By the CyberWire staff
At a glance.
- TeamViewer attributes breach to APT29.
- LockBit's claim to have breached the US Federal Reserve appears to be false.
- Microsoft provides updates on Midnight Blizzard email hack.
- CISA warns chemical facilities of potential breach.
- Google disrupts Chinese influence operations.
- Malware distribution campaign deploys "cluster bomb" of information-stealers.
- Threat actors target critical MOVEit flaw.
- RedJuliett targets Taiwanese organizations.
- Arkansas Attorney General sues Temu over alleged privacy violations.
- Neiman Marcus sustains data breach via Snowflake account.
TeamViewer attributes breach to APT29.
Remote access software provider TeamViewer is investigating a breach of its internal corporate IT environment, the Record reports. The company said in an update this morning, "Current findings of the investigation point to an attack on Wednesday, June 26, tied to credentials of a standard employee account within our Corporate IT environment. Based on continuous security monitoring, our teams identified suspicious behavior of this account and immediately put incident response measures into action. Together with our external incident response support, we currently attribute this activity to the threat actor known as APT29 / Midnight Blizzard. Based on current findings of the investigation, the attack was contained within the Corporate IT environment and there is no evidence that the threat actor gained access to our product environment or customer data."
The Health Information Sharing and Analysis Center (H-ISAC) issued a threat bulletin yesterday "alerting the health sector to active cyberthreats exploiting TeamViewer." The Record also notes that cybersecurity firm NCC Group notified its customers that it "has been made aware of significant compromise of the TeamViewer remote access and support platform by an APT group."
LockBit's claim to have breached the US Federal Reserve appears to be false.
CyberDaily says the LockBit ransomware gang's claims to have breached the US Federal Reserve were likely false after the group failed to publish any data belonging to the banking system. LockBit said it would begin leaking Federal Reserve data this past Tuesday, but instead posted data allegedly belonging to Evolve Bank & Trust, a bank that was penalized by the Federal Reserve earlier this month. Evolve confirmed it was breached, telling BleepingComputer that it's investigating the incident.
Microsoft provides updates on Midnight Blizzard email hack.
Microsoft is notifying additional customers whose email correspondence with Microsoft was accessed by the Russian threat actor Midnight Blizzard, Engadget reports. Microsoft stated, "This week we are continuing notifications to customers who corresponded with Microsoft corporate email accounts that were exfiltrated by the Midnight Blizzard threat actor, and we are providing the customers the email correspondence that was accessed by this actor. This is increased detail for customers who have already been notified and also includes new notifications."
CISA warns chemical facilities of potential breach.
The US Cybersecurity and Infrastructure Security Agency (CISA) has confirmed that its Chemical Security Assessment Tool (CSAT) environment was breached via a vulnerable Ivanti Connect Secure appliance on January 23rd, 2024, BleepingComputer reports. The agency stated, "While CISA’s investigation found no evidence of exfiltration of data, this intrusion may have resulted in the potential unauthorized access of Top-Screen surveys, Security Vulnerability Assessments, Site Security Plans, Personnel Surety Program (PSP) submissions, and CSAT user accounts."
CISA hasn't specified which vulnerability was exploited, but the agency references a CISA advisory outlining three actively exploited Ivanti vulnerabilities that were disclosed before the breach. BleepingComputer notes that one of the vulnerabilities (CVE-2024-21888) was disclosed the day before CISA's Ivanti appliance was breached.
Google disrupts Chinese influence operations.
Google's Threat Analysis Group (TAG) has published an update on DRAGONBRIDGE, an influence operator that pushes content aligned with the Chinese government's positions. The researchers state, "DRAGONBRIDGE accounts create content reacting to breaking news, especially wedge social issues, usually within a few weeks of the event. In general, this content is lower quality than the content created for anticipated events, reflecting the speed with which the actor pivots to create content in response to current events."
In 2023, Google removed more than 65,000 YouTube and Blogger instances linked to DRAGONBRIDGE. While the operation is high-volume, it's largely ineffective and gets almost no engagement from users.
Malware distribution campaign deploys "cluster bomb" of information-stealers.
Outpost24 has published a report on a malware distribution campaign that's spreading "hundreds of thousands of malware samples, infecting each victim with up to ten of them at the same time." The campaign is run by a suspected criminal group based in Eastern Europe, which is likely providing the distribution operation as a service for numerous malware operators. The researchers believe the threat actor is paid per infection and is attempting to "spread as much malware as possible to as many victims as possible." The malware is distributed via phishing emails and malware loaders. Once the initial file is executed on a machine, it "unfurls" by installing up to ten strains of information-stealing malware.
Threat actors target critical MOVEit flaw.
