Zeppelin ransomware. The DoNot Team. $10 million reward for Conti tips. Cyber partisans. CISA issues 28 ICS advisories.

Summary

By the CyberWire staff

At a glance.

Joint warning on Zeppelin ransomware.
Update on the DoNot Team, APT-C-35.
Rewards for Justice offers $10 million for information on Conti operators.
The optempo of the war's cyber phase, and how Ukraine has responded.
Organizing and equipping hacktivists.
CISA issues twenty-eight ICS security advisories.

Joint warning on Zeppelin ransomware.

The US Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) have released a joint advisory on Zeppelin ransomware. Developed from the Delphi-based Vega malware family, Zeppelin is a ransomware-as-a-service offering that's used "to target a wide range of businesses and critical infrastructure organizations, including defense contractors, educational institutions, manufacturers, technology companies, and especially organizations in the healthcare and medical industries." It gains access to its victims either through phishing or by RDP exploitation of known SonicWall firewall vulnerabilities. Zeppelin is typically used in double-extortion attacks, exfiltrating files before encrypting them, and thus adding the threat of doxing to the denial of access to data. The advisory includes a comprehensive list of indicators of compromise as well as recommended mitigations.

Sponsors make the Daily Briefing possible.

Having the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, means companies trust us to get their messages out. Feature your brand and message with the source that top security leaders read every day. Learn more.

Update on the DoNot Team, APT-C-35.

Morphisec researchers have published an updated and detailed account of the tactics, techniques, and procedures of the DoNot Team, or APT-C-35, a cyberespionage operations that concentrates on military, government, and diplomatic targets in South Asia, and especially in India, Pakistan, Sri Lanka, and Bangladesh. "For initial infection, the DoNot Team uses spear phishing emails containing malicious attachments," the researchers say. "To load the next stage they leverage Microsoft Office macros and RTF files exploiting Equation Editor vulnerability and remote template injection." The group has recently added new modules to its Windows framework.

The DoNot Team is also known as "Viceroy Tiger," and has, as CrowdStrike and others have pointed out, an ambiguous connection with India. CrowdStrike's entry on the threat group says, "Viceroy Tiger is an adversary with a nexus to India with a long history of targeted intrusion activity targeting entities in a range of geographies and sectors. Industry reporting from 2013 linked the adversary to an India-based security company. Since that time, VICEROY TIGER operations have continued with the use of custom malware families with a heavy focus on targeting Pakistan, other countries in the South Asia region, and China."

Check out our exclusive interview w/ CISA Director Jen Easterly.

Did you catch Dave Bittner's interview with CISA Director Jen Easterly? Hear Director Easterly discuss her time at CISA, the work of her team, and her take on the current cyber threat landscape in this special edition extended interview. Listen now!

Rewards for Justice offers $10 million for information on Conti operators.

Or Conti alumni, depending upon how you read the gang's present occultation. In any case it's the natural person and not the organization that's the target. The US Department of State has tweeted its offer in both Russian and English: "The U.S. Government reveals the face of a Conti associate for the first time! We’re trying to put a name with the face! To the guy in the photo: Imagine how many cool hats you could buy with $10 million dollars! Write to us via our Tor-based tip line."

The alleged Conti hoods who go by the noms de hack Tramp, Dandis, Professor, Reshaev, and Target are specifically mentioned (and invited to turn their coats). Target is the one with the taste in hats Foggy Bottom admires. "If you have information that ties hacking groups such as Conti, Trickbot, Wizard Spider; the hackers known as 'Tramp,' 'Dandis,' 'Professor,' 'Reshaev,' and 'Target;' or any malware or ransomware to a foreign government targeting U.S. critical infrastructure, you may be eligible for a reward," the embedded video says. Target is the guy in the hat; there are no pictures of the other four. Target is a belt-and-suspenders kind of guy. In addition to the "cool hat," he seems to be wearing the obligatory hoodie.

The $10 million reward is twice what the Rewards for Justice program offered Monday for information on North Korean operators using cryptocurrency mixers like Tornado Cash to launder money.

The optempo of the war's cyber phase, and how Ukraine has responded.

Reuters reports remarks delivered at the Black Hat conference in Las Vegas this Wednesday by Victor Zhora, deputy head of Ukraine's State Special Communications Service. He said that detection of cyberattacks had more than tripled since the war began in February, and that they became particularly intense in late March and early April. Reuters summarizes Zhora as saying, "Ukraine faced a number of 'huge incidents' in cyberspace from the end of March to the beginning of April, Zhora said, including the discovery of the 'Industroyer2' malware which could manipulate equipment in electrical utilities to control the flow of power." Zhora also acknowledged the pro bono cloud services provided by Microsoft, Amazon and Google, which have helped the Ukrainian government back data up in physically safe servers abroad.

Organizing and equipping hacktivists.

The Record has an account of the work of Nikita Knysh, an alumnus of Ukraine’s Security Service (SBU) and founder of the cybersecurity consultancy HackControl. Knysh took it upon himself to support hacktivists, cyber partisans, who wished to hit Russian interests and assets in cyberspace. He sees cyber partisans as filling a Ukrainian capability gap. “'I realized that we should take control of the situation,' Knysh told The Record. Our government didn’t have a ‘cyber army’, so we built it ourselves.'” Part of enabling the partisans to take effective action is training them. A website Knysh established, HackYourMom Academy, offers a kind of vade mecum through cyber conflict, and it's available in Ukrainian, Russian and English. "Some lessons are simple," the Record writes, "how to install an antivirus program, connect to a VPN, or use a virtual machine. Others are more advanced, such as how to conduct distributed denial-of-service (DDoS) attacks or hack Russian cameras and WiFi routers."

