CNN reports that on August 19th attackers associated with a foreign intelligence service gained access to a server in the Port of Houston, planted malware, and stole Microsoft credentials. Defenders were able to isolate the compromised server within about an hour and a half of the initial attack, and the Port Authority said yesterday that no operational systems or data were affected in the incident.
Whichever nation-state was responsible for the Houston attack (there has been no attribution yet), the Record reports that the attack exploited a zero-day in a Zoho authentication appliance. A week ago the US Cybersecurity and Infrastructure Security Agency (CISA) issued a Joint Advisory with the FBI and the Coast Guard, warning that CVE-2021-40539, a vulnerability in Zoho's password manager and single-sign-on solution ManageEngine ADSelfService Plus, was being actively exploited in the wild. Zoho had addressed the bug on September 6th, and CISA urged users to apply the patch as soon as possible. The Port of Houston incident would seem to explain both the urgency of the Advisory and the Coast Guard's involvement in it.
WIRED notes that the dip in the frequency and consequence of ransomware attacks early this summer was a false dawn and not an enduring trend. The gangs and the intelligence services that abet them seem simply to have taken time to adjust to Western, mostly US, policy and law enforcement tactics, and have returned with even greater intensity.
Mediapart reports that an investigation has confirmed that at least five French Ministers' phones were infected with Pegasus spyware.