CyberWire Daily

N2K Networks
Aug 17, 2022 • 3min

CISA Alert AA22-228A – Threat actors exploiting multiple CVEs against Zimbra Collaboration suite. [CISA Cybersecurity Alerts]

CISA and the Multi-State Information Sharing & Analysis Center, or MS-ISAC, are publishing this joint Cybersecurity Advisory in response to active exploitation of multiple Common Vulnerabilities and Exposures against Zimbra Collaboration Suite, an enterprise cloud-hosted collaboration software and email platform.

AA22-228A Alert, Technical Details, and Mitigations
Volexity’s Mass Exploitation of (Un)authenticated Zimbra RCE: CVE-2022-27925
Hackers are actively exploiting password-stealing flaw in Zimbra
CISA adds Zimbra email vulnerability to its exploited vulnerabilities catal…
CVE-2022-27925 detail
Mass exploitation of (un)authenticated Zimbra RCE: CVE-2022-27925
CVE-2022-37042 detail
Authentication bypass in MailboxImportServlet vulnerability
CVE-2022-30333 detail
UnRAR vulnerability exploited in the wild, likely against Zimbra servers
Zimbra Collaboration Kepler 9.0.0 patch 25 GA release
Zimbra UnRAR path traversal
Operation EmailThief: Active exploitation of zero-day XSS vulnerability in…
Hotfix available 5 Feb for zero-day exploit vulnerability in Zimbra 8.8.15

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Aug 16, 2022 • 26min

Russian cyberespionage and influence op disrupted. RedAlpha versus Chinese minorities and (of course) Taiwan. Evil PLC proof-of-concept. Cl0p takes a poke at a water utility.

Microsoft identifies and disrupts Russian cyberespionage activity. An update on RedAlpha. An evil PLC proof-of-concept shows how programmable logic controllers could be "weaponized." Ben Yelin has an update on right to repair. Our guest is Arthur Lozinski of Oomnitza with a look at attack surface management maturity. And the Cl0p gang hits an English water utility (but tries to extort the wrong one–stuff happens, y’know?).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/157

Selected reading.
Disrupting SEABORGIUM’s ongoing phishing operations (Microsoft Security)
Microsoft disrupts Russian-linked hackers targeting NATO countries (Breaking Defense)
Microsoft Announces Disruption of Russian Espionage APT (SecurityWeek)
Microsoft disrupts Russia-linked hacking group targeting defense and intelligence orgs (The Record by Recorded Future)
Microsoft shuts down accounts linked to Russian spies (Register)
RedAlpha Conducts Multi-Year Credential Theft Campaign Targeting Global Humanitarian, Think Tank, and Government Organizations (Recorded Future)
Hackers linked to China have been targeting human rights groups for years (MIT Technology Review)
Evil PLC Attack: Using a Controller as Predator Rather than Prey (Claroty)
Hackers attack UK water supplier but extort wrong victim (BleepingComputer)
South Staffordshire Water victim of cyber attack, customers not at risk (Computing)
South Staffordshire Water says it was target of cyber attack as criminals bungle extortion attempt (Sky News)
Aug 15, 2022 • 25min

Shuckworm and Killnet continue to hack in the interest of Russia. Iron Tiger's supply chain campaign. TikTok and national security. And an arrest in the case of the Tornado Cash crypto mixer.

Shuckworm maintains its focus on Ukrainian targets. Killnet's DDoS and dubious proof-of-work. Iron Tiger's supply chain campaign. TikTok and national security. Dinah Davis from Arctic Wolf shares insights on Dark Utilities. Rick Howard digs into identity management. And an arrest in the case of the Tornado Cash crypto mixer.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/156

Selected reading.
Shuckworm: Russia-Linked Group Maintains Ukraine Focus (Symantec)
Killnet Releases 'Proof' of its Attack Against Lockheed Martin (SecurityWeek)
Killnet attacks the Latvian parliament [Killnet greift lettisches Parlament an] (Tagesspiegel)
Iron Tiger Compromises Chat Application Mimi, Targets Windows, Mac, and Linux Users (Trend Micro)
How Frustration Over TikTok Has Mounted in Washington (New York Times)
3 ways China's access to TikTok data is a security risk (CSO Online)
Arrest of suspected developer of Tornado Cash (FIOD)
Tornado Cash Developer Arrested After U.S. Sanctions the Cryptocurrency Mixer (The Hacker News)
Arrested Tornado Cash developer is Alexey Pertsev, his wife confirms (The Block)
Aug 14, 2022 • 8min

