Microsoft Hacked, Source Code Leaked

In its K-8 filing to SEC, Microsoft claims the relation of the latest hack to the one that was uncovered in January 2024. A Russian threat actor known as Nobelium/Midnight Blizzard managed to hack into Microsoft systems. The hack happened around November, with hackers staying inside for until January. This eventually resulted in adversaries gaining access to the emails of executives and certain authentication tools. And it turns out that attackers managed to take away some of the authentication secrets even after being discovered.

In the latest attack, Midnight Blizzard used these leaked auth secrets to get into the Microsoft internal networks once again. The same K-8 filing discloses the facts of hackers getting access (or at least attempting to) using the said leaked keys. Among particular systems under attack are source code repositories and some of the internal systems. Microsoft warns that the unauthorized access may happen repeatedly in future, meaning that they do not know the exact scale of auth secrets leak.

One fortunate thing though is that customer-facing assets and their data was not compromised. And this is most likely true, as the previous attacks mainly concentrated on top-tier executives, who barely have access to customer data. And this is a big relief: the scale of consequent attacks due to the data leaked from Azure, Outlook or other cloud services could have been tremendous. Still, no excuses for such a large company to fall victim to hackers.

Who is Midnight Blizzard?

Nobelium/APT29/Fancy Bear or Midnight Blizzard, by the new Microsoft classification, is a Russian state-sponsored threat actor. It mainly aims at cyber espionage, being led by the Russian External Intelligence Agency (SVR). The group is known for picking loud targets for its attacks, particularly government agencies, military contractors and the like.

Microsoft became their point of interest back in 2022, when they managed to hack an auxiliary SSO system for Windows Server. 2023 though has become a year of a “proper” hack. Back in November 2023, APT29 managed to stay in the network for quite some time, compromising a lot of different internal systems. Considering the uncertainity regarding the amount of compromised elements, they will certainly repeat.

The post Microsoft is Hacked, Again by Midnight Blizzard appeared first on Gridinsoft Blog.

TeamCity Vulnerability Exploited by CozyBear

JetBrains TeamCity servers, a crucial solution in the software development lifecycle, have recently been targeted in a cyberattack similar to the infamous SolarWinds hack. The Russian Foreign Intelligence Service (SVR)-backed group CozyBear exploited a severe vulnerability in these servers, tracked as CVE-2023-42793. This vulnerability allowed unauthorized attackers to bypass security measures and execute code remotely without user interaction. As a result, this poses a significant risk to over 30,000 JetBrains customers globally.

The aforementioned exploit was discovered in September and has been used to compromise an extensive array of companies and over a hundred devices worldwide, affecting organizations in the United States, Europe, Asia, and Australia. The victims come from various sectors, from billing and finance to gaming and medical devices. The widespread impact underlines the critical nature of the flaw and the tactics employed by CozyBear, previously known for the SolarWinds supply chain attack in 2020.

CozyBear Tactics and Techniques

CozyBear used various tactics and techniques around Mimikatz in the cyberattack on JetBrains TeamCity servers. This is a well-known tool for extracting credentials from the Windows Registry. It helped them steal information and escalate their access privileges within the compromised systems. CozyBear gained more profound and extensive control over the affected systems by elevating their access rights.

To further enhance their stealth and efficacy, CozyBear deployed the GraphicalProton backdoor. This backdoor uses standard cloud storage services such as OneDrive and Dropbox for command-and-control operations. Specifically, he used a randomly generated BMP file to save the information. This allowed CozyBear to mask its malicious communications amidst regular traffic, significantly reducing the likelihood of detection.

Another SolarWinds Attack?

The SolarWinds attack in 2020 was due to the company’s credentials being publicly available on GitHub. Cybersecurity researcher Vinoth Kumar discovered in 2018 that SolarWinds’ update server credentials were openly accessible on their GitHub repository. However, no one seems to be paying attention then. The attack compromised high-profile targets and affected about 18,000 SolarWinds clients.

