CyberWire Daily

N2K Networks
Apr 2, 2022 • 19min

A popular malware scheme and pay-per-install services. [Research Saturday]

Guest Michael DeBolt from Intel 471 joins Dave Bittner on this episode to discuss one of the most popular commodity malware loaders on the underground – PrivateLoader. The blog provides an analysis of campaigns since May 2021, full details on a pay-per-install (PPI) malware service, the methods operators employ to obtain “installs,” and insights on the malware families the service delivers.

On Intel 471's blog, it shows the breakdown of how the PrivateLoader download is delivered and how it works. The blog states "Visitors are lured into clicking a “Download Crack” or “Download Now” button to obtain an allegedly cracked version of the software." Michael explains more about this popular commodity malware loader.

The research can be found here: PrivateLoader: The first step in many malware schemes

Learn more about your ad choices. Visit megaphone.fm/adchoices
Apr 1, 2022 • 25min

Epistemic closure in a hybrid war. Wiper used against Viasat modems. US Treasury sanctions more Russian actors. Remediating Spring4shell. Notes from law enforcement. And we’re not joking.

Attempting to evolve rules of cyber conduct during a hot hybrid war. Waiting for major Russian cyber operations. Viasat terminals were hit by wiper malware. Patches and detection scripts for Spring4shell. Warning of ransomware threat to local governments. Emergency data requests under Senatorial scrutiny. NSA employee charged with mishandling classified material. Andrea Little Limbago from Interos on Bots, Warriors and Trolls. Rick Howard speaks with Maretta Morovitz on cyber deception. And no April Foolin’ here.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/63

Selected reading.
Russia’s War Lacks a Battlefield Commander, U.S. Officials Say (New York Times)
Putin may be self-isolating from his military advisers, says White House (The Telegraph)
Confronting Russian Cyber Censorship (Wilson Center)
Zelensky Fires Two Generals (Wall Street Journal)
French intelligence chief Vidaud fired over Russian war failings (BBC News)
Cyber War Talks Heat Up at UN With Russia at Table (Bloomberg.com)
Foreign Ministry statement on continued cyberattack by the “collective West” (Ministry of Foreign Affairs of the Russian Federation)
New Protestware Found Lurking in Highly Popular NPM Package (Checkmarx.com)
Russia targeting Ukraine, countries opposing war in cyberspace (Jerusalem Post)
Conti Leaks: Examining the Panama Papers of Ransomware (Trellix)
British intelligence agencies: Moscow continuously attacks Ukraine in cyberspace (The Times Hub)
AcidRain | A Modem Wiper Rains Down on Europe (SentinelOne)
SentinelOne finds ties between Viasat hack and Russian actor (SC Magazine)
ExtraHop CEO: Expect a Russian cyber response to sanctions (Register)
Treasury sanctions Russian research center blamed for Trisis malware (CyberScoop)
Treasury Targets Sanctions Evasion Networks and Russian Technology Companies Enabling Putin’s War (U.S. Department of the Treasury)
Evgeny Viktorovich Gladkikh – Rewards For Justice (Rewards for Justice)
Spring confirms ‘Spring4Shell’ zero-day, releases patched update (The Record by Recorded Future)
Spring4Shell (CVE-2022-22965): Are you vulnerable to this Zero Day? (Cyber Security Works)
Ransomware Attacks Straining Local US Governments and Public Services (IC3)
Senate’s Wyden Probes Use of Forged Legal Requests by Hackers (Bloomberg)
NSA Employee Charged with Mishandling Classified Material (Military.com)
National Security Agency Employee Indicted for Willful Transmission and Retention of National Defense Information (US Department of Justice)
National Security Agency Employee Facing Federal Indictment for Willful Transmission and Retention of National Defense Information (US Department of Justice)
Mar 31, 2022 • 22min

Moscow poorly served by its intelligence services, say London and Washington. Cyber phases of the hybrid war. A new zero-day, and some resurgent criminal activity.

