CyberWire Daily

N2K Networks
Mar 23, 2022 • 26min

British-American warnings of a Russian cyber threat, and Russia’s response. More on the Lapsus$ gang incidents at Microsoft and Okta. And Secureworks looks at Conti and sees a criminal ecosystem.

The US and the UK warn of impending Russian cyberattacks, and Russia responds with warnings against “banditry,” crime, and bad manners. CISA issues two new ICS advisories. Microsoft confirms a Lapsus$ gang incident, and so does Okta, but Okta’s case is more complicated. Josh Ray from Accenture on the cyber workforce. Our guest is Tom Gaffney from F-Secure with some ways to reduce digital anxiety. Secureworks takes a look at the criminal ecosystem around Conti.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/56

Selected reading.
Ukraine war has put our relationship with US at breaking point - Russia (Daily Post Nigeria)
Kremlin dismisses U.S. warning of potential Russian cyber attacks (Reuters)
As Biden puts US on alert, Russia seeks talks to help prevent cyber war (Newsweek)
U.K. echoes Biden warning on Russian cyberattacks (The Record by Recorded Future)
Biden: Russia mulling cyberattacks on US (C4ISRNet)
National Security Advisor details new intelligence on potential Russian cyberattacks (FOX 5 DC)
The Threat of Russian Cyberattacks Looms Large (The New Yorker)
FBI sees growing Russian hacker interest in US energy firms (AP NEWS)
CISA Call with Critical Infrastructure Partners on Potential Russian Cyberattacks Against the U.S. (YouTube)
CISA highlights new reporting hotline amid warnings about potential Russian cyber attacks (Federal News Network)
Delta Electronics DIAEnergie (CISA)
Delta Electronics DIAEnergie (Update B) (CISA)
Microsoft, Okta Investigating Data Theft Claims (SecurityWeek)
Hackers hit authentication firm Okta, customers 'may have been impacted' (Reuters)
'This Is Really, Really Bad': Lapsus$ Gang Claims Okta Hack (Wired)
Okta ‘identifying and contacting’ customers potentially affected by Lapsus$ breach (The Record by Recorded Future)
Okta Investigates Report of Security Breach, Says It Finds No Evidence of New Attack (Wall Street Journal)
Fury As Okta—The Company That Manages 100 Million Logins—Fails To Tell Customers About Breach For Months (Forbes)
Cloudflare’s investigation of the January 2022 Okta compromise (Cloudflare Blog)
Updated Okta Statement on LAPSUS$ (Okta)
GOLD ULRICK leaks reveal organizational structure and relationships (Secureworks)
Details of Conti ransomware affiliate released (ComputerWeekly.com)
More can be done to curb misuse of Cobalt Strike, expert says (VentureBeat)

Learn more about your ad choices. Visit megaphone.fm/adchoices
Mar 22, 2022 • 24min

White House adds its voice to CISA’s Shields Up, warning of the possibility of Russian cyberattacks. New malware strains described, new criminal attack techniques observed.

White House warns of large-scale Russian cyberattacks. Browser-in-the-Browser attacks. New Conti affiliate described. Android malware “Facestealer” described. Microsoft and Okta investigate possible Lapsus$ attacks. Arid Gopher is out in the wild. Our guest is Swathi West of Barr Advisory on opportunities for the underrepresented in cybersecurity. Joe Carrigan wonders if we can’t just get rid of passwords once and for all. And advancing censorship by finding “extremism” and “Russophobia” in Meta’s platforms.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/55

Selected reading.
Russia's hybrid war with Ukraine: strategy, norms, and alliances (The CyberWire)
Statement by President Biden on our Nation’s Cybersecurity (The White House)
FACT SHEET: Act Now to Protect Against Potential Cyberattacks (The White House)
Statement from CISA Director Easterly on Potential Russian Cyberattacks Against the United States (CISA)
Press Briefing by Press Secretary Jen Psaki and Deputy NSA for Cyber and Emerging Technologies Anne Neuberger, March 21, 2022 (The White House)
Statement from Secretary Mayorkas on Cybersecurity Preparedness (US Department of Homeland Security)
Conti Affiliate Exposed: New Domain Names, IP Addresses and Email… (eSentire)
New Phishing toolkit lets anyone create fake Chrome browser windows (BleepingComputer)
New Browser-in-the Browser (BITB) Attack Makes Phishing Nearly Undetectable (The Hacker News)
Arid Gopher: Newest Micropsia Malware Variant (Deep Instinct)
Spyware dubbed Facestealer infects 100,000+ Google Play users (Pradeo)
Okta confirms investigation into potential breach (The Record by Recorded Future)
Microsoft investigating alleged Lapsus$ hack of Azure DevOps source code repositories (Computing)
Russian War Report: Meta officially declared “extremist organization” in Russia (Atlantic Council)
Mar 21, 2022 • 26min

