CyberWire Daily

N2K Networks
Jun 10, 2022 • 31min

The cautionary example of a hybrid war. SentinelOne finds a Chinese APT operating quietly since 2012. A hardware vulnerability in Apple M1 chips. And go, Tigers.

Looking at Russia's hybrid war as a cautionary example. Russia warns, again, that it will meet cyberattacks with appropriate retaliation. (China says "us too.") NSA and FBI warn of nation-state cyber threats. SentinelOne finds a Chinese APT that's been operating, quietly, for a decade. "Unpatchable" vulnerability in Apple chips reported. We’ve got more interviews from RSA Conference, including the FBI’s Cyber Section Chief David Ring and ExtraHop’s CEO, Patrick Dennis. And the overhead projector said, “Go Tigers.”

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/112

Selected reading.
Top Senate Democrats sound the alarm about Russian interference in the 2022 midterms (Business Insider)
Russia says West risks ‘direct military clash’ over cyberattacks (NBC News)
Russia, China, oppose US cyber support of Ukraine (Register)
#RSAC: NSA Outlines Threats from Russia, China and Ransomware (Infosecurity Magazine)
FBI official: Chinese hackers boost recon efforts (The Record by Recorded Future)
Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years (SentinelOne)
MIT researchers uncover ‘unpatchable’ flaw in Apple M1 chips (TechCrunch)
New Jersey school district forced to cancel final exams amid ransomware recovery effort (The Record by Recorded Future)
Jun 9, 2022 • 28min

Updates on the hybrid war: hacktivism and hunting forward. Election security. Trends in phishing. The return of Emotet.

Another hacked broadcast in a hybrid war. Hunting forward as an exercise in threat intelligence collection and sharing. Cyber threats to the US midterm elections. Phishing for cryptocurrency. FakeCrack delivers a malicious payload to the unwary. Vacations are back. So is travel-themed phishbait. Ann Johnson from Microsoft shares insights on the trends she’s tracking here at RSA. Johannes Ullrich brings highlights from his RSA conference panel discussion. And Emotet returns, in the company of some old familiar criminal collaborators.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/111

Selected reading.
Hacked Russian radio station broadcasts Ukrainian anthem (Washington Post)
Ukraine Successfully Defends Its Cyberspace While Russia Leans Heavily on Guns, Bombs (CNET)
Ukraine war: US cyber chief on Kyiv's advantage over Russia (Sky News)
NSA Director Confirms Cyber Command 'Hunt Forward' Approach Applies to Russia (ClearanceJobs)
Experts, NSA cyber director say ransomware could threaten campaigns in 2022 (CyberScoop)
Ransomware, botnets could plague 2022 midterms, NSA cyber director says (The Record by Recorded Future)
How Cyber Criminals Target Cryptocurrency (Proofpoint)
Crypto stealing campaign spread via fake cracked software (Avast)
Threat Actors Prepare Travel-Themed Phishing Lures for Summer Holidays (Hot for Security)
Emotet Malware Returns in 2022 (Deep Instinct)
Jun 8, 2022 • 29min

Cyber war: a continuing threat, a blurry line between combatants and noncombatants. Chinese cyberespionage and its “plumbing.” CISA adds Known Exploited Vulnerabilities. News from Jersey.

US officials continue to rate the threat of Russian cyberattack as high. Civilians in cyber war. Broadcast interference and propaganda. A Joint CISA/FBI warning of Chinese cyberespionage. What gets a vulnerability into the Known Exploited Vulnerabilities Catalog? Andrea Little Limbago from Interos and Mike Sentonas from Crowdstrike join us with previews of their RSA conference presentations. And, finally, some Jersey-based cyber campaigns (that’s the Bailiwick, not the Garden State).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/110

Selected reading.
Russian Cyber Threat Remains High, U.S. Officials Say (Wall Street Journal)
Shields Up: The New Normal (CyberScoop)
Russian Government, Cybercriminal Cooperation a 'Force Multiplier' (Decipher)
Opinion: The U.S.-Russia conflict is heating up — in cyberspace (Washington Post)
Smartphones Blur the Line Between Civilian and Combatant (Wired)
Russian Cyberattack Hits Wales-Ukraine Football Broadcast (Gov Info Security)
People’s Republic of China State-Sponsored Cyber Actors Exploit Network Providers and Devices (CISA)
US agencies detail the digital ‘plumbing’ used by Chinese state-sponsored hackers (The Record by Recorded Future)
CISA Provides Criteria and Process for Updates to the KEV Catalog (CISA)
Reducing the Significant Risk of Known Exploited Vulnerabilities (CISA)
Jersey computers used in international cyber-attacks (Jersey Evening Post)
Jun 8, 2022 • 4min

