Microsoft has recently released the results of its investigation into a cloud email compromise incident involving a Chinese threat actor. The investigation revealed that the threat actor, known as “Storm-0558,” was able to obtain a Microsoft account consumer key, which it used to forge tokens and gain unauthorized access to Outlook Web Access (OWA) and Outlook.com. The compromise occurred when Storm-0558 targeted a Microsoft engineer’s corporate account, which had access to the crash dump containing the key.
Although no logs recorded the exfiltration of the key itself, Microsoft identified this as the most probable mechanism by which the threat actor acquired it. Storm-0558 is a Chinese cyberespionage actor known to target a range of organizations for intelligence gathering. In this incident at least twenty-five organizations, including several US Government agencies, were compromised.
In a separate incident, multiple nation-state actors targeted the aerospace sector using two vulnerabilities: CVE-2022-47966 in Zoho ManageEngine ServiceDesk Plus and CVE-2022-42475 in FortiOS SSL-VPN. This joint advisory, released by the US Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), and US Cyber Command’s Cyber National Mission Force (CNMF), provides details about the threat activity and offers advice on detection and mitigation.
The advisory emphasizes the importance of patching both vulnerabilities, as patches have been available since earlier this year. It also highlights the need for organizations in the aerospace sector to enhance their cybersecurity measures to protect against advanced threats from nation-state actors.
In yet another incident, North Korean threat actors targeted security researchers using at least one zero-day exploit. Google’s Threat Analysis Group (TAG) discovered this ongoing campaign and promptly notified the affected vendor. The zero-day is currently being patched to prevent further exploitation by the threat actors.
Additionally, the GRU’s APT28, also known as Fancy Bear, attempted to compromise an energy facility in Ukraine through a phishing campaign. The phishing emails contained a zip file with links to supposedly innocent photos. However, if the attachment was opened, it would enable remote code execution, giving the threat actors unauthorized access to the victim’s system. The phishing email’s content was unusual compared to previous Russian phishing attempts in Ukraine, as it involved gaudier phishbait and a different narrative.
Moreover, a China-based cybercriminal group known as the “Smishing Triad” has been running a smishing campaign targeting US citizens. The group impersonates postal services and sends package-tracking text scams via iMessage. These scams are designed to collect personally identifying information and payment credentials, which the threat actors then use for identity theft and credit card fraud.
Furthermore, researchers at Security Joes discovered that a threat actor exploited vulnerabilities in the MinIO distributed object storage system to steal data and execute arbitrary code. The vulnerabilities had been previously fixed, but the attacker used social engineering to trick a MinIO developer into reverting to a vulnerable version. From there, the threat actor gained access to the MinIO administrative console and pushed a malicious update containing exploit code.
Additionally, a new variant of the Chae$ malware, known as “Chae$ 4,” is being used in attacks against the financial services and software supply chain sectors. This malware has targeted various organizations, including Mercado Libre, Mercado Pago, WhatsApp Web, Itau Bank, Caixa Bank, and content management systems such as WordPress, Joomla, Drupal, and Magento. The threat actor behind this malware, known as “Lucifer,” remains unidentified.
In terms of patch news, Apple issued three emergency patches for vulnerabilities that could be exploited to install spyware. The patches affect various Apple operating systems and protect against a zero-click exploit called “BLASTPASS” used to deploy NSO Group’s Pegasus spyware. These patches are crucial in preventing unauthorized access to vulnerable devices and protecting users’ privacy and security.
Moving on to crime and punishment, the International Criminal Court (ICC) has confirmed that it intends to prosecute cyber war crimes. The ICC believes that certain cyber activities may constitute war crimes, crimes against humanity, genocide, or the crime of aggression. These crimes can have significant impacts on people’s lives, particularly vulnerable populations, and the ICC seeks to collect evidence and establish accountability for such behavior.
The US Justice Department is expanding its investigations under Operation KleptoCapture to target professional service providers who have aided Russian oligarchs in evading sanctions. This operation aims to disrupt the financial support sustaining Russia’s war against Ukraine and hold those involved accountable for their actions.
The US Department of Justice also announced indictments against multiple Russian cybercrime actors involved in the Trickbot malware and Conti ransomware schemes. These indictments are part of ongoing efforts to address cybercrime and deter future malicious activities.
In other legal news, a Russian tech entrepreneur, Vladislav Klyushin, was sentenced to nine years in a US Federal Court for wire fraud and securities fraud. Klyushin’s activities were connected to a $100-million stock fraud scheme.
Overall, these incidents highlight the continued and evolving cyber threats faced by organizations and individuals worldwide. It is crucial for individuals and organizations to remain vigilant, keep their software up to date with the latest patches, and implement robust cybersecurity measures to mitigate the risk of cyber attacks.
