Misinformation and #Cyberespionage Top #WEF's Global Risks Report 2025
cyberespionage
Microsoft reported that APT28 (Fancy Bear, Forest Blizzard) used a custom tool to elevate privileges and steal credentials in compromised networks. This GooseEgg tool leveraged CVE-2022-38028 (7.8 high, disclosed 11 October 2022 by Microsoft; Windows Print Spooler Elevation of Privilege Vulnerability). APT28 is publicly attributed to Russian General Staff Main Intelligence Directorate (GRU). IOC provided. https://www.microsoft.com/en-us/security/blog/2024/04/22/analyzing-forest-blizzards-custom-post-compromise-tool-for-exploiting-cve-2022-38028-to-obtain-credentials/
#APT28 #cyberespionage #Russia #FancyBear #ForestBlizzard #CVE_2022_38028 #eitw #activeexploitation #GooseEgg
Der Spiegel and ZDF both reported that Chinese state-sponsored hackers repeatedly hacked the Volkswagen Group (as well as the sister brands Audi and Bentley) from 2010 to 2015. According to @hatr, Volkswagen CERT was able to restore deleted RAR archives (ATT&CK Indicator Removal: File Deletion T1070.004) that were exfiltrated, showing that the targeted documents were about the development of gasoline engines, transmissions developments (especially dual clutch transmissions), and electric vehicles (fuel cells, and automatic transmissions). While ZDF's article concentrates on the overall security event, Der Spiegel highlights the incident response containment. Interestingly, Der Spiegel links the People's Liberation Army (PLA) but walks it back in the next sentence.
Der Spiegel: VW Group was spied on for years - by China?
ZDF: The big hack at VW - China in focus
hakan's toot
MITRE disclosed that one of their research and development networks was compromised by a foreign nation-state threat actor in January 2024 using Ivanti Connect Secure zero-days CVE-2023-46805 and CVE-2024-21887. Networked Experimentation, Research, and Virtualization Environment (NERVE) is a collaborative network used for research, development, and prototyping. MITRE included a timeline, observed TTP methods (mapped out to MITRE ATT&CK techniques cc: @howelloneill) and their incident response actions. No IOC provided. https://www.mitre.org/news-insights/news-release/mitre-response-cyber-attack-one-its-rd-networks and https://medium.com/mitre-engenuity/advanced-cyber-threats-impact-even-the-most-prepared-56444e980dc8 h/t @reverseics
#MITRE #Ivanti #ConnectSecure #CVE_2023_46805 #CVE_2024_21887 #threatintel #cyberespionage
Reuters: FBI Director Christopher Wray warned, "Volt Typhoon has successfully gained access to numerous American companies in telecommunications, energy, water and other critical sectors, with 23 pipeline operators targeted." This is a repeated warning from February 2024 that People's Republic of China (PRC) state-sponsored cyber actors are seeking to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. https://www.reuters.com/technology/cybersecurity/fbi-says-chinese-hackers-preparing-attack-us-infrastructure-2024-04-18/
h/t @brett
Hot off the press! CISA issues Emergency Directive (ED) 24-02: Mitigating the Significant Risk from Nation-State Compromise of Microsoft Corporate Email System. Affected agencies are required to take immediate remediation action for tokens, passwords, API keys, or other authentication credentials known or suspected to be compromised; identify the full content of the agency correspondence with compromised Microsoft accounts, etc. https://www.cisa.gov/news-events/directives/ed-24-02-mitigating-significant-risk-nation-state-compromise-microsoft-corporate-email-system
This is in regards to the cyberattack on Microsoft by APT29 a.k.a. Midnight Blizzard, publicly attributed to Russia's Foreign Intelligence Service (SVR) first disclosed 19 January 2024.
Newsweek is two months late in warning about Chinese cyberespionage actors' attempts to pre-position themselves on IT networks for disruptive or destructive cyberattacks against U.S. critical infrastructure in the event of a major crisis or conflict with the United States. Newsweek for some reason describes Volt Typhoon as a campaign instead of a state-sponsored cyberespionage group. https://www.newsweek.com/volt-typhoon-cyber-security-china-hacking-infrastructure-america-computer-military-1888175
Hot off the press! Microsoft Security Response Center (MSRC) posted an update on the Midnight Blizzard (aka APT29 or Cozy Bear, publicly attributed to Russian Foreign Intelligence Service (SVR) by the U.S. Government) post-attack activity. This includes attempts to gain access to source code repositories and internal systems, and increased volume of password spray attacks. "To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised." Microsoft is also notifying customers of secrets that were shared between customers and Microsoft in previously exfiltrated emails. No IOC.