Hacktivists and cyber partisans occupy a gray area similar to one their kinetic counterparts live in. Just conduct of a war generally requires that combatants use proper discrimination in their selection of targets, and that they operate under some form of responsible command. In the loosey-goosey hacktivists' world, it's not clear that these conditions are always or even generally met (witness Anonymous as exhibit A). Still, Knysh seems clearly right to maintain that enemy assets in cyberspace represent legitimate potential targets. “Not attacking your enemy in cyberspace is stupid,” Knysh said. “In the past, soldiers destroyed logistics and production facilities, but now they also attack technology and information.”

The CyberWire's continuing coverage of the unfolding crisis in Ukraine may be found here.

CISA issues twenty-eight ICS security advisories.

Yesterday the US Cybersecurity and Infrastructure Security Agency, (CISA) released an unusually large number of ICS security advisories, twenty eight in all. They're too many to link here, but see the selected reading below for a complete list. The affected systems include products offered by Siemens, Schneider Electric, Emerson, and Baxter.

Dateline Moscow, Kyiv, and Minsk: Insecurity in the communications zone.

Ukraine at D+169: Partisans, both kinetic and cyber. (CyberWire) Ukraine appears determined to convince Russia (and its Belarusian fellow-traveler) that the rear areas, including Crimea and Belarusian border regions themselves aren't safe places any longer. A website aims to train and empower anti-Russian cyber partisans.

Russia-Ukraine war: List of key events, day 170 (Al Jazeera) As the Russia-Ukraine war enters its 170th day, we take a look at the main developments.

UN nuclear watchdog warns of ‘grave hour’ amid fresh shelling of Ukraine’s Zaporizhzhia plant (the Guardian) Agency chief calls for immediate end to military activity around plant, saying further ‘deeply worrying’ incidents could lead to disaster

Russia-Ukraine war: 'Explosions heard at Belarus airbase' near Ukrainian border (The Telegraph) Unexplained explosions were heard in the early hours on Thursday at a military airbase in Belarus near the Ukrainian border, that Russia has been using as one of the launchpads for the invasion.

Belarus says 'technical incident' behind blasts at military base (Reuters) Belarus said on Thursday that blasts heard overnight at one of its military bases 30 km (19 miles) from Ukraine were caused by a "technical incident."

Ukraine says Marines resist Russian push in Kherson region (Newsweek) The Ukrainian Navy took out 16 Russian soldiers in the Donetsk region, according to the force.

Satellite pictures show devastation at Russian air base in Crimea (Reuters) Satellite pictures released on Thursday showed devastation at a Russian air base in Crimea, hit in an attack that suggested Kyiv may have obtained new long-range strike capability with potential to change the course of the war.

Damage at Air Base in Crimea Worse Than Russia Claimed, Satellite Images Show (New York Times) Russian authorities had previously portrayed the blast as minor, but the satellite images show three major craters and at least eight destroyed warplanes. Local officials listed dozens of damaged buildings and declared a state of emergency.

Russian warplanes destroyed in Crimea airbase attack, satellite images show (the Guardian) Multiple aircraft at Saky base in Crimea blown up, with the new evidence suggesting possibility of targeted attack

Ukraine’s Strike in Crimea Could Be a Turning Point in the War (The Bulwark) Determined soldiers and steady flows of supplies point to continued Ukrainian success.

Great Expectations? The Next Phase of the Russo-Ukrainian War (War on the Rocks) Michael Kofman joined Ryan for yet another conversation about the unfolding tragedy of the Russo-Ukrainian War.

Vladimir Putin’s military cupboard is bare (The Telegraph) The Kremlin will want to respond to Ukraine’s attack in Crimea. It may no longer have the ability to do so

Putin is running out of excuses as Ukraine expands the war to Crimea (Atlantic Council) Ukraine appears to have struck deep inside Russian-occupied Crimea for the first time on August 9 with an audacious attack on a heavily defended military base. The explosions at western Crimea’s Saki airbase rattled nerves in Moscow and sparked panic throughout the Russian-occupied Ukrainian peninsula, with traffic jams reported on routes leading to the Crimean Bridge as Russian holidaymakers scrambled to cut short their vacations.

Putin Has Opened a Pandora’s Box of International Adventurism (Wilson Center) In Ukraine, Vladimir Putin has failed on many levels. He is paying an enormous cost, but he has been “successful” enough to usher in a barrage of unintended consequences for the world’s economy and some of the world’s most opportunistic players.

Latvia designates Russia a "state sponsor of terrorism" over Ukraine war (Reuters) Latvia's parliament on Thursday designated Russia as a "state sponsor of terrorism" over the war in Ukraine and called on Western allies to impose more comprehensive sanctions on Moscow in order to bring an end to the conflict.

The Other Ukrainian Army (The Atlantic) Imperiled by Russian invaders, private citizens are stepping forward to do what Ukraine’s government cannot.

Crimea bridge jammed with traffic as Russians flee after air base blasts (Newsweek) The Saki air base near Novofedorivka village was hit in a strike that reportedly killed one person and damaged or destroyed nine Russian planes.

