Update on the Microsoft 365 hack - Russia has used the exfiltrated data to push further into Microsoft’s network.
“In recent weeks, we have seen evidence that Midnight Blizzard is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access. This has included access to some of the company’s source code repositories and internal systems.”
A bunch of people have alerted me to a vulnerability in #MoveIT, a secure file transfer app used heavily in the UK.
I did some digging and it looks like it’s a zero day under active exploitation. Not 100% on threat actor yet but it may be one of the ransomware/extortion groups.
Really serious, impacted orgs should shut down the server. Thread follows. #threatintel
Lots of ransomware cases coming in for Cisco AnyConnect/ASA recently and finally we know how - CVE-2020-3259
It was a vuln which allowed a CitrixBleed style memory dump, found by a Russian research org now under US sanctions. Ransomware operators have an exploit.
I am looking for a technical writer with a strong Intel/networking background and the ability to take the deep technical content my group creates and convert it into multiple more accessible pieces. For example, the VexTrio paper we released this week. Our work is designed for experts in the security industry. The person I'm looking for can use it to create writings for consumers and customers. If that's you, text me here or on LinkedIn. #threatintel #infosec #cybersecurity
More hilarity on #ConnectAround - there’s now two NEW vulnerabilities in Ivanti Pulse Secure, being actively exploited as zero days too - no patches for many versions.
Gonna write this up better later. But thanks to @tbaraki, we found a fluke in Microsoft's SigninLogs table. Sometime in the last few days they made UserPrincipalName case sensitive.
So our alerts looking for breakglassadmin@CompanyName.onmicrosoft.com started failing because we were using (==) instead of (has).
Would highly recommend you check your alerting and see which operands you're using in your queries.
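As an added illustration of the operator point above (this is a constructed example, not the poster's own alert query), here is the brittle form of a break-glass sign-in detection against Microsoft Sentinel's SigninLogs table next to a case-insensitive rewrite. The account name and tenant ("companyname") are placeholders.

```kql
// Constructed example, not the original poster's query.
// Brittle form: == is a case-sensitive string comparison in KQL, so if the
// logged UPN arrives as BreakGlassAdmin@CompanyName.onmicrosoft.com the
// alert silently stops matching.
SigninLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName == "breakglassadmin@companyname.onmicrosoft.com"   // placeholder UPN

// Robust form: =~ is case-insensitive equality (has is a case-insensitive
// whole-term match and also works here). The alert keeps firing regardless
// of how the UPN is cased in the record.
SigninLogs
| where TimeGenerated > ago(1h)
| where UserPrincipalName =~ "breakglassadmin@companyname.onmicrosoft.com"   // placeholder UPN
| project TimeGenerated, UserPrincipalName, IPAddress, ResultType, AppDisplayName
```

The same applies to `in` versus `in~` and to `contains` versus `contains_cs`; when auditing existing rules, look for any `==`, `!=` or `in` applied to identity fields such as UserPrincipalName, and either switch to the tilde variants or normalise with `tolower()` on both sides.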
During a recent investigation, Sophos X-Ops discovered a trojanized Windows installer for CloudChat, an instant messaging application. Looking into this supply chain attack further, we found that the official distribution server for the application had been compromised, and delivered a Windows installer modified to load an additional, malicious DLL. This DLL contained an encrypted payload that connected back to a C2 server to download and execute the next stage malware. We contacted the vendor when we found this issue, but at the time of posting haven’t received a response.
Threat actors have remotely wiped the infrastructure of Infotel JSC, which provides communication interconnects amongst Russian banks. They’ve been down since yesterday. A group called Cyber Anarchy Squad are claiming credit. #threatintel
Rapid7 found notable similarities between BlackHunt ransomware and LockBit, which suggested that it uses leaked code of Lockbit. In addition, it uses some techniques similar to REvil ransomware. Rapid7 provided a technical analysis of a BlackHunt sample, describing functionalities and MITRE ATT&CK techniques. IOC provided.
🔗 https://www.rapid7.com/blog/post/2024/02/05/exploring-the-not-so-secret-code-of-blackhunt-ransomware-2/
🍽️ & #threatintel | The Cisco, F5, Ivanti, Juniper, JetBrains, and OwnCloud exploitation attempts have jumped so much in the last two days that they squashed the normal scale of the charts.
If you use GoAnywhere MFT, a widely abused FTP program by Cl0p recently, you might want to upgrade as they seem to have forgot to mention something important from over a month ago.
GoAnywhere MFT vulnerability is incredibly easy to exploit. Another path traversal, 1998 style. Expect extortion.
Pretty credible the vendor didn’t tell people about the flaw clearly in December, i.e. allocate a CVE. Critical infrastructure runs this software. HT @simontsui
The CEO of UnitedHealth is due to give testimony in Washington on their Change Healthcare ransomware incident tomorrow, where he will say “Our company alone repels an attempted intrusion every 70 seconds – thwarting more than 450,000 intrusions per year”
That sounds impressive, but if you own a Windows PC at home, you’re doing the same thing - it’s called the built-in firewall.
Not having MFA on Citrix Netscaler is also called negligence.