The CyberWire

Threat intelligence analyst at Recorded Future, Charity Wright, shares her story from the army to her career today. Transitioning from the army to cybersecurity was an exciting change for her. During college she was recruited by the U.S army where she started her journey and learned new skills paving her pathway to threat intelligence where she is now. She shares that she works with a great team of junior analysts who are constantly checking each others biases which helps keep Charity grounded in her work. Charity spends her days keeping an eye on threats around the world where she says there is never a dull day in her line of work. We thank Charity for sharing her story with us.

Yanir Tsarimi from Orca Security, joins Dave to discuss how researchers have discovered a critical Azure Automation service vulnerability called AutoWarp. The security flaw was discovered this past March causing Yanir to leap into action announcing the issue to Microsoft who helped to swiftly resolve the cross-account vulnerability. The research shows how this serious flaw would allow attackers unauthorized access to other customer accounts and potentially full control over resources and data belonging to those accounts, as well as put multiple Fortune 500 companies and billions of dollars at risk. The research shares the crucial time line that the vulnerability was discovered as well as Microsofts response to the vulnerability. The research can be found here: AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service

Was Conti's digital insurrection in Costa Rica misdirection? Google assesses a commercial spyware threat “with high confidence.” Continuing expectations of escalation in cyberspace. The limitations of an alliance of convenience. Fronton botnet shows versatility. Russian hacktivists hit Italian targets, again. Lazarus Group undertakes new SolarWinds exploitation. Crypters in the C2C market. CrateDepression supply chain attack. Johannes Ullrich describes an advance fee scam hitting crypto markets. Our guest is Marty Roesch, CEO of Netography and inventor of Snort. Canada to exclude Huawei from 5G networks on security grounds. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/97 Selected reading. Conti ransomware shuts down operation, rebrands into smaller units (BleepingComputer)  Protecting Android users from 0-Day attacks (Google)  Microsoft President: Cyber Space Has Become the New Domain of Warfare (Infosecurity Magazine) Twisted Panda: Chinese APT espionage operation against Russian's state-owned defense institutes (Check Point Research)  Chinese Hackers Tried to Steal Russian Defense Data, Report Says (New York Times)  China-linked Space Pirates APT targets the Russian aerospace industry (Security Affairs)  This Russian botnet does far more than DDoS attacks - and on a massive scale (ZDNet)  Pro-Russian hackers attack institutional websites in Italy, police say (Reuters)  Lazarus hackers target VMware servers with Log4Shell exploits (BleepingComputer) ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups (Security Intelligence)  CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware (SentinelOne)  Canada to ban Huawei/ZTE 5G equipment, joining Five Eyes allies (Reuters)

CISA is releasing this cybersecurity advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root level access. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit newly released VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products. AA22-138B Alert, Technical Details, and Mitigations AA22-138B.stix Emergency Directive 22-03 Mitigate VMware Vulnerabilities VMware Security Advisory VMSA-2022-0011 VMware Security Advisory VMSA-2022-0014 All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Russian information operations surrounding the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities undergoing active exploitation. Texas Department of Insurance clarifies facts surrounding its data incident. Robert M. Lee from Dragos is heading to Davos to talk ICS. Rick Howard speaks with author Chase Cunningham on his book "Cyber Warfare –Truth, Tactics and Strategies”. Robo-calling the Kremlin. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/96 Selected reading. Information Operations Surrounding the Russian Invasion of Ukraine (Mandiant)  CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities (CISA) Emergency Directive 22-03 (CISA)  Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control (CISA)  Threat Actors Exploiting F5 BIG IP CVE-2022-1388 (CISA)  CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. (The CyberWire)  Additional facts: TDI data security event (Texas Department of Insurance)  This Hacktivist Site Lets You Prank Call Russian Officials (Wired) 

CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC), are releasing this joint Cybersecurity Advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP.  AA22-138A Alert, Technical Details, and Mitigations F5 Security Advisory K23605346 and indicators of compromise F5 guidance K11438344 for remediating a compromise Emerging Threats suricata signatures Palo Alto Networks Unit 42 Threat Brief: CVE-2022-1388. This brief includes indicators of compromise.  Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical F5 BIG-IP Vulnerability. This blog includes indicators of compromise. Note: due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content. Randori's bash script. This script can be used to identify vulnerable instances of BIG-IP. Note: MS-ISAC has verified this bash script identifies vulnerable instances of BIG-IP.  All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Chaos ransomware group declares for Russia. Hacktivists claim to have compromised Russian-manufactured ground surveillance robots. Conti's ongoing campaign against Costa Rica. The claimed "international" cyberattack against Nile dam was stopped. Rick Howard speaks with author Caroline Wong on her book “Security Metrics, a Beginner's Guide”. Our guests are Kathleen Smith and Rachel Bozeman, hosts of the new podcast, Security Cleared Jobs. And the cyber insurance market experiences a “reset.” For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/96 Selected reading. Chaos Ransomware Variant Sides with Russia (Fortinet Blog) Did hackers commandeer surveillance robots at a Russian airport? (The Daily Dot)  Russian Hacking Cartel Attacks Costa Rican Government Agencies (New York Times)  Costa Rican president claims collaborators are aiding Conti's ransomware extortion efforts (CyberScoop)  "We will overthrow the government" - Does Conti have help inside Costa Rica? (Tech Monitor)  Costa Ricans scrambled to pay taxes by hand after cyberattack took down country's collection system (Yahoo)  Ethiopia faces new cyberattacks on its Nile dam (Al-Monitor)  Cyber Insurers Raise Rates Amid a Surge in Costly Hacks (Wall Street Journal)

This joint cybersecurity advisory was coauthored by the cybersecurity authorities of the US, Canada, New Zealand, the Netherlands, and the UK. Cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim's system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices, and includes best practices to mitigate these risks. AA22-137A Alert, Technical Details, and Mitigations White House Executive Order on Improving the Nation's Cybersecurity NCSC-NL Factsheet: Prepare for Zero Trust NCSC-NL Guide to Cyber Security Measures N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based NCSC-NL Guide to Cyber Security Measures National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured NCSC-UK Guidance – Phishing Attacks: Defending Your Organisation  Open Web Application Security Project (OWASP) Proactive Controls: Enforce Access Controls All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

