

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

May 23, 2022 • 23min
A new loader variant for wiper campaigns. Sanctions, hacktivism, and disinformation. Conti’s toxic branding. Happy birthday, US Cyber Command.
There’s a new loader identified in wiper campaigns. President Putin complains of sanctions and cyberattacks, and vows to increase Russia's cybersecurity. Coordinated inauthenticity at scale. Killnet crows large over Italian operations. Conti's dissolution doesn't mean its operators' disappearance. Rick Howard looks at software defined perimeters. Dinah Davis from Arctic Wolf on how ransomware groups are upping their game to nation-state levels. And happy birthday, US Cyber Command...but we're not necessarily wishing you a moonshot for your birthday present.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/99

Selected reading.
Sandworm uses a new version of ArguePatch to attack targets in Ukraine (WeLiveSecurity)
Putin complains about barrage of cyberattacks (Military Times)
Putin promises to bolster Russia's IT security in face of cyber attacks (Reuters)
Russia keeps getting hacked (Mashable)
Putin is bringing his disinformation war to Ukraine (Newsweek)
Russian government procured powerful botnet to shift social media trending topics (The Record by Recorded Future)
Fronton: Russian IoT Botnet Designed to Run Social Media Disinformation Campaigns (The Hacker News)
Russian Hackers Claim Responsibility for Attacks on Italian Government Websites (Wall Street Journal)
Anonymous Declares Cyber-War on Pro-Russian Hacker Gang Killnet (Infosecurity Magazine)
DisCONTInued: The End of Conti’s Brand Marks New Chapter For Cybercrime Landscape (AdvIntel)
Notorious cybercrime gang Conti 'shuts down,' but its influence and talent are still out there (The Record by Recorded Future)
Could a Cyber Attack Overthrow a Government? Conti Ransomware Group Now Threatening To Topple Costa Rican Government if Ransom Not Paid (CPO Magazine)
Fears grow after ransomware attack on Costa Rica escalates (TechCrunch)
US Cyber Command’s birthday (US Cyber Command)
U.S. Needs New 'Manhattan Project' to Avoid Cyber Catastrophe | Opinion (Newsweek)
Cyber pros are fed up with talk about a cyber-Manhattan Project (Washington Post)

Learn more about your ad choices. Visit megaphone.fm/adchoices

May 22, 2022 • 8min
Charity Wright: Pursue what you love [Threat intelligence] [Career Notes]
Threat intelligence analyst at Recorded Future, Charity Wright, shares her story from the Army to her career today. Transitioning from the Army to cybersecurity was an exciting change for her. During college she was recruited by the U.S. Army, where she started her journey and learned new skills that paved her pathway to threat intelligence, where she is now. She shares that she works with a great team of junior analysts who are constantly checking each other's biases, which helps keep Charity grounded in her work. Charity spends her days keeping an eye on threats around the world, where she says there is never a dull day in her line of work. We thank Charity for sharing her story with us.

May 21, 2022 • 18min
AutoWarp bug leads to Automation headaches. [Research Saturday]
Yanir Tsarimi from Orca Security joins Dave to discuss how researchers discovered a critical Azure Automation service vulnerability called AutoWarp. The security flaw was discovered this past March, prompting Yanir to leap into action and report the issue to Microsoft, which helped to swiftly resolve the cross-account vulnerability.

The research shows how this serious flaw would have allowed attackers unauthorized access to other customers' accounts and potentially full control over the resources and data belonging to those accounts, putting multiple Fortune 500 companies and billions of dollars at risk. The research also shares the crucial timeline of the vulnerability's discovery, as well as Microsoft's response to it.

The research can be found here:
AutoWarp: Critical Cross-Account Vulnerability in Microsoft Azure Automation Service

May 20, 2022 • 30min
Is Conti rebranding? Commercial spyware scrutinized. Notes from the cyber phases of a hybrid war. Notes on the underworld. Software supply chain attack. Canada will exclude Huawei from 5G.
Was Conti’s digital insurrection in Costa Rica misdirection? Google assesses a commercial spyware threat “with high confidence.” Continuing expectations of escalation in cyberspace. The limitations of an alliance of convenience. Fronton botnet shows versatility. Russian hacktivists hit Italian targets, again. Lazarus Group undertakes new SolarWinds exploitation. Crypters in the C2C market. CrateDepression supply chain attack. Johannes Ullrich describes an advance fee scam hitting crypto markets. Our guest is Marty Roesch, CEO of Netography and inventor of Snort. Canada to exclude Huawei from 5G networks on security grounds.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/98

