
CyberWire Daily
S6 Ep 1539 - Hacktivism, protestware, and information operations in a hybrid war. Brazil-based cyber gangs active in extortion. Steganography opens a backdoor. A free decryptor for Diavol ransomware.
The widely expected, intense Russian cyber campaign has yet to appear. "Protestware" as a dangerous turn in hacktivism. Information operations and the persistence of independent channels of news. Social media as an opsec problem. Lapsus$ may have hit Microsoft. A second Brazilian gang tries its hand at extortion. A snakey backdoor afflicts French organizations. AD Bryan Vorndran of the FBI Cyber Division on what the agency brings to the table in cyberspace. Rick Howard considers infrastructure as code. Emsisoft offers a free decryptor for Diavol ransomware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/54 Selected reading. Volodymyr Zelensky tells Russia to seek ‘meaningful’ peace talks or face catastrophic losses (The Telegraph) Cyber threats and the Ukraine conflict (Avast) Cyber ‘cold war’ rages online but Russia holds back on massive digital attacks (Times of Israel) Mar 13- Mar 19 Ukraine – Russia the silent cyber conflict (Security Affairs) Former CIA officer shows what a Russian cyberattack on the US would look like (Fox News) EU and US agencies warn that Russia could attack satellite communications networks (Security Affairs) Banks on alert for Russian reprisal cyberattacks on Swift (Ars Technica) Activists are targeting Russians with open-source “protestware” (MIT Technology Review) Cyber warfare gets real for satellite operators (SpaceNews) More Conti ransomware source code leaked on Twitter out of revenge (BleepingComputer) Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers (Vice) Anonymous has unleashed a successful cyberwar to undermine Putin's Ukraine invasion (Fortune) Some Russians are breaking through Putin’s digital iron curtain — leading to fights with friends and family (Washington Post) On Russia's VK, anti-war messages defy Vladimir Putin's Ukraine censors (Newsweek) Why Russia’s anti-war movement matters (Atlantic Council) Telegram Thrives Amid Russia’s Media Crackdown (Wall Street Journal) British soldiers are ordered off WhatsApp amid fears that sensitive military details could be accessed by Russian hackers (Daily Mail) Microsoft Investigating Claim of Breach by Extortion Gang (Vice) Hacking group that went after NVIDIA may have also attacked Microsoft (Windows Central) Microsoft Allegedly Breached by LAPSUS Group (Cyber Kendra) Lapsus$ gang sends a worrying message to would-be criminals (Register) TransUnion cyber attack – hackers demand R225 million ransom (Business Tech). TransUnion Confirms Data Breach at South Africa Business (SecurityWeek) UPDATE | TransUnion believes breach of 54 million SA records unrelated to current hack (Fin24) Banks move to protect consumers in wake of TransUnion cyberattack (TechCentral) Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain (Proofpoint) Emsisoft releases free decryptor for the victims of the Diavol ransomware (Security Affairs) Learn more about your ad choices. Visit megaphone.fm/adchoices
S2 Ep 92 - Derek Manky: Putting the rubber to the road. [Threat Intelligence] [Career Notes]
Chief Security Strategist and VP of Global Threat Intelligence at FortiGuard Labs, Derek Manky, shares his story from programmer to cybersecurity and how it all came together. Derek started his career teaching programming because he had such a passion for it. When he joined Fortinet, Derek said, that is where it "really started putting the rubber to the road and connecting my previous experience with programming and debugging and knowledge of operating systems and all that with real-world applications." Derek advises that it doesn't need to be complicated getting into the cybersecurity field and that there are many avenues to enter the field. He hopes to have made a real dent, or "hopefully a crater," in cyber crime when he ends his career. We thank Derek for sharing his story with us.
S5 Ep 224 - Implications of data leaks of sensitive OT information. [Research Saturday]
Guest Nathan Brubaker from Mandiant joins Dave Bittner on this episode to discuss Mandiant Threat Intelligence's research: "1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information." Data leaks have always been a concern for organizations. The exposure of sensitive information can result in damage to reputation, legal penalties, loss of intellectual property, and even impact the privacy of employees and customers. However, there is little research about the challenges posed to industrial organizations when threat actors disclose sensitive details about their OT security, production, operations, or technology. In 2021, Mandiant Threat Intelligence continued observing ransomware operators attempting to extort thousands of victims by disclosing terabytes of stolen information on shaming sites. This trend, which Mandiant Threat Intelligence refers to as “Multifaceted Extortion,” impacted over 1,300 organizations from critical infrastructure and industrial production sectors in just one year. Nathan walks us through their research and findings. The research can be found here: 1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information
S6 Ep 1538 - Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism may go too far. C2C market notes. Advice from CISA and NIST. Prank calls as statecraft.
Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism that affects software supply chains may go too far. An initial access broker in the criminal-to-criminal market. BlackMatter may be working with BlackCat. CISA offers a warning and advice to SATCOM operators. NIST offers some guidance on industrial control system security. Johannes Ullrich reminds us to patch our backup tools. Our guest is Armando Saey from MISI with insights on maritime port security. And Rear Admiral Mehoff, call your office. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/53 Selected reading. Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion (The Hacker News) Software Supply Chain Weakness: Snyk Warns of 'Deliberate Sabotage' of NPM Ecosystem (SecurityWeek) Russian government websites face ‘unprecedented’ wave of hacking attacks, ministry says (Washington Post) Ukraine’s Digital Ministry Is a Formidable War Machine (Wired) Exposing initial access broker with ties to Conti (Google) Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware (The Hacker News) Strengthening Cybersecurity of SATCOM Network Providers and Customers (CISA) NIST SPECIAL PUBLICATION 1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector (NIST) Hoax caller claiming to be Ukrainian PM got through to UK defence secretary (the Guardian) Russians target Priti Patel and Ben Wallace with fake video calls (The Telegraph)
S6 Ep 1537 - Debunking deepfakes. Hacktivism and information warfare. The prospect of “splinternets.” Germany warns of security product risks. Disruption of Ukrainian ISPs. New wrinkles in phishing.
Not-so-deepfakes debunked. Hacktivism and information warfare in Russia’s war against Ukraine. The prospect of an age of “splinternets.” Germany warns of risks from Kaspersky security products. Disruption of Ukrainian ISPs. David Dufour from Webroot on cyberattacks hitting the automotive sector. Carole Theriault ponders parental disclosure of tracking their kids. Three new wrinkles to social engineering. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/52 Selected reading. Russia and Ukraine ‘draw up 15-point peace plan’ (The Telegraph) Deepfake video of Zelenskyy could be 'tip of the iceberg' in info war, experts warn (NPR.org) The Russia-Ukraine War And The Revival Of Hacktivism (Digital Shadows) In a Chilling Threat, Putin Vows to Rid Russia of ‘Traitors’ (Bloomberg) Russia is risking the creation of a “splinternet”—and it could be irreversible (MIT Technology Review) Traffic interception and MitM attacks among security risks of Russian TLS certs (CSO Online) Germany's BSI warns against Kaspersky AV over spying concerns (CSO Online) Major Ukrainian Internet Provider Triolan Suffers Severe Cyber Attacks and Infrastructure Destruction During Russian Invasion (CPO Magazine) The Attack of the Chameleon Phishing Page (Trustwave) The Email Bait … and Phish: Instagram Phishing Attack (Armorblox) Using CAPTCHA Forms to Bypass Filters (Avanan)
S6 Ep 1536 - Ukrainian President Zelenskyy addresses the US Congress, as Russia’s hybrid war continues. LokiLocker ransomware flies a false flag. CISA warns of Russian cyber threat. Advance fee arrest.
