CyberWire Daily

N2K Networks
May 16, 2022 • 24min

Users advised to patch actively exploited Zyxel vulnerability. Hacktivism and influence ops in Russia’s hybrid war. Ransomware notes. Indiscriminate hacktivism? Alt-coin sanctions case will proceed.

Users are advised to patch Zyxel firewalls. Battlefield failure and popular morale in Russia’s hybrid war. Nuisance-level hacktivism in the hybrid war. Sweden and Finland move closer to NATO membership; concern over possible Russian cyberattacks rises. Intelligence, disinformation, or wishful thinking? Conti calls for rebellion in Costa Rica. PayOrGrief is just rebranded DoppelPaymer. Anonymous action in Sri Lanka seems indiscriminate and counterproductive. Dinah Davis from Arctic Wolf examines cybersecurity for startups. Rick Howard looks at two-factor authentication. And a judge says cryptocurrency can’t be used to evade sanctions.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/94

Selected reading.
Critical Vulnerability Allows Remote Hacking of Zyxel Firewalls (SecurityWeek)
Zyxel security advisory for OS command injection vulnerability of firewalls (Zyxel)
Growing evidence of a military disaster on the Donets pierces a pro-Russian bubble. (New York Times)
OpRussia update: Anonymous breached other organizations (Security Affairs)
Italy prevents pro-Russian hacker attacks during Eurovision contest (Reuters)
Finland, Sweden’s NATO moves prompt fears of Russian cyberattacks (The Hill)
Coup to remove cancer-stricken Putin underway in Russia, Ukrainian intelligence chief says (Fortune)
Conti ransomware gang calls for Costa Rican citizens to revolt if government doesn't pay (SC Magazine)
Anonymous wanted to help Sri Lankans. Their hacks put many in grave danger (Rest of World)
U.S. issues charges in first criminal cryptocurrency sanctions case (Washington Post)

Learn more about your ad choices. Visit megaphone.fm/adchoices
May 15, 2022 • 32min

The current state of zero trust. [CyberWire-X]

According to the zero trust philosophy, we all assume that our networks are already compromised and try to design them to limit the damage if that turns out to be so. In this episode of CyberWire-X, we’ve invited subject matter experts Amanda Fennell, the Chief Information Officer and Chief Security Officer of Relativity, and Galeal Zino, CEO of episode sponsor NetFoundry, to the CyberWire Hash Table to discuss all the ways to think about the solution in the modern era: Software Defined Perimeter (SDP), Secure Access Service Edge (SASE), identity and authorization, and private WAN, all through a first principles lens.
May 15, 2022 • 7min

Eric Escobar: Collaboration is key. [Pen tester] [Career Notes]

Principal consultant and pen tester at Secureworks, Eric Escobar, shares his career path, translating his childhood favorite Legos into civil engineering and then pivoting to cybersecurity. Eric was always headed toward engineering and got both his bachelor's and master's degrees in civil engineering. Upon breaking into a network with a friend, he was bitten by the cybersecurity bug. Making the switch to the red team and basically becoming a bank robber for hire, Eric tests the security of many companies' networks. He feels that curiosity is an essential trait for cybersecurity and that collaboration is key, as no one person knows everything. He advises those interested in cybersecurity to just start. We thank Eric for sharing his story with us.
May 14, 2022 • 22min

Vulnerabilities in IoT devices. [Research Saturday]

Dr. May Wang, Chief Technology Officer at Palo Alto Networks, joins Dave Bittner to discuss the findings detailed in Unit 42's "Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization" research. Unit 42 recently set out to better understand how well hospitals and other healthcare providers are doing in securing smart infusion pumps, which are network-connected devices that deliver medications and fluids to patients. This topic is of critical concern because security lapses in these devices have the potential to put lives at risk or expose sensitive patient data.