An assessment of the Russian cyber threat. NATO's Article 5 in cyberspace. Conti's ransomware attack against Costa Rica spreads, in scope and effect. Bluetooth vulnerabilities demonstrated in proof-of-concept. CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Joe Carrigan looks at updates to the FIDO alliance. Rick Howard and Ben Rothke discuss author Andrew Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age". And,the doctor was in, but wow, was he also way out of line. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/95 Selected reading. Russia Planned a Major Military Overhaul. Ukraine Shows the Result. (New York Times)  The Cyberwar Against Pro-Ukrainian Countries is Real. Here's What to Do (CSO Online)  Collective cyber defence and attack: NATO's Article 5 after the Ukraine conflict (European Leadership Network)  Cyber attack on Costa Rica grows as more agencies hit, president says (Reuters) Ransomware gang threatens to ‘overthrow' new Costa Rica government, raises demand to $20 million (The Record by Recorded Future)  Hacker Shows Off a Way to Unlock Tesla Models, Start Cars (Bloomberg) NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk (NCC Group)  Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks (NCC Group Research)  Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks (NCC Group Research) Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks (NCC Group Research)  Alert (AA22-137A) Weak Security Controls and Practices Routinely Exploited for Initial Access (CISA) Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals (U.S. Attorney's Office for the Eastern District of New York)  US prosecutors allege Venezuelan doctor is ransomware mastermind (ZDNet)  'Multi-tasking doctor' was mastermind behind 'Thanos' ransomware builder, DOJ says (The Record by Recorded Future)  U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware (The Hacker News)

Users are advised to patch Zyxel firewalls. Battlefield failure and popular morale in Russia's hybrid war. Nuisance-level hacktivism in the hybrid war. Sweden and Finland move closer to NATO membership; concern over possible Russian cyberattacks rises. Intelligence, disinformation, or wishful thinking? Conti calls for rebellion in Costa Rica. PayOrGrief is just rebranded DoppelPaymer. Anonymous action in Sri Lanka seems indiscriminate and counterproductive. Dinah Davis from Arctic Wolf examines cyber security for startups. Rick Howard looks at two factor authentication. And a judge says cryptocurrency can't be used to evade sanctions. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/94 Selected reading. Critical Vulnerability Allows Remote Hacking of Zyxel Firewalls (SecurityWeek)  Zyxel security advisory for OS command injection vulnerability of firewalls (Zyxel)  Growing evidence of a military disaster on the Donets pierces a pro-Russian bubble. (New York Times)  OpRussia update: Anonymous breached other organizations (Security Affairs)  Italy prevents pro-Russian hacker attacks during Eurovision contest (Reuters)  Finland, Sweden's NATO moves prompt fears of Russian cyberattacks (The Hill)  Coup to remove cancer-stricken Putin underway in Russia, Ukrainian intelligence chief says (Fortune)  Conti ransomware gang calls for Costa Rican citizens to revolt if government doesn't pay (SC Magazine)  Anonymous wanted to help Sri Lankans. Their hacks put many in grave danger (Rest of World)  U.S. issues charges in first criminal cryptocurrency sanctions case (Washington Post)

According to the zero trust philosophy, we all assume that our networks are already compromised and try to design them to limit the damage if it turns out to be so. In this episode of CyberWire-X, we've invited subject matter experts, Amanda Fennell, the Chief Information Officer and Chief Security Officer of Relativity, and Galeal Zino, CEO of episode Sponsor NetFoundry, to the Cyberwire Hash Table to discuss all the ways to think about the solution in the modern era: Software Defined Perimeter (SDP), Secure Access Service Edge (SASE), identity and authorization, and private WAN, all through a First Principle lens.

Principal consultant and pen tester at Secureworks, Eric Escobar, shares his career path translating his childhood favorite Legos to civil engineering and pivoting to cybersecurity. Eric was always headed toward engineering and got both his bachelor and master degrees in civil engineering. Upon breaking into a network with a friend, he was bitten by the cybersecurity bug. Making the switch to the red team and basically becoming a bankrobber for hire, Eric tests the security of many companies' networks. He feels that curiosity is an essential trait for cybersecurity and collaboration is key as no one person knows everything. He advises those interested in cybersecurity to just start. We thank Eric for sharing his story with us.

Dr. May Wang, Chief Technology Officer at Palo Alto Networks, joins Dave Bittner to discuss their findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data. Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work. The research can be found here: Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization

Ukraine holds its first war crimes trial. Are there war crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). Roblox seems to have been used to introduce a backdoor. CISA issues ICS advisories. Darkweb C2C trader sentenced. The last conspirator in the strange case of the eBay newsletter takes a guilty plea. Carole Theriault looks at Google's new approach to cookies in Europe. Our guest is Mary Writz of ForgeRock on the growing importance of mobile device authentication security. And CIA gets a CISO. For links to all of today's stories check out our CyberWire daily news briefing: httpshttps://thecyberwire.com/newsletters/daily-briefing/11/93 Selected reading. Ukraine to put first Russian soldier on trial for war crimes | DW | 12.05.2022 (Deutsche Welle) Russian soldier on trial in first Ukraine war-crimes case (AP NEWS) First Russian soldier goes on trial in Ukraine for war crimes (the Guardian)  The Case for War Crimes Charges Against Russia's Sandworm Hackers (Wired) Iranian hackers exposed in a highly targeted espionage campaign (BleepingComputer)  Iranian APT Cobalt Mirage launching ransomware attacks (SearchSecurity) Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks (The Hacker News)  Iranian Cyberspy Group Launching Ransomware Attacks Against US (SecurityWeek)  Please Confirm You Received Our APT | FortiGuard Labs  (Fortinet Blog)  Roblox Exploited with Trojans from Scripting Engine (Avanan) Ukrainian cybercriminal sentenced to 4 years in U.S. prison for credential theft scheme (CyberScoop) Ukrainian sentenced to 4 years for selling hacked passwords (The Record by Recorded Future)  Ex-eBay exec charged with harassing newsletter publishers pleads guilty (Reuters) CIA selects new CISO with deep private sector experience (The Record by Recorded Future)

Killnet hits Italian targets. Access to RuTube is restored. Hacktivism in the hybrid war. Emotet surges. Clearing up the confusion of NPM dependency confusion attacks. Tim Eades from Cyber Mentor Fund on finding the right investors. Our guest is Michael DeBolt of Intel 471 on the growing interest in Biometrics in the criminal underground. And cybercrime and punishment, Florida-man edition. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/92 Selected reading. Ukraine maps reveal how much territory Russia has lost in just a few days (Newsweek)  Pro-Russian hackers target Italy institutional websites -ANSA news agency (Reuters)  Russian cyber experts restore RuTube access after three-day outage (Reuters)  They Fled Ukraine to Keep Their Cyber Startup Alive. Now, They're Hacking Back. (Wall Street Journal) Ukraine hacktivism 'problematic' for security teams says NSA cyber chief (Tech Monitor) HP Wolf Security Threat Insights Report Q1 2022 | HP Wolf Security (HP Wolf Security) npm supply chain attack targets Germany-based companies with dangerous backdoor malware (JFrog) SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineerin (SecurityWeek) Trio Of Cybercriminals Sentenced For Conspiracy To Commit Fraud And Aggravated Identity Theft (US Attorney for the Middle District of Florida)