Ukrainian President Zelenskyy addresses the US Congress, as intelligence services, contractors, and hacktivists wage their part of a hybrid war. BlackBerry describes LokiLocker, a new strain of ransomware that’s not Iranian, but would have you think it is. CISA and the FBI warn of a Russian cyber campaign. Nigeria arrests an alleged advance-fee scam artist (he’s been wanted for some time). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/51
S6 Ep 1535 - Disinformation and cyberattacks in Russia’s hybrid war against Ukraine. DDoS attack hits Israeli telcos. Captured tools are old news. Recent trends in cybercrime.
Biowar disinformation. A new wiper is discovered in Ukrainian systems. Cyber criminals look for letters of marque from both sides (and some of them are looking like hacktivists). Ukrainian cybersecurity firms and intelligence services mobilize against Russia. Ben Yelin evaluates cyber engagements in the crisis. A protester crashes a Russian news broadcast. DDoS attack takes down Israeli sites. China claims to have “captured” NSA hacking tools. Our guest is Ben Brook CEO of Transcend with a look at data privacy. Recent trends in cybercrime. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/50 Selected reading. Researchers find new destructive wiper malware in Ukraine (The Verge) Cloud Native Technologies Used in Russia-Ukraine Cyber Attacks (Aqua Security) Financially motivated threat actors willing to go after Russian targets (Help Net Security) Kyiv’s hackers seize their wartime moment (POLITICO) Global Incident Report: Threat Actors Divide Along Ideological Lines over the Russia-Ukraine Conflict on Underground Forums (Accenture) Political fallout in cybercrime circles upping the threat to Western targets (CyberScoop) A protester storms a live broadcast on Russia’s most-watched news show, yelling, ‘Stop the war!’ (New York Times) Denial-of-service attack knocked Israeli government sites offline (CyberScoop) China claims it captured NSA spy tool that already leaked (Register) Ransomware Variants Q4 2021 (Intel471.com) Cequence Security Releases Report Revealing Top 3 Attack Trends in API Security (Cequence)
S6 Ep 1534 - Russia’s hybrid war against Ukraine becomes more firepower intensive, but hackers make their mark. Cybercrime does business as usual.
The situation in Russia’s war against Ukraine, and Mr. Putin’s frustration with his intelligence services. Provocations, state-hacking, and influence operations in a hybrid war. Lapsus$ hits Ubisoft with ransomware. LockBit hits Bridgestone America. The Escobar banking Trojan is out in the wild. Kaspersky source apparently not compromised after all. Dan Prince wonders whether we are properly preparing for the roles of tomorrow. Rick Howard is pulling on the kill chain. And the wayward aim of public opinion. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/49 Selected reading. After more than two weeks of war, the Russian military grinds forward at a heavy cost (Washington Post) Ukraine war latest: Talks resume as Russia strikes Kyiv (BBC News) US view of Putin: Angry, frustrated, likely to escalate war (AP NEWS) Kremlin arrests FSB chiefs in fallout from Ukraine chaos (Times) Russian Cyber Restraint in Ukraine Puzzles Experts (SecurityWeek) Russia's cyber offensive against Ukraine has been limited so far. Experts are divided on why (KESQ) ‘Not the time to go poking around’: How former U.S. hackers view dealing with Russia (POLITICO) We're seeing 800% increase in cyberattacks, says MSP (Register) Russia makes claims of US-backed biological weapon plot at UN (the Guardian) Russian media spreading disinformation about US bioweapons as troops mass near Ukraine (Bulletin of the Atomic Scientists) Russian TikTok Influencers Are Being Paid to Spread Kremlin Propaganda (Vice) The White House is briefing TikTok stars about the war in Ukraine (Washington Post) Android malware Escobar steals your Google Authenticator MFA codes (BleepingComputer) Google Attempts to Explain Surge in Chrome Zero-Day Exploitation (SecurityWeek) Google: We're spotting more Chrome browser zero-day flaws in the wild. Here's why (ZDNet). Ubisoft says it experienced a ‘cyber security incident’, and the purported Nvidia hackers are taking credit (The Verge) UPDATE 1-Japan's Denso hit by apparent ransomware attack - NHK (Reuters) LockBit ransomware group claims to have hacked Bridgestone Americas (Security Affairs)
S2 Ep 91 - Kristin Strand: Be firm in your goals. [Consultant] [Career Notes]
Cybersecurity Associate Consultant at BARR Advisory, Kristin Strand, shares her journey from the military to teaching and now to cybersecurity. Kristin shares how she'd wanted to be a teacher since she was young. She joined the Army to help pay for college and throughout her career has taken advantage of programs to help her move on to her next challenge. From teaching, Kristin decided to transition to IT and came to cybersecurity through a Department of Labor program. She's also currently training to be a drill sergeant. Kristin advises you stand firm to your goals and know what you want. It will come around. We thank Kristin for sharing her story with us.
S5 Ep 223 - The story of REvil: From origin to beyond. [Research Saturday]
Guest Jon DiMaggio, Chief Security Strategist at Analyst1, joins Dave Bittner to discuss his team's research "A History of REvil" that chronicles the rise and fall of REvil. The REvil gang is an organized criminal enterprise based primarily out of Russia that runs a Ransomware as a Service (RaaS) operation. The core members of the gang reside and operate out of Russia. REvil leverages hackers for hire, known as affiliates, to conduct the breach, steal victim data, delete backups, and infect victim systems with ransomware for a share of the profits. Affiliates are drawn primarily from across eastern Europe, though a small percentage operate outside that region. In return, the core gang maintains and provides the ransomware payload, hosts the victim data leak/auction site, facilitates victim communication and payment services, and distributes the decryption key. In simpler terms, the core gang is the service provider and persona behind the operation, while the affiliates are the hired muscle facilitating attacks. Jon walks us through the team's findings and details REvil's story. The research can be found here: A History of REvil
S6 Ep 1533 - An update on the hybrid war in Ukraine. Conti and its users are still up and active. CISA releases twenty-four ICS security advisories. An extradition in the NetWalker case.