CISA Alert AA22-158A – People’s Republic of China state-sponsored cyber actors exploit network providers and devices. [CISA Cybersecurity Alerts]

This joint Cybersecurity Advisory describes the ways in which People’s Republic of China state-sponsored cyber actors continue to exploit publicly known vulnerabilities in order to establish a broad network of compromised global infrastructure. These actors use the network to exploit a wide variety of targets worldwide, including public and private sector organizations.

AA22-158A Alert, Technical Details, and Mitigations

Refer to China Cyber Threat and Advisories, Internet Crime Complaint Center, and NSA Cybersecurity Guidance for previous reporting on People’s Republic of China state-sponsored malicious cyber activity.

US government and critical infrastructure organizations should consider signing up for CISA’s cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.

US Defense Industrial Base organizations should consider signing up for the NSA Cybersecurity Collaboration Center’s DIB Cybersecurity Service Offerings, including Protective Domain Name System (PDNS) services, vulnerability scanning, and threat intelligence collaboration. For more information on eligibility criteria and how to enroll in these services, email dib_defense@cyber.nsa.gov.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Jun 7, 2022 • 26min

Updates on the cyber phases of Russia's hybrid war, including the role of DDoS and cyber offensive operations. Ransomware, bad and sometimes bogus

DDoS as a weapon in a hybrid war. Resilience in the defense of critical infrastructure. Offensive cyber operations against Russia. LockBit claims to have hit Mandiant, but their claim looks baseless. Rick Howard joins us with thoughts on trends he’s tracking at the RSA conference. Our guest is Dr. Diane Janosek from NSA with insights on personal resilience. Effects of ransomware on businesses.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/109

Selected reading.
Ukraine at D+102: Ukraine's SSSCIP on cyber war. (The CyberWire)
Major DDoS attacks increasing after invasion of Ukraine (SearchSecurity)
The Russia–Ukraine War: Ukraine’s resistance in the face of hybrid warfare (Observer Research Foundation)
Ukraine Symposium - U.S. Offensive Cyber Operations in Support of Ukraine (Lieber Institute: Articles of War)
Russia ready to cooperate with all states in cyber domain (UNI India)
LockBit 2.0 gang claims Mandiant as latest victim; Mandiant sees no evidence of it (CyberScoop)
Mandiant: “No evidence” we were hacked by LockBit ransomware (BleepingComputer)
Cybereason Ransomware True Cost to Business Study Reveals Organizations Pay Multiple Ransom Demands (Cybereason)
Average Ransom Payment Up 71% This Year, Approaches $1 Million (Palo Alto Networks Blog)
Jun 6, 2022 • 27min

Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches Confluence. CISA advisory on voting system. "State-aligned" campaign tried to exploit Follina. "Cyber Spetsnaz."

Ukraine offers an update on the cyber phases of Russia's hybrid war. Atlassian patches a Confluence critical vulnerability. CISA releases ICS advisory on voting systems. A "State-aligned" phishing campaign tried to exploit Follina. Is electronic warfare a blunt instrument in the ether? Verizon’s Chris Novak stops by with thoughts on making the most of your trip to the RSA conference. Our guest is Tom Garrison from Intel with a look at hardware security. And a Russia-aligned group says they’re not just hacktivists; they’re "Cyber Spetsnaz."

