Indian authorities continue their investigation of the possibility that the Chinese threat actor Recorded Future calls “RedEcho” compromised portions of the country’s power grid. Inquiries are ongoing in Maharashtra (according to India Today) and Telangana (reports Business Today, which claims malware was found in some forty substations).
Microsoft warned late yesterday that the Chinese state-directed threat actor Hafnium was actively exploiting four zero-day vulnerabilities in on-premises Microsoft Exchange Server 2013, 2016, and 2019. Redmond has issued out-of-band patches for all four vulnerabilities and urges customers to apply them "immediately." Hafnium (Microsoft offers its attribution with "high confidence") is a cyberespionage group active mostly against organizations in the US, especially "infectious disease researchers, law firms, higher education institutions, defense contractors, policy think tanks, and NGOs." While based in and directed from China, Hafnium operates largely from leased virtual private servers in the US.
Redmond stresses that this campaign and the actor behind it are unrelated to the recent SolarWinds supply chain compromise. Microsoft credits security firms Dubex and Volexity with helping identify the exploitation. Volexity dates the onset of the campaign (which it calls "Operation Exchange Marauder") to January 6.
Avast has reached out to payment processors, banks, and financial services information sharing groups to help facilitate remediation of Ursnif infestations.
CISA yesterday issued ICS security advisories covering MB connect line mbCONNECT24, mymbCONNECT24, Rockwell Automation CompactLogix 5370 and ControlLogix 5570 Controllers, and Hitachi ABB Power Grids Ellipse EAM.
The New York Times reviews proliferation of surveillance tools to Myanmar's junta.