An update on the hybrid war in Ukraine. Allegations of war crimes and Russian disinformation. Chemical, biological, and radiological weapons disinformation. Preparing for cyberattacks. Cyber operations against Russia. GPS interference reported along Finland’s border. Conti and its users are still up and active. CISA releases twenty-four ICS security advisories. Malek Ben Salem from Accenture on deception systems. Our guest is Joe Payne from Code42 on data exposure. An extradition in the NetWalker case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/48 Selected reading. Russia 'did not attack Ukraine' says Lavrov after meeting Kuleba (euronews) Read the latest cybersecurity analysis (Accenture) Where conflict is reported in Ukraine right now (The Telegraph) How U.S. Bioweapons in Ukraine Became Russia’s New Big Lie (Foreign Policy) Russian embassy demands Meta stop 'extremist activities' (NASDAQ:FB) (SeekingAlpha) Transparency Org Releases Alleged Leak of Russian Censorship Agency (Vice) SecurityScorecard Discovers new botnet, ‘Zhadnost,’ responsible for… (SecurityScorecard) Inside the Russian cyber war on Ukraine that never was (Task & Purpose) Report: Recent 10x Increase in Cyberattacks on Ukraine (KrebsOnSecurity) Russian defense firm Rostec shuts down website after DDoS attack (BleepingComputer) The Spectacular Collapse of Putin’s Disinformation Machinery (Wired) Will Russians Choose Truth or Lies? Ukraine’s Fate Depends on Them (Bloomberg) Finnish govt agency warns of unusual aircraft GPS interference (BleepingComputer) Corporate website contact forms used to spread BazarBackdoor malware (BleepingComputer) U.S. Warns of Conti Ransomware Attacks as Gang Deals With Leak Fallout (SecurityWeek) Ex Canadian government worker extradited to U.S. to face more ransomware charges (CBC) Former Canadian Government Employee Extradited to the United States to Face Charges for Dozens of Ransomware Attacks Resulting in the Payment of Tens of Millions of Dollars in Ransoms (US Department of Justice)
S6 Ep 1532 - Cyber phases of a hybrid war. Google stops a Judgment Panda campaign and Symantec tracks Daxin. CISA updates its Conti alert. An alleged REvil member is arraigned in Texas.
Prebunking a provocation. A spot report on the cyber phases of a hybrid war. Google stops a Judgment Panda campaign against US Government Gmail users. Symantec continues to track the origins and uses of the Daxin backdoor. CISA updates its Conti alert. Josh Ray from Accenture has tips on Log4J. Our guest is Chetan Conikee of ShiftLeft with strategies for reducing attackability. And law northeast of the Pecos, as an alleged member of REvil is arraigned in Texas. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/47 Selected reading. Vladimir Putin ‘plotting chemical weapons attack in Ukraine’ (The Telegraph) White House warns Russia could use chemical weapons in Ukraine (TheHill) Russia, China May Be Coordinating Cyber Attacks: SaaS Security Firm (eSecurityPlanet) More Than 5 Million Anti-Propaganda Text Messages Sent to Russians in Anonymous Information Warfare (Hstoday) Anonymous hacked Russian cams, websites, announced a clamorous leak (Security Affairs) EXCLUSIVE BNP Paribas bars Russia-based staff from computer systems as cyber attack fears grow (Reuters) CISA updates Conti ransomware alert with nearly 100 domain names (BleepingComputer) Google Blocks Chinese Phishing Campaign Targeting U.S. Government (SecurityWeek) Symantec tracked down one developer of ‘China’s most advanced piece of malware’ (Sc Magazine) Daxin Backdoor: In-Depth Analysis, Part One (Symantec) Daxin Backdoor: In-Depth Analysis, Part Two (Symantec) Sodinokibi/REvil Ransomware Defendant Extradited to United States and Arraigned in Texas (US Department of Justice)
S6 Ep 1531 - Waiting for the Bears to come out. APT41 hits US state governments. A surge in mobile malware, and a look at yesterday’s Patch Tuesday.
Zelenskyy addresses the House of Commons. Cyber operations in Russia's war against Ukraine. Chinese cyber espionage campaign hits six US state governments (but it might be an APT side-hustle). A surge in mobile malware. Joe Carrigan looks at derestricting your software. Our guest Bob Dudley discusses cyberattacks against the European energy sector. And a quick look back at Patch Tuesday. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/46 Selected reading. Volodymyr Zelensky speech: Ukrainian President vows to fight Russians in 'forests, fields and on shores' as he channels Winston Churchill (The Telegraph) Putin’s Endgame Starts to Look Like Reducing Ukraine to Rubble (Bloomberg) Live Updates: Biden Bans Russian Oil Imports and Major U.S. Brands Close Outlets (New York Times) The March 2022 Security Update Review (Zero Day Initiative) EU countries call for cybersecurity emergency response fund -document (Reuters) Annual Threat Assessment of the U.S. Intelligence Community (Office of the Director of National Intelligence) PTC Axeda agent and Axeda Desktop Server (CISA) AVEVA System Platform (CISA) Sensormatic PowerManage (CISA)
S6 Ep 1530 - Updates on Russia’s hybrid war, including cyber ops and influence operations. Mustang Panda focuses on Europe in its cyberespionage. Ransomware hits oil and gas sector. UPS vulnerabilities.
Updates from the UK’s Ministry of Defense on Russia’s War in Ukraine. Influence operations: the advantage still seems to go to Ukraine, as Russian efforts look inward. Assessing the effects of hacktivism and cyber operations in the hybrid war. Privateering: Conti, Ragnar Locker, and (probably) others. Mustang Panda rears up in European diplomatic networks. Ransomware hits a Romanian fuel distributor. Andrea Little Limbago from Interos on data traps. Carole Theriault tracks the fight against deepfakes. Vulnerabilities found in UPS devices. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/45
S6 Ep 1529 - Cyber dimensions of Russia’s hybrid war against Ukraine. Hacktivists and cybercriminals choose sides. Lapsus$ releases NVIDIA and Samsung data (and says a victim hacked back).