Progress Software on Tuesday disclosed a critical authentication bypass flaw (CVE-2024-5806) affecting its MOVEit Transfer solution, and threat actors are already attempting to exploit the vulnerability, BleepingComputer reports. The flaw can allow an attacker to "access sensitive data stored on the MOVEit Transfer server, upload, download, delete, or modify files, and intercept or tamper with file transfers."
RedJuliett targets Taiwanese organizations.
Recorded Future's Insikt Group describes a cyberespionage campaign by the China-aligned threat actor "RedJuliett" that targeted "government, academic, technology, and diplomatic organizations in Taiwan" between November 2023 and April 2024. The group also compromised government organizations in Laos, Kenya, and Rwanda. The threat actor gained initial access via known vulnerabilities in network edge devices, and deployed SQL injection and directory traversal exploits against web and SQL applications.
Insikt Group notes, "RedJuliett's activities align with Beijing's objectives to gather intelligence on Taiwan’s economic policy, trade, and diplomatic relations. The group also targeted multiple critical technology companies, highlighting the strategic importance of this sector for Chinese state-sponsored threat actors."
Arkansas Attorney General sues Temu over alleged privacy violations.
Arkansas Attorney General Tim Griffin has alleged in a lawsuit that e-commerce app Temu is "dangerous malware, surreptitiously granting itself access to virtually all data on a user’s cell phone," the Verge reports. The lawsuit states, "Temu is purposefully designed to gain unrestricted access to a user's phone operating system, including, but not limited to, a user's camera, specific location, contacts, text messages, documents, and other applications. Temu is designed to make this expansive access undetected, even by sophisticated users. Once installed, Temu can recompile itself and change properties, including overriding the data privacy settings users believe they have in place. Even users without the Temu app are subject to Temu's gross overreach if any of their information is on the phone of a Temu user. Temu monetizes this unauthorized collection of data by selling it to third parties, profiting at the direct expense of Arkansans’ privacy rights."
Temu is currently the top shopping app in Apple's App Store. Temu's parent company PDD Holdings was founded in China, though it moved its headquarters to Ireland last year. Griffin said in a press release, "Temu is led by a cadre of former Chinese Communist Party officials, which raises significant security risks to our country and our citizens."
Neiman Marcus sustains data breach via Snowflake account.
US luxury retailer Neiman Marcus has disclosed a data breach affecting 64,000 people, the Register reports. The company said in a statement, "Neiman Marcus Group (NMG) recently learned that an unauthorized party gained access to a cloud database platform used by NMG that is provided by a third party, Snowflake. Promptly after discovering the incident, NMG took steps to contain it, including by disabling access to the platform. We also began an investigation with assistance from leading cybersecurity experts and notified law enforcement authorities."
A criminal threat actor dubbed "Sp1d3r" is selling the alleged stolen data for $150,000. According to the threat actor's listing, the data dump contains "names, addresses, phone numbers, the last four digits of customers' Social Security numbers, plus 50 million customer email addresses with IP addresses, 12 million gift card numbers, and 6 billion rows of customer shopping records, employee data, store information."
Patch news.
Claroty has discovered four vulnerabilities affecting Emerson Rosemount 370XA gas chromatographs, one of which could allow "an unauthenticated attacker with network access to remotely execute arbitrary commands with root privileges," SecurityWeek reports. The researchers note, "A compromise of such devices can have a tremendous impact on various industries. In the food and beverage sector, attacks against a food processing company’s gas chromatographs could prevent the accurate detection of bacteria and bring a process chain to a halt. Similar attacks against a hospital’s chromatographs would disrupt testing of blood and other patient samples."
Emerson has issued patches and mitigations for the vulnerabilities.
Crime and punishment.
WikiLeaks founder Julian Assange has been freed in the UK after agreeing to plead guilty to one US charge of conspiracy to obtain and disclose national defense information, the Register reports. Assange is headed to court in the Northern Mariana Islands, a US territory, to enter the plea. The US Justice Department is seeking a 62-month sentence, equal to the amount of time Assange has been imprisoned in the UK. The plea deal will credit that time served, and Assange is expected to return to Australia following the proceedings. NBC News quotes Australian Prime Minister Anthony Albanese as saying, "[T]he case has dragged on for too long, there is nothing to be gained by his continued incarceration and we want him brought home to Australia."
The US Justice Department has charged four Vietnamese nationals for their alleged involvement with the FIN9 cybercriminal group. The individuals are accused of conducting "a series of computer intrusions that caused victim companies to collectively suffer more than $71 million in losses."
The US Treasury Department's Office of Foreign Assets Control (OFAC) has sanctioned twelve Kaspersky Lab executives "for operating in the technology sector of the Russian Federation economy." The sanctions did not include the company's CEO and co-founder Eugene Kaspersky.