CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Aug 26, 2022 • 26min
A Black Basta update. Okta talks Scatter Swine. Nobelium's MagicWeb. Wartime stress in the cyber underworld. LastPass security incident. CISA adds to its Known Exploited Vulnerabilities Catalog.
Palo Alto describes the Black Basta ransomware-as-a-service operation. Okta on Scatter Swine, the threat actor that compromised Twilio. Microsoft describes Nobelium's new approach to establishing persistence. Russia's war against Ukraine has induced stresses in the cyber underworld. LastPass discloses a security incident. Josh Ray from Accenture on cyber crime and the cost-of-living crisis. Our own Dave Bittner sits down with Chris Handman from TerraTrue to discuss how he works to transform legal teams into advocates and collaborators that can ensure privacy is baked in every step of the way. And CISA adds ten entries to its Known Exploited Vulnerabilities Catalog.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/165

Selected reading.
Threat Assessment: Black Basta Ransomware (Palo Alto Networks Unit 42)
MagicWeb: NOBELIUM’s post-compromise trick to authenticate as anyone (Microsoft Threat Intelligence Center)
Microsoft Uncovers New Post-Compromise Malware Used by Nobelium Hackers (The Hacker News)
Microsoft: Russian hackers gain powerful 'MagicWeb' authentication bypass (ZDNET)
Detecting Scatter Swine: Insights into a relentless phishing campaign (Okta Security)
Twilio hackers hit over 130 orgs in massive Okta phishing attack (BleepingComputer)
Twilio says breach also compromised Authy two-factor app users (TechCrunch)
How the war in Ukraine is reshaping the dark web (New Statesman)
Notice of Recent Security Incident (The LastPass Blog)
LastPass Says Source Code Stolen in Data Breach (SecurityWeek)
LastPass developer systems hacked to steal source code (BleepingComputer)

Aug 25, 2022 • 27min
Notes from six months of hybrid war. Oktapus criminal campaign. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. US DHS shutters its Disinformation Governance Board.
Ukrainian and Russian cyber operations at six months. Oktapus criminal campaign compromises 9931 accounts in more than 130 organizations. Exotic Lily and Bumblebee Loader. Insights derived from DNS traffic. Chris Novak from Verizon on DHS Cyber Safety Review Board's report on the Log4j investigation that Verizon conducted. Dave Bittner sits down with our guest Dr. Scott Crowder, CTO and VP, Quantum Computing, Technical Strategy and Transformation for IBM Systems to discuss the increasingly urgent need for industries to prepare for security threats that quantum could unleash. And the US Department of Homeland Security shutters its Disinformation Governance Board.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/164

Selected reading.
How Ukraine used Russia’s digital playbook against the Kremlin (POLITICO)
Ukraine's volunteer 'IT army' responds to Russian hackers, minister says (ABC News)
Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave)
How Russia-Ukraine cyberwar is impacting orgs: Two-thirds say they have been targeted (VentureBeat)
Twilio hackers breached over 130 organizations during months-long hacking spree (TechCrunch)
Roasting 0ktapus: The phishing campaign going after Okta identity credentials (Group-IB)
Bumblebee Malware Loader: Deep Instinct Prevents Attack Pre-Execution (Deep Instinct)
Akamai’s Insights on DNS in Q2 2022 (Akamai)
Following HSAC Recommendation, DHS terminates Disinformation Governance Board (US Department of Homeland Security)
Homeland Security Scraps Disinformation Board Attacked by GOP (Bloomberg)

Aug 24, 2022 • 27min
Ransomware attack hits a French hospital. Lessons for the fifth domain from six months of hybrid war. Deepfake scams have arrived. Threat actors prepare to exploit Hikvision camera vulnerability.
A medical center near Paris comes under ransomware attack, and refuses to pay up. Lessons for the fifth domain from six months of hybrid war. Deepfake scams appear to have arrived. Deepen Desai from Zscaler introduces himself to our audience. Dave Bittner sits down with Gil Hoffer, CTO and Co-founder of Salto to discuss “Who Hacked Slack?” And threat actors prepare to exploit a Hikvision camera vulnerability.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/163

Selected reading.
Cyber attackers disrupt services at French hospital, demand $10 million ransom (France 24)
French hospital hit by $10M ransomware attack, sends patients elsewhere (BleepingComputer)
DECLENCHEMENT DU PLAN BLANC DIMANCHE 21 AOUT 2022 (CHSF - Centre Hospitalier Sud Francilien)
Ukraine at D+181: Independence Day and six months of war. (CyberWire)
Six months, twenty-three lessons: What the world has learned from Russia’s war in Ukraine (Atlantic Council)
Hackers Used Deepfake of Binance CCO to Perform Exchange Listing Scams (Bitcoin News)
Hackers Use Deepfakes of Binance Exec to Scam Multiple Crypto Projects (Gizmodo)
Binance's CEO said thousands of people are falsely claiming to be his employees on LinkedIn. Experts warn it's an example of the platform's growing problem with fake accounts. (Business Insider)
Twitter’s Ex-Security Head Files Whistleblower Complaint (Wall Street Journal)
Twitter is vulnerable to Russian and Chinese influence, whistleblower says (CNN)
Over 80,000 exploitable Hikvision cameras exposed online (BleepingComputer)
Experts warn of widespread exploitation involving Hikvision cameras (The Record by Recorded Future)
Hikvision Surveillance Cameras Vulnerabilities (CYFIRMA)

