Microsoft faces criticism for China-linked email hack
The company has since made its logging features available for free
Microsoft said a validation error in its source code allowed Azure Active Directory (Azure AD) tokens to be forged by a China-linked malicious actor known as Storm-0558 using a Microsoft account (MSA) consumer signing key to breach about two dozen organizations. The key was only ever meant to sign tokens for consumer MSA accounts, but the flawed validation meant tokens signed with it were also accepted for enterprise Azure AD accounts. New findings suggest that the activity could be far-reaching and impactful, potentially placing a much broader swathe of Microsoft cloud services at risk than previously thought. China has denied it’s behind the breach.
Full details about the attack, including how it began, aren’t publicly known, but the company has since pledged to make advanced logging available for free to all customers after facing criticism for locking the feature behind licensing tiers, which had left many customers with no visibility into the impact of the attacks on their businesses. The company is also attracting renewed scrutiny for what critics have called negligent cybersecurity practices that led to the theft of unclassified government emails.
What’s trending in security?
↘️ The JumpCloud hack has been attributed to a North Korean nation-state threat actor called Jade Sleet (aka TraderTraitor or UNC4899), continuing the adversary’s pattern of orchestrating supply chain attacks to gain access to a broader set of downstream customers. The attack is said to have been primarily focused on obtaining credentials from priority targets and reconnaissance data for future intrusions. Early indications suggest that the activity was financially motivated, mainly focusing on cryptocurrency and blockchain companies, although there is no evidence of data or cryptocurrency theft to date.
Jade Sleet has also been linked to a new low-volume social engineering campaign that targets employees working in the Web3, online gambling, and cybersecurity sectors. The attacks trick victims into installing malware either by directly sharing, over messaging apps, bogus software that pulls in malicious npm dependencies, or by inviting them to collaborate on a GitHub repository and clone and execute its contents. “The threat actor often publishes their malicious packages only when they extend a fraudulent repository invitation, minimizing the exposure of the new malicious package to scrutiny,” GitHub said. [The Hacker News]
↘️ Millions of enterprise software repositories on GitHub are vulnerable to repojacking, a relatively simple kind of software supply chain attack in which a threat actor takes over the namespace that a project’s dependents still point at and redirects them to a malicious repository instead. The issue has to do with how GitHub handles renames: when a user or organization changes a project’s name or transfers it to another entity, GitHub redirects the old URL to the new one so that existing code dependencies keep working, but if the old username or organization name is later re-registered by someone else, that person controls what the old URL resolves to. Compounding the problem are easily available tools that allow attackers to find these repos and hijack them to serve malware. One way to mitigate repojacking is for maintainers to keep their old usernames registered on GitHub as placeholders when they switch to new ones. [The Hacker News]
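The dependency-side check a maintainer or consumer would want here is: for every GitHub coordinate in a manifest, does the path now redirect, and is the original owner name free to register? The script below is an added example written for this digest, not code from GitHub or from the researchers cited; it parses `go.mod`-style and git URL references, and resolves them through a lookup function so it runs offline against a constructed stand-in directory (`FAKE_GITHUB`). The optional `github_api_lookup` uses the public `/repos/{owner}/{repo}` and `/users/{username}` REST endpoints and needs network access.

```python
import json
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Optional

# Matches github.com/<owner>/<repo> in go.mod lines, git+https URLs, requirements.txt, etc.
GITHUB_REF = re.compile(
    r"github\.com[/:]([A-Za-z0-9_.-]+)/([A-Za-z0-9_.-]+?)(?:\.git)?(?=[/@#\s\"']|$)"
)


def parse_github_refs(manifest: str) -> list:
    """Return unique (owner, repo) pairs referenced by a dependency manifest."""
    refs = []
    for m in GITHUB_REF.finditer(manifest):
        pair = (m.group(1), m.group(2))
        if pair not in refs:
            refs.append(pair)
    return refs


@dataclass
class RepoStatus:
    redirected_to: Optional[str]  # "newowner/newrepo" if GitHub now redirects the old path
    owner_registered: bool        # whether the ORIGINAL owner/org name is still taken


Lookup = Callable[[str, str], RepoStatus]


def find_repojackable(manifest: str, lookup: Lookup) -> list:
    """Flag dependencies whose old path redirects while the old namespace is unregistered."""
    hits = []
    for owner, repo in parse_github_refs(manifest):
        status = lookup(owner, repo)
        if status.redirected_to and not status.owner_registered:
            hits.append(f"{owner}/{repo} -> {status.redirected_to}")
    return hits


def github_api_lookup(owner: str, repo: str) -> RepoStatus:
    """Live lookup via the public GitHub REST API (network required, unauthenticated rate limits apply)."""
    def get(url):
        req = urllib.request.Request(
            url, headers={"Accept": "application/vnd.github+json", "User-Agent": "repojack-check"})
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                return resp.status, json.load(resp)
        except urllib.error.HTTPError as err:
            return err.code, None

    code, data = get(f"https://api.github.com/repos/{owner}/{repo}")
    redirected = None
    if code == 200 and data["full_name"].lower() != f"{owner}/{repo}".lower():
        redirected = data["full_name"]  # urllib followed GitHub's 301 to the renamed repo
    owner_code, _ = get(f"https://api.github.com/users/{owner}")
    return RepoStatus(redirected_to=redirected, owner_registered=(owner_code == 200))


# Constructed stand-in for GitHub so the example runs offline; these names are fictional.
FAKE_GITHUB = {
    ("acme-old", "widget"): RepoStatus("acme/widget", owner_registered=False),        # org renamed, old name free
    ("initech", "parser"): RepoStatus("initech-labs/parser", owner_registered=True),  # renamed, placeholder kept
    ("stable", "lib"): RepoStatus(None, owner_registered=True),                       # never renamed
}


def fake_lookup(owner: str, repo: str) -> RepoStatus:
    return FAKE_GITHUB.get((owner, repo), RepoStatus(None, owner_registered=True))


# Constructed go.mod excerpt used as sample input.
SAMPLE_GO_MOD = """module example.com/app
require (
\tgithub.com/acme-old/widget v1.2.0
\tgithub.com/initech/parser v0.4.1
\tgithub.com/stable/lib v2.0.0
)
"""

if __name__ == "__main__":
    for hit in find_repojackable(SAMPLE_GO_MOD, fake_lookup):
        print("REPOJACKABLE:", hit)
```

Only `acme-old/widget` is reported: it redirects and its old organization name is unregistered, which is exactly the gap the placeholder-account mitigation closes. `initech/parser` also redirects but is safe because the old name is still held.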
↘️ Researchers have devised a novel attack that recovers the secret encryption keys stored in smart cards and smartphones by using the cameras in iPhones or commercial surveillance systems to record the power LEDs of the card reader or smartphone, whose brightness fluctuates with the device’s power consumption during cryptographic operations. [Ars Technica / The Hacker News]
↘️ New findings about the Chinese espionage actor known as Volt Typhoon paint a picture of a flexible group that’s capable of customizing its tactics based on data gathered through extensive reconnaissance, employing techniques that give it pervasive access to the victim’s environment for an extended period, and cleaning up its tracks to avoid detection. [The Hacker News]
↘️ Geopolitical upheavals across the world, specifically Russia’s conflict with Ukraine, China’s preparations for potential forceful unification with Taiwan, and the deterioration of U.S.-China relations, are likely to fuel physical attacks and intelligence collection efforts against submarine cables. [Recorded Future]
↘️ Investigations triggered by the cracking of EncroChat nearly three years ago have so far led to more than 6,500 arrests worldwide and the seizure of $980 million in illicit assets and hundreds of tons of drugs, underscoring the staggering scale of the criminal acts that have been carried out using the platform. Law enforcement authorities gained access to more than 115 million encrypted communications between some 60,000 criminals after infiltrating the servers hosting the service. The EncroChat devices, which ran a hardened version of Android, were marketed as offering complete anonymity and were said to be untraceable and easy to erase remotely if a user was arrested. Europol said the takedown “sent shockwaves across organized crime groups in Europe and beyond.” [AP / The Hacker News]
↘️ A novel process injection technique called Mockingjay abuses legitimate dynamic link libraries (DLLs) that ship with a section already marked read, write, and execute (RWX) to push code into the address space of a running process. Because the attacker writes into memory that is already writable and executable, the technique can avoid the memory-allocation and permission-changing API calls (such as VirtualAlloc, VirtualProtect, and WriteProcessMemory) that antivirus and EDR products typically hook to spot injection. [The Hacker News]
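Defenders can get ahead of this by inventorying which DLLs on their hosts carry a default RWX section, since those are the candidates the technique needs. The scanner below is an added example written for this digest (not the researchers’ code); it parses the PE section table directly from the file bytes, and includes a constructed headers-only PE builder so the check runs offline without a real DLL.

```python
import struct
import sys

# Section characteristic flags from winnt.h (IMAGE_SECTION_HEADER.Characteristics).
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
RWX = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE

# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def iter_sections(data: bytes):
    """Yield (name, virtual_address, virtual_size, characteristics) for each section header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                     # IMAGE_FILE_HEADER starts here
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)  # SizeOfOptionalHeader
    table = coff + 20 + opt_size                            # section table follows the optional header
    for i in range(num_sections):
        name, vsize, vaddr, _, _, _, _, _, _, chars = SECTION_HEADER.unpack_from(
            data, table + i * SECTION_HEADER.size)
        yield name.rstrip(b"\0").decode("ascii", "replace"), vaddr, vsize, chars


def find_rwx_sections(data: bytes) -> list:
    """Return [(name, rva, size)] for sections whose default protection is read+write+execute."""
    return [(n, va, vs) for n, va, vs, ch in iter_sections(data) if ch & RWX == RWX]


def build_test_pe(sections) -> bytes:
    """Constructed, headers-only PE image for offline testing (not a real DLL).
    sections: iterable of (name, characteristics)."""
    e_lfanew = 0x40
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", e_lfanew)
    # Machine=x64, NumberOfSections, TimeDateStamp, PtrToSymtab, NumSymbols, SizeOfOptionalHeader=0, DLL flag
    coff = struct.pack("<HHIIIHH", 0x8664, len(sections), 0, 0, 0, 0, 0x2000)
    table = b"".join(
        SECTION_HEADER.pack(name.encode(), 0x1000, 0x1000 * (i + 1), 0x1000, 0, 0, 0, 0, 0, chars)
        for i, (name, chars) in enumerate(sections))
    return dos + b"PE\0\0" + coff + table


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:   # demo on the constructed image when no DLL paths are given
        demo = build_test_pe([(".text", 0x60000020), (".data", 0xC0000040), (".rwx", 0xE0000020)])
        print("constructed sample:", find_rwx_sections(demo))
    for path in paths:
        try:
            with open(path, "rb") as fh:
                hits = find_rwx_sections(fh.read())
        except (OSError, ValueError, struct.error) as err:
            print(f"{path}: skipped ({err})")
            continue
        for name, vaddr, vsize in hits:
            print(f"{path}: section {name} RVA 0x{vaddr:x} size 0x{vsize:x} is RWX")
```

Run it over `C:\Windows\System32\*.dll` and any vendor runtimes on the host; a hit is not itself malicious, but it is a DLL an injector could load to obtain writable-executable memory without calling VirtualProtect, so it is worth a detection rule of its own.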
↘️ Researchers from the Massachusetts Institute of Technology (MIT) have published a new framework called Metior, designed to evaluate the effectiveness of different cybersecurity obfuscation schemes to mitigate the amount of data that can be leaked via side-channel attacks. [MIT]
↘️ The United States’ National Counterintelligence and Security Center (NCSC) has warned that China’s updated Counter-Espionage law – which came into effect on July 1 – is dangerously ambiguous and could pose a risk to global business. The law, NCSC said, “expands the definition of espionage from covering state secrets and intelligence to any documents, data, materials, or items related to national security interests, without defining terms,” adding “any documents, data, materials, or items could be considered relevant to PRC.” [The Register]
↘️ Cybersecurity researchers have released a new tool called “Snappy” that can help detect fake or rogue WiFi access points that attempt to steal data from unsuspecting users. [Trustwave]
↘️ Threat actors are exploiting vulnerable SSH servers to launch Docker services that sell off a victim’s network bandwidth for money. The proxyjacking campaign is part of a larger trend of monetizing victim resources, similar to endeavors like cryptojacking, that is geared towards generating illicit profits. [The Hacker News]
↘️ A new China-linked cyber espionage campaign targeting European entities has been found to make use of HTML smuggling techniques to deploy the PlugX remote access trojan. The campaign, dubbed SmugX, is said to be part of a wider move by threat actors tied to China to shift their focus to European targets. HTML smuggling isn’t new, but adversaries have leaned on it more since Microsoft shut down other popular ways to sneak malware onto systems, such as by blocking macros by default in Word documents. [The Hacker News]
↘️ The Iranian threat actor known as Charming Kitten (aka Mint Sandstorm) has been linked to a new spear-phishing campaign that culminates in the deployment of a PowerShell backdoor called GorjolEcho that can execute additional commands sent by the threat actor. On systems running Apple macOS, the infection chain leverages a bogus VPN application that’s used to download a bash script dubbed NokNok that establishes a backdoor on the system. NokNok shares functional overlaps with its Windows counterpart CharmPower. The new attack differs from previously observed Charming Kitten campaigns that typically relied on VBA macros and remote template injection for malware delivery. [The Hacker News]
↘️ The French government has passed a bill that lets police surveil suspects by remotely activating cameras, microphones, and GPS location systems on phones and other devices to investigate serious crimes. The remote access is said to be facilitated by the exploitation of security vulnerabilities (aka zero-days). [Engadget]
↘️ Google has stepped in to remove two malicious file management apps from the Play Store after it emerged that they collected excessive user data well beyond what’s necessary to offer the promised functionality. Collectively installed on over 1.5 million devices, the apps harvested contact lists, multimedia, and other metadata without users’ consent, which were then exfiltrated to servers located in China. To maximize their success, the applications falsely boosted their credibility by inflating the number of installations. [Pradeo]
↘️ Threat actors associated with botnets such as Mozi, Kinsing, and Mirai are becoming quicker at exploiting new security vulnerabilities, in some cases taking only days after the release of the proof-of-concept (PoC) code. Even in the absence of a PoC, it’s expected that the attackers will be able to reverse engineer any patch and develop their own exploit. The development highlights the swift speed at which newly discovered flaws are plugged into existing botnet infrastructure. [Trustwave]
↘️ Cybersecurity agencies have warned of increased TrueBot infections targeting U.S. and Canadian networks by leveraging a critical flaw in the Netwrix Auditor application as well as other delivery vectors such as Raspberry Robin. The advisory comes weeks after VMware Carbon Black warned of a spike in TrueBot attacks in May 2023. [The Hacker News]
↘️ Over two-thirds of 600 internet-exposed Contec SolarView devices, industrial control system (ICS) hardware widely used for monitoring solar power generation and storage, remain unpatched against a critical, actively exploited command injection vulnerability (CVE-2022-29303, CVSS score: 9.8) that makes it easy for remote attackers to disrupt operations or gain a foothold inside the facilities. The discovery comes as Cyble found that tens of thousands of photovoltaic (PV) monitoring and diagnostic systems are reachable over the public web, making them potential targets for hackers. [VulnCheck / Cyble / SC Magazine]
↘️ The threat actor FIN8 has resurged after a lull, using a revised version of its Sardonic backdoor to deliver the BlackCat ransomware, marking the latest evolution of the group. FIN8 has been around since at least 2016, when it burst onto the scene by compromising point-of-sale (PoS) systems at more than 100 organizations. In years since, the group has dipped in and out of the spotlight, refining its toolset each time with more capabilities to evade detection. [The Hacker News]
↘️ Threat actors are impersonating trusted brands such as the United States Postal Service (USPS) in a malvertising campaign that diverts victims who search for “USPS Tracking” on sites like Google to a phishing site that steals payment-card and banking credentials. [Malwarebytes]
↘️ Google said it’s tightening its Brand Indicators for Message Identification (BIMI) verification process by requiring senders to authenticate with the DomainKeys Identified Mail (DKIM) standard, rather than relying on SPF alone, after it emerged that the controls could be bypassed by scammers to masquerade as legitimate brands. It blamed the issue on an unnamed third party. [BIMI / CyberScoop]
↘️ An emerging and advanced form of voice phishing (vishing) known as Letscall is currently targeting individuals in South Korea by means of a multi-step attack that deceives victims into downloading malicious apps from a counterfeit Google Play Store website. The goal is to steal data from the infected devices, direct victims to bogus landing pages to steal bank account credentials, and reroute calls they make to the bank to a call center under the control of the criminals. [The Hacker News]
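The point of the change is that a DMARC “pass” can be earned by SPF alone, and a forwarded or relay-injected message can carry an SPF pass for an envelope domain the brand never controlled; a DKIM signature whose `d=` aligns with the From domain is the stronger evidence. The function below is an added example for this digest, not Google’s or the BIMI group’s code: it parses an `Authentication-Results` header and decides whether a logo should be shown under the stricter rule. The sample headers are constructed, and the organizational-domain helper is a simplification (last two labels) where production code should consult the Public Suffix List.

```python
import re


def parse_authres(header: str) -> list:
    """Split an Authentication-Results value into {method, result, <ptype.property>: value} dicts."""
    cleaned = re.sub(r"\([^)]*\)", " ", header)             # drop comments such as (p=QUARANTINE)
    stanzas = [s.strip() for s in cleaned.split(";")][1:]   # stanza 0 is the authserv-id
    results = []
    for stanza in stanzas:
        if not stanza:
            continue
        tokens = stanza.split()
        method, _, result = tokens[0].partition("=")
        entry = {"method": method.lower(), "result": result.lower()}
        for token in tokens[1:]:
            key, _, value = token.partition("=")
            entry[key.lower()] = value.strip('"').lower()
        results.append(entry)
    return results


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption; use the PSL in production)."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def aligned(sig_domain: str, from_domain: str, strict: bool) -> bool:
    if strict:
        return sig_domain.lower() == from_domain.lower()
    return org_domain(sig_domain) == org_domain(from_domain)


def bimi_eligible(authres: str, from_domain: str, strict: bool = False):
    """Return (show_logo, reason). Requires DMARC pass AND a DKIM pass aligned with the From domain."""
    results = parse_authres(authres)
    if not any(r["method"] == "dmarc" and r["result"] == "pass" for r in results):
        return False, "DMARC did not pass"
    dkim_ok = [r for r in results
               if r["method"] == "dkim" and r["result"] == "pass"
               and aligned(r.get("header.d", ""), from_domain, strict)]
    if not dkim_ok:
        return False, "DMARC passed without an aligned DKIM signature (SPF-only pass): do not show logo"
    return True, f"aligned DKIM signature from d={dkim_ok[0]['header.d']}"


# Constructed sample headers (the domains are fictional).
SPF_ONLY_PASS = ("mx.receiver.example; spf=pass smtp.mailfrom=brand.example; "
                 "dkim=pass header.d=relay-provider.example header.s=k1; "
                 "dmarc=pass (p=QUARANTINE) header.from=brand.example")
DKIM_ALIGNED_PASS = ("mx.receiver.example; spf=fail smtp.mailfrom=bulk.sender.example; "
                     "dkim=pass header.d=mail.brand.example header.s=s2; "
                     "dmarc=pass header.from=brand.example")
NO_DMARC_PASS = ("mx.receiver.example; dkim=pass header.d=brand.example; "
                 "dmarc=fail header.from=brand.example")

if __name__ == "__main__":
    for label, hdr in [("SPF-only", SPF_ONLY_PASS), ("DKIM-aligned", DKIM_ALIGNED_PASS), ("no DMARC", NO_DMARC_PASS)]:
        print(label, "->", bimi_eligible(hdr, "brand.example"))
```

The first header passes DMARC on SPF, and its only DKIM signature belongs to a relay provider, so no logo; the second fails SPF but carries a DKIM signature aligned with the brand, so the logo is shown. Pass `strict=True` to require an exact `d=` match rather than organizational-domain alignment.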
↘️ Malicious actors are targeting hot and cold cryptocurrency wallets as part of email campaigns designed to get full access to the wallet and the ability to siphon all of the funds to their own addresses. [Kaspersky]
↘️ While information stealers have long targeted Windows, there are signs that threat actors are expanding their targeting scope to include macOS. After Atomic Stealer emerged in May 2023, a new macOS-focused stealer called ShadowVault is being advertised on underground forums for $500 a month. [Guardz]
↘️ A U.S. court sentenced Roger Thomas Clark, a 61-year-old Canadian man who acted as a mentor to Silk Road founder Ross Ulbricht, to 20 years, after his extradition from Thailand in June 2018. Silk Road was an underground online marketplace for illegal drugs, computer hacking services, and a host of other criminal activity. It was shut down by law enforcement in 2013. [WIRED / DoJ]
↘️ Threat actors are using open-source tools that are popular within the video game cheat development community to let their Windows-based malware sign malicious drivers, bypass security restrictions, and gain elevated access. In a related development, gaming users in China have been targeted by a novel rootkit driver signed by Microsoft to deploy additional payloads. By loading a malicious kernel-mode driver, attackers can breach the integrity and security of the operating system, as access to the kernel provides complete access to a system, while also maintaining persistence and evading security solutions. [The Hacker News / Ars Technica]
↘️ After a slump in 2022, ransomware attacks are on the rise again in 2023. Data from cryptocurrency tracing firm Chainalysis shows that victims have paid ransomware groups $449.1 million in the first six months of this year. While expanded security protections, better preparedness, and the wider availability of decryption tools contributed to last year’s slump, the rebound is attributed to the aggressiveness and recklessness with which ransomware groups have operated in recent months, including publishing sensitive stolen information from victims who refuse to pay up. [WIRED / The Hacker News / The Record]
↘️ The discovery of critical flaws in Mastodon has sparked questions about the platform’s security. At the heart of the matter is Mastodon’s decentralized structure, which allows users and organizations to set up their own instances. But servers with lax security practices and outdated software versions could open the federated social network to attacks and compromise the privacy and security of its users. It’s therefore imperative that those in charge of managing instances get the patches deployed quickly. It’s not just Mastodon: several instances of the Reddit alternative Lemmy were breached by unknown attackers who had apparently exploited a zero-day cross-site scripting (XSS) vulnerability. [Dark Reading]
↘️ A new open-source tool called TeamsPhisher leverages an unresolved security issue in Microsoft Teams to bypass restrictions on incoming files from users outside of a targeted organization. This is possible because the application can be tricked into treating an external Teams user as an internal recipient simply by changing the recipient ID in the POST request of a message. [Bleeping Computer / Dark Reading]
↘️ With malicious apps finding their way to the Play Store again and again, Google is enforcing a new policy change starting August 31, 2023, that requires developer accounts registering as an organization to provide a valid D-U-N-S number before submitting apps. Acquiring a valid D-U-N-S number requires passing various proof-of-identity and business checks and that will make it difficult, expensive and time-consuming for fraudsters to complete. But it remains to be seen if it will help cull low-quality apps from the storefront. [Android Developers Blog]
↘️ The source code for the BlackLotus UEFI bootkit has leaked online, potentially allowing skilled threat actors to create more potent variants that can bypass existing and future countermeasures. The leaked code has been stripped of the Baton Drop exploit targeting CVE-2022-21894 and uses the bootlicker UEFI firmware rootkit, but contains the rest of the original code. [Bleeping Computer]
↘️ With Microsoft clamping down on macros and on the abuse of OneNote files, the once-notorious Emotet botnet has struggled to adapt to the shrinking attack surface. Campaigns uncovered this year have continued to rely on VBA macros to activate the infection, with some attacks notably not relying on reply-chain attacks, in which an existing email conversation is hijacked after compromise to spread malware. While the operators recently added a new module named “hwinfo” to harvest additional information about the compromised device, the latest development has raised the possibility that “a different – probably less-skilled – threat group has bought the botnet and its infrastructure.” [ESET]
↘️ Attackers have been observed using Google Firebase Hosting infrastructure to host ZIP archive files containing malicious HTML pages, which are sent in phishing emails that lead to the deployment of a Java-based malware called Sorillus RAT. [eSentire]
↘️ Google has started a new pilot program where some employees will be restricted from accessing the internet in a bid to reduce the risk of cyber attacks. It also detailed its Red Teaming efforts to help address risks to AI systems, including prompt injection, training data extraction, model and data poisoning, and exfiltration. [CNBC / Google]
↘️ The Forum of Incident Response and Security Teams (FIRST) has released a preview of CVSS 4.0 to help organizations prioritize their vulnerability and patch management processes. [FIRST / Dark Reading]
↘️ A set of security flaws called TETRA:BURST have been disclosed in the Terrestrial Trunked Radio (TETRA) standard for radio communication used widely by government entities and critical infrastructure sectors, which could allow high-end adversaries to intercept or manipulate law enforcement and military radio communications. [The Hacker News]
↘️ Container images shared on Docker Hub are leaking sensitive data in the cloud, to the tune of tens of thousands of private and API keys, acting as a goldmine for attackers to harvest the information to compromise a wide range of hosts. [arXiv]
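The practical check here is to scan an image you are about to push (or pull) for credential shapes before it ever reaches a registry, layer by layer rather than only in the final filesystem, because a secret deleted in a later `RUN` step still lives in the earlier layer. The scanner below is an added example for this digest, not code from the arXiv paper or from Docker; it walks a `docker save` style archive held in memory, scanning every file inside each layer tarball plus the non-layer metadata (the image config carries `ENV` values and build history). The image it scans is constructed in `build_sample_image`, so it runs offline; the regex set is a starter set that a real deployment would extend.

```python
import io
import re
import sys
import tarfile

# Byte-regexes for common credential shapes (starter set; extend for your environment).
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH )?PRIVATE KEY-----"),
    "github_token": re.compile(rb"ghp_[A-Za-z0-9]{36}"),
    "generic_api_key": re.compile(
        rb"(?i)(?:api[_-]?key|secret[_-]?key|token)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{20,}"),
}
MAX_FILE_BYTES = 5 * 1024 * 1024  # skip very large binaries; tune as needed


def scan_bytes(blob: bytes) -> list:
    """Names of the patterns that match anywhere in blob."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(blob)]


def _open_tar(blob: bytes):
    """Return a TarFile for blob, or None if it is not a (possibly compressed) tar archive."""
    try:
        return tarfile.open(fileobj=io.BytesIO(blob), mode="r:*")
    except tarfile.ReadError:
        return None


def scan_saved_image(image_tar: bytes) -> list:
    """Walk a `docker save` archive. Returns (layer_or_metadata, path_inside, pattern_name) tuples."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_tar), mode="r:*") as image:
        for member in image:
            if not member.isfile():
                continue
            blob = image.extractfile(member).read()
            layer = _open_tar(blob)
            if layer is None:
                # manifest / config JSON: ENV and Dockerfile history leak secrets here too
                findings += [("image metadata", member.name, hit) for hit in scan_bytes(blob)]
                continue
            with layer:
                for entry in layer:
                    if not entry.isfile() or entry.size > MAX_FILE_BYTES:
                        continue
                    content = layer.extractfile(entry).read()
                    findings += [(member.name, entry.name, hit) for hit in scan_bytes(content)]
    return findings


def _tar(files: dict) -> bytes:
    """Build an uncompressed tar in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tf.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def build_sample_image() -> bytes:
    """Constructed stand-in for `docker save` output: config JSON plus two layers.
    The AWS key is Amazon's documented example key; everything else is made up."""
    layer0 = _tar({"app/main.py": b"print('hello')\n", "etc/hostname": b"app\n"})
    layer1 = _tar({
        "root/.aws/credentials": (b"[default]\naws_access_key_id = AKIAIOSFODNN7EXAMPLE\n"
                                  b"aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"),
        "app/id_rsa": (b"-----BEGIN OPENSSH PRIVATE KEY-----\nb3BlbnNzaC1rZXkt...\n"
                       b"-----END OPENSSH PRIVATE KEY-----\n"),
    })
    config = b'{"config":{"Env":["PATH=/usr/bin","API_KEY=sk_live_0123456789abcdef0123456789"]}}'
    return _tar({
        "manifest.json": b'[{"Config":"cfg.json","Layers":["l0/layer.tar","l1/layer.tar"]}]',
        "cfg.json": config,
        "l0/layer.tar": layer0,
        "l1/layer.tar": layer1,
    })


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for where, path, pattern in scan_saved_image(data):
        print(f"{where}: {path}: {pattern}")
```

Usage: `docker save myimage:tag -o image.tar && python scan_image.py image.tar`. On the constructed image it reports the API key baked into the config `ENV`, the AWS access key in layer 1, and the private key file, while the harmless first layer produces nothing. Wiring this into CI before `docker push` is cheaper than rotating keys after a registry crawl finds them.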
↘️ The U.S. government announces a certification and labeling program called the “U.S. Cyber Trust Mark” that will be applied to IoT products meeting established cybersecurity criteria from the National Institute of Standards and Technology (NIST), which include the use of unique and strong default passwords, data protection, software updates, and incident detection capabilities. [The White House]
↘️ In the run-up to the elections in May 2023, as many as 700,000 TikTok accounts in Turkey were compromised by a hack that allowed attackers to access users’ private information and control their accounts. The vulnerability, identified more than a year earlier in April 2022, stemmed from TikTok’s so-called “greyrouting” of SMS messages through insecure channels, enabling malicious actors to intercept one-time passwords to gain access to TikTok users’ accounts and inflate likes and followers. TikTok said it took steps to reverse and terminate the inauthentic activity, notified affected users, and helped them secure their accounts. [Forbes]
↘️ Malicious actors are selling cybercrime generative AI tools such as WormGPT and FraudGPT on dark web forums explicitly for conducting a wide range of malicious activity, a move that could lower the barrier to entry for cybercrime and make it easier for criminals to mount convincing phishing and business email compromise (BEC) scams quickly and at scale. These tools function as black hat alternatives to legitimate counterparts like OpenAI ChatGPT and Google Bard, which are erecting security and ethical guardrails to prevent their misuse for developing malware. By creating synthetic communication templates, the tools not only underscore the evolution of the phishing-as-a-service (PhaaS) model, but also allow attackers to test which phishing lures work better against which victims, potentially making their targeting more precise. It’s also expected that the developers of these tools will soon offer application programming interface (API) access, greatly simplifying the process of integrating them into other workflows and code. [The Hacker News]
↘️ HaiEnergy, a new Chinese influence campaign undertaken by a PR firm known as Shanghai Haixun Technology Co., Ltd, used newswire services, subdomains associated with legitimate U.S.-based news outlets, staged in-person protests, and billboard ads to spread pro-Beijing propaganda in the U.S. Besides sharing overlaps with DRAGONBRIDGE, Haixun is also said to have a presence on the freelance services platform Fiverr, “soliciting individuals to promote content both consistent with the political narratives promoted by the HaiEnergy campaign” and to share links to published articles on social media platforms like Twitter. [Mandiant / Dark Reading]
↘️ Dutch police announced the arrest of a 32-year-old Dutch national, a resident of Brazil, who they believe was one of the top 10 users of Genesis Market, a now-defunct dark web marketplace used to sell stolen credentials, including usernames and passwords, session tokens, and other data. Operational since 2018, Genesis Market was dismantled as a result of an international law enforcement operation named Operation Cookie Monster in April 2023. As part of the operation, 119 suspects were arrested. The development came as the criminal group behind the cyber fraud platform claimed that it had been sold to an unidentified buyer a few months after U.S. authorities sanctioned the platform and seized some of its domains.
In a related development, Ilya Lichtenstein and Heather Morgan — who were arrested last year for their role in laundering the more than 120,000 bitcoin stolen from Bitfinex in 2016 — pleaded guilty.
More legal news: a Ukrainian national named Vitalii Chychasov, 37, pleaded guilty in the U.S. to conspiracy to commit access device fraud and trafficking in unauthorized access devices relating to his administration of SSNDOB Marketplace, which was seized by the FBI last year. Chychasov was arrested in Hungary in March 2022, while a second admin, Sergey Pugach, was arrested in May 2022. [Politie / The Record / Chainalysis / DoJ]
↘️ A previously unknown threat actor dubbed Mysterious Elephant has been observed targeting Pakistan’s foreign affairs ministry via a phishing campaign that’s designed to drop a backdoor, which “has the ability to execute files or commands on the victim’s machine, as well as receive files or commands from the C2 server for execution on the infected computer.” [Kaspersky]
↘️ Threat actors have been observed using fake proofs-of-concept (PoCs) containing Linux backdoors hosted on GitHub to trick security researchers into installing them. Novel as PoC poisoning may seem, there have been earlier instances where adversaries have resorted to impersonating the security community in hopes of distributing malware via open-source repositories. [The Hacker News / Dark Reading / Bleeping Computer]