ESET this morning published its study of a hitherto unremarked cyberespionage Advanced Persistent Threat, probably working on behalf of a nation-state. Which nation-state is unknown, but ESET calls the group "FamousSparrow" and says it's been active since 2019. It has recently exploited the ProxyLogon vulnerability in Microsoft Exchange to collect data, with hotels as a particular focus (useful in tracking human targets of interest). FamousSparrow has used some tools associated with the Chinese APT SparklingGoblin, but ESET considers the two to be distinct groups.
Ransomware has hit a second US Midwestern farm cooperative. Mankato, Minnesota-based Crystal Valley Cooperative disclosed on Tuesday that it was attacked on September 19th; its website has since gone offline, although its Facebook page remains available. The incident has disrupted business operations, notably the co-op's ability to process credit card payments. Iowa's NEW Cooperative was hit by BlackMatter last week, but BleepingComputer reports that the strain of ransomware used against Crystal Valley has not yet been identified.
REvil, whose alumni may be operating the BlackMatter ransomware (if indeed BlackMatter isn't simply a rebranding of the older gang), appears, Threatpost reports, to have been cheating its own criminal affiliates. A backdoor and a double-chat function let REvil's core operators communicate directly with victims, bypassing the affiliates who had carried out the attacks. The backdoor and chats have since been "cleaned out," perhaps as part of a rebranded REvil's attempt to restore its reputation among affiliates.
CISA, together with the FBI and NSA, has issued a new joint advisory warning against Conti ransomware. It recommends mitigations.
Guardicore has disclosed a flaw in Microsoft Exchange's Autodiscover protocol that can leak user credentials. When a client's Autodiscover lookups under the user's own domain fail, it can "back off" to top-level hosts such as autodiscover.com that the organization does not control, and send the user's credentials to whoever registers them.
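As an added illustration (not Guardicore's code, and not an exact model of any particular Outlook or Exchange client version), the script below generates the sequence of Autodiscover URLs a naive client might try for a given address, shows how the back-off walks out of the user's domain, and applies the check a hardened client or an egress filter should make: only hosts under the user's own mail domain may receive credentials. The candidate list and the back-off rule are assumptions for the example; the path `/autodiscover/autodiscover.xml` is the standard Autodiscover endpoint.

```python
"""Autodiscover back-off illustration with an in-domain guard.

Added example for the Autodiscover credential-leak item above; it is not
Guardicore's code. The candidate-URL sequence and the back-off rule
(drop the leftmost label until only the TLD remains) are assumptions
made for illustration.
"""
from urllib.parse import urlparse

AUTODISCOVER_PATH = "/autodiscover/autodiscover.xml"


def mail_domain(email: str) -> str:
    """Lower-cased domain part of an e-mail address."""
    return email.rsplit("@", 1)[1].lower()


def autodiscover_candidates(email: str) -> list:
    """Autodiscover URLs a naive client might try, in order.

    First the user's own domain and autodiscover.<domain>; then the
    back-off, which strips the leftmost label each round. For
    alice@example.com that ends at autodiscover.com, a host the
    organization does not own. (Assumed sequence, for illustration.)
    """
    domain = mail_domain(email)
    urls = [
        f"https://{domain}{AUTODISCOVER_PATH}",
        f"https://autodiscover.{domain}{AUTODISCOVER_PATH}",
    ]
    labels = domain.split(".")
    for i in range(1, len(labels)):
        tail = ".".join(labels[i:])
        urls.append(f"https://autodiscover.{tail}{AUTODISCOVER_PATH}")
    return urls


def in_user_domain(host: str, domain: str) -> bool:
    """True if host is the user's mail domain or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def leaked_hosts(email: str) -> list:
    """Hosts in the candidate list that lie outside the user's domain,
    i.e. where a client would hand credentials to a third party."""
    domain = mail_domain(email)
    return [
        urlparse(url).hostname
        for url in autodiscover_candidates(email)
        if not in_user_domain(urlparse(url).hostname, domain)
    ]


def safe_candidates(email: str) -> list:
    """The guarded client behaviour: keep only in-domain candidates."""
    domain = mail_domain(email)
    return [
        url
        for url in autodiscover_candidates(email)
        if in_user_domain(urlparse(url).hostname, domain)
    ]


if __name__ == "__main__":
    # Constructed sample address; no real account is involved.
    for addr in ("alice@example.com", "bob@mail.corp.example.co.uk"):
        print(addr)
        for url in autodiscover_candidates(addr):
            flag = "LEAK" if urlparse(url).hostname in leaked_hosts(addr) else "ok  "
            print(f"  {flag} {url}")
```

The guard is deliberately conservative: for `bob@mail.corp.example.co.uk` it flags `autodiscover.corp.example.co.uk` as out of domain even though that host is probably still the same organization. An operator who wants to allow parent domains should add them to an explicit allow-list rather than loosen the suffix check, since loosening it is exactly what lets the back-off reach `autodiscover.uk`.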