BEC gang impersonates law firms. Transportation disruptions. Social engineering. Notes on Russia’s hybrid war.

Dateline Moscow and Kyiv: Preparing for the battle of Kherson.

Ukraine at D+253: Kherson, barrier troops, and an assessment of cyber defense. (CyberWire) Russia appears to have revived the old Soviet practice of positioning barrier troops behind combat units to prevent desertion. The battle for Kherson approaches, with rumors of a Russian withdrawal and Ukrainian suspicion of a ruse. A look at the conflict in cyberspace as a case study in collective defense.

Russia-Ukraine war: List of key events, day 254 (Al Jazeera) As the Russia-Ukraine war enters its 254th day, we take a look at the main developments.

Ukraine war latest: Putin issues chilling warning on Kherson (The Telegraph) Vladimir Putin has called on Russian officials to forcibly evacuate residents of Russia-occupied Kherson to safety.

Ukraine capable of retaking Kherson from Russia -Pentagon chief (Reuters) Ukrainian forces can retake the strategic southern city of Kherson from Russian troops, U.S. Defense Secretary Lloyd Austin said on Thursday, in what would be a major defeat for Russia in its invasion of its neighbor.

Russian troops begin leaving Kherson city – but Ukraine warns of a trap (The Telegraph) Kyiv’s officials fear that the apparent withdrawal of Vladimir Putin’s troops from the area might not be all it seems

Russian flag comes down in Kherson, but Ukraine sees a trap (The Hill) Russia’s flag has come down over the main administrative building in Kherson, Ukraine, but Ukrainian officials and war experts aren’t convinced surrender is nigh. They suspect Russia may be s…

Why Putin will fight for Kherson: Fresh water and land bridge to Crimea (Washington Post) Here in the muddy coastal region of Kherson, which sits like a crumpled hat atop the Russian-occupied Crimean Peninsula, soldiers are readying for what may become the biggest battle of President Vladimir Putin’s war in Ukraine, and perhaps the single best test of whether Moscow ends up winning any significant territory from its invasion or is forced to retreat empty-handed.

Russian Shelling Forces Ukraine Nuclear Plant to Run on Backup Generators (Wall Street Journal) Moscow resumed attacks on energy infrastructure overnight and Kyiv said the Zaporizhzhia nuclear-power facility had 15 days’ worth of fuel left to run generators.

Russian ambassador claims UK involved in drone attack on Black Sea fleet (the Guardian) Andrei Kelin says Britain ‘too deep in this conflict’ as speculation grows over Russian withdrawal from Kherson region

In newly liberated villages, Ukrainian investigators uncover horrific claims of Russian sexual violence (CNN) Day after day, in town after town, a police officer and prosecutor go door to door in Ukraine’s Kherson region.

A Russian soldier confesses to executing a civilian (CBC) Despite blanket denials of war crimes from the Kremlin, a Russian soldier has revealed details of looting, torture and killing that took place in the Kyiv suburb of Andriivka back in March.

Russia hopes a winter wave of Ukrainian refugees will divide Europe (Atlantic Council) Russia’s campaign of airstrikes against Ukraine’s civilian infrastructure aims to spark a humanitarian crisis and fuel a new winter season refugee wave that Moscow hopes will undermine European support for Ukraine.

Potential nuclear strike in Ukraine is just talk for now, but here’s what Russia could do next (The Telegraph) High state of alarm in the West as Kremlin military leaders talked about how and when they might deploy lower-yield devices

Ukrainians face nuclear threat with grit and dark humor (AP NEWS) Dmytro Bondarenko is ready for the worst. He’s filled the storage area under his fold-up bed and just about every other nook of his apartment in eastern Kyiv with water and nonperishable food.

Time is running out for Putin, and the danger is that he knows it (The Telegraph) The West must take Russia seriously as an opponent – and reject both unworkable appeasement or aggressive threats to break up the country

Opinion Russia is fighting by the book. The problem is, it’s the wrong book. (Washington Post) Civilians don’t talk much about military doctrine, but military professionals know how important it is.