The cybersecurity authorities of the UK, Australia, Canada, New Zealand, and the US have observed a recent increase in malicious cyber activity against managed service providers (MSPs). Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers.  AA22-131A Alert, Technical Details, and Mitigations Technical Approaches to Uncovering and Remediating Malicious Activity Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses APTs Targeting IT Service Provider Customers ACSC's Managed Service Providers: How to manage risk to customer networks  Global Targeting of Enterprise Managed Service Providers Cyber Security Considerations for Consumers of Managed Services  How to Manage Your Security When Engaging a Managed Service Provider Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers Baseline Cyber Security Controls for Small and Medium Organizations Actions to take when the cyber threat is heightened Top 10 IT Security Action Items to Protect Internet Connected Networks and Information CCCS's Alert: Malicious Cyber Activity Targeting Managed Service Providers  CISA Cybersecurity Alert: APT Activity Exploiting MSPs (2018) CISA Cyber Essentials and CISA Cyber Resource Hub  Improving Cybersecurity of Managed Service Providers  Shields Up Technical Guidance All organizations should report incidents and anomalous activity to CISA's 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI's 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

There's international consensus on the cyberattack against Viasat. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies are exploited, but to what end? Caleb Barlow examines Russia's future on the internet. Our guest is Deepen Desai from Zscaler with the latest phishing research. And new advisories from CISA and its partners. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/91 Selected reading. Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques (Proofpoint) NPM dependency confusion hacks target German firms (ReversingLabs) npm Supply Chain Attack Targeting Germany-Based Companies (JFrog) Adminer in Industrial Products (CISA) Eaton Intelligent Power Protector (CISA)  Eaton Intelligent Power Manager Infrastructure (CISA)  Eaton Intelligent Power Manager (CISA) AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (CISA)  Mitsubishi Electric MELSOFT GT OPC UA (CISA)  CISA Adds One Known Exploited Vulnerability to Catalog (CISA)  Alert (AA22-131A) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA) Russia downed satellite internet in Ukraine -Western officials (Reuters)  US and its allies say Russia waged cyberattack that took out satellite network (Ars Technica)  Western powers blame Russia for Ukraine satellite hack (The Record by Recorded Future)  Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)  Attribution of Russia's Malicious Cyber Activity Against Ukraine - United States Department of State (United States Department of State)  U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors (CISA) Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion (GOV.UK) Estonia joins the statement of attribution on cyberattacks against Ukraine (Ministry of Foreign Affairs, Republic of Estonia)  Statement on Russia's malicious cyber activity affecting Europe and Ukraine (Canada.ca)  Attribution to Russia for malicious cyber activity against European networks (Australian Government Department of Foreign Affairs and Trade)  Russia hacked an American satellite company one hour before the Ukraine invasion (MIT Technology Review)  NSA Probing Reach of Software From Russia's Kaspersky in US Systems (Bloomberg) 

A quick introductory note on Russia's hybrid war against Ukraine. Russian television schedules hacked to display anti-war message. Phishing campaign distributes Jester Stealer in Ukraine. European Council formally attributes cyberattack on Viasat to Russia. Costa Rica declares a state of emergency as Conti ransomware cripples government sites. DCRat and the C2C markets. The gang behind REvil does indeed seem to be back. More Joker-infested apps found in Google Play. Guest Nick Adams from Differential Ventures discusses what will drive continued growth of cybersecurity beyond attack surfaces and governance from a VC's perspective. Partner Ben Yelin from UMD CHHS on digital privacy concerns in the aftermath of the potential overturn of Roe vs Wade. And Spain's spyware scandal takes down an intelligence chief. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/90 Selected reading. Ukraine morning briefing: Five developments as Joe Biden warns Vladimir Putin has 'no way out' (The Telegraph) Viewpoint: Putin now faces only different kinds of defeat (BBC News)  Putin's Victory Day speech gives no clue on Ukraine escalation (Reuters)  On Victory Day, Putin defends war on Ukraine as fight against ‘Nazis' (Washington Post)  In Speech, Putin Shows Reluctance in Demanding Too Much of Russians (New York Times)  Putin's parade shows he "is going to continue at whatever cost" in Ukraine (Newsweek) Russia's display of military might sent the West a strong message – just not the one Putin intended (The Telegraph) Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages (HackRead)  Russian TV hacked to say ‘blood of Ukrainians is on your hands' (The Telegraph)  Mass Distribution of Self-Destructing Malware in Ukraine (BankInfoSecurity)  Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)

The US Treasury Department sanctions a cryptocurrency mixer. Rewards for Justice is interested in Conti. US tractor manufacturer AGCO was hit by a ransomware attack. Russian hacktivism hits German targets and threatens the UK. A Russian diplomatic account was apparently hijacked. Tracking Cobalt Strike servers used against Ukraine. Dinah Davis from Arctic Wolf defends against DDOS attacks. Rick Howard looks at Single Sign On. And no apology for you, Mr. Bennett. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/89 Selected reading. U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats (U.S. Department of the Treasury) Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice (United States Department of State) AGCO ransomware attack disrupts tractor sales during U.S. planting season (Reuters) Agricultural equipment maker AGCO reports ransomware attack (The Record by Recorded Future) Russia's chief diplomat in Scotland condemns Ukraine invasion in social media post (The Telegraph)   Pro-Russian Hackers Hit German Government Sites, Spiegel Says (Bloomberg) Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine (IronNet) Russia tensions with Israel may intensify as Kremlin denies Putin's apology (Newsweek)

Chief security officer and chief information officer at Relativity, Amanda Fennel shares her story from archeology to cybersecurity. She shares the path that lead her towards becoming an archeologist and how it turned out not being exactly what she expected. She then shares how she got into the cyber business and how her past has impacted what she's doing now. She describes how she would like to be remembered in the cyber world, she says "I do hope that I left things better than I found them, not just the security of a product or a company, but I believe strongly that every person has a little cyber warrior inside of them." We thank Amanda for sharing her story.

Tushar Richabadas from Barracuda joins Dave Bittner to discuss their findings detailed in their "Threat Spotlight: Attacks on Log4Shell vulnerabilities." Their research shows the percentage of attackers targeting the vulnerabilities, and shows where the dips and spikes are over the course of the past couple of months. The research has also gathered where the attackers main IP addresses are located, with 83% of them located in the United States. They breakdown what this malware can do and how to protect yourself against it. They say "Due to the growing number of vulnerabilities found in web applications, it is getting progressively more complex to protect against attacks." The research can be found here: Threat Spotlight: Attacks on Log4Shell vulnerabilities