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/108

Selected reading.
Remarks by Victor Zhorov, deputy head of SSSCIP. (SSSCIP)
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (Sky News)
Russian ministry website appears hacked; RIA reports users data protected (Reuters)
Confluence Security Advisory 2022-06-02 (Atlassian)
Atlassian Releases New Versions of Confluence Server and Data Center to Address CVE-2022-26134 (CISA)
Patch released for exploited Atlassian zero-day vulnerability (The Record by Recorded Future)
CISA Releases Security Advisory on Dominion Voting Systems Democracy Suite ImageCast X (CISA)
State-Backed Hackers Exploit Microsoft 'Follina' Bug to Target Entities in Europe and U.S (The Hacker News)
Deadly secret: Electronic warfare shapes Russia-Ukraine war (AP NEWS)
Exclusive: Pro-Russia group ‘Cyber Spetsnaz’ is attacking government agencies (Security Affairs)
Jun 5, 2022 • 8min

Laura Hoffner: Setting your sights high. [Intelligence] [Career Notes]

Executive Vice President at Concentric, Laura Hoffner shares her story about working as a Naval Intelligence Officer and supporting special operations around the globe for 12 years, to now, where she transitioned to the Naval Reserves and joined the Concentric team. Laura knew since she was in the seventh grade she wanted to work with SEALs and work in intelligence. She set her goals high and achieved them shortly after graduating college. She credits being a Naval Intelligence Officer with helping her get to where she is today and says how much she is enjoying working with Concentric, saying she's "ultimately just incredibly benefiting from unbelievable mentors at the company itself." We thank Laura for sharing her story.
Jun 5, 2022 • 33min

Defining the intruder’s dilemma. [CyberWire-X]

For this CyberWire-X episode, we are talking about the failure of perimeter defense as an architecture where, since the 1990s when it was invented, the plan was to keep everything out. That model never really worked that well since we had to poke holes in the perimeter to allow employees, contractors, and partners to do legitimate business with us. Those same holes could be exploited by the bad guys, too. The question is, what are we doing instead? What is the security architecture, the strategy, and the tactics that we are all using today that is more secure than perimeter defense? In the first part of the show, Rick Howard, the CyberWire’s CSO, Chief Analyst, and Senior Fellow, talks with Jerry Archer, the Sallie Mae CSO and CyberWire Hash Table member, and, in the second half of the show, the CyberWire's podcast host Dave Bittner talks with Mike Ernst, episode sponsor ExtraHop’s Vice President of Sales Engineering, to discuss Software Defined Perimeter and intrusion kill chain prevention strategy.
Jun 4, 2022 • 15min

LemonDucks evading detection. [Research Saturday]

Scott Fanning from CrowdStrike's research team joins Dave to discuss their work on "LemonDuck Targets Docker for Cryptomining Operations." LemonDuck is a well-known cryptomining botnet, and research suggests attackers are attracted to the monetary gain from the recent boom in cryptocurrency.

LemonDuck was caught trying to disguise its attack against Docker by running an anonymous mining operation through the use of proxy pools. Scott shares how it’s unknown which organizations have been targeted and just how much cryptocurrency has been stolen.

The research can be found here:
LemonDuck Targets Docker for Cryptomining Operations
Jun 3, 2022 • 26min

Managing messaging in a hybrid war. Anti-Tehran hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A threat to firmware. CISA warns of Confluence exploits.

Moscow wants attention to be paid to its messengers. Western support for Ukraine in cyberspace. US remains on alert for Russian cyberattacks. Iran: anti-government hacktivism and Tehran-sponsored cyber ops. Rebranding as sanctions evasion. A gangland threat to firmware. Johannes Ullrich from SANS on security of browsers caching passwords. Dave Bittner sits down with Perry Carpenter to discuss his new book, "The Security Culture Playbook: An Executive Guide To Reducing Risk and Developing Your Human Defense Layer," co-authored with Kai Roer. And CISA adds an Atlassian issue to its Known Exploited Vulnerabilities Catalog.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/107

Selected reading.
Russia summons heads of U.S. media outlets, warns of 'stringent measures' (Reuters)
US confirms military hackers have conducted cyber operations in support of Ukraine (CNN)
Advancing security across Central and Eastern Europe (Google)
US Justice Department Braces for More Russian Cyberattacks (VOA)
Russia, backed by ransomware gangs, actively targeting US, FBI director says (Cybersecurity Dive)
Exiled Iran Group Claims Tehran Hacking Attack (SecurityWeek)
Exposing POLONIUM activity and infrastructure targeting Israeli organizations (Microsoft Security)
To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions (Mandiant)
Russia-Linked Ransomware Groups Are Changing Tactics to Dodge Crackdowns (Wall Street Journal)
Conti Targets Critical Firmware (Eclypsium)
Atlassian: Unpatched critical Confluence flaw under attack (Register)
CISA Adds One Known Exploited Vulnerability (CVE-2022-26134) to Catalog (CISA)