Russian cyber operators collect against domestic targets. More details on the Viasat hack. Ukrainian hacktivists say they can interfere with Russian geolocation. Spring4shell is another remote-code-execution problem. The Remcos Trojan is seeing a resurgence. Malicious links distributed via Calendly. Johannes Ullrich from SANS on attack surface detection. Our guest is Fleming Shi from Barracuda on cybersecurity champions. Phishing with “emergency data requests.” Lapsus$ may be back from vacation.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/62

Selected reading.
Vladimir Putin is being lied to by his advisers, says GCHQ (The Telegraph)
U.S. intelligence suggests that Putin’s advisers misinformed him on Ukraine. (New York Times)
White House: Intel shows Putin misled by advisers on Ukraine (AP NEWS)
Russian troops sabotaging their own equipment and refusing orders in Ukraine, UK spy chief says (CNBC)
Phishing campaign targets Russian govt dissidents with Cobalt Strike (BleepingComputer)
KA-SAT Network cyber attack overview (Viasat.com)
Tracking cyber activity in Eastern Europe (Google)
Ukrainian Hackers Take Aim at Russian Artillery, Navigation Signals (Defense One)
Russian efforts in Ukraine have not yet spilled over into cyberattacks on US, says lawmaker (C4ISRNet)
New Spring Framework RCE Vulnerability Confirmed - What to do? (Sonatype)
New Spring4Shell Zero-Day Vulnerability Confirmed: What it is and how to be prepared (Contrast Security)
Spring Core on JDK9+ is vulnerable to remote code execution (Praetorian)
Spring4Shell: No need to panic, but mitigations are advised (Help Net Security)
Remcos Trojan: Analyzing the Attack Chain (Morphisec)
Apple and Meta Gave User Data to Hackers Who Used Forged Legal Requests (Bloomberg)
Fresh Phish: Phishers Schedule Victims on Calendar App (INKY)
Lapsus$ claims Globant as its latest breach victim (TechCrunch)
Mar 30, 2022 • 23min

Taking down bot farms. Cyber aggression. Kinetic influence ops. Spamming yourself? ICS control system advisories. Sanctions are also biting Russian cyber gangs.

Taking down bot farms. Russia says the US is the aggressor in cyberspace. Influence operations, arriving at Mach 10. The call is coming from inside the house! Cyber incidents affect aviation services. CISA posts ICS control system advisories. I welcome Tim Eades from the Cyber Mentor Fund. Our guest is Alex Holland from HP Wolf Security describing a new wave of attacks. And sanctions are also biting Russian cyber gangs.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/61

Selected reading.
Ukraine dismantles 5 disinformation bot farms, seizes 10,000 SIM cards (BleepingComputer)
Russia accuses U.S. of massive 'cyber aggression' (Reuters)
Russia Has Fired 'Multiple' Hypersonic Missiles Into Ukraine, US General Confirms (Defense One)
BREAKING: Russian Aviation Authority Suffers Cyberattack (Mentour Pilot)
Bradley Airport Website Suffers Cyber Attack (NBC Connecticut)
Philips e-Alert (CISA)
Rockwell Automation ISaGRAF (CISA)
Omron CX-Position (CISA)
Hitachi Energy LinkOne WebView (CISA)
Modbus Tools Modbus Slave (CISA)
Delta Electronics DIAEnergie (CISA)
“Your rubles will only be good for lighting a fire”: Cybercriminals reel from impact of sanctions (Digital Shadows)
Sanctions Hitting Russian Cyber-Criminals Hard (Infosecurity Magazine)
Mar 29, 2022 • 28min

Cyber phases of a hybrid war continue at a nuisance level. IcedID’s distribution vectors. Automating software supply-chain attacks. CISA offers power supply risk mitigation guidance.

A cyberattack takes down a major Ukrainian Internet provider. GhostWriter is said to deploy Cobalt Strike against the Ukrainian government. Anonymous makes some large claims. This just in: spies drive drunk: Ukrainian intelligence doxes FSB officers. Conventional criminals continue to exploit sympathy for Ukraine in social engineering scams. Red-Lili automates software supply-chain attacks. Ben Yelin considers Russian cyber capabilities. Mr. Security Answer Person John Pescatore addresses security automation. And CISA offers mitigation guidance on risks to uninterruptible power supplies.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/60

