Cyber Intelligence Weekly

Cyber Intelligence Weekly (January 21, 2024): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here: https://echeloncyber.com/ciw-subscribe

Before we get started on this week’s CIW, I’d like to highlight that we are thrilled to welcome Chris Furtick to Echelon Risk + Cyber as Director of Defensive Security!

Chris joins us from Fortalice Solutions, where he demonstrated exceptional client service and leadership as the VP of Client Solutions. His expertise in building robust, hardened environments and leading top-tier defensive engineering teams is unparalleled.

Additionally, he has a remarkable background in leading digital forensics investigations and guiding clients through complex active cybersecurity breaches.

To say that we’re excited to bring his knowledge and experience to our team is an understatement!

We’re confident that Chris’s innovative approach and strategic thinking will be invaluable as we continue to strengthen our suite of cybersecurity services to strengthen and protect our clients from threats.

Join us in welcoming Chris Furtick to our team! We look forward to achieving new heights under his leadership.

Away we go!

1. Microsoft Leaders Breached by Russian Threat Actors Using Password Spray

In a recent security blog update, Microsoft reported a sophisticated cyberattack by the Russian state-sponsored actor known as Midnight Blizzard (also tracked as Nobelium). The attack, which targeted Microsoft's corporate systems, was first detected on January 12, 2024. Microsoft initiated a swift and thorough investigation and response process aimed at mitigating the attack and preventing further unauthorized access, and disclosed the incident as part of its commitment to transparency under its Secure Future Initiative (SFI).

The attack began in late November 2023 with a password spray that compromised a non-production test tenant account. Using this account, the attackers accessed a small percentage of Microsoft's corporate email accounts, including those of senior leadership and employees in critical departments such as cybersecurity and legal. The attackers were looking for information about Midnight Blizzard itself, and exfiltrated some emails and attached documents. Microsoft is in the process of notifying the affected employees. Importantly, the attack did not exploit any vulnerability in Microsoft's products or services, and there is no indication that the attackers gained access to customer environments, production systems, source code, or AI systems.
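The password-spray pattern described above can be surfaced from sign-in logs by counting distinct accounts that fail from one source, rather than failures per account (a spray tries a few passwords against many accounts and so stays under per-account lockout thresholds). The detector below is an added example written for this newsletter, not Microsoft's tooling; the log format, account names, IP addresses (documentation ranges), window and threshold are all constructed assumptions.

```python
"""Password-spray detection over sign-in logs (added example, constructed data)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: timestamp, account, source IP, outcome.
# 203.0.113.7 fails against five different accounts in under a minute and
# then succeeds against a test-tenant account; 198.51.100.4 is one user
# mistyping their own password, which should not be flagged.
SAMPLE_LOG = """\
2023-11-28T02:00:01Z alice@corp.example 203.0.113.7 FAILURE
2023-11-28T02:00:04Z bob@corp.example 203.0.113.7 FAILURE
2023-11-28T02:00:09Z carol@corp.example 203.0.113.7 FAILURE
2023-11-28T02:00:13Z dave@corp.example 203.0.113.7 FAILURE
2023-11-28T02:00:20Z erin@corp.example 203.0.113.7 FAILURE
2023-11-28T02:00:25Z test-tenant-admin@corp.example 203.0.113.7 SUCCESS
2023-11-28T02:01:00Z alice@corp.example 198.51.100.4 FAILURE
2023-11-28T02:01:05Z alice@corp.example 198.51.100.4 FAILURE
2023-11-28T02:01:09Z alice@corp.example 198.51.100.4 SUCCESS
2023-11-28T09:30:00Z bob@corp.example 192.0.2.10 SUCCESS
"""


def parse_log(text):
    """Parse the constructed 'timestamp account ip outcome' lines into tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, ip, outcome))
    return events


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5):
    """Flag source IPs whose failures cover at least `min_accounts` distinct
    accounts inside any sliding window of length `window`.

    Returns {ip: {"accounts": [...], "later_success": [...]}} where
    "later_success" lists accounts that logged in successfully from that IP
    at or after the start of the spray window (the highest-priority leads).
    """
    by_ip = defaultdict(list)
    for ts, account, ip, outcome in events:
        by_ip[ip].append((ts, account, outcome))

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort()
        failures = [(ts, a) for ts, a, o in evs if o == "FAILURE"]
        start = 0
        for end in range(len(failures)):
            # Slide the window start forward until it fits inside `window`.
            while failures[end][0] - failures[start][0] > window:
                start += 1
            accounts = {a for _, a in failures[start:end + 1]}
            if len(accounts) >= min_accounts:
                first_ts = failures[start][0]
                successes = sorted({a for ts, a, o in evs if o == "SUCCESS" and ts >= first_ts})
                findings[ip] = {"accounts": sorted(accounts), "later_success": successes}
                break
    return findings


if __name__ == "__main__":
    for ip, info in detect_password_spray(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: spray across {len(info['accounts'])} accounts; "
              f"subsequent successes: {info['later_success'] or 'none'}")
```

The two knobs that matter are the window and the distinct-account threshold: a spray at one attempt per account every few seconds will never trip a per-account lockout, so the per-source distinct-account count is the signal. Any success from a flagged source, especially against a test or non-production identity, is the event to investigate first.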

This incident underscores the ongoing risk posed by nation-state threat actors like Midnight Blizzard. In light of this, Microsoft is accelerating its security enhancements, particularly on its legacy systems and internal processes, as part of the Secure Future Initiative. While these changes may disrupt existing business processes, Microsoft views them as necessary steps to counter advanced threats. The company is committed to ongoing investigations and collaboration with law enforcement and regulators, and promises to keep sharing information and insights to help the wider community understand and combat such sophisticated threats.

Microsoft also reported the incident in an 8-K filing:

2. Navigating the Ivanti VPN Zero-Day Crisis: What You Need to Know

On January 10, 2024, Ivanti announced two critical vulnerabilities, CVE-2023-46805 and CVE-2024-21887, affecting its Connect Secure VPN (formerly Pulse Secure) and Policy Secure appliances. The vulnerabilities can allow attackers to bypass authentication and inject commands, paving the way for more extensive breaches within the targeted networks. Mandiant detected active exploitation of these zero-days as early as December 2023 by a suspected espionage-motivated threat group, currently tracked as UNC5221.

A recent surge in attacks exploiting the two zero-day vulnerabilities in Ivanti Connect Secure (ICS) VPN has raised significant concern in the cybersecurity community. According to Volexity's latest data, over 1,700 devices have been compromised since mass exploitation began. Microsoft Threat Intelligence Center also emphasized that users who failed to apply the mitigation released on January 10 are at high risk of compromise, since the widespread attacks began just a day later.

The rapid escalation of these attacks is evident when compared to Mandiant's report on January 11, which initially identified fewer than 20 compromised devices. The situation has since evolved dramatically, with attackers beyond the initial group gaining access to the exploit. This broader access has led to attacks on a wide range of targets, including governments, militaries, telecommunications, technology companies, financial services firms, and aerospace industries. Volexity's research points to UTA0178, a group believed to be linked to China, as the primary perpetrator behind the majority of these compromises, although there is involvement from other criminal groups as well.

Volexity's analysis of ICS VPN logs reveals exploitation attempts by various threat actors, originating from a mix of private Virtual Private Server (VPS) instances and compromised network appliances. Additionally, the group tracked by Volexity as UTA0188 is suspected of involvement in some of the attempts. Most compromised devices were infected with a modified version of the GIFTEDVISITOR webshell, with each victim system likely having a unique AES key as part of the attack.

The largest concentration of vulnerable ICS appliances is in the United States, followed by Japan, China, Taiwan, and South Korea. In Europe, Germany has the most exposures. Ivanti users are advised to run the company's Integrity Checker Tool to detect an ongoing compromise, although the tool only identifies a compromise and does not remediate it. Volexity stresses the importance of collecting logs, system snapshots, and forensic artifacts from the affected ICS VPN appliance, and of investigating potential lateral movement, compromised credentials, and exposed sensitive data. Organizations are strongly advised to proactively check their internal and external infrastructure for anomalies that deviate from expected behavior.

3. 71 Million Unique Credentials from Naz.API Dataset Now on HIBP

The well-known data breach notification service Have I Been Pwned (HIBP) has recently added almost 71 million email addresses from the stolen-account list known as the Naz.API dataset. This dataset is a vast accumulation of 1 billion credentials gathered from credential stuffing lists and from data stolen by information-stealing malware. Credential stuffing uses username and password pairs previously stolen in data breaches to access accounts on other websites. Information-stealing malware, by contrast, is designed to extract a range of data from infected computers, including browser-saved credentials, VPN and FTP client details, SSH keys, credit cards, cookies, browsing history, and cryptocurrency wallets.

The collected data, stored in text files and images, is archived into "logs" and uploaded to a remote server for later retrieval by the attacker. These stolen credentials are used to breach victim accounts, sold on cybercrime marketplaces, or released on hacker forums to build reputation within the hacking community. The Naz.API dataset is notorious for its extensive collection of stolen credentials. Although it was initially used to power an open-source intelligence (OSINT) platform called illicit.services, that service was briefly shut down over concerns about its misuse for doxxing and SIM-swapping attacks before resuming operations in September.

Troy Hunt, creator of HIBP, added the Naz.API dataset to the service after receiving it from a notable tech company. The dataset comprises 319 files totaling 104GB and containing 70,840,771 unique email addresses. It is, however, considered somewhat outdated; for instance, it included a password Hunt had used back in 2011. Users can check whether their credentials are part of the Naz.API dataset via HIBP. If an email address is linked to Naz.API, that indicates a possible information-stealer infection. Given the malware connection, affected users are advised to change the passwords for all of their accounts, including corporate VPNs, email, bank accounts, and cryptocurrency wallets.
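HIBP's password side, the Pwned Passwords service, lets a user (or a password-change workflow) check a password against the corpus without ever sending it: the client hashes the password with SHA-1, sends only the first five hex characters to the range endpoint (https://api.pwnedpasswords.com/range/<prefix>), and matches the remaining 35 characters locally against the returned "SUFFIX:COUNT" lines. The code below is an added example, not HIBP's own client; the range endpoint and the Add-Padding header are real, but the range response it matches against is constructed so the example runs offline (the leaked-password counts in it are made up).

```python
"""k-anonymity password check in the style of HIBP Pwned Passwords.

Added example, not Have I Been Pwned's code. Only `fetch_range` talks to the
real service; everything else runs offline against a constructed response.
"""
import hashlib
import urllib.request


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of `password` into the 5-character prefix
    that leaves the machine and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines. Padded responses contain count-0 filler
    entries; they are kept, since a real suffix is never reported as 0."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_text: str) -> int:
    """Number of times `password` appears in the corpus (0 if absent)."""
    _, suffix = sha1_prefix_suffix(password)
    return parse_range_response(range_text).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup against the real service (not exercised offline).
    Add-Padding asks the service to pad the response so its size does not
    reveal how many genuine suffixes share the prefix."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "ciw-added-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def constructed_range_response(prefix: str) -> str:
    """Stand-in for `fetch_range`: build a response for `prefix` from a
    constructed 'leaked passwords' table, plus one padding-style entry."""
    leaked = {"password": 9545824, "letmein": 273646}  # constructed counts
    lines = []
    for pw, count in leaked.items():
        p, s = sha1_prefix_suffix(pw)
        if p == prefix:
            lines.append(f"{s}:{count}")
    lines.append("0" * 35 + ":0")  # padding entry, as a padded response would carry
    return "\n".join(lines)


def check_password_offline(password: str) -> int:
    """Full flow: hash, split, look up the prefix, match the suffix locally."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, constructed_range_response(prefix))


if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase 4 this example"):
        n = check_password_offline(pw)
        print(f"{pw!r}: {'seen %d times' % n if n else 'not in constructed corpus'}")
```

Swapping `constructed_range_response` for `fetch_range` turns this into a live check in which the service only ever learns a 5-character prefix shared by hundreds of hashes. The email-address lookup for Naz.API that the text refers to is a separate HIBP feature and is not covered by this code.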

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers holistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here: https://echeloncyber.com/about
