8 December 2023

Cyber Security Week in Review: December 8, 2023


UK, US and allies expose FSB-associated hacker group, sanction members

The UK authorities and allies have accused a Russia-associated threat actor, known as Star Blizzard, Callisto Group, Seaborgium and Coldriver, of being responsible for a series of cyberattacks targeting politicians, civil servants, journalists, NGOs and other civil society organizations. The group is said to have ties with Russia’s Federal Security Service (FSB).

The UK and the US authorities sanctioned Federal Security Service (FSB) Center 18 officers Ruslan Aleksandrovich Peretyatko and Andrey Stanislavovich Korinets for their involvement in the Star Blizzard hacker group.

Both Peretyatko and Korinets were also sanctioned by the US Treasury’s Office of Foreign Assets Control (OFAC). The State Department has offered a reward of up to $10 million for information on Peretyatko and Korinets’ whereabouts as well as the location of their conspirators.

The Five Eyes (FVEY) intelligence alliance released an advisory describing the spear-phishing techniques Star Blizzard uses to target individuals and organizations, including the abuse of webmail addresses from Outlook, Gmail, Yahoo and Proton. Additionally, Microsoft published updated technical information about Star Blizzard tactics, techniques, and procedures (TTPs). The tech giant said the threat actor has evolved to focus on improving its detection evasion capabilities since 2022.

Russian hackers are exploiting critical MS Outlook bug to get access to email accounts on Exchange servers

Russian military hackers have been observed exploiting a critical Net-NTLMv2 hash leak vulnerability (CVE-2023-23397) in the Microsoft Outlook email client to hijack email accounts on MS Exchange servers. Tracked as APT28, Fighting Ursa, Fancy Bear, and Sofacy, the group has been previously linked to Russia's Main Intelligence Directorate (GRU).

A separate report from Palo Alto Networks’ Unit 42 details a series of attacks by APT28 targeting multiple European NATO member countries, including a NATO Rapid Deployable Corps. The threat actor exploited the CVE-2023-23397 flaw over roughly 20 months in three campaigns against at least 30 organizations across 14 nations that are of likely strategic intelligence value to the Russian government and its military.

Russian influence network 'Doppelgänger' orchestrating disinformation campaigns in Ukraine, the US, and Germany

Recorded Future’s Insikt Group detailed an ongoing and highly sophisticated influence operation conducted by a Russia-linked network named 'Doppelgänger' that targets audiences in Ukraine, the United States, and Germany through the use of inauthentic news sites and social media accounts. Most notably, the operation incorporated advanced obfuscation techniques, including the manipulation of social media thumbnails, strategic first- and second-stage website redirects, and a probable reliance on generative AI for the creation of deceptive news articles.

Russian hackers are targeting Ukraine and Poland with Remcos RAT and Meduza Stealer

Ukraine’s CERT published technical details and Indicators of Compromise associated with a new phishing campaign by a threat actor tracked as UAC-0050 targeting Ukraine and Poland with the Remcos RAT and Meduza Stealer malware.

Andariel APT reportedly stole key defense technologies from South Korean defense firms

The North Korean hacking group known as ‘Andariel,’ believed to be a unit within the notorious Lazarus cybercrime group, has reportedly stolen key technologies from South Korean defense firms, including anti-aircraft weapons, and transferred some of the money it obtained via ransomware attacks to North Korea. The police confirmed that a total of 1.2 terabytes of technology and data files were stolen.

Andariel is also said to have pocketed 470 million won ($360,153) worth of cryptocurrency acquired through ransomware attacks on South Korean firms. Some of the stolen funds are believed to have been sent to North Korea. Speaking of which, the US authorities are offering a reward of up to $10 million for information about new technologies used by North Korean hackers to launder money.

New AeroBlade cyberespionage group targets the aerospace industry

An unnamed aerospace company in the US has been targeted by a previously unknown threat actor with the goal of commercial and competitive espionage. Dubbed ‘AeroBlade,’ the campaign used spear-phishing as a means to gain access to the victim’s network. Evidence suggests that the attacker’s network infrastructure and weaponization became operational around September 2022, with the offensive phase of the attack taking place in July 2023.