In addition, prompt action is crucial in responding to security lapses. Overall, the SolarWinds attack underscores cybersecurity’s ongoing and evolving challenge in a highly interconnected digital world, where vigilance and proactive defense are essential. However, the reality we are seeing today suggests otherwise.

Mitigation and Response

JetBrains has released a patch to address security issues and recommends applying it immediately to reduce risks. The fixes are included in TeamCity servers version 2023.05.4 or later. Despite these efforts, Shadowserver reports show that about 800 instances worldwide still have not been patched, with over 230 located in the United States. It looks like a flash mob of ignoring installing updates and subsequent asspain is becoming a trend.

The post JetBrains Vulnerability Exploited by CozyBear Hackers appeared first on Gridinsoft Blog.

I considered delaying writing this post to gather more facts regarding the situation. On day 1, nothing but speculation and suppositions were available. Today, some of the facts appear, allowing me to make a comprehensive analysis of the case.

Ukrainian Mobile Operator Kyivstar Hacked by Russians

Early on December 12, Kyivstar services stopped working. As the company operates not only in the cell carrier segment, but also provides home Internet and connectivity services for businesses, these were down as well. The “national roaming” option, that allows switching between operators with certain limitations, was unresponsive, meaning that the network structure is severely disrupted.

At around 12:00, the first official comments from the company appeared. They claimed a cyberattack disrupting their services, and told about a rather long recovery process ahead. Further statements specified that the estimated time of major services recovery is not earlier than on December 13.

Until the evening of the same day, the details were lean. Some analysts tried to make conclusions, though they were at best blurred. Certain sources of information also supposed that Kyivstar suffered outages due to the DDoS attack, but that was likely just a confusion due to the simultaneous launch of a DDoS attack on one of Ukrainian banks. Meanwhile, the company succeeded with recovering part of its services, particularly the home Internet service to the end of the day.

On the morning of December 13, 2023, some facts and even more rumors began to surface. Among the latter, the brightest was the responsibility claim from a previously unknown Solntsepek threat actor. The gang published their statement along with the screenshots of what they claim to be insight into the hacked network. Nonetheless, I heavily doubt credibility of both claims and screenshots, since no one heard of the group before, and no identifiable details are present on those pictures.

Unpredicted outcomes

As Kyivstar is the biggest cellular operator in Ukraine, the outage caused obvious troubles for over 24 million users. Considering the population of the country is around 40 million in total, the outage touched every second citizen to a certain extent. That obviously uncovered how hard people are dependent on technology nowadays, but some of the issues caused by the Kyivstar hack were not that clear.

For instance, the air raid alarms – a heavily needed thing in a belligerent country – were reliant on the Kyivstar’s cell network. As a result, numerous cities across the country did not hear air raid alarms, and even online air raid maps were not able to work properly. That is especially unfortunate as rocket and UAV strikes happen on a daily basis.

What is less unfortunate for Ukraine though is that Russian troops who reside in the occupied areas of Kherson and Zaporizhzhia regions experienced cell coverage issues as well. Since invaders used stolen SIM cards of Ukrainian operators, their phones stopped working once the attack happened. Pay day for stolen SIM-cards, one may say.

Kyivstar Hack – Who is Responsible?

Well, all symptoms aside, let’s think of what exactly happened and figure out who is responsible for the hack. The character of destruction and the way the recovery goes supposes that hackers managed to establish persistence in the majority of infrastructural elements of the corporate network. Further, they destroyed all they could reach. That was not just a “DROP DATABASE”, as someone supposed before – in that case the recovery would not take that much time. Moreover, Kyivstar themselves claim that they are forced into recovering the network “piece by piece”.

The executor is, most likely, one of Russian APT groups. Sure enough, there is no confirmation, but there is no one to hack Ukrainian companies for pure vandalism except for Russians. Even though I doubt the claims of a no-name hack group, the nationality of hackers is almost certain.

Another edge of responsibility lies on the Kyivstar itself. Having such a large number of users creates significant responsibility, not only in the matter of service availability, but also data safety. Addresses, passport info, phone numbers, emails – all this was successfully leaked. Bad luck for a country in peacetime, culpable negligence for a country at war.

