New DPRK ransomware op. States target media. Gangland goes to war. "Cyber world war." CISA releases 30 ICS security advisories.

Summary

By the CyberWire staff

At a glance.

New DPRK ransomware operation.
Intelligence services targeting media organizations.
Gangland goes to war.
"Cyber world war."
CISA releases 30 ICS security advisories.

A North Korean ransomware operation.

Microsoft describes an emerging North Korean ransomware operation it tracks as DEV-0530 that's using a relatively new strain of ransomware called "H0lyGh0st." The blasphemous name, Microsoft points out, is the hood's own choice, not Redmond's. DEV-0530, a provisional designation assigned until more is known about the group, is noteworthy in that it appears to be entirely financially motivated, and in that it selects small and midsized businesses as its targets. "MSTIC [the Microsoft Threat Intelligence Center] assesses that DEV-0530 has connections with another North Korean-based group tracked as PLUTONIUM (aka DarkSeoul or Andariel). While the use of H0lyGh0st ransomware in campaigns is unique to DEV-0530, MSTIC has observed communications between the two groups, as well as DEV-0530 using tools created exclusively by PLUTONIUM."

The gang's communications with its victims and others cop an altruistic and humanitarian line, claiming to be helping its victims improve their security posture (as if they were white-hat pentesters) and to be contributing to an egalitarian leveling of rich and poor to the advantage of the poor (as if they were Robin Hood).

The group is asking for between 1.2 and 5 Bitcoin in ransom (roughly $25,000 to $104,000 at current conversion rates), but so far, Microsoft says, their wallet seems to have remained empty, even though DEV-0530 has shown a willingness to negotiate their asking price.

Pyongyang has long used cybercrime as a source of income to redress the financial pressures it labors under due to the decades of international sanctions that have crippled the DPRK's economy. It's even more difficult to separate North Korean intelligence and security services from criminal activity than it is to tell the Russian privateers apart from the Russian organs, but this latest campaign is sufficiently ambiguous to suggest that it might be the work of a gang that's obtained access to some state actors' tools, or even the work of state actors who are moonlighting for personal gain. North Korean state actors have usually cast a broader net; DEV-0530 seems more tightly focused in its target selection. The activity remains under study, but in the meantime Microsoft has offered indicators of compromise and some advice for defenders.

Media organizations targeted by state actors.

Late yesterday Proofpoint released a study of recent activity by state actors directed against media organizations. The researchers find that China, North Korea, Turkey, and Iran have been particularly active in prospecting media organizations. "Proofpoint researchers have observed APT actors since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives." Journalists' social media accounts have been of particular interest to the threat groups.

Criminal gangs at war.

The most notorious early adherent to the Russian cause among the cyber gangs was the now (possibly) defunct, dispersed, and rebranded Conti, which on February 25th announced its "full support of the Russian government" and promised to use all the resources at its disposal against enemy infrastructure. This prompted a wave of doxing in which disaffected and possibly foreign Conti collaborators released the gang's internal chatter through their @ContiLeaks account. Cyjax, which was following developments, notes, "This leak caused significant unrest within the group, with the @ContiLeaks account itself tweeting: 'We know everything about you Conti, go to panic, you can[‘t] even trust your gf, we against you!'" Conti itself did a bit of back-pedaling for damage control, backing down from its promises of unconditional cyber war to a more measured claim that it would only target Western warmongers, but the reputational damage had been done, and may have contributed to the gang's subsequent occultation.

On March 4th, shortly after Conti's ill-advised patriotic screed, researchers at Cyjax noticed another leak-and-dump operation targeting a different Russian gang: Trickbot. The leakers tweeted under the name @trickleaks, and the main point of their doxing was to expose the close connection between Trickbot's criminal operators and Russia's FSB security service. @trickleaks announced itself to the world with the tweet, “We have evidence of the FSB’s cooperation with members of the Trickbot criminal group (Wizard Spider, Maze, Conti, Diavol, Ruyk).” The close collaboration between gangland and the Russian security service isn't surprising, but the degree of organization and interconnection among apparently disparate criminal groups is, Cyjax thinks, useful news that will help organizations defend themselves against organized cybercrime in the future. Gangland seems to have more mutual dependencies than had been generally appreciated.

A "cyber world war?"

The name seems a bit overheated, and a cyber war isn't, after all, as damaging as a full kinetic war (even when cyber attacks have kinetic effects), but in terms of scope the name doesn't seem too far off.

For example, Canada's Communications Security Establishment (CSE) yesterday warned that the current Russian cyber threat is not to be underestimated. The National Post quotes a CSE report as saying, “the scope and severity of cyber operations related to the Russian invasion of Ukraine has almost certainly been more sophisticated and widespread than has been reported in open sources.” The most immediate threat is heightened cyberespionage, but attacks against critical infrastructure are also held to be a real possibility. Canada has been an early, consistent, and strong supporter of Ukraine during the present war. Canada is also home to a large Ukrainian diaspora.

