Dateline Moscow, Minsk, Kyiv, and Aspen: Updates on the hybrid war.

Ukraine at D+148: Spycraft, traditional and cyber. (The CyberWire) Russia’s offensives remain stalled, as MI6 and CIA think the Russian army has “run out of steam.” Russian cyberespionage continues as traditional espionage runs up against apparently effective European counterespionage measures. And hackers spread disinformation over nine Ukrainian radio stations.

Russia-Ukraine war: List of key events, day 149 (Al Jazeera) As the Russia-Ukraine war enters its 149th day, we take a look at the main developments.

Ukraine latest: Russia ‘destroys’ four US-supplied Himars rocket systems (The Telegraph) Russia’s defence ministry has claimed its forces have destroyed four US-supplied Himars rocket systems in July alone.

Russia Moves to Annex Occupied Ukrainian Land by September (Bloomberg) Kremlin prepares for referendums in areas seized by its troops. Officials say votes planned on merging with Russia by Sept. 15.

End the war to prevent nuclear ‘abyss’, warns Lukashenko (The Telegraph) The Belarus president and Putin ally insisted that Kyiv could end the war if it re-started talks with Moscow and accepted Russia’s demands

How Putin’s Flawed Assumptions Doomed Russian Victory in Ukraine (Foreign Affairs) A Conversation With Lawrence Freedman

Greenpeace Says IAEA Downplayed Damage at Chernobyl by Russian Troops (Newsweek) The environmental organization conducted its own survey at Chernobyl after “very limited data” was provided by the International Atomic Energy Agency.

Russia-Ukraine war: UK vows to send thousands more weapons to Kyiv after Kremlin’s threat of escalation (The Telegraph) Britain will send scores of artillery guns and more than 1,600 anti-tank weapons to Ukraine, in the latest supply of Western arms to the fury of the Kremlin.

UK Spy Chief Sees Russia’s Military Running ‘Out of Steam’ Soon (Bloomberg) MI6 head Richard Moore sees no sign Putin is in poor health. Big advantage of US, UK over China is ‘we have allies’.

Exhausted Russian army gives Ukraine chance to strike back, says British spy chief (The Telegraph) Richard Moore, the head of MI6, says intelligence shows Vladimir Putin’s army is ‘running out of steam’

‘Cut by half’ Putin’s masterplan backfires as 400 Russian spies thrown out of Europe (Express) Russia has lost “half” of its ability to spy on European countries, the UK’s foreign intelligence chief has said.

Half of Russian spies in Europe expelled since Ukraine invasion, says MI6 chief (the Guardian) Richard Moore says 400 intelligence officers operating under diplomatic cover have been expelled

MI6 chief: Russia’s spies ‘not having a great war’ in Ukraine (The Record by Recorded Future) Hundreds of Russian spies have been expelled from Europe in recent months, dealing a major blow to Moscow’s intelligence efforts during its war with Ukraine, said the head of Britain’s Secret Intelligence Service, or MI6, on Thursday.

CIA chief says 15,000 Russians killed in war, dismisses Putin health rumors (Washington Post) Russia’s territorial gains in Ukraine have been minimal and have come at a “very high” cost, senior U.S. officials said Wednesday, illustrating the deadly grind of the conflict while dismissing concerns about President Vladimir Putin’s health.

CIA Chief Says Russia’s Iran Drone Deal Shows Military Weakness (Bloomberg) William Burns says the two countries don’t trust each other. China is unsettled by Russia’s war performance, Burns says.

Putin thinks he’ll break America’s will in Ukraine, but he’s wrong, says the CIA director (CNBC) “Putin’s view of Americans is that we always suffer from attention deficit disorder, and we’ll get distracted,” said CIA Director William Burns at the Aspen Security Forum.

Ukraine can win (Atlantic Council) If the West takes active measures to ensure Ukraine can’t defeat Putin’s Russia, it won’t. But if it commits to supplying the range of capabilities required for modern, high intensity warfare, Ukraine can win, and it will win.

