Daily Brief

2024-01-20 03:14:49 thehackernews NATION STATE ACTIVITY Microsoft Executives Targeted by Russian APT Group Email Breach
Microsoft identified a nation-state attack attributed to the Russian group it tracks as Midnight Blizzard, which compromised email accounts belonging to senior leadership and to employees in functions such as cybersecurity and legal. The intrusion began in late November 2023 and was detected on January 12, 2024, after which Microsoft started its investigation and mitigation. The attackers used a password spray attack to compromise a legacy non-production test tenant account and then used that account's permissions to reach a small number of corporate email accounts. Microsoft reports no evidence that customer data, production systems, source code, or AI systems were accessed. The number of compromised accounts and the extent of the accessed information have not been disclosed; affected employees are being notified. The same group was behind the SolarWinds supply chain attack and has targeted Microsoft before. Microsoft stressed the persistent risk posed by well-resourced nation-state actors and the need for stronger security measures across organizations.
2024-01-20 02:18:42 thehackernews MALWARE TA866 Phishing Campaign Uses Invoices to Deliver Malware
The threat actor TA866 has returned after nine months of inactivity with a large-scale phishing campaign delivering the WasabiSeed and Screenshotter malware. The campaign targets North American organizations with invoice-themed emails carrying PDF attachments that start a multi-step infection chain. Proofpoint identified the new wave on January 11, 2024, having first documented TA866's activity in February 2023. The chain captures desktop screenshots for reconnaissance so the operators can pick high-value victims and eventually deploy the Rhadamanthys information stealer. The current campaign uses PDFs containing malicious OneDrive URLs rather than macro-enabled attachments, an adaptation in tactics. The spam distributor TA571 handles delivery of the emails, and its infrastructure is also used to spread other malware families, including IcedID, AsyncRAT, and DarkGate. DarkGate, active since 2017, keeps gaining new features and anti-analysis techniques to avoid detection. Evasion that abuses verdict caching in security products has also been observed, particularly in campaigns against financial services: attackers let a URL receive a cached benign verdict before switching it to serve the malicious payload.
2024-01-20 00:21:40 bleepingcomputer DATA BREACH Russian Hackers Compromise Microsoft Corporate Emails in Data Breach
Russian state-sponsored hackers tracked as Midnight Blizzard breached Microsoft corporate email accounts. Microsoft's security team detected the intrusion on January 12 and began investigation and mitigation. The attackers got in through a password spray attack that compromised a non-production account. Compromised mailboxes include those of leadership, cybersecurity, and legal personnel, and emails and attachments were stolen. The attackers appear to have been after information Microsoft holds about Midnight Blizzard itself. Microsoft is notifying affected employees and states that the breach resulted from an account compromise, not a product vulnerability. The group, also known as Nobelium, is notorious for the 2020 SolarWinds attack and has a history of high-profile breaches, including another intrusion into Microsoft corporate accounts in 2021.
2024-01-20 00:10:52 theregister NATION STATE ACTIVITY Nation-State Hackers Target Microsoft and VMware Systems
Chinese espionage group UNC3886 exploited a critical VMware vCenter Server vulnerability as a zero-day from late 2021; VMware patched it in October 2023, and Mandiant has since tied intrusions at several organizations to the group, whose tradecraft matched its earlier campaigns. Separately, Russian hackers identified as Midnight Blizzard (also tracked as APT29 or Cozy Bear) compromised a small number of Microsoft corporate email accounts, including those of executives and cybersecurity personnel. That breach began in late November 2023 and was detected on January 12, 2024; it stemmed not from a product vulnerability but from a password spray attack against a legacy test tenant account. Microsoft warned of possible disruption as it rolls out stronger security measures in response. Lastly, CISA ordered US federal agencies to apply Ivanti's mitigations for two Connect Secure zero-day vulnerabilities under active exploitation that researchers have linked to a suspected Chinese state-sponsored actor; the directive reflects ongoing concern about Chinese cyber threats even though CISA reported no current evidence of successful exploitation of federal agencies by PRC actors.
2024-01-20 00:05:37 bleepingcomputer CYBERCRIME Russian Hackers Compromise Microsoft Corporate Emails
Russian state-sponsored hackers tracked as Midnight Blizzard breached Microsoft and accessed corporate email accounts. Microsoft detected the intrusion on January 12 and attributed it to the group also known as Nobelium or APT29. The initial foothold came from a password spray attack in November 2023 that compromised a legacy non-production test account. The attackers retained access for over a month, stealing emails and attachments from leadership, cybersecurity, and legal staff. The targeted mailboxes held information about Midnight Blizzard itself; Microsoft is notifying affected employees. Microsoft says the incident stemmed from password guessing against an account, not from a product vulnerability, and it has pledged to share further details as the investigation proceeds.
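The Microsoft entries above all describe the same technique, a password spray: one or a few passwords tried against many accounts, so that no single account trips a lockout threshold. The detector below is an added example, not Microsoft's code or anything from the cited articles. It looks for the spray shape in sign-in records, many distinct accounts failing from one source inside a short window with few attempts each, and then reports any account that authenticated from the same source during that window, since that is the account to treat as compromised. The CSV layout, the field names and the sample records are constructed for illustration; real inputs would be Entra ID sign-in logs or Windows 4625/4624 events mapped onto the same four fields.

```python
"""Password-spray detection over sign-in records.

Added example, not Microsoft's or any vendor's code. The CSV layout
(timestamp,source_ip,account,result) and the sample records are constructed
for illustration; a real pipeline would read Entra ID sign-in logs or Windows
4625/4624 events and map them onto these four fields.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample. One source tries one password against many accounts
# (a spray) and gets into a stale test account; a second source hammers a
# single account (plain brute force), which this detector should not flag.
SAMPLE_LOG = """\
2023-11-27T02:00:01Z,203.0.113.7,alice@test.example,FAILURE
2023-11-27T02:00:09Z,203.0.113.7,bob@test.example,FAILURE
2023-11-27T02:00:17Z,203.0.113.7,carol@test.example,FAILURE
2023-11-27T02:00:26Z,203.0.113.7,dave@test.example,FAILURE
2023-11-27T02:00:34Z,203.0.113.7,erin@test.example,FAILURE
2023-11-27T02:00:42Z,203.0.113.7,frank@test.example,FAILURE
2023-11-27T02:00:51Z,203.0.113.7,svc-legacy@test.example,SUCCESS
2023-11-27T02:05:00Z,198.51.100.4,alice@test.example,FAILURE
2023-11-27T02:05:30Z,198.51.100.4,alice@test.example,FAILURE
2023-11-27T02:06:00Z,198.51.100.4,alice@test.example,FAILURE
2023-11-27T02:06:30Z,198.51.100.4,alice@test.example,FAILURE
2023-11-27T02:07:00Z,198.51.100.4,alice@test.example,FAILURE
"""


def parse_log(text):
    """Parse CSV sign-in records into sorted (time, ip, account, result) tuples."""
    events = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 4:
            continue  # skip blank or malformed lines
        ts, ip, account, result = row
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((when, ip, account, result.upper()))
    return sorted(events)


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_failures_per_account=2):
    """Flag sources whose failures are wide (many accounts) but shallow
    (few attempts per account) inside one time window: the spray shape.

    Returns {source_ip: {"accounts": [...], "succeeded": [...]}}, where
    "succeeded" lists accounts that authenticated from that source inside
    the same window, i.e. the likely compromised ones.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[3] == "FAILURE"]
        # Slide the window forward from each failure so a spray that starts
        # late in the log is still caught.
        for i, start in enumerate(failures):
            end = start[0] + window
            in_window = [e for e in failures[i:] if e[0] <= end]
            per_account = defaultdict(int)
            for e in in_window:
                per_account[e[2]] += 1
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_failures_per_account):
                succeeded = sorted({e[2] for e in evs
                                    if e[3] == "SUCCESS" and start[0] <= e[0] <= end})
                findings[ip] = {"accounts": sorted(per_account),
                                "succeeded": succeeded}
                break  # one finding per source is enough
    return findings


if __name__ == "__main__":
    for ip, hit in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: sprayed {len(hit['accounts'])} accounts; "
              f"succeeded on {hit['succeeded'] or 'none'}")
```

The thresholds are deliberately loose; real sprays are often slower (one attempt per account per hour) to stay under lockout policies, so widen the window and lower `max_failures_per_account` to 1 when hunting rather than alerting. The single-account brute force from the second source is not flagged here because its failures are deep, not wide; it belongs to a separate lockout-style detection.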
2024-01-19 23:24:49 bleepingcomputer CYBERCRIME BreachForums Founder Sentenced to Supervised Release
Conor Brian Fitzpatrick, administrator of the BreachForums hacking forum, was sentenced to time served plus 20 years of supervised release. Fitzpatrick, known online as "Pompompurin", faced charges for stealing and selling the personal information of millions of people and for possession of child pornography, and he played a central role in the cybercriminal community by running BreachForums. The government had recommended roughly 15.7 years in prison. The supervised release terms include two years of home arrest with GPS monitoring and mandatory mental health treatment; he is barred from internet access for the first year and must have any future online sales approved by authorities. Restitution to victims is still to be determined.
2024-01-19 21:22:41 theregister CYBERCRIME Five Charged in $7M IT Consultancy Expense Fraud Scheme
Five individuals allegedly embezzled over $7 million by submitting fake work expenses to an IT consultancy. The fraudulent charges funded lavish personal expenses, including hotel stays, a cruise, and visits to strip clubs. Mark Angarola, a global account manager at the unnamed IT firm, was pivotal in approving false invoices and hiring unqualified associates, including friends and relatives. Charges include wire fraud and tax evasion, with maximum sentences of 20 years for each count of wire fraud. The scam involved no-show jobs, fraudulent billings, and disguising personal expenses as business-related expenditures. Three defendants additionally accused of tax fraud for not reporting illicit income to the IRS. The consultancy involved remains unnamed in court documents, but prior civil lawsuit filings suggest a connection to IT giant DXC Technology.
2024-01-19 20:31:32 bleepingcomputer CYBERCRIME Payoneer Users in Argentina Hit by 2FA-Bypassing Cyber Theft
Numerous users of the payment service Payoneer in Argentina have reported unauthorized access to their accounts and theft of funds. Although the accounts were protected with two-factor authentication (2FA), victims received unexpected one-time password (OTP) SMS codes during the night and found their balances emptied by morning. A link to a Movistar data leak has been suggested, but the leaked data did not include the email addresses needed to trigger Payoneer password resets. Victims saw funds transferred to an unknown email address on the 163.com domain, pointing to a coordinated operation. Movistar, the mobile carrier used by many victims, has disclaimed responsibility for third-party messages but says it has acted against the numbers used in the smishing campaign. Payoneer acknowledged the fraud and is working with authorities; it attributes the thefts to phishing, which some victims dispute, pointing instead to a possible platform weakness. The exact method remains undetermined, but the incident highlights the risks of SMS-based 2FA and of Payoneer's password recovery process.
2024-01-19 19:30:13 bleepingcomputer CYBERCRIME CISA Directs Immediate Action Against Ivanti Zero-Day Threats
CISA has issued an emergency directive over the active exploitation of two Ivanti Connect Secure zero-day vulnerabilities, CVE-2023-46805 (an authentication bypass) and CVE-2024-21887 (a command injection), which attackers chain for unauthenticated remote code execution. Federal Civilian Executive Branch agencies are ordered to apply Ivanti's mitigations immediately. Ivanti has not yet released patches, only mitigations, which is why CISA classifies the situation as an "unacceptable risk." Shadowserver is tracking over 16,200 Internet-exposed Ivanti Connect Secure (ICS) VPN appliances worldwide, with more than 600 confirmed compromises. Volexity reports that a Chinese state-backed threat actor has backdoored over 2,100 Ivanti appliances, and that malware including cryptocurrency miners has been deployed on compromised devices. Victims range from small businesses to Fortune 500 companies across many sectors, including government and military.
2024-01-19 17:17:30 bleepingcomputer DATA BREACH FTC Settles with Data Broker InMarket to Halt Location Data Sales
The U.S. Federal Trade Commission (FTC) has settled with InMarket Media, prohibiting the sale of Americans' precise location data. InMarket Media, a Texas-based data company, has been aggregating and monetizing location data via proprietary and third-party apps. The FTC complaint reveals that InMarket's apps were installed on over 30 million unique devices since 2017, while their SDK was used in over 300 third-party apps. InMarket's data practices created detailed advertising profiles in 2,000 categories without proper user consent, raising privacy concerns. The FTC criticizes InMarket's five-year data retention policy as excessive and risky, prompting regulatory action to protect consumer privacy. The proposed FTC order demands that InMarket cease selling, licensing, or sharing products or services based on sensitive location data. This FTC case against InMarket follows a recent similar action barring X-Mode Social from engaging in location data sales from its SDK-using apps.
2024-01-19 16:36:18 bleepingcomputer NATION STATE ACTIVITY Chinese Group Exploited VMware Flaw for Espionage for Two Years
Chinese hackers tracked as UNC3886 exploited CVE-2023-34048 in VMware vCenter Server for espionage. The group used the flaw as a zero-day from late 2021; VMware patched it only in October 2023 and has since acknowledged in-the-wild exploitation without giving details, while Mandiant connected that exploitation to UNC3886. From the compromised vCenter servers the attackers obtained credentials for the connected ESXi hosts and used them to deploy the VirtualPita and VirtualPie backdoors. They then exploited CVE-2023-20867, a VMware Tools authentication bypass, to run commands on and transfer files to and from guest VMs without guest credentials, and to exfiltrate data. Mandiant traced the activity back to late 2021 and early 2022 through a recurring pattern: crashes of the vmdird service minutes before backdoor deployment, followed by deliberate removal of the resulting crash dumps. UNC3886 focuses on the defense, government, telecom, and technology sectors, primarily in the US and the APJ region. The same group previously exploited a Fortinet zero-day to install sophisticated backdoors, underscoring its advanced capabilities.
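The forensic clue in the summary above, a vmdird crash whose dump later vanished, can be turned into a routine check: every service crash the service manager logged should have a core file to go with it, and a crash without one is a window worth reviewing. The script below is an added example, not Mandiant's or VMware's tooling. It parses service crash entries and reports any crash of a watched service whose core file is missing from the core directory listing. The crash log format, the core.<service>.<pid> naming, the /var/core location and the sample data are all assumptions made for illustration; adapt the regex to the appliance's real log lines before using it.

```python
"""Match service-crash log entries against the core dumps that should exist.

Added example for this brief, not Mandiant's or VMware's tooling. The log
line format, the core-file naming (core.<service>.<pid>) and the sample data
are constructed for illustration. On a real vCenter appliance you would feed
in the service manager's crash log and a listing of the core directory
(/var/core is assumed here).
"""
import os
import re
from datetime import datetime, timezone

# Constructed sample: two services crashed and each crash claims a core dump.
SAMPLE_CRASH_LOG = """\
2022-01-14T03:12:07Z vmon: service vmdird crashed with signal 11, pid 4812, core dump written
2022-01-14T03:12:10Z vmon: service vmdird restarted, pid 4907
2022-03-02T11:40:55Z vmon: service vsphere-ui crashed with signal 6, pid 2201, core dump written
2022-03-02T11:41:02Z vmon: service vsphere-ui restarted, pid 2260
"""

# Constructed listing of the core directory: the vsphere-ui core is there,
# the vmdird core is not.
SAMPLE_CORE_FILES = ["core.vsphere-ui.2201", "core.vmware-vpxd.1180"]

# Assumed line shape; adjust to the real service manager's format.
CRASH_RE = re.compile(
    r"^(?P<ts>\S+) vmon: service (?P<svc>\S+) crashed with signal (?P<sig>\d+), "
    r"pid (?P<pid>\d+), core dump written$")


def parse_crashes(log_text):
    """Return [(timestamp, service, pid)] for every crash that claims a core dump."""
    crashes = []
    for line in log_text.splitlines():
        m = CRASH_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            crashes.append((ts, m["svc"], int(m["pid"])))
    return crashes


def orphaned_crashes(log_text, core_files, services=("vmdird",)):
    """Crashes of the watched services whose core file is missing.

    A logged crash with no matching core is the gap described in the
    summary: the service fell over during exploitation and the dump was
    deleted afterwards, while the crash entry in the log survived.
    Returns [(iso_timestamp, service, pid)].
    """
    present = set(core_files)
    return [(ts.isoformat(), svc, pid)
            for ts, svc, pid in parse_crashes(log_text)
            if svc in services and f"core.{svc}.{pid}" not in present]


def scan_appliance(crash_log_path, core_dir="/var/core", services=("vmdird",)):
    """Convenience wrapper for a live appliance: read the log and list the core dir."""
    with open(crash_log_path, encoding="utf-8", errors="replace") as fh:
        log_text = fh.read()
    return orphaned_crashes(log_text, os.listdir(core_dir), services)


if __name__ == "__main__":
    for ts, svc, pid in orphaned_crashes(SAMPLE_CRASH_LOG, SAMPLE_CORE_FILES):
        print(f"{ts}: {svc} (pid {pid}) crashed but its core dump is gone; review this window")
```

Once a crash is flagged, the interesting evidence is what happened in the minutes after it: new files on the vCenter appliance, new logins to the attached ESXi hosts, and any gap in the audit log covering the same window. Passing a wider `services` tuple extends the check to every managed service, which is cheap once the log is parsed.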
2024-01-19 14:37:01 bleepingcomputer DATA BREACH Major Apparel Company VF Corp Reports Ransomware-Linked Data Breach
VF Corporation disclosed a ransomware attack that compromised the personal information of over 35 million customers, but no sensitive financial data was breached. The attack, which occurred in December 2023, did not result in stolen consumer passwords, according to VF Corp's ongoing investigation. The cybersecurity incident forced VF Corp to shut down certain IT systems, disrupting retail inventory replenishment and causing delays in order fulfillment. Although significant IT systems have been restored, VF Corp continues to manage minor operational impacts from the breach. VF Corp claims to have removed the threat actor from its systems on December 15, 2023, and currently operates its retail stores and online platforms with minimal issues. There has been no information from VF Corp regarding notification to affected customers or details about the specific types of personal data compromised. VF Corp is collaborating with law enforcement and regulatory authorities to thoroughly investigate the breach and its repercussions.
2024-01-19 14:01:16 theregister DATA BREACH VF Corporation Reports Massive Customer Data Theft Incident
VF Corporation, owner of Vans and other major brands, disclosed a data breach affecting 35.5 million customers. The breach occurred in December, but specific details about the compromised data haven't been disclosed to the public. VF Corp assures that SSNs, bank information, and payment card details were not at risk as they are not stored on their IT systems. There is no evidence so far that customer passwords were accessed, but the investigation is still ongoing. The cyberattack caused disruptions, impacting the company’s ability to fulfill orders and replenish inventories, leading to customer order cancellations. VF Corp has mostly restored its IT systems and operations, though some minor residual impacts remain. Suspicions of ransomware involvement exist due to system encryption and claims by the AlphV/BlackCat gang, but the company has not confirmed this.
2024-01-19 13:25:12 bleepingcomputer CYBERCRIME VMware vCenter Vulnerability Actively Exploited, Prompting Security Alert
VMware has confirmed active exploitation of CVE-2023-34048, a critical remote code execution vulnerability in vCenter Server. The flaw is an out-of-bounds write in the DCE/RPC protocol implementation and can be exploited remotely without authentication. Given the severity, VMware took the unusual step of also issuing patches for several unsupported, end-of-life product versions. Initial access brokers target vCenter servers as a stepping stone for ransomware operations such as Royal and LockBit. More than 2,000 vCenter Server instances exposed online could be at risk, so administrators should patch immediately and tightly restrict network access to vSphere management interfaces. VMware has patched other high-severity vulnerabilities in its platforms over the past year, and it recommends strict network perimeter access control for vSphere management components to reduce exposure to this and future attacks.
2024-01-19 12:54:25 thehackernews MALWARE macOS Users Targeted with Backdoor in Pirated Software Downloads
macOS backdoors are being distributed through pirated software on Chinese websites, compromising the devices of users who install it. Researchers at Jamf Threat Labs found malicious payloads inside trojanized copies of popular applications such as Navicat Premium, UltraEdit, and Microsoft Remote Desktop. The malware consists of a dropper and a fully featured backdoor that establishes persistence and gives the operators remote control. The backdoor, built on the open-source Khepri post-exploitation toolkit, is dropped into a temporary directory, so it is lost on reboot and re-fetched each time the pirated app is launched. A separate downloader component maintains persistence and contacts an attacker-controlled server to retrieve additional payloads. The trojanized applications are unsigned, so running them requires bypassing macOS's built-in protections, a step users of pirated software are already accustomed to taking. Similarities with the earlier ZuRu malware suggest this campaign may be an evolution of the same operators' tactics.