

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.

Sep 3, 2022 • 20min
LockBit's contradiction on encryption speed. [Research Saturday]
Ryan Kovar from Splunk sits down with Dave to discuss their findings in "Truth in Malvertising?" that contradict the LockBit group's encryption speed claims. Splunk's SURGe team recently released a whitepaper, blog, and video that outlined the encryption speeds of 10 different ransomware families. During their research they came across LockBit doing the same thing. After completing the research, the researchers came back to test the veracity of LockBit’s findings.

The research showed three interesting finds. The first find showed that LockBit’s fastest and slowest samples were closely aligned between the tests, but the other results were very different. They also found that LockBit continues to be the fastest ransomware, but LockBit 2.0 was more efficient yet slower than its previous counterpart, LockBit 1.0. Lastly, once ransomware gets to the point of encrypting your systems, it’s too late.

The research can be found here: Truth in Malvertising?

Sep 2, 2022 • 29min
Ransomware groups continue to shift identities and targets. Assessments of the cyber phases of a hybrid war. Is wartime tough for criminals? Anonymous counts coup…against Moscow’s taxis.
REvil (or an impostor, or successor) may be back. A Paris-area medical center continues to work to recover from cyber extortion. An assessment of Russian failure (or disinclination) to mount effective cyber campaigns. Cyber criminals find wartime to be a tough time. Josh Ray from Accenture looks at cyber threats to the rail industry. Our guest is Dan Murphy of Invicti making the case that not all vulnerabilities are created equal. And Yandex Taxi’s app was hacked in a nuisance attack.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/170

Selected reading.
REvil says they breached electronics giant Midea Group (Cybernews)
Paralysed French hospital fights cyber attack as hackers lower ransom demand (RFI)
French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer)
Hacks tied to Russia and Ukraine war have had minor impact, researchers say (The Record by Recorded Future)
Getting Bored of Cyberwar: Exploring the Role of the Cybercrime Underground in the Russia-Ukraine Conflict (arXiv:2208.10629v2)
Why Russia's cyber war in Ukraine hasn't played out as predicted (New Atlas)
Cyber key in Ukraine war, says spy chief (The Canberra Times)
Montenegro Sent Back to Analog by Unprecedented Cyber Attacks (Balkan Insight)
Montenegro blames criminal gang for cyber attacks on government (EU Reporter)
Ransomware Attack Sends Montenegro Reaching Out to NATO Partners (Bloomberg)
“I’m tired of living in poverty” – Russian-Speaking Cyber Criminals Feeling the Economic Pinch (Digital Shadows)
Yandex Taxi hack creates huge traffic jam in Moscow (Cybernews)
Anonymous hacked Russia's largest taxi firm and caused a massive traffic jam (Daily Star)

Sep 1, 2022 • 31min
News on three ransomware operations: BianLian, Cuba, and Ragnar Locker. How the gangs are recruiting. Mobile app supply chain blues. Happy Insider Threat Month.
The BianLian ransomware gang is better at coding than at the business of crime. The attack on Montenegro seems to be ransomware. A look at Ragnar Locker's current interests. Recruiting for gangland gets allusive, but those who know, well, they know. Our guest is Dan Lanir of OPSWAT with insights on recent federal legislation supporting cyber jobs. Ben Yelin examines a lawsuit filed by the FTC against an online data broker. And it’s Insider Threat Month, so keep an eye on yourself.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/169

Selected reading.
BianLian Ransomware Gang Gives It a Go! ([redacted])
Montenegro blames criminal gang for cyber attacks on government (Reuters)
FBI's team to investigate massive cyberattack in Montenegro (AP NEWS)
US issues rare security alert as Montenegro battles ransomware (TechCrunch)
Cuba ransomware group claims attack on Montenegro government (IT PRO)
Cuba Ransomware Team claims credit for attack on Montenegro (Databreaches.net)
Montenegro blames Cuba ransomware for cyberattack (Cybernews)
Cybercriminals Apparently Involved in Russia-Linked Attack on Montenegro Government (SecurityWeek)
THREAT ANALYSIS REPORT: Ragnar Locker Ransomware Targeting the Energy Sector (Cybereason)
Behind the News: The Ragnar Locker Attack on Greek Natural Gas Supplier DESFA - Radiflow (Radiflow)
Mobile App Supply Chain Vulnerabilities Could Endanger Sensitive Business Information (Broadcom Software Blogs / Threat Intelligence)
“Looking for pentesters”: How Forum Life Has Conformed to the Ransomware Ban (Digital Shadows)
NCSC and Federal Partners Focus on Countering Risk in Digital Spaces during National Insider Threat Awareness Month 2022 (ODNI)

Sep 1, 2022 • 31min
Securing multi-cloud identity with orchestration. [CyberWire-X]
While multi-cloud brings significant benefits, it also poses serious security risks. And identity is the reason. Each cloud platform, such as Azure, Google, and AWS, uses proprietary identity systems, and the lack of interoperability makes it unruly to manage. These disparate systems can’t talk to each other, resulting in a fragmented environment full of identity silos — the perfect way for an attacker to get in and cause destruction.

