

CyberWire Daily
N2K Networks
The daily cybersecurity news and analysis industry leaders depend on. Published each weekday, the program also includes interviews with a wide spectrum of experts from industry, academia, and research organizations all over the world.
Episodes

Mar 4, 2022 • 26min
Swapping propaganda shots. ICANN will not block the Internet in Russia. Hacktivists achieve a nuisance-level of success. NVIDIA gets a most curious demand. And there’s no US draft.
Propaganda engagements in Russia’s hybrid war against Ukraine. ICANN will not block the Internet in Russia. Hacktivists, real and pretended, achieve a nuisance-level of success in Russia’s war. Scams and misinformation circulate in Telegram. NVIDIA gets a most curious demand from a cyber gang. CISA’s ICS advisories. Johannes Ullrich looks at phishing pages on innocent websites. Our guest is Chase Snyder from ExtraHop to discuss implications of the cyber talent shortage. And, hey, newsflash, no matter what the texts on your phone might say, there’s no military draft in the US.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/43
Selected readings.
Putin Thought Ukraine Would Fall Quickly. An Airport Battle Proved Him Wrong (Wall Street Journal)
Russia's chaotic and confusing invasion of Ukraine is baffling military analysts (CNBC)
Last Vestiges of Russia’s Free Press Fall Under Kremlin Pressure (New York Times)
Don’t mention the war: Russian state media sells the lie of Ukrainians shelling their own cities (The Telegraph)
Russian troops in disarray and ‘crying’ in combat, radio messages reveal (The Telegraph)
Demoralised Russian soldiers tell of anger at being ‘duped’ into war (the Guardian)
The propaganda war has eclipsed cyberwar in Ukraine (MIT Technology Review)
Ukraine's request to cut off Russia from the global internet has been rejected (CNN)
No, the Army isn’t sending Ukraine draft notices via text (Army Times)
Hackers Who Broke Into NVIDIA's Network Leak DLSS Source Code Online (Hacker News)
Hackers warn Nvidia to open-source their GPU drivers or face data leak (Computing)
Cybercriminals who breached Nvidia issue one of the most unusual demands ever (Ars Technica)
BD Pyxis (CISA)
BD Viper LT (CISA)
IPCOMM ipDIO (CISA)
Learn more about your ad choices. Visit megaphone.fm/adchoices

Mar 3, 2022 • 29min
Russia and Belarus exchange cyber operations with Ukraine. The US announces Task Force KleptoCapture. Vulnerable infusion pumps. TCP middlebox reflection. Notes on sanctions.
The UN condemns Russia’s war in Ukraine. Ukraine’s cyber volunteers appear to be operating under the direction of Kyiv’s Ministry of Defense, and may be targeting Russian infrastructure. Belarusian cyber operators are phishing with stolen Ukrainian credentials in a cyberespionage campaign. Task Force KleptoCapture. Infusion pumps found vulnerable to cyberattack. TeaBot is found in the Play Store. TCP middlebox reflection. Dan Prince from Lancaster University on trustworthy autonomous systems. Our guest is John Shegerian from ERI on the security angle of e-recycling. And no more Harleys for Mr. Putin.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/42
Selected reading.
Cyber Realism in a Time of War
Russian Hybrid War Report: Social platforms crack down on Kremlin media as Kremlin demands compliance
Russia's war spurs corporate exodus, exposes business risks
Using DDoS, DanaBot targets Ukrainian Ministry of Defense
Asylum Ambuscade: State Actor Uses Compromised Private Ukrainian Military Emails to Target European Governments and Refugee Movement
Phishing campaign targets European officials assisting in refugee operations
Anonymous vs. Russia: Hackers Say Space Agency Breached, More Than 1,500 Websites Hit
Conti Ransomware Source Code Leaked
Hacker Group Anonymous Vows to Disrupt Russia's Internet — RT Websites Become 'Subject of Massive DDoS Attacks'
Ukrainian cyber resistance group targets Russian power grid, railways
Army of Cyber Hackers Rise Up to Back Ukraine
U.S. Officials Detail Efforts to Enforce Raft of New Russia Rules
TCP Middlebox Reflection: Coming to a DDoS Near You
TeaBot Android Banking Malware Spreads Again Through Google Play Store Apps
Infusion Pump Vulnerabilities: Common Security Gaps

