CyberWire Daily

N2K Networks
Jun 2, 2022 • 23min

Cyber operations in the hybrid war. Karakurt extortion group warning. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Leak brokers and booters shut down.

Russian government agencies are buying VPNs. CISA and its partners warn about the Karakurt extortion group. Clipminer is out in the wild. GootLoader expands its payloads and targeting. Carole Theriault has the latest on fraudsters imitating law enforcement. Kevin Magee from Microsoft on security incentives by way of insurance. And leak brokers and booters shut down.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/106

Selected reading.
White House: cyber activity not against Russia policy (Reuters)
Some see cyberwar in Ukraine. Others see just thwarted attacks. (Washington Post)
ESET Threat Report details targeted attacks connected to the Russian invasion of Ukraine and how the war changed the threat landscape (ESET)
Ukraine - 100 days of war in cyberspace (CyberPeace Institute)
Russian VPN Spending (Top 10 VPN)
Karakurt Data Extortion Group (CISA)
US Agencies: Karakurt extortion group demanding up to $13 million in attacks (The Record by Recorded Future)
Clipminer Botnet Makes Operators at Least $1.7 Million (Symantec Enterprise Blog)
GootLoader Expands its Payloads Infecting a Law Firm with IcedID (eSentire)
WeLeakInfo.to and Related Domain Names Seized (US Department of Justice)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Jun 1, 2022 • 3min

CISA Alert AA22-152A – Karakurt data extortion group. [CISA Cybersecurity Alerts]

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Department of the Treasury (Treasury), and the Financial Crimes Enforcement Network (FinCEN) are releasing this joint Cybersecurity Advisory to provide information about the Karakurt data extortion group, also known as the Karakurt Team and Karakurt Lair. Karakurt actors have employed a variety of TTPs, creating significant challenges for defense and mitigation. Karakurt victims have not reported encryption of compromised machines or files; rather, Karakurt actors claim to steal data and threaten to auction it or release it to the public unless they receive payment.

AA22-152A Alert, Technical Details, and Mitigations
CISA-Multi-State Information Sharing and Analysis Center (MS-ISAC) Joint Ransomware Guide
Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
Stopransomware.gov
CISA's Ransomware Readiness Assessment
CISA's cyber hygiene services
FinCEN Advisory to Financial Institutions on Cyber-Events and Cyber-Enabled Crime
FinCEN Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
Jun 1, 2022 • 24min

Costa Rica hit with another round of ransomware. Cyber phases of Russia’s hybrid war against Ukraine. CISOs and 3rd-party risk. Elasticsearch databases as extortion targets. And Razzlekhan!

Costa Rica's healthcare system comes under renewed ransomware attack. Cyber phases of the hybrid war. Charity fraud exploits sympathy for Ukraine. US FBI attributes last year's attack on Boston Children's Hospital to Iran. CISOs surveyed on their challenges (and they're particularly worried about exposure to 3rd-party risk). Robert M. Lee joins us for the launch of the new Control Loop podcast. Josh Ray from Accenture looks at ransomware trends. Razzlekhan and Dutch: a cryptocurrency love song.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/105

Selected reading.
Latest cyberattack in Costa Rica targets hospital system (Reuters)
Costa Rica’s public health agency hit by Hive ransomware (BleepingComputer)
Costa Rican Social Security Fund hit with ransomware attack (The Record by Recorded Future)
Costa Rica May Be Pawn in Conti Ransomware Group’s Bid to Rebrand, Evade Sanctions (KrebsOnSecurity)
Ukraine joins its first NATO cyber defense center meeting (TheHill)
US military hackers conducting offensive operations in support of Ukraine, says head of Cyber Command (Sky News)
The FBI Warns of Scammers Soliciting Donations Related to the Crisis in Ukraine (Internet Crime Complaint Center (IC3))
FBI director blames Iran for ‘despicable’ attempted cyberattack on Boston Children’s Hospital (CNN)
Hackers ransom 1,200 exposed Elasticsearch databases (TechTarget)
The CISOs Report (Security Current)
New York couple accused of laundering $4.5 bln in crypto still in plea talks (Reuters)
May 31, 2022 • 27min

Potential cyber threats to agriculture. Cyber phases of Russia’s hybrid war. REvil prosecution at a stand (and it’s the Americans’ fault, say Russian sources). Microsoft mitigates Follina.