Politico has a long interview with Yurii Shchyhol, who directs Ukraine's State Service of Special Communications and Information Protection, the SSSCIP, which Politico describes as roughly equivalent in terms of its responsibilities to the US Cybersecurity and Infrastructure Security Agency (CISA). The article aims to describe what it characterizes as a generally successful Ukrainian defensive effort in cyberspace, and summarizes the Ukrainian view of how to fight Russia in cyberspace: first of all, isolate it, and deny it access to resources and technology.

Tracing the history of the cyber phases of the hybrid war, Shchyhol said that Russia's cyber campaign preceded the physical invasion by more than a month. "For Ukrainians, the first cyber world war started on Jan. 14, 2022, when there were attacks launched at the websites owned by state authorities. Twenty websites were defaced, and more than 90 information systems belonging to those government authorities were damaged." Attacks against Viasat ground terminals disabled the satellite-borne Internet provider a matter of hours before the invasion itself.

Shchyhol thinks the Russian cyber campaign has been well-resourced, but also that it's used familiar tools: "In terms of their technical capabilities, so far the attackers have been using modified viruses and software that we’ve been exposed to before, like the “Indestroyer2” virus, when they targeted and damaged our energy station here. It’s nothing more than a modification of the virus they developed back in 2017. We all have to be aware that those enemy hackers are very well-sponsored and have access to unlimited finances, especially when they want to take something off the shelf and modify it and update it." He emphasized the importance of denying Russia access to the "civilized world's" security companies and IT infrastructure, and in restricting Russia's participation in international IT organizations like the International Telecommunications Union.

He had some interesting if guarded disclosures about the help Ukraine is receiving from NSA and US Cyber Command:

"It’s an ongoing, continuous war, including the war in cyberspace. That’s why I won’t share any details with you, but let me tell you that we do enjoy continuous cooperation. There is a constant synergy with them, both in terms of providing us with the assistance that we need to ensure proper protection and safety of our websites and our cyberspace, especially of government institutions and military-related installations, but also they help us with their experts, some of whom are on-site here in Ukraine and are providing on-going consultations.

"Like in further supply of heavy weapons and other forms of weaponry, the same is true for cybersecurity. We expect that level of assistance, of those supplies, will only increase because only in this manner can we together ensure our joint victory against our common enemy."

Above all, Shchyhol warns against any relaxation of vigilance. He expects the war to continue, and that operational pauses happen in cyberspace much as they do in physical space:

"That’s why we all have to be ready for the following scenario to unfold: Those western countries and companies that are supporting the Ukrainian fight against Russia will be and are already under the constant threat of cyberattacks. This cyberwar will continue even after the conventional war stops.

"The fact that in the last two months there was a relative lull in the number and quality of cyberattacks of our enemy, both against Ukraine and the rest of the world, only follows the usual Russian tactics, which are that they are accumulating efforts and resources, readying themselves for a new attack which will be coming. It will be widespread, probably global. Right now our task here is not to miss it, to stay awake and aware to that threat."

The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.

CISA releases thirty ICS security advisories.

Yesterday afternoon the US Cybersecurity and Infrastructure Security Agency (CISA) released an unusually large number of ICS advisories, thirty in all. They include one mitigation for a vulnerability in an Open Design Alliance system. The other twenty-nine involved Siemens products.

Dateline Moscow, Kyiv: Cyber gangs and a global cyber war.

Ukraine at D+141: Imprecision, gangs, and global cyber war. (The CyberWire) Indiscriminate Russian fire draws continuing international condemnation, but such fire may represent the only level of precision available to Russian fire support and strike systems. Trickbot is described as a criminal organization that works in close cooperation with the FSB. And Ukraine's SSSCIP describes its approach to what it characterizes as a cyber world war.

Russia-Ukraine war: List of key events, day 142 (Al Jazeera) As the Russia-Ukraine war enters its 142nd day, we take a look at the main developments.

Ukraine's new US rockets are causing fresh problems for Russia (CNN) There's a new and potentially very significant factor in the Ukrainian conflict: the Ukrainians' ability to use recently supplied Western systems to hit Russian command posts, logistical hubs and ammunition dumps a long way beyond the front lines.

Ukraine condemns Russia strike that killed 23 in 'ordinary, peaceful' city (Reuters) Russian missiles struck the Ukrainian city of Vinnytsia far behind the frontlines on Thursday in an attack which Ukrainian officials called a war crime and said had killed at least 23 people, including three children.