Hacktivism, protestware, and information operations in a hybrid war. Brazil-based cyber gangs active in extortion. Steganography opens a backdoor. A free decryptor for Diavol ransomware.

The widely expected, intense Russian cyber campaign has yet to appear. "Protestware" as a dangerous turn in hacktivism. Information operations and the persistence of independent channels of news. Social media as an opsec problem. Lapsus$ may have hit Microsoft. A second Brazilian gang tries its hand at extortion. A snakey backdoor afflicts French organizations. AD Bryan Vorndran of the FBI Cyber Division on what the agency brings to the table in cyberspace. Rick Howard considers infrastructure as code. Emsisoft offers a free decryptor for Diavol ransomware.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/54

Selected reading.
Volodymyr Zelensky tells Russia to seek ‘meaningful’ peace talks or face catastrophic losses (The Telegraph)
Cyber threats and the Ukraine conflict (Avast)
Cyber ‘cold war’ rages online but Russia holds back on massive digital attacks (Times of Israel)
Mar 13- Mar 19 Ukraine – Russia the silent cyber conflict (Security Affairs)
Former CIA officer shows what a Russian cyberattack on the US would look like (Fox News)
EU and US agencies warn that Russia could attack satellite communications networks (Security Affairs)
Banks on alert for Russian reprisal cyberattacks on Swift (Ars Technica)
Activists are targeting Russians with open-source “protestware” (MIT Technology Review)
Cyber warfare gets real for satellite operators (SpaceNews)
More Conti ransomware source code leaked on Twitter out of revenge (BleepingComputer)
Open Source Maintainer Sabotages Code to Wipe Russian, Belarusian Computers (Vice)
Anonymous has unleashed a successful cyberwar to undermine Putin's Ukraine invasion (Fortune)
Some Russians are breaking through Putin’s digital iron curtain — leading to fights with friends and family (Washington Post)
On Russia's VK, anti-war messages defy Vladimir Putin's Ukraine censors (Newsweek)
Why Russia’s anti-war movement matters (Atlantic Council)
Telegram Thrives Amid Russia’s Media Crackdown (Wall Street Journal)
British soldiers are ordered off WhatsApp amid fears that sensitive military details could be accessed by Russian hackers (Daily Mail)
Microsoft Investigating Claim of Breach by Extortion Gang (Vice)
Hacking group that went after NVIDIA may have also attacked Microsoft (Windows Central)
Microsoft Allegedly Breached by LAPSUS Group (Cyber Kendra)
Lapsus$ gang sends a worrying message to would-be criminals (Register)
TransUnion cyber attack – hackers demand R225 million ransom (Business Tech)
TransUnion Confirms Data Breach at South Africa Business (SecurityWeek)
UPDATE | TransUnion believes breach of 54 million SA records unrelated to current hack (Fin24)
Banks move to protect consumers in wake of TransUnion cyberattack (TechCentral)
Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain (Proofpoint)
Emsisoft releases free decryptor for the victims of the Diavol ransomware (Security Affairs)
Mar 20, 2022 • 8min

Derek Manky: Putting the rubber to the road. [Threat Intelligence] [Career Notes]

Chief Security Strategist and VP of Global Threat Intelligence at FortiGuard Labs, Derek Manky, shares his story from programmer to cybersecurity and how it all came together. Derek started his career teaching programming because he had such a passion for it. When he joined Fortinet, Derek said, it "really started putting the rubber to the road and connecting my previous experience with programming and debugging and knowledge of operating systems and all that with real-world applications." Derek advises that getting into the cybersecurity field doesn't need to be complicated and that there are many avenues to enter the field. He hopes to have made a real dent, or "hopefully a crater," in cyber crime when he ends his career. We thank Derek for sharing his story with us.
Mar 19, 2022 • 23min

Implications of data leaks of sensitive OT information. [Research Saturday]

Guest Nathan Brubaker from Mandiant joins Dave Bittner on this episode to discuss Mandiant Threat Intelligence's research: "1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information."