Ukraine mocks crying Russian in Crimea with explosions video (Newsweek) The video includes footage of Russian tourists watching explosions at the Saky air base, after which on-screen text reads: "Time to head home. Crimea is Ukraine."

Russian journalist who protested Putin's war live on TV placed under house arrest (The Telegraph) Marina Ovsyannikova could face 10 years in prison if convicted of demonstration near the Kremlin

Ukraine cyber chief pays surprise visit to 'Black Hat' hacker meeting in Las Vegas (Reuters) Ukraine's top cyber official addressed a room full of security experts at a hackers' convention following a two-day trip from the capital, Kyiv, to a golden casino in Las Vegas.

Black Hat 2022‑ Cyberdefense in a global threats era (WeLiveSecurity) ESET's expert Tony Anscombe take on this first day of Black Hat 2022, with a special highlights on the cyberwar in Ukraine and the role of cyberdefense.

How one Ukrainian ethical hacker is training 'cyber warriors' in the fight against Russia (The Record by Recorded Future) In the Ukrainian hacker community, Mykyta Knysh is a household name. The 31-year-old former employee of Ukraine’s Security Service (SBU) founded cybersecurity consulting company HackControl in 2017 and launched a YouTube channel about internet security and digital literacy. It has about 8,000 subscribers.

How Russian sanctions may be helping US cybersecurity (SearchSecurity) Government officials say Russian sanctions following the invasion of Ukraine are slowing down cyber attacks on the U.S.

Past And Future In Ukraine And Belarus (RadioFreeEurope/RadioLiberty) A crucial time in the war in Ukraine, and two years since a disputed election led to protests and crackdown in Belarus. Nigel Gould-Davies, senior fellow for Russia and Eurasia at the International Institute for Strategic Studies, joins host Steve Gutterman to discuss.

How Does Russia’s War against Ukraine Affect Civilians Living Near Front Lines? (Wilson Center) Since February, Russia has been attacking Ukrainian cities from different directions with different weapons. Tens of thousands of people have died because of this attack. How is the invasion affecting people in these areas, and what challenges do they face in everyday life? Here are a few insights into the living conditions of Ukrainian citizens in war zones, from a reporter who regularly travels to regions neighboring the Russian army.

Generation UA: Young Ukrainians are driving the resistance to Russia’s war (Atlantic Council) Generation UA: From politics and the military to civil society and journalism, the post-independence generation of young Ukrainians is driving the country's remarkable fight back against Russia's invasion.

Western nations pledge more military support for Ukraine (AP NEWS) Western countries agreed Thursday to continue long-term funding to help Ukraine’s military keep fighting nearly 5½ months after Russia invaded its neighbor, saying 1.5 billion euros ($1.5 billion) has been pledged so far and more is coming.

Turkey Is the Biggest Swing Player in the Russia-Ukraine War (Foreign Policy) Ankara has used its unique position for a strategic advantage.

When will Sweden and Finland join NATO? Tracking the ratification process across the Alliance. (Atlantic Council) With this tracker, the Atlantic Council team is keeping tabs on the countries that have ratified the amended NATO treaty—and handicapping the political prospects for ratification in the rest.

Expert on the ground: What the NATO ratification process looks like from Finland (Atlantic Council) Helsinki is watching closely as political momentum builds for Finland and Sweden's NATO accession, with military preparation already under way.

Will the Ukraine War Return Poland to Europe’s Democratic Fold? (Foreign Policy) Europe and Poland need each other more than ever.

Europe's Exhaustion (Wilson Center) The first bomb that fell on Kyiv on February 24 buried the united Europe project that had been born out of the ruins of World War II. This explosion raises fundamental, perhaps even existential, questions, to which Europe is only now starting to wake up.

German soldier ‘sent army secrets to Russian spies out of sympathy’ (The Telegraph) Former reservist on trial accused of feeding Moscow’s military intelligence service with sensitive industrial and army details

The US-Led Drive to Isolate Russia and China Is Falling Short (Bloomberg) While the US and its allies have sanctioned Russia for its invasion of Ukraine, half of the countries in the Group of Twenty have not signed up.

China on the Offensive (Foreign Affairs) How the Ukraine war has changed Beijing’s strategy.

China’s New Vassal (Foreign Affairs) The war in Ukraine turned Moscow into Beijing’s junior partner.

How Putin’s Ukraine War Has Only Made Russia More Reliant on China (Defense One) Despite Putin’s imperial dreams, in the last six months China has increasingly dictated the direction of the partnership and squeezed more concessions from the Russians.

Russia Can’t Fight a War and Still Arm the World (Foreign Affairs) How the country’s shrinking weapons exports could change the Middle East.

Why Is Armenia So Close to Russia and Iran? (Foreign Policy) The small Caucasus country challenges the idea that the world is splitting into democratic and autocratic camps.

Thousands sign Ukraine petition to remove Amnesty chief Agnes Callamard (Newsweek) Ukrainian civil society leaders are demanding action after an Amnesty International report that "spit in the face of Ukrainian people."

Germany’s Frantic Push to Reduce Gas Consumption (Foreign Policy) As Russia weaponizes its gas exports, Germany is left scrambling to meet its needs—and reduction targets.