In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Rick Doten, the CISO for Healthcare Enterprises and Centene. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Strata Identity's CEO and Co-founder Eric Olden. Both sets of discussions center around the challenges to identity management caused by the rapid shift to multi-cloud.

Aug 31, 2022 • 25min
Malicious Chrome extensions. BEC in Kentucky. Dispatches from a hybrid war, including state-directed, partisan, and criminal action. ICS advisories. “Cosplaying” hardware.
Chrome extensions steal browser data. A business email compromise attack is under investigation in Kentucky. Belarusian Cyber Partisans claim to have a complete Belarusian passport database. Organizing a cyber militia. CISA releases twelve ICS security advisories. Our guest is Asaf Kochan of Sentra on overemphasizing “the big one.” Carole Theriault cautions against getting ahead of yourself in the cryptocurrency supply chain. “Cosplaying” hardware. And Canada welcomes a new SIGINT boss.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/168

Selected reading.
Chrome extensions with 1.4 million installs steal browsing data (BleepingComputer)
Malicious Cookie Stuffing Chrome Extensions with 1.4 Million Users (McAfee Blog)
Police investigate electronic theft of federal funds (City of Lexington)
FBI, Secret Service join Kentucky investigation into $4 million cybercrime theft (The Record by Recorded Future)
Russian hackers blamed for ongoing Montenegro cyberattack (Tech Monitor)
“For the 1st time in human history a #hacktivist collective obtained passport info of the ALL country's citizens.” (Cyber Partisans)
Inside the IT Army of Ukraine, ‘A Hub for Digital Resistance’ (The Record by Recorded Future)
Ukraine takes down cybercrime group hitting crypto fraud victims (BleepingComputer)
Hitachi Energy FACTS Control Platform (FCP) Product (CISA)
Hitachi Energy Gateway Station (GWS) Product (CISA)
Hitachi Energy MSM Product (CISA)
Hitachi Energy RTU500 series (CISA)
Fuji Electric D300win (CISA)
Honeywell ControlEdge (CISA)
Honeywell Experion LX (CISA)
Honeywell Trend Controls Inter-Controller Protocol (CISA)
Omron CX-Programmer (CISA)
PTC Kepware KEPServerEX (CISA)
Sensormatic Electronics iSTAR (CISA)
Mitsubishi Electric GT SoftGOT2000 (CISA)
Walmart Sells Fake 30TB Hard Drive That’s Actually Two Small SD Cards in a Trench Coat (Vice)

Aug 30, 2022 • 25min
Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Notes from Russia’s hybrid war. And the LockBit gang looks beyond double extortion.
Cyberespionage around the South China Sea. Oktapus and the Twilio compromise. Montenegro works to recover from a Russian cyber offensive. A big Russian streaming platform sustains a data leak. Ann Johnson of the Afternoon Cyber Tea podcast speaks with Dave DeWalt of NightDragon and Jay Leek of both Syn Ventures and Clear Sky Security about cyber capital investment. Mr. Security Answer Person John Pescatore examines the allure of the healthcare industry for ransomware operators. And the LockBit gang looks beyond double extortion.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/167

Selected reading.
Rising Tide: Chasing the Currents of Espionage in the South China Sea (Proofpoint)
Why the Twilio Breach Cuts So Deep (WIRED)
Tentacles of ‘0ktapus’ Threat Group Victimize 130 Firms (Threatpost)
Hackers used Twilio breach to intercept Okta onetime passwords (SiliconANGLE)
Okta Impersonation Technique Could be Utilized by Attackers (SecurityWeek)
Ukraine launches counter-offensive to retake Kherson from Russia (The Telegraph)
Russia-Ukraine war: Kremlin insists invasion going to plan despite counterattacks; first grain ship docks in Africa – live (the Guardian)
Montenegro says Russian cyberattacks threaten key state functions (BleepingComputer)
Montenegro struggles to recover from cyberattack that officials blame on Russia (The Record by Recorded Future)
Leading Russian streaming platform suffers data leak allegedly impacting 44 million users (The Record by Recorded Future)
LockBit ransomware mulls triple extortion following DDoS attack (SC Media)

Aug 29, 2022 • 23min
How a hybrid war spreads its cyber effects. Russian and Chinese cyber ops in Latin America. Greenwashing influence. Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.
Russian cyber operations in Southeastern Europe. The challenge of containing the cyber phases of a hybrid war. Russian and Chinese cyber activity in Latin America. Greenwashing influence operations. Rick Howard looks at risk probabilities. Dinah Davis from Arctic Wolf looks at ransomware payment myths. And an Iranian threat actor exploits Log4j vulnerabilities against Israeli targets.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/166