Russia-Ukraine war live: children among the dead as rescuers search for dozens missing in Vinnytsia attack (the Guardian) At least 23 people confirmed dead in Russian missile attack

Russia-Ukraine crisis live updates | Ukrainian rescue teams hunt for survivors in Vinnytsia (The Hindu) Here are the latest developments from the ongoing Russia-Ukraine conflict on July 15

Ukrainian city cleans up and grieves after Russian missile attack (Reuters) By Sergiy Voloshyn and Valentyn Ogirenko

G20: Canada claims Russian delegation are personally responsible for ‘war crimes’ in Ukraine (the Guardian) Minister’s accusation comes day after US Treasury secretary says Putin government officials ‘have no place’ at talks

US, Canada Condemn Russia's War on Ukraine at Indonesia G20 Talks (VOA) Finance ministers accuse Russian officials of complicity in atrocities committed during the war

Russian officials at G20 accused of war crimes after missile strike on Vinnytsia (ABC) US and Canadian officials tell Russian officials at the G20 summit they share responsibility for civilian deaths in Ukraine, as Volodymyr Zelenskyy warns the death toll from a Russian strike on the city of Vinnytsia could rise.

British aid worker held by Russian-backed Ukraine separatists reported dead (the Guardian) Paul Urey, who was captured and accused of being a mercenary, has died, Donetsk official says

Fiona Hill: Putin’s Running Out of Time (Foreign Policy) A top Russia advisor to three U.S. presidents explains why the world shouldn’t fall for Moscow’s narrative that it can wait out the West in…

Inside The Russian Cybergang Thought To Be Attacking Ukraine—The Trickbot Leaks (Forbes) Exclusive: Months of detailed analysis by threat intelligence specialists has resulted in a rare glimpse inside the Russian cybergang with Ukraine in the crosshairs.

Who is Trickbot? (Cyjax) Since the start of the Russia-Ukraine conflict, Russian based cybercrime groups have been placed into a difficult position. With many groups being comprised of a variety of different nationalities, the various members need to make decisions on allegiance. Leading the charge was the Conti ransomware group who decided on 25 February 2022 to make a … Continued

Who is Trickbot? (Cyjax) Analysis of the Trickbot Leaks

NATO and the European Union work together to counter cyber threats (NATO) Following the NATO Summit in Madrid last month, senior officials from NATO and the European Union (EU) met today (14 July 2022) to take stock of recent developments in the cyber threat landscape and explore further areas of engagement on cyber defence.

The Man at the Center of the New Cyber World War (POLITICO) Yurii Shchyhol’s job is to protect Ukraine against ongoing Russia cyberattacks. But the war he’s fighting is global, he says — and he has some advice for the rest of us.

Russian cyber threat to Canada worse than previously reported: CSE (National Post) The agency warned Russia is also 'in the process of developing cyber capabilities against targets' in the E.U. and NATO, including Canada

EU Privacy Regulators Are Scrutinizing Data Flows to Russia (Wall Street Journal) Regulators are monitoring legal changes in Russia and how they could affect any data being moved through from the EU, according to the European Data Protection Board, the umbrella group of authorities from the bloc.

Disinformation is being used in the Ukrainian war more than in any other conflict so far - Google (Baltic Times) RIGA - More than in any other conflict so far, disinformation is being used as a weapon in the war in Ukraine, which requires a lot of effort by...

Russia jails opposition figure for criticizing its military (ABC News) A court in Russia has ruled to remand a prominent opposition politician in custody pending an investigation and trial over his public criticism of Russia’s military actions in Ukraine

The Gorinov Case Sets New Benchmark in the Kremlin’s War against Dissent (Wilson Center) On July 8, 2022, a Moscow court handed down its first prison sentence to an antiwar dissenter. It jailed Alexei Gorinov, a Moscow municipal councilor, for an astonishing seven years for speaking out against Russia’s invasion of Ukraine at a local council meeting.

Europe’s Tiny Steps Won’t Solve Its Energy Emergency (Foreign Policy) The bad policies that created the crisis are still in place.

Attacks, Threats, and Vulnerabilities

North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware (Microsoft Security) A group of actors originating from North Korea that Microsoft Threat Intelligence Center (MSTIC) tracks as DEV-0530 has been developing and using ransomware in attacks since June 2021. This group, which calls itself H0lyGh0st, utilizes a ransomware payload with the same name for its campaigns and has successfully compromised small businesses in multiple countries as early as September 2021.

Microsoft links Holy Ghost ransomware operation to North Korean hackers (BleepingComputer) For more than a year, North Korean hackers have been running a ransomware operation called HolyGhost, attacking small businesses in various countries.

Above the Fold and in Your Inbox: Tracing State-Aligned Activity Targeting Journalists, Media (Proofpoint) Those involved in media make for appealing targets given the unique access, information, and insights they can provide on topics of state-designated import. Proofpoint researchers have observed APT actors since early 2021 regularly targeting and posing as journalists and media organizations to advance their state-aligned collection requirements and initiatives.