An update on the war in Ukraine as Victory Day approaches. President Lukashenka on the war next door. Hackivists in the battlespace. Raspberry Robin and a USB worm. A carefully operated credential phishing campaign. Another ICS security alert from CISA. Dinah Davis from Arctic Wolf on reflection amplification techniques. Carole Theriault examines zero trust architecture access policies. Happy Mother's Day (and stay safe online). For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/88 Selected reading. Mariupol steel mill battle rages as Ukraine repels attacks (Military Times)  Why the battle for Mariupol is important for Vladimir Putin. (New York Times) A race against time in Ukraine as Russia advances, West sends weapons (Washington Post) The AP Interview: Belarus admits Russia's war 'drags on' (AP NEWS) Russia's ally Belarus criticises war effort for ‘dragging on' (The Telegraph) NSA cyber boss seeks to discourage vigilante hacking against Russia (Defense News) Shields Up: Russian Cyberattacks Headed Our Way (JD Supra) Raspberry Robin gets the worm early (Red Canary)  VIP3R: New actor. Old story. Great success. (Menlo Security) Johnson Controls Metasys (CISA)  Top 3 Mother's Day Scam Sites – Be Smart When Buying Gifts (Trend Micro News)

Hacktivisim and privateering in Moscow, Kyiv, and Minsk. Log4j vulnerabilities are more widespread than initially thought. US Cyber Command deployed a "hunt forward" team to Lithuania. CISA adds five vulnerabilities to its Known Exploited Vulnerabilities Catalog. Jen Miller-Osborn from Palo Alto Networks discusses the findings from the Center for Digital Government's survey on Getting Ahead of Ransomware. Grayson Milbourne of Webroot/OpenText discusses OpenText's 2022 BrightCloud Threat Report. And Anonymous leaks emails allegedly belonging to the Nauru Police Force. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/87 Selected reading. Russian ally Belarus launches military quick-response drills (Washington Post) Putin's Ukraine War: Desperate Belarus dictator strikes back (Atlantic Council) Russian ransomware group claims attack on Bulgarian refugee agency (CyberScoop) Russia and Ukraine Conflict Q&A | Cybersixgill (Cybersixgill) Threat Advisory: New Log4j Exploit Demonstrates a Hidden Blind Spot in the Global Digital Supply Chain (Cequence) Anonymous Leak 82GB of Police Emails Against Australia's Offshore Detention (HackRead)

An upswing in malware deployed against targets in Eastern Europe. Cozy Bear is typosquatting. CuckooBees swarm around intellectual property. Tracking the DPRK's hackers. Quiet persistence in corporate networks. CISA issues an ICS advisory. Caleb Barlow on backup communications for your business during this period of "shields up." Duncan Jones from Cambridge Quantum sits down with Dave to discuss the NIST algorithm finalist Rainbow vulnerability. And, hey, officer, honest, it was just a Squirtle…. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/86 Selected reading. Update on cyber activity in Eastern Europe (Google)  Multiple government hacking groups stay busy targeting Ukraine and the region, Google researchers say (CyberScoop) Google: Nation-state phishing campaigns expanding to target Eastern Europe orgs (The Record by Recorded Future) SolarWinds hackers set up phony media outlets to trick targets (CyberScoop)  SOLARDEFLECTION C2 Infrastructure Used by NOBELIUM in Company Brand Misuse (Recorded Future)  Experts discover a Chinese-APT cyber espionage operation targeting US organizations (VentureBeat) Operation CuckooBees: Cybereason Uncovers Massive Chinese Intellectual Property Theft Operation (Cybereason Nocturnus)  Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques (Cybereason)  Chinese hackers cast wide net for trade secrets in US, Europe and Asia, researchers say (CNN)  Researchers tie ransomware families to North Korean cyber-army (The Record by Recorded Future) The Hermit Kingdom's Ransomware Play (Trellix) New espionage group is targeting corporate M&A (TechCrunch)  Cyberespionage Group Targeting M&A, Corporate Transactions Personnel (SecurityWeek)  UNC3524: Eye Spy on Your Email (Mandiant)  Yokogawa CENTUM and ProSafe-RS (CISA)  Cops ignored call to nearby robbery, preferring to hunt Pokémon (Graham Cluley)

Russia reroutes Internet traffic in occupied regions of Ukraine through Russian services. The Stormous gang, hacking on behalf of Russia. DNS poisoning risk. Updates on Chinese cyberespionage campaigns. Our guest Chetan Mathur of Next Pathway finds similarities between the cloud industry and the 1849 California Gold Rush. Eldan Ben-Haim of Apiiro on why cybersecurity is largely a culture issue. Notes on ransomware operations. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/85 Selected reading. Microsoft sees Russian cyberattacks on Ukraine 'getting more and more disruptive' (Inside Defense)  Sergey Lavrov claims Hitler had 'Jewish blood' (The Telegraph) Lavrov's anti-Semitic outburst exposes absurdity of Russia's “Nazi Ukraine” claims (Atlantic Council)  Russia likens Zelensky to Hitler as Mariupol says Russia worse than Nazis (Newsweek)  Russia reroutes internet in occupied Ukrainian territory through Russian telcos (The Record by Recorded Future)  Stormous: The Pro-Russian, Clout Hungry Ransomware Gang Targets the US and Ukraine (Trustwave) Zhadnost ‘stamps' out Ukrainian National Postal Service's website. (SecurityScorecard)  Industrial cybersecurity researchers, looking for help, go public with unpatched IoT bug (The Record by Recorded Future)  Nozomi Networks Discovers Unpatched DNS Bug in Popular C Standard Library Putting IoT at Risk (Nozomi Networks) Chinese "Override Panda" Hackers Resurface With New Espionage Attacks (The Hacker News)  Chinese Hackers Caught Exploiting Popular Antivirus Products to Target Telecom Sector (The Hacker News)  New Black Basta Ransomware Possibly Linked to Conti Group (SecurityWeek)  Experts Analyze Conti and Hive Ransomware Gangs' Chats With Their Victims (The Hacker News)  Conti and Hive ransomware operations: What we learned from these groups' victim chats (Cisco Talos)  Conti and Hive ransomware operations: (Cisco Talos)

Security executives need visibility into their real cyber risk in real time. But with the flood of vulnerability alerts, how can organizations pinpoint impactful security gaps? To meet this challenge, security teams are shifting to an exploit-centric approach to security validation to expose potential threats from ransomware, leaked credentials, phishing, & more.  On this episode, of CyberWire-X, we explore how automation can help teams make this shift to prioritize remediation based on bottom line business impact. Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, discusses the topic with Rick Doten, CISO, Carolina Complete Health and CyberWire Hash Table member, while Dave Bittner, CyberWire podcast host, engages with Sponsor Pentera's Jay Mar-Tang, Sales Engineering Manager for the Americas, about automated security validation.