Ukraine says air force needs western fighter jets, and the US is preparing to help (Defense News) “Older U.S. systems are a possibility” as Ukraine builds its future air force, U.S. Air Force Secretary Frank Kendall said.

Western fighter jets could be sent to Ukraine to boost forces under US plans (The Telegraph) Training Ukrainian pilots is also being discussed by military chiefs as part of a future support package

Inside the multinational logistics cell coordinating military aid for Ukraine (Defense News) Since early March, a cohort of U.S. servicemembers and a rotating crew of multinational partners have set up shop in U.S. European Command headquarters to ensure equipment gets from the donor nation to Ukraine’s doorstep.

Ukraine’s Wartime Politics Takes a New Turn (Wilson Center) Political processes change dramatically during a time of war. In the early stages of the war, the usual competition between the ruling group and the opposition is dampened, while society becomes more disciplined and united around the government. But the longer the war goes on, the more politics adapts: either it further organizes around the leader of the nation at war or the usual competition returns, but posing an unusual threat to national security.

Ukraine confronts Kremlin infiltration threat at unreformed state bodies (Atlantic Council) Last week’s dismissal by President Zelenskyy of two key figures from Ukraine’s state security and prosecution services has highlighted the threat posed by Kremlin agents infiltrating unreformed Ukrainian state bodies.

US seeking to understand Russia’s failure to project cyber power in Ukraine (Defense News) “With regard to the Russian use of cyber and our takeaways,” Anne Neuberger said, “there are any number of theories for what we saw and what, frankly, we didn’t see.”

Battling Moscow’s hackers prior to invasion gave Kyiv ‘full dress rehearsal’ for today’s cyber warfare (CyberScoop) Years of cyberattacks have helped prepare Ukraine to fight back against Russia’s arsenal of digital weapons.

Defence officials warn of possible risk of social engineering attacks through MS Teams (DELFI) Virtual communication software MS Teams can be exploited for social engineering attacks without necessary changes to its external access settings, Lithuania’s Ministry of National Defense warned on Thursday, adding that this could pose risk to the security of organizations using the software.

Cyber criminals attack Ukrainian radio network, broadcast fake message about Zelensky’s health (CyberScoop) The company that operates nine radio stations across Ukraine said the message did “not correspond to reality.”

How Russia promoted the claim that Ukraine re-sold French howitzers for profit (Medium) Kremlin media amplified narrative until mainstream coverage on the risk of weapons smuggling allegedly gave it credence

Ukraine invites allies to check on their weapons donations (POLITICO) Ukraine has created a temporary special commission to monitor the flow of billions of dollars in Western weapons into the country.

Google to be banned in Ukraine’s occupied Donetsk and Luhansk regions (the Guardian) Leader of self-proclaimed Donetsk People’s Republic accuses search engine of promoting ‘terrorism and violence against all Russians’

Deal for Ukraine grain exports due to be sealed in Istanbul (AP NEWS) Russia and Ukraine were expected to sign an agreement Friday that would allow Ukraine to resume grain shipments to world markets and Russia to export grain and fertilizers, ending a standoff that threatened world food security while the two countries are at war in Ukraine.

Russian gas attack: Europe must not give in to Putin’s energy blackmail (Atlantic Council) The CEO of Ukrainian energy giant Naftogaz has told European leaders to prepare for a complete Russian gas cut off and warned that any concessions to the Kremlin will only serve to encourage further energy blackmail.

Russia requests North Korean labourers be sent to Donbas in exchange for wheat and machinery (The Telegraph) Providing technology to Pyongyang would violate UN sanctions that Moscow has supported in the past

Attacks, Threats, and Vulnerabilities

How Conti ransomware hacked and encrypted the Costa Rican government (BleepingComputer) Details have emerged on how the Conti ransomware gang breached the Costa Rican government, showing the attack’s precision and the speed of moving from initial access to the final stage of encrypting devices.