If the screenshots shared by the Solntsepek group are real, things can be much worse. An analyst under the nickname of Sean Townsend shares his thoughts regarding what the pics say. Spoiler – things may be extremely bad, and the security was non-existent at all.

Update 12/13 (21:00 GMT)

Olexandr Komarov, CEO of Kyivstar, uncovered some of the details regarding the beginning of the hack. The initial access was gained through a compromised account of an employee.

Are Other Companies in Danger?

What is the conclusion from such a situation? This is what all Ukrainian companies should be ready to counteract. And not only Ukrainian – Russian hackers are now naught on limitations in attacks on countries “rival” to Russia. Since hackers aim only for vandalism and do not try to monetize their job, the effects may be rapid and irreversible. A sturdy, well-engineered security system should be mandatory for all companies.

The post Kyivstar, Ukraine’s Biggest Cell Carrier, Hacked appeared first on Gridinsoft Blog.

Microsoft Outlook Vulnerability Used by Kremlin-Backed Hackers

Being a privilege escalation bug, CVE-2023-23397 received almost the highest CVSS score of 9.8. The rating was set back in March 2023, when the vulnerability was originally uncovered. And well, the flow of attacks commenced with this vulnerability exploitation confirms every bit of this score.

By its essence, the vulnerability consists of the ability to leak the Net-NTLMv2 hash by sending a specially-crafted email message. It is possible due to the features of the specific transfer format Microsoft uses in the Outlook. Through playing with the PidLidReminderFileParameter settings, adversaries can leak the hash and send it to its command server. That’s it for this exploit, but the main course of actions happens afterwards.

Forest Blizzard Exploits MS Outlook in Attacks on Poland

Microsoft researchers noticed one main threat actor using the CVE-2023-23397 in its cyberattacks – Forest Blizzard a.k.a. APT28/Fancy Bear. This threat actor has a proven connection to the Russian government, particularly to the Main Intelligence Directorate (GRU). In the campaign that exploited the described Outlook vulnerability, hackers primarily targeted Poland.

Upon receiving the Net-NTLMv2 hash, adversaries were able to manipulate the access permissions to specific mailbox folders. This, in turn, ended up with the ability to read all of the contents. Hackers specifically aimed at ones that could store any valuable and potentially sensitive information.

Such a targeting is rather obvious – Poland has had its relations with Russia ruined since February 2023. And its participation in supplies delivery to Ukraine is a point of interest for Russian intelligence. While such espionage bears on the same tactics as cybercriminals use in attacks on corporations, the final target is what is different. Though, nothing stops hackers from applying the same tactics in attacks on other countries.

Install the Patch, Microsoft Insists

As I have mentioned at the beginning, the patch for the CVE-2023-23397 was available all the way back in March 2023. Microsoft released it almost immediately after disclosing it. And since it is a vulnerability in the protocol, there is not much you can do to temporarily mitigate the issue. Even though it may be troublesome to update all the instances soon after the patch, it was plenty of time to arrange the update.

The post Outlook Vulnerability Exploited by Russian Hackers appeared first on Gridinsoft Blog.

The US Federal Bureau of Investigation on Tuesday reported the disruption of a massive spying program by the Russian Federal Security Service (FSB) using cyberspyware codenamed “Snake”.

This is stated in a press release from the US Department of Justice.

Let me remind you that we also talked about the fact that Europe’s largest private hospital operator Fresenius was attacked with an eponymous Snake ransomware. Don’t be confused – now we talk about a completely different malware.

US law enforcers believe that the spy tool was used by the hacker unit of the 16th FSB center, codenamed “Turla” for almost 20 years. We also reported that Fake DDoS App from Turla Targets Pro-Ukrainian Hacktivists.

The Snake program was designed to steal confidential documents from hundreds of computer systems in at least 50 countries that belonged to the governments of NATO member countries, in particular the United States, as well as journalists and other persons of interest to the Russian Federation.

