Midnight Blizzard uses stolen Microsoft information to gain access to source code
Microsoft released additional information related to the nation-state Midnight Blizzard cyberattack first detected on January 12th, 2024, warning that the group is now using information initially stolen from its corporate email systems to attempt to gain unauthorised access, including to some of Microsoft’s source code repositories and internal systems. The company noted a 10-fold increase in some aspects of the attack, including password sprays, in February 2024.
Magnet Goblin exploits 1-day vulnerabilities across multiple products
Check Point researchers analysed the threat actor, Magnet Goblin, that exploits newly disclosed vulnerabilities, sometimes as 1-days, in products such as Ivanti Connect Secure, Magento, Qlik Sense, and possibly Apache ActiveMQ, to breach public-facing servers and edge devices. The threat actor primarily targets entities in the United States, including those from the medical, manufacturing, and energy sectors.
Andariel threat group delivers MeshAgent for remote screen control
ASEC researchers observed the Andariel threat group delivering MeshAgent for remote screen control as part of a persistent attack campaign against South Korean businesses. MeshAgent can collect system information needed for remote management and perform activities involving power and account management, chat and message pop-ups, file uploads and downloads, and command execution. The attackers also employed keylogger malware alongside several backdoors, notably AndarLoader and ModeLoader.
Evasive Panda delivers MgBot and Nightdoor to Tibetan users in espionage campaign
ESET researchers identified a new cyberespionage campaign, active since September 2023, targeting Tibetans in several countries through watering hole and supply-chain compromise attacks. The campaign delivers MgBot and a newly identified backdoor, dubbed Nightdoor. For the watering hole attack, the attackers compromised the website of the organiser of the Kagyu Monlam Festival, placing a script on the website that checks the IP address of a potential victim. The malware was also observed being delivered via a trojanised installer for a Tibetan language translation software. The translation software’s website and Tibetpost were additionally compromised to host the payloads retrieved by the malicious downloaders, including MgBot and Nightdoor, and an unknown number of macOS payloads.
DarkGate operators exploit Windows SmartScreen vulnerability
In mid-January 2024, Trend Micro researchers observed a DarkGate malware phishing campaign exploiting a zero-day flaw in Microsoft Windows SmartScreen, tracked as CVE-2024-21412. The campaign involves the distribution of fake Microsoft Software Installer (MSI) files masquerading as legitimate software, including Apple iTunes, Notion productivity software, NVIDIA, and others. The threat actors leverage open redirects in Google DoubleClick Digital Marketing to bypass email security checks, with DarkGate ultimately delivered via DLL sideloading and the AutoIt loader.
Ransomware
Volume of blog posts by operators during the last week.
Sharp Increase in Akira Ransomware Attack Following LockBit Takedown – GBHackers On Security – Mar 13 2024
Government Pensions Administration Agency hacked – payments unaffected – Citizen.co.za – Mar 12 2024
Ransomware: Attacks Continue to Rise as Operators Adapt to Disruption – symantec-enterprise-blogs[.]security[.]com – Symantec Enterprise Blogs – Mar 12 2024
Ransomware Attacks on Critical Infrastructure Are Surging – BankInfoSecurity – Mar 07 2024
Switzerland: Play ransomware leaked 65,000 government documents – BleepingComputer.com – Mar 07 2024
Financial Services
Financial Services Top Target for DDoS Attacks – Cyber Risk Leaders – Mar 13 2024
BIPClip: Malicious PyPI packages target crypto wallet recovery passwords – ReversingLabs – Mar 12 2024
Medusa ransomware claims attack on US Federal Credit Union – Cyber Daily – Mar 08 2024
New Fakext malware targets Latin American banks – Security Intelligence – Mar 07 2024
FINTRAC Takes Systems Offline After Cyber-Incident – Bitdefender – Mar 07 2024
Geopolitics
Lithuania Warns of Chinese Intelligence Services Using Social Media to Target Victims – Bitdefender – Mar 12 2024
France & Estonia State Agencies Hit By ‘Intense’ Cyberattacks – ZeroHedge – Mar 12 2024
South Korean Citizen Detained in Russia on Cyber Espionage Charges – The Hacker News – Mar 12 2024
Russia’s spy service accuses US of trying to meddle in presidential election – Reuters – Mar 11 2024
National intelligence agency of Moldova warns of Russia attacks ahead of the presidential election – Security Affairs – Mar 07 2024
High Priority Vulnerabilities
| Name | Software | Base Score | Temp Score | Related |
|---|---|---|---|---|
| CVE-2023-6000 | Popup Builder P… | 6.1 | 6.1 | New campaign exploits WordPress Popup Builder XSS vulnerability |
| CVE-2023-42793 | TeamCity | 9.8 | – | BianLian exploits vulnerable TeamCity server to distribute GO backdoor variant |
| CVE-2024-2172 | miniOrange Plugin | 9.8 | – | Critical unpatched vulnerability identified in miniOrange WordPress plugins |
| CVE-2023-46805 | Policy Secure | 8.2 | 8.2 | Ivanti vulnerabilities exploited to breach CISA systems |
| CVE-2023-46604 | Apache ActiveMQ | 9.8 | 9.8 | Apache ActiveMQ exploited by various threat actors |