

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Jun 28, 2022 • 28min
DDoS threat to Lithuania continues. Hacktivists hit Iranian steel mill. Bumblebee loader takes C2C market share. CISA adds Known Exploited Vulnerabilities. Music piracy. Where do spies go?
Distributed denial-of-service attacks against Lithuania. Dark Crystal RAT described. Iranian steel mill suspends production due to cyberattack. Bumblebee rising. CISA adds to its Known Exploited Vulnerabilities Catalog. Music pirate sites brought down by US and Brazilian authorities. Joe Carrigan looks at Apple’s private access tokens. Mister Security Answer Person John Pescatore drops some SBOMs. And where do Russian intelligence officers go after they’ve been PNGed?
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/123
Selected reading.
Lithuania targeted by massive Russian cyberattack over transit blockade (Newsweek)
Russia's Killnet hacker group says it attacked Lithuania (Reuters)
Killnet, Kaliningrad, and Lithuania’s Transport Standoff With Russia (Flashpoint)
Ukraine Targeted by Dark Crystal RAT (DCRat) | FortiGuard Labs (Fortinet Blog)
Cyberattack Forces Iran Steel Company to Halt Production (SecurityWeek)
Iran’s steel industry halted by cyberattack (Jerusalem Post)
Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem (Broadcom Software Blogs)
CISA Adds Eight Known Exploited Vulnerabilities to Catalog (CISA)
US, Brazil seize 272 websites used to illegally download music (BleepingComputer)
Swiss intel service: Watch out for redeployed Russian spies (AP News)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Jun 27, 2022 • 24min
Notes from the cyber phases of the hybrid war against Ukraine. Conti retires its brand, and LockBit 2.0 is now tops in ransomware. Extortion skips the encryption. Cyber exercise in the financial sector.
Lithuania sustains a major DDoS attack. Lessons from NotPetya. Conti's brand appears to have gone into hiding. Online extortion now tends to skip the ransomware proper. Josh Ray from Accenture on how social engineering is evolving for underground threat actors. Rick Howard looks at Chaos Engineering. US financial institutions conduct a coordinated cybersecurity exercise.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/122
Selected reading.
Russia's Killnet hacker group says it attacked Lithuania (Reuters)
The hacker group KillNet has published an ultimatum to the Lithuanian authorities (TDPel Media)
5 years after NotPetya: Lessons learned (CSO Online)
The cyber security impact of Operation Russia by Anonymous (ComputerWeekly)
Conti ransomware finally shuts down data leak, negotiation sites (BleepingComputer)
The Conti Enterprise: ransomware gang that published data belonging to 850 companies (Group-IB)
Fake copyright infringement emails install LockBit ransomware (BleepingComputer)
NCC Group Monthly Threat Pulse – May 2022 (NCC Group)
We're now truly in the era of ransomware as pure extortion without the encryption (Register)
Wall Street Banks Quietly Test Cyber Defenses at Treasury’s Direction (Bloomberg)

Jun 26, 2022 • 8min
Richard Melick: Finding the right pattern to solve the problem. [Threat reporting] [Career Notes]
Richard Melick, Director of Threat Reporting for Zimperium, talks about his journey, from working in the military to moving up to the big screens. He shares that he's been in the business of solving unique cybersecurity problems for so long that he has found his own path that works very well for him. He says, "if I go to a unique problem and try to solve it, I find that I'm solving it the same way that I would've solved it five years ago, because I found my pattern." Richard reflects on his time working in the industry, from moving away from the military and into different roles over the years. He notes that giving credit where credit is due, to those who deserve it, is how you keep the audience engaged as a storyteller. We thank Richard for sharing his story.

Jun 25, 2022 • 21min
Lazarus Targets Chemical Sector With 'Dream Job.' [Research Saturday]
Alan Neville, a Threat Intelligence Analyst from Symantec Broadcom, joins Dave to discuss their research "Lazarus Targets Chemical Sector." Symantec has observed the North Korea-linked threat group known as Lazarus conducting an espionage campaign targeting organizations operating within the chemical sector.
The campaign appears to be a continuation of the group's activity called Operation Dream Job, which Symantec first came across in August of 2020. The research states "evidence includes file hashes, file names, and tools that were observed in previous Dream Job campaigns."
The research can be found here:
Lazarus Targets Chemical Sector

