Midnight Blizzard brings the storm.

Russian state hackers breach Microsoft. LockBit claims Subway restaurants hack. A Swedish datacenter is hit with ransomware. VMware patches a vulnerability targeted by Chinese espionage groups. Sentinel Labs warns of North Korean APTs focus on cybersecurity pros. FTC order another data broker to restrict location data. US Feds release security guidance for water and wastewater sectors. Senators question the DOJ on facial recognition technology. Ukraine’s Monobank gets DDoSed. N2K’s CSO Rick Howard joins us to share some insight into what he and the Hash Table are cooking up for the upcoming season of his CSO Perspectives podcast  The passing of a Time Lord. 

Today is January 22nd, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.

Russian state hackers breach Microsoft.

We begin today with news that Russian state hackers, identified as Midnight Blizzard (also known as Nobelium or APT29), infiltrated the email accounts of Microsoft's senior executives and staff within its cybersecurity and legal departments. This breach, disclosed by Microsoft in a regulatory filing with the SEC, occurred for approximately six weeks, with the company detecting the intrusion on January 12 and severing access by January 13. The attack was initiated via a password spraying technique on a non-production account and enabled access to a limited portion of corporate emails, primarily targeting information about Midnight Blizzard itself. Microsoft says there was no evidence of the hackers reaching customer data, production systems, source code, or AI systems. The extent of data accessed and the implications of the breach are still under investigation.

We note for disclosure that Microsoft is a CyberWire partner. 

LockBit claims Subway restaurants hack.

The LockBit ransomware gang has claimed responsibility for hacking Subway, the leading multinational fast-food franchise. Announcing this on their Tor data leak site, LockBit threatened to release the stolen data, comprising hundreds of gigabytes, this coming  February 2. The compromised data reportedly includes sensitive financial information such as employee salaries, franchise royalty and commission payments, and restaurant turnovers. LockBit accuses Subway of ignoring the breach and warns of selling the data to competitors if Subway fails to secure it. 

A Swedish datacenter is hit with ransomware. 

Cloud hosting service provider a Tietoevry (TeeAYtoe-evry)disclosed that its Swedish datacenter experienced what it’s calling a partial ransomware attack, impacting numerous clients and leading to store closures nationwide. The Finland-based tech company stated the attack was confined to a segment of the datacenter, primarily affecting services for some Swedish customers. This includes Primula, a major payroll and HR firm used by most Swedish universities and over 30 government authorities, disrupting personal leave and expense submissions. While January salaries have been processed, future remediation plans remain unclear. No confirmation was given regarding the theft of sensitive data.

VMware patches a vulnerability targeted by Chinese espionage groups.

Mandiant and VMware Product Security discovered that UNC3886, an advanced espionage group with links to China, has been exploiting a VMware vulnerability since late 2021, although it was only publicly reported and patched in October 2023. This group, known for targeting technologies without Endpoint Detection and Response (EDR) systems, has a history of using zero-day vulnerabilities for undetected operations. The exploitation was traced back to vCenter system crash logs, which revealed the "vmdird" service crashing just before the deployment of attacker backdoors. Analysis linked these crashes to an out-of-bounds write vulnerability in vCenter's DCE/RPC protocol, allowing unauthenticated remote command execution. The core dumps, typically preserved indefinitely, were found removed in most cases, indicating deliberate action by the attackers to hide their traces. VMware released patches for this vulnerability, and Mandiant advises users to update to the latest vCenter version to mitigate the risk.

Sentinel Labs warns of North Korean APTs focus on cybersecurity pros. 

Cybersecurity researchers and threat analysts are increasingly targeted by nation-state advanced persistent threat (APT) actors, such as North Korea's ScarCruft group. These actors employ various tactics, like creating fake social media profiles and GitHub accounts, to lure security professionals into downloading malware. A recent report from SentinelLabs highlights ScarCruft's persistent campaign targeting experts in North Korean affairs, including those from South Korea's academic sector and a news organization. They use malware disguised as threat research reports as decoys, which SentinelLabs says is a new strategy. This malware is believed to be in the testing phase and includes shellcode variants and LNK files named after intelligence and news topics, targeting those interested in North Korean cybersecurity developments. The goal is to gather non-public threat intelligence and improve their attack techniques. SentinelLabs warns that cybersecurity professionals must remain vigilant, as these sophisticated social engineering and phishing campaigns could target a wide range of professionals in the industry.

FTC order another data broker to restrict location data.