Selected reading.
Russia blamed for wave of hacker attacks in Southeast Europe (BNE)
Montenegro declares it is in 'hybrid war' with Russia after massive cyber attack (Metro)
Montenegro reports massive Russian cyberattack against govt (ABC News)
Montenegro Reports Massive Russian Cyberattack Against Govt (AP via SecurityWeek)
Montenegro's state infrastructure hit by cyber attack -officials (Reuters)
Cyber Element in the Russia-Ukraine War & its Global Implications (Modern Diplomacy)
Swiss secret service worried about Russian cyber operations (SWI swissinfo.ch)
China and Russia Step Up Cyber Presence in Latin America (Diálogo Américas)
Dominican Republic refuses to pay ransom after attack on agrarian institute (The Record by Recorded Future)
China-Linked Bots Attacking Rare Earths Producer ‘Every Day’ (Bloomberg)
Iranian Hackers Exploiting Unpatched Log4j 2 Bugs to Target Israeli Organizations (The Hacker News)
MERCURY leveraging Log4j 2 vulnerabilities in unpatched systems to target Israeli organizations (Microsoft Threat Intelligence Center)
Iran exploiting Log4j 2 weakness to attack Israel, says Microsoft (Israel Defense)

Aug 28, 2022 • 7min
David Nosibor: Taking calculated risks. [Product Lead] [Career Notes]
David Nosibor, Product Lead for SafeCyber at UL Solutions, started his career in a unique way by not letting himself be pigeonholed. Within his company, David was able to grow to the position he is in now and says that his position feels like a lot of roles tied into one. He says that on any given day he is tackling all sorts of elements, such as marketing, operations, working with the engineering team, figuring out ways to acquire customers, retain them, and also working on sales and business development capabilities. He also says that constantly learning and getting new opportunities was how he ended up being where he is today. David states that staying focused and being on the lookout for ways to accomplish the mission is the best way for him in his company to democratize product security. He quotes the famous singer Sean Carter in saying that he firmly believes in taking calculated risks to get where you need to be going. We thank David for sharing his story.

Aug 27, 2022 • 24min
How a wide scale Facebook campaign stole 1 million credentials. [Research Saturday]
Nick Ascoli from ForeTrace, in a partnership with PIXM, sits down with Dave to provide insight on their team's work on "Phishing tactics: how a threat actor stole 1 million credentials in 4 months." During routine analysis, researchers discovered the connection between the pages using PIXM’s deep HTML analysis feature, which enabled them to view and analyze the underlying code on the pages after they were flagged as phishing. This led to the ensuing investigation, which was led by PIXM’s threat research team with assistance from Nick Ascoli.

The research states "we uncovered a campaign whose scale has potentially impacted hundreds of millions of facebook users, and whose complexity offer insight into the evolving nature of phishing operations, especially from a technical perspective."

The research can be found here: Phishing tactics: how a threat actor stole 1M credentials in 4 months

Aug 26, 2022 • 26min
A Black Basta update. Okta talks Scatter Swine. Nobelium's MagicWeb. Wartime stress in the cyber underworld. LastPass security incident. CISA adds to its Known Exploited Vulnerabilities Catalog.
Palo Alto describes the Black Basta ransomware-as-a-service operation. Okta on Scatter Swine, the threat actor that compromised Twilio. Microsoft describes Nobelium's new approach to establishing persistence. Russia's war against Ukraine has induced stresses in the cyber underworld. LastPass discloses a security incident. Josh Ray from Accenture on cyber crime and the cost-of-living crisis. Our own Dave Bittner sits down with Chris Handman from TerraTrue to discuss how he works to transform legal teams into advocates and collaborators that can ensure privacy is baked in every step of the way. And CISA adds ten entries to its Known Exploited Vulnerabilities Catalog.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/165

Selected reading.
Threat Assessment: Black Basta Ransomware (Palo Alto Networks Unit 42)
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone (Microsoft Threat Intelligence Center)
Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers (The Hacker News)
Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass (ZDNET)
Detecting Scatter Swine: Insights into a relentless phishing campaign (Okta Security)
Twilio hackers hit over 130 orgs in massive Okta phishing attack (BleepingComputer)
Twilio says breach also compromised Authy two-factor app users (TechCrunch)
How the war in Ukraine is reshaping the dark web (New Statesman)
Notice of Recent Security Incident (The LastPass Blog)
LastPass Says Source Code Stolen in Data Breach (SecurityWeek)
LastPass developer systems hacked to steal source code (BleepingComputer)