Unit 42's discovery of security gaps in three out of four infusion pumps that they reviewed highlights the need for the healthcare industry to redouble efforts to protect against known vulnerabilities, while diligently following best practices for infusion pumps and hospital networks. May walks us through Unit 42's work.

The research can be found here:
Know Your Infusion Pump Vulnerabilities and Secure Your Healthcare Organization
May 13, 2022 • 24min

War crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). A backdoor for Roblox. Darkweb C2C trader sentenced. eBay newsletter conspirator pleads guilty. CIA gets a CISO.

Ukraine holds its first war crimes trial. Are there war crimes in cyberspace? Iranian cyberespionage (and a possible APT side-hustle). Roblox seems to have been used to introduce a backdoor. CISA issues ICS advisories. Darkweb C2C trader sentenced. The last conspirator in the strange case of the eBay newsletter takes a guilty plea. Carole Theriault looks at Google’s new approach to cookies in Europe. Our guest is Mary Writz of ForgeRock on the growing importance of mobile device authentication security. And CIA gets a CISO.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/93

Selected reading.
Ukraine to put first Russian soldier on trial for war crimes | DW | 12.05.2022 (Deutsche Welle)
Russian soldier on trial in first Ukraine war-crimes case (AP NEWS)
First Russian soldier goes on trial in Ukraine for war crimes (the Guardian)
The Case for War Crimes Charges Against Russia’s Sandworm Hackers (Wired)
Iranian hackers exposed in a highly targeted espionage campaign (BleepingComputer)
Iranian APT Cobalt Mirage launching ransomware attacks (SearchSecurity)
Iranian Hackers Leveraging BitLocker and DiskCryptor in Ransomware Attacks (The Hacker News)
Iranian Cyberspy Group Launching Ransomware Attacks Against US (SecurityWeek)
Please Confirm You Received Our APT | FortiGuard Labs (Fortinet Blog)
Roblox Exploited with Trojans from Scripting Engine (Avanan)
Ukrainian cybercriminal sentenced to 4 years in U.S. prison for credential theft scheme (CyberScoop)
Ukrainian sentenced to 4 years for selling hacked passwords (The Record by Recorded Future)
Ex-eBay exec charged with harassing newsletter publishers pleads guilty (Reuters)
CIA selects new CISO with deep private sector experience (The Record by Recorded Future)
May 12, 2022 • 25min

Killnet hits Italian targets. Access restored to RuTube. Hacktivism in the hybrid war. Emotet surges. NPM dependency confusion attacks were pentesting. Cybercrime and punishment.

Killnet hits Italian targets. Access to RuTube is restored. Hacktivism in the hybrid war. Emotet surges. Clearing up the confusion over NPM dependency confusion attacks. Tim Eades from Cyber Mentor Fund on finding the right investors. Our guest is Michael DeBolt of Intel 471 on the growing interest in biometrics in the criminal underground. And cybercrime and punishment, Florida-man edition.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/92

Selected reading.
Ukraine maps reveal how much territory Russia has lost in just a few days (Newsweek)
Pro-Russian hackers target Italy institutional websites -ANSA news agency (Reuters)
Russian cyber experts restore RuTube access after three-day outage (Reuters)
They Fled Ukraine to Keep Their Cyber Startup Alive. Now, They’re Hacking Back. (Wall Street Journal)
Ukraine hacktivism 'problematic' for security teams says NSA cyber chief (Tech Monitor)
HP Wolf Security Threat Insights Report Q1 2022 | HP Wolf Security (HP Wolf Security)
npm supply chain attack targets Germany-based companies with dangerous backdoor malware (JFrog)
SaaS App Vanity URLs Can Be Spoofed for Phishing, Social Engineering (SecurityWeek)
Trio Of Cybercriminals Sentenced For Conspiracy To Commit Fraud And Aggravated Identity Theft (US Attorney for the Middle District of Florida)
May 12, 2022 • 3min

CISA Alert AA22-131A – Protecting against cyber threats to managed service providers and their customers. [CISA Cybersecurity Alerts]

The cybersecurity authorities of the UK, Australia, Canada, New Zealand, and the US have observed a recent increase in malicious cyber activity against managed service providers (MSPs). Allied cybersecurity authorities expect state-sponsored cyber actors to increase their targeting of MSPs in an attempt to exploit provider-customer trust relationships. This advisory includes security guidance tailored for both MSPs and their customers.