China’s Xi meets Germany’s Scholz, urges Ukraine peace talks (AP NEWS) In a much-scrutinized meeting Friday with visiting German Chancellor Olaf Scholz, Chinese President Xi Jinping called for peace talks between Russia and Ukraine and warned against the conflict going nuclear.

Russia ‘can be good guys and live peacefully with Ukraine if they get rid of Putin’ (The Telegraph) Kyiv’s ambassador to Britain says his nation’s fight is with dictator, not Russians themselves

US senators in Ukraine promise continued aid ahead of winter (AP NEWS) Two U.S. senators met with families in Ukraine’s capital Thursday and promised continued humanitarian support for the war-torn country as winter nears.

Ukraine war, geopolitics fuelling cybersecurity attacks -EU agency (Reuters) Geopolitics such as Russia’s invasion of Ukraine has led to more damaging and widespread cybersecurity attacks in the year to July, EU cybersecurity agency ENISA said in its annual report on Thursday.

Microsoft Extends Aid for Ukraine’s Wartime Tech Innovation (SecurityWeek) Microsoft’s financial commitment of more than $400 million to support Ukraine offers resilience and security for Ukraine operations.

Evaluating the International Support to Ukrainian Cyber Defense (Carnegie Endowment for International Peace) International efforts to support Ukrainian cyber defense have delivered increased capabilities and capacity while harnessing the potential of a diverse array of actors. But those involved are not declaring victory and will need concrete steps to sustain momentum.

Ukraine issues Crimean Bridge strike stamp on Russia’s Unity Day (the Guardian) Postal service follows up April’s limited edition stamp celebrating attack on Russian flagship Moskva

The Decision to Defect (Foreign Affairs) A Conversation With Boris Bondarev

Attacks, Threats, and Vulnerabilities

Danish train standstill on Saturday caused by cyber attack (Reuters) A major breakdown of Denmark’s train network during the weekend was the result of a hacker attack on an IT subcontractor’s software testing environment, Danish train operator DSB said on Thursday.

‘Project Merciless’: how Qatar spied on the world of football in Switzerland (SWI) Qatar orchestrated a major intelligence operation against FIFA officials helped by ex-CIA agents. Switzerland was a key theatre of operations.

China may use cyberattacks rather than military, US official warns Taiwan (ThePrint) Taipei [Taiwan], November 2 (ANI): US senior director of the Foundation for the Defence of Democracies Centre on Cyber and Technology Innovation, Mark Montgomery, warned Taiwan that China would use cyberattacks rather than its military against Taipei, Taipei Times reported citing Voice of America’s Chinese-language Web site. On Saturday, Voice of America’s Chinese […]

Crimson Kingsnake: BEC Group Impersonates International Law Firms in… (Abnormal Security) Uncovering how threat group Crimson Kingsnake uses third-party impersonation tactics to swindle organizations across the world.

New Crimson Kingsnake gang impersonates law firms in BEC attacks (BleepingComputer) A business email compromise (BEC) group named ‘Crimson Kingsnake’ has emerged, impersonating well-known international law firms to trick recipients into approving overdue invoice payments.

French-speaking crooks stole $30m in bank cyber-heist spree (Register) Smooth ‘OPERA1ER’ hit orgs around the world over four or more years

French-Speaking Cybercrime Group Stole Millions From Banks (SecurityWeek) A French-speaking cybercrime group tracked as Opera1er may have stolen more than $30 million from banks and other organizations.

Boeing subsidiary Jeppesen’s services impacted by cyber incident (Reuters) Boeing Co said on Friday its subsidiary Jeppesen was impacted by a cyber incident which affected certain flight planning products and services.

BREAKING: Boeing’s Jeppesen Subsidiary Hit With Potential Ransomware Attack (Live and Let’s Fly) As a Boeing – Jeppesen outage enters a second day, a trusted source has revealed to Live and Let’s Fly that Boeing has been hit with a ransomware attack.