Russian influence operations fail as few support Russia's war of aggression. Ukraine will become a "contributing participant" in NATO's CCDCOE. Ukrainian cyberattacks, and the marshaling of hacktivists. Russian cyberattacks: surprisingly restrained and unsurprisingly supported by criminal organizations like Conti. The FBI’s Bryan Vorndran joins us with insights on the work his team did on Sodinokibi. Rick Howard looks at vulnerability management. Lapsus$ gang releases data taken from NVIDIA and Samsung in separate extortion incidents. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/44 Selected reading. What Happened on Day 11 of Russia’s Invasion of Ukraine (New York Times) Putin says Ukraine's future in doubt as cease-fires collapse After temporary cease-fires break down, Putin threatens Ukraine’s government (AP NEWS) Ukraine to join NATO cyber defence centre as 'contributing participant' (Reuters) Putin Is Raising an Iron Firewall Around Russia (Bloomberg) Three reasons Moscow isn't taking down Ukraine's cell networks (POLITICO) Hacktivists Stoke Pandemonium Amid Russia’s War in Ukraine (Wired) DDoS hacktivism: A highly risky exercise (Avast) This Ukrainian cyber firm is offering hackers bounties for taking down Russian sites (The Record by Recorded Future) Ukraine Cyber Official: We Only Attack Military Targets (SecurityWeek) Volunteer Hackers Converge on Ukraine Conflict With No One in Charge (New York Times) Russia shares list of 17,000 IPs allegedly DDoSing Russian orgs (BleepingComputer) Ukraine's 'IT army' targets Belarus railway network, Russian GPS (Reuters) HawkEye 360 detects GPS interference in Ukraine (SpaceNews) Hackers are being forced to pick sides in the Russia-Ukraine war (KTVH) Nvidia allegedly hacks back (Avast) Credentials of 71,000 NVIDIA Employees Leaked Following Cyberattack (SecurityWeek) Leaked stolen Nvidia cert can code-sign Windows malware (Register) Hackers claim massive Samsung leak, including encryption keys and source code (Android Police) Lapsus$ group leaks 190GB of Samsung data, source code (Computing) Samsung’s secret data leaks after devastating cyberattack (SamMobile)
S2 Ep 90 - Chetan Conikee: Create narratives of your journey. [CTO] [Career Notes]
Founder and CTO of ShiftLeft, Chetan Conikee shares his story from computer science to founding his own company. When choosing a career, Chetan notes that "the liking and doing has to matter and be in conjunction with each other." Explaining the parallels in his home country of India and where he studied for his master's in the US, Chetan stresses the need to find someone who inspires you to follow and learn from. On being an entrepreneur, he says, "The entrepreneurial mindset is a sum total of many sufferings that lead to success." Chetan advises you take time out to write narratives so that you are remembered and so that others following a similar path may learn from you. We thank Chetan for sharing his story with us.
S1 Ep 26 - HEAT: Examining the next class of browser-based attacks. [CyberWire-X]
Modern enterprises have evolved drastically over the last two years as a result of the global pandemic. Due in part to organizations pivoting quickly to new business models by migrating apps and services to the cloud to enable hybrid and remote workforces, the “new” office has quickly become the web browser. Today, business users are spending an average of 75% of their workday in a browser – that’s where productivity takes place! But the digital enhancements of the last two years have ushered in widespread transformation that expanded attack surfaces and created new opportunities for cyber miscreants, giving rise to Highly Evasive Advanced Threats (HEAT). During this episode of CyberWire-X, the CyberWire's Dave Bittner speaks with Dan Prince, Senior Lecturer in Security and Protection Science at the School of Computing and Communications at Lancaster University, about the topic. Show Sponsor Menlo Security's Nick Edwards and Dave explore what HEAT attacks are, how they work, and why they’re resulting in the rise of ransomware attacks and account takeovers.
S5 Ep 222 - An abuse of trust: Potential security issues with open redirects. [Research Saturday]
Guest Mike Benjamin, VP of Security Research at Fastly, joins Dave Bittner to talk about the Fastly Security Research Team's work on "Open redirects: real-world abuse and recommendations." Open URL redirection is a class of web application security problems that makes it easier for attackers to direct users to malicious resources. This vulnerability class, also known as “open redirects,” arises when an application allows attackers to pass information to the app that results in users being sent to another location. That location can be an attacker-controlled website or server used to distribute malware, trick a user into trusting a link, execute malicious code in a trusted way, drive ad fraud, or even perform SEO manipulation. Knowing how an open redirect can be abused is helpful — but knowing how to design around it in the first place is even more important. Mike walks us through what his team uncovered, explains how redirects are used, how they can be abused, and how you can prevent that abuse. The research can be found here: Open redirects: real-world abuse and recommendations
S6 Ep 1528 - Swapping propaganda shots. ICANN will not block the Internet in Russia. Hacktivists achieve a nuisance-level of success. NVIDIA gets a most curious demand. And there’s no US draft.
Propaganda engagements in Russia’s hybrid war against Ukraine. ICANN will not block the Internet in Russia. Hacktivists, real and pretended, achieve a nuisance-level of success in Russia’s war. Scams and misinformation circulate in Telegram. NVIDIA gets a most curious demand from a cyber gang. CISA’s ICS advisories. Johannes Ullrich looks at phishing pages on innocent websites. Our guest is Chase Snyder from ExtraHop to discuss implications of the cyber talent shortage. And, hey, newsflash, no matter what the texts on your phone might say, there’s no military draft in the US. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/43 Selected readings. Putin Thought Ukraine Would Fall Quickly. An Airport Battle Proved Him Wrong (Wall Street Journal) Russia's chaotic and confusing invasion of Ukraine is baffling military analysts (CNBC) Last Vestiges of Russia’s Free Press Fall Under Kremlin Pressure (New York Times) Don’t mention the war: Russian state media sells the lie of Ukrainians shelling their own cities (The Telegraph) Russian troops in disarray and ‘crying’ in combat, radio messages reveal (The Telegraph) Demoralised Russian soldiers tell of anger at being ‘duped’ into war (the Guardian) The propaganda war has eclipsed cyberwar in Ukraine (MIT Technology Review) Ukraine's request to cut off Russia from the global internet has been rejected (CNN) No, the Army isn’t sending Ukraine draft notices via text (Army Times) Hackers Who Broke Into NVIDIA's Network Leak DLSS Source Code Online (Hacker News) Hackers warn Nvidia to open-source their GPU drivers or face data leak (Computing) Cybercriminals who breached Nvidia issue one of the most unusual demands ever (Ars Technica) BD Pyxis (CISA) BD Viper LT (CISA) IPCOMM ipDIO (CISA)
S6 Ep 1527 - Russia and Belarus exchange cyber operations with Ukraine. The US announces Task Force KleptoCapture. Vulnerable infusion pumps. TCP middlebox reflection. Notes on sanctions.
