Russia hint daring Ukraine is not intimidated by the Kremlin (The Telegraph)
West gearing up to help Ukraine for ‘long haul’, says US defence secretary (the Guardian)
U.S., allies promise to keep backing Ukraine in its war with Russia (Washington Post)
Russia-linked hackers claim to have breached Coca-Cola Company (CyberNews)
Stormous ransomware gang claims to have hacked Coca-Cola (Security Affairs)
Chinese drone-maker DJI quits Russia and Ukraine (Register)
Russia to Cut Gas to Poland and Bulgaria, Making Energy a Weapon (Bloomberg)
Russia cuts off gas to Poland, Bulgaria, stoking tensions with E.U. over Ukraine (Washington Post)
Why Russia’s Economy Is Holding On (Foreign Policy)
Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets (Symantec)
A "Naver"-ending game of Lazarus APT (Zscaler)
U.S. offers $10 mln reward for information on Russian intelligence officers -State Dept (Reuters)
US offering $10 million for info on Russian military hackers accused of NotPetya attacks (The Record by Recorded Future)
Rewards for Justice – Reward Offer for Information on Russian Military Intelligence Officers Conducting Malicious Activity Against U.S. Critical Infrastructure - United States Department of State (United States Department of State)
S6 Ep 1565: Diplomacy and hybrid war. Heightened cyber tension as Quds Day approaches. Conti in Costa Rica. North Korean cyber operators target journalists. C2C notes. A guilty plea in a cyberstalking case.
Heightened cyber tension as Quds Day approaches. Costa Rican electrical utility suffers from Conti ransomware. Emotet’s operators seem to be exploring new possibilities. North Korean cyber operators target journalists who cover the DPRK. A guilty plea in a strange case of corporate-connected cyberstalking. Ben Yelin ponders the potential Twitter takeover. Mr. Security Answer Person John Pescatore addresses questions about vendors. And cybercrime, run like a business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/80
Selected reading.
Russia’s invasion of Ukraine: List of key events from day 62 (Al Jazeera)
Ukraine takes war behind enemy lines as Russian fuel depots set ablaze (The Telegraph)
Russia pounds eastern Ukraine as West promises Kyiv new arms (AP NEWS)
Finland, Sweden to begin NATO application in May, say local media reports (Reuters)
‘Thanks, Putin’: Finnish and Swedish Lawmakers Aim for NATO Membership (Foreign Policy)
World War Three now a 'real' danger, Russian foreign minister Sergei Lavrov warns (The Telegraph)
Moscow cites risk of nuclear war as U.S., allies pledge heavier arms for Ukraine (Reuters)
Russia Warns of Nuclear War Risk as Ukraine Talks Go On (Bloomberg)
From Jordan to Japan: US invites 14 non-NATO nations to Ukraine defense summit (Breaking Defense)
State TV says Iran foiled cyberattacks on public services (AP NEWS)
State TV Says Iran Foiled Cyberattacks on Public Services (SecurityWeek)
Iranian hackers claim they’ve hit the Bank of Israel - but ‘no proof,’ cyber authority says (Haaretz)
North Korean hackers targeting journalists with novel malware (BleepingComputer)
The ink-stained trail of GOLDBACKDOOR (Stairwell)
Conti ransomware cripples systems of electricity manager in Costa Rican town (The Record by Recorded Future)
Emotet Tests New Delivery Techniques (Proofpoint)
Ex-eBay exec pleads guilty to harassing couple whose newsletter raised ire (Reuters)
Mastermind of Natick couple’s harassment pleads guilty (Boston Globe)
Former eBay Executive Pleads Guilty to His Role in Cyberstalking Campaign (US Department of Justice)
Cybercriminals offer malware free of charge (IT-Markt)
S6 Ep 1564: Swapping small attacks in cyberspace. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. No farms, no future. Locked Shields wraps up.
Anonymous counts coup with their #OpRussia campaign. Alternative energy suppliers in Europe sustain cyberattacks. What Lapsus$ internal chatter reveals. Costa Rica won’t pay Conti’s ransom. Rick Howard hits the history books. Our guest is Paul Giorgi of XM Cyber with a look at multi-cloud hopping. Locked Shields wraps up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/79
Selected reading.
Ukraine's Postal Service DDOS'd After Printing Moskova Stamps (Gizmodo)
Since declaring cyber war on Russia Anonymous leaked 5.8 TB of Russian data (Security Affairs)
European Wind-Energy Sector Hit in Wave of Hacks (Wall Street Journal)
Schneider Electric says no evidence that Incontroller/Pipedream malware exploits vulnerabilities (MarketScreener)
Aid groups helping Ukraine face both cyber and physical threats (CNN)
Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code (KrebsOnSecurity)
Lapsus$ hackers breached T-Mobile’s systems and stole its source code (The Verge)
Lapsus$ hackers targeted T-Mobile (TechCrunch)
FBI Warns of Targeted Cyberattacks on Food Plants Amid Heightened Coverage of Fires (NTD)
Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons (IC3)
Cyberattack causes chaos in Costa Rica government systems (ABC News)
Finland wins NATO cyber defense competition (C4ISRNet)
S2 Ep 97: Danielle Jablanski: Finding the path to success [Strategy] [Career Notes]
Bonus: Operational technology cybersecurity strategist from Nozomi Networks, Danielle Jablanski shares her story of building a target map to end up where she is today. She shares how she started in college and how different paths in life brought her to the target of success where she is today. She says, "you build out that kind of target of where you want to be, and understand that getting to that point might mean doing things you don't enjoy for a number of years, but figuring that out is another way to get to that target without having like a clear bullseye." She goes on to explain how this target map is helping her to create real change and ultimately make an impact. We thank Danielle for sharing her story.
S5 Ep 229: BABYSHARK is swimming again! [Research Saturday]
Bonus: John Hammond from Huntress joins Dave Bittner on this episode to discuss malware known as BABYSHARK and how it is swimming out for blood once again. Huntress's research says "This activity aligns with known tradecraft attributed to North Korean threat actors targeting national security think tanks." Huntress also adds that the activity was spotted on February 16th and immediately their ThreatOps team began following the trail of breadcrumbs. They said "This led them to uncover the malware that was set to target specifically this organization–and certain influential individuals within it." The research can be found here: Targeted APT Activity: BABYSHARK Is Out for Blood
S6 Ep 1563: The cyber phases of Russia's war against Ukraine. Sanctions and the criminal underworld. Conti’s fortunes. More_eggs resurfaces. BlackCat ransomware warning.
A look at Russian malware used against Ukrainian targets. Actual and potential targets harden themselves against Russian cyberattacks. Sanctions and the criminal underworld. Conti’s fortunes. A credential stealer resurfaces in corporate networks. BlackCat ransomware warning. Tomer Bar from SafeBreach discusses MuddyWater. Dr. Christopher Emdin previews his new book STEM, STEAM, Make, Dream. CISA releases three more ICS security advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/78
Selected reading.
Russia outlines when Ukraine war will end (Newsweek)
Russia racing against clock to win Ukraine war before May 9 'Victory Day' (Newsweek)
A deeper look at the malware being used on Ukrainian targets (The Record by Recorded Future)
Ukraine ramps up cyber defences to slow surge in attacks (The Straits Times)
Five Eyes Alert Warns of Heightened Risk of Russian Cyber Attacks (Bloomberg)
Preparing for Energy Industry Cyberattacks (Wall Street Journal)
US sets dangerous precedents in cyberspace (Global Times)
Russia’s War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here’s How They’re Adapting (Flashpoint)
U.S. Treasury Designates Facilitators of Russian Sanctions Evasion (U.S. Department of the Treasury)
Russia says nyet, sanctions Mark Zuckerberg, LinkedIn’s Roslansky, VP Harris and other US leaders (TechCrunch)
GOLD ULRICK continues Conti operations despite public disclosures (Secureworks)
Costa Rica's Alvarado says cyberattacks seek to destabilize country as government transitions (Reuters)
Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire (eSentire)
BlackCat/ALPHV Ransomware Indicators of Compromise (IC3)
FBI: BlackCat ransomware breached at least 60 entities worldwide (BleepingComputer)
Delta Electronics ASDA-Soft (CISA)
Johnson Controls Metasys SCT Pro (CISA)
Hitachi Energy MicroSCADA Pro/X SYS600 (CISA)
S6 Ep 1562: Renewed Five Eyes’ warning about potential Russian cyberattacks. FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business.
A renewed Five Eyes’ warning about potential Russian cyberattacks. The FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business. Carole Theriault shares insights on bug bounty programs. Our own Rick Howard checks in with Zack Barack from Coralogix on where things stand with XDR. And beware of threats of Facebook account suspension. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/77
Selected reading.
Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
US and allies warn of Russian hacking threat to critical infrastructure
REvil's TOR sites come alive to redirect to new ransomware operation
FBI Warns of Ransomware Attacks on Farming Co-ops During Planting, Harvest Seasons
Phishing Site on Facebook Domain Used to Steal Credentials
S6 Ep 1561: Updates on Russia’s hybrid war. Pegasus spyware in the service of espionage. CISA issues alerts and vulnerability warnings. C2C markets. Extradition for Assange? A guilty plea in a US cyberstalking case.
A Shuckworm update. Pegasus spyware found in UK government officials’ phones. CISA issues six ICS security alerts and adds three entries to its Known Exploited Vulnerabilities Catalog. Gangs succeed when criminals run them like a business. Julian Assange moves closer to extradition to the US. Tim Eades from Cyber Mentor Fund on cyber valuations. Our guest is Wes Mullins from deepwatch discussing adversary simulations. And a guilty plea in a high-profile cyberstalking case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/76
Selected reading.
Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine
UK Government Reportedly Infected With NSO Group Spyware
‘CatalanGate’ Spyware Infections Tied to NSO Group
Pegasus Spyware and Citizen Surveillance: What You Need to Know
Julian Assange extradition order issued by London court, moving WikiLeaks founder closer to US transfer
Former eBay executive to plead guilty to cyberstalking campaign targeting couple
S6 Ep 1560: In a hybrid war, it’s about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for wallets (and other blockchained valuables). Emotet really likes those malicious macros.
In a hybrid war, sometimes it’s about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for crypto wallets (and your NFTs, and other blockchained valuables). Emotet really likes those malicious macros. Joe Carrigan looks at prompt bombing. Bec McKeown from Immersive Labs explains human cyber capabilities. And it’s our anniversary this week: celebrate with us. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/75
Selected reading.
Ukraine Update: Zelenskiy Says Battle for Donbas Has Begun (Bloomberg)
Ukraine at D+50: Russian reconstitution continues as shields stay up for ICS attacks. (The CyberWire)
Military intel chief believes Russia not to achieve any wins in Ukraine by Easter as Kremlin wishes (Ukrinform)
Ukraine War Divides Orthodox Faithful (New York Times)
US officials ramp up warnings about Russian cyberattacks (The Hill)
NATO Plays Cyberwar to Prep for a Real Russian Attack (Gizmodo)
FS-ISAC Leads Financial Sector in Global Live-Fire Cyber Exercise Locked Shields (PR Newswire)
If anyone understands Russian cyber dangers, it's Estonia's former president (Washington Post)
North Korean State-Sponsored APT Targets Blockchain Companies (CISA)
TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (CISA)
US warns of Lazarus hackers using malicious cryptocurrency apps (BleepingComputer)
Trends in the Recent Emotet Maldoc Outbreak | FortiGuard Labs (Fortinet Blog)
S6 Ep 1559Nuisance-level cyber ops in a hybrid war. “CatalanGate.” Industrial Spy caters to victims’ competitors? Conti chatter. $5 million reward for info on DPRK ops. Exercise Locked Shields.
Nuisance-level cyberattacks continue on both sides of Russia’s hybrid war against Ukraine. Face-saving disinformation. “CatalanGate.” Industrial Spy says it caters to its victims’ competitors. More on what’s been learned from Conti’s leaked chatter. Rewards for Justice offers $5 million for tips on DPRK cyber ops. Awais Rashid on supply chain risk management. Our guest is Jack Chapman from Egress to discuss a 232% increase in LinkedIn phishing attacks. And Exercise Locked Shields begins tomorrow. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/74 Selected reading. Occupants send computer viruses allegedly on behalf of SBU (Interfax-Ukraine) Ransomware groups go after a new target: Russian organizations (The Record by Recorded Future) Currency.com Targeted in Failed Cyber-Attack (Accesswire) Russia says missile attacks on Kyiv will increase (Military Times) Film and photos appear to show Russian cruiser Moskva shortly before it sank (the Guardian) CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru (The Citizen Lab) New Industrial Spy stolen data market promoted through cracks, adware (BleepingComputer) Event Overview: CONTI Leaks 2022 (BlueVoyant) U.S. offers $5 million for info on North Korean cyber operators (The Record by Recorded Future) North Korea: Up to $5 Million Reward (US State Department) World´s Largest International Live-Fire Cyber Exercise launches in Tallinn (CCDCOE) Learn more about your ad choices. Visit megaphone.fm/adchoices
S7 Ep 43CyberWire Live: Hack the Port 2022 Fireside chat. [Special Edition]
bonusAt the Hack the Port 2022 event, the CyberWire held a CyberWire Live event. CyberWire Daily Podcast host Dave Bittner was joined by Roya Gordon, OT/IoT Security Research Evangelist at Nozomi Networks, and Christian Lees, CTO at Resecurity. During this fireside chat format session, Dave and our guests discussed ICS, OT cybersecurity, the role of security research and demos, supply chain compromise, and IT/OT security trends among other things. Thanks to the team at MISI/DreamPort for this opportunity. Learn more about your ad choices. Visit megaphone.fm/adchoices
S2 Ep 96Satya Gupta: Rising to your contribution. [CTO] [Career Notes]
bonusSatya Gupta, co-founder and CTO of Virsec, shares the story behind his more than 25 years of expertise in embedded systems, network security and systems architecture. He also recalls something a colleague told him that resonated with him: "that was really a remarkable statement that I heard from that person. You rise to the point where you can actually contribute." He discusses how he got into the startup world and how different experiences in his life led him to become the successful figure he is today in the cyber community. We thank Satya for sharing his story. Learn more about your ad choices. Visit megaphone.fm/adchoices
S5 Ep 228A fight to defend Taiwan financial institutions. [Research Saturday]
bonusAlan Neville from Symantec/Broadcom joins Dave Bittner on this episode to discuss Antlion, a Chinese state-backed group that is using custom backdoors to target financial institutions in Taiwan. Symantec's blog shares the research behind the attacks and describes how the backdoor allowed the attackers to run WMI commands remotely. Symantec's research showed that "The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks." The researchers found that the activity had been going on over the past 18 months, with about 250 days spent in the financial organization and around 175 days in the manufacturing organization. The research can be found here: Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1558Further developments in Russia’s hybrid war. Conti claims responsibility for the Nordex hack. Lazarus Group heist. Indictments in influence ops case.
Further developments in the Incontroller/Pipedream industrial control system threat. Conti claims responsibility for the Nordex hack. The half-a-billion stolen from Ronin went to the Lazarus Group. And indictments in an influence ops case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/73 Selected reading. Ukraine war: Russia threatens to step up attacks on Kyiv (BBC News) Live Updates: Russia Sets Stage for Battle to Control Ukraine’s East (New York Times) Russian Troops Risk Repeating Blunders If They Try for May 9 Win (Bloomberg) Why Putin may be aiming to declare victory over Ukraine on May 9 (Fortune) What Victory Day means for Russian identity (Washington Post) Spy games: expulsion of diplomats shines light on Russian espionage (the Guardian) Finland and Sweden pursue unlinked NATO membership (Defense News) What Finland Can Offer NATO (Foreign Policy) U.S. warns energy firms of a rapidly advancing hacking threat (E&E News) Wind turbine firm Nordex hit by Conti ransomware attack (BleepingComputer) Karakurt revealed as data extortion arm of Conti cybercrime syndicate (BleepingComputer) Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team (Infinitum) US agency attributes $540 million Ronin hack to North Korean APT group (The Record by Recorded Future) North Korea Designation Update (U.S. Department of the Treasury) Russian legislator, staff accused of trying to influence US lawmakers: DOJ (Newsweek) Russian Legislator and Two Staff Members Charged with Conspiring to Have U.S. Citizen Act as an Illegal Agent of the Russian Government in the United States (US Department of Justice) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1557A nation-state threat actor targets industrial systems. It’s hard to recover from a threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin is back. Conti runs like a business.
A nation-state threat actor (probably Russian) targets industrial systems. A quick look at the GRU's earlier attempt against Ukraine's power grid. The difficulty of recovering from a credible threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin speaks Russian, and it holds Russian companies for ransom. Carole Theriault looks at research on lie detection. Josh Ray from Accenture drops some SBOMs. And another look at the privateers in the Conti gang. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/72 Selected reading. Ukraine Update: U.S., EU to Send More Arms; Warship Damaged (Bloomberg) INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems (Mandiant). PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments | Dragos (Dragos) APT Cyber Tools Targeting ICS/SCADA Devices (CISA) U.S. warns newly discovered malware could sabotage energy plants (Washington Post) Industroyer2 Targets Ukraine’s Electric Grid: Here’s How Companies Can Stay Protected and Resilient (Nozomi Networks) Wind Turbine Giant Nordex Hit By Cyber-Attack (Infosecurity Magazine) Lazarus Targets Chemical Sector (Symantec) Old Gremlins, new methods (Group-IB) Leaked documents show notorious ransomware group has an HR department, performance reviews and an 'employee of the month' (CNBC) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1556Powergrid attacks, DDoS, and doxing in a hybrid war. Notes on botnets, and a threat actor changes its phish hooks. Patch Tuesday. Sentence passed in a sanctions evasion case.
Industroyer2 and Ukraine's power grid. More on last week's distributed denial-of-service attack against Finland. Anonymous claims to have doxed Russia's Ministry of Culture. Hafnium gets evasive. Enemybot is under development but worth keeping an eye on. Changing the phish hook. Patch Tuesday notes. Tim Eades from Cyber Mentor Fund on digital & security transformations. Our guest is Aaron Shilts from NetSPI on proactive public-private sector security collaboration. Sanctions evasion is serious business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/71 Selected reading. Why Russia’s Cyber Warriors Haven't Crippled Ukraine (The National Interest) In Ukraine, a ‘Full-Scale Cyberwar’ Emerges (Wall Street Journal) Russian hackers tried to bring down Ukraine’s power grid to help the invasion (MIT Technology Review) Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine (Wired) Ukraine Thwarts Cyberattack on Electric Grid, Officials Say (Wall Street Journal) Zhadnost strikes again… this time in Finland. (SecurityScorecard) Anonymous Hits Russian Ministry of Culture- Leaks 446GB of Data (HackRead) Tarrask malware uses scheduled tasks for defense evasion (Microsoft Security Blog) Enemybot: A Look into Keksec's Latest DDoS Botnet (Fortinet Blog) Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene (ZDNet) Qbot malware switches to new Windows Installer infection vector (BleepingComputer) Microsoft Releases April 2022 Security Updates (CISA) Google Releases Security Updates for Chrome (CISA) Citrix Releases Security Updates for Multiple Products (CISA) Apache Releases Security Advisory for Struts 2 (CISA) Valmet DNA (CISA) Mitsubishi Electric MELSEC-Q Series C Controller Module (CISA) Inductive Automation Ignition (CISA) Mitsubishi Electric GT25-WLAN (CISA) Aethon TUG Home Base Server (CISA) U.S. crypto researcher sentenced to five years for helping North Korea evade sanctions (Reuters) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1555Cyber takes point in a hybrid war. Medical robot vulnerabilities remediated. A Cyber Civil Defense for the US? Europol leads the takedown of RaidForums.
GRU deploys Industroyer2 against the Ukrainian energy sector. NB65 counts coup against Roscosmos. Anonymous doxes three more Russian companies. President Putin purges the FSB’s Fifth Service. CISA warns of an exploited firewall vulnerability. Medical robots’ vulnerabilities are remediated. A Cyber Civil Defense effort in the US. Ben Yelin on newly passed cyber legislation. Our guest is Chase Snyder from ExtraHop to discuss their recent Cyber Confidence Index. And good riddance to RaidForums. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/70 Selected reading. Russia’s Reset (New York Times) Russia will not pause military operation in Ukraine for peace talks (Reuters) Industroyer2: Industroyer reloaded | WeLiveSecurity (WeLiveSecurity) CERT-UA warns of large-scale cyber attack on energy sector (Interfax-Ukraine) Russia's space programme hit by western cyber attack (The Telegraph) Anonymous Hits 3 Russian Entities, Leaks 400 GB Worth of Emails (HackRead) Russia’s Ukraine Propaganda Has Turned Fully Genocidal (Foreign Policy) Russia-Ukraine latest news: Vladimir Putin vows ‘clear and noble’ aims of Russian invasion will be achieved (The Telegraph) CISA warns orgs of WatchGuard bug exploited by Russian state hackers (BleepingComputer) CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA) Cynerio Discovers and Discloses JekyllBot:5, a Series of Critical Zero-Day Vulnerabilities Allowing Attackers to Remotely Control Hospital Robots (Cynerio) Craig Newmark Philanthropies Pledges $50 Million to Cyber Civil Defense (Global Cyber Alliance) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1554Cyber skirmishing as Russia redeploys in Ukraine. Spyware in senior EC official’s device. Sharkbot-infested apps ejected from Google Play. Advice from CISA.
US National Security Advisor says atrocities were part of Russia's plan. Russian commanders seek to keep troops away from dangerous sections of the Internet. Cyberattacks in Finland may be a shot across Helsinki's bow. CERT-UA warns of a phishing campaign. Hacktivists hit Russian organizations. Mixed reviews for US preemptive measures against GRU botnets. Sharkbot-infested apps ejected from Google Play. Johannes Ullrich from SANS on malicious ISO files embedded in HTML. Our guest is Neal Dennis from Cyware on threat intel sharing with members of Auto-ISAC. What you should do when your Shields are Up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/69 Selected reading. Russia Shuffles Command in Ukraine as Thousands Flee the East (New York Times) Sullivan: Intel indicates plan from ‘highest levels’ of Russian government to target civilians (The Hill) Russian soldiers banned from social media as ‘uncomfortable truths’ drain their morale (The Telegraph) West Seeks to Pierce Russia’s Digital Iron Curtain (Foreign Policy) YouTube blocks Russian parliament channel, drawing ire from officials (Reuters) U.S. quietly paying millions to send Starlink terminals to Ukraine, contrary to SpaceX claims (Washington Post) Hackers use Conti's leaked ransomware to attack Russian companies (BleepingComputer) State Service of Special Communications and Information Protection of Ukraine (GUR) How Russia's Invasion Triggered a US Crackdown on Its Hackers (Wired) The U.S. Opens a Risky New Front in Cyberdefense (Bloomberg) Meet the 1,300 librarians racing to back up Ukraine’s digital archives (Washington Post) The Race to Save Posts That May Prove Russian War Crimes (Wired) Exclusive: Senior EU officials were targeted with Israeli spyware (Reuters) SharkBot Android Malware Continues Popping Up on Google Play (SecurityWeek) SharkBot Banking Trojan spreads through fake AV apps on Google Play (Security Affairs) Sharing Cyber Event Information: Observe, Act, Report (CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices
S2 Ep 95Chenxi Wang: Overcoming the obstacle of fear. [Venture Capital] [Career Notes]
bonusChenxi Wang, founder and general partner of Rain Capital, shares her story and how she overcame the obstacle of fear to reach her goals in life. "I realized a lot of times my obstacle is my own fear rather than a real obstacle," Wang says. She also talks about breaking glass ceilings as a female founder working in cybersecurity, describes what she does and how she got to where she is today, and says she hopes to be remembered for being a kind person and for building her own venture fund. We thank Chenxi for sharing her story. Learn more about your ad choices. Visit megaphone.fm/adchoices
S5 Ep 227The secrets behind Docker. [Research Saturday]
bonusAlon Zahavi from CyberArk joins Dave Bittner on this episode to discuss CyberArk's work in conjunction with Patch Tuesday. CyberArk published a write-up on how Docker inadvertently created a new vulnerability and what happens when it is exploited. CyberArk's research concluded that an attacker may execute files with capabilities or setuid files in order to escalate privileges up to root level. CyberArk found the new vulnerability in some of Microsoft’s Docker images, caused by misuse of Linux capabilities, a powerful additional layer of security that gives admins the ability to assign capabilities and privileges to processes and files in the Linux system. The research can be found here: How Docker Made Me More Capable and the Host Less Secure Learn more about your ad choices. Visit megaphone.fm/adchoices
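The two privilege sources the research above points at, setuid/setgid binaries and files carrying Linux file capabilities, are worth enumerating in any image before it ships. The POSIX shell check below is an added example written for this page; it is not CyberArk's code and is not taken from the research. The function names and the idea of pointing it at an extracted image root (for example, `docker export <container> | tar -x -C rootfs`) are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not CyberArk's code): list the files in an image root that can
# grant a process more privilege than the user that executes them.
#   - setuid/setgid regular files (find, POSIX)
#   - files with Linux file capabilities (getcap, if libcap tools are installed)
# Usage: audit_privileged_files /path/to/extracted/rootfs   (root path is an assumption)

audit_privileged_files() {
    root="${1:-/}"
    # Stay on one filesystem (-xdev) so bind mounts and /proc do not pollute the listing.
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
    # File capabilities such as cap_net_raw+ep are invisible to 'ls'; getcap reads them.
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$root" 2>/dev/null
    fi
}

# Count of findings; a CI gate can fail the build when this is not the expected baseline.
count_privileged_files() {
    audit_privileged_files "$1" | wc -l | tr -d ' '
}

# Run directly with a path argument; harmless when sourced without one.
if [ -n "$1" ]; then
    audit_privileged_files "$1"
fi
```

Compare the output against a known baseline for the base image: a setuid `ping` or `su` copied in from the distribution is expected, while a freshly added tool carrying `cap_sys_admin` or a setuid bit is exactly the kind of misuse the episode describes and should be removed (`setcap -r`, `chmod u-s`) or justified in writing.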
S6 Ep 1553Disinformation in Russia’s war of aggression. Correlating overhead imagery and radio intercepts. Taking down state-sponsored cyber ops. Threats to power grids.
Russian disinformation in its war against Ukraine. Overhead imagery and electronic intercepts suggest that Russian atrocities are matters of policy and strategy. Microsoft disrupts GRU cyber operations. Facebook takes down Iranian coordinated inauthenticity. India’s Power Ministry says it stopped a Chinese cyberattack. Dave Dufour from Webroot on evolving attack mechanisms. Our guest is Dan Petro of Bishop Fox with a warning for document redaction. Grid security and the value of exercises. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/68 Selected reading. Putin’s ‘probably given up’ on Kyiv as Ukraine war enters new phase (Defense News) Ukraine says 39 killed in rocket strike on rail evacuation hub (Reuters) Russian rocket attack on Kramatorsk train station kills dozens—Ukraine (Newsweek) Possible Evidence of Russian Atrocities: German Intelligence Intercepts Radio Traffic Discussing the Murder of Civilians in Bucha (Der Spiegel) Germany intercepts Russian talk of indiscriminate killings in Ukraine (Washington Post) Microsoft says it disrupted Russian cyberattacks targeting Ukraine, West (The Hill) Disrupting cyberattacks targeting Ukraine - Microsoft On the Issues (Microsoft On the Issues) GridEx VI Lessons Learned Report (NERC) Power Grid Stress Test Finds Low-Tech Needs for High-Tech Problems (Wall Street Journal) Dire grid hacking scenario sparked “shields up” approach to Russian threat (Medium) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1552Blocking and tackling in the cyber phases of Russia’s hybrid war against Ukraine. Info-harvesting SDK. Recon into a power grid. Hydra Market indictment. Catphishing. Advance fee scams with a new twist.
An update on US cyber defensive operations and the war in Ukraine. You can’t tell your oligarchs without a scorecard. Google ejects data-harvesting apps from Play. China preps the cyber battlespace against India’s power grid. More moves against Hydra Market. Bearded Barbie’s catphishing. Betsy Carmelite from BAH on a blueprint for achieving a secure and resilient dot gov. Our guest is Padraic O'Reilly from CyberSaint with a fresh look at ransomware. And your majesty, meet this here dissident, who also needs to move money for the best of reasons…. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/67 Selected reading. Pentagon: Russia has fully withdrawn from Kyiv, Chernihiv (Washington Post) Zelenskyy tells UN: Act now on Russia or dissolve yourself altogether (Atlantic Council) DoJ takes down Russian botnet that targeted WatchGuard and Asus routers (ZDNet) FBI Disables "Cyclops Blink" Botnet Controlled by Russian Intelligence Agency (SecurityWeek) Justice Department Announces Court-Authorized Disruption of Botnet Controlled by the Russian Federation’s Main Intelligence Directorate (GRU) (US Department of Justice) Adversarial Threat Report (Meta) Facebook cracks down on covert influence networks targeting Ukraine (Washington Post) Russian-backed hackers broke into Facebook accounts of Ukrainian military officials (CBS News) Britain slaps sanctions on Russia’s biggest bank (The Telegraph) Russia hit with new round of U.S. sanctions as Biden decries 'major war crimes' (Reuters) U.S. to Sanction Putin Children, Banks Over Bucha Atrocities (Bloomberg) The Forbes Ultimate Guide To Russian Oligarchs (Forbes) Suspected Chinese Hackers Collect Intelligence From India’s Grid (Bloomberg) Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group (Recorded Future) Operation Bearded Barbie: APT-C-23 Campaign Targeting Israeli Officials (Cybereason) Google Bans Apps With Hidden Data-Harvesting Software (Wall Street Journal) The Nigerian Prince Scam, with a Russian Twist (Avanan) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1551Fire and cyber in Ukraine. Stone Panda (Cicada, APT10) expands its interests. Bogus e-commerce sites harvest banking credentials. Advice and guidance from CISA.
There’s a maneuver lull in Russia’s hybrid war against Ukraine, but fire and cyber ops continue. The US provides cyber assistance to Ukraine. The Cicada call of Stone Panda. Phony e-commerce sites seek to harvest banking credentials. CISA offers some advice and some guidance. Hydra Market sanctioned. Awais Rashid from Bristol University on anonymous communication systems. Our guest is Armaan Mahbod of DTEX Systems with a look at supermalicious insiders. And the most popular password is... For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/66 Selected reading. Russian military ‘weeks’ from being ready for new push as war takes its toll (The Telegraph) Russia's failure to take down Kyiv was a defeat for the ages (AP NEWS) U.S. Cyber Command providing cyber expertise and intelligence in Ukraine's fight against Russia (FedScoop) Cyber Command chief: U.S. has 'stepped up' to protect Ukraine's networks (The Record by Recorded Future) How Ukraine has defended itself against cyberattacks – lessons for the US (FIU News) Cicada: Chinese APT Group Widens Targeting in Recent Espionage Activity (Symantec) Fake e‑shops on the prowl for banking credentials using Android malware (WeLiveSecurity) CISA adds Spring4Shell vulnerability, Apple zero-days to exploited catalog (The Record by Recorded Future) LifePoint Informatics Patient Portal (CISA) Rockwell Automation ISaGRAF (CISA) Johnson Controls Metasys (CISA) Philips Vue PACS (Update A) (CISA) Treasury Sanctions Russia-Based Hydra, World’s Largest Darknet Market, and Ransomware-Enabling Virtual Currency Exchange Garantex (U.S. Department of the Treasury) Most Common Passwords 2022 - Is Yours on the List? (CyberNews) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1550Disinformation at the UN. Phishing against Ukraine. Hydra Market taken down. Is someone carrying on for Lapsus$? Compromise at Mailchimp. FIN7 branches out into ransomware.
Disinformation at the UN. Russian cyber operations against Ukraine. Bravo, BKA: German police take down a major contraband market. Under arrest but still in business? At least someone’s carrying on for Lapsus$. Compromise at Mailchimp. Joe Carrigan describes JavaScript vulnerabilities. Carole Theriault with an eye on romance scams through the lens of Netflix's "The Tinder Swindler". And a well-known gang branches out. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/65 Selected reading. Live Updates: U.N. Security Council to Meet as Evidence of War Crimes Mounts (New York Times) Elephant Framework Delivered in Phishing Attacks against Ukrainian Organizations (Intezer) Germany takes down Hydra, world's largest darknet market (BleepingComputer) LAPSUS$ hacks continue despite two hacker suspects in court (Naked Security) FIN7 hackers evolve toolset, work with multiple ransomware gangs (BleepingComputer) Notorious hacking group FIN7 adds ransomware to its repertoire (CyberScoop) Hackers breach MailChimp's internal tools to target crypto customers (BleepingComputer) Email marketing giant Mailchimp has confirmed a data breach (TechCrunch) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1549Doxing, trolling, and censorship in a hybrid war. Borat RAT. State’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Wild youth. Hey spooks: brown bag it like the GRU.
Doxing, trolling, and censorship in a hybrid war. Western organizations remain on alert for a Russian cyber campaign. Known Russian threat actors continue operations against Ukraine proper. Borat RAT described. Welcome the US State Department’s Bureau of Cyberspace and Digital Policy. National Supply Chain Integrity Month. Your wild ways will break your mother’s heart. Rick Howard weighs in on Shields Up. Josh Ray from Accenture on ideological differences on underground forums. And fast food as an OPSEC issue (and an OSINT source). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/64 Selected reading. Ukraine intelligence leaks names of 620 alleged Russian FSB agents (Security Affairs) Anonymous leaked 15 GB of data allegedly stolen from the Russian Orthodox Church (Security Affairs) Listen Now: Deputy national security adviser talks about the risk of Russia waging cyberwar (NPR One) Inside Cyber Front Z, the ‘People’s Movement’ Spreading Russian Propaganda (Vice) Ukraine Accuses Russia of Using WhatsApp Bot Farm to Ask Military to Surrender (Vice) ‘It’s like 1937’: Informants denounce anti-Ukraine war Russians (The Telegraph) Cyber Espionage Actor Deploying Malware Using Excel (Bank Info Security) New Borat remote access malware is no laughing matter (BleepingComputer) Deep Dive Analysis – Borat RAT (Cyble) Establishment of the Bureau of Cyberspace and Digital Policy (United States Department of State) Supply Chain Integrity Month (CISA) April is National Supply Chain Integrity Month. As Russia Plots Its Next Move, an AI Listens to the Chatter (Wired) Data leak from Russian delivery app shows dining habits of the secret police (The Verge) Learn more about your ad choices. Visit megaphone.fm/adchoices
S1 Ep 28Living security: the current state of XDR. [CyberWire-X]
bonusIn this CyberWire-X episode, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores the state of XDR. Joining Rick on this episode are Ted Wagner, SAP National Security Services CISO and CyberWire Hash Table member, and from episode sponsor Trellix are Bryan Palma, the Trellix Chief Executive Officer, and John Fokker, the Trellix Head of Cyber Investigations. Listen as Rick and guests discuss XDR, SASE, SIEM, and SOAR. Learn more about your ad choices. Visit megaphone.fm/adchoices
S2 Ep 94Michael DeBolt: From acting to cyber. [Intelligence] [Career Notes]
bonusMichael DeBolt, chief intelligence officer at Intel 471, shares his story of starting out as an actor, moving into intelligence, and what that transition was like for him. Michael grew up wanting to act and landed some acting jobs, but after joining the Marine Corps he decided to leave acting behind and start down a new path. He says that looking for a purpose really helped to shape him: "looking back on it, I feel like my life purpose has really been all about kind of this relentless pursuit of justice". He also describes how the risks he has taken have helped him right the wrongs of the world. We thank Michael for sharing his story. Learn more about your ad choices. Visit megaphone.fm/adchoices
S5 Ep 226A popular malware scheme and pay-per-install services. [Research Saturday]
bonusGuest Michael DeBolt from Intel 471 joins Dave Bittner on this episode to discuss one of the most popular commodity malware loaders on the underground, PrivateLoader. Intel 471's blog analyzes campaigns since May 2021, gives full details on a pay-per-install (PPI) malware service, the methods operators employ to obtain “installs,” and insights on the malware families the service delivers. The blog also breaks down how the PrivateLoader download is delivered and how it works, noting that "Visitors are lured into clicking a “Download Crack” or “Download Now” button to obtain an allegedly cracked version of the software." Michael explains more about this popular commodity malware loader. The research can be found here: PrivateLoader: The first step in many malware schemes Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1548Epistemic closure in a hybrid war. Wiper used against Viasat modems. US Treasury sanctions more Russian actors. Remediating Spring4shell. Notes from law enforcement. And we’re not joking.
Attempting to evolve rules of cyber conduct during a hot hybrid war. Waiting for major Russian cyber operations. Viasat terminals were hit by wiper malware. Patches and detection scripts for Spring4shell. Warning of ransomware threat to local governments. Emergency data requests under Senatorial scrutiny. NSA employee charged with mishandling classified material. Andrea Little Limbago from Interos on Bots, Warriors and Trolls. Rick Howard speaks with Maretta Morovitz on cyber deception. And no April Foolin’ here. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/63 Selected reading. Russia’s War Lacks a Battlefield Commander, U.S. Officials Say (New York Times) Putin may be self-isolating from his military advisers, says White House (The Telegraph) Confronting Russian Cyber Censorship (Wilson Center) Zelensky Fires Two Generals (Wall Street Journal) French intelligence chief Vidaud fired over Russian war failings (BBC News) Cyber War Talks Heat Up at UN With Russia at Table (Bloomberg.com) Foreign Ministry statement on continued cyberattack by the “collective West” (Ministry of Foreign Affairs of the Russian Federation) New Protestware Found Lurking in Highly Popular NPM Package (Checkmarx.com) Russia targeting Ukraine, countries opposing war in cyberspace (Jerusalem Post) Conti Leaks: Examining the Panama Papers of Ransomware (Trellix) British intelligence agencies: Moscow continuously attacks Ukraine in cyberspace (The Times Hub) AcidRain | A Modem Wiper Rains Down on Europe (SentinelOne) SentinelOne finds ties between Viasat hack and Russian actor (SC Magazine) ExtraHop CEO: Expect a Russian cyber response to sanctions (Register) Treasury sanctions Russian research center blamed for Trisis malware (CyberScoop) Treasury Targets Sanctions Evasion Networks and Russian Technology Companies Enabling Putin’s War (U.S. Department of the Treasury) Evgeny Viktorovich Gladkikh (Rewards for Justice) Spring confirms ‘Spring4Shell’ zero-day, releases patched update (The Record by Recorded Future) Spring4Shell (CVE-2022-22965): Are you vulnerable to this Zero Day? (Cyber Security Works) Ransomware Attacks Straining Local US Governments and Public Services (IC3) Senate’s Wyden Probes Use of Forged Legal Requests by Hackers (Bloomberg) NSA Employee Charged with Mishandling Classified Material (Military.com) National Security Agency Employee Indicted for Willful Transmission and Retention of National Defense Information (US Department of Justice) National Security Agency Employee Facing Federal Indictment for Willful Transmission and Retention of National Defense Information (US Department of Justice) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1547Moscow poorly served by its intelligence services, say London and Washington. Cyber phases of the hybrid war. A new zero-day, and some resurgent criminal activity.
Russian cyber operators collect against domestic targets. More details on the Viasat hack. Ukrainian hacktivists say they can interfere with Russian geolocation. Spring4shell is another remote-code-execution problem. The Remcos Trojan is seeing a resurgence. Malicious links distributed via Calendly. Johannes Ullrich from SANS on attack surface detection. Our guest is Fleming Shi from Barracuda on cybersecurity champions. Phishing with “emergency data requests.” Lapsus$ may be back from vacation. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/62 Selected reading. Vladimir Putin is being lied to by his advisers, says GCHQ (The Telegraph) U.S. intelligence suggests that Putin’s advisers misinformed him on Ukraine. (New York Times) White House: Intel shows Putin misled by advisers on Ukraine (AP NEWS) Russian troops sabotaging their own equipment and refusing orders in Ukraine, UK spy chief says (CNBC) Phishing campaign targets Russian govt dissidents with Cobalt Strike (BleepingComputer) KA-SAT Network cyber attack overview (Viasat.com) Tracking cyber activity in Eastern Europe (Google) Ukrainian Hackers Take Aim at Russian Artillery, Navigation Signals (Defense One) Russian efforts in Ukraine have not yet spilled over into cyberattacks on US, says lawmaker (C4ISRNet) New Spring Framework RCE Vulnerability Confirmed - What to do? (Sonatype) New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared (Contrast Security) Spring Core on JDK9+ is vulnerable to remote code execution (Praetorian) Spring4Shell: No need to panic, but mitigations are advised (Help Net Security) Remcos Trojan: Analyzing the Attack Chain (Morphisec) Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests (Bloomberg) Fresh Phish: Phishers Schedule Victims on Calendar App (INKY) Lapsus$ claims Globant as its latest breach victim (TechCrunch) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1546 Taking down bot farms. Cyber aggression. Kinetic influence ops. Spamming yourself? ICS control system advisories. Sanctions are also biting Russian cyber gangs.
Taking down bot farms. Russia says the US is the aggressor in cyberspace. Influence operations, arriving at Mach 10. The call is coming from inside the house! Cyber incidents affect aviation services. CISA posts ICS control system advisories. I welcome Tim Eades from the Cyber Mentor Fund. Our guest is Alex Holland from HP Wolf Security describing a new wave of attacks. And sanctions are also biting Russian cyber gangs. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/61 Selected reading. Ukraine dismantles 5 disinformation bot farms, seizes 10,000 SIM cards (BleepingComputer) Russia accuses U.S. of massive 'cyber aggression' (Reuters) Russia Has Fired 'Multiple' Hypersonic Missiles Into Ukraine, US General Confirms (Defense One) BREAKING: Russian Aviation Authority Suffers Cyberattack (Mentour Pilot) Bradley Airport Website Suffers Cyber Attack (NBC Connecticut) Philips e-Alert (CISA) Rockwell Automation ISaGRAF (CISA) Omron CX-Position (CISA) Hitachi Energy LinkOne WebView (CISA) Modbus Tools Modbus Slave (CISA) Delta Electronics DIAEnergie (CISA) “Your rubles will only be good for lighting a fire”: Cybercriminals reel from impact of sanctions (Digital Shadows) Sanctions Hitting Russian Cyber-Criminals Hard (Infosecurity Magazine) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1545 Cyber phases of a hybrid war continue at a nuisance level. IcedID’s distribution vectors. Automating software supply-chain attacks. CISA offers power supply risk mitigation guidance.
A cyberattack takes down a major Ukrainian Internet provider. GhostWriter is said to deploy Cobalt Strike against the Ukrainian government. Anonymous makes some large claims. This just in: spies drive drunk: Ukrainian intelligence doxes FSB officers. Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams. Red-Lili automates software supply-chain attacks. Ben Yelin considers Russian cyber capabilities. Mr. Security Answer Person John Pescatore addresses security automation. And CISA offers mitigation guidance on risks to uninterruptible power supplies. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/60 Selected reading. Russia says it will scale back near Kyiv as talks progress (AP NEWS) Ukraine Claims Some Battle Successes as Russia Focuses on Another Front (New York Times) Ukrainian telecom company's internet service disrupted by 'powerful' cyberattack (Reuters) ‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider (Forbes) GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon (Security Affairs) Secret World of Pro-Russia Hacking Group Exposed in Leak (Wall Street Journal) Anonymous is working on a huge data dump that will blow Russia away (Security Affairs) While Twitter suspends Anonymous accounts, the group hacked VGTRK Russian Television and Radio (Security Affairs) Names and addresses of 620 FSB officers published in data breach (Times) Russian spies unmasked in embarrassing blow for Vladimir Putin (The Telegraph) New Conversation Hijacking Campaign Delivering IcedID (Intezer) Spoofed Invoice Used to Drop IcedID (Fortinet Blog) A Beautiful Factory for Malicious Packages (Checkmarx) School of Hard Knocks: Job Fraud Threats Target University Students (Proofpoint) Mitigating Attacks Against Uninterruptible Power Supply Devices (CISA Insights) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1544 Notes on the cyber aspects of the ongoing hybrid war. DDoS in the Marshall Islands. Lapsus$ Group post mortems. US FCC sanctions Kaspersky. CISA adds Known Exploited Vulnerabilities to its Catalog.
Preparing for the spread of cyberattacks. A look at cyber operations in the hybrid war. C3 and electronic warfare. The Republic of the Marshall Islands suffers rolling DDoS attacks. Okta gives a detailed account of its experience with the Lapsus$ Group. Lapsus$ under the law enforcement microscope. The FCC sanctions Kaspersky. Malek Ben Salem from Accenture on getting full potential from deception systems. Our guest is Greg Scasny of Blueshift Cybersecurity with remote workforce security concerns. And CISA adds to its Known Exploited Vulnerabilities Catalog. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/59 Selected reading. ‘Preparation, not panic’: Top US cyber official asks Americans to look out for Russian hacking efforts (CNN) Russia hacked Ukrainian satellite communications, officials believe (BBC News) Chinese cyberattacks on NATO countries increase 116% since Russia's invasion of Ukraine: study (Fox Business) Why hasn't Russia used its 'full scope' of electronic warfare? (Breaking Defense) Russian troops’ tendency to talk on unsecured lines is proving costly (Washington Post) Marshall Islands telecom service hit by cyber attack (RNZ) Okta: "We made a mistake" delaying the Lapsus$ hack disclosure (BleepingComputer) Who is LAPSUS$, the Big, Bad Cybercrime Gang Hacking Tech's Biggest Companies? (Gizmodo) FCC puts Kaspersky on security threat list, says it poses “unacceptable risk“ (Ars Technica) U.S. FCC adds Russia's Kaspersky, China telecom firms to national security threat list (Reuters) CISA Adds 66 Known Exploited Vulnerabilities to Catalog (CISA) Learn more about your ad choices. Visit megaphone.fm/adchoices
S5 Ep 225 The breakdown of Shuckworm's continued cyber attacks against Ukraine. [Research Saturday]
Guest Dick O'Brien from Symantec joins Dave Bittner on this episode to discuss how "Shuckworm Continues Cyber-Espionage Attacks Against Ukraine." The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) has been active since 2013 and is known to use phishing emails to distribute freely available remote access tools. In July 2021, Symantec observed Shuckworm activity on an organization in Ukraine, and this continued until August 2021. According to a November 2021 report from the Security Service of Ukraine (SSU), since 2014 the Shuckworm group has been responsible for over 5,000 attacks against more than 1,500 Ukrainian government systems. Dick walks us through Symantec's investigation. The research can be found here: Shuckworm Continues Cyber-Espionage Attacks Against Ukraine Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1543 Fears of Russian escalation, with both chemical and cyber weapons, rise. DPRK APTs exploit Chrome vulnerabilities. Mustang Panda is back. Arrests made in the Lapsus$ case.
Fears of Russian escalation as Ukraine’s counteroffensive sees successes. Warnings of possible Russian cyberattacks gain context from attribution of the Viasat incident and two US unsealed indictments. CISA continues to recommend best practices. North Korean APTs exploit Chrome vulnerabilities. Mustang Panda is back. David Dufour from Webroot on ransomware gangs and cartels. Our guest is Liliana Monge of Sabio Coding Bootcamp on creating opportunities for those looking to pursue a career in tech. And boy, boy, your wild ways will break your mother’s heart. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/58 Selected reading. Ukrainian forces advance east of Kyiv as Russians fall back (Reuters) Counteroffensive in Ukraine Shifts Dynamic of War (New York Times) Ukrainian forces claim to destroy a Russian landing ship. (New York Times) Putin's war in Ukraine nearing possibly more dangerous phase (AP NEWS) Syrians watch in horror as Putin deploys the Aleppo playbook in Ukraine (CNN) Joe Biden: We will respond in kind if Vladimir Putin uses chemical weapons in Ukraine (The Telegraph) A month into the Russian invasion, Ukraine is still mostly online (The Record by Recorded Future) Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say (Washington Post) Hackers Attacked Satellite Terminals Through Management Network, Viasat Officials Say (Air Force Magazine) Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide (US Department of Justice) US charges four Russian hackers over cyber-attacks on global energy sector (the Guardian) North Korean Actors Exploited Chrome Flaw to Target U.S. Orgs (Decipher) Countering threats from North Korea (Google) New Mustang Panda hacking campaign targets diplomats, ISPs (BleepingComputer) Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection (Threatpost) Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal (BBC News) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1542 Updates on Russia’s hybrid war against Ukraine. The leader of the Lapsus$ Gang may be a 16-year-old living with his Mom. Wanted cybercriminals. Hacktivism’s sometimes wayward aim.
Concerns persist that President Putin will take his revenge in cyberspace for sanctions. Wiper attacks reported continuing in Ukraine. Russia also sustains cyberattacks. Lapsus$: living at home, with Mom. A carder kingpin finds his way onto the FBI’s Most Wanted List. Andrea Little Limbago from Interos on collective resilience. Our guest is Amit Shaked from Laminar Security on shadow data. Anonymous says it hit Nestlé, but Nestlé says it never happened. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/57 Selected reading. As Ukraine invasion stalls, Putin looks to cyber for revenge attack on US (Newsweek) Threat looms of Russian attack on undersea cables to shut down West’s internet (France 24) A Mysterious Satellite Hack Has Victims Far Beyond Ukraine (Wired) Anonymous hacks unsecured printers to send anti-war messages across Russia (HackRead) 'We want them to go to the Stone Age': Ukrainian coders are splitting their time between work and cyber warfare (CNBC) Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind (Bloomberg) Nestlé denies Anonymous hack, claiming it accidentally leaked data dump itself (Fortune) Nestlé says 'Anonymous' data leak actually a self-own (Register) Nestlé: You Can't Hack Us, We Leaked Our Own Data (Gizmodo) FBI adds Russian cybercrime market owner to most wanted list (BleepingComputer) United States of America v. Igor Dekhtyar (US District Court for the Eastern District of Texas) Learn more about your ad choices. Visit megaphone.fm/adchoices
S1 Ep 27 Insider Risk Excellence Awards. [CyberWire-X]
In this CyberWire-X episode, host Dave Bittner chats with the judges of the Insider Risk Excellence Awards. The inaugural awards program, announced during last September's Insider Risk Summit, recognizes the best of the best in Insider Risk Management. The awards honor the work of individuals and organizations as they address Insider Risk in the most collaborative work environment we’ve ever seen. Judges Joe Payne (President and CEO of Code42, and Chairman of the Insider Risk Summit) and Wendy Overton (Director of Cyber Strategy and Insider Risk Leader at Optiv) talk about the growing Insider Risk problem, reveal the winners of each award category, and pull back the curtain on how each of these Insider Risk trailblazers is making an impact. Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1541 British-American warnings of a Russian cyber threat, and Russia’s response. More on the Lapsus$ gang incidents at Microsoft and Okta. And Secureworks looks at Conti and sees a criminal ecosystem.
The US and the UK warn of impending Russian cyberattacks, and Russia responds with warnings against “banditry,” crime, and bad manners. CISA issues two new ICS advisories. Microsoft confirms a Lapsus$ gang incident, and so does Okta, but Okta’s case is more complicated. Josh Ray from Accenture on the cyber workforce. Our guest is Tom Gaffney from F-Secure with some ways to reduce digital anxiety. Secureworks takes a look at the criminal ecosystem around Conti. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/56 Selected reading. Ukraine war has put our relationship with US at breaking point - Russia (Daily Post Nigeria) Kremlin dismisses U.S. warning of potential Russian cyber attacks (Reuters) As Biden puts US on alert, Russia seeks talks to help prevent cyber war (Newsweek) U.K. echoes Biden warning on Russian cyberattacks (The Record by Recorded Future) Biden: Russia mulling cyberattacks on US (C4ISRNet) National Security Advisor details new intelligence on potential Russian cyberattacks (FOX 5 DC) The Threat of Russian Cyberattacks Looms Large (The New Yorker) FBI sees growing Russian hacker interest in US energy firms (AP NEWS) CISA Call with Critical Infrastructure Partners on Potential Russian Cyberattacks Against the U.S. (YouTube) CISA highlights new reporting hotline amid warnings about potential Russian cyber attacks (Federal News Network) Delta Electronics DIAEnergie (CISA) Delta Electronics DIAEnergie (Update B) (CISA) Microsoft, Okta Investigating Data Theft Claims (SecurityWeek) Hackers hit authentication firm Okta, customers 'may have been impacted' (Reuters) 'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack (Wired) Okta ‘identifying and contacting’ customers potentially affected by Lapsus$ breach (The Record by Recorded Future) Okta Investigates Report of Security Breach, Says It Finds No Evidence of New Attack (Wall Street Journal) Fury As Okta—The Company That Manages 100 Million Logins—Fails To Tell Customers About Breach For Months (Forbes) Cloudflare’s investigation of the January 2022 Okta compromise (Cloudflare Blog) Updated Okta Statement on LAPSUS$ (Okta) GOLD ULRICK leaks reveal organizational structure and relationships (Secureworks) Details of Conti ransomware affiliate released (ComputerWeekly.com) More can be done to curb misuse of Cobalt Strike, expert says (VentureBeat) Learn more about your ad choices. Visit megaphone.fm/adchoices
S6 Ep 1540 White House adds its voice to CISA’s Shields Up, warning of the possibility of Russian cyberattacks. New malware strains described, new criminal attack techniques observed.
White House warns of large-scale Russian cyberattacks. Browser-in-the-Browser attacks. New Conti affiliate described. Android malware “Facestealer” described. Microsoft and Okta investigate possible Lapsus$ attacks. Arid Gopher is out in the wild. Our guest is Swathi West of Barr Advisory on opportunities for the underrepresented in cybersecurity. Joe Carrigan wonders if we can’t just get rid of passwords once and for all. And advancing censorship by finding “extremism” and “Russophobia” in Meta’s platforms. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/55 Selected reading. Russia's hybrid war with Ukraine: strategy, norms, and alliances (The CyberWire) Statement by President Biden on our Nation’s Cybersecurity (The White House) FACT SHEET: Act Now to Protect Against Potential Cyberattacks (The White House) Statement from CISA Director Easterly on Potential Russian Cyberattacks Against the United States (CISA) Press Briefing by Press Secretary Jen Psaki and Deputy NSA for Cyber and Emerging Technologies Anne Neuberger, March 21, 2022 (The White House) Statement from Secretary Mayorkas on Cybersecurity Preparedness (US Department of Homeland Security) Conti Affiliate Exposed: New Domain Names, IP Addresses and Email… (eSentire) New Phishing toolkit lets anyone create fake Chrome browser windows (BleepingComputer) New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable (The Hacker News) Arid Gopher: Newest Micropsia Malware Variant (Deep Instinct) Spyware dubbed Facestealer infects 100,000+ Google Play users (Pradeo) Okta confirms investigation into potential breach (The Record by Recorded Future) Microsoft investigating alleged Lapsus$ hack of Azure DevOps source code repositories (Computing) Russian War Report: Meta officially declared “extremist organization” in Russia (Atlantic Council) Learn more about your ad choices. Visit megaphone.fm/adchoices