Selected reading.
Russia says it will scale back near Kyiv as talks progress (AP NEWS)
Ukraine Claims Some Battle Successes as Russia Focuses on Another Front (New York Times)
Ukrainian telecom company's internet service disrupted by 'powerful' cyberattack (Reuters)
‘Most Severe’ Cyberattack Since Russian Invasion Crashes Ukraine Internet Provider (Forbes)
GhostWriter APT targets state entities of Ukraine with Cobalt Strike Beacon (Security Affairs)
Secret World of Pro-Russia Hacking Group Exposed in Leak (Wall Street Journal)
Anonymous is working on a huge data dump that will blow Russia away (Security Affairs)
While Twitter suspends Anonymous accounts, the group hacked VGTRK Russian Television and Radio (Security Affairs)
Names and addresses of 620 FSB officers published in data breach (Times)
Russian spies unmasked in embarrassing blow for Vladimir Putin (The Telegraph)
New Conversation Hijacking Campaign Delivering IcedID (Intezer)
Spoofed Invoice Used to Drop IcedID (Fortinet Blog)
A Beautiful Factory for Malicious Packages (Checkmarx)
School of Hard Knocks: Job Fraud Threats Target University Students (Proofpoint)
Mitigating Attacks Against Uninterruptible Power Supply Devices (CISA Insights)
Mar 28, 2022 • 24min

Notes on the cyber aspects of the ongoing hybrid war. DDoS in the Marshall Islands. Lapsus$ Group post mortems. US FCC sanctions Kaspersky. CISA adds Known Exploited Vulnerabilities to its Catalog.

Preparing for the spread of cyberattacks. A look at cyber operations in the hybrid war. C3 and electronic warfare. The Republic of the Marshall Islands suffers rolling DDoS attacks. Okta gives a detailed account of its experience with the Lapsus$ Group. Lapsus$ under the law enforcement microscope. The FCC sanctions Kaspersky. Malek Ben Salem from Accenture on getting full potential from deception systems. Our guest is Greg Scasny of Blueshift Cybersecurity with remote workforce security concerns. And CISA adds to its Known Exploited Vulnerabilities Catalog.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/59

Selected reading.
‘Preparation, not panic’: Top US cyber official asks Americans to look out for Russian hacking efforts (CNN)
Russia hacked Ukrainian satellite communications, officials believe (BBC News)
Chinese cyberattacks on NATO countries increase 116% since Russia's invasion of Ukraine: study (Fox Business)
Why hasn't Russia used its 'full scope' of electronic warfare? (Breaking Defense)
Russian troops’ tendency to talk on unsecured lines is proving costly (Washington Post)
Marshall Islands telecom service hit by cyber attack (RNZ)
Okta: "We made a mistake" delaying the Lapsus$ hack disclosure (BleepingComputer)
Who is LAPSUS$, the Big, Bad Cybercrime Gang Hacking Tech's Biggest Companies? (Gizmodo)
FCC puts Kaspersky on security threat list, says it poses “unacceptable risk” (Ars Technica)
U.S. FCC adds Russia's Kaspersky, China telecom firms to national security threat list (Reuters)
CISA Adds 66 Known Exploited Vulnerabilities to Catalog (CISA)
Mar 26, 2022 • 19min

The breakdown of Shuckworm's continued cyber attacks against Ukraine. [Research Saturday]

Guest Dick O'Brien from Symantec joins Dave Bittner on this episode to discuss how "Shuckworm Continues Cyber-Espionage Attacks Against Ukraine." The Russia-linked Shuckworm group (aka Gamaredon, Armageddon) has been active since 2013 and is known to use phishing emails to distribute freely available remote access tools.

In July 2021, Symantec observed Shuckworm activity on an organization in Ukraine, and this continued until August 2021. According to a November 2021 report from the Security Service of Ukraine (SSU), since 2014 the Shuckworm group has been responsible for over 5,000 attacks against more than 1,500 Ukrainian government systems. Dick walks us through Symantec's investigation.

The research can be found here: Shuckworm Continues Cyber-Espionage Attacks Against Ukraine
Mar 25, 2022 • 25min

Fears of Russian escalation, with both chemical and cyber weapons, rise. DPRK APTs exploit Chrome vulnerabilities. Mustang Panda is back. Arrests made in the Lapsus$ case.

