By the CyberWire staff
At a glance.
- Atlassian patches critical flaw in Confluence Data Center and Confluence Server.
- Ivanti Connect Secure zero-days exploited.
- COLDRIVER continues targeting Western officials.
- Iranian threat actor targets universities and research organizations.
- TA866 returns with widespread phishing campaigns.
- Massive credential dump offered on underground forums.
- Lazarus Group shares money laundering networks with Southeast Asian criminal gangs.
- UK councils disrupted by cyberattacks.
- VF ransomware attack affected data belonging to 35 million customers.
Atlassian patches critical flaw in Confluence Data Center and Confluence Server.
Atlassian has released a patch for a critical template injection vulnerability (CVE-2023-22527) in Confluence Data Center and Confluence Server that could lead to remote code execution, Help Net Security reports. The bug, which has been assigned a CVSS score of 10, affects all versions released before December 5th. Atlassian says in its advisory, "If you are on an out-of-date version, you must immediately patch. Atlassian recommends that you patch each of your affected installations to the latest version available."
The vulnerability's description states, "A template injection vulnerability on older versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected instance. Customers using an affected version must take immediate action. Most recent supported versions of Confluence Data Center and Server are not affected by this vulnerability as it was ultimately mitigated during regular version updates. However, Atlassian recommends that customers take care to install the latest version to protect their instances from non-critical vulnerabilities outlined in Atlassian’s January Security Bulletin."
Ivanti Connect Secure zero-days exploited.
Two recently disclosed zero-days affecting Ivanti Connect Secure VPNs are now undergoing widespread exploitation, according to researchers at Volexity. The vulnerabilities were initially being exploited in limited attacks by the suspected Chinese threat actor UTA0178. Volexity says additional actors now have access to the exploit, and have compromised more than 1,700 devices around the world. The targeting appears to be indiscriminate: “Victims are globally distributed and vary greatly in size, from small businesses to some of the largest organizations in the world, including multiple Fortune 500 companies across multiple industry verticals.”
BleepingComputer notes that more than 16,800 Connect Secure appliances are currently exposed to the internet. Volexity urges organizations to apply the mitigation provided by Ivanti until patches are available.
COLDRIVER continues targeting Western officials.
Google's Threat Analysis Group (TAG) is tracking new activity by the Russian threat actor COLDRIVER: "COLDRIVER continues its focus on credential phishing against Ukraine, NATO countries, academic institutions and NGOs. In order to gain the trust of targets, COLDRIVER often utilizes impersonation accounts, pretending to be an expert in a particular field or somehow affiliated with the target. The impersonation account is then used to establish a rapport with the target, increasing the likelihood of the phishing campaign's success, and eventually sends a phishing link or document containing a link."
In addition to credential phishing, the group is now delivering malware via PDF documents: "COLDRIVER presents these documents as a new op-ed or other type of article that the impersonation account is looking to publish, asking for feedback from the target. When the user opens the benign PDF, the text appears encrypted. If the target responds that they cannot read the encrypted document, the COLDRIVER impersonation account responds with a link, usually hosted on a cloud storage site, to a 'decryption' utility for the target to use. This decryption utility, while also displaying a decoy document, is in fact a backdoor, tracked as SPICA, giving COLDRIVER access to the victim’s machine."
Iranian threat actor targets universities and research organizations.
Microsoft says the Iranian threat actor Mint Sandstorm (also known as "APT35" and "Charming Kitten") has been targeting "high-profile individuals working on Middle Eastern affairs at universities and research organizations in Belgium, France, Gaza, Israel, the United Kingdom, and the United States" since November 2023. The threat actor is using phishing emails to deliver malicious files, including a new, custom backdoor called "MediaPl."
The researchers note, "This group is known to conduct resource-intensive social engineering campaigns that target journalists, researchers, professors, or other individuals with insights or perspective on security and policy issues of interest to Tehran. These individuals, who work with or who have the potential to influence the intelligence and policy communities, are attractive targets for adversaries seeking to collect intelligence for the states that sponsor their activity, such as the Islamic Republic of Iran. Based on the identities of the targets observed in this campaign and the use of lures related to the Israel-Hamas war, it’s possible this campaign is an attempt to gather perspectives on events related to the war from individuals across the ideological spectrum."
TA866 returns with widespread phishing campaigns.
Proofpoint says the threat actor TA866 has resurfaced after a nine-month hiatus, launching large-scale phishing campaigns to deliver malware. The emails contain invoice-themed PDF attachments with OneDrive links that will download variants of the WasabiSeed and Screenshotter malware. The researchers note, "It is currently unknown what follow-on payload the actor would install if they were satisfied with the screenshots taken by the Screenshotter. In previous campaigns the actor has delivered AHK Bot and Rhadamanthys Stealer." TA866 has been known to conduct cyberespionage as well as financially motivated attacks; Proofpoint says "[t]his specific campaign appears financially motivated."
Massive credential dump offered on underground forums.
Troy Hunt, owner of the Have I Been Pwned? breach notification service, describes a credential stuffing list that contains nearly 25 million newly leaked passwords, Ars Technica reports. Hunt states, "This isn't just the usual collection of repurposed lists wrapped up with a brand-new bow on it and passed off as the next big thing; it's a significant volume of new data. When you look at the above forum post the data accompanied, the reason why becomes clear: it's from 'stealer logs' or in other words, malware that has grabbed credentials from compromised machines."
Lazarus Group shares money laundering networks with Southeast Asian criminal gangs.
The United Nations Office of Drugs and Crime (UNODC) has published a report finding that North Korea's Lazarus Group shares money laundering and banking networks with Southeast Asian criminal gangs, Reuters reports. The report states, "Through ongoing analysis of case information and blockchain data, UNODC has observed several examples of regional money laundering and underground banking networks being shared between Mekong-based cyberfraud operations, drug traffickers, and more sophisticated cyber threat actors including the Lazarus Group."
The report outlines how cybercriminal groups are using Southeast Asia's casino industry for large-scale money laundering: "While casinos and junkets have for years served as vehicles for regional underground banking and money laundering, the proliferation of online gambling platforms, e-junkets, and both illegal and underregulated cryptocurrency exchanges in Southeast Asia has changed the game, allowing for faster anonymized movement of funds. At the same time, the creation and success of these systems has helped expand the region’s broader, booming illicit economy, in turn attracting new networks, innovators, and service providers to the criminal ecosystem of Southeast Asia and the Mekong."
UK councils disrupted by cyberattacks.
Three local councils in the UK county of Kent have been hit by cyberattacks, the BBC reports. The Canterbury City Council, Dover District Council, and Thanet District Council have limited access to online systems while they investigate the incidents. Canterbury City Council said in a statement, "Our teams are taking a precautionary approach while we work hard to investigate the problem and to minimise any disruption to our services. Our email system and website have been available throughout although some parts of the website may not quite work as intended." The UK's National Cyber Security Centre (NCSC) is assisting in the investigations.
Kansas State University sustains cyberattack.
Kansas State University has disclosed a cyber incident that disrupted its IT services, SecurityAffairs reports. The university stated, "K-State has been experiencing a disruption to certain network systems, including VPN, K-State Today emails, and videos on Canvas, or Mediasite. Upon detection, university IT took immediate steps to investigate the disruption, isolating the areas of concern. We are able to confirm that these disruptions are the result of a recent cybersecurity incident, and as such, we want you to know that these impacted systems were taken offline and will remain offline for the immediate future as the investigation continues. This will also include select shared drives and printers, as well as university listservs."
VF ransomware attack affected data belonging to 35 million customers.
US apparel giant VF Corporation (owner of Dickies, The North Face, Smartwool, Timberland, and Vans) has disclosed that the ransomware attack it sustained last month resulted in the theft of data belonging to 35.5 million customers, SecurityWeek reports. It's unclear what type of information was stolen, but the company said in a Form 8-K filing with the Securities and Exchange Commission (SEC), "VF does not collect or retain in its IT systems any consumer social security numbers, bank account information or payment card information as part of its direct-to-consumer practices, and, while the investigation remains ongoing, VF has not detected any evidence to date that any consumer passwords were acquired by the threat actor."
Patch news.
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered Federal agencies to patch a Citrix NetScaler vulnerability (CVE-2023-6548) by Wednesday, January 24th, the Record reports. The flaw involves "Improper Control of Generation of Code ('Code Injection') in NetScaler ADC and NetScaler Gateway [that] allows an attacker with access to NSIP, CLIP or SNIP with management interface to perform Authenticated (low privileged) remote code execution on Management Interface." A second vulnerability affecting NetScaler ADC and NetScaler Gateway (CVE-2023-6549) must be patched by US Federal agencies by February 7th.
GitLab has issued a patch for a critical account takeover flaw (CVE-2023-7028) affecting GitLab Community Edition (CE) and Enterprise Edition (EE), SecurityWeek reports. The bug could allow account password reset emails to be delivered to unverified email addresses.
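The bug class behind the GitLab advisory, a password-reset token delivered to an address the account never verified, is illustrated below with a vulnerable handler beside a hardened one. This is an added example, not GitLab's code; the account data, the mail transport stand-in and the handler names are constructed for the illustration.

```python
import secrets
from dataclasses import dataclass, field

# Constructed sample account: one verified primary address plus a secondary
# address that was added to the profile but never confirmed (hypothetical data).
@dataclass
class Account:
    username: str
    primary_email: str
    verified_emails: set = field(default_factory=set)
    unverified_emails: set = field(default_factory=set)

ACCOUNTS = [
    Account("alice", "alice@example.com",
            verified_emails={"alice@example.com"},
            unverified_emails={"unconfirmed@example.net"}),
]

SENT = []  # stand-in for the mail transport: records (recipient, token) pairs

def find_account_any_email(email):
    """Looks an account up by any address on file, whether verified or not."""
    for acct in ACCOUNTS:
        if email in acct.verified_emails | acct.unverified_emails:
            return acct
    return None

def request_reset_vulnerable(email):
    """Bug class from the advisory: the reset token is mailed to the address
    the requester supplied, even though that address was never verified."""
    acct = find_account_any_email(email)
    if acct is not None:
        SENT.append((email, secrets.token_urlsafe(32)))

def request_reset_hardened(email):
    """Fix: match only against verified addresses and deliver the token only to
    the account's verified primary email, never to a request-supplied address.
    The response is identical whether or not the address is known."""
    acct = next((a for a in ACCOUNTS if email in a.verified_emails), None)
    if acct is not None:
        SENT.append((acct.primary_email, secrets.token_urlsafe(32)))

def recipients_for(handler, email):
    """Runs a handler from a clean transport and returns the addresses mailed."""
    del SENT[:]
    handler(email)
    return sorted(recipient for recipient, _ in SENT)
```

Running both handlers against the unconfirmed address shows the difference: the vulnerable one mails the token there, the hardened one mails nothing.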