At a glance.
- Australian ports recovering from cyberattack.
- SysAid exploitation by Cl0p user Lace Tempest.
- Ransomware attack against China's largest bank.
- LockBit doxes Boeing as Boeing hangs tough on paying ransom.
- Docker Engine for DDoS.
- Anonymous Sudan claims attacks on ChatGPT and Cloudflare.
Australian ports recovering from cyberattack.
Australia's National Cyber Security Coordinator announced Saturday that the government was investigating a cyberattack that disrupted several Australian ports. "DP World Australia has advised it has restricted access to its Australian port operations in Sydney, Melbourne, Brisbane and Fremantle while it investigates the incident," the Coordinator tweeted. "This interruption is likely to continue for a number of days and will impact the movement of goods into and out of the country. DP World Australia is working with its stakeholders to consider the impacts on its operations at specific ports." DP World began restoring operations at the affected ports Monday, according to the BBC.
The unspecified cyber incident at the container operator shut down operations at Sydney, Melbourne, Brisbane, and Fremantle. It is, the Coordinator said, "a nationally significant cyber incident." The shutdown at the ports was preventive, according to the Guardian. All that was publicly known Sunday was that "unauthorized activity" had been detected in DP World Australia's systems. The ABC reports that land operations were affected by the incident, which remains under investigation.
DP World Australia has said, Bloomberg reports, that it has not received a ransom demand. The Conversation recounts informed speculation to the effect that the incident represents sabotage "by a foreign state actor."
SysAid exploitation by Cl0p user Lace Tempest.
Microsoft’s threat intelligence team has warned that Lace Tempest, the Cl0p ransomware actor that was behind the widespread attacks against the MOVEit file transfer software earlier this year, is now exploiting a recently disclosed path traversal vulnerability (CVE-2023-47246) affecting on-premises SysAid servers. SysAid issued a patch for the flaw on November 8th.
SysAid says the threat actor exploited the vulnerability as a zero-day by “[uploading] a WAR archive containing a WebShell and other payloads into the webroot of the SysAid Tomcat web service.” Rapid7 notes, “Post-exploitation behavior included deployment of MeshAgent remote administration tooling and GraceWire malware.” For more on Lace Tempest and its exploitation of the SysAid vulnerability, see CyberWire Pro.
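A defender-side triage check for the behavior SysAid describes (an unexpected WAR archive landing in the Tomcat webroot), added here as an example and not code from SysAid, Rapid7 or Microsoft; the webapps directory, the allowlist of expected deployments and the sample archives are constructed assumptions.

```python
import tempfile
import zipfile
from pathlib import Path

# Server-side script members that a freshly appeared WAR on an appliance such as
# SysAid should not normally carry: Tomcat compiles and executes a JSP dropped into
# the webroot, which is why a WAR containing one deserves a closer look.
SCRIPT_SUFFIXES = (".jsp", ".jspx")


def inventory_wars(webapps_dir, allowlist):
    """Return {war_name: [script members]} for every WAR not on the allowlist.

    Each unexpected WAR is opened read-only as a zip and its member list is scanned
    for server-side scripts. Files that are not valid zips are reported with a marker
    rather than skipped, since a corrupt or disguised archive is itself a finding.
    """
    findings = {}
    for war in sorted(Path(webapps_dir).glob("*.war")):
        if war.name in allowlist:
            continue
        try:
            with zipfile.ZipFile(war) as zf:
                scripts = [m for m in zf.namelist() if m.lower().endswith(SCRIPT_SUFFIXES)]
        except zipfile.BadZipFile:
            scripts = ["<not a valid zip archive>"]
        findings[war.name] = scripts
    return findings


def build_sample_webapps(target_dir):
    """Construct a sample webapps directory (constructed test data, not real artefacts)."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    with zipfile.ZipFile(target / "expected.war", "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
    with zipfile.ZipFile(target / "unexpected.war", "w") as zf:
        zf.writestr("WEB-INF/web.xml", "<web-app/>")
        zf.writestr("index.jsp", "<%-- constructed placeholder, not a real payload --%>")
    (target / "garbage.war").write_bytes(b"not a zip")
    return target


def run_sample():
    """Build the constructed directory and return the inventory findings for it."""
    with tempfile.TemporaryDirectory() as tmp:
        sample = build_sample_webapps(tmp)
        return inventory_wars(sample, allowlist={"expected.war"})


if __name__ == "__main__":
    for war, members in run_sample().items():
        print(f"{war}: {members}")
```

Run against a live Tomcat webapps directory, the allowlist should be the set of WARs recorded at deployment time, so that anything else stands out regardless of its name.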