Cyber incident at Boeing subsidiary causes flight planning disruptions (The Record by Recorded Future) Jeppesen, a wholly-owned Boeing subsidiary that provides navigation and flight planning tools, confirmed on Thursday that it is dealing with a cybersecurity incident that has caused some flight disruptions.

More than 250 US news sites inject malware in possible supply chain attack (SC Media) Proofpoint researchers disclose that Russia-linked TA569 injects SocGholish malware in what’s potentially a very serious supply chain attack.

Dropbox Suffers Data Breach From Phishing Attack, Exposing Customer and Employee Emails (GitGuardian Blog) Dropbox has confirmed they suffered a data breach involving a bad actor gaining access to credentials, data, and other secrets inside their internal GitHub code repositories.

CyRC Vulnerability Advisory: CVE-2022-43945 buffer overflow vulnerabilities in NFSD (Application Security Blog) Get remediation guidance on CVE-2022-43945, which contains two vulnerabilities causing buffer handling issues in Linux Kernel NFSD implementation.

Espionage campaign loads VPN spyware on Android devices via social media (CSO Online) Attackers built a fake online community and used a malicious VPN app to steal credentials and other user data.

LockBit repeats ‘PR stunt’ as Thales ransomware investigation claims no breach (Data Breaches) An investigation by Thales has found no evidence that the LockBit ransomware organisation successfully attacked its systems, following threats by the group to post stolen company data on hacker forums.

Over 250 US News Websites Deliver Malware via Supply Chain Attack (SecurityWeek) Hundreds of regional and national news websites in the United States are delivering SocGholish malware due to a supply chain compromise.

Protecting Your Organization Against Vendor Fraud and Supply Chain Attacks (Armorblox) Know the three types of vendor fraud attacks and warning signs, including the ways these attacks can easily bypass your native email security controls. See real-world instances and how Armorblox protects organizations against vendor fraud attacks.

Security Patches, Mitigations, and Software Updates

Apple Releases Security Update for Xcode (CISA) Apple has released a security update to address vulnerabilities in Xcode. A remote attacker could exploit one of these vulnerabilities to take control of an affected system. The Cybersecurity and Infrastructure Security Agency (CISA) encourages users and administrators to review the Apple security page for Xcode 14.1 and apply the necessary update.

Cisco Releases Security Updates for Multiple Products (CISA) Cisco has released security updates for vulnerabilities affecting multiple products. A remote attacker could exploit some of these vulnerabilities to take control of an affected system. For updates addressing lower severity vulnerabilities, see the Cisco Security Advisories page. CISA encourages users and administrators to review the advisories and apply the necessary updates.

Cisco Patches High-Severity Bugs in Email, Identity, Web Security Products (SecurityWeek) Cisco has released patches for high-severity vulnerabilities in Identity Services Engine, Email Security Appliance, Secure Email and Web Manager, and Secure Web Appliance.

ETIC Telecom Remote Access Server (RAS) (CISA) 1. EXECUTIVE SUMMARY CVSS v3 9.0 ATTENTION: Exploitable remotely/low attack complexity Vendor: ETIC Telecom Equipment: Remote Access Server (RAS) Vulnerabilities: Insufficient Verification of Data Authenticity, Path Traversal, Unrestricted Upload of File with Dangerous Type 2.

Nokia ASIK AirScale System Module (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.4 ATTENTION: Low attack complexity Vendor: Nokia Equipment: ASIK AirScale 5G Common System Module Vulnerabilities: Improper Access Control for Volatile Memory Containing Boot Code, Assumed-Immutable Data is Stored in Writable Memory 2.

Delta Industrial Automation DIALink (CISA) 1. EXECUTIVE SUMMARY CVSS v3 8.1 ATTENTION: Exploitable remotely/low attack complexity Vendor: Delta Industrial Automation Equipment: DIALink Vulnerability: Path traversal 2. RISK EVALUATION Successful exploitation of this vulnerability could allow an attacker to place malicious code on the target device.