Aug 23, 2022 • 28min
Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Greek natural gas supplier under cyberattack. Updates on a hybrid war.
Iranian APT data extraction tool described. LockBit gang comes under DDoS. Twitter whistleblower security claims made public. Poland and Ukraine conclude cybersecurity agreement. Greek national natural gas supplier under criminal cyberattack. Update to the Joint Alert on Zimbra exploitation. Addition to CISA's Known Exploited Vulnerabilities Catalog. Johannes Ullrich from SANS on Control Plane vs. Data Plane vulnerabilities. Our guest is David Nosibor, Platform Solutions Lead for UL, to discuss SafeCyber Phase II. And, finally, targeting and trolling, with an excursus on Speedos. Really.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/162

Selected reading.
New Iranian APT data extraction tool (Google)
LockBit gang hit by DDoS attack after Entrust leaks (Register)
Former security chief claims Twitter buried ‘egregious deficiencies’ (Washington Post)
Ex-Twitter exec blows the whistle, alleging reckless and negligent cybersecurity policies (CNN)
Twitter’s Ex-Security Head Files Whistleblower Complaint (Wall Street Journal)
Deception, Bots, and Foreign Agents: The Twitter Whistleblower’s Biggest Allegations (Time)
The Ministry of Digital Transformation, State Service of Special Communication and Information Protection and the Council of Ministers of the Republic of Poland signed Memorandum of understanding in the cybersecurity field. (State Service of Special Communication and Information Protection)
Greek natural gas operator suffers ransomware-related data breach (BleepingComputer)
Greek gas operator refuses to negotiate with ransomware group after attack (The Record by Recorded Future)
Announcement (DESFA)
Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA)
US government really hopes you've patched your Zimbra server (Register)
CISA Adds One Known Exploited Vulnerability to Catalog (CISA)
Speedo-wearing Russian tourists leak defence secrets on Twitter (The Telegraph)

Aug 22, 2022 • 21min
Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. And data-tampering attacks are regarded as a growing risk.
Bogus DDoS protection pages distribute malware. Estonia deals with DDoS attacks. Roskomnadzor's Internet panopticon. Rick Howard on the RSA Security breach of 2011 and the Equifax breach of 2017. Caleb Barlow on what a recession means for cyber security venture capital and what the impact of this is on the industry. And data-tampering attacks are regarded as a growing risk.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/161

Selected reading.
WordPress sites hacked with fake Cloudflare DDoS alerts pushing malware (BleepingComputer)
Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads (Sucuri Blog)
Car blast kills daughter of Russian known as 'Putin's brain' (AP NEWS)
Russia blames Kyiv for killing daughter of ‘Putin’s Rasputin’, but the truth may be closer to home (The Telegraph)
Alexander Dugin's daughter killed by anti-war Russians: Former state deputy (Newsweek)
Estonia Repels Biggest Cyber-Attack Since 2007 (Infosecurity Magazine)
Estonia's Battle Against a Deluge of DDoS Attacks (Infosecurity Magazine)
Latvia Starts Removing Soviet Monument in Challenge to Russia (Bloomberg)
Data-tampering attacks are a 'nightmare' threat that's hard to detect (Protocol)

Aug 21, 2022 • 10min
Roya Gordon: Becoming a trailblazer. [Research] [Career Notes]
Roya Gordon, a Security Research Evangelist at ICS cybersecurity firm Nozomi Networks, started her career as an intelligence specialist in the U.S. Navy. After her time serving, Roya spent time as a Control Systems Cybersecurity Analyst at the Idaho National Laboratory and then took the role of Cyber Threat Intelligence Manager at Accenture. She shares her story of how the NSA accepted her and then quickly diverted, creating a new path for Roya to follow. She shares the jobs she went after along the way, leading up to Nozomi Networks, and how she wishes to be a trailblazer for young Black women everywhere. She hopes to shape young women's minds on what the cybersecurity industry is actually like, in hopes that she can be a figure people look up to. We thank Roya for sharing her story.

Aug 20, 2022 • 16min
Clipminer: Making millions off of malware. [Research Saturday]
Dick O'Brien from Symantec, a part of Broadcom Software, joins Dave to discuss how the cyber-criminal operation, the Clipminer botnet, makes the operators behind it at least $1.7 million. Symantec's research says "The malware being used, tracked as Trojan.Clipminer, has a number of similarities to another crypto-mining Trojan called KryptoCibule, suggesting it may be a copycat or evolution of that threat." Symantec determined that the malware has the ability to mine for cryptocurrency using compromised computers’ resources. They also share a way to protect against the cyber-criminal operation, as well as some indicators that you could be compromised.