Hackers are exploiting Adobe ColdFusion bug to breach government servers

Threat actors leveraged a vulnerability in popular Adobe software to compromise servers running outdated versions of that software at two US federal agencies. The unidentified attackers exploited CVE-2023-26360, an improper access control issue impacting Adobe ColdFusion versions 2018 Update 15 (and earlier) and 2021 Update 5 (and earlier). In one of the cases, the threat actors deployed a remote access trojan (RAT) onto the compromised server. CISA believes that the malicious activity conducted by the threat actors was a reconnaissance effort to map the broader network.

Atlassian rolls out security updates to fix dangerous vulnerabilities

Australian software company Atlassian released security updates to address a slew of high-risk vulnerabilities (CVE-2022-1471, CVE-2023-22522, CVE-2023-22524, CVE-2023-22523), all of which, if exploited, could lead to remote code execution.

Flaws in Sierra Wireless routers expose critical sectors to cyber attacks

Forescout’s researchers discovered 21 new vulnerabilities in Sierra AirLink cellular routers and the TinyXML and OpenNDS components, some of which could allow an attacker “to take full control of an OT/IoT router in critical infrastructure.” Sierra Wireless devices are found in multiple critical infrastructure sectors, such as government and commercial facilities, emergency services, energy, transportation, water and wastewater systems, manufacturing and healthcare.

The researchers identified over 86,000 internet-exposed AirLink routers in critical organizations engaged in power distribution, vehicle tracking, waste management, and national health services. Nearly 80% of the exposed systems are located in the United States, followed by Canada, Australia, France, and Thailand.

Five Eyes security agencies published new guidance on creating memory safety roadmaps

Top cybersecurity agencies released new guidance for software manufacturers designed to help them eliminate memory safety vulnerabilities.

Rust-based P2Pinfect botnet goes after MIPS devices

A new variant of an emerging botnet called P2Pinfect was discovered that is designed to infect devices with 32-bit MIPS (Microprocessor without Interlocked Pipelined Stages) processors like routers and Internet of Things (IoT) devices. First spotted in July 2023, P2Pinfect is Rust-based malware previously observed targeting vulnerable Redis servers by exploiting a Lua sandbox escape vulnerability (CVE-2022-0543) for initial access.

Threat actors can abuse Amazon AWS STS to hack into cloud accounts

Security researchers with Red Canary detailed an attack method involving Amazon Web Services (AWS) Security Token Service (STS) that can be abused to gain access to cloud accounts.

Separately, SafeBreach researchers discovered eight new Windows process injection techniques collectively named “Pool Party” that can be used to bypass endpoint detection and response (EDR) systems.

Also, Indian researchers found a weakness they named ‘AutoSpill’ in the autofill function of Android-based apps, which exposes login credentials to apps hosting web pages, potentially enabling malicious attacks.

Malicious Lockdown Mode attack tricks users into thinking their iPhone is secure

Security researchers with Jamf Threat Labs shared details of a new post-exploitation tampering technique that allows attackers to carry out covert attacks while fooling iPhone users into believing that their device is running in Lockdown Mode when it's not.

The tampering technique only works on devices that have already been infected with malware, Jamf said. The new method doesn’t exploit any vulnerabilities in Lockdown Mode itself. Instead, it enables malware to deceive users by creating a false impression that their phone is operating in Lockdown Mode.

Apple confirms “push notification” spying

Apple and Google have confirmed that government agencies in foreign countries have been requesting smartphone “push” notification records from the tech giants to track smartphones. The issue came to light after US Senator Ron Wyden sent a letter to the US Department of Justice raising concerns that governments are spying on smartphone users through the push notifications that they receive from apps. Wyden said in the letter that the federal government had restricted Apple and other companies’ ability to share information about this practice.

Apple said that it is updating its transparency policies “now that this method has become public.”

Cybercrime-friendly crypto exchange Bitzlato founder pleads guilty in the US

Anatoly Legkodymov, the co-founder and majority owner of the Hong Kong-registered virtual currency exchange Bitzlato, has pleaded guilty to operating a money-transmitting business that processed approximately $700 million in illicit funds. Legkodymov now faces a maximum penalty of five years in prison. As part of his plea agreement, he agreed to dissolve Bitzlato and to release any claim over approximately $23 million in seized assets of Bitzlato.

The news comes after another Russian man, Vladimir Dunaev, pleaded guilty to his involvement in developing and deploying the Trickbot malware.