Sanctions, blockades, and their effects on the world economy. Western nations remain on alert for Russian cyber attacks. REvil prosecution has reached a dead end. Microsoft issues mitigations for a recent zero-day. John Pescatore’s Mr. Security Answer Person is back, looking at authentication. Joe Carrigan looks at new browser vulnerabilities. Notes from the underworld.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/104

Selected reading.
In big bid to punish Moscow, EU bans most Russia oil imports (AP NEWS)
EU, resolving a deadlock, in deal to cut most Russia oil imports (Reuters)
The E.U.’s embargo will bruise Russia’s oil industry, but for now it is doing fine. (New York Times)
Russia’s Black Sea Blockade Will Turbocharge the Global Food Crisis (Foreign Policy)
Russia’s Invasion Unleashes ‘Perfect Storm’ in Global Agriculture (Foreign Policy)
‘War in Ukraine Means Hunger in Africa’ (Foreign Policy)
Afghanistan’s Hungry Will Pay the Price for Putin’s War (Foreign Policy)
Remote bricking of Ukrainian tractors raises agriculture security concerns (CSO Online)
Major supermarkets 'uniquely vulnerable' as Russian cyber attacks rise (ABC)
Italy warns organizations to brace for incoming DDoS attacks (BleepingComputer)
Whitepaper - PIPEDREAM: CHERNOVITE's Emerging Malware Targeting Industrial Environments (Dragos)
Experts believe that Russian Gamaredon APT could fuel a new round of DDoS attacks (IT Security News)
Putin horror warning over 'own goal' attack on UK coming back to haunt Kremlin (Express.co.uk)
Putin plot: UK hospitals at risk of chilling ‘sleeper cell’ attack by Russia (Express)
Will Russia Launch a New Cyber Attack on America? (The National Interest)
Hackers wage war on Russia’s largest bank (The Telegraph)
REvil prosecutions reach a 'dead end,' Russian media reports (CyberScoop)
Microsoft Office zero-day "Follina"—it’s not a bug, it’s a feature! (It's a bug) (Malwarebytes Labs)
Microsoft Word struck by zero-day vulnerability (Register)
Clop ransomware gang is back, hits 21 victims in a single month (BleepingComputer)
Conti ransomware explained: What you need to know about this aggressive criminal group (CSO Online)
May 29, 2022 • 8min

Michael Scott: A team of humble intellects. [Information security] [Career Notes]

Chief Information Security Officer at Immuta, Michael Scott shares his story from working at a forgotten internet service provider to leading the security fight for major food chain restaurants. Michael explains how the different roles at various companies he has worked with paved his way to where he is now at Immuta. He works with a group of colleagues and he leads in a different style, describing that "It really is just a collection of a lot of, we call humble intellects" working with him. Michael attributes adversity to being a cornerstone of existence in the security community, and explains how that helps him keep up the fight. We thank Michael for sharing his story with us.
May 28, 2022 • 20min

Compromised military tech? [Research Saturday]

Dick O'Brien from Symantec's threat hunter team joins Dave to discuss their work on "Stonefly: North Korea-linked spying operation continues to hit high-value targets." Stonefly specializes in mounting highly selective targeted attacks against targets that could yield intelligence to assist strategically important sectors. Symantec found that the attackers breached an engineering firm in February 2022, most likely by exploiting the Log4j vulnerability. Their research describes who these high-value targets are, ways to prevent this malware from breaching any more companies, and indications that you could be compromised.

The research can be found here: Stonefly: North Korea-linked Spying Operation Continues to Hit High-value Targets
May 27, 2022 • 23min

Cyber ops and a side benefit of sanctions. BlackCat wants $5 million from Carinthia. Fraudster pressures Verizon. Spain responds to surveillance scandal. CISA has 5G implementation guidelines.

Pro-Russian DDoS attacks. Sanctions and their effect on ransomware. BlackCat wants $5 million from Carinthia. A fraudster pressures Verizon. Spain will tighten judicial review of intelligence services. Johannes Ullrich looks at VSTO Office Files. Our guests are Cecilia Marinier and Niloo Howe with a preview of the RSAC Innovation Sandbox. CISA releases ICS advisories and, with its partners, issues guidelines for evaluating 5G implementation.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/103

Selected reading.
Hacktivists Expanding DDoS Attacks as Part of International Cyber Warfare Strategy (Imperva)
Cyberattacks against UK CNI increase amidst Russia-Ukraine war (Intelligent CIO Europe)
A cyberwar is already happening in Ukraine, Microsoft analysts say (NPR.org)
NSA: Sanctions on Russia Having a Positive Effect on Ransomware Attacks, Attempts Down Due to Difficulty Collecting Ransom Payments (CPO Magazine)
BlackCat/ALPHV ransomware asks $5 million to unlock Austrian state (BleepingComputer)
Hacker Steals Database of Hundreds of Verizon Employees (Vice)
Drupal Releases Security Updates (CISA)
Keysight N6854A Geolocation server and N6841A RF Sensor software (CISA)
Horner Automation Cscape Csfont (CISA)
Spain vows legal reforms in wake of spying allegations (MSN)
Spain’s PM vows to reform intelligence services following phone hacking scandal (The Record by Recorded Future)
Spain set to strengthen oversight of secret services after NSO spying scandal (Times of Israel)
CISA and DoD Release 5G Security Evaluation Process Investigation Study (CISA)
May 26, 2022 • 25min

"Pantsdown" firmware vulnerability. ChromeLoader warning. Conti update. Ransomware at SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands. Kyiv honors Google. Reformed ID thief.

