New Russia’s GRU-affiliated APT group linked to destructive wiper attacks on Ukraine
Microsoft’s threat intelligence team has released a report linking the destructive WhisperGate wiper attacks that targeted Ukrainian government organizations to Cadet Blizzard (formerly DEV-0586), a Russian state-sponsored threat actor associated with the Russian General Staff Main Intelligence Directorate (GRU).
Besides the WhisperGate data-wiping attacks, which started on January 13, 2022, more than a month before Russia invaded Ukraine, the group was also behind a series of defacements of several Ukrainian organizations' websites, as well as multiple other operations, including the hack-and-leak forum known as “Free Civilian.”
Barracuda zero-day attacks linked to suspected Chinese hackers
Google-owned threat intel firm Mandiant has linked recently disclosed data-stealing attacks affecting Barracuda's Email Security Gateway (ESG) devices globally to a suspected Chinese cyber-espionage group it tracks as UNC4841.
The attackers have been exploiting an OS command injection flaw (CVE-2023-2868) in the appliances since October 2022. The threat actors gained initial access to vulnerable Barracuda ESG appliances via malicious emails exploiting the bug and deployed three malware families: Saltwater, Seaside, and Seaspy. The hackers used their access to an ESG appliance to move laterally into the victim network or to send mail to other victim devices.
Mandiant said the campaign has impacted organizations across the public and private sectors worldwide, with almost a third being government agencies.
Gamaredon cyber spies use new PowerShell script to drop backdoors
Russia-linked state-sponsored cyber-espionage group Gamaredon (Shuckworm, Armageddon, UAC-0010) continues its relentless attacks against government entities and organizations in Ukraine's military and security intelligence sectors, using updated malware tools. The group repeatedly attempted to access and steal sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, and military training. In some cases, Gamaredon’s operations lasted for as long as three months.
Google fixes multiple vulnerabilities in Pixel, including one zero-day
Google has released security updates to address more than a hundred security issues in its Pixel phones, including a vulnerability said to have been exploited in the wild.
Tracked as CVE-2023-21237, the zero-day is an information exposure issue that allows a local application to gain access to sensitive information.
US agencies, Shell, Adare are the latest victims in MOVEit hacking spree
The US Department of Energy and several other federal agencies were breached in a global MOVEit hacking campaign orchestrated by the Clop ransomware gang. While officials declined to name the agencies affected by the breach or say how many were hacked, the energy department confirmed data was stolen from two of its contractors: Oak Ridge Associated Universities and the Waste Isolation Pilot Plant, the New Mexico-based facility for disposal of defense-related nuclear waste.
The MOVEit hack has already claimed some high-profile organizations, with the latest victims being oil and gas giant Shell, the UK’s media regulator Ofcom, and British integrated communications provider Adare SEC.
It’s worth noting that Progress Software, the company behind MOVEit Transfer, has released security updates to address new vulnerabilities found in the application during a security audit.
Fortinet warns new VPN bug exploited in a limited number of cases
Network security company Fortinet has warned that a new vulnerability impacting its SSL-VPN product may have been exploited in the wild in a limited number of cases.
Tracked as CVE-2023-27997, the flaw is a heap-based overflow issue that resides in the SSL-VPN feature. A remote, unauthenticated attacker can exploit this vulnerability to execute arbitrary code on the target system by sending specially crafted requests to the SSL-VPN interface. Fortinet addressed the issue in an update released last week. Organizations are strongly advised to apply these patches as soon as possible.
Chinese cyber spies exploited VMware ESXi zero-day to backdoor VMware guest VMs
A Chinese cyber espionage group has been found exploiting a VMware ESXi zero-day vulnerability to backdoor guest virtual machines. Tracked as UNC3886, the threat actor exploited the CVE-2023-20867 VMware Tools authentication bypass bug to deploy the VirtualPita and VirtualPie backdoors on guest virtual machines from compromised ESXi hosts on which they had escalated privileges to root.
The attackers used scripts to obtain vpxuser credentials, enumerate ESXi hosts and their guest VMs, manipulate the firewall rules of connected ESXi hosts, and add or delete entries from the list of allowed IPs for a specified service (by default, sshServer) across all connected ESXi hosts.
Fake security researcher GitHub repos deliver malware
A series of malicious GitHub repositories posing as legitimate security research projects were discovered. They lured users with promises of zero-day vulnerabilities and exploits for well-known products such as Chrome, Microsoft Exchange, and Discord but, in actuality, have been pushing malicious implants. A more detailed analysis of this campaign is available here.
US authorities charge two Russians with the 2011 Mt. Gox hack
The US Department of Justice has charged two Russian nationals with the 2011 historic breach of Mt. Gox, one of the largest bitcoin exchanges in existence. The exchange never recovered from the theft and shut down in 2014.
The accused, Alexey Bilyuchenko and Aleksandr Verner, allegedly stole about 647,000 bitcoins, valued at some $450 million, from Mt. Gox from September 2011 through at least May 2014. Additionally, Bilyuchenko faces separate charges related to running the infamous Russian crypto exchange BTC-e, which was shut down by authorities in 2017.
A Russian national charged for deploying LockBit ransomware
The US Department of Justice has charged a 20-year-old Russian national for his alleged involvement in LockBit ransomware and other cyberattacks against victims in the US, Asia, Europe, and Africa.
Ruslan Magomedovich Astamirov, of the Chechen Republic, was allegedly involved with the LockBit ransomware gang from August 2020 to March 2023 and executed at least five ransomware attacks against victims in the US and abroad. According to cybersecurity authorities, the LockBit ransomware gang is believed to have collected more than $91 million in ransom payments from more than 1,700 attacks targeting US organizations.
He also owned, controlled, and used a variety of email addresses, Internet Protocol (IP) addresses, and other online provider accounts that allowed him and his co-conspirators to deploy LockBit ransomware and to communicate with their victims. If convicted, Astamirov faces up to 25 years in prison.
Bulletproof hoster who helped distribute Gozi and Zeus sentenced to 3 years in prison
Romanian national Mihai Ionut Paunescu was sentenced to three years in prison for running PowerHost[.]ro, a bulletproof hosting service that enabled cybercriminals to distribute various banking and information-stealing malware families, including the Gozi (Ursnif), Zeus, and SpyEye trojans, as well as the BlackEnergy malware.
Two Megaupload coders sentenced to over 2 years in prison
Two staffers who helped run the once wildly popular pirating website Megaupload were sentenced to prison by a New Zealand court after pleading guilty in a deal in which they promised to testify against the site's founder, Kim Dotcom, who continues to fight the US charges and the threat of extradition.
Mathias Ortmann was sentenced to two years and seven months in prison and Bram van der Kolk to two years and six months, as per local media reports.
New supply chain attack hijacks Amazon AWS S3 buckets
Checkmarx researchers spotted a new attack in which an attacker took over an abandoned AWS S3 bucket used by the Bignum npm library and replaced the binaries necessary for the library to function with malicious ones. The malicious binaries steal user IDs, passwords, local machine environment variables, and the local hostname, and then exfiltrate the stolen data to the hijacked bucket.