Volatile Geopolitics Shake the Trends of the 2022 Cybersecurity Threat Landscape (ENISA) With the geopolitical context giving rise to cyberwarfare and hacktivism, alarming cyber operations and malignant cyberattacks have altered the trends of the 10th edition of the Threat Landscape report released today by the European Union Agency for Cybersecurity (ENISA).

The State of Data Security: The Human Impact of Cybercrime from Rubrik Zero Labs (Rubrik) Rubrik Zero Labs is on a mission to deliver actionable, vendor-agnostic insights to reduce data security risks. Read more about the recent report, “The State of Data Security,” in this blog.

Rubrik Zero Labs Research Reveals One Third of Organizations Forced to Change Leadership as a Result of a Cyberattack (Rubrik) Rubrik Zero Labs is on a mission to deliver actionable, vendor-agnostic insights to reduce data security risks. Read more about the recent report, “The State of Data Security.”

The surprising relationship between Bitcoin and ransomware is investigated in White House summit (VentureBeat) Bitcoin and ransomware are moving money illegally. As this borderless threat evolves, governments are responding with new security methods.

ThreatQuotient Publishes 2022 State of Cybersecurity Automation Adoption Research Report (Business Wire) ThreatQuotient’s 2022 State of Cybersecurity Automation Adoption report sheds light on where cybersecurity automation brings the most benefit.

2023 Cyber Threat Predictions (Digital Shadows) As we move towards the end of 2022, now is the time to take a look back at the major trends from the last eleven months and identify what might happen from a cyber threat perspective in 2023. 2022 will likely be remembered for several reasons; notably the Russian invasion of Ukraine, the world recovering

IoT cybersecurity is slowly gaining mainstream attention (Help Net Security) In this interview for Help Net Security, Jason Oberg, CTO at Cycuity, talks about IoT devices cybersecurity, from production to usage.

Cyberspace ‘a battleground’ as reports of cybercrime in Australia jump 13% (the Guardian) Fraud, online shopping and banking among most commonly reported crimes, but ransomware ‘most destructive’, ASD says

Cyber community mourns renowned researcher Vitali Kremez (The Record by Recorded Future) The 36-year-old cybersecurity researcher and ethical hacker died while scuba diving off the coast of Hollywood Beach in Florida.

Remembering Vitali Kremez, Threat Intelligence Researcher (Bank Info Security) Tributes are being paid to Vitali Kremez, who has died at the age of 34 in a suspected scuba-diving accident. The renowned threat intelligence expert, born in Belarus, had long tracked Russian cybercrime syndicates and was part of an ad hoc group established to counter ransomware and help victims.

Apiiro Raises $100M After Palo Alto Networks Reportedly Ends Takeover Talks (CRN) Apiiro raises $100M after Palo Alto pulls out of takeover talks

Darwinium raises $10 million to deliver a new approach to customer protection (Help Net Security) Darwinium has revealed a seed funding round of $10M USD led by Blackbird alongside Airtree, Australian headquartered Venture Capitalist firms.

ECS Awarded $430M AESS Recompete by Army Cyber Command (Business Wire) ECS has won a five-year, $430 million, recompete contract to support the Army Endpoint Security System (AESS).

Twitter Tells Employees Jobs Cuts Will Be Announced Friday (Wall Street Journal) The move comes about a week after Elon Musk acquired the social-media platform.

Twitter Plans to Fire Employees by Email (The Information) Twitter employees will be notified by email by 9 a.m. Pacific Standard Time on Friday whether they will be laid off, according to a communication sent out to all Twitter employees on Thursday evening. It was the first employee-wide communication since Elon Musk closed his takeover of the social …

Twitter may have lost more than a million users since Elon Musk took over (MIT Technology Review) Estimates from Bot Sentinel suggest that more than 875,000 users deactivated their accounts between October 27 and November 1, while half a million more were suspended.

Analysis | What Musk might mean for cybersecurity at Twitter (Washington Post) The new owner has pledged changes that could affect the platform’s security.

Rapid7 lowers outlook, says sales team reorganization is taking longer than expected (Boston Business Journal) Shares of Rapid7 fell Thursday after the cybersecurity company detailed how a planned transition in the responsibilities of its salesforce is taking longer than expected.