The research can be found here: Clipminer Botnet Makes Operators at Least $1.7 Million

Aug 19, 2022 • 30min
Notes on the hybrid war. Criminal gang hits travel and hospitality sectors. Additions to CISA's Known Exploited Vulnerabilities Catalog. CISA issues five ICS security advisories.
Killnet claims a DDoS campaign against Estonia. The head of GCHQ calls Russian cyber operations a failure. US Cyber Command concludes its "hunt forward" mission in cooperation with Croatia. A criminal gang targets the travel and hospitality sectors. Thomas Pace of NetRise shares insights on firmware vulnerabilities. Daniel Floyd from BlackCloak on Quantifying the Business Need for Digital Executive Protection. CISA issues five ICS security advisories.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/160

Selected reading.
Estonia says it repelled major cyber attack after removing Soviet monuments (Reuters)
There’s a chance regular people didn’t even notice: expert on Russian cyber attack (TVP World)
Estonia says it repelled a major cyberattack claimed by Russian hackers. (New York Times)
The head of GCHQ says Vladimir Putin is losing the information war in Ukraine (The Economist)
Cyber Command deployed 'hunt forward' defenders to Croatia to help secure systems (The Record by Recorded Future)
U.S. Cyber Command completes defensive cyber mission in Croatia (CyberScoop)
You Can’t Audit Me: APT29 Continues Targeting Microsoft 365 (Mandiant)
Reservations Requested: TA558 Targets Hospitality and Travel (Proofpoint)
Cybercrime Group TA558 Ramps Up Email Attacks Against Hotels (Decipher)
CISA Adds Seven Known Exploited Vulnerabilities to Catalog (CISA)
Siemens Linux-based Products (Update G) (CISA)
Siemens Industrial Products LLDP (Update B) (CISA)
Siemens OpenSSL Affected Industrial Products (CISA)
Mitsubishi Electric MELSEC Q and L Series (CISA)
Mitsubishi Electric GT SoftGOT2000 (CISA)

Aug 18, 2022 • 29min
BlackByte’s back, as BlackByte 2.0. Iranian cyber ops against Israel. Wipers and cyberespionage as tools in Russia’s hybrid war. Cyber war clauses coming to cyber insurance policies.
BlackByte is back. Iran suspected of cyber operations against four Israeli sectors. A look at wipers as a tool in hybrid war. A Russian cyber ops scorecard. Josh Ray from Accenture on how dark web actors are focusing on VPNs. Our guest is Corey Nachreiner from WatchGuard with findings of their latest Internet Security Report. Cyber war clauses coming to cyber insurance policies.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/159

Selected reading.
BlackByte ransomware gang is back with new extortion tactics (BleepingComputer)
Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors (Mandiant)
Russia-Ukraine cyberwar creates new malware threats (VentureBeat)
Global Threat Landscape Report: A Semiannual Report by FortiGuard Labs (Fortinet)
Overview of the Cyber Weapons Used in the Ukraine - Russia War (Trustwave SpiderLabs)
Lloyd’s sets requirements for state-backed cyber attack exclusions (Insurance Day)

Aug 17, 2022 • 26min
Cyber incidents and lessons from Russia's hybrid war. Zimbra vulnerabilities exploited. New Lazarus Group activity reported. ICS security advisories. Insider trading charges from 2017 Equifax breach.
A DDoS attack against a Ukrainian nuclear power provider. The US Army draws some lessons from the cyber phases of Russia's hybrid war. Vulnerabilities in Zimbra are undergoing widespread exploitation. Reports of new Lazarus Group activity. CISA releases eight ICS security advisories. Carole Theriault looks at scammers and cryptocurrencies. Our guest is Jennifer Reed from Aviatrix on the changing landscape of cloud security. And the SEC charges three with insider trading during the 2017 Equifax breach.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/158

Selected reading.
Ukrainian Nuclear Operator Accuses Russians Hackers Of Attacking Its Website (RadioFreeEurope/RadioLiberty)
Ukraine nuclear power company says Russia attacked website (Al Jazeera)
Ukraine Nuclear Operator Reports Cyberattack on Its Website (The Defense Post)
How electronic warfare is reshaping the war between Russia and Ukraine (The Record by Recorded Future)
Army lesson from Ukraine war: cyber, EW capabilities not decisive on their own (FedScoop)
Learning from Ukraine, Army cyber schoolhouse focuses on electromagnetic spectrum (Breaking Defense)
Cyber and full-spectrum operations push the Great Power conflict left of boom (Breaking Defense)
Microsoft Exchange alternative Zimbra is getting widely exploited, 1000s hit (The Stack)
CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suit (CyberWire)
Threat Actors Exploiting Multiple CVEs Against Zimbra Collaboration Suite (CISA)
A signed Mac executable… (ESET)
Yokogawa CENTUM Controller FCS (CISA)
LS ELECTRIC PLC and XG5000 (CISA)
Delta Industrial Automation DRAS (CISA)
Softing Secure Integration Server (CISA)
B&R Industrial Automation Automation Studio 4 (CISA)
Emerson Proficy Machine Edition (CISA)
Sequi PortBloque S (CISA)
Siemens Industrial Products with OPC UA (CISA)
U.S. SEC charges 3 people with insider trading tied to Equifax hack (Reuters)
SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement (US Securities and Exchange Commission)