https://msrc.microsoft.com/blog/2024/03/update-on-microsoft-actions-following-attack-by-nation-state-actor-midnight-blizzard/
cc: @campuscodi @serghei @briankrebs @GossiTheDog
#Microsoft #Russia #MidnightBlizzard #APT #APT29 #CozyBear #cyberespionage #threatintel
Hot off the press! Mandiant published another Ivanti Connect Secure VPN exploitation blog post outlining additional TTPs and observations for UNC5325, a suspected Chinese cyber espionage operator.
https://www.mandiant.com/resources/blog/investigating-ivanti-exploitation-persistence
cc: @campuscodi @iagox86 @brett
#cyberespionage #IOC #TTPs #UNC5325 #China #Ivanti #ConnectSecure #vulnerability #zeroday #eitw #activeexploitation #UTA0178 #UNC5221 #CVE_2023_46805 #CVE_2024_21887 #KEV #KnownExploitedVulnerabilitiesCatalog #CISA #CVE_2024_21888 #UNC5325
NEW episode of DISCARDED
Greg Lesnewich joins us to talk about recent activity from the Russian APT #TA422 that includes exploiting two different vulnerabilities. We also dive into the importance of knowing and examining biases, the use of less fancy malware and more living off the land tactics by Russian groups, and why people call him Gregles.
#cyberespionage #threathunting #APT
Apple: https://lnkd.in/efsaiDVH
Spotify: https://lnkd.in/eJpcAfz7
Google: https://lnkd.in/eg_Rpc5q
Latest issue of my curated #cybersecurity and #infosec list of resources for week #40/2023 is out! It includes the following and much more:
- D.C. Board of #Elections confirms voter data stolen in site hack
- #MGM Resorts confirms hackers stole customers' personal data during #cyberattack
- #DNA testing service 23andMe investigating theft of user data
- #Sony confirms #databreach impacting thousands in the U.S.
- Lyca Mobile Group Services Significantly Disrupted by Cyberattack
- #NATO investigating breach, #leak of internal documents
- European Telecommunications Standards Institute Discloses Data Breach
- #MotelOne discloses data breach following #ransomware attack
- North Korea's #Lazarus Group Launders $900 Million in #Cryptocurrency
- #Alibaba accused of "possible espionage" at European hub
- #China-linked cyberspies #backdoor #semiconductor firms with #CobaltStrike
- Meet LostTrust #ransomware - A likely rebrand of the #MetaEncryptor gang
- #Guyana Governmental Entity Hit by #DinodasRAT in #CyberEspionage Attack
- #FBI most-wanted Russian hacker reveals why he burned his passport
- #FDA cyber mandates for #medicaldevices go into effect
- Number of Internet-Exposed #ICS Drops Below 100,000
- #Microsoft Warns of Cyber Attacks Attempting to Breach Cloud via #SQL Server Instance
- #QakBot Threat Actors Still in Action, Using Ransom Knight and Remcos RAT in Latest Attacks
- #Apple Warns of Newly Exploited iOS 17 Kernel Zero-Day
- US Executives Targeted in #Phishing Attacks Exploiting Flaw in Indeed Job Platform
- #Zanubis #Android Banking Trojan Poses as Peruvian Government App to Target Users
- Iranian APT Group #OilRig Using New Menorah #Malware for Covert Operations
- #Amazon to make #MFA mandatory for 'root' #AWS accounts by mid-2024
- #Microsoft Defender no longer flags #Tor Browser as malware
- X-Force uncovers global #NetScaler Gateway credential harvesting campaign
- Zero-days for hacking #WhatsApp are now worth millions of dollars
- #Cisco fixes hard-coded root credentials in Emergency Responder
- Vulnerabilities in #Supermicro BMCs could allow for unkillable server #rootkits
- Looney Tunables: New #Linux Flaw Enables Privilege Escalation on Major Distributions
- Warning: #PyTorch Models Vulnerable to Remote Code Execution via ShellTorch
- Microsoft Edge, Teams get fixes for zero-days in #opensource libraries
- Live Exploitation Underscores Urgency to Patch Critical WS-FTP Server Flaw
- Cloudflare #DDoS protections ironically bypassed using #Cloudflare
This week's recommended reading is: "8 Steps to Better Security: A Simple Cyber Resilience Guide for Business" by Kim Crawley
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-402023
Latest issue of my curated #cybersecurity and #infosec list of resources for week #38/2023 is out! It includes the following and much more:
- TransUnion Denies #Breach After Hacker Publishes Allegedly Stolen Data
- Hackers breached International Criminal Court's systems last week