Fears of Russian escalation as Ukraine’s counteroffensive sees successes. Warnings of possible Russian cyberattacks gain context from attribution of the Viasat incident and two US unsealed indictments. CISA continues to recommend best practices. North Korean APTs exploit Chrome vulnerabilities. Mustang Panda is back. David Dufour from Webroot on ransomware gangs and cartels. Our guest is Liliana Monge of Sabio Coding Bootcamp on creating opportunities for those looking to pursue a career in tech. And boy, boy, your wild ways will break your mother’s heart.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/58

Selected reading.
Ukrainian forces advance east of Kyiv as Russians fall back (Reuters)
Counteroffensive in Ukraine Shifts Dynamic of War (New York Times)
Ukrainian forces claim to destroy a Russian landing ship. (New York Times)
Putin's war in Ukraine nearing possibly more dangerous phase (AP NEWS)
Syrians watch in horror as Putin deploys the Aleppo playbook in Ukraine (CNN)
Joe Biden: We will respond in kind if Vladimir Putin uses chemical weapons in Ukraine (The Telegraph)
A month into the Russian invasion, Ukraine is still mostly online (The Record by Recorded Future)
Russian military behind hack of satellite communication devices in Ukraine at war’s outset, U.S. officials say (Washington Post)
Hackers Attacked Satellite Terminals Through Management Network, Viasat Officials Say (Air Force Magazine)
Four Russian Government Employees Charged in Two Historical Hacking Campaigns Targeting Critical Infrastructure Worldwide (US Department of Justice)
US charges four Russian hackers over cyber-attacks on global energy sector (the Guardian)
North Korean Actors Exploited Chrome Flaw to Target U.S. Orgs (Decipher)
Countering threats from North Korea (Google)
New Mustang Panda hacking campaign targets diplomats, ISPs (BleepingComputer)
Chinese APT Combines Fresh Hodur RAT with Complex Anti-Detection (Threatpost)
Lapsus$: Oxford teen accused of being multi-millionaire cyber-criminal (BBC News)
Mar 24, 2022 • 26min

Updates on Russia’s hybrid war against Ukraine. The leader of the Lapsus$ Gang may be a 16-year-old living with his Mom. Wanted cybercriminals. Hacktivism’s sometimes wayward aim.

Concerns persist that President Putin will take his revenge in cyberspace for sanctions. Wiper attacks reported continuing in Ukraine. Russia also sustains cyberattacks. Lapsus$: living at home, with Mom. A carder kingpin finds his way onto the FBI’s Most Wanted List. Andrea Little Limbago from Interos on collective resilience. Our guest is Amit Shaked from Laminar Security on shadow data. Anonymous says it hit Nestlé, but Nestlé says it never happened.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/57

Selected reading.
As Ukraine invasion stalls, Putin looks to cyber for revenge attack on US (Newsweek)
Threat looms of Russian attack on undersea cables to shut down West’s internet (France 24)
A Mysterious Satellite Hack Has Victims Far Beyond Ukraine (Wired)
Anonymous hacks unsecured printers to send anti-war messages across Russia (HackRead)
'We want them to go to the Stone Age': Ukrainian coders are splitting their time between work and cyber warfare (CNBC)
Teen Suspected by Cyber Researchers of Being Lapsus$ Mastermind (Bloomberg)
Nestlé denies Anonymous hack, claiming it accidentally leaked data dump itself (Fortune)
Nestlé says 'Anonymous' data leak actually a self-own (Register)
Nestlé: You Can't Hack Us, We Leaked Our Own Data (Gizmodo)
FBI adds Russian cybercrime market owner to most wanted list (BleepingComputer)
United States of America v. Igor Dekhtyar (US District Court for the Eastern District of Texas)
Mar 24, 2022 • 22min

Insider Risk Excellence Awards. [CyberWire-X]

In this CyberWire-X episode, host Dave Bittner chats with the judges of the Insider Risk Excellence Awards. The inaugural awards program, announced during last September's Insider Risk Summit, recognizes the best of the best in Insider Risk Management. They honor the work of individuals and organizations as they address Insider Risk in the most collaborative work environment we’ve ever seen. Judges Joe Payne, President and CEO, Code42 and Chairman, Insider Risk Summit, and Wendy Overton, Director of Cyber Strategy and Insider Risk Leader, Optiv, talk about the growing Insider Risk problem, reveal the winners of each award category and pull back the curtain on how each of these Insider Risk trailblazers is making an impact.