Anatomy of Attack: Truth Behind the Costa Rica Government Ransomware 5-Day Intrusion (AdvIntel) This report data is derived from Andariel’s adversarial collections, which enable visibility into Cobalt Strike commands which bypass a known EDR solution in a play-by-play format. The ransomware and exfiltration operation took approximately five days from the initial access on April 11, 2022 primarily due to the massive data exfiltration prolonging the exploitation operation prior to the ransomware deployment. On May 8, 2022, the new preside

Conti Criminals Resurface as Splinter RaaS Groups (Security Boulevard) Conti—one of the most ruthless and successful Russian ransomware groups—has been quiet since the group publicly announced it would cease operations in the

LockBit 3.0 Update | Unpicking the Ransomware’s Latest Anti-Analysis and Evasion Techniques (SentinelOne) The self-proclaimed ‘oldest ransomware affiliate on the planet’ has new tricks and new features and continues to beat enterprise defenses.

A Fake Google Search YouTube Ad Redirects to Scam Windows Defender Security Alert (iTech Post) An unsettlingly lifelike Google Search “malvertising” campaign was misusing Google ads. Malwarebytes, a cybersecurity company, revealed on Thursday that it had found a “major” malvertising campaign that was misusing Google ads.

Understanding the Evolution of Cybercrime to Predict its Future (SecurityWeek) A study of the evolution of cybercrime suggests the threat will only get worse as financially motivated malware gangs become more and more professional.

Matanbuchus with Cobalt Strike: Not Your Favorite Combo (CircleID) For US$2,500, threat actors can employ Matanbuchus, a malware-as-a-service (MaaS) package found delivering Cobalt Strike beacons through phishing and spam messages. Cobalt Strike is a powerful security tool that threat actors are increasingly using as a reconnaissance and post-exploitation weapon.

The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back (HP Wolf Security) Don’t let cyber threats get the best of you. Read our post, The Evolution of Cybercrime: Why the Dark Web is Supercharging the Threat Landscape and How to Fight Back, to learn more about cyber threats and cyber security.

Bitdefender identifies 192 active ransomware families worldwide (SecurityBrief New Zealand) Bitdefender says the most prevalent of the 192 active ransomware families was WannaCry, which accounted for 42% of detections.

Atlassian warns of several new critical vulnerabilities potentially being exploited in wild (The Record by Recorded Future) Atlassian is warning its customers and partners about three different critical vulnerabilities affecting Confluence Server, Confluence Data Center as well as several other products from Bamboo, BitBucket, Fisheye and Jira.

Atlassian Warns Confluence Users of Critical Hardcoded Credentials Bug (Decipher) After an external party publicly disclosed the hardcoded password on Twitter, Atlassian said the issue is “likely to be exploited in the wild.”

Exploitation of Recent Chrome Zero-Day Linked to Israeli Spyware Company (SecurityWeek) An actively exploited Chrome zero-day for which Google released a patch on July 4 has been linked to an Israeli spyware company and used in targeted attacks in the Middle East.

Spyware maker Candiru exploited Google Chrome zero-day to target journalists (Computing) The vulnerability has already been patched by Google

Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists (Security Affairs) The spyware developed by Israeli surveillance firm Candiru exploited the recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists. Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited the recently fixed CVE-2022-2294 Chrome zero-day. The flaw, which […]

Hackers for Hire: Adversaries Employ ‘Cyber Mercenaries’ (Threatpost) Also known as the Atlantis Cyber-Army, the emerging organization has an enigmatic leader and a core set of admins that offer a range of services, including exclusive data leaks, DDoS and RDP.

Hundreds of ICS Vulnerabilities Disclosed in First Half of 2022 (SecurityWeek) More than 600 vulnerabilities were disclosed in the first half of 2021 and more than 60% are critical or high severity.

Google blocks site of largest computing society for being ‘harmful’ (BleepingComputer) Google Search and Drive are erroneously flagging links to Association for Computing Machinery (ACM) research papers and websites as malware. BleepingComputer has successfully reproduced the issue, first reported by researcher Maximilian Golla.

IowaWorks.gov website restored after cyber attack that caused outage (WQAD) The state says no user data was compromised and the delivery of unemployment benefit payments was not impacted.

Ransomware Group Says It Has Breached Colorado Town’s Network (GovTech) The town of Frederick, Colo., is currently investigating claims about a breach in their network. Officials are working with digital forensics experts to determine exactly if and how the community might be impacted.