Cable sabotage in France remains under investigation. Spearphishing by Cozy Bear. Widespread and damaging Russian cyberattacks have yet to appear, but criminals find a new field of activity. Hacktivism and privateering. The legal and prudential limits to hacktivism. Applying lessons learned from an earlier cyberwar. Romanian authorities say last week's DDoS incident was retaliation for Bucharest's support of Kyiv. Rick Howard is dropping some SBOMS. Carole Theriault reports on virtual kidnappings. REvil seems to be back after all. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/84 Selected reading. How the French fiber optic cable attacks accentuate critical infrastructure vulnerabilities (CyberScoop)  Russian hackers compromise embassy emails to target governments (BleepingComputer)  Ukraine's defense applies lessons from a 15-year-old cyberattack on Estonia (NPR)  Feared Russian cyberattacks against US have yet to materialize (C4ISRNet) Hacking Russia was off-limits. The Ukraine war made it a free-for-all. (Washington Post)  A YouTuber is promoting DDoS attacks on Russia — how legal is this? (BleepingComputer) Ukraine's Digital Fight Goes Global (Foreign Affairs) Romanian government says websites attacked by pro-Russian group (The Record by Recorded Future)  REvil ransomware returns: New malware sample confirms gang is back (BleepingComputer)

Chief security strategist from Analyst1, Jon DiMaggio shares his story on how he grew to become apart of the cybersecurity world. He describes different jobs that paved the way to the knowledge he has one the industry right now, and he even shares about an experience that led him to path that split and which decision he would make, would be crucial in his career. He explains which way he ended up going and how a critical part of his career helped to determine that path. He say's "there's two paths when you have that happen, you can either let it defeat you, or you know, you come back swinging." We thank Jon for sharing his story.

The move to cloud has great potential to improve security, but the required process and cultural changes can be daunting. There are a vast number of critical vulnerabilities that make it to production and demand more effective mitigations. Although “shifting security left” should help, organizations are not able to achieve this quickly enough, and “shifting left” does not account for runtime threats. Organizations must strive to improve the prioritization of vulnerabilities to ensure the most dangerous flaws are fixed early. But even then, some risk will be accepted, and a threat detection and response program is required for full security coverage. On this episode of CyberWire-X, host Rick Howard, the CyberWire's CSO, Chief Analyst and Senior Fellow, explores how to secure your software development lifecycle, how to use a maturity model like BSIM, where do containers fit in that process, and the Sysdig 2022 Cloud-Native Security and Usage report. Joining Rick on this episode are Tom Quinn, CISO at T. Rowe Price and CyberWire Hash Table member, and from episode sponsor Sysdig is their Director of Thought Leadership, Anna Belak, to discuss their experiences and real world data, as well as practical approaches to managing cloud risk. 

Vikram Thakur of Symantec Threat Hunter team joins Dave Bittner to discuss their work on Daxin, a new and the most advanced piece of malware researchers have seen from China-linked actors. Symantec said " There is strong evidence to suggest the malware, Backdoor.Daxin, which allows the attacker to perform various communications and data-gathering operations on the infected computer, has been used as recently as November 2021 by attackers linked to China." They go on to explain how Daxin is used to target organizations and governments of strategic interest to China and how those agencies can protect themselves. Symantec also discusses how this is the most advanced piece of malware their researchers have seen. The research can be found here: Daxin: Stealthy Backdoor Designed for Attacks Against Hardened Networks

Russian and Ukrainian operators exchange cyberattacks. Wiper malware: contained, but a potentially resurgent threat. #OpRussia update. DDoS in Romania. Flash loan caper hits a DeFi platform. Coca-Cola investigates Stormous breach claims. CISA issues two new ICS advisories. Caleb Barlow on cleaning up the digital exhaust of your home. Our guests are Freddy Dezeure and George Webster on reporting cyber risk to boards. A Declaration for the Future of the Internet. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/83 Selected reading. Russian missiles bombard Kyiv during UN chief's visit (The Telegraph)  Zelenskiy urges ‘strong response' after Russia strikes Kyiv during UN Ukraine visit (the Guardian)  Anonymous hacked Russian PSCB Commercial Bank and companies in the energy sector (Security Affairs)  Ongoing DDoS attacks from compromised sites hit Ukraine (Security Affairs)  Ukraine's Digital Battle With Russia Isn't Going as Expected (Wired)  CISA and FBI Update Advisory on Destructive Malware Targeting Organizations in Ukraine (CISA)  Government and researchers keep US attention on Russia's cyber activity in Ukraine (The Record by Recorded Future)  CISA Adds New Russian Malware to Cyber Advisory (Nextgov)  An Overview of the Increasing Wiper Malware Threat (Fortinet Blog)  Cyber Attacks Hit Romanian Government Websites (Balkan Insight)  More than $13 million stolen from DeFi platform Deus Finance (The Record by Recorded Future)  Coca-Cola Investigates Hacking Claim (Wall Street Journal)  Coca-Cola investigating data breach claims by Stormous group (Computing)  Has 'clown show' hacking gang Stormous really breached Coca-Cola? (Tech Monitor)  Delta Electronics DIAEnergie (CISA)  Johnson Controls Metasys (CISA) 1 A Declaration for the Future of the Internet (The White House)  FACT SHEET: United States and 60 Global Partners Launch Declaration for the Future of the Internet (The White House)  US joins 55 nations to set rules for internet, with eye on China and Russia (South China Morning Post) China, India, Russia missing from future of internet pledge by US, EU, and 33 others (ZDNet)  US, partners launch plan for 'future' of internet, as China, Russia use 'dangerous' malign practices (Fox News)  U.S. joins 55 nations to set new global rules for the internet (Reuters)

Microsoft summarizes the scale of Russian cyberattacks against Ukraine. Russian cyber capabilities should be neither overestimated nor underestimated. Russia has also come under cyberattack during its hybrid war. Chinese intelligence services are paying close attention to Russian targets. The Five Eyes advise us on “routinely exploited vulnerabilities.” Physical sabotage as cyberattack. Linda Gray-Martin and Britta Glade from RSA discuss what's new at RSAC and cybersecurity trends. Marc van Zadelhoff of Devo talks about their new podcast Cyber CEOs Decoded coming to the CyberWire network. And, hey kids, name that mascot. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/82 Selected reading. Special Report: Ukraine (Microsoft)  Russian Cyber Capabilities Have ‘Reached Their Full Potential,' Ukrainian Official Says (Wall Street Journal)  Industroyer2: Nozomi Networks Labs Analyzes the IEC 104 Payload (Nozomi Networks)  Russia Is Being Hacked at an Unprecedented Scale (Wired) BRONZE PRESIDENT targets Russian speakers with updated PlugX - Blog (Secureworks) CISA, FBI, NSA, and International Partners Warn Organizations of Top Routinely Exploited Vulnerabilities (National Security Agency/Central Security Service)  The Air Force is trusting the internet to name its ridiculous new cybersecurity mascot (Task & Purpose)