The UN condemns Russia’s war in Ukraine. Ukraine’s cyber volunteers appear to be operating under the direction of Kyiv’s Ministry of Defense, and may be targeting Russian infrastructure. Belarusian cyber operators are phishing with stolen Ukrainian credentials in a cyberespionage campaign. Task Force KleptoCapture. Infusion pumps found vulnerable to cyberattack. TeaBot is found in the Play Store. TCP middlebox reflection. Dan Prince from Lancaster University on trustworthy autonomous systems. Our guest is John Shegerian from ERI on the security angle of e-recycling. And no more Harleys for Mr. Putin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/42 Selected reading. Cyber Realism in a Time of War Russian Hybrid War Report: Social platforms crack down on Kremlin media as Kremlin demands compliance Russia's war spurs corporate exodus, exposes business risks Using DDoS, DanaBot targets Ukrainian Ministry of Defense Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement Phishing campaign targets European officials assisting in refugee operations Anonymous vs. Russia: Hackers Say Space Agency Breached, More Than 1,500 Websites Hit Conti Ransomware Source Code Leaked Hacker Group Anonymous Vows to Disrupt Russia's Internet — RT Websites Become 'Subject of Massive DDoS Attacks' Ukrainian cyber resistance group targets Russian power grid, railways Army of Cyber Hackers Rise Up to Back Ukraine U.S. Officials Detail Efforts to Enforce Raft of New Russia Rules TCP Middlebox Reflection: Coming to a DDoS Near You TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps Infusion Pump Vulnerabilities: Common Security Gaps
S6 Ep 1526 Slow-motion brutality against Ukraine as sanctions begin to bite Russia. Big Tech takes sides. Ransomware continues to bother major corporations.
Russia’s invasion of Ukraine is still slow, but it’s grown more brutal. Sanctions are beginning to hit Russia hard. The cyber phase of this hybrid war seems more informational than destructive, which is surprising. Big Tech has taken Ukraine’s side, and some Russian companies face a tough balancing act. Our guest is Lavi Lazarovitz from CyberArk with predictions on supply chain security. Malek Ben Salem from Accenture on deploying effective deception systems. And ransomware continues to pester major corporations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/41 Selected reading. Ukraine at D+6: Shocking and awful. (The CyberWire) The Fog of Cyberwar Descends on Ukraine and Russia (Bloomberg) Russian Electric Vehicle Chargers Hacked, Tell Users ‘PUTIN IS A DICKHEAD’ (Vice) Western Sanctions Bite Russian Economy, but Pose Unpredictable Risks (Wall Street Journal) Targeted APT Activity: BABYSHARK Is Out for Blood (Huntress) 5 New Vulnerabilities Discovered in PJSIP Open Source Library (JFrog) Nvidia says hackers are leaking company data after ransomware attack (TechCrunch) Insurer Aon falls victim to a cyber attack (Computing) Toyota to restart Japan production after cyberattack on supplier triggers one-day halt (The Edge Markets) Cyberattack on Toyota's supply chain shuts all its factories in Japan for 24 hours (CNN)
S6 Ep 1525 Updates on Russia’s invasion of Ukraine, and the cyber phases of a hybrid war. Hacktivists and privateers. New Chinese malware described. Registration-bombing.
Stalled columns, rocket fire, and negotiation over Ukraine. Two new pieces of malware found in use against Ukrainian targets. Ben Yelin joins us with analysis. Dealing with WhisperGate and HermeticWiper. The muted cyber phases of a hybrid war. Leaked files reveal Conti as a privateer. Sanctions move from deterrence to economic "war of attrition." Daxin: a backdoor that hides in normal network traffic. Registration-bombing lets fraud hide in the weeds. Our guest is Tresa Stephens from Allianz on the elevated concern for cyber risk among business leaders. And Razzlekhan talking a deal? Resources Ukraine Fighting Overshadows Chance of Russia Talks’ Success (Bloomberg) Both sides agree to second set of talks even as fighting rages. Russia suffers market seizure as ruble plunges on sanctions. After a Fumbled Start, Russian Forces Hit Harder in Ukraine (New York Times) After days of miscalculation about Ukraine’s resolve to fight, Russian forces are turning toward an old pattern of opening fire on cities and mounting sieges. The dire predictions about a Russian cyber onslaught haven’t come true in Ukraine. At least not yet. (Washington Post) For more than a decade, military commanders and outside experts have laid out blueprints for how cyberwar would unfold: military and civilian networks would be knocked offline, cutting-edge software would sabotage power plants, and whole populations would be unable to get money, gas or refrigerated food. A Free-for-All But No Crippling Cyberattacks in Ukraine War (SecurityWeek) In the early days of the war in Ukraine, Russia's ability to create mayhem through malware hasn’t had much of a noticeable impact CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks (SecurityWeek) The two U.S. agencies warn that both malware families were used in destructive cyberattacks targeting organizations in Ukraine. 
Anonymous Hacker Group Targets Russian State Media (SecurityWeek) Hacker group Anonymous claimed responsibility for disrupting the work of websites of pro-Kremlin Russian media in protest of the invasion of Ukraine. Ukraine’s Volunteer ‘IT Army’ Is Hacking in Uncharted Territory (Wired) The country has enlisted thousands of cybersecurity professionals in the war effort against Russia. After Conti backs war, ransomware gangs realize peril of patriotism amid infighting (SC Magazine) Ransomware is actually a complex global economy. Different groups design ransomware and license that ransomware for use in attacks, with the latter often using many different vendors of the former. So while the designers of Conti may be Russian, the affiliate groups using Conti may include Ukrainians. And like in any business, there is peril in angering the consumer. A ransomware group paid the price for backing Russia (The Verge) Is proximity to the Putin regime becoming a liability? U.N. General Assembly set to isolate Russia over Ukraine invasion (Reuters) The 193-member United Nations General Assembly began meeting on the crisis in Ukraine on Monday ahead of a vote this week to isolate Russia by deploring its "aggression against Ukraine" and demanding Russian troops stop fighting and withdraw. Russia defends invasion during emergency UN General Assembly (Deutsche Welle) A clear majority of UN member states are expected to vote to condemn Russia's actions as Moscow becomes increasingly isolated internationally. The New Russian Sanctions Playbook (Foreign Affairs) Deterrence is out, and economic attrition is in. Russia seeks to halt investor stampede as sanctions hammer economy (Reuters) Russia said it was placing temporary curbs on foreigners seeking to exit Russian assets on Tuesday, putting the brakes on an accelerating investor exodus driven by crippling Western sanctions imposed over the invasion of Ukraine.
For links to all of today's stories check out the CyberWire daily news briefing for March 1, 2022.
S6 Ep 1524 An update on Russia’s hybrid war against Ukraine. Offensive cyber operations under hacktivist guise. Russian privateers return (also as hacktivists). Some non-war-related hacking.
Ukrainian resistance may have stalled the Russian advance at key points. Cyber operations against Ukraine (and Russia). Diplomacy, now short of surrender? A SWIFT kick. Return of the privateers, now in the guise of patriotic hacktivists. Not all hacking is war-related. Josh Ray from Accenture on how the KillACK backdoor malware continues to evolve. Rick Howard revisits the cyber sand table. Criminals exploit Ukraine's suffering in social engineering campaigns. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/39
S2 Ep 89 Sloane Menkes: What is the 2%? [Consultant] [Career Notes]
Principal in PricewaterhouseCoopers Cyber Risk and Regulatory Practice, Sloane Menkes, shares her story of how non-linear math helped to shape her life and career. Sloane credits a high school classmate for inspiring her mantra "What is the 2%?" that she employs when she feels like things are shutting down. She talks about her experiences in calculus class at the US Air Force Academy that helped to enlighten her and inform the intuitive problem-solving skill, or way of thinking, that she'd been employing in her life. She joined the Office of Special Investigations, and working with Howard Schmidt there is where Sloane first became interested in cybersecurity. What she loves about the consulting role, she says, is that the environment is constantly changing, and she offers some advice for women interested in cybersecurity. We thank Sloane for sharing her story with us.