Waterloo Regional District School Board says it was hit by cyberattack (Global News) In a letter issued to parents late Wednesday night, the Waterloo Regional District School Board says it recently discovered that it had been hacked.

Security Patches, Mitigations, and Software Updates

Windows 11 is getting a new security setting to block ransomware attacks (ZDNet) Microsoft releases a new default policy to thwart credential attacks, which is also heading to Windows 10.

Microsoft resuming default block of Office VBA macros (The Record by Recorded Future) Microsoft confirmed that it is resuming the roll out of a popular change that blocked Visual Basic for Applications (VBA) macros by default in Office apps.

Google Chrome security update fixes ‘high risk’ flaws (ZDNet) Google releases 11 fixes for Chrome – and CISA says users should apply them.

Google Releases Security Updates for Chrome (CISA) Google has released Chrome version 103.0.5060.134 for Windows, Mac, and Linux. This version addresses vulnerabilities that an attacker could exploit to take control of an affected system. CISA encourages users and administrators to review the Chrome Release Note and apply the necessary updates.

Central Florida construction firm: Ex-employee snatched personal records in data breach (Florida Politics) Williams Company has a portfolio of major projects at SeaWorld Orlando and Legoland Florida.

Drupal Releases Security Update (CISA) Drupal has released security updates to address vulnerabilities affecting Drupal 9.3 and 9.4. An attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review Drupal security advisory SA-CORE-2022-015 and apply the necessary update.

Oracle Releases July 2022 Critical Patch Update (CISA) Oracle has released its Critical Patch Update for July 2022 to address 349 vulnerabilities across multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. CISA encourages users and administrators to review the Oracle July 2022 Critical Patch Update and apply the necessary updates.

ABB Drive Composer, Automation Builder, Mint Workbench (CISA) 1. EXECUTIVE SUMMARY. CVSS v3 7.8. ATTENTION: Low attack complexity. Vendor: ABB. Equipment: Drive Composer, Automation Builder, Mint Workbench. Vulnerability: Improper Privilege Management. 2. RISK EVALUATION. Successful exploitation of this vulnerability could allow remote code execution. 3. TECHNICAL DETAILS. 3.1 AFFECTED PRODUCTS. The following ABB products are affected:

Johnson Controls Metasys ADS, ADX, OAS (CISA) 1. EXECUTIVE SUMMARY. CVSS v3 5.3. ATTENTION: Exploitable remotely/low attack complexity. Vendor: Johnson Controls, Inc. Equipment: Metasys ADS, ADX, OAS with MUI. Vulnerability: Missing Authentication for Critical Function. 2. RISK EVALUATION. Successful exploitation of this vulnerability could allow an unauthenticated user to access the Metasys web API and enumerate users.

Rockwell Automation ISaGRAF Workbench (CISA) 1. EXECUTIVE SUMMARY. CVSS v3 8.6. ATTENTION: Low attack complexity. Vendor: Rockwell Automation. Equipment: ISaGRAF Workbench. Vulnerabilities: Deserialization of Untrusted Data, Path Traversal. 2. RISK EVALUATION. Successful exploitation of these vulnerabilities could result in directory traversal, privilege escalation, and arbitrary code execution.

ICONICS Suite and Mitsubishi Electric MC Works64 Products (CISA) 1. EXECUTIVE SUMMARY. CVSS v3 9.8. ATTENTION: Low attack complexity. Vendors: ICONICS, Mitsubishi Electric. Equipment: ICONICS Product Suite, MC Works64. Vulnerabilities: Path Traversal, Deserialization of Untrusted Data, Inclusion of Functionality from Untrusted Control Sphere, Out-of-Bounds Read. 2.

AutomationDirect Stride Field I/O (CISA) 1. EXECUTIVE SUMMARY. CVSS v3 9.6. ATTENTION: Exploitable remotely/low attack complexity. Vendor: AutomationDirect. Equipment: Stride Field I/O. Vulnerability: Cleartext Transmission of Sensitive Information. 2. RISK EVALUATION. Successful exploitation of this vulnerability could allow an attacker to obtain user credentials.