Heard on the Baltimore waterfront. Privateering against Western brands. An update on sanctions and counter sanctions. Stonefly, straight outta Pyongyang. Lazarus is also back (and not in the good way). Richard Hummel from NETSCOUT discusses their bi-annual Threat Intel Report. Jon DiMaggio from Analyst1 joins us to discuss his new book, “The Art of Cyberwarfare - An Investigator's Guide to Espionage, Ransomware, and Organized Cybercrime.” And the US Department of State has added six Russian GRU officers to its Rewards for Justice program. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/81 Selected reading. Britain says Ukraine controls majority of its airspace (Reuters)  Latest strikes on Russia hint daring Ukraine is not intimidated by the Kremlin (The Telegraph)  West gearing up to help Ukraine for ‘long haul', says US defence secretary (the Guardian)  U.S., allies promise to keep backing Ukraine in its war with Russia (Washington Post)  Russia-linked hackers claim to have breached Coca-Cola Company (CyberNews) Stormous ransomware gang claims to have hacked Coca-Cola (Security Affairs)  Chinese drone-maker DJI quits Russia and Ukraine (Register)  Russia to Cut Gas to Poland and Bulgaria, Making Energy a Weapon (Bloomberg)  Russia cuts off gas to Poland, Bulgaria, stoking tensions with E.U. over Ukraine (Washington Post)  Why Russia's Economy Is Holding On (Foreign Policy)  Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets (Symantec) A "Naver"-ending game of Lazarus APT (Zscaler) U.S. offers $10 mln reward for information on Russian intelligence officers -State Dept (Reuters) US offering $10 million for info on Russian military hackers accused of NotPetya attacks (The Record by Recorded Future)  Rewards for Justice – Reward Offer for Information on Russian Military Intelligence Officers Conducting Malicious Activity Against U.S. Critical Infrastructure - United States Department of State (United States Department of State)

Heightened cyber tension as Quds Day approaches. Costa Rican electrical utility suffers from Conti ransomware. Emotet's operators seem to be exploring new possibilities. North Korean cyber operators target journalists who cover the DPRK. A guilty plea in a strange case of corporate-connected cyberstalking. Bel Yelin ponders the potential Twitter takeover. Mr. Security Answer Person John Pescatore addresses questions about vendors. And cybercrime, run like a business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/80 Selected reading. Russia's invasion of Ukraine: List of key events from day 62 (Al Jazeera)  Ukraine takes war behind enemy lines as Russian fuel depots set ablaze (The Telegraph)  Russia pounds eastern Ukraine as West promises Kyiv new arms (AP NEWS)  Finland, Sweden to begin NATO application in May, say local media reports (Reuters)  ‘Thanks, Putin': Finnish and Swedish Lawmakers Aim for NATO Membership (Foreign Policy)  World War Three now a 'real' danger, Russian foreign minister Sergei Lavrov warns (The Telegraph)  Moscow cites risk of nuclear war as U.S., allies pledge heavier arms for Ukraine (Reuters)  Russia Warns of Nuclear War Risk as Ukraine Talks Go On (Bloomberg)  From Jordan to Japan: US invites 14 non-NATO nations to Ukraine defense summit (Breaking Defense) State TV says Iran foiled cyberattacks on public services (AP NEWS) State TV Says Iran Foiled Cyberattacks on Public Services (SecurityWeek) Iranian hackers claim they've hit the Bank of Israel - but ‘no proof,' cyber authority says (Haaretz) North Korean hackers targeting journalists with novel malware (BleepingComputer) The ink-stained trail of GOLDBACKDOOR (Stairwell) Conti ransomware cripples systems of electricity manager in Costa Rican town (The Record by Recorded Future)  Emotet Tests New Delivery Techniques (Proofpoint)  Ex-eBay exec pleads guilty to harassing couple whose newsletter raised ire (Reuters) Mastermind of Natick couple's harassment pleads guilty (Boston Globe)  Former eBay Executive Pleads Guilty to His Role in Cyberstalking Campaign (US Department of Justice)  Cyberkriminelle bieten Schadsoftware kostenlos an (IT-Markt)

Anonymous counts coup with their #OpRussia campaign. Alternative energy suppliers in Europe sustain cyberattacks. What Lapsus$ internal chatter reveals. Costa Rica won't pay Conti's ransom. Rick Howard hits the history books. Our guest is Paul Giorgi of XM Cyber with a look at multi-cloud hopping. Locked Shields wraps up. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/79 Selected reading. Ukraine's Postal Service DDOS'd After Printing Moskova Stamps (Gizmodo)  Since declaring cyber war on Russia Anonymous leaked 5.8 TB of Russian data (Security Affairs) European Wind-Energy Sector Hit in Wave of Hacks (Wall Street Journal)  Schneider Electric says no evidence that Incontroller/Pipedream malware exploits vulnerabilities (MarketScreener)  Aid groups helping Ukraine face both cyber and physical threats (CNN)  Leaked Chats Show LAPSUS$ Stole T-Mobile Source Code (KrebsOnSecurity)  Lapsus$ hackers breached T-Mobile's systems and stole its source code (The Verge) Lapsus$ hackers targeted T-Mobile (TechCrunch) FBI Warns of Targeted Cyberattacks on Food Plants Amid Heightened Coverage of Fires (NTD)  Ransomware Attacks on Agricultural Cooperatives Potentially Timed to Critical Seasons (IC3)  Cyberattack causes chaos in Costa Rica government systems (ABC News)  Finland wins NATO cyber defense competition (C4ISRNet)

Operational technology cybersecurity strategist from Nozomi Networks, Danielle Jablanski shares her story of building a target map to end up where she is today. She shares how she started in college and how different paths in life got her to be on the target of success where she is today. She says " you build out that kind of target of where you want to be, and understand that getting to that point might mean doing things you don't enjoy for a number of years, but figuring that out is another way to get to that target without having like a clear bullseye" She goes on to explain how this target map is helping her to create real change and ultimately makes an impact. We thank Danielle for sharing her story.

John Hammond from Huntress joins Dave Bittner on this episode to discuss malware known as BABYSHARK and how it is swimming out for blood once again. Huntress's research says "This activity aligns with known tradecraft attributed to North Korean threat actors targeting national security think tanks." Huntress also adds that the activity was spotted on February 16th and immediately their ThreatOps team began following the trail of breadcrumbs. They said "This led them to uncover the malware that was set to target specifically this organization–and certain influential individuals within it." The research can be found here: Targeted APT Activity: BABYSHARK Is Out for Blood