Jun 24, 2022 • 28min
Lithuania warns of DDoS. Some limited Russian success in cyber phases of its hybrid war. Spyware infestations in Italy and Kazakhstan. Tabletop exercises. Ransomware as misdirection.
Lithuania's NKSC warns of increased DDoS threat. Limited Russian success in the cyber phases of its hybrid war. Another warning of spyware in use against targets in Italy and Kazakhstan. Hey, critical infrastructure operators: CISA’s got tabletop exercises for you. Kevin Magee from Microsoft has advice for recent grads. A look back at the year since Colonial Pipeline with Padraic O'Reilly of CyberSaint. And sometimes ransomware is just a spy’s way of saying, “nothing up my sleeve…”
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/121
Selected reading.
Lithuania warns of rise in DDoS attacks against government sites (BleepingComputer)
Defending Ukraine: Early Lessons from the Cyber War (Microsoft)
Why think tanks are such juicy targets for cyberspies (The Record by Recorded Future)
The war in Ukraine is showing the limits of cyberattacks (Tech Monitor)
Spyware vendor targets users in Italy and Kazakhstan (Google Threat Analysis Group)
BRONZE STARLIGHT Ransomware Operations Use HUI Loader (SecureWorks)
CISA Tabletop Exercises Packages (CTEP) (CISA)
CISA Tabletop Exercise Package (CTEP) Workshop (Government Technology)

Jun 24, 2022 • 3min
CISA Alert AA22-174A – Malicious cyber actors continue to exploit Log4Shell in VMware Horizon systems. [CISA Cybersecurity Alerts]
CISA and the US Coast Guard Cyber Command are releasing this joint Cybersecurity Advisory to warn network defenders that cyber threat actors, including state-sponsored APT actors, have continued to exploit CVE-2021-44228 (Log4Shell) in VMware Horizon and Unified Access Gateway servers to obtain initial access to organizations that did not apply available patches or workarounds.
AA22-174A Alert, Technical Details, and Mitigations
Malware Analysis Report 10382254-1 stix
Malware Analysis Report 10382580-1 stix
CISA’s Apache Log4j Vulnerability Guidance webpage
Joint CSA Mitigating Log4Shell and Other Log4j-Related Vulnerabilities
CISA’s database of known vulnerable services on the CISA GitHub page
See National Security Agency (NSA) and Australian Signals Directorate (ASD) guidance Block and Defend Web Shell Malware for additional guidance on hardening internet-facing systems.
All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

Jun 23, 2022 • 28min
Reviewing Russian cyber campaigns in the war against Ukraine. Ukraine's IT Army is a complex phenomenon. Take ICEFALL seriously. CISA has updated its cloud security guidance.
Reviewing Russian cyber campaigns in the war against Ukraine, and the complexity of Ukraine's IT Army. ICEFALL advice and reactions. Carole Theriault looks at Hollywood’s relationship with VPNs. Podcast partner Robert M. Lee from Dragos provides a rundown on Pipedream. And CISA updates its Cloud Security Technical Reference Architecture.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/120
Selected reading.
[Blog] Defending Ukraine: Early Lessons from the Cyber War (Microsoft On the Issues)
[Report] Defending Ukraine: Early Lessons from the Cyber War (Microsoft)
Russian cyber spies attack Ukraine's allies, Microsoft says (Reuters)
Research questions potentially dangerous implications of Ukraine's IT Army (CyberScoop)
The IT Army of Ukraine Structure, Tasking, and Ecosystem (Center for Security Studies)
CISA Releases Security Advisories Related to OT:ICEFALL (Insecure by Design) Report (CISA)
Industry Reactions to 'OT:Icefall' Vulnerabilities Found in ICS Products (SecurityWeek)
Cloud Security Technical Reference Architecture (CISA)