Intelligence Insights: July 2022 (Red Canary) Qbot returns with a vengeance, Emotet climbs the charts, and BumbleBee changes tactics.

Report: Financial Institutions Overly Complacent About Current Authentication Methods (PR Newswire) HYPR, The Passwordless Company™ and Vanson Bourne, today released a new report that reveals the financial sector is failing to combat the…

Marketplace

Halborn Raises $90M in Series A Funding (FinSMEs) Halborn, a Miami, FL-based cybersecurity firm serving both traditional finance and blockchain-based clients, raised $90M in Series A funding

VIPC’s Virginia Venture Partners’ Investment in Fend Fosters Cybersecurity Solutions For Critical Infrastructure (EIN News) Specialty hardware focuses on developing innovative solutions that protect critical assets against cyberattacks

Microsoft closes unfilled job openings in cloud and security (Register) Despite growth and strong demand in these areas, Redmond keeps trimming investment

Devo Expands SciSec Team with Data Science Leaders to Accelerate Delivery of Autonomous SOC (Devo) Devo names data-science experts Kevin Zhou and Chaz Lever to leadership positions on its SciSec threat research team.

Products, Services, and Solutions

New infosec products of the week: July 22, 2022 (Help Net Security) The featured infosec products this week are from: Cato Networks, CoSoSys, Darktrace, EnGenius, Orca Security, Persona, and Resecurity.

Kovrr Launches ‘Cyber-Sphere’ to Simplify Enterprise Cyber Risk Management Decisions (Business Wire) Kovrr, a leading provider of cyber risk quantification (CRQ) solutions for global enterprises and (re)insurers, announced today the launch of the Cybe

Axonius Adds Key Integrations with AWS (PR Newswire) Axonius, a cybersecurity asset management provider, today announced integrations with Amazon Macie, Amazon GuardDuty, and AWS SecurityHub while…

Proximus selects Zimperium mobile threat defence to protect subscribers against surging mobile attacks (VanillaPlus) Brussels, Belgium. 20 July 2022 – Zimperium, a global provider of mobile security, has struck a deal with Proximus starting from 1st July 2022, Belgium’s

Technologies, Techniques, and Standards

NIST Revises Cybersecurity Guidelines Specifically for HIPAA (Nextgov.com) NIST will accept comments on the updated draft publication regarding HIPAA’s Security Rule until September 21.

Standing shoulder to shoulder – building a resilient healthcare ecosystem with Health-ISAC (Google Cloud Blog) Google Cloud has joined the Health Information Sharing and Analysis Center (Health-ISAC) as its first Ambassador Partner in the cloud.

Lack of staff and resources drives smaller teams to outsource security (Help Net Security) This Help Net Security video highlights how a lack of staff, skills, and resources drives smaller teams to outsource their security.

Academia

Education institutions hit hard by ransomware – study (SecurityBrief New Zealand) The findings reveal that education institutions are increasingly being hit with ransomware, with 60% suffering attacks in 2021 compared to 44% in 2020.

Legislation, Policy, and Regulation

Do we need a cyber NATO to address the changing threat landscape? [Q&A] (BetaNews) The threat landscape facing enterprises is changing constantly. In recent months, major vulnerabilities like Log4j and malware-based threats have demonstrated the need for organizations to move quickly in order to defend themselves.

British recycle old arguments for borking encryption (Register) Levy and Robinson are at it again

China Has a Problem With Data Leaks. One Reason Is Its Surveillance State. (Wall Street Journal) Cybersecurity researchers say the Chinese government’s mass collection of personal information aids in social control but undermines national security.

Why suspected Chinese spy gear remains in America’s telecom networks (POLITICO) In an already hectic year, Congress is now on the hook to find billions of dollars to help some 200 small U.S. telecom carriers finally rip out risky Chinese equipment.

Senators intro bill to foster federal move to quantum-resistant technology (The Record by Recorded Future) A bipartisan pair of senators on Thursday introduced legislation to motivate federal agencies to shift their information systems to quantum-resistant cryptography.