"Pantsdown" in QCT Baseboard Management Controllers. A warning on ChromeLoader. Conti updates. Ransomware’s effect on SpiceJet. CISA's Known Exploited Vulnerabilities Catalog expands, again. Kyiv honors Google. Josh Ray from Accenture reminds us it’s military appreciation month. Our guest is Melissa Bischoping of Tanium with lessons learned from the American Dental Association ransomware attack. And a poacher turned gamekeeper?For links to all of today's stories check out our CyberWire daily news briefing:https://thecyberwire.com/newsletters/daily-briefing/11/102Selected reading.Critical 'Pantsdown' BMC Vulnerability Affects QCT Servers Used in Data Centers (The Hacker News)ChromeLoader: a pushy malvertiser (Red Canary) Conti leaks data stolen during January attack on Oregon county (The Record by Recorded Future) Is the Conti Ransomware Gang Stronger Apart Then Together? (OODA Loop) SpiceJet: Passengers stranded as India airline hit by ransomware attack (BBC News) SpiceJet's woes continue as ransomware attack delays flights (The Loadstar) .SpiceJet's brush with ransomware is a timely reminder to protect yourself against this cyber menace (cnbctv18.comCISA Adds 34 Known Exploited Vulnerabilities to Catalog (CISA) Mykhailo Fedorov presented the first "Peace prize" to Google (Digital Gov)  Notorious Vietnamese hacker turns government cyber agent (France 24) Learn more about your ad choices. Visit megaphone.fm/adchoices
May 25, 2022 • 26min

More cyberespionage in Russia. Advice on conducting propaganda. Iranian group conducts DDoS against Port of London Authority. News from the underworld. CISA alerts. Operation Delilah.

More cyberespionage targets Russian networks. Lincoln Project veterans visit Ukraine with advice on conducting an influence campaign against President Putin. A politically motivated DDoS attack hits the Port of London Authority website. Is REvil back and looking into new criminal techniques, or is a recent DDoS campaign the work of impostors? RansomHouse may be operated by frustrated bounty hunters. Kevin Magee from Microsoft sets his security sights toward space. Our guest is Mathieu Gorge of VigiTrust to discuss the threat of printer hacks. Operation Delilah trims SilverTerrier’s locks.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/101

Selected reading.
Unknown APT group has targeted Russia repeatedly since Ukraine invasion (Malwarebytes Labs)
Hackers target Russian govt with fake Windows updates pushing RATs (BleepingComputer)
Researchers Find New Malware Attacks Targeting Russian Government Entities (The Hacker News)
Ukraine May Use Lincoln Project's Anti-Trump Tactics Against Putin (Newsweek)
Pro-Iran Group ALtahrea Hits Port of London Website by DDoS Attack (HackRead)
REvil Resurgence? Or a Copycat? (Akamai)
RansomHouse: Bug bounty hunters gone rogue? (Help Net Security)
Data theft gang RansomHouse might be 'frustrated' white hat hackers, researchers claim (Tech Monitor)
CISA Adds 20 Known Exploited Vulnerabilities to Catalog (CISA)
CISA adds 41 flaws to its Known Exploited Vulnerabilities Catalog (Security Affairs)
Rockwell Automation Logix Controllers (CISA)
Matrikon OPC Server (CISA)
Mitsubishi Electric FA Engineering Software Products (Update D) (CISA)
Mitsubishi Electric Factory Automation Engineering Products (Update F) (CISA)
Suspected head of cybercrime gang arrested in Nigeria (Interpol)
Interpol arrests alleged leader of the SilverTerrier BEC gang (BleepingComputer)
INTERPOL hauls in alleged Nigerian cybercrime ringleader (CyberScoop)
Operation Delilah: Unit 42 Helps INTERPOL Identify Nigerian Business Email Compromise Actor (Unit42)
May 24, 2022 • 28min

Verizon's 2022 DBIR shows a sharp rise in ransomware. Origins of Chaos ransomware. GuLoader’s phishbait. Malicious proofs-of-concept. Hyperlocal disinformation and hybrid warfare. Robin Hood?

Verizon's 2022 Data Breach Investigation Report shows a sharp rise in ransomware. Origins of the Chaos ransomware operation. The GuLoader campaign uses bogus purchase orders. Security researchers are targeted in a malware campaign. Hyperlocal disinformation. Turla reconnaissance has been detected in Austrian and Estonian networks. Ben Yelin describes a content moderation fight that may be headed to the supreme court. Our guest is Richard Melick from Zimperium to discuss threats to mobile security. Robin Hood (or not).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/100

Selected reading.
2022 Data Breach Investigations Report (Verizon Business)
Yashma Ransomware, Tracing the Chaos Family Tree (BlackBerry)
Spoofed Saudi Purchase Order Drops GuLoader: Part 1 (Fortinet Blog)
Malware Campaign Targets InfoSec Community: Threat Actor Uses Fake Proof of Concept to Deliver Cobalt-Strike Beacon (Cyble)
Network of hyperlocal Russian Telegram channels spew disinformation in occupied Ukraine (CyberScoop)
Russian hackers perform reconnaissance against Austria, Estonia (BleepingComputer)
New ransomware forces victims to donate to poor (The Independent)