Jun 22, 2022 • 29min
A Fancy Bear sighting. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT discovered. ICEFALL ICS issues described. Europol collars 9. Say it ain’t so, Dmitry.
Fancy Bear sighted in Ukrainian in-boxes. Why Russian cyberattacks against Ukraine have fallen short of expectations. ToddyCat APT is active in European and Asian networks. ICEFALL ICS vulnerabilities described. CISA issues ICS vulnerability advisories. Europol makes nine collars. Andrea Little Limbago from Interos on the global state of data protection and sharing. Rick Howard speaks with Michelangelo Sidagni from NopSec on the Future of Vulnerability Management. We are shocked, shocked, to hear of corruption in the FSB.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/119
Selected reading.
Ukrainian cybersecurity officials disclose two new hacking campaigns (CyberScoop)
Ukraine Warns of New Malware Campaign Tied to Russian Hackers (Bloomberg Law)
Russian govt hackers hit Ukraine with Cobalt Strike, CredoMap malware (BleepingComputer)
Opinion: How Russia’s vaunted cyber capabilities were frustrated in Ukraine (Washington Post)
New Toddycat APT Targets MS Exchange Servers in Europe and Asia (Infosecurity Magazine)
Microsoft Exchange servers hacked by new ToddyCat APT gang (BleepingComputer)
OT:ICEFALL: 56 Vulnerabilities Caused by Insecure-by-Design Practices in OT (Forescout)
From Basecamp to Icefall: Secure by Design OT Makes Little Headway (SecurityWeek)
Dozens of vulnerabilities threaten major OT device makers (Cybersecurity Dive)
CISA releases 6 Industrial Control Systems Advisories (Cybersecurity and Infrastructure Security Agency)
Phishing gang behind several million euros worth of losses busted in Belgium and the Netherlands (Europol)
Lieutenant colonel of the FSB Directorate for Samara Region arrested for stealing cryptocurrency from a hacker (TASS)

Jun 21, 2022 • 29min
Cyberattack suspected in Israeli false alarms. Risk surface assessments. Fitness app geolocation as a security risk. Cyber phases of Russia’s hybrid war. A conviction in the Capital One hacking case.
A cyberattack is suspected of causing false alarms in Israel. Risk surface assessments. Renewed warning of the potential security risks of fitness apps. Cyber options may grow more attractive to Russia as kinetic operations stall. DDoS in St. Petersburg. Ben Yelin details a Senate bill restricting the sale of location data. Our guest is Jon Check from Raytheon's Intelligence and Space Division discussing the National Collegiate Cyber Defense Competition. A conviction in the Capital One hacking case.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/118
Selected reading.
Suspected cyberattack triggers sirens in Jerusalem, Eilat (Israel Hayom)
Suspected Iranian Cyberattack on Israel Triggers Sirens (Haaretz)
Iranian cyberattack may be behind false rocket warning sirens in Jerusalem (Jerusalem Post)
Israel suspects Iranian cyber-attack behind false siren alerts (Middle East Monitor)
Strava fitness app used to spy on Israeli military officials (Computing)
Treasury's Adeyemo sees elevated cyber threats in wake of Russia's war in Ukraine (Reuters)
More cyber warfare with Russia lies on the horizon (Interesting Engineering)
Prolonged war may make Russia more cyber aggressive, US official says (C4ISRNet)
What the Russia-Ukraine war means for the future of cyber warfare (The Hill)
Complex Russian cyber threat requires we go back to basics (ComputerWeekly.com)
Vladimir Putin speech delayed 'because of cyber-attack' as he hits out at 'economic blitzkrieg' against Russia (Scotsman)
UPDATE 1-Putin's St Petersburg speech postponed by an hour after cyberattack (Yahoo)
Think of the Russia-Ukraine conflict as a microcosm of the cyber war (SC Magazine)
The link between cyberattacks and war: Gartner (CRN Australia)
Ex-Amazon Worker Convicted in Capital One Hacking (New York Times)
Jury Convicts Seattle Woman in Massive Capital One Hack (SecurityWeek)
Former Seattle tech worker convicted of wire fraud and computer intrusions (US Attorney’s Office, Western District of Washington)

Jun 20, 2022 • 16min
Interview select: David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement.
As we break to observe the Juneteenth holiday, our team thought you might like to try a sample of a CyberWire Pro podcast called Interview Selects. These podcasts are a series of extended interviews, exclusives, and a curated selection of our most engaging and informative interviews over the years, featuring cyber security professionals, journalists, authors and industry insiders. In this extended interview, Dave Bittner speaks with FBI Cyber Section Chief David Ring at RSAC discussing FBI cyber strategy/role in the cyber ecosystem and private sector engagement. Like what you hear? Consider subscribing to CyberWire Pro for $99/year. Learn more.