Selected reading.
Conti ransomware shuts down operation, rebrands into smaller units (BleepingComputer)
Protecting Android users from 0-Day attacks (Google)
Microsoft President: Cyber Space Has Become the New Domain of Warfare (Infosecurity Magazine)
Twisted Panda: Chinese APT espionage operation against Russian’s state-owned defense institutes (Check Point Research)
Chinese Hackers Tried to Steal Russian Defense Data, Report Says (New York Times)
China-linked Space Pirates APT targets the Russian aerospace industry (Security Affairs)
This Russian botnet does far more than DDoS attacks - and on a massive scale (ZDNet)
Pro-Russian hackers attack institutional websites in Italy, police say (Reuters)
Lazarus hackers target VMware servers with Log4Shell exploits (BleepingComputer)
ITG23 Crypters Highlight Cooperation Between Cybercriminal Groups (Security Intelligence)
CrateDepression | Rust Supply-Chain Attack Infects Cloud CI Pipelines with Go Malware (SentinelOne)
Canada to ban Huawei/ZTE 5G equipment, joining Five Eyes allies (Reuters)

May 20, 2022 • 3min
CISA Alert AA22-138B – Threat actors chaining unpatched VMware vulnerabilities for full system control. [CISA Cybersecurity Alerts]
CISA is releasing this cybersecurity advisory to warn organizations that malicious cyber actors are exploiting CVE-2022-22954 and CVE-2022-22960. These vulnerabilities affect versions of VMware products. Successful exploitation permits malicious actors to trigger a server-side template injection that may result in remote code execution or escalation of privileges to root-level access. Based on this activity, CISA expects malicious cyber actors to quickly develop a capability to exploit the newly released VMware vulnerabilities CVE-2022-22972 and CVE-2022-22973 in the same impacted VMware products.

AA22-138B Alert, Technical Details, and Mitigations
AA22-138B.stix
Emergency Directive 22-03 Mitigate VMware Vulnerabilities
VMware Security Advisory VMSA-2022-0011
VMware Security Advisory VMSA-2022-0014

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

May 19, 2022 • 30min
Information operations and the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities actively exploited. TDI clarifies data incident. Robo-calling the Kremlin.
Russian information operations surrounding the invasion of Ukraine. VMware patches vulnerabilities. F5 BIG-IP vulnerabilities undergoing active exploitation. Texas Department of Insurance clarifies facts surrounding its data incident. Robert M. Lee from Dragos is heading to Davos to talk ICS. Rick Howard speaks with author Chase Cunningham on his book "Cyber Warfare – Truth, Tactics and Strategies". Robo-calling the Kremlin.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/97

Selected reading.
Information Operations Surrounding the Russian Invasion of Ukraine (Mandiant)
CISA Issues Emergency Directive and Releases Advisory Related to VMware Vulnerabilities (CISA)
Emergency Directive 22-03 (CISA)
Threat Actors Chaining Unpatched VMware Vulnerabilities for Full System Control (CISA)
Threat Actors Exploiting F5 BIG IP CVE-2022-1388 (CISA)
CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. (The CyberWire)
Additional facts: TDI data security event (Texas Department of Insurance)
This Hacktivist Site Lets You Prank Call Russian Officials (Wired)

May 19, 2022 • 3min
CISA Alert AA22-138A – Threat Actors Exploiting F5 BIG-IP CVE-2022-1388. [CISA Cybersecurity Alerts]
CISA and the Multi-State Information Sharing & Analysis Center (MS-ISAC) are releasing this joint Cybersecurity Advisory in response to active exploitation of CVE-2022-1388. This vulnerability is a critical iControl REST authentication bypass vulnerability affecting multiple versions of F5 Networks BIG-IP.

AA22-138A Alert, Technical Details, and Mitigations
F5 Security Advisory K23605346 and indicators of compromise
F5 guidance K11438344 for remediating a compromise
Emerging Threats Suricata signatures
Palo Alto Networks Unit 42 Threat Brief: CVE-2022-1388. This brief includes indicators of compromise.
Cisco Talos Intelligence Group - Comprehensive Threat Intelligence: Threat Advisory: Critical F5 BIG-IP Vulnerability. This blog includes indicators of compromise. Note: due to the urgency to share this information, CISA and MS-ISAC have not yet validated this content.
Randori’s bash script. This script can be used to identify vulnerable instances of BIG-IP. Note: MS-ISAC has verified this bash script identifies vulnerable instances of BIG-IP.

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

May 18, 2022 • 25min
Privateering goes fully political. Compromised robots? Conti’s campaign against Costa Rica. Cyberconflict along the Nile. A reset in the cyber insurance market.
Chaos ransomware group declares for Russia. Hacktivists claim to have compromised Russian-manufactured ground surveillance robots. Conti's ongoing campaign against Costa Rica. The claimed "international" cyberattack against the Nile dam was stopped. Rick Howard speaks with author Caroline Wong on her book “Security Metrics, a Beginner's Guide”. Our guests are Kathleen Smith and Rachel Bozeman, hosts of the new podcast, Security Cleared Jobs. And the cyber insurance market experiences a “reset.”