To eliminate the “Snake”, the FBI developed an operation code-named “Medusa“. Within its framework, the spy application was forced to rewrite its own code, which disabled it. A senior FBI official said the Bureau’s tool was only designed to communicate with Russian spyware.

At a briefing ahead of the announcement, a US official involved in the operation called the Snake the “prime tool” of Russia’s cyber-espionage, Reuters reported.He expressed the hope that as a result of the liquidation of the program, Moscow could be “eradicated from the virtual battlefield.”

The media also reported that the FBI and NSA discovered Drovorub malware, created by Russian Intelligence services.

The post The FBI Disrupted the Cyberspyware “Snake” that the Russian FSB Used for 20 Years appeared first on Gridinsoft Blog.

In May, the racketeer-bargaining specialist (the negotiator) at a European production company had received an unexpected chat message from a malefactor who had hacked the specialist’s client.

Ransom negotiations, aimed at lowering the demands of racketeers, are the realm totally dominated by lawyers, consulting, and information security companies who know the nuts and bolts of working with hacker groups. The Palo Alto Networks Research shows that ransoms in 2021 grew to $2.2 million, becoming twice larger compared to the previous year. Palo Alto Networks state that the victims usually pay less than half of the initial ransom amount (around $541 000.)

The negotiator has shared this information on conditions of anonymity since he is not at liberty to discuss details of his work. The specialist’s job is to soften the demands of the extortionists.

“We need to know that you are honest with us,” – said the criminals, demanding a copy of the expert’s contract with the victims as proof of the legality of the specialist’s work after getting startled and nervous during the conversation.

The expert said that the crooks feared he would get an additional sum of money taken from the ransom amount.

After that, the hackers unexpectedly offered the negotiator to share the rest of their victims’ details with him to work for them. The crooks even offered the man to pay him a fee for each client; however, he refused.

As the expert concludes, the racketeers who contacted him were part of the Haron ransomware group, whose attack on Colonial Pipeline facilities stalled the supply of gas to the USA, eventually leading to arrests of the Russia-related hacking groups.

The post Companies Manage to Bargain With Ransomware Racketeers appeared first on Gridinsoft Blog.

According to the June 16 report by the US Department of Justice, the activity of a Russian botnet RSOCKS has been stopped in a joint operation by the US, German, Dutch, and British law enforcement agencies.

RSOCKS is responsible for hacking millions of network-connected devices. Initially, the botnet targeted IoT devices. The latter group includes industrial control systems, which makes the threats like the one in question highly important. The group, however, infected the Android devices and regular PCs too.

Law enforcement was long aware of RSOCKS activity. The Russian botnet got in the spotlight of police attention back in 2017 when over 300 000 devices in the San Diego district were hacked.

The malefactors monetized their hackings through a website where visitors could rent the segment of the botnet for different periods: days, weeks, months. The price varied from $30 per day (for 2000 proxies) to $200 per day (for 90000 hacked IPs.) Clients then could use bots for whatever they could be used: DDoS attacks, traffic routing, fake commentaries, etc.

The operation involved the undercover purchase of proxies with subsequent reverse inquiry into the Russian botnet back end and its victims. Eventually, the authorities managed to dismantle the infrastructure of the botnet. The Department appreciated the contribution of the foreign colleague agencies and the Black Echo private sector cybersecurity group.

The current operation is a part of a war on cybercrime consistently conducted by the US and Interpol, obviously concentrated around Russia-originating threats.

The post The US Department of Justice Reports a Russian Botnet Dismantled appeared first on Gridinsoft Blog.

CERT-UA has published a report on ongoing DDoS attacks on Ukrainian websites and a government web portal.

Unknown attackers compromise WordPress sites and inject malicious JavaScript code into the HTML structure. The script is base64 encoded to avoid detection like in this picture.

The code is executed on the visitor’s computer and generates a huge number of requests in order to stop the websites from working. Cyberattacks occur without the knowledge of the owners of compromised sites and create subtle performance disruptions for users.

By the way, we talked about the State Department Offers $1 million for Info on Russian Hackers.

