Cyber Intelligence Weekly

Cyber Intelligence Weekly (January 8, 2023): Our Take on Three Things You Need to Know

Welcome to our weekly newsletter where we share some of the major developments on the future of cybersecurity that you need to know about. Make sure to follow my LinkedIn page as well as Echelon’s LinkedIn page to receive updates on the future of cybersecurity!

To receive these and other curated updates to your inbox on a regular basis, please sign up for our email list here:

Also, we are always looking for great people to join our team. If you know anyone who fits the profiles for any of our open positions, drop me a line and let me know!

Before we get started on this week’s CIW, I’d like to announce that Echelon has recently admitted a partner to the firm's ranks, Matt Donato. Adding a partner is a significant milestone in the lifecycle of a professional services firm, and we are all thrilled to have Matt as that partner. Matt brings with him a proven track record of business leadership, knowledge of the industry, a long history of commercial successes, and a penchant for building great teams with a pure focus on excellence and culture. Welcome to the team, Matt!

No alt text provided for this image

Away we go!

1. Slack’s GitHub Compromised Over the Holidays

In a rather short update, Slack released the news that their GitHub account was compromised over the holidays. The threat actor downloaded private code repositories belonging to Slack. They did note that these repositories did not contain any customer data or means to access customer data.

No alt text provided for this image

According to Slack’s investigation, they noted that, “When notified of the incident, we immediately invalidated the stolen tokens and began investigating potential impact to our customers. Our current findings show that the threat actor did not access other areas of Slack’s environment, including the production environment, and they did not access other Slack resources or customer data. There was no impact to our code or services, and we have also rotated all relevant credentials as a precaution.

Why does this news sound eerily similar to the beginning of the latest LastPass breach? It will be interesting to see how this evolves.

2. Zero-Day to Blame for Rackspace Breach

Back in December we wrote about the massive issue with Rackspace’s hosted Exchange environment that was down due to a ransomware attack. At the time there had been much speculation about the root cause of the attack, with many saying that the ProxyNotShell vulnerability was to blame.

However, a new update from Rackspace states that ProxyNotShell was not to blame, rather, it was a previously unknown zero-day Exchange vulnerability. Rackspace noted the following in their update, “While there has been widespread speculation that the root cause of this incident was the result of the ProxyNotShell exploit, we can now definitively state that is not accurate. We have been diligent about this forensic investigation and prioritizing accuracy and precision in everything we say and do, because our credibility is important to us at Rackspace. The forensic investigation determined that the threat actor, known as PLAY, used a previously unknown security exploit to gain initial access to the Rackspace Hosted Exchange email environment. This zero-day exploit is associated with CVE-2022-41080. Microsoft disclosed CVE-2022-41080 as a privilege escalation vulnerability and did not include notes for being part of a Remote Code Execution chain that was exploitable.

No alt text provided for this image

CrowdStrike has a very good blog writeup where they talk about the vulnerability that they discovered. It was noted that CrowdStrike examined the pertinent logs and found no indication that CVE-2022-41040 (ProxyNotShell) had been exploited for initial access. Instead, it seemed that related queries were sent straight through the Outlook Web Application (OWA) interface, which suggests a previously unreported Exchange exploit technique.

It is always interesting when you see a threat actor utilize a zero-day in an attack. More often than not, that level of sophistication is not needed.

3. U.S. Nuclear Scientists Were Targeted by Russian Hackers

In an exclusive report, Reuters tells the story of a Russian hacking team called Cold River, that targeted several U.S. based nuclear research facilities. Reuters notes that the threat actors created fake login pages for various nuclear facilities and attempted to spear phish nuclear scientists to capture their actual credentials. The motivations behind the attacks were not revealed.

No alt text provided for this image

Per a threat intelligence report from Google, Cold River will typically use Gmail accounts to send credential phishing emails to a variety of targets. They often set their sights on government and defense officials, politicians, non-governmental organizations, think tanks, and journalists. Additionally, per the Google report, for these campaigns, the group's tactics, techniques, and procedures (TTPs) have shifted slightly from directly including phishing links in the email to also linking to PDFs and/or DOCs hosted on Google Drive and Microsoft One Drive.

This definitely sounds like something directly out of a Jack Ryan novel.

Thanks for reading!

About us: Echelon is a full-service cybersecurity consultancy that offers wholistic cybersecurity program building through vCISO or more specific solutions like penetration testing, red teaming, security engineering, cybersecurity compliance, and much more! Learn more about Echelon here:

Sign Up for Weekly Cyber Intelligence Delivered to Your Inbox

Sign up to get Cyber Intelligence Weekly in your inbox.