Data leaks have always been a concern for organizations. The exposure of sensitive information can result in damage to reputation, legal penalties, loss of intellectual property, and even impact the privacy of employees and customers. However, there is little research about the challenges posed to industrial organizations when threat actors disclose sensitive details about their OT security, production, operations, or technology.

In 2021, Mandiant Threat Intelligence continued observing ransomware operators attempting to extort thousands of victims by disclosing terabytes of stolen information on shaming sites. This trend, which Mandiant Threat Intelligence refers to as “Multifaceted Extortion,” impacted over 1,300 organizations from critical infrastructure and industrial production sectors in just one year. Nathan walks us through their research and findings.

The research can be found here: 1 in 7 Ransomware Extortion Attacks Leak Critical Operational Technology Information
Mar 18, 2022 • 24min

Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism may go too far. C2C market notes. Advice from CISA and NIST. Prank calls as statecraft.

Hacktivism and other cyberattacks continue against Russian targets, but some hacktivism that affects software supply chains may go too far. An initial access broker in the criminal-to-criminal market. BlackMatter may be working with BlackCat. CISA offers a warning and advice to SATCOM operators. NIST offers some guidance on industrial control system security. Johannes Ullrich reminds us to patch our backup tools. Our guest is Armando Saey from MISI with insights on maritime port security. And Rear Admiral Mehoff, call your office.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/53

Selected reading.
Popular NPM Package Updated to Wipe Russia, Belarus Systems to Protest Ukraine Invasion (The Hacker News)
Software Supply Chain Weakness: Snyk Warns of 'Deliberate Sabotage' of NPM Ecosystem (SecurityWeek)
Russian government websites face ‘unprecedented’ wave of hacking attacks, ministry says (Washington Post)
Ukraine’s Digital Ministry Is a Formidable War Machine (Wired)
Exposing initial access broker with ties to Conti (Google)
Experts Find Some Affiliates of BlackMatter Now Spreading BlackCat Ransomware (The Hacker News)
Strengthening Cybersecurity of SATCOM Network Providers and Customers (CISA)
NIST SPECIAL PUBLICATION 1800-10 Protecting Information and System Integrity in Industrial Control System Environments: Cybersecurity for the Manufacturing Sector (NIST)
Hoax caller claiming to be Ukrainian PM got through to UK defence secretary (the Guardian)
Russians target Priti Patel and Ben Wallace with fake video calls (The Telegraph)
Mar 17, 2022 • 24min

Debunking deepfakes. Hacktivism and information warfare. The prospect of “splinternets.” Germany warns of security product risks. Disruption of Ukrainian ISPs. New wrinkles in phishing.

Not-so-deepfakes debunked. Hacktivism and information warfare in Russia’s war against Ukraine. The prospect of an age of “splinternets.” Germany warns of risks from Kaspersky security products. Disruption of Ukrainian ISPs. David Dufour from Webroot on cyberattacks hitting the automotive sector. Carole Theriault ponders parental disclosure of tracking their kids. Three new wrinkles to social engineering.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/52

Selected reading.
Russia and Ukraine ‘draw up 15-point peace plan’ (The Telegraph)
Deepfake video of Zelenskyy could be 'tip of the iceberg' in info war, experts warn (NPR.org)
The Russia-Ukraine War And The Revival Of Hacktivism (Digital Shadows)
In a Chilling Threat, Putin Vows to Rid Russia of ‘Traitors’ (Bloomberg)
Russia is risking the creation of a “splinternet”—and it could be irreversible (MIT Technology Review)
Traffic interception and MitM attacks among security risks of Russian TLS certs (CSO Online)
Germany's BSI warns against Kaspersky AV over spying concerns (CSO Online)
Major Ukrainian Internet Provider Triolan Suffers Severe Cyber Attacks and Infrastructure Destruction During Russian Invasion (CPO Magazine)
The Attack of the Chameleon Phishing Page (Trustwave)
The Email Bait … and Phish: Instagram Phishing Attack (Armorblox)
Using CAPTCHA Forms to Bypass Filters (Avanan)
Mar 16, 2022 • 24min

Ukrainian President Zelenskyy addresses the US Congress, as Russia’s hybrid war continues. LokiLocker ransomware flies a false flag. CISA warns of Russian cyber threat. Advance fee arrest.

