Microsoft targeted by Cozy Bear. Suspected Chinese threat actor exploits VMware vulnerability.

Summary

By the CyberWire staff

At a glance.

Microsoft targeted by Cozy Bear.
Suspected Chinese threat actor exploits VMware vulnerability.
US FTC bans another data broker from selling location data.
North Korean threat actor targets cybersecurity researchers.

Microsoft targeted by Cozy Bear.

Microsoft has disclosed in an SEC filing that email accounts belonging to its senior executives were compromised by the Russian state-sponsored threat actor "Midnight Blizzard" (also known as "APT29" or "Cozy Bear") in November 2023, GovInfoSecurity reports. The US government has tied this threat actor to Russia's Foreign Intelligence Service, the SVR.

Microsoft said in its filing, "Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed."

The company added, "The attack was not the result of a vulnerability in Microsoft products or services. To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required."

Optimize the value of your biggest investment – your cyber talent.

Gain actionable insights to continuously build and maintain high-performance teams, climb the knowledge curve, and stay ahead in a rapidly changing world. N2K’s Strategic Cyber Workforce Intelligence is a comprehensive solution designed to identify current capabilities and develop a data-driven framework to enrich hiring, upskilling, and career mobility efforts in your people strategy that evolves with ongoing organizational transformation. Learn more.

Suspected Chinese threat actor exploits VMware vulnerability.

Mandiant says the suspected Chinese cyberespionage group UNC3886 has been exploiting CVE-2023-34048, a remote code execution vulnerability affecting VMware vCenter Server, since late 2021. VMware issued a patch for the flaw in October 2023. Mandiant observed process crashing associated with exploitation of the flaw on impacted vCenter systems: "While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability. Most environments where these crashes were observed had log entries preserved, but the 'vmdird' core dumps themselves were removed. VMware’s default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks."

RSA Conference™ 2024—Where the Cybersecurity Community Unites

Cybercrime knows no bounds, and a united front is our strongest defense. At RSA Conference™ 2024, May 6 – 9, we unite in San Francisco as a cybersecurity community, fostering learning, networking, idea exchange, and exploration of cutting-edge innovations. Join us as we face the future of cybersecurity head on. Learn more and register.

US FTC bans another data broker from selling location data.

The US Federal Trade Commission (FTC) has prohibited a second data broker from "selling or licensing any precise location data." The FTC alleges that Texas-based data aggregator InMarket Media "failed to obtain informed consent from users of its own apps, shopping rewards app CheckPoints and shopping list app ListEase. For example, when the company requests to use a consumer’s location data, it states that the data will be used for the app’s function, such as to provide shopping reward points or to remind consumers about items on their shopping list, and fails to inform users that the location data will also be combined with other data obtained about those users and used for targeted advertising."

North Korean threat actor targets cybersecurity researchers.

Researchers at SentinelOne warn that the suspected North Korean threat actor ScarCruft (also known as "APT37") is conducting a cyberespionage campaign targeting cybersecurity professionals: "In an interesting twist, ScarCruft is testing malware infection chains that use a technical threat research report on Kimsuky as a decoy document. Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and C2 server configurations. Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, we suspect that the planned campaigns will likely target consumers of technical threat intelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals."

Notes.

Today's issue includes events affecting China, the Democratic People's Republic of Korea, Russia, and the United States.

Attacks, Threats, and Vulnerabilities

Ukraine’s Monobank hit with massive DDoS attack (Silicon Republic) The CEO of Ukraine's Monobank said the online bank was hit by a massive DDoS attack that included 580m requests.

Ransomware hits cloud service Tietoevry; numerous Swedish customers affected (The Record) Finland-based Tietoevry said “one part of one of our Swedish datacenters” was affected by a ransomware attack. Several high-profile customers were affected, including payroll and HR company Primula.

LockBit gang claims the attack on the sandwich chain Subway (Security Affairs) The LockBit ransomware gang claimed to have hacked Subway, the American multinational fast food restaurant franchise.

Microsoft: Russian Hackers Had Access to Executives' Emails (GovInfoSecurity) Russian state hackers obtained access to the inboxes of senior Microsoft executives for at least six weeks, the computing giant disclosed late Friday afternoon.

ScarCruft | Attackers Gather Strategic Intelligence and Target Cybersecurity Professionals (SentinelOne) New ScarCruft activity suggests the adversary is planning to target cybersecurity professionals and businesses.