A look at Russian malware used against Ukrainian targets. Actual and potential targets harden themselves against Russia cyberattacks. Sanctions and the criminal underworld. Conti's fortunes. A credential stealer resurfaces in corporate networks. BlackCat ransomware warning. Tomer Bar from SafeBreach discusses MuddyWaters. Dr. Christopher Emdin previews his new book STEM, STEAM, Make, Dream. CISA releases three more ICS security advisories. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/78 Selected reading. Russia outlines when Ukraine war will end (Newsweek)  Russia racing against clock to win Ukraine war before May 9 'Victory Day' (Newsweek)  A deeper look at the malware being used on Ukrainian targets (The Record by Recorded Future) Ukraine ramps up cyber defences to slow surge in attacks (The Straits Times) Five Eyes Alert Warns of Heightened Risk of Russian Cyber Attacks (Bloomberg)  Preparing for Energy Industry Cyberattacks (Wall Street Journal) US sets dangerous precedents in cyberspace (Global Times)  Russia's War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here's How They're Adapting (Flashpoint)  U.S. Treasury Designates Facilitators of Russian Sanctions Evasion (U.S. Department of the Treasury) Russia says nyet, sanctions Mark Zuckerberg, LinkedIn's Roslansky, VP Harris and other US leaders (TechCrunch)  Russia's War in Ukraine Has Complicated the Means Through Which Cybercriminals Launder Funds. Here's How They're Adapting (Flashpoint)  GOLD ULRICK continues Conti operations despite public disclosures (Secureworks)  Costa Rica's Alvarado says cyber​​attacks seek to destabilize country as government transitions (Reuters) Hackers Spearphish Corporate Hiring Managers with Poisoned Resumes, Infecting Them with the More_Eggs Malware, Warns eSentire (eSentire)  BlackCat/ALPHV Ransomware Indicators of Compromise (IC3)  FBI: BlackCat ransomware breached at least 60 entities worldwide (BleepingComputer)  Delta Electronics ASDA-Soft (CISA)  Johnson Controls Metasys SCT Pro (CISA)  Hitachi Energy MicroSCADA Pro/X SYS600 (CISA) 

A renewed Five Eyes' warning about potential Russian cyberattacks. The FBI warns of the threat of ransomware attacks against the agriculture sector. REvil may be back in business. Carole Theriault shares insights on bug bounty programs. Our own Rick Howard checks in with Zack Barack from Coralogix on where things stand with XDR. And beware of threats of Facebook account suspension. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/77 Selected reading. Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure US and allies warn of Russian hacking threat to critical infrastructure REvil's TOR sites come alive to redirect to new ransomware operation ( FBI Warns of Ransomware Attacks on Farming Co-ops During Planting, Harvest Seasons ( Phishing Site on Facebook Domain Used to Steal Credentials

A Shuckworm update. Pegasus spyware found in UK government officials' phones. CISA issues six ICS security alerts and adds three entries to its Known Exploited Vulnerabilities Catalog. Gangs succeed when criminals run them like a business. Julian Assange moves closer to extradition to the US. Tim Eades from Cyber Mentor Fund on cyber valuations. Our guest is Wes Mullins from deepwatch discussing adversary simulations. And a guilty plea in a high-profile cyberstalking case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/76 Selected reading. Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine UK Government Reportedly Infected With NSO Group Spyware ‘CatalanGate' Spyware Infections Tied to NSO Group Pegasus Spyware and Citizen Surveillance: What You Need to Know Julian Assange extradition order issued by London court, moving WikiLeaks founder closer to US transfer . Former eBay executive to plead guilty to cyberstalking campaign targeting couple

In a hybrid war, sometimes it's about the timing. Not quite all quiet on the cyber front. Pyongyang is phishing for crypto wallets (and your NFTs, and other blockchained valuables). Emotet really likes those malicious macros. Joe Carrigan looks at prompt bombing. Bec McKeown from Immersive Labs explains human cyber capabilities. And it's our anniversary this week: celebrate with us. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/75 Selected reading. Ukraine Update: Zelenskiy Says Battle for Donbas Has Begun (Bloomberg)  Ukraine at D+50: Russian reconstitution continues as shields stay up for ICS attacks. (The CyberWire) Military intel chief believes Russia not to achieve any wins in Ukraine by Easter as Kremlin wishes (Ukrinform) Ukraine War Divides Orthodox Faithful (New York Times)  US officials ramp up warnings about Russian cyberattacks (The Hill)  NATO Plays Cyberwar to Prep for a Real Russian Attack (Gizmodo)  FS-ISAC Leads Financial Sector in Global Live-Fire Cyber Exercise Locked Shields (PR Newswire)  If anyone understands Russian cyber dangers, it's Estonia's former president (Washington Post) North Korean State-Sponsored APT Targets Blockchain Companies (CISA)   TraderTraitor: North Korean State-Sponsored APT Targets Blockchain Companies (CISA)  US warns of Lazarus hackers using malicious cryptocurrency apps (BleepingComputer)  Trends in the Recent Emotet Maldoc Outbreak | FortiGuard Labs (Fortinet Blog)

Nuisance-level cyberattacks continue on both sides of Russia's hybrid war against Ukraine. Face-saving disinformation. “CatalanGate.” Industrial Spy says it caters to its victims' competitors. More on what's been learned from Conti's leaked chatter. Rewards for Justice offers $5 million for tips on DPRK cyber ops. Awais Rashid on supply chain risk management. Our guest is Jack Chapman from Egress to discuss a 232% increase in LInkedIn phishing attacks. And Exercise Locked Shields begins tomorrow. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/74 Selected reading. Occupants send computer viruses allegedly on behalf of SBU (Interfax-Ukraine) Ransomware groups go after a new target: Russian organizations (The Record by Recorded Future). Currency.com Targeted in Failed Cyber-Attack (Accesswire)  Russia says missile attacks on Kyiv will increase (Military Times)  Film and photos appear to show Russian cruiser Moskva shortly before it sank (the Guardian) CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru (The Citizen Lab) New Industrial Spy stolen data market promoted through cracks, adware (BleepingComputer)  Event Overview: CONTI Leaks 2022 (BlueVoyant) U.S. offers $5 million for info on North Korean cyber operators (The Record by Recorded Future)  North Korea: Up to $5 Million Reward (US State Department) World´s Largest International Live-Fire Cyber Exercise launches in Tallinn (CCDCOE) 

At the Hack the Port 2022 event, the CyberWire held a CyberWire Live event. CyberWire Daily Podcast host Dave Bittner was joined by Roya Gordon, OT/IoT Security Research Evangelist at Nozomi Networks, and Christian Lees, CTO at Resecurity. During this fireside chat format session, Dave and our guests discussed ICS, OT cybersecurity, the role of security research and demos, supply chain compromise, and IT/OT security trends among other things. Thanks to the team at MISI/DreamPort for this opportunity.

Co-founder and CTO of Virsec, Satya Gupta shares his story of how he has over 25 years of expertise in embedded systems, network security and systems architecture. He also talks about how a colleague of his told him something that resinated with him, he said " that was really a remarkable statement that I heard from that person. You rise to the point where you can actually contribute." He also discusses how he got into the startup atmosphere and how different scenarios in his life helped to lead him to the successful man he has become in the cyber community. We thank Satya for sharing his story.