Mar 2, 2022 • 28min
Slow-motion brutality against Ukraine as sanctions begin to bite Russia. Big Tech takes sides. Ransomware continues to bother major corporations.
Russia’s invasion in Ukraine is still slow, but it’s grown more brutal. Sanctions are beginning to hit Russia hard. The cyber phase of this hybrid war seems more informational than destructive, which is surprising. Big Tech has taken Ukraine’s side, and some Russian companies face a tough balancing act. Our guest is Lavi Lazarovitz from CyberArk with predictions on supply chain security. Malek Ben Salem from Accenture on deploying effective deception systems. And ransomware continues to pester major corporations.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/41
Selected reading.
Ukraine at D+6: Shocking and awful. (The CyberWire)
The Fog of Cyberwar Descends on Ukraine and Russia (Bloomberg)
Russian Electric Vehicle Chargers Hacked, Tell Users ‘PUTIN IS A DICKHEAD’ (Vice)
Western Sanctions Bite Russian Economy, but Pose Unpredictable Risks (Wall Street Journal)
Targeted APT Activity: BABYSHARK Is Out for Blood (Huntress)
5 New Vulnerabilities Discovered in PJSIP Open Source Library (JFrog)
Nvidia says hackers are leaking company data after ransomware attack (TechCrunch)
Insurer Aon falls victim to a cyber attack (Computing)
Toyota to restart Japan production after cyberattack on supplier triggers one-day halt (The Edge Markets)
Cyberattack on Toyota's supply chain shuts all its factories in Japan for 24 hours (CNN)

Mar 1, 2022 • 29min
Updates on Russia’s invasion of Ukraine, and the cyber phases of a hybrid war. Hacktivists and privateers. New Chinese malware described. Registration-bombing.
Stalled columns, rocket fire, and negotiation over Ukraine. Two new pieces of malware found in use against Ukrainian targets. Ben Yelin joins us with analysis. Dealing with WhisperGate and HermeticWiper. The muted cyber phases of a hybrid war. Leaked files reveal Conti as a privateer. Sanctions move from deterrence to economic "war of attrition." Daxin: a backdoor that hides in normal network traffic. Registration-bombing lets fraud hide in the weeds. Our guest is Tresa Stephens from Allianz on the elevated concern for cyber risk among business leaders. And Razzlekhan talking a deal?
Resources
Ukraine Fighting Overshadows Chance of Russia Talks’ Success (Bloomberg) Both sides agree to second set of talks even as fighting rages. Russia suffers market seizure as ruble plunges on sanctions.
After a Fumbled Start, Russian Forces Hit Harder in Ukraine (New York Times) After days of miscalculation about Ukraine’s resolve to fight, Russian forces are turning toward an old pattern of opening fire on cities and mounting sieges.
The dire predictions about a Russian cyber onslaught haven’t come true in Ukraine. At least not yet. (Washington Post) For more than a decade, military commanders and outside experts have laid out blueprints for how cyberwar would unfold: military and civilian networks would be knocked offline, cutting-edge software would sabotage power plants, and whole populations would be unable to get money, gas or refrigerated food.
A Free-for-All But No Crippling Cyberattacks in Ukraine War (SecurityWeek) In the early days of the war in Ukraine, Russia's ability to create mayhem through malware hasn’t had much of a noticeable impact.
CISA, FBI Issue Warnings on WhisperGate, HermeticWiper Attacks (SecurityWeek) The two U.S. agencies warn that both malware families were used in destructive cyberattacks targeting organizations in Ukraine.
Anonymous Hacker Group Targets Russian State Media (SecurityWeek) Hacker group Anonymous claimed responsibility for disrupting the work of websites of pro-Kremlin Russian media in protest of the invasion of Ukraine.
Ukraine’s Volunteer ‘IT Army’ Is Hacking in Uncharted Territory (Wired) The country has enlisted thousands of cybersecurity professionals in the war effort against Russia.
After Conti backs war, ransomware gangs realize peril of patriotism amid infighting (SC Magazine) Ransomware is actually a complex global economy. Different groups design ransomware and license that ransomware for use in attacks, with the latter often using many different vendors of the former. So while the designers of Conti may be Russian, the affiliate groups using Conti may include Ukrainians. And like in any business, there is peril in angering the consumer.
A ransomware group paid the price for backing Russia (The Verge) Is proximity to the Putin regime becoming a liability?
U.N. General Assembly set to isolate Russia over Ukraine invasion (Reuters) The 193-member United Nations General Assembly began meeting on the crisis in Ukraine on Monday ahead of a vote this week to isolate Russia by deploring its "aggression against Ukraine" and demanding Russian troops stop fighting and withdraw.
Russia defends invasion during emergency UN General Assembly (Deutsche Welle) A clear majority of UN member states are expected to vote to condemn Russia's actions as Moscow becomes increasingly isolated internationally.
The New Russian Sanctions Playbook (Foreign Affairs) Deterrence is out, and economic attrition is in.
Russia seeks to halt investor stampede as sanctions hammer economy (Reuters) Russia said it was placing temporary curbs on foreigners seeking to exit Russian assets on Tuesday, putting the brakes on an accelerating investor exodus driven by crippling Western sanctions imposed over the invasion of Ukraine.
For links to all of today's stories check out CyberWire daily news briefing for March 1, 2022.