Security Patches, Mitigations, and Software Updates

CISA Directs Federal Agencies to Mitigate Ivanti Software Vulnerabilities (NTD) The Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive on Friday urging agencies to mitigate vulnerabilities in Ivanti Connect Secure VPN devices and its Policy Secure tools. The directive also requires federal agencies to remove compromised products from agency networks and report any indications of compromise to CISA. CISA said it had observed […]

Marketplace

Zscaler in negotiations to acquire cyber startup Avalor for $250-350 million | CTech (ctech) Avalor, which came out of stealth with a $25 million Series A last year, has developed an open data platform which can integrate data from legacy systems, data lakes, data warehouses, SQL databases, applications, and more, and then normalize and analyze it

OpenAI Lifts Military Ban, Opens Doors to DOD for Cybersecurity Collab (GovCon Wire) Looking for the latest GovCon News? Check out our story: OpenAI Lifts Military Ban, Opens Doors to DOD for Cybersecurity Collab. Click to read more!

Technologies, Techniques, and Standards

A Leap Towards Fully Private Internet Searches: Cryptographers Break New Ground (PC-Tablet) Discover how cryptographers are revolutionizing privacy in internet searches, edging closer to fully confidential online information retrieval.

Litigation, Investigation, and Law Enforcement

Senators ask DOJ to investigate whether facial recognition tech violates Civil Rights Act (The Record) A group of 18 senators sent the Department of Justice a letter Thursday raising concerns about the agency’s funding and oversight of what they called “frequently inaccurate” facial recognition software.

BreachForums admin 'Pompourin' gets 20-year sentence (The Register) ALSO: Another UEFI flaw found; Kaspersky discovers iOS log files actually work; and a few critical vulnerabilities

Industry Events

For a complete running list of events, please visit the Event Tracker.

Events

SANS Cyber Security Mountain: January 2024 (Virtual, Jan 22 - 27, 2024) At SANS Cyber Security Mountain: January 2024, choose from 41 interactive courses with hands-on labs. Practice your skills and compete against your peers during NetWars Tournaments, and network with your instructor and industry colleagues in real-time. Each course includes electronic and printed books, and several courses align with GIAC certifications!

Insider Threat Program Development, Management & Optimization Training Course (Laurel, Maryland, USA, Jan 30 - 31, 2024) This highly sought after and very comprehensive 2 day training course will ensure that the Insider Threat Program (ITP) Manager and others who support the ITP (Insider Threat Analyst, FSO, CSO, CISO, Human Resources, CIO - IT, Network Security, Counterintelligence Investigators, Behavioral Science Professionals, Legal Etc.), have the Core Knowledge, Blueprint, Resources needed for developing, managing, enhancing an ITP / ITP Working Group.

Improve Spear Phishing Detection With AI (Virtual, Jan 30 - 31, 2024) Phishing remains one of the costliest attack vectors. Spear phishing, a more targeted form of phishing, is very convincing and poses a great risk to organizations. As threat actors crank up the volume of spear phishing attacks, companies are increasingly embracing AI for cybersecurity. Join this webinar to learn how NVIDIA’s AI technologies, along with ecosystem partners, can help organizations build powerful solutions to defend against cyber threats.

SANS Tysons Corner – NOVA 2024 (Tysons Corner, Virginia, USA, Feb 5 - 10, 2024) At SANS Tysons Corner-NOVA 2024, choose from 41 interactive courses with hands-on labs. Practice your skills and compete against your peers during NetWars Tournaments, and network with your instructor and industry colleagues in real-time. Each course includes electronic and printed books, and several courses align with GIAC certifications!

SANS San Diego 2024 (San Diego (and virtual), California, USA, Feb 12 - 17, 2024) At SANS San Diego 2024, choose from 41 interactive courses with hands-on labs. Practice your skills and compete against your peers during NetWars Tournaments, and network with your instructor and industry colleagues in real-time. Each course includes electronic and printed books, and several courses align with GIAC certifications!

Sponsor & Support

Grow your brand, generate leads, and fill your funnel.

With the industry’s largest B2B podcast network, popular newsletters, and influential readers and listeners all over the world, companies trust the CyberWire to get the message out. Learn more.

Daily Briefing for 01.22.24