Alan Neville from Symantec/Broadcom joins Dave Bittner on this episode to discuss Antlion, a Chinese state-backed hacker group, are using custom backdoors to target financial institutions in Taiwan. Symantec's blog shares the research behind the attacks and how the backdoor allowed the attackers to run WMI commands remotely. Symantec's research showed that "The goal of this campaign appears to have been espionage, as we saw the attackers exfiltrating data and staging data for exfiltration from infected networks." They have since found that this attack has been going on over the course of the past 18 months, in which 250 days were spent on the financial organization and around 175 days were spent on the manufacturing organization. The research can be found here: Antlion: Chinese APT Uses Custom Backdoor to Target Financial Institutions in Taiwan

Further developments in the Incontroller/Pipedream industrial control system threat. Conti claims responsibility for the Nordex hack. The half-a-billion stolen from Ronin went to the Lazarus Group. And indictments in an influence ops case. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/73 Selected reading. Ukraine war: Russia threatens to step up attacks on Kyiv (BBC News)  Live Updates: Russia Sets Stage for Battle to Control Ukraine's East (New York Times) Russian Troops Risk Repeating Blunders If They Try for May 9 Win (Bloomberg)  Why Putin may be aiming to declare victory over Ukraine on May 9 (Fortune)  What Victory Day means for Russian identity (Washington Post)  Spy games: expulsion of diplomats shines light on Russian espionage (the Guardian) Finland and Sweden pursue unlinked NATO membership (Defense News) What Finland Can Offer NATO (Foreign Policy) U.S. warns energy firms of a rapidly advancing hacking threat (E&E News)  Wind turbine firm Nordex hit by Conti ransomware attack (BleepingComputer)  Karakurt revealed as data extortion arm of Conti cybercrime syndicate (BleepingComputer) Threat Spotlight: Conti Ransomware Group Behind the Karakurt Hacking Team (Infinitum) US agency attributes $540 million Ronin hack to North Korean APT group (The Record by Recorded Future) North Korea Designation Update (U.S. Department of the Treasury)  Russian legislator, staff accused of trying to influence US lawmakers: DOJ (Newsweek)  Russian Legislator and Two Staff Members Charged with Conspiring to Have U.S. Citizen Act as an Illegal Agent of the Russian Government in the United States (US Department of Justice)

A nation-state threat actor (probably Russian) targets industrial systems. A quick look at the GRU's earlier attempt against Ukraine's power grid. The difficulty of recovering from a credible threat to industrial systems. Lazarus Group resumes Operation Dream Job. OldGremlin speaks Russian, and it holds Russian companies for ransom. Carole Theriault looks at research on lie detection. Josh Ray from Accenture drops some SBOMs. And another look at the privateers in the Conti gang. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/72 Selected reading. Ukraine Update: U.S., EU to Send More Arms; Warship Damaged (Bloomberg)  INCONTROLLER: New State-Sponsored Cyber Attack Tools Target Multiple Industrial Control Systems (Mandiant). PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments | Dragos (Dragos)  APT Cyber Tools Targeting ICS/SCADA Devices (CISA)  U.S. warns newly discovered malware could sabotage energy plants (Washington Post)  Industroyer2 Targets Ukraine's Electric Grid: Here's How Companies Can Stay Protected and Resilient (Nozomi Networks) Wind Turbine Giant Nordex Hit By Cyber-Attack (Infosecurity Magazine) Lazarus Targets Chemical Sector (Symantec) Old Gremlins, new methods (Group-IB) Leaked documents show notorious ransomware group has an HR department, performance reviews and an 'employee of the month' (CNBC)

Indestroyer2 and Ukraine's power grid. More on last week's distributed denial-of-service attack against Finland. Anonymous claims to have doxed Russia's Ministry of Culture. Hafnium gets evasive. Enemybot is under development but worth keeping an eye on. Changing the phish hook. Patch Tuesday notes. Tim Eades from Cyber Mentor Fund on digital & security transformations. Our guest is Aaron Shilts from NetSPI onproactive public-private sector security collaboration. Sanctions evasion is serious business. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/71 Selected reading. Why Russia's Cyber Warriors Haven't Crippled Ukraine (The National Interest) In Ukraine, a ‘Full-Scale Cyberwar' Emerges (Wall Street Journal)  Russian hackers tried to bring down Ukraine's power grid to help the invasion (MIT Technology Review)  Russia's Sandworm Hackers Attempted a Third Blackout in Ukraine (Wired) Ukraine Thwarts Cyberattack on Electric Grid, Officials Say (Wall Street Journal)  Zhadnost strikes again… this time in Finland. (SecurityScorecard) Anonymous Hits Russian Ministry of Culture- Leaks 446GB of Data (HackRead)  Tarrask malware uses scheduled tasks for defense evasion (Microsoft Security Blog)  Enemybot: A Look into Keksec's Latest DDoS Botnet (Fortinet Blog)  Enemybot: a new Mirai, Gafgyt hybrid botnet joins the scene (ZDNet)  Qbot malware switches to new Windows Installer infection vector (BleepingComputer)  Microsoft Releases April 2022 Security Updates (CISA) Google Releases Security Updates for Chrome (CISA)  Citrix Releases Security Updates for Multiple Products (CISA) Apache Releases Security Advisory for Struts 2 (CISA)  Valmet DNA (CISA)  Mitsubishi Electric MELSEC-Q Series C Controller Module (CISA)  Inductive Automation Ignition (CISA)  Mitsubishi Electric GT25-WLAN (CISA)  Aethon TUG Home Base Server (CISA)  U.S. crypto researcher sentenced to five years for helping North Korea evade sanctions (Reuters)

GRU deploys Industroyer2 against the Ukrainian energy sector. NB65 counts coup against Roscosmos. Anonymous doxes three more Russian companies. President Putin purges the FSB's Fifth Service. CISA warns of an exploited firewall vulnerability. Medical robots' vulnerabilities are remediated. A Cyber Civil Defense effort in the US. Ben Yelin on newly passed cyber legislation. Our guest is Chase Snyder from ExtraHop to discuss their recent Cyber Confidence Index. And good riddance to RaidForums. For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/70 Selected reading. Russia's Reset (New York Times) Russia will not pause military operation in Ukraine for peace talks (Reuters)  Industroyer2: Industroyer reloaded | WeLiveSecurity (WeLiveSecurity) CERT-UA warns of large-scale cyber attack on energy sector (Interfax-Ukraine) Russia's space programme hit by western cyber attack (The Telegraph) Anonymous Hits 3 Russian Entities, Leaks 400 GB Worth of Emails (HackRead)  Russia's Ukraine Propaganda Has Turned Fully Genocidal (Foreign Policy)  Russia-Ukraine latest news: Vladimir Putin vows ‘clear and noble' aims of Russian invasion will be achieved (The Telegraph) CISA warns orgs of WatchGuard bug exploited by Russian state hackers (BleepingComputer) CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA)  Cynerio Discovers and Discloses JekyllBot:5, a Series of Critical Zero-Day Vulnerabilities Allowing Attackers to Remotely Control Hospital Robots (Cynerio) Craig Newmark Philanthropies Pledges $50 Million to Cyber Civil Defense (Global Cyber Alliance)