Internal documents: BSI warning about Kaspersky was strongly politically motivated - How smart Technology changing lives (Tech Smart) After Russia's military attack on Ukraine, the BSI abruptly blocked communication with Kaspersky and coordinated with the Ministry of the Interior. Internal documents from the Federal Office for Information Security (BSI) show how difficult it was for the cyber security authority to deal with the start of Russia's war…

The EU’s Next Ban Could Be on Russian Tourists (World Politics Review) A debate is raging across Europe over whether all Russians should be banned from entering the EU.

Attacks, Threats, and Vulnerabilities

#StopRansomware: Zeppelin Ransomware (CISA) Actions to take today to mitigate cyber threats from ransomware: • Prioritize remediating known exploited vulnerabilities. • Train users to recognize and report phishing attempts. • Enable and enforce multifactor authentication.

APT-C-35: New Windows Framework Revealed (Morphisec) Morphisec Labs exclusively details new updates to the Windows framework of the advanced persistent threat actors APT-C-35, a.k.a the DoNot Team.

How a Venezuelan disinformation campaign swayed voters in Colombia (CSO Online) A Black Hat presentation explains how Russia-aligned Venezuela influenced the presidential election in Columbia to its political benefit.

Facebook parent company pushes back on two cyber-espionage groups (Washington Examiner) These outfits create fake personas and impersonate famous people or attractive women.

DHS undersecretary: Log4j problem is not over, may take ‘a decade or longer’ (The Record by Recorded Future) The controversy and concern around Log4j is far from over, according to the chair of Homeland Security's Cyber Safety Review Board.

Loki Is Part Cyberdeck, Part Sinclair Spectrum, And Pretty Tricky (Hackaday) You’ve got to watch out for Loki — he’s a trickster, after all, and he might make you think this semi-cyberdeck mash-up machine is named after him, when the backstory on this buil…

Xiaomi phones with MediaTek chips vulnerable to forged payments (BleepingComputer) Security analysts have found weaknesses in the implementation of the trusted execution environment (TEE) in MediaTek-powered Xiaomi smartphones, which could enable third-party unprivileged apps to disable the payment system or forge payments.

LNK’s Awakening: Cybercriminals Moving from Macros to Shortcut Files to Access Business PCs (HP) HP Inc. (NYSE: HPQ) today issued its quarterly Threat Insights Report revealing that a wave of cybercriminals spreading malware families – including QakBot, IceID, Emotet, and RedLine Stealer – are shifting to shortcut (LNK) files to deliver malware. Shortcuts are replacing Office macros – which are starting to be blocked by default in Office – as a way for attackers to get a foothold within networks by tricking users into infecting their PCs with malware. This access can be used to steal valuable company data, or sold on to ransomware groups, leading to large-scale breaches that could stall business operations and result in significant remediation costs.

OT Security Firm Warns of Safety Risks Posed by Alerton Building System Vulnerabilities (SecurityWeek) Potentially serious vulnerabilities have been found in a building management system made by Alerton, a brand of industrial giant Honeywell.

Windows-based HMIs are too slow for monitoring process sensors or plant equipment anomalies (Control Global) Microsoft Windows has been widely adopted as a Human-Machine Interface (HMI) for Operational Technology (OT) networks which includes control systems, process sensors, and equipment monitoring. Why? Because it was there and available, not because it was optimized for the task. Windows has proven to be a great operating system for business systems and information exchange between Information Technology (IT) and OT organizations. But as an HMI to provide detailed engineering data, not so much.

AT&T Customer Data Found on the Dark Web (Hold Security) Data that likely belongs to AT&T Internet, TV, and landline customers was identified in the hands of the Romanian cyber criminals.

It Might Be Our Data, But It’s Not Our Breach (KrebsOnSecurity) A cybersecurity firm says it has intercepted a large, unique stolen data set containing the names, addresses, email addresses, phone numbers, Social Security Numbers and dates of birth on nearly 23 million Americans. The firm's analysis of the data suggests…

Cisco Confirms Data Breach, Hacked Files Leaked (Dark Reading) Ransomware gang gained access to the company's VPN in May by convincing an employee to accept a multifactor authentication (MFA) push notification.

NHS IT supplier held to ransom by hackers (BBC News) Its IT provider says it may take three or four weeks to fully recover from the cyber-attack.

Cyber-attack targets IT firm used by Northern Ireland's health service (BBC News) Health officials shut down system access to services provided by IT company Advanced as a precaution.

NHS ransomware attack: what happened and how bad is it? (the Guardian) Cyber-attacks on health bodies appear to be on the rise again after a hiatus early in the pandemic

NHS working with U.K. cyber authorities to assess ransomware attack on IT vendor (The Record by Recorded Future) The U.K.’s National Health Service said it is working with the country’s National Cyber Security Centre to investigate a recent ransomware attack on a major IT vendor.

Swan Bitcoin Discloses Data Leak Due to Phishing Attack on Newsletter Provider (Decrypt) Crypto trading app Swan Bitcoin is among dozens of crypto businesses affected by a data breach suffered by email marketing firm Klaviyo.

Report: Ransomware gangs, fraudsters laundered $540 million through RenBridge platform (The Record by Recorded Future) Hackers and cryptocurrency thieves are turning to so-called cross-chain platforms to launder money and avoid attempts by law enforcement to trace and freeze their illicit proceeds.

Facebook’s In-app Browser on iOS Tracks ‘Anything You Do on Any Website’ (Threatpost) Researcher shows how Instagram and Facebook’s use of an in-app browser within both its iOS apps can track interactions with external websites.

