By the CyberWire staff
At a glance.
- Microsoft and HPE targeted by Russia's Cozy Bear.
- Water management conglomerate hit by ransomware.
- AI's use in ransomware attacks.
- Ukrainian critical infrastructure companies targeted by disruptive attacks.
- EquiLend hit by cyberattack.
- SEC's X account hack caused by SIM swapping.
- loanDepot breach affects 16 million individuals.
- Suspected Chinese threat actor exploits VMware vulnerability.
- A look at the ransomware threat landscape.
- CISA director targeted by swatting attack.
- North Korean threat actor targets cybersecurity researchers.
- US senator says NSA's purchase of Americans' data is unlawful.
Microsoft and HPE targeted by Russia's Cozy Bear.
Microsoft disclosed in an SEC filing that email accounts belonging to its senior executives were compromised by the Russian state-sponsored threat actor "Midnight Blizzard" (also known as "APT29" or "Cozy Bear") in an intrusion that began in late November 2023, GovInfoSecurity reports. The US government has tied this threat actor to Russia's Foreign Intelligence Service, the SVR.
Microsoft said in its filing, "Beginning in late November 2023, the threat actor used a password spray attack to compromise a legacy non-production test tenant account and gain a foothold, and then used the account’s permissions to access a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions, and exfiltrated some emails and attached documents. The investigation indicates they were initially targeting email accounts for information related to Midnight Blizzard itself. We are in the process of notifying employees whose email was accessed."
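The technique Microsoft describes, a password spray, fails a few times against many accounts rather than many times against one account, so per-account lockout and brute-force counters do not fire. The following detector is an added example written for this briefing, not code from Microsoft or from the CyberWire; it runs over constructed sign-in log lines in a hypothetical simplified format (timestamp, outcome, `user=`, `src=`, `app=`), not any real product's log schema, and keys on the number of distinct usernames a single source fails against inside a time window.

```python
"""
Added example (not from the CyberWire article or Microsoft): a minimal
password-spray detector run over constructed sign-in log lines.
The log line format is a hypothetical assumption, not a real product format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source address tries one password against many
# accounts in a legacy tenant and eventually succeeds; a normal user on a
# different source mistypes twice and then logs in.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z FAIL user=alice src=203.0.113.7 app=legacy-test-tenant
2023-11-28T02:00:03Z FAIL user=bob src=203.0.113.7 app=legacy-test-tenant
2023-11-28T02:00:05Z FAIL user=carol src=203.0.113.7 app=legacy-test-tenant
2023-11-28T02:00:07Z FAIL user=dave src=203.0.113.7 app=legacy-test-tenant
2023-11-28T02:00:09Z FAIL user=erin src=203.0.113.7 app=legacy-test-tenant
2023-11-28T02:00:11Z SUCCESS user=frank src=203.0.113.7 app=legacy-test-tenant
2023-11-28T02:05:00Z FAIL user=grace src=198.51.100.9 app=prod
2023-11-28T02:05:10Z FAIL user=grace src=198.51.100.9 app=prod
2023-11-28T02:05:20Z SUCCESS user=grace src=198.51.100.9 app=prod
"""

def parse_line(line):
    """Parse one constructed log line into a dict with a datetime 'ts'."""
    ts, outcome, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "outcome": outcome, **fields}

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src: sorted distinct usernames} for every source that failed
    against at least `min_users` different accounts within `window`.
    A brute force is many failures on ONE account; a spray is few failures
    on MANY accounts, so distinct users per source is the signal."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        if e["outcome"] == "FAIL":
            by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        start = 0                      # sliding window over this source's failures
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in evs[start:end + 1]}
            if len(users) >= min_users:
                alerts[src] = sorted(users)
                break
    return alerts

def successes_after_spray(log_text, alerts):
    """Successful sign-ins from a spraying source are the first thing to
    triage: that is the foothold account."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return [(e["user"], e["src"]) for e in events
            if e["outcome"] == "SUCCESS" and e["src"] in alerts]

if __name__ == "__main__":
    hits = detect_spray(SAMPLE_LOG)
    print(hits)
    print(successes_after_spray(SAMPLE_LOG, hits))
```

Two caveats when moving this beyond the sample: sprays are commonly distributed across many source addresses, so in production the same window logic should also be keyed on the target application or tenant rather than only on the source IP, and legacy or non-production tenants that are exempt from MFA and conditional access are exactly where a low-and-slow spray goes unnoticed, so their sign-in logs need to reach the same detection pipeline as production.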
Hewlett Packard Enterprise (HPE) also disclosed in an SEC filing that its cloud-based email environment was compromised by Cozy Bear, the Record reports. The company stated, "Based on our investigation, we now believe that the threat actor accessed and exfiltrated data beginning in May 2023 from a small percentage of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions." HPE said it was notified of the breach on December 12, 2023.
Water management conglomerate hit by ransomware.
Veolia North America, a subsidiary of French water management conglomerate Veolia, sustained a ransomware attack that affected its "internal back-end systems," BleepingComputer reports. The company stated, "In response to this incident, we implemented defensive measures, including taking the targeted back-end systems and servers offline until they could be restored. As a result, some customers experienced delays when using our online bill payment systems. Those systems are working normally again. Any payments made during this event have been applied, and customer accounts should reflect the most updated information. Customers will not be penalized for late payments or charged interest on their bills due to this service interruption." Veolia added that "there is no evidence to suggest it affected our water or wastewater treatment operations."
AI's use in ransomware attacks.
The UK's National Cyber Security Centre (NCSC) predicts that artificial intelligence will lead to an increase in the volume and impacts of ransomware attacks over the next two years, the Record reports. The NCSC said in a report, "Threat actors, including ransomware actors, are already using AI to increase the efficiency and effectiveness of aspects of cyber operations, such as reconnaissance, phishing and coding. This trend will almost certainly continue to 2025 and beyond. Phishing, typically aimed either at delivering malware or stealing password information, plays an important role in providing the initial network accesses that cyber criminals need to carry out ransomware attacks or other cyber crime. It is therefore likely that cyber criminal use of available AI models to improve access will contribute to the global ransomware threat in the near term."
The report also notes, "AI will almost certainly make cyber attacks against the UK more impactful because threat actors will be able to analyse exfiltrated data faster and more effectively, and use it to train AI models."
Ukrainian critical infrastructure companies targeted by disruptive attacks.
Four Ukrainian state-owned critical infrastructure companies were hit by disruptive cyberattacks this week, the Record reports. The attacks targeted Ukraine's largest state-owned oil and gas company, Naftogaz, the country's national postal service provider, Ukrposhta, transport safety organization DSBT, and Ukraine’s state railway Ukrzaliznytsia. It's unclear who's responsible for the attacks, although a Russian hacktivist gang has claimed credit for the attack against DSBT.
EquiLend hit by cyberattack.
The Lockbit ransomware gang has claimed credit for an attack against major securities lending platform EquiLend, Bloomberg reports. The company said in a statement yesterday that some of its systems have been taken offline: "We are working with external cybersecurity firms and other professional advisers to assist with our investigation and restoration of service. Clients have been advised that this may take several days."
SEC's X account hack caused by SIM swapping.
The US Securities and Exchange Commission (SEC) says the hack of its X account on January 9th was due to a SIM swapping attack, the Record reports. The SEC said in a statement, "Access to the phone number occurred via the telecom carrier, not via SEC systems. SEC staff have not identified any evidence that the unauthorized party gained access to SEC systems, data, devices, or other social media accounts."
loanDepot breach affects 16 million individuals.
US mortgage lender loanDepot has disclosed that the personal information of approximately 16.6 million individuals was accessed by attackers during a ransomware attack earlier this month, BleepingComputer reports. The company says it "will notify these individuals and offer credit monitoring and identity protection services at no cost to them."
Suspected Chinese threat actor exploits VMware vulnerability.
Mandiant says the suspected Chinese cyberespionage group UNC3886 has been exploiting CVE-2023-34048, a remote code execution vulnerability affecting VMware vCenter Server, since late 2021. VMware issued a patch for the flaw in October 2023. Mandiant found its evidence of earlier exploitation in crashes of the vmdird (VMware Directory Service) process recorded on affected vCenter systems: "While publicly reported and patched in October 2023, Mandiant has observed these crashes across multiple UNC3886 cases between late 2021 and early 2022, leaving a window of roughly a year and a half that this attacker had access to this vulnerability. Most environments where these crashes were observed had log entries preserved, but the 'vmdird' core dumps themselves were removed. VMware’s default configurations keep core dumps for an indefinite amount of time on the system, suggesting the core dumps were purposely removed by the attacker in an attempt to cover their tracks."
A look at the ransomware threat landscape.
Symantec (a Broadcom company) has published a report looking at the ransomware threat landscape in 2024, noting that the main infection vector for ransomware is now "exploitation of known vulnerabilities in public facing applications." The most popular vulnerability currently being targeted by ransomware actors is Citrix Bleed (CVE-2023-4966), a session token leakage flaw affecting Citrix NetScaler ADC and NetScaler Gateway. Because the flaw leaks already-issued session tokens, applying the update alone does not evict an attacker who captured one beforehand; Citrix's guidance is to terminate active and persistent sessions after patching.
The researchers also observed an increase in the abuse of legitimate tools and operating system features to stage the ransomware: "Windows operating system components are the most widely used legitimate software (so-called living off the land). PsExec, PowerShell, and WMI are the top three most frequently used tools by attackers. Remote desktop/remote administration software is the most widely used type of legitimate software introduced by attackers onto targeted networks. This includes AnyDesk, Atera, Splashtop, and ConnectWise."
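The tools Symantec lists are all dual-use, which is why "PsExec was run" is not by itself an alert. What separates abuse from administration is context: encoded or profile-less PowerShell, WMI remote process creation, PsExec aimed at another host, or an RMM client appearing in a user's temp directory. The classifier below is an added example written for this briefing, not code from Symantec; it runs over constructed process-creation events in a hypothetical simplified format (not Sysmon Event 1 or Windows 4688), and the argument patterns are illustrative starting points rather than a complete rule set.

```python
"""
Added example, not code from the Symantec report or the CyberWire article:
tag the living-off-the-land binaries and remote-administration tools the
report names in constructed process-creation events, then rank them.
Event fields and sample values are hypothetical, not real telemetry.
"""
import re

# Binaries named in the report, matched on the image path (case-insensitive).
LOLBINS = {
    "psexec": r"(^|\\)psexec(64)?\.exe$",
    "powershell": r"(^|\\)(powershell|pwsh)\.exe$",
    "wmi": r"(^|\\)wmic\.exe$",   # one WMI client; WMI is also reachable from PowerShell
}
# Remote admin / RMM products named in the report, matched on image or command line.
RMM_TOOLS = {
    "AnyDesk": r"anydesk",
    "Atera": r"atera",
    "Splashtop": r"splashtop",
    "ConnectWise": r"connectwise|screenconnect",
}
# Argument patterns that separate abuse from routine administration.
SUSPICIOUS_ARGS = [
    (r"-enc(odedcommand)?\s", "encoded PowerShell"),
    (r"-nop\b|-noprofile\b", "no-profile PowerShell"),
    (r"\bprocess\s+call\s+create\b", "WMI remote process create"),
    (r"\\\\[\w.-]+\s", "remote target via UNC path"),   # e.g. PsExec \\host
]
USER_TEMP = r"\\appdata\\local\\temp\\"

# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"host": "ws01", "user": r"CORP\jdoe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA..."},
    {"host": "srv02", "user": r"CORP\admin", "image": r"C:\Tools\PsExec64.exe",
     "cmdline": r"PsExec64.exe \\srv03 -s cmd.exe"},
    {"host": "ws01", "user": r"CORP\jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic /node:srv04 process call create "cmd /c whoami"'},
    {"host": "ws05", "user": r"CORP\jdoe",
     "image": r"C:\Users\jdoe\AppData\Local\Temp\AnyDesk.exe",
     "cmdline": "AnyDesk.exe --install"},
    {"host": "ws06", "user": r"CORP\build",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\build\ci.ps1"},
]

def classify(event):
    """Tag one event. A LOLBin on its own is 'info' (admins use these
    daily); suspicious arguments or any RMM tool raise it to 'alert'."""
    image, cmd = event["image"], event["cmdline"]
    tags = []
    for name, pat in LOLBINS.items():
        if re.search(pat, image, re.I):
            tags.append("lolbin:" + name)
    for name, pat in RMM_TOOLS.items():
        if re.search(pat, image, re.I) or re.search(pat, cmd, re.I):
            tags.append("rmm:" + name)
    for pat, label in SUSPICIOUS_ARGS:
        if re.search(pat, cmd, re.I):
            tags.append(label)
    if any(t.startswith("rmm:") for t in tags) and re.search(USER_TEMP, image, re.I):
        tags.append("RMM launched from user temp directory")
    if any(not t.startswith("lolbin:") for t in tags):
        severity = "alert"
    elif tags:
        severity = "info"
    else:
        severity = "none"
    return {"host": event["host"], "user": event["user"], "tags": tags, "severity": severity}

def triage(events):
    """Classify a batch and drop events with nothing of interest."""
    return [r for r in (classify(e) for e in events) if r["severity"] != "none"]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["severity"].upper(), r["host"], r["user"], ", ".join(r["tags"]))
```

The RMM branch is the one to tune per environment: if AnyDesk or Atera is the sanctioned help-desk tool, match on the installer path and signing publisher your deployment uses and alert on everything else, since an attacker's copy will typically arrive in a user-writable directory rather than through the software deployment channel.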
CISA director targeted by swatting attack.
The Record reports that CISA director Jen Easterly's home was swatted late last month. The Arlington County Police Department said in an incident summary, "Responding officers made contact with the occupant of the residence, determined no shooting had occurred and that there were no injuries associated with the call for service." Easterly said in a statement to the Record, "One of the most troubling trends we have seen in recent years has been the harassment of public officials across the political spectrum, including extreme incidents involving swatting and direct personal threats. These incidents pose a serious risk to the individuals, their families, and in the case of swatting, to the law enforcement officers responding to the situation. While my own experience was certainly harrowing, it was unfortunately not unique. In particular, several of our nation’s election officials have also been targeted with this type of harassment and other threats of violence."
North Korean threat actor targets cybersecurity researchers.
Researchers at SentinelOne warn that the suspected North Korean threat actor ScarCruft (also known as "APT37") is conducting a cyberespionage campaign targeting cybersecurity professionals: "In an interesting twist, ScarCruft is testing malware infection chains that use a technical threat research report on Kimsuky as a decoy document. Kimsuky is another suspected North Korean threat group observed to share operational characteristics with ScarCruft, like infrastructure and C2 server configurations. Given ScarCruft’s practice of using decoy documents relevant to targeted individuals, we suspect that the planned campaigns will likely target consumers of technical threat intelligence reports, like threat researchers, cyber policy organizations, and other cybersecurity professionals."
Mexican banks targeted by AllaKore RAT.
Researchers at BlackBerry warn that a financially motivated threat actor is using a modified version of the open-source remote access tool AllaKore to target Mexican banks and cryptocurrency trading entities: "Lures use Mexican Social Security Institute (IMSS) naming schemas and links to legitimate, benign documents during the installation process. The AllaKore RAT payload is heavily modified to allow the threat actors to send stolen banking credentials and unique authentication information back to a command-and-control (C2) server for the purposes of financial fraud. The targeting we observed was indifferent to industry; the attackers appear to be most interested in large companies, many with gross revenues over $100M USD. We know this because the lures sent out by the threat actors only work for companies that are large enough to be reporting directly to the Mexican government’s IMSS department."
Patch news.
Apple has issued a patch for a WebKit type-confusion vulnerability affecting iOS, macOS, tvOS, and Safari, BleepingComputer reports. The flaw could lead to remote code execution. Apple says it's "aware of a report that this issue may have been exploited."
Crime and punishment.
Russian national Vladimir Dunaev, a former developer of the Trickbot malware, pleaded guilty in the US to conspiracy to commit computer fraud and conspiracy to commit wire fraud, the Register reports. Dunaev admitted in his plea agreement to providing "specialized services and technical abilities" to the Trickbot gang between June 2016 and June 2021. Dunaev has been sentenced in the Northern District of Ohio to five years and four months in prison.
The Australian government has sanctioned Russian national Aleksandr Ermakov for his alleged involvement in the 2022 Medibank hack, the ABC reports. According to BleepingComputer, Ermakov is believed to be a member of the REvil ransomware gang. The Guardian notes that this is the first time Australia has used its cyber sanctions powers granted by the country's Magnitsky-style laws passed in 2021.
Courts and torts.
The US Federal Trade Commission (FTC) has prohibited a second data broker from "selling or licensing any precise location data." The FTC alleges that Texas-based data aggregator InMarket Media "failed to obtain informed consent from users of its own apps, shopping rewards app CheckPoints and shopping list app ListEase. For example, when the company requests to use a consumer’s location data, it states that the data will be used for the app’s function, such as to provide shopping reward points or to remind consumers about items on their shopping list, and fails to inform users that the location data will also be combined with other data obtained about those users and used for targeted advertising."
US Senator Ron Wyden (Democrat of Oregon) on Thursday sent a letter to Director of National Intelligence Avril Haines asserting that the US National Security Agency (NSA) is unlawfully purchasing US citizens' information from data brokers, the Record reports. Wyden states, "Although the intelligence agencies’ warrantless purchase of Americans’ personal data is now a matter of public record, recent actions by the Federal Trade Commission (FTC), the primary federal privacy regulator, raise serious questions about the legality of this practice."
Wyden adds, "According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be told and agree to their data being sold to 'government contractors for national security purposes.' I have conducted a broad probe of the data broker industry over the past seven years, and I am unaware of any company that provides such warnings to consumers before their data is collected. As such, the lawbreaking is likely industrywide, and not limited to this particular data broker."
Wyden requests that Haines direct the US intelligence agencies to conduct the following actions:
- "Conduct an inventory of the personal data purchased by the agency about Americans, including, but not limited to, location and internet metadata. As you know, the cataloging of IC acquisition of commercially available information was also a recommendation of the Senior Advisory Group Panel on Commercially Available Information in its January 2022 report.
- "Determine whether each data source identified in that inventory meets the standards for legal personal data sales outlined by the FTC. This, too, is consistent with the Senior Advisory Group’s recommendation to “identify and protect sensitive [Commercially Available Information] that implicates privacy and civil liberties concerns.”
- "Where those data purchases do not meet the FTC’s standard for legal data personal data sales, promptly purge the data. Should IC elements have a specific need to retain the data, I request that such need, and a description of any retained data, be conveyed to Congress and, to the greatest extent possible, to the American public."