Ukrainian President Zelenskyy addresses the US Congress, as intelligence services, contractors, and hacktivists wage their part of a hybrid war. BlackBerry describes LokiLocker, a new strain of ransomware that’s not Iranian, but would have you think it is. CISA and the FBI warn of a Russian cyber campaign. Nigeria arrests an alleged advance-fee scam artist (he’s been wanted for some time).

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/51
Mar 15, 2022 • 28min

Disinformation and cyberattacks in Russia’s hybrid war against Ukraine. DDoS attack hits Israeli telcos. Captured tools are old news. Recent trends in cybercrime.

Biowar disinformation. A new wiper is discovered in Ukrainian systems. Cyber criminals look for letters of marque from both sides (and some of them are looking like hacktivists). Ukrainian cybersecurity firms and intelligence services mobilize against Russia. Ben Yelin evaluates cyber engagements in the crisis. A protester crashes a Russian news broadcast. DDoS attack takes down Israeli sites. China claims to have “captured” NSA hacking tools. Our guest is Ben Brook, CEO of Transcend, with a look at data privacy. Recent trends in cybercrime.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/50

Selected reading.
Researchers find new destructive wiper malware in Ukraine (The Verge)
Cloud Native Technologies Used in Russia-Ukraine Cyber Attacks (Aqua Security)
Financially motivated threat actors willing to go after Russian targets (Help Net Security)
Kyiv’s hackers seize their wartime moment (POLITICO)
Global Incident Report: Threat Actors Divide Along Ideological Lines over the Russia-Ukraine Conflict on Underground Forums (Accenture)
Political fallout in cybercrime circles upping the threat to Western targets (CyberScoop)
A protester storms a live broadcast on Russia’s most-watched news show, yelling, ‘Stop the war!’ (New York Times)
Denial-of-service attack knocked Israeli government sites offline (CyberScoop)
China claims it captured NSA spy tool that already leaked (Register)
Ransomware Variants Q4 2021 (Intel471.com)
Cequence Security Releases Report Revealing Top 3 Attack Trends in API Security (Cequence)
Mar 14, 2022 • 26min

Russia’s hybrid war against Ukraine becomes more firepower intensive, but hackers make their mark. Cybercrime does business as usual.

The situation in Russia’s war against Ukraine, and Mr. Putin’s frustration with his intelligence services. Provocations, state-hacking, and influence operations in a hybrid war. Lapsus$ hits Ubisoft with ransomware. LockBit hits Bridgestone America. The Escobar banking Trojan is out in the wild. Kaspersky source apparently not compromised after all. Dan Prince wonders whether we are properly preparing for the roles of tomorrow. Rick Howard is pulling on the kill chain. And the wayward aim of public opinion.

For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/49

Selected reading.
After more than two weeks of war, the Russian military grinds forward at a heavy cost (Washington Post)
Ukraine war latest: Talks resume as Russia strikes Kyiv (BBC News)
US view of Putin: Angry, frustrated, likely to escalate war (AP NEWS)
Kremlin arrests FSB chiefs in fallout from Ukraine chaos (Times)
Russian Cyber Restraint in Ukraine Puzzles Experts (SecurityWeek)
Russia's cyber offensive against Ukraine has been limited so far. Experts are divided on why (KESQ)
‘Not the time to go poking around’: How former U.S. hackers view dealing with Russia (POLITICO)
We're seeing 800% increase in cyberattacks, says MSP (Register)
Russia makes claims of US-backed biological weapon plot at UN (the Guardian)
Russian media spreading disinformation about US bioweapons as troops mass near Ukraine (Bulletin of the Atomic Scientists)
Russian TikTok Influencers Are Being Paid to Spread Kremlin Propaganda (Vice)
The White House is briefing TikTok stars about the war in Ukraine (Washington Post)
Android malware Escobar steals your Google Authenticator MFA codes (BleepingComputer)
Google Attempts to Explain Surge in Chrome Zero-Day Exploitation (SecurityWeek)
Google: We're spotting more Chrome browser zero-day flaws in the wild. Here's why (ZDNet)
Ubisoft says it experienced a ‘cyber security incident’, and the purported Nvidia hackers are taking credit (The Verge)
UPDATE 1-Japan's Denso hit by apparent ransomware attack - NHK (Reuters)
LockBit ransomware group claims to have hacked Bridgestone Americas (Security Affairs)