Emotet Phishing Update…And a Reminder to Turn On Dark Cubed Auto-Blocking (Dark Cubed) In one of our first Threat Spotlight entries back in early February , we introduced Emotet malware and why it’s so dangerous to the Dark Cubed user community, one comprising mostly small businesses. Now, we’ve uncovered evidence that Emotet’s threat to our user community - and the broader small bu

iOS Privacy: Instagram and Facebook can track anything you do on any website in their in-app browser (Felix Krause) The iOS Instagram and Facebook app render all third party links and ads within their app using a custom in-app browser. This causes various risks for the user, with the host app being able to track every single interaction with external websites, from all form inputs like passwords and addresses, to every single tap.

CISA Adds Two Known Exploited Vulnerabilities to Catalog (CISA) CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities Catalog, based on evidence of active exploitation. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risk to the federal enterprise. Note: to view the newly added vulnerabilities in the catalog, click on the arrow in the "Date Added to Catalog" column, which will sort by descending dates. 

Security Patches, Mitigations, and Software Updates

August Patch Tuesday 2022: Updates and Analysis (CrowdStrike) The CrowdStrike Falcon Spotlight™ team analyzes this month’s vulnerabilities, highlights the most severe CVEs and recommends how to prioritize patching.

Hackers are still using these old security flaws in Microsoft Office. Make sure you've patched them (ZDNet) 'Malware authors still achieve their aims by relying on aging vulnerabilities,' warn security researchers.

Cisco Releases Security Update for Multiple Products (CISA) Cisco has released a security update to address a vulnerability affecting Cisco Adaptive Security Appliance Software and Firepower Threat Defense Software. This vulnerability could allow a remote attacker to obtain sensitive information. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page.

Siemens Simcenter STAR-CCM+ (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Simcenter STAR-CCM+ Vulnerability: Exposure of Sensitive Information to an Unauthorized Actor 2. RISK EVALUATION  Simcenter STAR-CCM+ contains an information disclosure vulnerability when using the Power-on-Demand public license server.

Siemens Teamcenter (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.6 ATTENTION: Exploitable remotely/low attack complexity/public exploits are available Vendor: Siemens Equipment: Teamcenter Vulnerabilities: Command Injection, Infinite Loop 2. RISK EVALUATION Successful exploitation of these vulnerabilities could lead to command injection and denial-of-service condition.

Schneider Electric EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Schneider Electric Equipment: EcoStruxure, EcoStruxure Process Expert, SCADAPack RemoteConnect for x70 Vulnerabilities: Heap-based Buffer Overflow, Wrap or Wraparound, Classic Buffer Overflow, Out-of-bounds Write 2.

Emerson ROC800, ROC800L and DL8000 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.3 ATTENTION: High attack complexity Vendor: Emerson Equipment: ROC800, ROC800L and DL8000 Vulnerability: Insufficient Verification of Data Authenticity CISA is aware of a public report, known as “OT:ICEFALL” that details vulnerabilities found in multiple operational technology (OT) vendors.

Siemens SICAM A8000 Web Server Module (CISA) 1. EXECUTIVE SUMMARY CVSS v3 4.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SICAM A8000 CP-8000, CP-8021, CP-8022 Vulnerability: Improper Access Control 2. RISK EVALUATION  Successful exploitation of this vulnerability could allow unauthenticated access to the web interface of the affected web server.

Siemens SICAM TOOLBOX II (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SICAM TOOLBOX II Vulnerability: Use of Hard-coded Credentials  2. RISK EVALUATION  Successful exploitation of this vulnerability results in full access to the database.

Siemens SCALANCE (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SCALANCE Vulnerabilities: Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’), Allocation of Resources Without Limits or Throttling, Basic Cross Site Scripting 2.

Siemens SIMATIC S7-400 (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC S7-400 Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to create a denial-of-service condition.

Siemens Industrial Products Intel CPUs (Update A) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Low attack complexity Vendor: Siemens Equipment: SIMATIC, SINUMERIK Vulnerabilities: Missing Encryption of Sensitive Data 2. UPDATE INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-21-222-05 Siemens Industrial Products Intel CPU that was published August 10, 2021, to the ICS webpage on www.cisa.gov/uscert.

Siemens Industrial Products LLDP (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Industrial Products Vulnerabilities: Classic Buffer Overflow, Uncontrolled Resource Consumption 2.

Siemens Linux-based Products (Update G) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.4 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: Linux based products Vulnerability: Use of Insufficiently Random Values 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled ICSA-21-131-03 Siemens Linux-based Products (Update F) that was published November 11, 2021, to the ICS webpage at www.cisa.gov/uscert.

Siemens Datalogics File Parsing Vulnerability (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Teamcenter Visualization and JT2Go Vulnerability: Heap-based buffer Overflow 2. RISK EVALUATION Successful exploitation of this vulnerability could crash a system or potentially lead to arbitrary code execution if a user opens a malicious PDF file.

Siemens S7-400 CPUs (Update A) (CISA) This updated advisory is a follow-up to the advisory update titled ICSA-18-317-02 Siemens S7-400 CPUs (Update A) that was published May 14, 2019, on the ICS webpage on cisa.gov/ics. This advisory contains mitigations for an Improper Input Validation vulnerability in versions of SIMATIC S7-400 products.

