By the CyberWire staff
At a glance.
- Salt Typhoon breached at least eight US telecoms.
- Russia's Secret Blizzard exploits Pakistani APT's infrastructure.
- Earth Minotaur targets Tibetan and Uyghur communities with mobile phishing attacks.
- Large US organization breached by China-based hackers.
- 760,000 employee records leaked online.
- SailPoint issues advisory for maximum severity vulnerability.
- Law enforcement seizes MATRIX criminal messaging app.
- Russian bank reportedly disrupted by DDoS attack.
- Rockstar phishing kit targets Microsoft 365 users.
Salt Typhoon breached at least eight US telecoms.
US Deputy National Security Adviser for Cyber and Emerging Technologies Anne Neuberger revealed in a press call this week that China's Salt Typhoon hacking campaign breached at least eight US telecoms, the Wall Street Journal reports. The threat actor also breached telecommunications companies in dozens of other countries.
The Record quotes Neuberger as saying, "Our understanding is that a couple dozens of countries were impacted. We believe this is intended as a Chinese espionage program focused, again, on key government officials, key corporate IP, so that will determine which telecoms were often targeted, and how many were compromised as well." Neuberger added, "[T]he communications of US government officials relies on these private sector systems, which is why the Chinese were able to access the communications of some senior US government and political officials. At this time, we don't believe any classified communications have been compromised."
Officials from the US Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have said the Salt Typhoon hackers likely still have access to critical telecommunications systems in the US, the Record reports. CISA and the FBI, along with their Five Eyes partners, have issued guidance for securing communications infrastructure against these attacks. The agencies note, "As of this release date, identified exploitations or compromises associated with these threat actors’ activity align with existing weaknesses associated with victim infrastructure; no novel activity has been observed. Patching vulnerable devices and services, as well as generally securing environments, will reduce opportunities for intrusion and mitigate the actors’ activity."
Russia's Secret Blizzard exploits Pakistani APT's infrastructure.
Lumen’s Black Lotus Labs and Microsoft Threat Intelligence have published reports on a lengthy campaign by Secret Blizzard (also known as "Turla"), a threat actor tied to Russia's Federal Security Service (FSB). Secret Blizzard infiltrated thirty-three command-and-control nodes used by the Pakistani espionage actor Storm-0156 (also tracked as "SideCopy" or "Transparent Tribe") and repurposed them to deploy its own malware within Afghan government networks. Secret Blizzard also used the access to compromise military and defense-related institutions in India. Additionally, the threat actor compromised the workstations of the Pakistan-based operators, acquiring "insights into Storm-0156’s tooling, credentials for both C2s and targeted networks, as well as exfiltrated data collected from prior operations."
From response to resilience: unlock next-level automation for security teams
Security teams are facing a constant uphill battle. Between alert fatigue, repetitive manual tasks, endless false positives, inflexible technology, and the looming risk of burnout, it all adds up, making it tough for teams to stay ahead of threats.
That’s where effective workflow orchestration and automation comes in.
Discover how automation can empower analysts and engineers to automate their most repetitive, time-consuming tasks - regardless of complexity - in this guide from Tines. Get the guide today!
Earth Minotaur targets Tibetan and Uyghur communities with mobile phishing attacks.
Trend Micro is tracking a threat actor dubbed "Earth Minotaur" that's using the MOONSHINE exploit kit to target Tibetan and Uyghur communities. MOONSHINE is designed to exploit vulnerabilities in instant messaging apps on Android devices in order to plant a backdoor. Victims are targeted via phishing messages with malicious links, often themed around Chinese news or government announcements.
Trend Micro notes, "MOONSHINE uses multiple Chromium exploits to attack instant messaging apps on Android. As many instant messaging apps use Chromium as their engine of the built-in browser, it becomes vulnerable when an application doesn’t update their Chromium and doesn’t enable the sandboxing protection feature. This gives attackers a great opportunity to exploit these vulnerabilities and install their backdoors. We found that the MOONSHINE exploit kit can attack multiple versions of Chromium and the Tencent Browser Server (TBS), which is another Chromium-based browser engine."
Large US organization breached by China-based hackers.
Researchers at Symantec say a "large US organization with a significant presence in China" sustained a four-month-long intrusion between April and August 2024. The goal of the operation was likely espionage. Symantec notes, "The available evidence suggests that the organization was breached by a China-based actor. Aside from the fact that DLL sideloading is a widely favored tactic among Chinese groups, the same organization was targeted in 2023 by an attacker with tentative links to the China-based Daggerfly group."
The researchers add, "The attackers moved laterally across the organization’s network, compromising multiple computers. Some of the machines targeted were Exchange Servers, suggesting the attackers were gathering intelligence by harvesting emails. Exfiltration tools were also deployed, suggesting that targeted data was taken from the organizations."
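The DLL sideloading Symantec points to leaves a recognisable trace in image-load telemetry: a signed executable pulls in a DLL bearing a Windows system library's name from its own (non-system) directory, and that DLL is not Microsoft-signed. The script below is an added example, not Symantec's tooling; it runs that heuristic over a handful of constructed Sysmon Event ID 7 (ImageLoad) records whose field names follow Sysmon's schema (`Image`, `ImageLoaded`, `Signed`, `Signature`, `SignatureStatus`). The list of sideload-prone DLL names is a small sample, not an authoritative one.

```python
"""Heuristic detection of DLL sideloading from Sysmon Event ID 7 (ImageLoad).

Added example, not Symantec's code. The events at the bottom are constructed;
field names mirror Sysmon's ImageLoad event. Heuristic: a DLL that carries the
name of a well-known Windows system library, is loaded from outside the Windows
directories, and is not validly Microsoft-signed is a sideloading candidate.
"""
from typing import Iterable

# Directories from which system DLLs are legitimately loaded (lower-case).
SYSTEM_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\windows\\winsxs\\",
)

# Small sample of DLL names commonly planted beside a signed executable for
# search-order hijacking; a production rule would carry a longer list.
SIDELOAD_PRONE_DLLS = {
    "version.dll", "userenv.dll", "cryptbase.dll", "wtsapi32.dll",
    "dbghelp.dll", "msimg32.dll", "profapi.dll", "wininet.dll",
}

MICROSOFT_SIGNERS = {"microsoft windows", "microsoft corporation"}


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _in_system_dir(path: str) -> bool:
    p = path.replace("/", "\\").lower()
    return any(p.startswith(d) for d in SYSTEM_DIRS)


def is_sideload_candidate(event: dict) -> bool:
    """Return True when an ImageLoad event matches the sideloading heuristic."""
    dll = event.get("ImageLoaded", "")
    if _basename(dll) not in SIDELOAD_PRONE_DLLS:
        return False
    if _in_system_dir(dll):
        return False
    signed = str(event.get("Signed", "false")).lower() == "true"
    valid = str(event.get("SignatureStatus", "")).lower() == "valid"
    signer = str(event.get("Signature", "")).lower()
    if signed and valid and signer in MICROSOFT_SIGNERS:
        # App-local copies of Microsoft-signed DLLs do occur; treat as benign here.
        return False
    return True


def find_sideload_candidates(events: Iterable[dict]) -> list[tuple[str, str]]:
    """Return (loading process, DLL path) pairs for every candidate event."""
    return [(e["Image"], e["ImageLoaded"]) for e in events if is_sideload_candidate(e)]


# Constructed sample events for this example (not real telemetry).
SAMPLE_EVENTS = [
    {   # benign: system DLL loaded from System32
        "Image": "C:\\Program Files\\Contoso\\updater.exe",
        "ImageLoaded": "C:\\Windows\\System32\\version.dll",
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid",
    },
    {   # candidate: signed vendor binary copied to a writable path, unsigned version.dll beside it
        "Image": "C:\\Users\\Public\\Libraries\\updater.exe",
        "ImageLoaded": "C:\\Users\\Public\\Libraries\\version.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
    {   # candidate: system DLL name, third-party signature, non-system directory
        "Image": "C:\\ProgramData\\Sync\\sync.exe",
        "ImageLoaded": "C:\\ProgramData\\Sync\\dbghelp.dll",
        "Signed": "true", "Signature": "Fabrikam Software", "SignatureStatus": "Valid",
    },
    {   # not flagged: the vendor's own DLL, name not on the sideload-prone list
        "Image": "C:\\ProgramData\\Sync\\sync.exe",
        "ImageLoaded": "C:\\ProgramData\\Sync\\synccore.dll",
        "Signed": "false", "Signature": "", "SignatureStatus": "Unavailable",
    },
]

if __name__ == "__main__":
    for proc, dll in find_sideload_candidates(SAMPLE_EVENTS):
        print(f"sideload candidate: {proc} loaded {dll}")
```

Run on the constructed events, the second and third records are flagged and the first and fourth are not. Tuning for a real fleet means extending the DLL list and whitelisting known app-local copies; the name-based check alone will miss sideloads that use an application's own (non-system) DLL name, which is why Symantec pairs the sideloading indicator with the lateral-movement and Exchange-access evidence rather than relying on it alone.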
Modernize Your Identity Systems with Ease.
Identity architects and engineers, Strata helps you integrate legacy apps with any IDP, ensuring seamless identity failover and applying MFA without touching app code. Reduce tech debt and enhance security with Strata's robust identity orchestration solution. Share your biggest identity challenge and receive a pair of complimentary AirPods Pro.
760,000 employee records leaked online.
Information belonging to more than 760,000 employees of several major companies has been posted online by a criminal threat actor, SecurityWeek reports. The data was apparently stolen during last year's widespread attacks on Progress Software's MOVEit file transfer tool. The information appears to belong to Xerox, Nokia, Koch, Bank of America, Morgan Stanley, and Bridgewater, and includes names, emails, phone numbers, work ID numbers, job titles, and manager names.
Atlas Privacy CSO Tsachi (Zack) Ganot told SecurityWeek "We believe the data originates from the Cl0p ransomware group, who frequently exploit vulnerabilities like MOVEit to exfiltrate and publish sensitive data as part of their extortion campaigns. It’s likely Name3l3ss dug through terabytes of darkweb data and repackaged it for wider consumption." Ganot also noted in a comment to the Register that this data is "a goldmine for social engineering."
SailPoint issues advisory for maximum severity vulnerability.
SailPoint has released a security advisory for a maximum severity improper access control vulnerability (CVE-2024-10905) that was patched earlier this week. The flaw, which was assigned a CVSS score of 10, affects the company's identity and access management platform IdentityIQ.
SailPoint CISO Rex Booth said in a statement, “As part of our continued commitment to transparency and security, on Monday December 2, SailPoint issued a security advisory for its Identity IQ product which was assigned CVE-2024-10905. A fix has already been released, and we’ve provided customers with guidance on how to apply it."
Build a Stronger Identity Security Program to Protect Your Organization
In our eBook, Building an Identity Security Program, we provide a step-by-step guide to creating a resilient identity security framework. You'll learn how to integrate identity security into your overall security strategy, protect against threats like MFA attacks, and secure access across your entire organization. Don’t leave your organization vulnerable to identity-based attacks. Arm yourself with the knowledge and tools to defend your business. Download the eBook.
Law enforcement seizes MATRIX criminal messaging app.
French and Dutch police have dismantled the criminal encrypted messaging service MATRIX, BleepingComputer reports. MATRIX was an invite-only subscription service designed specifically for coordinating criminal activities. Europol says law enforcement has been gathering messages from the service for the past three months, stating, "More than 2.3 million messages in 33 languages were intercepted and deciphered during the investigation. The messages that were intercepted are linked to serious crimes such as international drug trafficking, arms trafficking, and money laundering." This information will be used to support further investigations.
Russian bank reportedly disrupted by DDoS attack.
The Record reports that Russian users are reporting outages at Gazprombank, Russia's third-largest bank, following an alleged DDoS attack by Ukraine's military intelligence agency (HUR). An anonymous HUR source told Ukrinform earlier this week, "Hundreds of thousands of Russians will be unable to transfer money and carry out online payments due to Gazprombank applications not working." The attack also reportedly disrupted payment terminals for public transportation.
Dropzone AI Named a Gartner Cool Vendor for the Modern SOC.
Dropzone AI has been recognized as a Gartner Cool Vendor, validating its role in transforming SOCs. With an AI SOC Analyst that autonomously investigates alerts 24/7, Dropzone AI helps security teams stay ahead by reducing alert fatigue and providing decision-ready insights. Discover how we're leading SOC innovation.
Rockstar phishing kit targets Microsoft 365 users.
Trustwave has published a report on a phishing kit called "Rockstar 2FA," which is an updated version of the DadSec/Phoenix phishing kit. Rockstar is designed to steal Microsoft 365 credentials via spoofed login pages, and can intercept session cookies to bypass multifactor authentication. The phishing sites use Cloudflare Turnstile challenges to filter visitors and send unwanted users to car-themed decoy pages. The researchers note, "In the messages we analyzed, various techniques were utilized to bypass antispam detections, such as obfuscation methods and the use of FUD links, including the abuse of legitimate link services, document attachments like HTML and PDF, and even QR codes."
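The session-cookie interception Trustwave describes works because an adversary-in-the-middle proxy sits between the victim and the real Microsoft login page and relays whatever the victim types, including one-time codes and push approvals. The caveat a practitioner should keep in mind is that the same relay does not defeat origin-bound credentials such as FIDO2/WebAuthn: the browser writes the page's actual origin into the signed client data, and the authenticator hashes the relying-party ID it was actually used from, so the relying party rejects the assertion. The script below is an added example, not code from the Trustwave report or from the kit; the relying-party ID, origins and challenge handling are constructed. Signature verification is omitted because it needs a real key pair; the checks shown are the ones that make the credential origin-bound.

```python
"""Why an AiTM proxy can relay passwords, OTPs and session cookies but not a
WebAuthn assertion. Added example with constructed names; in a real
verification the signature also covers authenticatorData || SHA-256(clientDataJSON),
so the proxy cannot rewrite the origin field without invalidating it.
"""
import base64
import hashlib
import json
import os

RP_ID = "login.example.com"                          # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"
PHISHING_ORIGIN = "https://login.example-sso.net"    # constructed lookalike proxy


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def browser_client_data(challenge: bytes, origin: str) -> bytes:
    """What the browser serialises as clientDataJSON. The browser fills in the
    origin of the page it is on, not whatever the page's JavaScript claims."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def authenticator_data(origin: str, counter: int = 1) -> bytes:
    """rpIdHash is derived from the effective domain the browser reports, so a
    lookalike domain yields a different hash. (A real browser would refuse to
    use a credential registered for RP_ID from any other origin at all.)"""
    rp_id = origin.split("://", 1)[1].split("/", 1)[0]
    flags = 0x01  # user-present bit
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def rp_verify(client_data: bytes, auth_data: bytes, issued_challenge: bytes) -> tuple[bool, str]:
    """The origin-binding steps of the relying party's assertion verification."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "unexpected type"
    if cd.get("challenge") != b64url(issued_challenge):
        return False, "challenge mismatch"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "ok"


def simulate_login(origin: str) -> tuple[bool, str]:
    """The RP issues a fresh challenge and the victim's browser at `origin`
    completes it. An AiTM proxy relays the RP's challenge unchanged, which is
    exactly the origin == PHISHING_ORIGIN case."""
    challenge = os.urandom(32)
    cd = browser_client_data(challenge, origin)
    ad = authenticator_data(origin)
    return rp_verify(cd, ad, challenge)


if __name__ == "__main__":
    print("direct login:  ", simulate_login(EXPECTED_ORIGIN))
    print("via AiTM proxy:", simulate_login(PHISHING_ORIGIN))
```

The direct login verifies; the proxied one fails on the origin check (and would fail on rpIdHash as well). None of this helps once a session cookie has already been issued to a user who authenticated with a phishable factor, which is the case Rockstar 2FA is built for, so the kit is a reason to move privileged accounts to phishing-resistant methods rather than to add more OTP prompts.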
Crime and punishment.
A Russian court has sentenced Stanislav Moiseyev, the accused leader of the Hydra darknet marketplace, to life in prison, BleepingComputer reports. Fifteen accomplices received prison terms ranging from 8 to 23 years for drug production and distribution. Hydra was the world's largest darknet drug market before its servers were seized by German police in 2022.
Interpol has announced a global law enforcement operation that resulted in the arrests of more than 5,500 individuals allegedly involved in online scam rings. Operation Haechi V, which involved law enforcement agencies from 40 countries, territories, and regions, "targeted seven types of cyber-enabled frauds: voice phishing, romance scams, online sextortion, investment fraud, illegal online gambling, business email compromise fraud, and e-commerce fraud." The operation also seized more than US$400 million worth of virtual assets and government-backed currencies.
A Nebraska man has pleaded guilty to a multi-million dollar cryptojacking operation that "defrauded two well-known providers of cloud-computing services out of more than $3.5 million," BleepingComputer reports. The defendant, Charles O. Parks III (also known as "CP3O"), used the cloud services to generate nearly $1 million worth of cryptocurrency. According to a US Justice Department press release, "Parks tricked the providers into approving heightened privileges and benefits, including elevated levels of cloud computing services and deferred billing accommodations, and deflected inquiries from the providers regarding questionable data usage and mounting unpaid subscription balances."
GigaOM CxO Brief: Learn why Cobalt is a leader in OST and PtaaS
Driven by an increasing attack surface, sophisticated cybersecurity threats, and the perennial gap in security expertise, companies are turning to more proactive means to evaluate their defenses.
In this report find out:
- The circumstances driving adoption of offsec measures.
- Best practices to maximize the value of this type of testing.
- The organizational impact companies see from using proactive security measures.
Download GigaOm’s CxO Brief to understand how offensive security testing helps organizations maximize their security spend at scale.