By the CyberWire staff
At a glance.
- US government disrupts Volt Typhoon.
- Midnight Blizzard abused OAuth apps in Microsoft attack.
- New PowerShell backdoor targets the Ukrainian military.
- Schneider Electric confirms ransomware attack.
- New variant of the Zloader Trojan.
- Ivanti issues patches for VPNs and discloses new zero-days.
US government disrupts Volt Typhoon.
Reuters reports that the US Justice Department and FBI disabled portions of a network of compromised devices that was being used by the China-linked threat actor Volt Typhoon to target US critical infrastructure. Volt Typhoon had been forming a botnet by compromising vulnerable devices, including routers, modems, and IoT devices, in order to hide later intrusions into sensitive targets. John Hultquist, Chief Analyst at Mandiant Intelligence, said in an emailed statement that Volt Typhoon has been conducting battlespace preparation by staging potentially disruptive attacks: "This actor is not doing the quiet intelligence collection and theft of secrets that has been the norm in the US. They are probing sensitive critical infrastructure so they can disrupt major services if, and when, the order comes down."
FBI Director Christopher Wray told Congress on Wednesday that the Chinese government (specifically Volt Typhoon) is targeting US critical infrastructure, including the power grid, water treatment facilities, and pipelines, in order to stage future destructive attacks, NPR reports. "China's hackers are positioning on American infrastructure in preparation to wreak havoc and cause real-world harm to American citizens and communities, if and when China decides the time has come to strike," Wray said. "They're not focused just on political and military targets. We can see from where they position themselves across civilian infrastructure that low blows are just a possibility in the event of a conflict; low blows against civilians are part of China's plan."
Midnight Blizzard abused OAuth apps in Microsoft attack.
Microsoft has shared additional details on how its senior executives' email accounts were compromised by the Russian threat actor Midnight Blizzard (also known as "Cozy Bear" or "APT29"), offering guidance for organizations to defend themselves against similar attacks. The threat actor launched password spray attacks from a distributed residential proxy infrastructure, enabling it to compromise "a legacy, non-production test tenant account that did not have multifactor authentication (MFA) enabled."
After gaining access to the test account, the threat actor abused OAuth to establish persistence and access additional email accounts: "Midnight Blizzard leveraged their initial access to identify and compromise a legacy test OAuth application that had elevated access to the Microsoft corporate environment. The actor created additional malicious OAuth applications. They created a new user account to grant consent in the Microsoft corporate environment to the actor controlled malicious OAuth applications. The threat actor then used the legacy test OAuth application to grant them the Office 365 Exchange Online full_access_as_app role, which allows access to mailboxes."
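The two steps Microsoft describes, a password spray against a legacy test tenant without MFA and then an OAuth application granted the Exchange Online full_access_as_app role by a freshly created account, each leave a trace that a defender can look for. The following is an added example, not Microsoft's code or guidance: it runs a spray heuristic over a constructed sign-in log (many distinct accounts, one or two failures each, from many source IPs within a short window, followed by any success without MFA) and audits a constructed list of app-role grants for tenant-wide mailbox roles and for consents granted by accounts created shortly before the grant. The log fields, the grant-record schema, the thresholds, and every role in HIGH_RISK_ROLES other than full_access_as_app are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


# Constructed sign-in events (time, account, source IP, outcome, MFA satisfied); not real telemetry.
SIGNIN_LOG = [
    # One failure per account, each from a different IP: the shape of a spray through a proxy pool.
    ("2024-01-10T02:00:05Z", "alice@test.example", "203.0.113.10", "failure", False),
    ("2024-01-10T02:00:09Z", "bob@test.example", "198.51.100.7", "failure", False),
    ("2024-01-10T02:00:14Z", "carol@test.example", "203.0.113.77", "failure", False),
    ("2024-01-10T02:00:20Z", "dave@test.example", "192.0.2.33", "failure", False),
    ("2024-01-10T02:00:27Z", "erin@test.example", "198.51.100.120", "failure", False),
    ("2024-01-10T02:00:31Z", "legacy-test@test.example", "192.0.2.201", "success", False),
    # Unrelated: one user mistyping a password twice from one IP, then succeeding with MFA.
    ("2024-01-10T09:15:00Z", "frank@test.example", "203.0.113.5", "failure", True),
    ("2024-01-10T09:15:30Z", "frank@test.example", "203.0.113.5", "failure", True),
    ("2024-01-10T09:16:02Z", "frank@test.example", "203.0.113.5", "success", True),
]


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_failures_per_account=2):
    """Flag windows in which many distinct accounts each fail only once or twice.

    A spray stays under per-account lockout thresholds, so counting failures per
    account never fires; counting distinct failing accounts per window does.
    Source-IP diversity is reported because a residential proxy pool makes
    per-IP rate limiting equally blind. Any MFA-less success inside the window
    is listed so the account can be reviewed first."""
    parsed = sorted((_ts(t), user, ip, result, mfa) for t, user, ip, result, mfa in events)
    alerts = []
    i = 0
    while i < len(parsed):
        start = parsed[i][0]
        failures = defaultdict(int)
        source_ips = set()
        no_mfa_success = []
        j = i
        while j < len(parsed) and parsed[j][0] - start <= window:
            _, user, ip, result, mfa = parsed[j]
            if result == "failure":
                failures[user] += 1
                source_ips.add(ip)
            elif result == "success" and not mfa:
                no_mfa_success.append(user)
            j += 1
        if len(failures) >= min_accounts and max(failures.values()) <= max_failures_per_account:
            alerts.append({
                "window_start": start.isoformat(),
                "accounts_targeted": len(failures),
                "source_ips": len(source_ips),
                "no_mfa_success": no_mfa_success,
            })
            i = j  # the whole window has been reported; continue after it
        else:
            i += 1
    return alerts


# Constructed app-role grant records; the field names are assumptions, not a real audit-log schema.
APP_ROLE_GRANTS = [
    {"app": "legacy-test-app", "resource": "Office 365 Exchange Online", "role": "full_access_as_app",
     "granted_by": "svc-consent-01@corp.example",
     "granted_at": "2024-01-12T03:10:00Z", "grantor_created_at": "2024-01-12T03:05:00Z"},
    {"app": "hr-sync", "resource": "Microsoft Graph", "role": "User.Read.All",
     "granted_by": "it-admin@corp.example",
     "granted_at": "2023-06-01T10:00:00Z", "grantor_created_at": "2019-02-01T00:00:00Z"},
]

# full_access_as_app is the role named in Microsoft's account; the other two are assumed additions.
HIGH_RISK_ROLES = {"full_access_as_app", "Mail.ReadWrite", "Mail.Read"}


def audit_app_role_grants(grants, new_grantor_window=timedelta(days=7)):
    """Return (app, reasons) for every grant that warrants review: a tenant-wide
    mailbox role, or consent given by an account that barely existed at the time."""
    findings = []
    for g in grants:
        reasons = []
        if g["role"] in HIGH_RISK_ROLES:
            reasons.append(f"tenant-wide mailbox role {g['role']} on {g['resource']}")
        grantor_age = _ts(g["granted_at"]) - _ts(g["grantor_created_at"])
        if grantor_age <= new_grantor_window:
            reasons.append(f"consent granted by {g['granted_by']}, created {grantor_age} before the grant")
        if reasons:
            findings.append((g["app"], reasons))
    return findings


if __name__ == "__main__":
    for alert in detect_password_spray(SIGNIN_LOG):
        print("spray:", alert)
    for app, reasons in audit_app_role_grants(APP_ROLE_GRANTS):
        print("review:", app, reasons)
```

The spray heuristic deliberately ignores per-account failure counts above the threshold: a user who mistypes a password several times is noise for this detector and is handled by ordinary lockout. The grant audit is the check that would have surfaced the legacy test application before it was repurposed, and it is cheap to run on a schedule against the full inventory of consented applications.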
Cloudflare discloses breach.
Cloudflare has disclosed details of a 2023 breach that resulted in unauthorized access to the company's internal wiki and bug database hosted on an Atlassian server. The threat actor had access to the server for ten days between November 14th and November 24th. Cloudflare stresses that "[N]o Cloudflare customer data or systems were impacted by this event. Because of our access controls, firewall rules, and use of hard security keys enforced using our own Zero Trust tools, the threat actor’s ability to move laterally was limited. No services were implicated, and no changes were made to our global network systems or configuration."
Cloudflare says the threat actor gained access "by using one access token and three service account credentials that had been taken, and that we failed to rotate, after the Okta compromise of October 2023." The company adds, "Based on our collaboration with colleagues in the industry and government, we believe that this attack was performed by a nation state attacker with the goal of obtaining persistent and widespread access to Cloudflare’s global network."
New PowerShell backdoor targets the Ukrainian military.
Researchers at Securonix warn that the Russia-aligned threat actor Shuckworm is targeting Ukrainian military personnel with a new PowerShell-based backdoor the researchers have dubbed "SUBTLE-PAWS." The malware is spread via infected USB drives: "Execution begins when the victim user unzips the archive and double clicks on the included shortcut file. The shortcuts followed a rather consistent nomenclature consisting of Ukrainian cities or military terms such as 'ODESSA.lnk', 'CRIMEA.lnk', 'LUGANSK.lnk' or 'KROPIVA.lnk'. The latter term 'Kropiva' (Nettle) refers to a military system used by the Ukrainian military."
The Ukrainian government has attributed Shuckworm to Russia's Federal Security Service (FSB). According to Symantec, the threat actor has targeted the Ukrainian military since 2014.
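The lure in this campaign is a Windows shortcut whose name looks like a place or a military term but whose target is a command interpreter with PowerShell in its arguments. Shortcut files follow a fixed binary layout (a 76-byte header carrying a LinkFlags field, optional target and link-info sections, then the name, relative path, working directory, arguments and icon strings in a fixed order), so a triage script can read the arguments without ever resolving the shortcut. The following is an added example, not code from Securonix or Symantec: a minimal parser for that layout, a scoring function that flags the lure names quoted above and PowerShell-style arguments, and a builder that produces a constructed sample shortcut so the whole thing runs offline. The argument patterns in SUSPICIOUS_ARGS and the sample file contents are assumptions, not indicators taken from the campaign.

```python
import re
import struct

# ShellLink (.lnk) header layout: 76-byte header, CLSID at offset 4, LinkFlags at offset 20.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData sections appear in this fixed order, each present only when its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location"),
]

# Lure stems quoted in the Securonix write-up.
LURE_STEMS = {"ODESSA", "CRIMEA", "LUGANSK", "KROPIVA"}
# Assumed heuristic markers of a shortcut that launches PowerShell quietly.
SUSPICIOUS_ARGS = re.compile(r"powershell|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|-nop\b|bypass", re.I)


def parse_lnk(data):
    """Return the string fields of a .lnk file without resolving or executing it."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # 2-byte IDListSize followed by the list
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                  # 4-byte LinkInfoSize that includes itself
        off += struct.unpack_from("<I", data, off)[0]
    fields = {"flags": flags}
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, off)[0]   # character count, no terminator
        off += 2
        if flags & IS_UNICODE:
            fields[key] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            fields[key] = data[off:off + count].decode("latin-1")
            off += count
    return fields


def assess(filename, data):
    """Return the list of reasons a shortcut deserves a closer look (empty if none)."""
    info = parse_lnk(data)
    findings = []
    if filename.rsplit(".", 1)[0].upper() in LURE_STEMS:
        findings.append(f"file name matches a lure used in the campaign: {filename}")
    args = info.get("arguments", "")
    if SUSPICIOUS_ARGS.search(args):
        findings.append(f"arguments invoke PowerShell or use hidden/encoded options: {args!r}")
    target = (info.get("relative_path", "") + " " + info.get("working_dir", "")).lower()
    if "cmd.exe" in target or "powershell" in target:
        findings.append("shortcut target is a command interpreter rather than a document")
    return findings


def build_lnk(relative_path, arguments):
    """Build a constructed Unicode .lnk with only a relative path and arguments (test input only)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))     # remaining header fields zeroed

    def string_data(s):
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + string_data(relative_path) + string_data(arguments)


if __name__ == "__main__":
    # Constructed sample: a lure-named shortcut whose target is cmd.exe running a hidden PowerShell script.
    sample = build_lnk(r"..\..\Windows\System32\cmd.exe", "/c powershell.exe -WindowStyle Hidden -File stage.ps1")
    for reason in assess("ODESSA.lnk", sample):
        print("flag:", reason)
```

Only the header size, CLSID and flag-gated sections are read, so a malformed or truncated file raises rather than being trusted. On a real USB image the same assess() call would run over every .lnk found inside extracted archives, with the parsed arguments logged for the analyst regardless of whether the heuristics fire.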
Georgia's Fulton County confirms cyberattack.
Fulton County, Georgia (home to Atlanta) has confirmed that it sustained a cyberattack that disrupted its IT services, the Record reports. The county's Board of Commissioners Chairman Robb Pitts stated, "[The] investigation is still in the early stages. So we'll be providing limited information at this time. However, we do want our citizens to be aware that a number of our primary technology platforms are affected by this incident. Three notable examples include our phone system, our court system, and our tax system. We do not yet have a specific timeframe for when these systems will be restored."
Schneider Electric confirms ransomware attack.
Schneider Electric has confirmed that its sustainability business division was disrupted by a ransomware attack, Silicon Republic reports. The company stated, "From an impact assessment standpoint, the ongoing investigation shows that data have been accessed. As more information becomes available, the sustainability business division of Schneider Electric will continue the dialogue directly with its impacted customers and will continue to provide information and assistance as relevant."
BleepingComputer says the attack occurred on January 17th and involved the Cactus strain of ransomware.
New variant of the Zloader Trojan.
Zscaler says a new variant of the Zloader Trojan has surfaced after an almost two-year hiatus. The malware's operations were disrupted after Microsoft dismantled its infrastructure in April 2022. Zscaler says the new version of the Trojan offers "new obfuscation techniques, an updated domain generation algorithm (DGA), RSA encryption for network communications, and the loader now has native support for 64-bit versions of Windows."
Patch news.
Ivanti on Wednesday issued patches for two actively exploited vulnerabilities affecting Connect Secure and Policy Secure gateways, the Register reports. The company has also disclosed two additional vulnerabilities (CVE-2024-21888 and CVE-2024-21893) in Ivanti Connect Secure, Ivanti Policy Secure, and Ivanti Neurons for ZTA. One of the newly disclosed flaws is being exploited: "CVE-2024-21888 allows for privilege escalation and CVE-2024-21893 is a server-side request forgery in the SAML component which allows a threat actor to access certain restricted resources without authentication. We have no evidence of customers being impacted by CVE-2024-21888 at this time, and we are aware of a limited number of customers impacted by CVE-2024-21893.... At the time of publication, the exploitation of CVE-2024-21893 appears to be targeted. Ivanti expects the threat actor to change their behavior and we expect a sharp increase in exploitation once this information is public – similar to what we observed on 11 January following the 10 January disclosure."
The US Cybersecurity and Infrastructure Security Agency (CISA) has ordered US federal agencies to disconnect all Ivanti Connect Secure and Policy Secure VPNs by Saturday, February 3rd, BleepingComputer reports.
Software automation server Jenkins has received a patch for a vulnerability that could allow "unauthenticated attackers to read arbitrary files on the Jenkins controller file system." The flaw was discovered by researchers at SonarSource, who warn that "[a]ttackers could leverage this vulnerability, by reading Jenkins secrets, to escalate privileges to admin and eventually execute arbitrary code on the server." BleepingComputer notes that proof-of-concept exploits for the flaw are publicly available, and some researchers have reported that the vulnerability is already being exploited in the wild.
Crime and punishment.
Former CIA programmer Joshua Schulte has been sentenced to forty years in prison for leaking CIA hacking tools to WikiLeaks in 2016, Digital Journal reports. WikiLeaks published the tools in its Vault 7 and Vault 8 disclosures in 2017. Schulte was found guilty of espionage, computer hacking, contempt of court, making false statements to the FBI, and child pornography. US Attorney Damian Williams said in a statement, "Schulte betrayed his country by committing some of the most brazen, heinous crimes of espionage in American history. He caused untold damage to our national security in his quest for revenge against the CIA for its response to Schulte’s security breaches while employed there."
Courts and torts.
SolarWinds is seeking the dismissal of a US Securities and Exchange Commission (SEC) lawsuit that alleges the company and its CISO defrauded investors by concealing poor cybersecurity practices, Bloomberg Law reports. SolarWinds claims that the SEC "is trying to unfairly move the goalposts for what companies must disclose about their cybersecurity programs and, with the controls charges, claim a mandate for regulating those programs that the agency does not have."
The company maintains that it made clear that its systems were vulnerable to sophisticated nation-state attacks before they were compromised by a Russian state-sponsored threat actor in December 2020. The company adds, "The SEC complains these disclosures were insufficient, asserting that companies must disclose detailed vulnerability information in their SEC filings. But that is not the law, and for good reason: disclosing such details would be unhelpful to investors, impractical for companies, and harmful to both, by providing roadmaps for attackers."