AA22-131A Alert, Technical Details, and Mitigations
Technical Approaches to Uncovering and Remediating Malicious Activity
Mitigations and Hardening Guidance for MSPs and Small- and Mid-sized Businesses
APTs Targeting IT Service Provider Customers
ACSC's Managed Service Providers: How to manage risk to customer networks
Global Targeting of Enterprise Managed Service Providers
Cyber Security Considerations for Consumers of Managed Services
How to Manage Your Security When Engaging a Managed Service Provider
Kaseya Ransomware Attack: Guidance for Affected MSPs and their Customers
Baseline Cyber Security Controls for Small and Medium Organizations
Actions to take when the cyber threat is heightened
Top 10 IT Security Action Items to Protect Internet Connected Networks and Information
CCCS's Alert: Malicious Cyber Activity Targeting Managed Service Providers
CISA Cybersecurity Alert: APT Activity Exploiting MSPs (2018)
CISA Cyber Essentials and CISA Cyber Resource Hub
Improving Cybersecurity of Managed Service Providers
Shields Up Technical Guidance

All organizations should report incidents and anomalous activity to CISA’s 24/7 Operations Center at central@cisa.dhs.gov or (888) 282-0870 and to the FBI via your local FBI field office or the FBI’s 24/7 CyWatch at (855) 292-3937 or CyWatch@fbi.gov.
May 11, 2022 • 25min

Consensus on the Viasat hack: Russia did it. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies exploited, but to what end? Advisories from CISA and its partners.

There’s international consensus on the cyberattack against Viasat. Kaspersky remains under investigation. The Nerbian RAT is out. NPM dependencies are exploited, but to what end? Caleb Barlow examines Russia’s future on the internet. Our guest is Deepen Desai from Zscaler with the latest phishing research. And new advisories from CISA and its partners.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/91

Selected reading.
Nerbian RAT Using COVID-19 Themes Features Sophisticated Evasion Techniques (Proofpoint)
NPM dependency confusion hacks target German firms (ReversingLabs)
npm Supply Chain Attack Targeting Germany-Based Companies (JFrog)
Adminer in Industrial Products (CISA)
Eaton Intelligent Power Protector (CISA)
Eaton Intelligent Power Manager Infrastructure (CISA)
Eaton Intelligent Power Manager (CISA)
AVEVA InTouch Access Anywhere and Plant SCADA Access Anywhere (CISA)
Mitsubishi Electric MELSOFT GT OPC UA (CISA)
CISA Adds One Known Exploited Vulnerability to Catalog (CISA)
Alert (AA22-131A) Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA)
Protecting Against Cyber Threats to Managed Service Providers and their Customers (CISA)
Russia downed satellite internet in Ukraine -Western officials (Reuters)
US and its allies say Russia waged cyberattack that took out satellite network (Ars Technica)
Western powers blame Russia for Ukraine satellite hack (The Record by Recorded Future)
Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)
Attribution of Russia’s Malicious Cyber Activity Against Ukraine - United States Department of State (United States Department of State)
U.S. Government Attributes Cyberattacks on SATCOM Networks to Russian State-Sponsored Malicious Cyber Actors (CISA)
Russia behind cyber-attack with Europe-wide impact an hour before Ukraine invasion (GOV.UK)
Estonia joins the statement of attribution on cyberattacks against Ukraine (Ministry of Foreign Affairs, Republic of Estonia)
Statement on Russia’s malicious cyber activity affecting Europe and Ukraine (Canada.ca)
Attribution to Russia for malicious cyber activity against European networks (Australian Government Department of Foreign Affairs and Trade)
Russia hacked an American satellite company one hour before the Ukraine invasion (MIT Technology Review)
NSA Probing Reach of Software From Russia’s Kaspersky in US Systems (Bloomberg)
May 10, 2022 • 29min

Notes on cyber phases of Russia’s hybrid war, including an assessment of Victory Day as an influence op. A look at C2C markets. And Spain’s spyware scandal claims an intelligence chief.

