A bunch of people have alerted me to a vulnerability in #MoveIT, a secure file transfer app used heavily in the UK.
I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups.
Really serious, impacted orgs should shut down the server. Thread follows. #threatintel
Basically neither the master password change dialog nor the 2FA settings dialog require the current master password to function. So to exploit this, you'd need GUI access to a machine with an unlocked KeePassXC session. It's not nearly as scary as the KeePass vuln we saw a few weeks ago, but appears to be planned to be addressed in version 2.8.0.
EDIT: This is a BOGUS CVE that was created in bad faith. None of this should be considered a "vulnerability" so much as "how password managers work." Apologies to @keepassxc, who do fantastic work and whose project I use professionally and endorse.
Nissan Australia and New Zealand are dealing with a “cyber incident”, which likely translates as ‘paying the ransom with the help of the Australian government’. https://www.nissan.com.au/ #threatintel
I did a write up about Cyber Toufan - over 100 orgs breached and data dumped, including multiple cyber security vendors, about a third haven't been able to recover after being wiped. Includes TTPs, suggestions.
Customers of customers of customers of customers have been getting emails from the threat actor, who are sending what are the first (?) lobbying emails from a hack of a supply chain.
During a recent investigation, Sophos X-Ops discovered a trojanized Windows installer for CloudChat, an instant messaging application. Looking into this supply chain attack further, we found that the official distribution server for the application had been compromised, and delivered a Windows installer modified to load an additional, malicious DLL. This DLL contained an encrypted payload that connected back to a C2 server to download and execute the next stage malware. We contacted the vendor when we found this issue, but at the time of posting haven’t received a response.
Now that Twitter is rate limiting access, and more users who create Twitter's content are leaving, I wonder how this will impact all of those so-called "Threat Intel" companies? I know of at least one which was likely getting most of its data from Twitter searches. I'm guessing most of these companies will pay for the Blue Checkmark to retain access to Twitter's now Premium API, but what's the point if the users who create the data are leaving? The second option is moving their data-mining operations over to ActivityPub, except ActivityPub isn't curated by fancy algorithms, it's just a raw fire hose. #infosec #twitter #business #threatintel
Threat actors have remotely wiped the infrastructure of Infotel JSC, which provides communication interconnects amongst Russian banks. They’ve been down since yesterday. A group called Cyber Anarchy Squad are claiming credit. #threatintel
Lots of ransomware cases coming in for Cisco AnyConnect/ASA recently, and finally we know how - CVE-2020-3259
It was a vuln which allowed a CitrixBleed style memory dump, found by a Russian research org now under US sanctions. Ransomware operators have an exploit.
Cyber Anarchy Squad - who recently hit Infotel in Russia - are claiming they have hit #Dozortel (aka DoZor-Teleport), the satellite internet provider in Russia.
They are saying they've impacted firmware on client modems.
So far, I can confirm a network outage at Dozortel.