The US government is actively searching for Chinese malware that has infiltrated US networks, according to unnamed officials who spoke to the New York Times. The malware, known as Volt Typhoon, has been quietly staged in various US systems and is believed to have been present for at least a year. The extent of the infestation is broader than initially thought, with concentrations of the malware seen near US military installations. Efforts to locate and eradicate the malware have been ongoing for some time, and its geographical reach extends beyond US territory.
Meanwhile, Russia’s SVR has been engaged in a cyberespionage campaign targeting diplomatic services between February and June of this year. Recorded Future’s Insikt Group has been tracking the campaign, which uses spear-phishing as its initial attack vector. The phishing emails carry lures such as an ambassador’s schedule or an invitation to an embassy reception. Once a target opens the phishing email and follows its lure, malware is installed on their network, giving the SVR persistent access. The researchers have dubbed the threat actor behind this campaign BlueBravo. This is not the only cyberespionage campaign the SVR has been involved in. Norwegian government networks were also targeted by Russian intelligence services, which exploited a vulnerability in Ivanti Endpoint Manager Mobile. The US Cybersecurity and Infrastructure Security Agency (CISA) and the Norwegian National Cyber Security Centre (NCSC-NO) have released a joint advisory on the incident.
In another development, Microsoft has reported on the activities of the Russian threat group Midnight Blizzard, which is linked to Russia’s SVR. The group has been carrying out highly targeted social engineering attacks against Western targets. The primary objective of the attacks is espionage, and they typically involve credential phishing. The attack is staged from compromised Microsoft 365 tenants owned by small businesses and involves multiple stages, including requests to chat in Microsoft Teams and actions on the target’s authentication app. Once successful, Midnight Blizzard gains access to the target’s Microsoft 365 account and proceeds with information theft. The SVR’s cyberespionage efforts are not limited to government organizations but also target non-governmental organizations (NGOs), IT services, technology, discrete manufacturing, and media sectors.
In response to increased scrutiny of its activities, Russia’s FSB has added new domains to its attack infrastructure. The FSB threat activity tracked as BlueCharlie or Star Blizzard has registered ninety-four new domains to support its credential-harvesting, intelligence-collection, and hack-and-leak operations. These activities are primarily focused on Ukraine and members of the NATO alliance. The FSB also conducts online operations in support of Russian disinformation campaigns.
Researchers at Halcyon have published a report on command-and-control providers used by ransomware gangs. They highlight Cloudzy, a virtual private server (VPS) provider, as a common service provider for ransomware attacks. Although Cloudzy is incorporated in the US, the researchers believe it operates out of Tehran, Iran, possibly in violation of US sanctions. Threat actors using Cloudzy’s services include APT groups tied to various governments, a sanctioned Israeli spyware vendor, criminal syndicates, and ransomware affiliates.
Furthermore, intelligence services from the Five Eyes countries have jointly issued a cybersecurity advisory on the vulnerabilities most routinely exploited in 2022. These vulnerabilities continue to be relevant and pose a significant concern. The list includes vulnerabilities affecting Fortinet SSL VPNs, Microsoft Exchange email servers, Zoho ManageEngine ADSelfService Plus, Atlassian Confluence Server and Data Center, Apache’s Log4j library, VMware Workspace ONE Access and Identity Manager, F5 BIG-IP application delivery and security software, the Windows Microsoft Support Diagnostic Tool (MSDT), and a second Atlassian Confluence Server and Data Center flaw.
These vulnerabilities have been consistently exploited, highlighting the importance of timely patching and proactive cybersecurity measures to mitigate the risk of cyberattacks. Efforts to address these vulnerabilities and protect critical systems and networks are crucial to safeguard national security and the privacy of individuals and organizations.