A quick introductory note on Russia’s hybrid war against Ukraine. Russian television schedules hacked to display anti-war messages. Phishing campaign distributes Jester Stealer in Ukraine. European Council formally attributes cyberattack on Viasat to Russia. Costa Rica declares a state of emergency as Conti ransomware cripples government sites. DCRat and the C2C markets. The gang behind REvil does indeed seem to be back. More Joker-infested apps found in Google Play. Guest Nick Adams from Differential Ventures discusses what will drive continued growth of cybersecurity beyond attack surfaces and governance from a VC's perspective. Partner Ben Yelin from UMD CHHS on digital privacy concerns in the aftermath of the potential overturn of Roe v. Wade. And Spain’s spyware scandal takes down an intelligence chief.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/90

Selected reading.
Ukraine morning briefing: Five developments as Joe Biden warns Vladimir Putin has 'no way out' (The Telegraph)
Viewpoint: Putin now faces only different kinds of defeat (BBC News)
Putin's Victory Day speech gives no clue on Ukraine escalation (Reuters)
On Victory Day, Putin defends war on Ukraine as fight against ‘Nazis’ (Washington Post)
In Speech, Putin Shows Reluctance in Demanding Too Much of Russians (New York Times)
Putin's parade shows he "is going to continue at whatever cost" in Ukraine (Newsweek)
Russia’s display of military might sent the West a strong message – just not the one Putin intended (The Telegraph)
Russian TV Schedules Hacked on Victory Day to Show Anti-War Messages (HackRead)
Russian TV hacked to say ‘blood of Ukrainians is on your hands’ (The Telegraph)
Mass Distribution of Self-Destructing Malware in Ukraine (BankInfoSecurity)
Russian cyber operations against Ukraine: Declaration by the High Representative on behalf of the European Union (European Council)
May 9, 2022 • 25min

Mixer gets sanctioned. Reward offered for Conti hoods. Ag company hit with ransomware. Hacktivism and cyberattacks in Russia’s hybrid war. That apology? The Kremlin takes it back.

The US Treasury Department sanctions a cryptocurrency mixer. Rewards for Justice is interested in Conti. US tractor manufacturer AGCO was hit by a ransomware attack. Russian hacktivism hits German targets and threatens the UK. A Russian diplomatic account was apparently hijacked. Tracking Cobalt Strike servers used against Ukraine. Dinah Davis from Arctic Wolf on defending against DDoS attacks. Rick Howard looks at Single Sign-On. And no apology for you, Mr. Bennett.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/89

Selected reading.
U.S. Treasury Issues First-Ever Sanctions on a Virtual Currency Mixer, Targets DPRK Cyber Threats (U.S. Department of the Treasury)
Reward Offers for Information to Bring Conti Ransomware Variant Co-Conspirators to Justice (United States Department of State)
AGCO ransomware attack disrupts tractor sales during U.S. planting season (Reuters)
Agricultural equipment maker AGCO reports ransomware attack (The Record by Recorded Future)
Russia’s chief diplomat in Scotland condemns Ukraine invasion in social media post (The Telegraph)
Pro-Russian Hackers Hit German Government Sites, Spiegel Says (Bloomberg)
Tracking Cobalt Strike Servers Used in Cyberattacks on Ukraine (IronNet)
Russia tensions with Israel may intensify as Kremlin denies Putin's apology (Newsweek)