Siemens SIMATIC Software Products (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.3 ATTENTION: Low attack complexity Vendor: Siemens Equipment: SIMATIC Software Products Vulnerability: Incorrect Permission Assignment for Critical Resource 2. UPDATE INFORMATION This updated advisory is a follow-up to the original advisory titled ICSA-21-194-06 Siemens SIMATIC Software Products (Update A) that was published July 13, 2021, to the ICS webpage on cisa.gov/ics

Siemens SIMATIC S7-1200 and S7-1500 CPU Families (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: SIMATIC S7-1200 and S7-1500 CPU families Vulnerabilities: Use of a Broken or Risky Cryptographic Algorithm, Missing Support for Integrity Check 2.

Baxter Sigma Spectrum Infusion Pumps (Update B) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.6 ATTENTION: Exploitable remotely/low attack complexity Vendor: Baxter Equipment: Sigma Spectrum Infusion Pumps Vulnerabilities: Use of Hard-coded Password, Cleartext Transmission of Sensitive Data, Incorrect Permission Assignment for Critical Resource, Operation on a Resource After Expiration or Release 2.

Siemens Industrial Products with OPC UA (Update H) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low skill level to exploit Vendor: Siemens Equipment: SIMATIC, SINEC-NMS, SINEMA, SINEMURIK Industrial Control Products with OPC UA Vulnerability: Uncaught Exception 2.

Siemens PROFINET Stack Integrated on Interniche Stack (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: PROFINET Stack Integrated on Interniche Stack Vulnerability: Uncontrolled Resource Consumption 2. RISK EVALUATION Successful exploitation of this vulnerability could allow a denial-of-service condition.

Siemens TIA Portal (Update C) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low skill level to exploit Vendor: Siemens Equipment: TIA Portal Vulnerability: Path Traversal 2. UPDATE INFORMATION This updated advisory is a follow-up to the advisory update titled ICSA-20-014-05 Siemens TIA Portal (Update B) that was published January 12, 2021, to the ICS webpage at www.cisa.gov/uscert/ics.

Siemens Teamcenter (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.9 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Teamcenter Vulnerability: Use of Hard-coded Credentials 2. RISK EVALUATION Successful exploitation of this vulnerability could lead to remote code execution with elevated permissions.

Siemens Industrial Devices using libcurl (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely Vendor: Siemens Equipment: Industrial devices using libcurl Vulnerabilities: Use After Free 2. RISK EVALUATION Successful exploitation of these vulnerabilities could crash and allow an attacker to interfere with the affected products in various ways.

Siemens SIMATIC WinCC and PCS (CISA) 1. EXECUTIVE SUMMARY CVSS v3 6.3 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC WinCC and PCS Vulnerabilities: Exposure of Sensitive Information to an Unauthorized Actor, Insertion of Sensitive Information into Externally-Accessible File or Directory 2.

Siemens Teamcenter (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: Teamcenter Vulnerabilities: Stack-based Buffer Overflow, Improper Restriction of XML External Entity Reference 2. RISK EVALUATION Successful exploitation of these vulnerabilities may lead the binary to crash or allow an attacker to view files on the application server filesystem.

Siemens Industrial Products (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.5 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: OPC Foundation Local Discovery Server of several industrial products Vulnerability: Improper Restriction of Operations within the Bounds of a Memory Buffer 2. RISK EVALUATION Successful exploitation of this vulnerability could cause a denial-of-service condition on the service or the device.

Siemens OpenSSL Vulnerabilities in Industrial Products (CISA) 1. EXECUTIVE SUMMARY CVSS v3 5.9 ATTENTION: Exploitable remotely/high attack complexity Vendor: Siemens Equipment: Siemens Industrial Products Vulnerability: NULL Pointer Dereference 2. RISK EVALUATION Successful exploitation of this vulnerability may allow an unauthenticated attacker to cause a denial-of-service condition if a maliciously crafted renegotiation message is sent.

Siemens RUGGEDCOM ROS (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: RUGGEDCOM ROS Vulnerability: Improper Control of Generation of Code 2. RISK EVALUATION Successful exploitation of this vulnerability could cause malicious behavior through legitimate user accounts accessing certain web resources on affected devices.

Simcenter Femap and Parasolid (CISA) 1. EXECUTIVE SUMMARY CVSS v3 7.8 ATTENTION: Low attack complexity Vendor: Siemens Equipment: Simcenter Femap and Parasolid Vulnerability: Out-of-bounds Read 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to perform remote code execution in the context of the current process of the application through an out-of-bounds read.

Siemens SRCS VPN Feature in SIMATIC CP Devices (CISA) 1. EXECUTIVE SUMMARY CVSS v3 10.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: Siemens Equipment: SIMATIC CP Devices Vulnerabilities: Heap-based Buffer Overflow, Command Injection, Code Injection 2.

Trends

Access to hacked corporate networks still strong but sales fall (BleepingComputer) Statistics collected by cyber-intelligence firm KELA during this year's second quarter show that marketplaces selling initial access to corporate networks have taken a blow.

Ransomware Victims and Network Access Sales in Q2 2022 (KELA) Ransomware groups continue to evolve and threaten organizations and companies around the world. While some gangs reduced their activity in Q2 2022 or shut down, new actors like Black Basta emerged and continued extorting money from businesses. Similarly to the ransomware attackers, there are actors mimicking their methods, such as stealing data and managing data leak sites, but not using actual encrypting software in their attacks.