CERT-UA works closely with the National Bank of Ukraine to implement protective measures against DDoS campaigns and numerous previous cyberattacks. In their report, the CERT-UA team provided instructions for removing malicious JavaScript code and added a threat detection tool to scan sites for hacking.

In addition, it is important to keep the content management systems (Content Management Systems, CMS) of the site up to date, update plugins and restrict access to site management.

We also note that it seems that the Chinese comrades do not support Russian hackers: we wrote that Chinese Mustang Panda Cyberspies Attack Russian Officials.

The post Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites appeared first on Gridinsoft Blog.

The announcement states that the reward is intended for anyone who can provide information to help identify and locate any of the people who, acting under command or on behalf of foreign nation-states, participated in attacks on objects of the US critical infrastructure.

The notification specifies that the wanted people are the members of a hacker group known as Sandworm Team, Telebots, Iron Viking, and Voodoo Bear. DC ties the named groups with the infection of computers in the US and other countries with the malware known as NotPetya on June 17, 2017.

Earlier, the FBI has made statements about the hackers’ increased attention to American companies from the start of the Russian invasion of Ukraine. According to information from the Bureau, presumed Russian hackers scanned the networks of five American energy companies and at least 18 US financial and defense-related companies.

Although the US authorities don’t have any direct evidence of Russian threat actors committing an attack on the US, US President Joe Biden said on March 18 that Russia would most likely use its cyber warfare tools, but it was still exploring an attack.

In the context of the Russian invasion of Ukraine, the United States’ war on ransomware has gained features of the international cyber-war. The US has decisively joined forces with European law enforcement to seize servers of Hydra in Germany and arrest the RaidForums administrator Diogo Santos Coelho in Britain. Hydra, the Russian-language darknet black market, and RaidForums, one of the world’s largest hackers’ forum, stopped working.

RELATED: CISA and several other US agencies has made a joint warning about the nation-state threat actors jeopardizing American energy industry using PIPEDREAM malware.

The post State Department Offers $1 million for Info on Russian Hackers appeared first on Gridinsoft Blog.

The group, linked by experts to Russia, has been carrying out cyber-espionage operations against Ukrainian government organizations since at least 2014.

According to experts, the group carried out more than 5 thousand cyberattacks on 1.5 thousand public and private enterprises in the country.

By the way, we talked about the fact that hacker groups split up: some of them support Russia, others Ukraine.

Pteredo has its origins in hacker forums, where it was acquired by Shuckworm in 2016. Hackers began active development of the backdoor, adding DLL modules to it for data theft, remote access, and penetration analysis.

In addition to Pteredo, Shuckworm has also used the UltraVNC remote access tool and Microsoft’s Process Explorer to process DLL processes in recent attacks.

Note: Let me remind you that even before the escalation of hostilities, Microsoft discovered the WhisperGate wiper attacking Ukrainian users.

If we compare Shuckworm attacks on Ukrainian organizations since January 2022, we can conclude that the group has hardly changed its tactics. In previous attacks, variants of Pteredo were downloaded to the attacked systems using VBS files hidden inside the document attached to the phishing email.

7-Zip files are unzipped automatically, which minimizes user interaction (the same files were used in the January attacks).

For example, one variant of Pteredo is a modified self-extracting archive containing obfuscated VBScripts that can be decompressed with 7-Zip. It then adds them as a scheduled task to ensure persistence:

The script also copies itself to [USERPROFILE]\ntusers.ini file.

The two newly created files are more obfuscated VBScripts.

• The first is designed to gather system information, such as the serial number of the C: drive, and sends this information to a C&C server.
• The second adds another layer of persistence by copying the previously dropped ntusers.ini file to another desktop.ini file.

Although Shuckworm is a highly professional group, its infection tools and tactics have not improved over the past few months, making it easier to detect and simplify methods of protection.

Currently, Pteredo is still actively developed, which means that hackers can work on a more advanced, powerful and undetectable version of the backdoor, as well as modify their attack chain.

The post Shuckworm hackers attack Ukrainian organizations with new variant of Pteredo backdoor appeared first on Gridinsoft Blog.