Data aggregator InMarket Media has agreed to stop selling precise location data, following Federal Trade Commission (FTC) charges of not adequately informing consumers or obtaining their consent for collecting and using their location data for advertising. Under the proposed order, InMarket is also barred from categorizing or targeting consumers based on sensitive location data. This action by the FTC, its second in the last few weeks, addresses InMarket's practices of collecting location data from sources including its apps and third-party apps using its software development kit (SDK). The proposed order requires InMarket to delete or deidentify previously collected data, provide opt-out mechanisms, notify consumers about FTC action, limit data collection without informed consent, and establish a privacy program and data retention schedule. 

US Feds release security guidance for water and wastewater sectors. 

The US government released new guidance to enhance cyber resilience and incident response in the water and wastewater (WWS) sector, addressing threats from financially and politically motivated actors. The Water and Wastewater Sector – Incident Response Guide, developed by CISA, FBI, EPA, and other federal and WWS partners, provides comprehensive strategies for water utility owners and operators to prepare for, mitigate, and respond to cyber incidents. The guide emphasizes the sector's vulnerability to various cyber events like unauthorized access and ransomware, with potential widespread impacts on critical infrastructure. It outlines federal roles, resources, and responsibilities throughout the incident response lifecycle, offering guidelines for incident reporting, resources, services, and training. The guide encourages WWS organizations to build cybersecurity baselines, interact with local cyber communities, and share information on cyberattacks with federal partners. It also advises on strengthening incident response plans, covering preparation, detection, analysis, containment, recovery, and post-incident review. While prioritizing water system operations, WWS utilities are urged to participate in collective response efforts and share 'lessons learned' after incidents.

Senators question the DOJ on facial recognition technology. 

A group of 18 senators, led by democrats Dick Durbin and Raphael Warnock, expressed concerns to the Department of Justice (DOJ) regarding the use and accuracy of facial recognition technology, particularly its frequent misidentification of Black individuals. Highlighting an instance of a wrongful jailing due to this technology, the senators questioned the DOJ's funding and oversight of such systems, suggesting potential violations of Title VI of the Civil Rights Act of 1964. They sought information on DOJ's measures to ensure compliance with civil rights laws and policies to track the deployment of facial recognition technology. This technology has also faced scrutiny from privacy advocates and the Federal Trade Commission, with recent cases like Rite Aid's settlement for misuse. Additionally, the Electronic Privacy Information Center (EPIC) raised concerns about the discriminatory impact of acoustic gun detection tools funded by the DOJ and DHS. The senators' request for more DOJ transparency and oversight reflects growing attention to the intersection of technology, privacy, and civil rights. The DOJ acknowledged receipt of the letter but did not comment further.

Ukraine’s Monobank gets DDoSed.

Monobank, a prominent online bank in Ukraine, experienced a significant distributed denial-of-service (DDoS) attack, as confirmed by CEO Oleh Horokhovskyi. Despite the attack's scale, Monobank's services remained uninterrupted. This incident follows a similar DDoS attack on Ukraine's broadband and mobile services, previously targeting Kyivstar. The origin of the attack is unclear, but Ukraine has faced numerous cyberattacks targeting its critical infrastructure, especially since the onset of the Russian invasion.

 

Coming up next, Rick Howard joins me to give us a preview of what he and the Hash Table are cooking up for the upcoming season of his CSO Perspectives podcast.

 

The passing of a Time Lord. 

And finally, we note the passing of David Mills, an engineer and computer scientist who was creator of the Network Time Protocol, a fundamental element of networks and the internet itself. 

In 1977, David Mills joined COMSAT and became involved in the ARPANET, a precursor to the Internet. Recognizing the need for synchronized time across the network, Mills developed the Network Time Protocol (NTP), a system for timekeeping on the Internet. His protocol differentiated reliable "truechimers" from misleading "falsetickers," and by 1988, NTP could synchronize clocks to within milliseconds. Mills was known for his eccentricity and expertise in various fields, and nicknamed the Internet’s Time Lord by his peers. He passed away on January 17 at the age of 85. 

May his memory be a blessing to those who knew and loved him. 

And that’s the CyberWire.

For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.

 

We’d love to know what you think of this podcast. You can email us at cyberwire@n2k.com—your feedback helps us ensure we’re delivering the information and insights that help keep you a step ahead in the rapidly changing world of cybersecurity.

We’re privileged that N2K and podcasts like the CyberWire are part of the daily intelligence routine of many of the most influential leaders and operators in the public and private sector, as well as the critical security teams supporting the Fortune 500 and many of the world’s preeminent intelligence and law enforcement agencies.

N2K strategic workforce intelligence optimizes the value of your biggest investment—people. We make you smarter about your team, while making your team smarter. Learn more at n2k.com.

 

This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music by Elliott Peltzman. Our executive producers are Jennifer Eiben and Brandon Karpf. Our executive editor is Peter Kilpe, and I’m Dave Bittner. Thanks for listening.