S5 Ep 221 Noberus ransomware: Coded in Rust and tailored to victim. [Research Saturday]
Guest Dick O'Brien, Principal Editor at Symantec, joins Dave to discuss their team's research, "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware." Noberus is a new ransomware used in a mid-November attack; ConnectWise was the likely infection vector. Symantec, a division of Broadcom Software, tracks this ransomware as Ransom.Noberus, and our researchers first spotted it on a victim organization on November 18, 2021, with three variants of Noberus deployed by the attackers over the course of that attack. This would appear to show that this ransomware was active earlier than was previously reported, with MalwareHunterTeam having told BleepingComputer they first saw this ransomware on November 21. Noberus is an interesting ransomware because it is coded in Rust, and this is the first time we have seen a professional ransomware strain that has been used in real-world attacks coded in this programming language. Noberus appears to carry out the now-typical double extortion ransomware attacks, where the attackers first steal information from victim networks before encrypting files. Noberus adds the .sykffle extension to encrypted files. The research can be found here: Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware
S6 Ep 1523 Hybrid aggression and hybrid resistance. Sanctions, defense, and (maybe) retaliation. MuddyWater is newly active. Trickbot seems to have retired. Notes on misinformation and the fog of war.
Russia’s full-scale invasion meets regular and irregular Ukrainian resistance. Public uses of intelligence products. Hybrid aggression and hybrid defense in cyberspace, as the civilized world imposes sanctions on Russia. Iran’s MuddyWater threat actor is back, with renewed cyberespionage. Good-bye to Trickbot. Carole Theriault wraps up her look at mobile device security. Rick Howard checks in with Matthew Sharp (Logicworks) and "Rock" Lambros (RockCyber) on "The CISO Evolution". And some notes on the fog of war. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/38
S6 Ep 1522 Russia’s full-scale invasion of Ukraine began this morning at 5:00 AM, Kyiv local time. Cyberattacks are serving as combat support and strategic disruption.
Russia opens a general war against Ukraine, with rocket fire, heavy forces, and a not-so-veiled threat to NATO. Cyber operations are serving as combat support and strategic disruption. While the war in Ukraine dominates the news, elsewhere in the world cybercrime and cyberespionage continue at their customary levels. Carole Theriault looks to the security of your mobile devices. And our guest is Dr. Chenxi Wang of Rain Capital with insights on the new NIST software supply chain security standards. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/37
S6 Ep 1521 Putin goes medieval (we paraphrase the UK defense secretary). Cyberattack disrupts a logistics giant. Two reports look at the state of industrial cybersecurity.
With diplomacy at a standstill and Russian troops now openly in Ukraine, Western governments impose sanctions on Russia. A fresh round of distributed denial-of-service attacks against Ukraine. Cobalt Strike continues to be misused by criminals. A cyberattack has severely disrupted a major logistics firm. My conversation with Assistant Director Bryan Vorndran of the FBI Cyber Division. Our guest Ed Amoroso from TAG Cyber explains Research as a Service. And two looks at the recent and prospective state of industrial cybersecurity. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/36
S6 Ep 1520 Escalation in Russia’s hybrid aggression. APT10’s espionage against Taiwan’s financial sector. Developments in the C2C market. Jamming your teen’s Internet access.
Russia escalates its hybrid war against Ukraine, with cyber implications for the rest of the world. Xenomorph banking Trojan hits European Android users. APT10’s months-long espionage campaign against Taiwan’s banks. Hive ransomware’s flawed encryption is good news. Trickbot’s place in the C2C market. Joe Carrigan shares the latest evolution of business email compromise. John Pescatore’s Mr. Security Answer Person returns. And there’s a right way and a wrong way to keep your teen offline. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/35
Interview select: Kenneth Geers of NATO's CCD COE on "Cyber War in Perspective: Russian Aggression Against Ukraine."
As we break to observe Washington's birthday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cybersecurity professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with Kenneth Geers from NATO's CCD COE on "Cyber War in Perspective: Russian Aggression Against Ukraine." Like what you hear? Consider subscribing to CyberWire Pro for $99/year.
Bonus: Afternoon Cyber Tea: IoT-Based Infrastructures
Afternoon Cyber Tea with Ann Johnson is a CyberWire Network podcast created by Microsoft Security. It's a bi-weekly show that comes out every other Tuesday. We thought you would enjoy this episode in particular and hope you consider subscribing in your favorite podcast app. Diana Kelly, co-founder and CTO of SecurityCurve, a cybersecurity consulting firm, joins Ann Johnson on this episode of Afternoon Cyber Tea. Diana is a globally known security expert who donates much of her time volunteering in the cybersecurity community while also serving on the Association for Computing Machinery Ethics and Plagiarism Committee. Diana talks with Ann about helping inexperienced organizations get up to speed on the cybersecurity landscape, some of the significant security and privacy hurdles currently plaguing the field, and some of the best practices to assist network defenders and users trying to combat botnet threats. In this episode you will learn: how companies can protect themselves from new unsecure devices; when security risks correspond with access management and IoT devices; and why we need security programs to grow to a new level. Some questions we ask: How should network defenders and users combat botnet threats? What types of universal IoT standards need to be created? What privacy hurdles are currently plaguing the field of IoT-connected devices? Resources: Diana Kelly on LinkedIn; Ann Johnson on LinkedIn. Related: Security Unlocked: CISO Series with Bret Arsenault; Security Unlocked. Afternoon Cyber Tea with Ann Johnson is produced by Microsoft and distributed as part of The CyberWire Network.
S2 Ep 88 Joe Carrigan: Build your network. [Security engineer] [Career Notes]
Senior security engineer with the Johns Hopkins University Information Security Institute and the Institute for Assured Autonomy, Joe Carrigan, shares what he calls his life mistake and what spurred him to finally choose a career in technology. Throughout his life, Joe had an interest in technology; he even worked at the computer lab in college, but never set his sights on that for a career. A conversation with a stranger guided him in that direction, and he's been there ever since. As co-host of the CyberWire's Hacking Humans, Joe sees some heartbreaking results of scams and feels education of the public will help to prevent these. Joe reminds us to build our networks, as they include people we can always go back to, either when searching for a position or looking to fill one on our teams. We thank Joe for sharing his story with us.
