The US Cybersecurity and Infrastructure Security Agency (CISA) this morning issued a joint advisory with the FBI, the Australian Cyber Security Centre (ACSC), and the UK’s National Cyber Security Centre (NCSC) that warns of Iranian-sponsored exploitation of vulnerabilities in Microsoft Exchange and Fortinet. The advisory includes advice on detection and mitigation.
Candiru, the Israeli company recently subjected to US sanctions alongside the better-known NSO Group, has been tracked to a widespread surveillance campaign targeting mostly Middle Eastern subjects. ESET finds the company's tools in watering holes (some of them infected news sites) designed to attract Iranian and other targets.
Mandiant finds a connection between the Ghostwriter campaign, generally regarded as a Russian operation, and Belarus. (The company doesn't rule out an additional Russian connection to the threat actor it tracks as UNC1151.)
Reuters reports that Facebook tracked a Pakistan-based group ("SideCopy") that sought to bring Afghans connected to the former government under surveillance as that government collapsed during this summer's Taliban takeover.
Flashpoint observes that the RAMP ransomware forum is back, but that it includes a lot of Chinese-speaking participants. It's not clear what they're up to: does it represent a serious criminal outreach, maybe even a serious privateering outreach, to Chinese actors? Or is it misdirection of the kind Flashpoint discerned earlier this month in Groove, apparently intended simply to darken counsel?
CISA released three more industrial control system advisories yesterday afternoon, for FATEK Automation WinProladder, Mitsubishi Electric GOT products, and Mitsubishi Electric FA engineering software products (Update C).