Chinese hackers targeted U.S. political reporters just ahead of Jan. 6 attack, researchers say (CyberScoop) The previously unreported campaigns represent one of several ongoing nation-state attempts to hack journalists, the researchers said.

Journalists Emerge as Favored Attack Target for APTs (Threatpost) Since 2021, various state-aligned threat groups have turned up their targeting of journalists to siphon data and credentials and also track them.

A New Attack Can Unmask Anonymous Users on Any Major Browser (Wired) Researchers have found a way to use the web's basic functions to identify who visits a site—without the user detecting the hack.

PayPal-themed phishing kit allows complete identity theft (Help Net Security) By misusing the PayPal logo and general design, the phishing kit is aimed at collecting info that can be used to steal the victims' identity.

PayPal phishing kit added to hacked WordPress sites for full ID theft (BleepingComputer) A newly discovered phishing kit targeting PayPal users is trying to steal a large set of personal information from victims that includes government identification documents and photos.

Apple ID Phishing Scams: Code / Password Reset Email & Fake Security Alert Text (Trend Micro News) How do Apple ID Password / Code Reset Email Scams Work? How to Protect Yourself?

Stealthy OpenDocument Malware Deployed Against Latin American Hotels (HP Wolf Security) Don’t let cyber threats get the best of you. Read our post, Stealthy OpenDocument Malware Deployed Against Latin American Hotels, to learn more about cyber threats and cyber security.

BlackCat Ransomware Group Deploys Brute Ratel Pen Testing Kit (Infosecurity Magazine) The BlackCat ransomware group has deployed a new binary to help with its intrusion efforts

Videogame maker Bandai Namco confirms cyber attack (ComputerWeekly.com) Bandai Namco, developer of videogames including Pac-Man, Tekken and Dark Souls, has broken days of silence to confirm it has been hit by a cyber attack.

Bandai Namco finally confirms massive cyber attack as ransomware outfit claims responsibility (IT PRO) AlphV/BlackCat claims "data is coming soon" to its deep web blog in a suspected double-extortion ransomware attack

Canadian airlines suffer delays and cancellations due to Zayo outage (The Record by Recorded Future) Several flights across Western Canada have been canceled or delayed due to an internet outage affecting the air navigation service provider NAV Canada.

Twitter is back after a major outage (The Verge) Twitter is not accessible on web or mobile right now.

Data breaches explained: Types, examples, and impact (CSO Online) A data breach is a security incident in which a malicious actor breaks through security measures to illicitly access data. The costs and consequences for the companies and individuals can be significant and long-lasting.

Phone, email and Social Security numbers may have been stolen from Mooresville schools (The Reporter Times) The school system reported a disruption and a ransomware group has claimed it hacked into and stole student data.

Security Patches, Mitigations, and Software Updates

July Patch Tuesday 2022: Updates and Analysis (CrowdStrike) The CrowdStrike Falcon Spotlight team analyzes July's vulnerabilities, and offers insights into vulnerabilities and patches affecting Microsoft products so far this year.

Juniper Networks Releases Security Updates for Multiple Products (CISA) Juniper Networks has released security updates to address vulnerabilities affecting multiple products. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Juniper Networks security advisories page and apply the necessary updates.

Siemens SCALANCE X Switch Devices (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SCALANCE X Switch Devices Vulnerabilities: Use of Insufficiently Random Values, Classic Buffer Overflow 2.

Siemens SICAM GridEdge (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SICAM GridEdge Vulnerability: Exposure of Resource to Wrong Sphere 2. RISK EVALUATION The SICAM GridEdge software contains an improper access control vulnerability, which could allow persons with local access to the host system to inject an SSH key.

Siemens SIMATIC MV500 Devices (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC MV500 Devices Vulnerabilities: Insufficient Session Expiration, Missing Authentication for Critical Function 2.

Siemens Simcenter Femap (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Simcenter Femap Vulnerability: Out-of-bounds Write 2. RISK EVALUATION If a user is tricked into opening a malicious file with the affected application, then this vulnerability could allow remote code execution.

Siemens RUGGEDCOM ROX (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.2 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: RUGGEDCOM ROX Vulnerability: Command Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker with administrative privileges to gain root access.

Siemens Mendix Excel Importer (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Mendix Excel Importer Module Vulnerability: XML Entity Expansion 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to compromise the availability of the affected component.

Siemens Datalogics File Parsing Vulnerability (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Teamcenter Visualization and JT2Go Vulnerability: Heap-based buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could crash a system or potentially lead to arbitrary code execution if a user opens a malicious PDF file.

Siemens PADS Standard/Plus Viewer (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: PADS Standard/Plus Viewer Vulnerabilities: Out-of-bounds Read, Out-of-bounds Write, Improper Restriction of Operations within the Bounds of a Memory Buffer 2.