Claroty Appoints CJ Radford as Global VP of Channels and Alliances (Yahoo) Claroty, the cyber-physical systems protection company, today announced the appointment of CJ Radford as global vice president of channels and alliances.

Constance Stack joins Next DLP as CEO (Help Net Security) Next DLP announced the appointment of Constance (“Connie”) Stack as its new chief executive officer to accelerate the company’s growth.

Products, Services, and Solutions

Armorblox Launches Protection against Organizations’ Biggest Threats: Vendor Compromise and Supply Chain Attacks (Armorblox) Armorblox Vendor and Supply Chain Attack Protection monitors over 50,000 vendors to safeguard organizations from compromised vendors and suppliers

Cabify Partners Up With Incode Technologies To Enhance Driver Security With Selfie Identity Verification Technology (PR Newswire) This partnership is a further step in Cabify’s security commitment to its collaborating drivers and taxi drivers by offering them the best identity…

Ansell Adopts Exabeam Fusion for Threat Detection, Investigation, and Response (Exabeam) Global PPE manufacturer selected Exabeam for the New-Scale SIEM™ leader’s simple, powerful Cisco security stack integrations FOSTER CITY – November 4, 2022 – Exabeam, a global cybersecurity leader and creator of New-Scale SIEM for advancing security operations, announced today that Ansell has adopted Exabeam Fusion security information and event management (SIEM) across its U.S. locations…

Technologies, Techniques, and Standards

[Project Description] Securing Water and Wastewater Utilities: Cybersecurity for the Water and Wastewater Systems Sector (CSRC) The National Cybersecurity Center of Excellence (NCCoE) is seeking feedback from all stakeholders in the water and wastewater utilities sector. In our efforts to ensure our guidance can benefit the broadest audience, the NCCOE is especially interested in hearing from water utilities of all sizes: small, medium and large.

Cyber Incident Reporting Framework (Cyber Threat Alliance) Multiple industry organizations have come together to provide input regarding cyber incident reporting. This group has identified a set of principles that the incident reporting regulation should incorporate, and we have developed a set of model reporting formats the Cybersecurity and Infrastructure Security Agency (CISA) could use as the foundation for the reporting forms.

Offense Gets the Glory, but Defense Wins the Game (SecurityWeek) Malicious actors are developing their playbooks in order to circumvent defenses and expand their networks of criminal affiliates.

CYBERCOM concludes CYBER FLAG 23 exercise (U.S. Cyber Command) U.S. Cyber Command hosted CYBER FLAG 23-1 (CF23-1), a Multinational Tactical Exercise, on October 17-28, as well as a Multinational Symposium (MNS) and Tabletop Exercise (TTX) on October 27-28 at the Joint Staff

Design and Innovation

Red Cross Seeks ‘Digital Emblem’ to Protect Against Hacking (SecurityWeek) The Red Cross is creating a “digital red cross/red crescent emblem” to tell hackers that they have entered the computer systems of medical facilities or Red Cross offices.

Could a ‘digital Red Cross emblem’ protect hospitals from cyber warfare? (The Record by Recorded Future) The International Committee of the Red Cross (ICRC) is proposing applying a “digital Red Cross” marker to certain systems used for medical and humanitarian purposes.

Everything You Need To Know About Earning An Associate In Cybersecurity (Forbes Advisor) Earning an associate degree in cybersecurity can help students and early-stage professionals prepare to earn industry certifications and entry-level cybersecurity jobs. If you’re wondering how to get into cybersecurity, an associate degree is a great way to get started.

Cybersecurity is a rapidly

Dublin Schools Get $500,000 IBM Grant To Boost Cybersecurity (Access Wire) “The team at IBM Security here in Ireland are looking forward to partnering with City of Dublin ETB over the…

Legislation, Policy, and Regulation

Canada Releases Latest National Cyber Threat Assessment (Organized Crime and Corruption Reporting Project) The state-sponsored cyber programs of China, Russia, Iran, and North Korea are the greatest strategic threats to Canadian online security, the Canadian Centre for Cyber Security claims in its latest National Cyber Threat Assessment.