Ex-CIA security boss predicts coming crackdown on spyware (Register) Plus, spoiler alert: ransomware is gonna get a lot worse

Krebs: 'We’ve Over-Fetishized the APT Threat' (Decipher) Former CISA director Chris Krebs said at Black Hat that the community may have focused too much on APT groups in recent years.

Krebs to Vendors at Black Hat: No More 'Band-Aid' Approach (BankInfo Security) Black Hat USA 2022 opened with somber warnings from Chris Krebs about why application developers, vendors and the government need to solve major industry challenges. Key security executives also discussed DNS visibility, cloud security, patch management, APT strategies and supply chain woes.

Marketplace

Pittsburgh cybersecurity firm GrayMatter merges with Michigan-based automation company HTSE (Pittsburgh Inno) GrayMatter, one of Pittsburgh's largest cybersecurity firms, announced it entered into a strategic merger with Portage, Michigan-based HTSE Inc., a process automation and machine control provider that's worked on over 1,000 of such projects for food, beverage, pharmaceutical, chemical and manufacturing companies around the world.

Majority of firms lack cyber insurance (Computing) Cost, lack of transparency and increasing software requirements are big challenges when it comes to finding an insurer

Forescout Announces the Appointment of Rik Ferguson to VP of Security Intelligence (Forescout) Infosecurity Hall of Famer and Security Intelligence Expert Broadens Focus on Digital Terrain Risk SAN JOSE, Calif., Aug. 10, 2022 – Forescout Technologies, the leader in automated cybersecurity, today announced the appointment of Rik Ferguson as VP of Security Intelligence. With a career spanning more than 25 years, including 15 years as VP of Threat […]

Mailchimp Resumes Crackdown on Crypto Newsletters Including Messari, Edge (Decrypt) It isn't the first time the popular email marketing platform has shut down the accounts of crypto-content publishers.

Products, Services, and Solutions

Why Templates Deliver Critical Best Practice Workflows For Maximizing Enterprise Security (Torq) Templates deliver best practice workflows to maximize enterprise security operations. Learn more about Torq templates and integrations.

Wipro launches Australian cybersecurity consulting arm (CRN Australia) Through recent acquisition of Shelde via Ampion.

SentinelOne Integrates with Proofpoint for Enhanced Ransomware Protection (Business Wire) SentinelOne (NYSE: S), an autonomous cybersecurity platform company, today announced a new integration with Proofpoint to orchestrate unified ransomwa

Cycode Expands Scope of AppDev Security Platform (DevOps.com) Cycode has added SAST and container scanning capabilities to its SCA platform that is based on a graph database.

Technologies, Techniques, and Standards

3 Accelerators for Data Sharing with Allies (Booz Allen Hamilton) See data insights for DOD operations in a mission partner environment from a C4ISRNET webinar sponsored by Booz Allen.

ReversingLabs Analysis Reveals Need to Expand National Vulnerability Database to Include Emerging Software Supply Chain Flaws (GlobeNewswire News Room) Findings show flaws in open source contribute to a sharp rise in reports to the National Vulnerability Database in 2022; Research demonstrates how emerging...

CISQ Automated Source Code Data Protection Specification becomes Object Management Group Standard (CISQ - Consortium for Information & Software Quality) Protecting confidential data from exposure or theft.

Cybersecurity and Technology Industry Leaders Launch Open-Source Project to Help Organizations Detect and Stop Cyberattacks Faster and More Effectively (Splunk) A coalition of cybersecurity and technology leaders announced an open-source effort to break down data silos that impede security teams. The Open Cybersecurity Schema Framework (OCSF) project, revealed today at Black Hat USA 2022, will help organizations detect, investigate and stop cyberattacks faster and more effectively.

Cybersecurity vendors team up to form new open-source project (CRN) It is set to help organisations detect, investigate and stop cyberattacks faster and more effectively

Design and Innovation

This Mac hacker’s code is so good, corporations keep stealing it (The Verge) He’s asking politely for them to stop or pay.

Gmail is now officially allowed to spam-proof politicians’ emails (The Verge) The FEC agreed that the program is lawful.

Our approach to the 2022 US midterms (Twitter) Information on Twitter's approach to the 2022 US midterm elections.

Meta Just Happens to Expand Messenger's End-to-End Encryption (Wired) The company says an expansion of privacy features in Messenger is unrelated to a high-profile Nebraska abortion case.

Academia

Education sector most at risk of cyber attack (Education Technology) Check Point Research claims that the education sector was hit by more than the twice the industry average of cyberattacks in July.

Feeling stuck in a major you don't love? This cyber pro promises you, it's OK to fail - Technical.ly (Technical.ly) "If my freshman self knew that he’d go from a pretty bad engineering student to getting his master’s degree from Johns Hopkins, he’d be in complete shock," said Tyler Ramdass, now a junior cybersecurity specialist at Warminster's Sabre Systems, Inc.

MSU, MGCCC, federal partners collaborate to host premier cybersecurity conference (Mississippi State University) Representatives from hundreds of leading academic institutions recently gathered on the Mississippi Gulf Coast for one of the country’s premier academic conferences in cybersecurity.

Doctoral student earns NSA scholarship to complete cybersecurity research (Lousiana Tech) Louisiana Tech University doctoral student and Haughton native Dakota Digilormo has earned a National Centers Academic Excellence (NCAE-C) Cybersecurity Ph.D. Scholarship from the U.S. National Security Agency (NSA) to complete his studies in Cyberspace Engineering.