Simcenter Femap and Parasolid (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Simcenter Femap and Parasolid Vulnerability: Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform remote code execution in the context of the current process of the application through an out-of-bounds read.

Siemens Mendix Applications (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Mendix Applications Vulnerability: Injection 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a malicious user to leak sensitive information if the Workflow visual language of Mendix is used.

Open Design Alliance Drawings SDK (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Open Design Alliance Equipment: Drawings SDK Vulnerability: Out-of-Bounds Read 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a user to open a malicious DWG file that could lead to the application crashing or to an arbitrary code execution.

Siemens SRCS VPN Feature in SIMATIC CP Devices (CISA) 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC CP Devices Vulnerabilities: Heap-based Buffer Overflow, Command Injection, Code Injection 2.

Siemens Mendix (CISA) 1. EXECUTIVE SUMMARY CVSS v3 4.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Mendix Vulnerability: Improper Access Control 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to change the user’s password bypassing password validations within a Mendix application.

Siemens CPC80 Firmware of SICAM A8000 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: CPC80 Firmware of SICAM A8000 Vulnerability: Missing Release of Resource after Effective Lifetime 2. RISK EVALUATION Successful exploitation of this vulnerability could crash the device being accessed; a buffer overflow condition may allow remote code execution.

Siemens SIMATIC eaSie Core Package (CISA) 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC eaSie Vulnerabilities: Improper Input Validation, Missing Authentication for Critical Function 2.

Siemens EN100 Ethernet Module (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: EN100 Ethernet Module Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer. 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to crash the affected application leading to a denial-of-service condition.

Siemens Opcenter Quality (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Opcenter Quality Vulnerability: Incorrect Implementation of Authentication Algorithm. 2. RISK EVALUATION Successful exploitation of this vulnerability could allow unauthenticated access to the application or cause denial of service condition for existing users.

Siemens RUGGEDCOM ROS (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: RUGGEDCOM ROS Vulnerability: Improper Control of Generation of Code 2. RISK EVALUATION Successful exploitation of this vulnerability could cause malicious behavior through legitimate user accounts accessing certain web resources on affected devices.

Siemens Industrial Products Intel CPUs (Update A) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Low attack complexity Vendor: Siemens Equipment: SIMATIC, SINUMERIK Vulnerabilities: Missing Encryption of Sensitive Data 2. UPDATE INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-21-222-05 Siemens Industrial Products Intel CPU that was published August 10, 2021, to the ICS webpage on www.cisa.gov/uscert.

Siemens SIMATIC Industrial Products (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Siemens SIMATIC Industrial Products Vulnerabilities: Operation on a Resource after Expiration or Release, Missing Release of Memory after Effective Lifetime 2.

Siemens SCALANCE X (Update D) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.4 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: SCALANCE X Vulnerability: Expected Behavior Violation 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled ICSA-19-085-01 Siemens SCALANCE X (Update C) that was published October 14, 2021, to the ICS webpage on us-cert.gov.

Siemens TIA Administrator (Update A) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATICS PCS neo (Admin Console), SINTEPLAN, TIA Portal Vulnerability: Uncontrolled Resource Consumption 2.

Siemens VxWorks-based Industrial Products (Update C) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Wind River VxWorks-based Industrial Products Vulnerability: Heap-based Buffer Overflow 2.

Siemens PROFINET Stack Integrated on Interniche Stack (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: PROFINET Stack Integrated on Interniche Stack Vulnerability: Uncontrolled Resource Consumption 2.

Siemens Industrial Products with OPC UA (Update A) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC NET PC, SITOP Manager, TeleControl Server Basic Vulnerability: Null Pointer Dereference 2.

Siemens Mendix (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Mendix Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 2. UPDATE INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-22-104-07 Siemens Mendix (Update A) that was published June 16, 2022, on the ICS webpage on cisa.gov/ics.

Siemens OpenSSL Affected Industrial Products (Update A) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Multiple industrial products Vulnerability: Infinite Loop 2. UPDATE INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-22-167-14 Siemens OpenSSL Affected Industrial Products that was published June 16, 2022, on the ICS webpage on cisa.gov/ics.

Siemens SIMATIC WinCC (Update E) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC WinCC Vulnerabilities: Path Traversal, Insertion of Sensitive Information into Log File 2.

Siemens Industrial PCs and CNC devices (Update A) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Industrial PCs and CNC devices Vulnerabilities: Improper Input Validation, Improper Authentication, Improper Isolation of Shared Resources on System-on-a-Chip, Improper Privilege Management 2.

Siemens Industrial Products (Update A) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: OPC Foundation Local Discovery Server of several industrial products Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer 2.

