The NTLM bug that sees and steals.
Researchers uncover a critical Windows zero-day. An alleged Ukrainian cyberattack targets one of Russia’s largest banks. Russian group BlueAlpha exploits Cloudflare services. Microsoft flags Chinese hacking group Storm-0227 for targeting critical infrastructure and U.S. government agencies. SonicWall patches high-severity vulnerabilities in its secure access gateway. Atrium Health reports a data breach affecting over half a million individuals. Rockwell Automation discloses four critical vulnerabilities in its Arena software. U.S. authorities arrest an alleged member of the Scattered Spider gang. Our guest is Hugh Thompson, RSAC program committee chair, discussing the 2025 Innovation Sandbox Contest and its new investment component. C3PO gets caught in the crypto mines.
Today is Friday, December 6th, 2024. I’m Dave Bittner. And this is your CyberWire Intel Briefing.
Researchers uncover a critical Windows zero-day.
Researchers at Acros Security have identified a critical zero-day vulnerability affecting all Windows versions from 7 through 11 and Windows Server 2008 R2 onwards. The flaw, tied to the Windows NT LAN Manager (NTLM) authentication protocol, forces the victim’s machine to authenticate to an attacker-controlled server simply because the user viewed a malicious file in Windows Explorer, handing over the user’s NTLM credentials, which can then be cracked offline or relayed. Actions as mundane as opening a shared folder, a USB disk, or even viewing the Downloads folder can trigger exploitation.
Microsoft is developing a patch but has not yet released a fix or assigned a CVE. Meanwhile, Acros Security has issued a temporary “micropatch” through its 0patch platform to protect users, including those running unsupported Windows versions. Users are advised to apply this micropatch to mitigate risks until Microsoft provides a permanent solution. Organizations that cannot deploy it can reduce exposure with the standard mitigations for NTLM credential-leak bugs: block outbound SMB (TCP 445) to the internet at the perimeter and restrict outgoing NTLM traffic through Group Policy, testing first, since a deny-all setting breaks authentication to hosts that only speak NTLM. With full technical details withheld to limit exploitation, this remains a significant and evolving security threat.
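The two host-level mitigations that apply to this whole class of NTLM credential-leak bug, as an added example that is not from the original briefing nor from Acros Security or Microsoft: a PowerShell audit of the “Restrict NTLM: Outgoing NTLM traffic to remote servers” setting and of whether any enabled firewall rule blocks outbound TCP 445. It assumes an elevated session on a Windows host with the NetSecurity module; the firewall rule name is chosen for this example. It does not fix the specific bug, whose details are withheld, and the optional remediation is commented with the breakage it can cause.

```powershell
# Added example (not from the original page or from Acros/0patch): audit a Windows host for the
# two generic mitigations that limit NTLM credential leaks triggered by file previews and shares:
#   1. "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" (2 = Deny all)
#   2. An enabled outbound firewall rule blocking TCP 445 (SMB)
# Read-only unless -Remediate is given. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Remediate
)

$lsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$valueName = 'RestrictSendingNTLMTraffic'                 # 0 = allow all, 1 = audit, 2 = deny all
$ruleName  = 'Block outbound SMB (TCP 445) to Internet'   # hypothetical rule name for this example

function Get-OutgoingNtlmPolicy {
    # Returns the raw policy value; an absent value means the default, which allows NTLM.
    $item = Get-ItemProperty -Path $lsaKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }
    return [int]$item.$valueName
}

function Test-SmbEgressBlocked {
    # True if any enabled outbound Block rule covers remote TCP port 445.
    $rules = Get-NetFirewallRule -Direction Outbound -Action Block -Enabled True -ErrorAction SilentlyContinue
    foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        if ($pf.Protocol -eq 'TCP' -and ($pf.RemotePort -contains '445' -or $pf.RemotePort -eq 'Any')) {
            return $true
        }
    }
    return $false
}

$policy     = Get-OutgoingNtlmPolicy
$smbBlocked = Test-SmbEgressBlocked

[pscustomobject]@{
    RestrictSendingNTLMTraffic = $policy
    OutgoingNtlmDenied         = ($policy -eq 2)
    OutboundSmb445Blocked      = $smbBlocked
} | Format-List

if ($Remediate) {
    if ($policy -ne 2) {
        # Deny all outgoing NTLM. Start with 1 (audit) in production: value 2 breaks
        # authentication to any server that only supports NTLM.
        Set-ItemProperty -Path $lsaKey -Name $valueName -Value 2 -Type DWord
    }
    if (-not $smbBlocked) {
        # 'Internet' is a built-in address keyword, so intranet file servers stay reachable.
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Action Block `
            -Protocol TCP -RemotePort 445 -RemoteAddress 'Internet' | Out-Null
    }
}
```

Run it without parameters on a sample of workstations first; a host that reports `OutgoingNtlmDenied : False` and `OutboundSmb445Blocked : False` will leak credentials to an internet-hosted share the moment a user views a file crafted for this kind of bug.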
An alleged Ukrainian cyberattack targets one of Russia’s largest banks.
Gazprombank, one of Russia’s largest banks, faced reported service outages following an alleged Ukrainian cyberattack. Ukraine’s military intelligence agency (HUR) claimed responsibility for a DDoS attack, disrupting online and mobile banking services for Russian users. While Gazprombank’s website is operational, users continue to report app issues. The bank denied that the disruptions were linked to an attack. This follows recent U.S. sanctions targeting Gazprombank, a key channel for Russia’s oil and gas payments. Ukrainian cyberattacks on Russian financial institutions are frequent, but their actual impact remains unclear.
Russian group BlueAlpha exploits Cloudflare services.
The Russian FSB-backed hacking group BlueAlpha is exploiting Cloudflare’s tunneling service to enhance its phishing malware attacks, particularly targeting Ukraine. Researchers from Recorded Future’s Insikt Group revealed that BlueAlpha uses Cloudflare Tunnels to hide staging servers and establish encrypted connections between victims’ devices and malware command-and-control servers. This method, part of its GammaDrop infrastructure, complicates detection and blocking efforts, because the traffic terminates at Cloudflare rather than at an attacker-owned IP address. Defenders can still look for DNS queries and TLS connections to trycloudflare.com subdomains, which Cloudflare’s free Quick Tunnels use, and for the cloudflared client running on endpoints where nobody provisioned it. BlueAlpha, an offshoot of Kremlin-controlled Centre 18, exemplifies the growing trend among threat actors leveraging legitimate services like Cloudflare Tunnels for malicious campaigns.
China-based threat actors breach a major U.S. organization with operations in China.
China-based threat actors reportedly breached a major U.S. organization with operations in China, persisting in its networks from April to August 2024, likely for intelligence gathering. Symantec researchers found compromised Exchange Servers, suggesting email and data exfiltration. Although the attack’s entry point remains unclear, attackers used PowerShell to query Active Directory and employed Kerberoasting for credential access, requesting service tickets for accounts with service principal names and cracking the weakly encrypted tickets offline.
They escalated activity in June, using renamed FileZilla components for data transfer and deploying persistence tools such as malicious DLLs and registry manipulation. Attackers leveraged “living off the land” tactics with tools like PsExec, PowerShell, and WMI, a pattern typical of China-based espionage groups. The same organization was targeted by China’s ‘Daggerfly’ group in 2023, but attribution to specific actors remains inconclusive. Symantec highlighted the methodical assignment of distinct roles to compromised machines to maintain persistence and gather intelligence.
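The Kerberoasting step above leaves a recognizable trace in Windows Security event 4769 (a Kerberos service ticket was requested). As an added example that is not Symantec’s tooling and not part of the original briefing, here is PowerShell detection logic that flags the classic pattern: RC4-encrypted (0x17) service tickets for human-managed service accounts, several distinct SPNs from one client in a short window. The events below are constructed sample data shaped like 4769 EventData fields, with hypothetical account and host names; in production you would feed it objects built from `Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4769}`.

```powershell
# Added example (not from the original page or from Symantec): flag likely Kerberoasting
# in Security event 4769. Heuristics: RC4-HMAC ticket encryption (0x17) for a non-machine,
# non-krbtgt service account, and at least $MinDistinctSpns such tickets from one client
# and requester inside $WindowMinutes. Sample events are constructed for this example.

$events = @(
    [pscustomobject]@{ Time='2024-06-03T09:00:01'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_sql';      TicketEncryptionType='0x17'; IpAddress='10.1.5.20'; Status='0x0' },
    [pscustomobject]@{ Time='2024-06-03T09:00:02'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_backup';   TicketEncryptionType='0x17'; IpAddress='10.1.5.20'; Status='0x0' },
    [pscustomobject]@{ Time='2024-06-03T09:00:02'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_web';      TicketEncryptionType='0x17'; IpAddress='10.1.5.20'; Status='0x0' },
    [pscustomobject]@{ Time='2024-06-03T09:00:03'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_jenkins';  TicketEncryptionType='0x17'; IpAddress='10.1.5.20'; Status='0x0' },
    [pscustomobject]@{ Time='2024-06-03T09:00:03'; TargetUserName='jdoe@CORP.LOCAL';   ServiceName='svc_exchange'; TicketEncryptionType='0x17'; IpAddress='10.1.5.20'; Status='0x0' },
    [pscustomobject]@{ Time='2024-06-03T09:15:00'; TargetUserName='asmith@CORP.LOCAL'; ServiceName='FS01$';        TicketEncryptionType='0x12'; IpAddress='10.1.7.31'; Status='0x0' },
    [pscustomobject]@{ Time='2024-06-03T09:16:00'; TargetUserName='asmith@CORP.LOCAL'; ServiceName='krbtgt';       TicketEncryptionType='0x12'; IpAddress='10.1.7.31'; Status='0x0' }
)

function Find-KerberoastCandidates {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [int]$WindowMinutes   = 5,   # time window for the "many SPNs at once" heuristic
        [int]$MinDistinctSpns = 3    # distinct RC4 service tickets from one client to alert on
    )
    # Only successful requests with RC4 tickets for crackable accounts are interesting:
    # machine accounts (trailing $) have long random passwords, and krbtgt is requested constantly.
    $suspect = $Events | Where-Object {
        $_.Status -eq '0x0' -and
        $_.TicketEncryptionType -eq '0x17' -and
        $_.ServiceName -notlike '*$' -and
        $_.ServiceName -ne 'krbtgt'
    }
    $findings = foreach ($group in ($suspect | Group-Object IpAddress, TargetUserName)) {
        $sorted = @($group.Group | Sort-Object { [datetime]$_.Time })
        $first  = [datetime]$sorted[0].Time
        $last   = [datetime]$sorted[-1].Time
        $spns   = @($sorted.ServiceName | Sort-Object -Unique)
        if ($spns.Count -ge $MinDistinctSpns -and ($last - $first).TotalMinutes -le $WindowMinutes) {
            [pscustomobject]@{
                ClientIp     = $sorted[0].IpAddress
                Requester    = $sorted[0].TargetUserName
                DistinctSpns = $spns.Count
                Spns         = ($spns -join ', ')
                FirstSeen    = $first
                LastSeen     = $last
            }
        }
    }
    return $findings
}

# On the sample data this reports one finding: jdoe from 10.1.5.20, five SPNs in two seconds.
Find-KerberoastCandidates -Events $events | Format-Table -AutoSize
```

The RC4 check is the strongest single signal because tooling such as Rubeus and Impacket requests RC4 tickets by default to get the cheapest hash to crack; an environment that has disabled RC4 for service accounts and enforced AES should treat any 0x17 ticket as worth a look on its own.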
Microsoft flags Chinese hacking group Storm-0227 for targeting critical infrastructure and U.S. government agencies.
Microsoft has flagged Chinese government-linked hacking group Storm-0227 for targeting critical infrastructure organizations and U.S. government agencies. Active since at least January 2024, the group shares similarities with Silk Typhoon (Hafnium) and TAG-100. Over the past year, Storm-0227 has focused on sectors including defense, aviation, telecommunications, legal services, and government agencies.
The group typically gains access through vulnerabilities in public-facing applications or spear phishing emails delivering SparkRAT, an open-source remote administration tool. Notably, they use off-the-shelf malware rather than custom tools, blending into normal network activity to evade detection.
Once inside, Storm-0227 steals credentials to access cloud applications like Microsoft 365, exfiltrating emails and sensitive files to gather contextual intelligence. Their operations align with China’s broader espionage goals, targeting U.S. interests and critical sectors. Microsoft warns the group’s persistence and focus on espionage make them a long-term threat.
SonicWall patches high-severity vulnerabilities in its secure access gateway.
SonicWall has patched several high-severity vulnerabilities in its SMA100 SSL-VPN secure access gateway, including remote code execution (RCE) flaws. The most serious, CVE-2024-45318 and CVE-2024-53703, are stack-based buffer overflows in the web management interface and in a library loaded by the appliance’s Apache web server, each with a CVSS score of 8.1. Other issues include CVE-2024-40763 (heap-based overflow), CVE-2024-38475 (an Apache HTTP Server flaw allowing path traversal), and CVE-2024-45319 (authentication bypass). Administrators are urged to update to firmware version 10.2.1.14-75sv promptly to prevent potential exploitation.
Researchers find a zero-day vulnerability in the Mitel MiCollab suite.
A zero-day vulnerability in the Mitel MiCollab suite allows attackers to read sensitive files, according to watchTowr researcher Sonny Macdonald. The flaw, exploitable only by authenticated users, was chained in a proof-of-concept (PoC) with CVE-2024-41713, an authentication bypass patched in October. The zero-day, still awaiting a patch, could expose critical files like /etc/passwd. Mitel plans to release a fix soon.
Atrium Health reports a data breach affecting over half a million individuals.
Atrium Health has reported a data breach affecting over 585,000 individuals to the US Department of Health and Human Services. The breach appears linked to tracking technologies used on its patient portals between 2015 and 2019, which may have transmitted user data to third-party vendors like Google and Meta. Exposed information could include names, emails, phone numbers, and treatment details, though no financial or Social Security data was compromised. Atrium emphasized no misuse has been detected. This follows another incident in April involving compromised employee email accounts containing sensitive data.
Rockwell Automation discloses four critical vulnerabilities in its Arena software.
Rockwell Automation has disclosed four vulnerabilities in its Arena simulation software (versions 16.20.03 and earlier), potentially enabling attackers to execute remote code. The vulnerabilities include a “use after free” flaw (CVE-2024-11155), an “out of bounds write” (CVE-2024-11156), an “uninitialized variable” (CVE-2024-11158), and an “out of bounds read” (CVE-2024-12130), each scored 8.5 (high severity). Exploiting these flaws requires a legitimate user to open a malicious DOE file, potentially leading to arbitrary code execution or operational disruption. Users should upgrade to version 16.20.06 immediately.
U.S. authorities arrest an alleged member of the Scattered Spider gang.
U.S. authorities have arrested 19-year-old Remington Goy Ogletree, an alleged member of the Scattered Spider cybercrime gang, for breaching a U.S. financial institution and two telecommunications firms. Ogletree allegedly used text and voice phishing (vishing) to steal employee credentials, impersonating IT support to pressure victims into visiting phishing sites. One phishing campaign targeted 149 employees of the financial institution, luring them with fake HR updates and benefits modifications.
Between October 2023 and May 2024, Ogletree allegedly exploited telecom systems to send over 8.6 million phishing texts, many aimed at stealing cryptocurrency. Evidence seized from Ogletree’s iPhone included phishing messages, credential-harvesting sites, and screenshots of cryptocurrency wallets.
The Scattered Spider gang, known for targeting companies with weaker security, has also been linked to high-profile attacks on MGM Resorts, Caesars, and Reddit. This fluid, English-speaking group uses phishing, social engineering, and SIM-swapping to infiltrate corporate systems, complicating law enforcement’s efforts to track them.
Our guest is Hugh Thompson. Hugh is the RSAC program committee chair and he will be sharing some exciting developments in the 2025 Innovation Sandbox Contest and its new investment component. And, out of Nebraska, C3PO pleads guilty to a cryptojacking scheme. And, you thought you’d find him over on Tatooine.
We’ll be right back.
Welcome back. You can check out our show notes for more information on the Innovation Sandbox Contest.
C3PO Gets Caught in the Crypto Mines.
Imagine this: a guy named Charles O. Parks III, or as he styled himself, “CP3O” (yes, like the droid), decided to take a creative approach to cloud computing. Instead of paying for it, he racked up $3.5 million in unpaid bills with two tech giants based in Washington, believed to be Amazon and Microsoft. What did he do with all that computing power? Parks mined cryptocurrency—Ether, Litecoin, Monero—you name it, netting about $970,000.
From January to August 2021, Parks set up aliases like “MultiMillionaire LLC” (a little on the nose, no?) to open multiple cloud accounts. He convinced providers to give him premium services with deferred billing and even managed to launch tens of thousands of mining instances. That’s a lot of fake money-making, literally and figuratively.
He didn’t stop at mining. Parks laundered his crypto through exchanges, an NFT marketplace, and bank accounts, then spent his ill-gotten gains on first-class travel, a luxury Mercedes-Benz, and flashy jewelry. Basically, he was living like a high-roller… until the bill came due.
The Justice Department wasn’t impressed. They’ve charged Parks, who pleaded guilty to fraud. He faces up to 20 years in prison. Prosecutors say this case highlights their commitment to cracking down on cybercriminals using complex schemes.
So, it would seem this self-styled CP3O miscalculated the odds of dodging Microsoft’s and Amazon’s billing departments.
And that’s the CyberWire.
For links to all of today’s stories, check out our Daily Briefing at the cyberwire dot com.
We’d love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like the show, please share a rating and review in your podcast app. Please also fill out the survey in the show notes or send an email to cyberwire@n2k.com
We’re privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world’s preeminent intelligence and law enforcement agencies.
N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams, while making your teams smarter. Learn how at n2k.com.
This episode was produced by Liz Stokes. Our mixer is Tré Hester, with original music and sound design by Elliott Peltzman. Our executive producer is Jennifer Eiben. Our executive editor is Brandon Karpf. Simone Petrella is our president. Peter Kilpe is our publisher, and I’m Dave Bittner. Thanks for listening.