Christian Lees: it's not always textbook. [CTO] [Career Notes]

Christian Lees, CTO at Resecurity, shares his story and insight on coming into the cybersecurity world. He considers himself a late bloomer because he did not go to college until he was 23. He wasn’t sure of what he wanted to do, and a family friend gave him a computer and the rest was history, he says. He fell in love with computers and started working at different companies trying to get ahead. He says it's not always textbook, and sometimes you just need to cut your teeth on something to get where you're going. Throughout his journey, he was constantly questioning whether he made the right decision, and in the end he says you have to be willing to "define friction points in it, you may join security field, not knowing what you're gonna do, but by being that curious person and breaking things and putting it back together, you'll find the right way and just never stop being curious." We thank Christian for sharing his story.
Aug 14, 2022 • 25min

Red teamer's perspective on demotivating attackers. [CyberWire-X]

Cybercriminals are motivated by one simple incentive: money. Their favorite tools are bots, which give them sophistication, scalability, and ease of use. The effect is the creation of an underground bot ecosystem. This community allows threat actors to work together and continually improve their tactics, and its members sell bypasses for rule-based anti-bot solutions to other, less technical fraudsters.

In this episode of CyberWire-X, the CyberWire's CSO, Chief Analyst, and Senior Fellow, Rick Howard, is joined in the first half by Hash Table member Etay Maor, Cato Networks’ Senior Director of Security Strategy. They discuss this reality, which has put defenders at a serious disadvantage, and the mitigation steps to consider for future attacks. In the second half of the show, CyberWire podcast host Dave Bittner talks with our episode sponsor Kasada's founder Sam Crowther about what he saw first-hand as a red teamer at a major Australian bank and what inspired him to reimagine bot mitigation with the founding principle of undermining the attacker’s ROI.
Aug 13, 2022 • 18min

Fake job ads and how to spot them. [Research Saturday]

Ashley Taylor from SANS.edu joins Dave to discuss fake job ads and methods to proactively detect these scams. The research shows how job seekers are under attack, with scammers posing as job recruiters to steal information from people who are interested in the job posting. The brands being impersonated are at risk of losing credibility and their brand identity.

The research explains exactly how these doppelgängers pose a threat to job seekers and the best practices for detecting these scams. It also describes how one company in the medical device manufacturing industry has been a target of these scams. It concludes with some of the ways to proactively spot these scams before they happen.

The research can be found here:
Doppelgängers: Finding Job Scammers Who Steal Brand Identities
Aug 12, 2022 • 27min

The optempo of a hybrid war's cyber phase. Hacktivists as cyber partisans. Zeppelin ransomware alert. DoNot Team update. Rewards for Justice offers $10 million for info on Russian bad actors.

The optempo of the war's cyber phase, and Ukraine’s response. Organizing and equipping hacktivists. Joint warning on Zeppelin ransomware. Update on the DoNot Team, APT-C-35. Rewards for Justice offers $10 million for information on Conti operators. Rob Boyce from Accenture shares insights from BlackHat. Caleb Barlow ponders closing the skills gap while shifting to remote work. And, hey, Mr. Target: pick one, OK?

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/155

Selected reading.
Black Hat 2022‑ Cyberdefense in a global threats era (WeLiveSecurity)
How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future)
#StopRansomware: Zeppelin Ransomware (CISA)
APT-C-35: New Windows Framework Revealed (Morphisec)
The US Offers a $10M Bounty for Intel on Conti Ransomware Gang (Wired)
Aug 11, 2022 • 3min

CISA Alert AA22-223A – #StopRansomware: Zeppelin Ransomware. [CISA Cybersecurity Alerts]

Zeppelin ransomware functions as a ransomware-as-a-service (RaaS), and since 2019, actors have used this malware to target a wide range of businesses and critical infrastructure organizations. Actors use remote desktop protocol (RDP), SonicWall firewall vulnerabilities, and phishing campaigns to gain initial access to victim networks and then deploy Zeppelin ransomware to encrypt victims’ files.

AA22-223A Alert, Technical Details, and Mitigations
Zeppelin malware YARA signature
What is Zeppelin Ransomware? Steps to Prepare, Respond, and Prevent Infection
Stopransomware.gov is a whole-of-government approach that gives one central location for ransomware resources and alerts.
No-cost cyber hygiene services: Cyber Hygiene Services and Ransomware Readiness Assessment.