Feb 28, 2022 • 26min
An update on Russia’s hybrid war against Ukraine. Offensive cyber operations under hacktivist guise. Russian privateers return (also as hacktivists). Some non-war-related hacking.
Ukrainian resistance may have stalled the Russian advance at key points. Cyber operations against Ukraine (and Russia). Diplomacy, now short of surrender? A SWIFT kick. Return of the privateers, now in the guise of patriotic hacktivists. Not all hacking is war-related. Josh Ray from Accenture on KillACK Backdoor Malware Continues to Evolve. Rick Howard revisits the cyber sand table. Criminals exploit Ukraine's suffering in social engineering campaigns.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/39

Feb 27, 2022 • 8min
Sloane Menkes: What is the 2%? [Consultant] [Career Notes]
Sloane Menkes, Principal in PricewaterhouseCoopers' Cyber Risk and Regulatory Practice, shares her story of how non-linear math helped to shape her life and career. Sloane credits a high school classmate for inspiring her mantra "What is the 2%?" that she employs when she feels like things are shutting down. She talks about her experiences in calculus class at the US Air Force Academy that helped to enlighten her and inform the intuitive problem-solving skill or way of thinking that she'd been employing in her life. She joined the Office of Special Investigations, and working with Howard Schmidt is where Sloane first started to get interested in cybersecurity. She shares that what she loves about the consulting role is that the environment is constantly changing, and she offers some advice for women interested in cybersecurity. We thank Sloane for sharing her story with us.

Feb 26, 2022 • 20min
Noberus ransomware: Coded in Rust and tailored to victim. [Research Saturday]
Guest Dick O'Brien, Principal Editor at Symantec, joins Dave to discuss their team's research, "Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware." Noberus is new ransomware used in mid-November attack, ConnectWise was likely infection vector.
Symantec, a division of Broadcom Software, tracks this ransomware as Ransom.Noberus and our researchers first spotted it on a victim organization on November 18, 2021, with three variants of Noberus deployed by the attackers over the course of that attack. This would appear to show that this ransomware was active earlier than was previously reported, with MalwareHunterTeam having told BleepingComputer they first saw this ransomware on November 21.
Noberus is an interesting ransomware because it is coded in Rust, and this is the first time we have seen a professional ransomware strain that has been used in real-world attacks coded in this programming language. Noberus appears to carry out the now-typical double extortion ransomware attacks where they first steal information from victim networks before encrypting files. Noberus adds the .sykffle extension to encrypted files.
The research can be found here:
Noberus: Technical Analysis Shows Sophistication of New Rust-based Ransomware

Feb 25, 2022 • 28min
Hybrid aggression and hybrid resistance. Sanctions, defense, and (maybe) retaliation. MuddyWater is newly active. Trickbot seems to have retired. Notes on misinformation and the fog of war.
Russia’s full-scale invasion meets regular and irregular Ukrainian resistance. Public uses of intelligence products. Hybrid aggression and hybrid defense in cyberspace, as the civilized world imposed sanctions on Russia. Iran’s MuddyWater threat actor is back, with renewed cyberespionage. Good-bye to Trickbot. Carole Theriault wraps up her look at mobile device security. Rick Howard checks in with Matthew Sharp (Logicworks) & "Rock" Lambros (RockCyber) on "The CISO Evolution". And some notes on the fog of war.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/38

Feb 24, 2022 • 24min
Russia’s full-scale invasion of Ukraine began this morning at 5:00 AM, Kyiv local time. Cyberattacks are serving as combat support and strategic disruption.
Russia opens a general war against Ukraine, with rocket fires, heavy forces, and a not-so-veiled threat to NATO. Cyber operations are serving as combat support and strategic disruption. While the war in Ukraine dominates the news, elsewhere in the world cybercrime and cyberespionage continue at their customary levels. Carole Theriault looks to the security of your mobile devices. And our guest is Dr. Chenxi Wang of Rain Capital with insights on the new NIST software supply chain security standards.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/37

Feb 23, 2022 • 30min
Putin goes medieval (we paraphrase the UK defense secretary). Cyberattack disrupts a logistics giant. Two reports look at the state of industrial cybersecurity.
With diplomacy at a stand and Russian troops now openly in Ukraine, Western governments impose sanctions on Russia. A fresh round of distributed denial-of-service attacks against Ukraine. Cobalt Strike continues to be misused by criminals. A cyberattack has severely disrupted a major logistics firm. My conversation with Assistant Director Bryan Vorndran of the FBI Cyber Division. Our guest Ed Amoroso from TAG Cyber explains Research as a Service. And two looks at the recent and prospective state of industrial cybersecurity.
For links to all of today's stories check out our CyberWire daily news briefing: https://thecyberwire.com/newsletters/daily-briefing/11/36