Legislation, Policy, and Regulation

FTC Explores Rules Cracking Down on Commercial Surveillance and Lax Data Security Practices (Federal Trade Commission) Note: The FTC hosted a virtual news conference on the ANPR announcement. View the webcast.

FTC moves to create data security and privacy rules (The Record by Recorded Future) Long the de facto privacy watchdog, the Federal Trade Commission is exploring creating rules for its role.

Will the Feds Backstop Cyber Insurance? | Endpoint (Tanium) Critical infrastructure providers may soon get federal protection against the crippling costs of cyberattacks. Here’s why.

Litigation, Investigation, and Law Enforcement

The US Offers a $10M Bounty for Intel on Conti Ransomware Gang (Wired) The State Department organization has called for people to share details about five key members of the hacking group.

US accuses Chinese company of helping ZTE hide business with Iran - ChinaTechNews.com (ChinaTechNews.com) US accuses Chinese company of helping ZTE hide business with Iran The US Commerce Department on Tuesday accused Far East Cable, China’s largest wire and cable manufacturer, of violating US export controls related to shipments of telecommunications equipment to Iran.

BIS charges Chinese cable giant with export control violations (Compliance Week) The Commerce Department's Bureau of Industry and Security charged China's largest cable and wire manufacturer Far East Cable with export control violations related to its alleged dealings with telecommunications company ZTE to circumvent U.S. restrictions against Iran.

Banks ordered to notify cardholders of suspicious activity after iPay88 data breach (Malay Mail ) In light of the potential data breach incident announced by iPay88 (M) Sdn. Bhd, Bank Negara Malaysia (BNM) has instructed banks to immediately notify...

Lincolnshire Police has lost data or sent it to the wrong person 200 times (LincolnshireLive) Problems have been admitted with emails, post and devices

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

STEM Pioneers Rock! Loretta Hall, Author of biography of Wally Funk, member of the female team for Mercury 13 flight (Columbia and Virtual, Maryland, United States, Aug 15, 2022) Brought to you by NSA and Dreamport/MISI, the STEM Pioneers Rock series, highlights significant accomplishments of those who are "firsts" in their field. These individuals are responsible for attaining goals that opened doors for those who come behind them. In addition, we hope the "pioneers" we have identified encourage our workforce to "stay the course", improving retention statistics. Loretta Hall is a freelance writer and nonfiction book author. Although she has written for a variety of consumer magazines, she concentrated on civil engineering and architecture trade publications for many years. About ten years ago, her latent fascination with space exploration resurfaced, and she has since concentrated on that subject. During the past fifteen years, she has written seven books for adults and young adults, including two on architecture and three on the history and future of space travel. Her children's picture book about visiting Spaceport America was published in 2017. She is a board member of New Mexico Press Women, a Certified Space Ambassador for the National Space Society, and a member of the Historical Society of New Mexico's Speakers Bureau.

Certified CMMC Professional (CCP) 2.0 Exam Prep (Virtual, Aug 15 - 19, 2022) This 5-day CCP course covers the foundational required curriculum along with CMMC Level 2 scoping and the full 110 practices. Edwards Cyber AB approved CCP 2.0 courses enable participants to sit for the CCP exam – making you a valuable resource to a consultancy providing CMMC preparation, C3PAO providing certified assessor support, or organization interested in having in-house CMMC trained resources. Edwards all-star lineup of Provisional Instructors (PIs) includes several of the CMMC industry’s most respected consultants along with Edwards’ internal SMEs to deliver their action packed bootcamps.

Insider Threat Program Development - Management Training Course (Sterling, Virginia, USA, Aug 22 - 23, 2022) This affordable, comprehensive and extremely resourceful 2 day training course will ensure the Insider Threat Program (ITP) Manager, Facilities Security Officer, Insider Threat Analyst, and others who support the ITP (CSO, CIO, CISO, IT, Network Security, Human Resources, Etc.), have the Core Knowledge, Blueprint, Resources needed for developing, managing or enhancing an ITP / Working Group. Our student satisfaction levels are in the exceptional range. Over 875+ individuals have attended this training course and received ITP Manager Certificates. The class has 2 additional instructors who are the former ITP Managers for CIA and NSA.

Insider Threat Program Development - Management (Virtual, Aug 22 - 23, 2022) This affordable, comprehensive and extremely resourceful 1 day WEB BASED training course will ensure the Insider Threat Program (ITP) Manager, Senior Official, Facilities Security Officer, Insider Threat Analyst, and others who support the ITP (CSO, CIO, CISO, IT, Network Security, Human Resources, Etc.), have the Core Knowledge, Blueprint, Resources needed for developing, managing or enhancing an ITP / Working Group. Our student satisfaction levels are in the exceptional range. Over 900+ individuals have attended this training course and received ITP Manager Certificates. CLASS DATES: August 22 & 23 (Training Taught In 2 / 4 Hour Sessions On Different Dates).

SANS 2022 Cloud Security Exchange (Virtual, Aug 25, 2022) SANS Institute, the global leader in cybersecurity training and certifications, today announced it would be hosting its first SANS 2022 Cloud Security Exchange live online event, which will take place on August 25, 2022 at 11:00am EDT. The Cloud Security Exchange brings technical security leaders from Google Cloud Platform (GCP) and Microsoft Azure together in one forum to share their perspectives on building cloud security programs and best practices on crucial security pillars. As more organizations embrace digital transformation, security operations and architecture teams are facing new challenges.

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.