Trends

The ‘Shamanification’ of the Tech CEO (Wired) From fruit-only diets to dopamine fasting, Silicon Valley founders flaunt self-deprivation like a misguided pursuit of wellness. But there’s more to it.

Marketplace

Bishop Fox Secures $75 Million in Growth Funding from Carrick Capital Partners (GlobeNewswire News Room) Offensive security leader continues to defy market and economic trends with record growth and recognized innovation...

Crosslake Technologies Announces Acquisition of Cybersecurity Advisory Firm VantagePoint (Business Wire) Crosslake Technologies, a top tech advisor to private equity firms, made its third acquisition with the purchase of cybersecurity advisor VantagePoint

Upstart blockchain unicorn Aptos Labs is already facing a $1 billion ownership fight (Silicon Valley Business Journal) Aptos Labs is only eight months old, but it's already worth $1 billion — and its CEO is facing a $1 billion lawsuit related to its founding.

How to land a cybersecurity job with the federal government (Fortune) Senior homeland security officials recently estimated that the federal government had 1,500-plus open cybersecurity roles.

Dataminr Appoints Dave DeWalt as Chair of its New Corporate Market Advisory Board and Forges Strategic Partnership with NightDragon (PR Newswire) Dataminr, the world's leading real-time information discovery platform, today announced a new strategic advisory partnership with NightDragon,...

Red Canary Appoints New CFO as Company Continues to Grow at 3x the Pace of Overall MDR Market (PR Newswire) Red Canary, the Managed Detection & Response trailblazer, today announced the appointment of John Ritchie as its Chief Financial Officer. With...

DIGISTOR® Adds Cybersecurity Technology Specialist as Director of Applications Engineering (DIGISTOR) Ben Warner will liaise with customers to counsel and prioritize Data at Rest security solutions

Products, Services, and Solutions

Bolster, Inc. Launches Four New Digital Risk Protection Capabilities (PR Newswire) Bolster, Inc., the automated digital risk protection company, announced today the addition of four new platform modules: social media, app...

Horizen Launches No-Code Tokenization Platform, TokenMint, on Mainnet (BusinessWire) Horizen, a privacy-focused zero-knowledge network of blockchains powered by the largest node system, announced the mainnet launch of its no-code token

External Attack Surface Management Tool SCOUT Increases Visibility into Organizations' Expanding Attack Surfaces Automated, Continuous Monitoring (PR Newswire) Arctonyx, a cybersecurity products company operating in the greater Washington, D.C. area, announced the official launch of SCOUT, an External...

SOC Prime Delivers New Smoking Guns Sigma Rules List (Business Wire) SOC Prime, the provider of the world’s largest and most advanced threat detection marketplace, today announced the availability of Smoking Guns Sigma

Contrast Security Unlocks the Power of Serverless Technology at AWS re:Inforce Conference (PR Newswire) Contrast Security (Contrast), the leader in code security that empowers developers to secure-as-they code, today announced its lineup of events...

Top 10 cyber security platforms (Technology Magazine) As cyber attacks become more complex, it has never been more crucial for businesses to invest in cyber. Here, we take a look at the top cyber platforms

Keysight Cyber Training Simulator Provides Universities a Realistic Turnkey Cyber Range (Yahoo) SANTA ROSA, Calif., July 14, 2022--Keysight Technologies, Inc. (NYSE: KEYS), a leading technology company that delivers advanced design and validation solutions to help accelerate innovation to connect and secure the world, has introduced Keysight Cyber Training Simulator (KCTS), a comprehensive, turnkey cyber range that simulates real-world traffic using the company’s BreakingPoint solution.

Hacket Cyber Lets You Partner With Hackers with the ALLYGN Partner Pro (PRWeb) Hacket Cyber, a leader in penetration testing and offensive security services, has announced today the debut of the ALLYGN partner program for technology rese

Technologies, Techniques, and Standards

NSA Publishes Guidance on Characterizing Threats, Risks to DoD Microelectronics (National Security Agency/Central Security Service) The National Security Agency’s (NSA) Joint Federation Assurance Center Hardware Assurance Lab published a report on “DoD Microelectronics: Levels of Assurance Definitions and Applications” today to

Design and Innovation

CyberArk Execs: 9 Bets on What's Next in Identity Security (BankInfoSecurity) CyberArk has pushed beyond privileged access management to address broader identity use cases as the rise of machine identities creates new challenges. The company

Research and Development

Exploring Intelligent Ways to Redefine Defence Cybersecurity (Australian Cyber Security Magazine) Digital automation promises to accelerate productivity at a massive scale, but with networked digital infrastructure comes the risk of unexpected faults or malign activities due to undetected network vulnerabilities.

Academia

FAU Receives State Grant for Cybersecurity, IT Training (Florida Atlantic University) Florida Atlantic University was awarded more than $800,000 by the state of Florida to prepare students for jobs in the burgeoning fields of cybersecurity and information technology.