- #Microsoft #AI researchers accidentally exposed terabytes of internal sensitive data
- #BlackCat #ransomware hits #Azure Storage with #Sphynx encryptor
- Iranian Nation-State Actor OilRig Targets Israeli Organizations
- #India's biggest tech centers named as #cybercrime hotspots
- Finnish Authorities Dismantle Notorious #PIILOPUOTI Dark Web Drug Marketplace
- Canadian Government Targeted With #DDoS Attacks by Pro-#Russia Group
- #China Accuses U.S. of Decade-Long #Cyberespionage Campaign Against #Huawei Servers
- China's Malicious Cyber Activity Informing War Preparations, #Pentagon Says
- New #SprySOCKS Linux #malware used in cyber espionage attacks
- UK Minister Warns #Meta Over End-to-End Encryption
- One of the #FBI's most wanted hackers is trolling the U.S. government
- Fake #WinRAR proof-of-concept exploit drops #VenomRAT malware
- #P2PInfect botnet activity surges 600x with stealthier malware variants
- Hackers backdoor #telecom providers with new HTTPSnoop malware
- #Bumblebee malware returns in new attacks abusing #WebDAV folders
- #GitHub launches #passkey support into general availability
- Free Download Manager releases script to check for #Linux malware
- #Signal adds quantum-resistant encryption to its #E2EE messaging protocol
- #iOS 17 includes these new security and #privacy features
- High-Severity Flaws Uncovered in #Atlassian Products and ISC BIND Server
- Incomplete disclosures by #Apple and #Google create "huge blindspot" for 0-day hunters
- Apple emergency updates fix 3 new zero-days exploited in attacks
- #TrendMicro fixes #endpoint protection zero-day used in attacks
- #Fortinet Patches High-Severity #Vulnerabilities in FortiOS, FortiProxy, FortiWeb Products
- Nearly 12,000 #Juniper #Firewalls Found Vulnerable to Recently Disclosed RCE Vulnerability
This week's recommended reading is: "Future Crimes: Everything Is Connected, Everyone Is Vulnerable and What We Can Do About It" by Marc Goodman
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-382023
Latest issue of my curated #cybersecurity and #infosec list of resources for week #35/2023 is out! It includes the following and much more:
- Golf gear giant #Callaway data breach exposes info of 1.1 million
- Forever 21 data breach affects half a million people
- #LogicMonitor customers hit by hackers, because of default passwords
- Lawsuit Accuses University of Minnesota of Not Doing Enough to Prevent #DataBreach
- #Paramount discloses data breach following security incident
- #Healthcare Organizations Hit by Cyberattacks Last Year Reported Big Impact, Costs
- #Microsoft joins a growing chorus of organizations criticizing a #UN cybercrime treaty
- U.S. Hacks #QakBot, Quietly Removes Botnet Infections
- #Russia targets #Ukraine with new Android #backdoor, intel agencies say
- Unmasking #Trickbot, One of the World's Top Cybercrime Gangs
- "Earth Estries" #Cyberespionage Group Targets Government, Tech Sectors
- Chinese Hacking Group Exploits Barracuda Zero-Day to Target Government, Military, and Telecom
- Pay our ransom instead of a #GDPR fine, #cybercrime gang tells its targets
- #Meta: Pro-Chinese influence operation was the largest in history
- Spain warns of #LockBit Locker ransomware phishing attacks
- Two Men Arrested Following #Poland Railway Hacking
- #Lazarus hackers deploy fake #VMware PyPI packages in #VMConnect attacks
- #Classiscam fraud-as-a-service expands, now targets banks and 251 brands
- Trojanized #Signal and #Telegram apps on Google Play delivered spyware
- MalDoc in PDFs: Hiding malicious Word docs in PDF files
- A Brazilian phone #spyware was hacked and victims' devices "deleted" from server
- #GitHub Enterprise Server Gets New Security Capabilities
- Over $1 Million Offered at New #Pwn2Own #Automotive Hacking Contest
- #Splunk Patches High-Severity Flaws in Enterprise, IT Service Intelligence
- Recent #Juniper Flaws Chained in Attacks Following #PoC Exploit Publication
This week's recommended reading is: "Spam Nation: The Inside Story of Organized Cybercrime - from Global Epidemic to Your Front Door" by @briankrebs
Subscribe to the #infosecMASHUP newsletter to have it piping hot in your inbox every week-end
https://infosec-mashup.santolaria.net/p/infosec-mashup-week-352023