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/96

Selected reading.
Chaos Ransomware Variant Sides with Russia (Fortinet Blog)
Did hackers commandeer surveillance robots at a Russian airport? (The Daily Dot)
Russian Hacking Cartel Attacks Costa Rican Government Agencies (New York Times)
Costa Rican president claims collaborators are aiding Conti's ransomware extortion efforts (CyberScoop)
"We will overthrow the government" - Does Conti have help inside Costa Rica? (Tech Monitor)
Costa Ricans scrambled to pay taxes by hand after cyberattack took down country’s collection system (Yahoo)
Ethiopia faces new cyberattacks on its Nile dam (Al-Monitor)
Cyber Insurers Raise Rates Amid a Surge in Costly Hacks (Wall Street Journal)

May 17, 2022 • 3min
CISA Alert AA22-137A – Weak security controls and practices routinely exploited for initial access. [CISA Cybersecurity Alerts]
This joint cybersecurity advisory was coauthored by the cybersecurity authorities of the US, Canada, New Zealand, the Netherlands, and the UK. Cyber actors routinely exploit poor security configurations, weak controls, and other poor cyber hygiene practices to gain initial access or as part of other tactics to compromise a victim’s system. This joint Cybersecurity Advisory identifies commonly exploited controls and practices, and includes best practices to mitigate these risks.

AA22-137A Alert, Technical Details, and Mitigations
White House Executive Order on Improving the Nation’s Cybersecurity
NCSC-NL Factsheet: Prepare for Zero Trust
NCSC-NL Guide to Cyber Security Measures
N-able Blog: Intrusion Detection System (IDS): Signature vs. Anomaly-Based
National Institute of Standards and Technology SP 800-123 – Keeping Servers Secured
NCSC-UK Guidance – Phishing Attacks: Defending Your Organisation
Open Web Application Security Project (OWASP) Proactive Controls: Enforce Access Controls

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.

May 17, 2022 • 28min
Russian cyber threats and NATO’s Article 5. Conti says it’s going to bring Costa Rica to its knees. BLE proof-of-concept hack. CISA warns of initial access methods. Thanos proprietor indicted.
An assessment of the Russian cyber threat. NATO's Article 5 in cyberspace. Conti's ransomware attack against Costa Rica spreads, in scope and effect. Bluetooth vulnerabilities demonstrated in proof-of-concept. CISA and its international partners urge following best practices to prevent threat actors from gaining initial access. Joe Carrigan looks at updates to the FIDO Alliance. Rick Howard and Ben Rothke discuss author Andrew Stewart's book "A Vulnerable System: The History of Information Security in the Computer Age". And the doctor was in, but wow, was he also way out of line.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/95

Selected reading.
Russia Planned a Major Military Overhaul. Ukraine Shows the Result. (New York Times)
The Cyberwar Against Pro-Ukrainian Countries is Real. Here’s What to Do (CSO Online)
Collective cyber defence and attack: NATO’s Article 5 after the Ukraine conflict (European Leadership Network)
Cyber attack on Costa Rica grows as more agencies hit, president says (Reuters)
Ransomware gang threatens to ‘overthrow’ new Costa Rica government, raises demand to $20 million (The Record by Recorded Future)
Hacker Shows Off a Way to Unlock Tesla Models, Start Cars (Bloomberg)
NCC Group uncovers Bluetooth Low Energy (BLE) vulnerability that puts millions of cars, mobile devices and locking systems at risk (NCC Group)
Technical Advisory – Tesla BLE Phone-as-a-Key Passive Entry Vulnerable to Relay Attacks (NCC Group Research)
Technical Advisory – Kwikset/Weiser BLE Proximity Authentication in Kevo Smart Locks Vulnerable to Relay Attacks (NCC Group Research)
Technical Advisory – BLE Proximity Authentication Vulnerable to Relay Attacks (NCC Group Research)
Alert (AA22-137A) Weak Security Controls and Practices Routinely Exploited for Initial Access (CISA)
Hacker and Ransomware Designer Charged for Use and Sale of Ransomware, and Profit Sharing Arrangements with Cybercriminals (U.S. Attorney’s Office for the Eastern District of New York)
US prosecutors allege Venezuelan doctor is ransomware mastermind (ZDNet)
'Multi-tasking doctor' was mastermind behind 'Thanos' ransomware builder, DOJ says (The Record by Recorded Future)
U.S. Charges Venezuelan Doctor for Using and Selling Thanos Ransomware (The Hacker News)