Legislation, Policy, and Regulation

China’s Surveillance State Hits Rare Resistance From Its Own Subjects (New York Times) Beijing’s swift move to censor news about one of the largest known data breaches shows keen awareness of how major security lapses can harm its credibility.

Britain’s Online Safety Bill set to be delayed (POLITICO) Boris Johnson’s exit throws content regulation law into doubt.

Biden's cyber strategy expected to boost federal role in protecting critical systems from hackers (CyberScoop) The national cyber director's office is leading the drafting of the document.

White House pushes for chips funding as Intel loses patience (The Verge) Congress has little time to approve $52 billion in chips funding

Langevin amendment to boost cyber defenses for critical infrastructure wins House approval (CyberScoop) The designated entities will be required to report how they manage cyber risk for critical assets.

Sen. Warner maneuvers to secure intelligence community backing of tech antitrust bill, sources say (CyberScoop) Critics say that in its quest to break up big tech, the legislation also opens the door to cyber and national security risks.

Simple Cyber Reporting Will Enable Better Governmentwide Response, Lawmaker Argues (Nextgov.com) Sen. Gary Peters discussed how streamlined reporting to CISA can clarify the cyber threat landscape to all U.S. networks.

Intel Agencies Embracing Social Media to Spread Message, Mission (MeriTalk) Federal intelligence agencies have grown increasingly comfortable with using social media tools to spread the word about their work, officials said this week.

NSA works to address ‘really concerning’ cyber threats (Government Matters) The National Security Agency (NSA) established a cybersecurity directorate in 2019 with the goal of protecting the Defense Department (DoD), national security systems and the defense industrial base from cyber attacks. NSA Director of Cybersecurity Rob Joyce oversees that directorate. There is a shared understanding around the world of the ‘really concerning’ cyber tactics China […]

Customer service at the National Security Agency (FCW) Steve Kelman finds a helping hand in the highly secretive spy shop.

Task force to combat scams targeting troops, veterans pitched by House lawmakers (Stars and Stripes) A joint task force to combat consumer fraud targeting service members and veterans was introduced by House lawmakers as an amendment to the National Defense Authorization Act.

Litigation, Investigation, and Law Enforcement

Amazon handed Ring footage to police without user consent (AP NEWS) Amazon has provided Ring doorbell footage to law enforcement 11 times this year without the user’s permission, a revelation that’s bound to raise more privacy and civil liberty concerns about its video-sharing agreements with police departments across the country.

Amazon finally admits giving cops Ring doorbell data without user consent (Ars Technica) Amazon Ring gave police data without user consent 11 times so far in 2022.

Amazon's Ring has provided doorbell footage to police without owners' consent 11 times so far this year (CNN) Amazon's smart-doorbell company, Ring, has provided surveillance footage to law enforcement without a warrant or the consent of doorbell-owners 11 times this year alone, according to a letter Amazon (AMZN) sent to Congress earlier this month.

Today I learned Amazon has a form so police can get my data without permission or a warrant (The Verge) If police convince Amazon it’s an emergency, they get access

Amazon gave Ring videos to police without owners’ permission (POLITICO) The revelation highlights the many ways that police can get footage from Ring doorbells, and how often it happens without consent.

Amazon Admits Giving Ring Camera Footage to Police Without a Warrant or Consent (The Intercept) In response to recent questions from Sen. Ed Markey, Amazon stated that it has provided police with user footage 11 times this year alone.

Log4j Software Flaw 'Endemic,' New Cyber Safety Panel Says (SecurityWeek) The Log4j vulnerability is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.

Log4j software flaw 'endemic,' new cyber safety panel says (Washington Post) A computer vulnerability discovered last year in a ubiquitous piece of software is an “endemic” problem that will pose security risks for potentially a decade or more, according to a new cybersecurity panel created by President Joe Biden.

DHS warns: Expect Log4j risks for 'a decade or longer' (Register) Great, another thing that's gone endemic

Biden administration warns Log4J cyber flaw will linger for possibly ‘decade or longer’ (The Washington Times) The Biden administration is warning that a widespread cyber vulnerability discovered last year will linger for several years — perhaps more than a decade.

TikTok Use by Military Poses Security Risk, US Regulator Testifies (Bloomberg) FCC member Carr says location data may flow to Beijing. TikTok ‘pervasive’ on personal devices, Carr tells House panel.

DOJ Poised to Rebuff Google Concessions, Clearing the Way for Antitrust Suit (Bloomberg) Justice Department is expected to file Google suit in weeks. Google has proposed spinning off part of its ad network.

Lawyers Suing Social Media Giants Turn to Products Liability Theories (New York Law Journal) A trending approach is gaining momentum as more and more plaintiffs allege that social media companies seek to addict their users.

