Breach – INDIA NEWS (https://www.indiavpn.org), News Blog

U.S. Federal Agencies Ordered to Hunt for Signs of Microsoft Breach and Mitigate Risks
https://www.indiavpn.org/2024/04/12/u-s-federal-agencies-ordered-to-hunt-for-signs-of-microsoft-breach-and-mitigate-risks/
Fri, 12 Apr 2024 05:15:56 +0000

Apr 12, 2024 | Newsroom | Cyber Attack / Data Breach

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) on Thursday issued an emergency directive (ED 24-02) urging federal agencies to hunt for signs of compromise and enact preventive measures following the recent compromise of Microsoft’s systems that led to the theft of email correspondence with the company.

The attack, which came to light earlier this year, has been attributed to a Russian nation-state group tracked as Midnight Blizzard (aka APT29 or Cozy Bear). Last month, Microsoft revealed that the adversary managed to access some of its source code repositories but noted that there is no evidence of a breach of customer-facing systems.

The emergency directive, which was originally issued privately to federal agencies on April 2, was first reported on by CyberScoop two days later.


“The threat actor is using information initially exfiltrated from the corporate email systems, including authentication details shared between Microsoft customers and Microsoft by email, to gain, or attempt to gain, additional access to Microsoft customer systems,” CISA said.

The agency said the theft of email correspondence between government entities and Microsoft poses severe risks, urging concerned parties to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.

It’s currently not clear how many federal agencies have had their email exchanges exfiltrated in the wake of the incident, although CISA said all of them have been notified.

The agency is also urging affected entities to perform a cybersecurity impact analysis by April 30, 2024, and provide a status update by May 1, 2024, 11:59 p.m. Other organizations that are impacted by the breach are advised to contact their respective Microsoft account team for any additional questions or follow-up.


“Regardless of direct impact, all organizations are strongly encouraged to apply stringent security measures, including strong passwords, multi-factor authentication (MFA) and prohibited sharing of unprotected sensitive information via unsecure channels,” CISA said.

The development comes as CISA released a new version of its malware analysis system, called Malware Next-Gen, that allows organizations to submit malware samples (anonymously or otherwise) and other suspicious artifacts for analysis.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.



U.S. Cyber Safety Board Slams Microsoft Over Breach by China-Based Hackers
https://www.indiavpn.org/2024/04/03/u-s-cyber-safety-board-slams-microsoft-over-breach-by-china-based-hackers/
Wed, 03 Apr 2024 18:07:42 +0000

Apr 03, 2024 | Newsroom | Data Breach / Incident Response

The U.S. Cyber Safety Review Board (CSRB) has criticized Microsoft for a series of security lapses that led to the breach of nearly two dozen companies across Europe and the U.S. by a China-based nation-state group called Storm-0558 last year.

The findings, released by the Department of Homeland Security (DHS) on Tuesday, found that the intrusion was preventable, and that it became successful due to a “cascade of Microsoft’s avoidable errors.”

“It identified a series of Microsoft operational and strategic decisions that collectively pointed to a corporate culture that deprioritized enterprise security investments and rigorous risk management, at odds with the company’s centrality in the technology ecosystem and the level of trust customers place in the company to protect their data and operations,” the DHS said in a statement.

The CSRB also lambasted the tech titan for failing to detect the compromise on its own, instead relying on a customer to reach out to flag the breach. It further faulted Microsoft for not prioritizing the development of an automated key rotation solution and rearchitecting its legacy infrastructure to meet the needs of the current threat landscape.

The incident first came to light in July 2023 when Microsoft revealed that Storm-0558 gained unauthorized access to 22 organizations as well as more than 500 related individual consumer accounts.


Microsoft subsequently said a validation error in its source code made it possible for Azure Active Directory (Azure AD) tokens to be forged by Storm-0558 using a Microsoft account (MSA) consumer signing key, thus allowing the adversary to infiltrate the mailboxes.
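The validation error described above is, at its core, a key-trust boundary problem: a signing key that belongs to one issuer was accepted as proof for tokens of another. As an added illustration (not Microsoft's code, and not a reconstruction of the actual bug), the following Python contrasts a validator that resolves a key id across every key set it knows with one that resolves it only within the key set of the issuer it expects. Issuer URLs, key ids, claims and the HMAC-based token format are constructed for this example; real Azure AD and MSA tokens are RSA-signed JWTs with keys published per issuer.

```python
# Added illustration, not Microsoft's code: a toy token validator showing why a
# signing key must be trusted only for the issuer it belongs to. Issuer URLs,
# key ids, claims and the HMAC "token" format are constructed for this example.
import base64
import hashlib
import hmac
import json

# Constructed key material: one key set per issuer, each indexed by key id (kid).
CONSUMER_ISS = "https://consumer.example.test"
ENTERPRISE_ISS = "https://enterprise.example.test"
KEY_SETS = {
    CONSUMER_ISS: {"msa-key-1": b"consumer-signing-secret-constructed"},
    ENTERPRISE_ISS: {"aad-key-1": b"enterprise-signing-secret-constructed"},
}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _mac(key: bytes, signing_input: str) -> bytes:
    return hmac.new(key, signing_input.encode(), hashlib.sha256).digest()


def sign_token(kid: str, key: bytes, claims: dict) -> str:
    """Mint a toy 'header.payload.signature' token with the given key."""
    header = _b64(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64(_mac(key, signing_input))}"


def _parse(token: str):
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_unb64(header_b64))
    claims = json.loads(_unb64(payload_b64))
    return header, claims, f"{header_b64}.{payload_b64}", _unb64(sig_b64)


def validate_flawed(token: str) -> bool:
    """Flawed pattern: resolve the kid against every key set and trust whichever
    key verifies. A token signed with a consumer key is then accepted as proof of
    an enterprise identity, which is the class of error the article describes."""
    header, _claims, signing_input, sig = _parse(token)
    for keys in KEY_SETS.values():
        key = keys.get(header.get("kid"))
        if key is not None and hmac.compare_digest(_mac(key, signing_input), sig):
            return True
    return False


def validate_hardened(token: str, expected_issuer: str) -> bool:
    """Hardened pattern: the relying party names the issuer it accepts, the kid is
    resolved only within that issuer's key set, and the iss claim must agree."""
    header, claims, signing_input, sig = _parse(token)
    if claims.get("iss") != expected_issuer:
        return False
    key = KEY_SETS.get(expected_issuer, {}).get(header.get("kid"))
    if key is None:
        return False
    return hmac.compare_digest(_mac(key, signing_input), sig)


def demo() -> tuple:
    """Returns (flawed accepts cross-signed token, hardened accepts cross-signed
    token, hardened accepts legitimate token)."""
    claims = {"iss": ENTERPRISE_ISS, "sub": "user@example.test"}
    # Same enterprise claims, but signed with a key from the consumer key set.
    cross_signed = sign_token("msa-key-1", KEY_SETS[CONSUMER_ISS]["msa-key-1"], claims)
    legitimate = sign_token("aad-key-1", KEY_SETS[ENTERPRISE_ISS]["aad-key-1"], claims)
    return (
        validate_flawed(cross_signed),
        validate_hardened(cross_signed, ENTERPRISE_ISS),
        validate_hardened(legitimate, ENTERPRISE_ISS),
    )


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

The hardened form also gives a defender a concrete audit question for any token-consuming service: does the code path that picks a verification key start from the issuer the service trusts, or from whatever key id the token presents?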

In September 2023, the company divulged that Storm-0558 acquired the consumer signing key to forge the tokens by compromising an engineer’s corporate account that had access to a debugging environment hosting a crash dump of its consumer signing system that also inadvertently contained the signing key.

Microsoft has since acknowledged in a March 2024 update that this account was inaccurate and that it has still not been able to locate a “crash dump containing the impacted key material.” It also said its investigation into the hack remains ongoing.

“Our leading hypothesis remains that operational errors resulted in key material leaving the secure token signing environment that was subsequently accessed in a debugging environment via a compromised engineering account,” it noted.


“Recent events have demonstrated a need to adopt a new culture of engineering security in our own networks,” a Microsoft spokesperson was quoted as saying to The Washington Post.

As many as 60,000 unclassified emails from Outlook accounts are believed to have been exfiltrated over the course of the campaign that began in May 2023. China has rejected accusations that it was behind the attack.

Earlier this February, Redmond expanded free logging capabilities to all U.S. federal agencies using Microsoft Purview Audit, irrespective of the license tier, to help them detect, respond to, and prevent sophisticated cyber attacks.

“The threat actor responsible for this brazen intrusion has been tracked by industry for over two decades and has been linked to 2009 Operation Aurora and 2011 RSA SecurID compromises,” said CSRB Acting Deputy Chair Dmitri Alperovitch.

“This People’s Republic of China affiliated group of hackers has the capability and intent to compromise identity systems to access sensitive data, including emails of individuals of interest to the Chinese government.”


To safeguard against threats from state-sponsored actors, cloud service providers are recommended to:

  • Implement modern control mechanisms and baseline practices
  • Adopt a minimum standard for default audit logging in cloud services
  • Incorporate emerging digital identity standards to secure cloud services
  • Adopt incident and vulnerability disclosure practices to maximize transparency
  • Develop more effective victim notification and support mechanisms to drive information-sharing efforts

“The United States government should update the Federal Risk Authorization Management Program and supporting frameworks and establish a process for conducting discretionary special reviews of the program’s authorized Cloud Service Offerings following especially high-impact situations,” the CSRB said.

Russia Hackers Using TinyTurla-NG to Breach European NGO’s Systems
https://www.indiavpn.org/2024/03/21/russia-hackers-using-tinyturla-ng-to-breach-european-ngos-systems/
Thu, 21 Mar 2024 17:28:23 +0000

Mar 21, 2024 | Newsroom | Threat Intelligence / Malware

The Russia-linked threat actor known as Turla infected several systems belonging to an unnamed European non-governmental organization (NGO) in order to deploy a backdoor called TinyTurla-NG.

“The attackers compromised the first system, established persistence and added exclusions to antivirus products running on these endpoints as part of their preliminary post-compromise actions,” Cisco Talos said in a new report published today.

“Turla then opened additional channels of communication via Chisel for data exfiltration and to pivot to additional accessible systems in the network.”

There is evidence indicating that the infected systems were breached as early as October 2023, with Chisel deployed in December 2023 and data exfiltration via the tool taking place a month later, around January 12, 2024.


TinyTurla-NG was first documented by the cybersecurity company last month after it was found to be used in connection with a cyber attack targeting a Polish NGO working on improving Polish democracy and supporting Ukraine during the Russian invasion.

Cisco Talos told The Hacker News at the time that the campaign appears to be highly targeted and focused on a small number of organizations, most of which are located in Poland.


The attack chain involves Turla exploiting their initial access to configure Microsoft Defender antivirus exclusions to evade detection and drop TinyTurla-NG, which is then persisted by creating a malicious “sdm” service that masquerades as a “System Device Manager” service.

TinyTurla-NG acts as a backdoor to conduct follow-on reconnaissance, exfiltrate files of interest to a command-and-control (C2) server, and deploy a custom-built version of the Chisel tunneling software. The exact intrusion pathway is still being investigated.

“Once the attackers have gained access to a new box, they will repeat their activities to create Microsoft Defender exclusions, drop the malware components, and create persistence,” Talos researchers said.
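The host-side traces in this chain (an exclusion added, a binary dropped, a service created) are ones a defender can look for in existing telemetry. The following Python is an added example, not Talos's code or tooling: it runs over constructed event records that follow the message text of Windows Defender operational event 5007 (configuration changed) and System log event 7045 (service installed), flags exclusion additions and the "sdm" / "System Device Manager" service pair the report names, and links a flagged service to an exclusion that covers its binary's path.

```python
# Added example, not Cisco Talos's code: look for the two host-side traces the
# report describes (Defender exclusions being added, and a service named "sdm"
# presented as "System Device Manager") in simplified Windows event records, and
# tie them together when the persisted binary sits under an excluded path.
# The records are constructed for this example; they follow the message text of
# Windows Defender event 5007 and System log event 7045 but are not from a real host.
import re
from dataclasses import dataclass


@dataclass
class Event:
    event_id: int
    message: str


SAMPLE_EVENTS = [  # constructed
    Event(5007, "Windows Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData\update = 0x0"),
    Event(5007, "Windows Defender Antivirus Configuration has changed. New value: "
                r"HKLM\SOFTWARE\Microsoft\Windows Defender\Scan\ScanParameters = 0x1"),
    Event(7045, "A service was installed in the system. Service Name: sdm "
                r"Service File Name: C:\ProgramData\update\svc.dll Display Name: System Device Manager"),
    Event(7045, "A service was installed in the system. Service Name: Sense "
                r"Service File Name: C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe "
                "Display Name: Windows Defender Advanced Threat Protection Service"),
]

EXCLUSION_RE = re.compile(
    r"Windows Defender\\Exclusions\\(?P<kind>Paths|Processes|Extensions)\\(?P<value>[^=]+?)\s*=", re.I)
SERVICE_RE = re.compile(
    r"Service Name:\s*(?P<name>\S+)\s+Service File Name:\s*(?P<path>.+?)\s+Display Name:\s*(?P<display>.+)$", re.I)

# Service name / display name pair the report attributes to TinyTurla-NG persistence.
KNOWN_MASQUERADE = {("sdm", "system device manager")}
# Locations a Windows service binary has little legitimate reason to live in.
USER_WRITABLE = ("\\programdata\\", "\\users\\public\\", "\\appdata\\", "\\temp\\")


def analyze(events):
    """Return a list of (finding, subject, detail) tuples in event order."""
    findings = []
    excluded_paths = []
    for ev in events:
        if ev.event_id == 5007:
            m = EXCLUSION_RE.search(ev.message)
            if m:
                kind, value = m["kind"].lower(), m["value"].strip()
                findings.append(("defender_exclusion_added", kind, value))
                if kind == "paths":
                    excluded_paths.append(value.lower())
        elif ev.event_id == 7045:
            m = SERVICE_RE.search(ev.message)
            if not m:
                continue
            name, path, display = m["name"], m["path"].strip(), m["display"].strip()
            if (name.lower(), display.lower()) in KNOWN_MASQUERADE:
                findings.append(("suspicious_service", name, "name/display pair reported for TinyTurla-NG"))
            elif any(marker in path.lower() for marker in USER_WRITABLE):
                findings.append(("suspicious_service", name, "binary in user-writable directory"))
            else:
                continue
            # The report describes exclusions being added before the implant is
            # dropped and persisted, so a flagged service whose binary sits under a
            # freshly excluded path is the strongest signal this script produces.
            for excl in excluded_paths:
                if path.lower().startswith(excl):
                    findings.append(("persistence_under_excluded_path", name, excl))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_EVENTS):
        print(finding)
```

Real exports (EVTX via a SIEM, or Defender's own configuration-change telemetry) carry the same fields; the regexes are the only part that would need adjusting to a given export format, and the known-name match should be treated as one indicator among the generic ones, since the service name can be changed trivially between intrusions.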

QEMU Emulator Exploited as Tunneling Tool to Breach Company Network
https://www.indiavpn.org/2024/03/08/qemu-emulator-exploited-as-tunneling-tool-to-breach-company-network/
Fri, 08 Mar 2024 10:05:48 +0000

Mar 08, 2024 | Newsroom | Endpoint Security / Network Security

Threat actors have been observed leveraging the QEMU open-source hardware emulator as tunneling software during a cyber attack targeting an unnamed “large company” to connect to their infrastructure.

While a number of legitimate tunneling tools like Chisel, FRP, ligolo, ngrok, and Plink have been used by adversaries to their advantage, this is the first known case of QEMU being used for this purpose.

“We found that QEMU supported connections between virtual machines: the -netdev option creates network devices (backend) that can then connect to the virtual machines,” Kaspersky researchers Grigory Sablin, Alexander Rodchenko, and Kirill Magaskin said.

“Each of the numerous network devices is defined by its type and supports extra options.”


In other words, the idea is to create a virtual network interface and a socket-type network interface, thereby allowing the virtual machine to communicate with any remote server.

The Russian cybersecurity company said it was able to use QEMU to set up a network tunnel from an internal host within the enterprise network that had no internet access to a pivot host with internet access, which in turn connects to the attacker’s cloud server running the emulator.
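A detection built on the traits Kaspersky describes (QEMU started with a socket-type -netdev backend pointed at a remote host, and a guest with nothing to actually boot) is shown below as an added example; it is not Kaspersky's code. Hostnames, users, paths, addresses and the process-record layout are constructed for this example, and the scoring weights and threshold are a starting point to tune against an organisation's own legitimate QEMU usage.

```python
# Added example, not Kaspersky's code: score process-creation records for QEMU
# started as a network tunnel rather than as a virtual machine, using the traits
# the article describes (a socket-type -netdev backend pointed at a remote host,
# and a guest that has nothing to run). Hosts, users, paths, addresses and the
# record layout are constructed for this example; EDR export formats vary.
import shlex
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str
    user: str
    cmdline: str


SAMPLE_EVENTS = [  # constructed
    # Tiny guest, no media, socket backend connecting out: matches the tunnel pattern.
    ProcessEvent("ws-17", "CORP\\jdoe",
                 r'"C:\tools\qemu\qemu-system-i386.exe" -m 1M -netdev user,id=lan '
                 r'-netdev socket,id=sock,connect=203.0.113.10:443 -nographic'),
    # Ordinary developer VM with a disk image and user-mode networking.
    ProcessEvent("dev-03", "CORP\\build",
                 "qemu-system-x86_64 -enable-kvm -m 4096 -hda ubuntu.qcow2 "
                 "-netdev user,id=n1 -device e1000,netdev=n1"),
    # Two lab VMs linked over a socket backend: connect= is present, but so is a
    # bootable disk and a normal memory size, so it stays below the threshold.
    ProcessEvent("lab-09", "CORP\\qa",
                 "qemu-system-x86_64 -m 2048 -drive file=node2.img,format=raw "
                 "-netdev socket,id=s,connect=10.0.0.5:1234 -device e1000,netdev=s"),
]

MEDIA_FLAGS = {"-hda", "-hdb", "-drive", "-cdrom", "-kernel", "-initrd"}


def _mem_mb(tokens):
    """Parse '-m 1M' / '-m 4096' / '-m size=2G' into megabytes (None if absent)."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-m":
            raw = tokens[i + 1].split(",")[0].lower()
            raw = raw[len("size="):] if raw.startswith("size=") else raw
            if raw.endswith("g"):
                return int(raw[:-1]) * 1024
            return int(raw.rstrip("m"))
    return None


def _netdevs(tokens):
    """Yield (backend, options) for every -netdev argument on the command line."""
    for i, tok in enumerate(tokens[:-1]):
        if tok == "-netdev":
            backend, _, rest = tokens[i + 1].partition(",")
            opts = dict(kv.split("=", 1) for kv in rest.split(",") if "=" in kv)
            yield backend, opts


def score_qemu(cmdline: str):
    """Return (score, reasons); a score of 5 or more is reported as a likely tunnel."""
    tokens = shlex.split(cmdline, posix=False)  # keep Windows backslashes intact
    if not tokens or "qemu" not in tokens[0].lower():
        return 0, []
    reasons = []
    if any(b == "socket" and "connect" in o for b, o in _netdevs(tokens)):
        reasons.append(("socket backend connecting to a remote endpoint", 3))
    if not any(t in MEDIA_FLAGS for t in tokens):
        reasons.append(("no disk, cdrom or kernel to boot", 2))
    mem = _mem_mb(tokens)
    if mem is not None and mem <= 16:
        reasons.append(("guest memory too small to run anything", 2))
    if "-nographic" in tokens:
        reasons.append(("headless", 1))
    return sum(w for _, w in reasons), [r for r, _ in reasons]


def analyze(events):
    """Return (host, user, verdict, score, reasons) per event."""
    out = []
    for ev in events:
        score, reasons = score_qemu(ev.cmdline)
        verdict = "likely-tunnel" if score >= 5 else "benign"
        out.append((ev.host, ev.user, verdict, score, reasons))
    return out


if __name__ == "__main__":
    for row in analyze(SAMPLE_EVENTS):
        print(row)
```

The point of scoring rather than matching on `-netdev socket` alone is the third sample: socket backends are a legitimate way to wire lab VMs together, and it is the combination with an empty, headless, near-zero-memory guest that makes the process a tunnel and nothing else. Pair the rule with an allow-list of hosts that are expected to run QEMU at all.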


The findings show that threat actors are continuously diversifying their attack strategies to blend their malicious traffic with actual activity and meet their operational goals.

“Malicious actors using legitimate tools to perform various attack steps is nothing new to incident response professionals,” the researchers said.

“This further supports the concept of multi-level protection, which covers both reliable endpoint protection, and specialized solutions for detecting and protecting against complex and targeted attacks including human-operated ones.”

Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network
https://www.indiavpn.org/2024/02/07/chinese-hackers-exploited-fortigate-flaw-to-breach-dutch-military-network/
Wed, 07 Feb 2024 07:52:03 +0000

Feb 07, 2024 | Newsroom | Cyber Espionage / Network Security

Chinese state-backed hackers broke into a computer network that’s used by the Dutch armed forces by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not lead to any damage to the defense network.” The network had fewer than 50 users.

The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3) that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests.


Successful exploitation of the flaw paved the way for the deployment of a backdoor dubbed COATHANGER from an actor-controlled server that’s designed to grant persistent remote access to the compromised appliances.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Cyber Security Centre (NCSC) said. “It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa as early as October 2022.

The development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.


It also arrives days after U.S. authorities took steps to dismantle a botnet comprising out-of-date Cisco and Netgear routers that were used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a remote server and exfiltrating sensitive data.

Tech Giant HP Enterprise Hacked by Russian Hackers Linked to DNC Breach
https://www.indiavpn.org/2024/01/25/tech-giant-hp-enterprise-hacked-by-russian-hackers-linked-to-dnc-breach/
Thu, 25 Jan 2024 07:01:06 +0000

Jan 25, 2024 | Newsroom | Cyber Attack / Data Breach

Hackers with links to the Kremlin are suspected to have infiltrated information technology company Hewlett Packard Enterprise’s (HPE) cloud email environment to exfiltrate mailbox data.

“The threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions,” the company said in a regulatory filing with the U.S. Securities and Exchange Commission (SEC).

The intrusion has been attributed to the Russian state-sponsored group known as APT29, which is also tracked under the monikers BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

The disclosure arrives days after Microsoft implicated the same threat actor in the breach of its corporate systems in late November 2023 to steal emails and attachments from senior executives and other individuals in the company’s cybersecurity and legal departments.


HPE said it was notified of the incident on December 12, 2023, meaning that the threat actors persisted within its network undetected for more than six months.

It also noted that the attack is likely connected to a prior security event, also attributed to APT29, which involved unauthorized access to and exfiltration of a limited number of SharePoint files as early as May 2023. HPE was alerted to that malicious activity in June 2023.

HPE, however, emphasized that the incident has not had any material impact on its operations to date. The company did not disclose the scale of the attack and the exact email information that was accessed.

APT29, assessed to be part of Russia’s Foreign Intelligence Service (SVR), has been behind some high-profile hacks in recent years, including the 2016 attack on the Democratic National Committee and the 2020 SolarWinds supply chain compromise.

U.S., U.K., Australia Sanction Russian REvil Hacker Behind Medibank Breach
https://www.indiavpn.org/2024/01/24/u-s-u-k-australia-sanction-russian-revil-hacker-behind-medibank-breach/
Wed, 24 Jan 2024 16:38:14 +0000

Jan 24, 2024 | Newsroom | Cryptocurrency / Cybercrime

Governments from Australia, the U.K., and the U.S. have imposed financial sanctions on a Russian national for his alleged role in the 2022 ransomware attack against health insurance provider Medibank.

Alexander Ermakov (aka blade_runner, GistaveDore, GustaveDore, or JimJones), 33, has been tied to the breach of the Medibank network as well as the theft and release of Personally Identifiable Information (PII) belonging to the Australian company.

The ransomware attack, which took place in late October 2022 and was attributed to the now-defunct REvil ransomware crew, led to unauthorized access to the data of approximately 9.7 million of the insurer’s current and former customers.


The stolen information included names, dates of birth, Medicare numbers, and sensitive medical information, including records on mental health, sexual health and drug use. Some of these records were leaked on the dark web.

As part of the trilateral action, the sanctions make it a criminal offense to provide assets to Ermakov, or to use or deal with his assets, including through cryptocurrency wallets or ransomware payments.

The offense is punishable by up to 10 years’ imprisonment. In addition, the Australian government has also imposed a travel ban on Ermakov.

The U.K. government said the penalty is their latest effort “to counter malicious cybercriminal activity emanating from Russia that seeks to undermine integrity and prosperity” of the country and its allies.

Besides criticizing Russia for providing a safe haven to malicious cyber actors, the U.S. Department of the Treasury called out the East European nation for enabling ransomware attacks by cultivating and co-opting criminal groups.


It further called on Russia to take concrete steps to prevent cyber criminals from freely operating in its jurisdiction.

“Russian cyber actors continue to wage disruptive ransomware attacks against the United States and allied countries, targeting our businesses, including critical infrastructure, to steal sensitive data,” said Under Secretary of the Treasury Brian E. Nelson.

“This action demonstrates that the United States stands with our partners to disrupt ransomware actors who victimize the backbone of our economies and critical infrastructure,” the Treasury Department noted.

Crypto Hardware Wallet Ledger’s Supply Chain Breach Results in $600,000 Theft
https://www.indiavpn.org/2023/12/26/crypto-hardware-wallet-ledgers-supply-chain-breach-results-in-600000-theft/
Tue, 26 Dec 2023 01:18:21 +0000

Dec 15, 2023 | Newsroom | Cryptocurrency / Malware

Crypto hardware wallet maker Ledger published a new version of its “@ledgerhq/connect-kit” npm module after unidentified threat actors pushed malicious code that led to the theft of more than $600,000 in virtual assets.

The compromise was the result of a former employee falling victim to a phishing attack, the company said in a statement.

This allowed the attackers to gain access to Ledger’s npm account and upload three malicious versions of the module (1.1.5, 1.1.6, and 1.1.7), propagating crypto drainer malware to other applications that depend on the module and resulting in a software supply chain breach.


“The malicious code used a rogue WalletConnect project to reroute funds to a hacker wallet,” Ledger said.

Connect Kit, as the name implies, makes it possible to connect DApps (short for decentralized applications) to Ledger’s hardware wallets.

According to security firm Sonatype, version 1.1.7 directly embedded a wallet-draining payload to execute unauthorized transactions in order to transfer digital assets to an actor-controlled wallet.

Versions 1.1.5 and 1.1.6, while lacking an embedded drainer, were modified to download a secondary npm package, identified as 2e6d5f64604be31, which acted as a crypto drainer. The module is still available for download as of writing.


“Once installed into your software, the malware presents the users with a fake modal prompt that invites them to connect wallets,” Sonatype researcher Ilkka Turunen said. “Once the users click through this modal, the malware begins draining funds from the connected wallets.”

The malicious file is estimated to have been live for around five hours, although the active exploitation window during which the funds were drained was limited to a period of less than two hours.


Revoke.cash, which was one of the companies affected by the incident, said Ledger lacked two-factor authentication (2FA) protections for its deployment systems, thereby allowing an attacker to use the developer’s compromised account to publish a malicious version of the software.

Ledger has since removed all three malicious versions of Connect Kit from npm and published 1.1.8 to mitigate the issue. It has also reported the threat actor’s wallet addresses and noted that stablecoin issuer Tether has frozen the stolen funds.
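For teams that consumed the module, the first question is whether any build resolved one of the three malicious releases. The following Python is an added example, not Ledger's or Sonatype's code: it walks a package-lock.json (constructed here, in the lockfileVersion 2/3 layout where every installed package is listed under "packages" keyed by its node_modules path) and reports Connect Kit at 1.1.5, 1.1.6 or 1.1.7, any installed copy of 2e6d5f64604be31, and the 1.1.8 release the article names as the replacement.

```python
# Added example, not Ledger's or Sonatype's code: audit a package-lock.json for
# the Connect Kit releases the article names as malicious (1.1.5, 1.1.6, 1.1.7)
# and for the secondary drainer package 2e6d5f64604be31, reporting the release
# the article says replaced them (1.1.8). The lockfile below is constructed for
# this example and uses the lockfileVersion 2/3 "packages" layout.
import json

# Package -> set of known-bad versions; None means every version of that package.
MALICIOUS = {
    "@ledgerhq/connect-kit": {"1.1.5", "1.1.6", "1.1.7"},
    "2e6d5f64604be31": None,
}
FIXED_VERSION = {"@ledgerhq/connect-kit": "1.1.8"}

SAMPLE_LOCKFILE = json.dumps({  # constructed
    "name": "example-dapp",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-dapp",
             "dependencies": {"@ledgerhq/connect-kit": "^1.1.0", "wallet-ui": "2.0.0"}},
        "node_modules/@ledgerhq/connect-kit": {
            "version": "1.1.6",
            "resolved": "https://registry.npmjs.org/@ledgerhq/connect-kit/-/connect-kit-1.1.6.tgz"},
        "node_modules/2e6d5f64604be31": {"version": "0.0.1"},
        "node_modules/wallet-ui": {"version": "2.0.0"},
        # A nested copy already on the fixed release: must not be reported.
        "node_modules/wallet-ui/node_modules/@ledgerhq/connect-kit": {"version": "1.1.8"},
    },
})


def package_name(path: str) -> str:
    """'node_modules/a/node_modules/@scope/b' -> '@scope/b' (last node_modules segment)."""
    return path.rsplit("node_modules/", 1)[-1]


def audit_lockfile(text: str):
    """Return one dict per installed package that matches the known-bad set."""
    lock = json.loads(text)
    findings = []
    for path, meta in lock.get("packages", {}).items():
        if not path:
            continue  # "" is the root project itself, not an installed package
        name = package_name(path)
        if name not in MALICIOUS:
            continue
        version = meta.get("version", "unknown")
        bad = MALICIOUS[name]
        if bad is None or version in bad:
            findings.append({
                "path": path,
                "package": name,
                "version": version,
                "action": (f"upgrade to {FIXED_VERSION[name]}" if name in FIXED_VERSION
                           else "remove; the package is itself the payload"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_lockfile(SAMPLE_LOCKFILE):
        print(f"{f['path']}: {f['package']}@{f['version']} -> {f['action']}")
```

Because 1.1.5 and 1.1.6 pulled the drainer down at runtime rather than declaring it as a dependency, 2e6d5f64604be31 will usually be absent from a lockfile even on an affected build; the Connect Kit version check is the reliable signal, and the package-name check only catches copies that were actually installed.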

If anything, the development underscores the continued targeting of open-source ecosystems, with software registries such as PyPI and npm increasingly used as vectors for installing malware through supply chain attacks.

“The specific targeting of cryptocurrency assets demonstrates the evolving tactics of cybercriminals to achieve significant financial gains within the space of hours, directly monetising their malware,” Turunen noted.

Update

The fraudulent npm module in question, 2e6d5f64604be31, has now been removed from the package repository by its security team for containing “malicious code.”

MongoDB Suffers Security Breach, Exposing Customer Data
https://www.indiavpn.org/2023/12/25/mongodb-suffers-security-breach-exposing-customer-data/
Mon, 25 Dec 2023 17:44:24 +0000

Dec 17, 2023 | Newsroom | Cyber Attack / Data Security

MongoDB on Saturday disclosed it’s actively investigating a security incident that has led to unauthorized access to “certain” corporate systems, resulting in the exposure of customer account metadata and contact information.

The American database software company said it first detected anomalous activity on December 13, 2023, and that it immediately activated its incident response efforts.

It further noted that “this unauthorized access has been going on for some period of time before discovery,” but emphasized it’s not “aware of any exposure to the data that customers store in MongoDB Atlas.” It did not disclose the exact time period of the compromise.

In light of the breach, MongoDB recommends that all customers be on the lookout for social engineering and phishing attacks, enforce phishing-resistant multi-factor authentication (MFA), as well as rotate their MongoDB Atlas passwords.


That’s not all. The company said it’s also experiencing elevated login attempts that are causing issues for customers attempting to log in to Atlas and its Support Portal. It, however, said the problem is unrelated to the security event, and that it was resolved as of December 16, 10:22 p.m. ET.

When reached for comment, MongoDB told The Hacker News that the incident is a matter of ongoing investigation and that it will “provide updates as soon as we can.”

Update (as of December 17, 9:00 p.m. ET)

In a follow-up statement shared with the publication, the company said it found no evidence of unauthorized access to MongoDB Atlas clusters:

To be clear, we have not identified any security vulnerability in any MongoDB product as a result of this incident. It is important to note that MongoDB Atlas cluster access is authenticated via a separate system from MongoDB corporate systems, and we have found no evidence that the Atlas cluster authentication system has been compromised.

We are aware of unauthorized access to some corporate systems that contain customer names, phone numbers, and email addresses among other customer account metadata, including system logs for one customer. We have notified the affected customer. At this time, we have found no evidence that any other customers’ system logs were accessed.

We are continuing with our investigation, and are working with relevant authorities and forensic firms.

Update (as of December 18, 9:00 p.m. ET)

MongoDB, in an update to its advisory, said it was a victim of a phishing attack and that the malicious actor used Mullvad VPN to conceal their origins. It listed a total of 15 IP addresses from which the activity originated.

However, the company has yet to disclose when the attack took place, which systems were accessed, and how many customers’ information may be affected by the breach of its corporate systems.

Update (as of December 20, 9:00 p.m. ET)

In a follow-up revision to its advisory, MongoDB said that the phishing attack allowed the unauthorized third party to gain access to some of the corporate applications used to provide support services to MongoDB customers. It also shared the contact information and related account metadata that were accessed from the compromised apps.

Cost of a Data Breach Report 2023: Insights, Mitigators and Best Practices
https://www.indiavpn.org/2023/12/24/cost-of-a-data-breach-report-2023-insights-mitigators-and-best-practices/
Sun, 24 Dec 2023 01:29:15 +0000

John Hanley of IBM Security shares 4 key findings from the highly acclaimed annual Cost of a Data Breach Report 2023
What is the IBM Cost of a Data Breach Report?
The IBM Cost of a Data Breach Report is an annual report that provides organizations with quantifiable information about the financial impacts of breaches. With this data, they can make data driven decisions about how they implement