Congress Might Pass an Actually Good Privacy Bill (Wired) A bill with bipartisan support might finally give the US a strong federal data protection law.

FACT SHEET: National Cyber Workforce and Education Summit (The White House) On July 19, 2022, National Cyber Director Chris Inglis hosted the National Cyber Workforce and Education Summit at the White House. The event focused on

Biden Administration Looks to Jumpstart Cyber Training (Nextgov.com) At a White House event, the Labor and Commerce Departments announced a 120-day apprenticeship sprint to offer pathways into cybersecurity jobs.

USA’s plan to build its cyber workforce, improve skills-based pathways to cyber jobs (Help Net Security) The USA is focused on building the cyber workforce, improving skills-based pathways to cyber jobs, and educating Americans.

It’s not just the private sector — agencies are competing with each other for cyber talent (Federal News Network) OPM wants to level the playing field for agencies trying to recruit and retain cybersecurity specialists.

Where 5 programs are investing to close cyber skills gap (Cybersecurity Dive) In line with a White House driven push to close the cyber skills gap, technology firms, nonprofits and other organizations have launched a range of programs to develop a new generation of workers.

Florida Follows North Carolina in Prohibiting State Agencies from Paying Ransoms (BakerHostetler Data Counsel) We recently wrote about North Carolina’s new law prohibiting state agencies – including public schools and universities – from paying a ransom or even

New York providing cybersecurity resources to local governments (NY1) The effort includes anti-ransomware attack tools.

Litigation, Investigation, and Law Enforcement

The Unsolved Mystery Attack on Internet Cables in Paris (Wired) As new details about the scope of the sabotage emerge, the perpetrators—and the reason for their vandalism—remain unknown.

Panama Papers whistleblower speaks out: ‘Politicians must act – now’ (the Guardian) In first public comments since 2016, leaker discusses their life in hiding and leaders’ failure to clamp down on tax havens

Former Coinbase Employee Charged in Alleged Insider-Trading Scheme (Wall Street Journal) The first-ever cryptocurrency insider-trading case could have broad ramifications for the industry.

Ex-Coinbase Manager Arrested in US Crypto Insider-Trading Case (Bloomberg) Criminal charges follow probe launched in April by SDNY. SEC also sues former employee and two others over conduct.

SEC lists nine crypto tokens as securities following Coinbase insider trading charges (The Block) The SEC has listed nine cryptocurrencies on Coinbase that it says are securities, providing more clarity on its views.

Jason Calacanis Rips Into ‘Grifting’ VCs Flipping Crypto Tokens to Retail (Bloomberg) Watch out venture capital, the regulators are coming.

Secret Service watchdog knew in February that texts had been purged (Washington Post) A watchdog agency learned in February that the Secret Service had purged nearly all cellphone texts from around the time of the Jan. 6, 2021, attack on the Capitol, but chose not to alert Congress, according to three people briefed on the internal discussions.

SF police plan to monitor video ignites controversy (Axios) A proposal for cops to access privately owned video cams raises criticism from privacy advocates.

Massive Losses Define Epidemic of ‘Pig Butchering’ (KrebsOnSecurity) U.S. state and federal investigators are being inundated with reports from people who’ve lost hundreds of thousands or millions of dollars in connection with a complex investment scam known as “pig butchering,” wherein people are lured by flirtatious strangers online…

Admission of culpability leads to early end in trial of Razer’s S$10m claim against IT vendor over data leak (TODAY) A civil trial between gaming hardware maker Razer and its information technology (IT) vendor over a cybersecurity breach that led to the mass leak of Razer customers’ data came to an early end on Friday (July 22).

Former US spy chief questioned over Julian Assange’s future (SBS News) When asked about calls for the Australian government to intervene in the case of Julian Assange, former US National Security Agency head Admiral Michael Rogers said nations shouldn’t feel “constrained” to act in their best interests.

Editorial: It’s hard to know how bad cybersecurity is at the Department of Corrections (The Bulletin) One of the good things about Oregon government is that it can be public about its failings. And we learned this week that the state’s Department of Corrections has problems