S1 Ep 25 What Log4Shell has taught us. [CyberWire-X]
If 2021 taught us anything, it’s that our supply chain, especially our technical supply chain, hangs in the balance of a very fragile system. The year came to a close with the announcement of the Log4j zero day. Talk about saving the best for last. On this episode of CyberWire-X, the CyberWire's Rick Howard speaks with Tom Quinn, CISO at T. Rowe Price, about the topic. Show sponsor ExtraHop’s Head of Product, Ted Driggs, joins the CyberWire's Dave Bittner to examine what Log4Shell tells us about the state of cyber defense going into 2022, and what enterprises can do to prepare. Through these conversations, we explore the challenges that enterprises had in patching the vulnerability, take a closer look at the advanced post-compromise threat activity spotted in the wild, and glean lessons that can be learned to build resilience against the next Log4j-style zero day.
S5 Ep 220 Instagram hijacks all start with a phish. [Research Saturday]
Guest Marcelle Lee, Senior Security Researcher and Emerging Threats Lead from SecureWorks, joins Dave to share her team's work on "Ransoms Demanded for Hijacked Instagram Accounts." An extensive phishing campaign has targeted corporate Instagram accounts since approximately August 2021. The threat actors demand ransoms from the victims to restore access. Organizations typically focus on traditional enterprise cybersecurity threats. However, some threats are more subtle, targeting organizations on unexpected platforms. In October 2021, Secureworks Counter Threat Unit (CTU) researchers identified a phishing campaign that hijacks corporate Instagram accounts, as well as accounts of individual influencers who have a large number of followers. The threat actors then extort ransom payments from the victims. The activity continues at the time of the interview. The research can be found here: Ransoms Demanded for Hijacked Instagram Accounts
S6 Ep 1519 False flags, disinformation, and cyber operations in a hybrid conflict. Log4j vulnerabilities exploited. Wiper used against Iranian television. Kraken’s evolution. CISA’s guide to free security tools.
False flags and disinformation in Ukraine, as Western governments warn of the risk of both Russian escalation and the prospects of cyberattacks spreading beyond Ukraine’s borders. Log4j “Day-1” vulnerabilities exploited in the wild. Threat actors deployed a wiper in the course of hijacking Iranian television. The Kraken botnet is evolving, picking up an information-stealing capability. Our guest is Brittany Allen of Sift to discuss the DOJ seizing 3.6B worth of stolen crypto. Chris Novak from Verizon addresses geopolitics and threat intelligence. And CISA launches a Catalog of Free Cybersecurity Services and Tools. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/34
S6 Ep 1518 Someone’s engaged in provocation in the Donbas. Ukraine sees a Russian influence operation in recent DDoS attacks. Ice phishing as a threat made for a decentralized web.
Provocation may have begun in Ukraine, and no one but Russia can see any signs of a Russian withdrawal of troops to garrison. Recent DDoS attacks in Ukraine are seen as an influence operation. The compromise of International Red Cross data has been tentatively attributed to an unnamed state actor. Johannes Ullrich from SANS shares a fancy phish. Our guests are Mike Theis and Stacy Hadeka from Hogan Lovells to discuss the cyber aspects of the False Claims Act. And Microsoft describes ice phishing: social engineering for a decentralized web3. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/33
S6 Ep 1517 A warning of cyberespionage targeting US cleared defense contractors. Update on the hybrid war against Ukraine. China’s favorite RAT. QR codes. Addiction to alt-coin speculation.
US agencies warn of Russian cyberespionage against cleared defense contractors. Updates on the Russian pressure against Ukraine. ShadowPad as China’s RAT of choice. BlackCat claims to have leaked data stolen in a double-extortion ransomware attack. Follow the bouncing QR code. Dinah Davis from Arctic Wolf on Canada’s government ransomware playbook. Rick Howard chats with Bill Mann from Styra on DevSecOps. And if you’re addicted to cryptocurrency speculation, the first step in recovery is admitting you’ve got a problem. (The second step is to step away from the phone.) For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/32
S6 Ep 1516 Cyberattacks reported in Ukraine as Russia signals a willingness to negotiate with NATO. TA2541 targets aviation and allied sectors. BlackCat’s tough to shake. Romance scams. Beamers.
Reports of cyberattacks against Ukrainian targets as the parties to the crisis resume negotiations. The US has been forthcoming with intelligence on Russia’s ambitions in the region; those revelations form part of an influence strategy. An apparent criminal group is targeting aviation and related sectors. BlackCat ransomware victims are having difficulty recovering. Why conditions favor romance scams. Ben Yelin looks at pending cyber breach notification laws. Our guest Padraic O'Reilly from CyberSaint on the effectiveness of Biden's plan to protect the water sector. And “beamers” defraud Roblox players. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/31
S6 Ep 1515 Hybrid war warnings over Russian designs on Ukraine. Senators ask about CIA bulk surveillance. No charges against reporter who inspected a website. Hacktivists or vigilantes?
The US and the UK warn of the possibility of false-flag provocations as Russia keeps the pressure on Ukraine. NATO members and others issue warnings of the threat of Russian cyber operations spilling over the Ukrainian border. Two US Senators want an accounting from the CIA over an alleged bulk collection operation. No charges filed in the case of a reporter who viewed a website source. Hacktivism and vigilantism. 49ers hacked. Daniel Prince from Lancaster University on improving security in agile health IoT development. Rick Howard targets supply chain issues with the hash table. And have a careful Valentine’s Day. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/30
S2 Ep 87 Roselle Safran: So much opportunity. [Entrepreneur] [Career Notes]
CEO and Founder of KeyCaliber, Roselle Safran, takes us on her circuitous career journey from startup to White House and back to startup again. With a degree in civil engineering, Roselle veered off into a more technical role at a startup and, she says, "caught the startup bug." After convincing a hiring manager that she could learn on the job, she transitioned to computer forensics and started on the path of cybersecurity. Roselle worked in government for the Department of Homeland Security and then at the Executive Office of the President, leading all of its security operations. She jumped back into the world of startups and has stayed there. Roselle tells people interested in a career in cybersecurity to just apply. Learn as much as you can and go for it. We thank Roselle for sharing her story with us.
S5 Ep 219 SysJoker backdoor masquerades as benign updates. [Research Saturday]
Guests Avigayil Mechtinger and Ryan Robinson from Intezer discuss SysJoker malware, a backdoor that targets Windows, Linux and macOS. Malware targeting multiple operating systems is no longer an exception in the malware threat landscape. Vermilion Strike, which was documented just last September, is among the latest examples until now. In December 2021, the team at Intezer discovered a new multi-platform backdoor that targets Windows, Mac, and Linux. The Linux and Mac versions are fully undetected in VirusTotal. Intezer named this backdoor SysJoker. SysJoker was first discovered during an active attack on a Linux-based web server of a leading educational institution. After further investigation, Intezer found that SysJoker also has Mach-O and Windows PE versions. Based on Command and Control (C2) domain registration and samples found in VirusTotal, Intezer estimates that the SysJoker attack was initiated during the second half of 2021. The research can be found here: New SysJoker Backdoor Targets Windows, Linux, and macOS
S6 Ep 1514 Update on Russia’s hybrid threat to Ukraine. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back. And there’s a new wrinkle in the old familiar Nigerian prince scam.