Government to dilute Online Safety Bill rules on ‘legal but harmful’ content (Computing) The Bill is scheduled to be presented back to Parliament later this month

Overcoming Distrust in Information Sharing: What More is There to Do? (Security Intelligence) Information sharing is more important than ever with more cyber threats arising. How can we improve intel sharing between the public and private sectors to better arm organizations against these attacks?

NDAA Negotiations Will Determine Success of Several Cyber Solarium Goals ( Influence from major industry threatens once again to thwart lawmakers’ attempts to realize their policymaking goals through the annual defense authorization bill.

Senior Dem solicits input for health care cybersecurity legislation (The Record by Recorded Future) Sen. Mark Warner (D-Va.) on Thursday released a white paper about the cybersecurity threats facing the health care sector, issuing a call to private industry and the research community to offer feedback that would craft future legislation.

Cybersecurity is Patient Safety (Office of Senator Mark Warner) Over the past decade, the American public has witnessed increasingly brazen and disruptive attacks on its health care sector that jeopardize sensitive personal information, delay treatment, and ultimately lead to increased suffering and death.

Warner calls for cybersecurity workforce development, incentives for health sector (SC Media) Policy options developed by Sen. Mark Warner advocate for a number of incentive programs and workforce development initiatives to target systemic healthcare cybersecurity challenges.

Litigation, Investigation, and Law Enforcement

Twitter sued by former staff as Elon Musk begins mass sackings (the Guardian) Ex-employees say they were not given enough notice under US federal law over job losses

Public Records Site Isn’t Immune In FCRA Suit, 4th Circ. Says (Law360) An online aggregator of public records is not entitled to the same liability protections as social media platforms, the Fourth Circuit ruled Thursday, reviving a credit reporting class action that accuses the site of creating and selling background checks without adhering to accuracy and disclosure requirements.

TikTok privacy update in Europe confirms China staff access to data as GDPR probe continues (TechCrunch) An incoming privacy policy change made by TikTok yesterday for users in Europe names China as one of several countries where user data can be remotely accessed.

TikTok tells European users its staff in China get access to their data (the Guardian) Privacy policy update confirms data of continent’s users available to range of TikTok bases including in Brazil, Israel and US

New TikTok Privacy Policy Confirms Chinese Staff Can Access European Users’ Data (The Hacker News) TikTok has revised its privacy policy for European users to explicitly clarify that some employees from around the world, including China, may access

U.S. SEC considering action against SolarWinds over cyber disclosures (Reuters) The U.S. Securities and Exchange Commission has recommended an enforcement action against SolarWinds Corp over its public statements on cybersecurity and procedures governing such disclosures, the software firm said on Thursday.

SolarWinds Nears $26M Investor Deal As SEC Eyes Action (Law360) SolarWinds is nearing a $26 million deal to end a putative class action alleging shareholders were hurt after a massive cyberattack that’s been blamed on the software company, but the U.S. Securities and Exchange Commission may be filing an enforcement action, the company told investors on Thursday.

Ex-CEO Gets 5 Years For ‘Massive Fraud’ At Fallen Cyber Co. (Law360) A Manhattan federal judge sentenced a Nevada programmer and former CEO to five years in prison Thursday for a “brash” course of lies and fraud while running a cyberfraud prevention startup that went bankrupt despite $123 million of investor backing.

MGM Resorts Must Face Bulk Of Data Breach Suit, Judge Says (Law360) A federal judge in Nevada is allowing most of a putative class action against the hospitality giant MGM Resorts International to move forward, rejecting the company’s bid to escape claims that it mishandled customers’ personal data and essentially let hackers steal that information in 2019.

Ex-EBay Staffer Gets House Arrest For Stalking Ploy (Law360) A former low-level eBay Inc. security worker received one year of home confinement — plus a strong verbal reprimand — from a Boston federal judge Thursday for participating in a cyberstalking campaign designed to terrorize married e-commerce journalists.