This joint Cybersecurity Advisory is part of an ongoing #StopRansomware effort to publish advisories for network defenders that detail various ransomware variants and ransomware threat actors. These #StopRansomware advisories include recently and historically observed TTPs and IOCs to help organizations protect against ransomware. Visit stopransomware.gov to see all #StopRansomware advisories and to learn more about other ransomware threats and no-cost resources.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Aug 11, 2022 • 27min

Dispatches from a hybrid war. CISA releases its election cybersecurity toolkit. Post-incident disruption at NHS is expected to last at least three weeks. Cisco discloses a security incident.

KillMilk says his crew downed Lockheed Martin's website. Industroyer2, and what became of it. CISA releases its election cybersecurity toolkit. Post-incident disruption at Britain’s NHS. Carl Wright of AttackIQ shares strategies for CISOs to successfully prepare for the next attack. Dr. Christopher Pierson from Blackcloak joins us from Black Hat. And Cisco seems to have thwarted a security incident.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/154

Selected reading.
Russian hacking group claims attack on Lockheed Martin (SiliconANGLE)
HIMARS-Maker Lockheed Martin "confident" against Russian hackers (Newsweek)
Industroyer2: How Ukraine avoided another blackout attack (SearchSecurity)
Researchers Look Inside Russian Malware Targeting Ukrainian Power Grid (PCMAG)
CISA Releases Toolkit of Free Cybersecurity Resources for Election Community (CISA)
Cybersecurity Toolkit to Protect Elections (CISA)
NHS staff told to plan for three weeks of disruption following cyberattack (Computing)
Major NHS IT outage to last for three weeks (The Independent)
Exclusive: NHS chiefs fear cyber attackers have accessed patient data (Health Service Journal)
Cisco Event Response: Corporate Network Security Incident (Cisco)
Cisco Talos shares insights related to recent cyber attack on Cisco (Cisco Talos)
Cisco confirms May attack by Yanluowang ransomware group (The Record by Recorded Future)
Cisco Hit by Cyberattack From Hacker Linked to Lapsus$ Gang (Bloomberg)
Cisco's own network compromised by gang with Lapsus$ links (Register)
Cisco hacked by Yanluowang ransomware gang, 2.8GB allegedly stolen (BleepingComputer)
Aug 10, 2022 • 33min

Patches, and some incentive to apply them. Hacktivism, privateering, and patriotic banditry in Russia’s hybrid war.

Patch notes, and the risks associated with failure to patch. Finland's parliament comes under cyberattack. Killnet says there will be blood, but they may just be grandstanding for the home crowd. Cyberattacks against a UK firm that's criticized Russia's war. We’re joined by FBI Cyber Division AD Bryan Vorndran and Adam Hickey, deputy assistant attorney general for the National Security Division, with an introduction to Watchguard. Our guest is Matthew Warner from Blumira with tips on avoiding burnout. And not all criminal organizations are working for Russia.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/153

Selected reading.
Already Exploited Zero-Day Headlines Microsoft Patch Tuesday (SecurityWeek)
Microsoft August 2022 Patch Tuesday fixes exploited zero-day, 121 flaws (BleepingComputer)
IBM Patches High-Severity Vulnerabilities in Cloud, Voice, Security Products (SecurityWeek)
Adobe Patch Tuesday: Code Execution Flaws in Acrobat, Reader (SecurityWeek)
ICS Patch Tuesday: Siemens, Schneider Electric Fix Only 11 Vulnerabilities (SecurityWeek)
VMSA-2022-0022 (VMware)
Emerson OpenBSI (CISA)
Emerson ControlWave (CISA)
Mitsubishi Electric GT SoftGOT2000 (CISA)
Multiple attackers increase pressure on victims, complicate incident response (Sophos News)
Life After Death—SmokeLoader Continues to Haunt Using Old Vulnerabilities (Fortinet Blog)
NBI launches probe into attack on Finnish Parliament site (Yle)
Russian hacker warns cyberwarfare will turn deadly (Newsweek)
Suspected Russian cyber attack on British soil as firm subjected to ‘daily’ hacks (The Telegraph)
Meet DUMPS Forum: A pro-Ukraine, anti-Russia cybercriminal forum (Digital Shadows)