Update on Russia’s hybrid threat to Ukraine, with observations on possible international spillover. Vodafone Portugal continues its recovery. The FritzFrog peer-to-peer botnet is back, and has resumed operations against government, healthcare, and education targets. Caleb Barlow warns of attacks coming from inside your network. Our guest is Tom Boltman of Kovrr on the shift in the cyber insurance market due to ransomware. And there’s a new wrinkle in the old familiar Nigerian prince scam: did you know the UN was compensating victims by sending them ATM cards? Neither did the UN. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/29
S6 Ep 1513 Liquidating Lviv botfarms. Notes on hybrid war. Digital frameups in India? The Lazarus Group’s new yet familiar phishbait. Warnings about ransomware.
Ukraine takes down two botfarms pushing panic. Thoughts on hybrid warfare. Russia and China explain how we ought to see the political and online worlds. Digital frameups are reported in India. Lazarus phishes with bogus job offers. Espionage services looking for journalists’ sources. David Dufour from Webroot ponders the Metaverse. Our guest is Amanda Fennell, host of the Security Sandbox podcast. And public and private-sector warnings about ransomware.
S6 Ep 1512 A Foreign Office hack is disclosed (but that’s it). Preparing for a cyber escalation in the hybrid war Russia’s waging against Ukraine. Multi-cloud threats. Patch Tuesday notes. Razzlekhan raps.
Britain’s Foreign Office sustained a cyberattack last month (the details are secret). Poland stands up a Cyber Defense Force as Europe and North America raise their level of cyber readiness. Negotiations over the Russian pressure on Ukraine are likely to be protracted. Threats to multi-cloud environments. Patch Tuesday notes. Dinah Davis from Arctic Wolf on keeping kids safe online. Carole Theriault examines Mozilla’s Privacy Not Included campaign. And Razzlekhan rocks the mic with her mad skillz, or used to, anyway. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/27
S6 Ep 1511 Crowdfunding hacktivists and other irregulars. The Molerats have some new tools. Right-to-left override. Arrests in a cryptocurrency money-laundering case.
Diplomacy continues over the Russian threat to Ukraine. In the meantime, hacktivists and others are said to be receiving crowdfunding through alt-coin remittances. The Molerats are back, and they have some new tools. Right-to-left override is being seen again in the wild. Vodafone Portugal is taken offline by a cyberattack. Joe Carrigan on Meta’s ten billion dollar privacy hit. Our guest is Greg Otto from Intel 471 to discuss shifts in ransomware strains. And two arrests are made in a money-laundering case connected with the Bitfinex hack. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/26
S6 Ep 1510 Russia’s hybrid war against Ukraine is currently heavier on the cyber than it is on the kinetic. BlackCat’s connection with DarkSide. An alert on LockBit. And six Indian call centers indicted.
The FSB is active against Ukrainian targets as NATO continues to work out the cybersecurity assistance it will provide Kyiv. BlackCat is found to be connected to the DarkSide gang, either as a superseding affiliate or as a simple rebranding of the same old crew. The FBI issues an alert about LockBit. Kevin Magee from Microsoft on their final report on Nobelium and the SolarWinds attack. Rick Howard steers the hash table toward supply chains. And the US has indicted six call centers in India on charges related to some familiar scams. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/25
S5 Ep 218 The persistent and patient nature of advanced threat actors. [Research Saturday]
Guest Danny Adamitis from Black Lotus Labs joins Dave to discuss their team's new research "New Konni Campaign Kicks the New Year Off by Targeting Russian Ministry of Foreign Affairs." Black Lotus Labs, the threat research team of Lumen Technologies, uncovered a series of targeted actions against the Russian Federation’s Ministry of Foreign Affairs (MID). Based upon the totality of information available and the close correlation with prior reporting, we assess with moderate confidence these actions leveraged the Konni malware, which has previously been associated with the Democratic People’s Republic of Korea, and were undertaken to establish access to the MID network for the purpose of espionage. This activity cluster demonstrates the patient and persistent nature of advanced actors in waging multi-phased campaigns against perceived high-value networks. After gaining access through stolen credentials, the actor was able to exploit trusted connections to distribute and load the malware, first by impersonating a government software program coinciding with new Covid mandates, and then through sending trojanized files from a compromised account. The research can be found here: New Konni Campaign Kicks Off The New Year By Targeting Russian Ministry Of Foreign Affairs
S6 Ep 1509 Update on Russian cyber ops and disinformation around Ukraine. Ransomware disrupts European ports. Chinese intelligence services exploit a Zimbra zero-day.
Primitive Bear is snuffling around Ukraine, and Russia may be preparing deepfake video to lend legitimacy to its claims with respect to its neighbor. European ports and other logistical installations are under attack by ransomware, apparently uncoordinated criminal activity. Daniel Prince from Lancaster University on safeguarding IoT in Healthcare. Our guest is Chris Wysopal of Veracode with research on increases in automation and componentization in software development. And a Chinese APT is said to be exploiting a Zimbra webmail cross-site-scripting zero-day, so users beware. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/24
S6 Ep 1508: Ukraine goes to a higher state of cyber alert. Chinese cyberespionage hits financial services in Taiwan. Arid Viper is back, and so is Adalat Ali. BlackCat disrupts fuel distro in Germany. Hacking the DPRK.
Ukraine and NATO increase their cyber readiness. Chinese cyberespionage has been looking closely at financial services in Taiwan. Hacktivists hit Iranian state television. Arid Viper is phishing for targets in the Palestinian Territories, and apparently doesn’t care who knows it. BlackCat ransomware implicated in attacks on German fuel distribution firms. Verizon’s Chris Novak shares his thoughts on the cyber talent pool. Our guest is Torin Sandall from Styra on Open Policy Agent. And, Bro, treat yourself to a pair of Vans. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/23
S6 Ep 1507: Both sides in the conflict over Ukraine are talking with their allies and preparing for conflict in cyberspace. A cyberattack disrupts gasoline distribution in Germany. Notes on APTs and privateers.
Tensions between Russia and Ukraine, and between Russia and NATO, remain high as diplomacy is at a temporary impasse: both sides have stated their incompatible positions and are consulting with their allies. NATO prepares to render cyber assistance to Ukraine. An unspecified cyberattack affects gasoline distribution in Germany. The White Tur threat group borrows heavily from several APTs, but itself remains mysterious. Charming Kitten gets some new claws. Caleb Barlow on Harvard’s analysis of Equifax. Our guest is Gunter Ollmann from Devo discussing their third annual SOC Performance Report. And the Trickbot gang seems to be privateering in that old familiar way. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/22