Shields Health Sued Over Data Breach That Affected 2 Million (Bloomberg Law) Shields Health Care Group Inc. faces a proposed class action over a data breach that impacted 2 million people and more than 50 of the provider’s health care facilities.

Southwest Health data breach reported to FBI (Monroe Times) Southwest Health notified its patients last week that a data breach Jan. 11 may have released personal medical information.

Police monitor other cybersex dens after rescue of minors (Yahoo) THE Women and Children’s Protection Center (WCPC) Visayas Field Unit is monitoring other cybersex dens in Cebu City after eight minors, including a four-month-old baby, allegedly hired to do obscene acts, were rescued from a house in Barangay Luz Wednesday afternoon, July 13, 2022.Police Major Niño Lawrence Ibo, officer-in-charge of WCPC, said they were alarmed by the recent abuse of the underage girls whose nude photos have been uploaded to the social media for their customers, mostly foreigner

US urges speed in Booz Allen antitrust case as NSA intel contract nears (C4ISRNet) U.S. attorneys argue a speedier clip is necessary to preserve competition on a National Security Agency contract dubbed Optimal Decision, which deals with signals intelligence and simulation services.

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

Digital safety snacks: Protect yourself from online abuse with short videos and workshops (Virtual, Jun 13 - Jul 28, 2022) PEN America, the Online News Association, and the International Women’s Media Foundation have teamed up to create step-by-step videos and hands-on workshops to help you defend yourself against online abuse. We’ll explain how to protect your most sensitive accounts from hackers and how to dox yourself before someone else does. We want to empower you to feel safer and more secure while maintaining the public profile you need to do your job. This series will include eight short video episodes and four virtual workshops, when you can follow along to complete your digital wellness check, ask questions, and get help if you get stuck. You can join one, two or all four sessions.

The Diana Initiative Virtual Conference (Virtual, Jul 16, 2022) Back for the 6th year, The Diana Initiative is hosting a two-day diversity-driven conference committed to helping all underrepresented genders, sexualities, races and cultures in Information Security. The Diana Initiative features multiple speaker tracks, fully expanded villages with hands-on workshops, and a women-led Capture the Flag event.

Blackpoint ReCON 2022 (Virtual, Jul 21, 2022) Join the Blackpoint team for our second annual ReCON, where you will learn from cybersecurity experts about the threats we’ve seen, anticipated tactics our Adversary Pursuit Group (APG) is watching, and ways that you can bolster your defenses. When operating proactively, you’re able to maintain operations for all you protect, as well as elevate your business growth.

Hackers On Planet Earth (HOPE) (New York, New York, USA, Jul 22 - 24, 2022) The Hackers On Planet Earth (HOPE) conference, has run continuously since 1994, and is hosted by 2600 Magazine. We define hacking broadly: hardware, software, social engineering, artwork, and much more. Recent conferences have featured over 100 speakers and drawn several thousand attendees. If a hacking-related topic is in the public mind, we want to address it directly.

STEM Pioneers Rock! Dr. L. Jean Camp, Professor, Author, Innovator (Columbia and Virtual, Maryland, United State, Jul 25, 2022) Brought to you by NSA and Dreamport/MISI, the STEM Pioneers Rock series, highlights significant accomplishments of those who are "firsts" in their field. These individuals are responsible for attaining goals that opened doors for those who come behind them. In addition, we hope the "pioneers" we have identified encourage our workforce to "stay the course", improving retention statistics. Professor L. Jean Camp is a founder of the interdiscipline of economics of security. Her core contributions are in area of the social and economic implications of technologies of security and privacy. She is a leader in the investigation of the insider threat in the networked realm. Prof. Camp began her graduate studies in electrical engineering in North Carolina before moving to the Department of Engineering and Public Policy at Carnegie Mellon to complete her PhD in Engineering and Public Policy. Upon graduation she became a Senior Member of the Technical Staff at Sandia National Laboratories. She left Sandia National Laboratories for eight years as a professor at Harvard's Kennedy School, departing to lead the security group in the newly-formed School of Informatics at Indiana University. Professor Camp is the author of "Trust and Risk in Internet Commerce" (MIT Press), "Economics of Identity Theft" (Springer) and the editor of "Economics of Information Security" (Kluwer Academic). She has authored over one additional hundred works, including ninety peer-reviewed works and two dozen book chapters. She has made scores of invited presentations on five continents. Her patents are in the area of privacy-enhancing technologies. Her professional service has included terms on the Board of Directors of Computer Professionals for Social Responsibility, the Board of Governors of the IEEE Society on Social Implications of Technology, Alumni Board for Carnegie Mellon, Senior Member of the IEEE, and longstanding member of the USACM. See http://www.ljean.com/cv.html for more detailed information.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.