
Chinese threat actor targets US organizations with Microsoft cloud exploit, unveils malicious code in GitHub proof-of-concept attack.


Chinese threat actor Storm-0558 has been identified as the perpetrator behind a cyberespionage campaign that targeted US organizations using a Microsoft cloud exploit. Microsoft discovered “anomalous” mail activity on June 16th, which led to the investigation and subsequent confirmation of the cyberespionage campaign. Storm-0558 gained access to approximately 25 organizations, including government agencies, by using forged authentication tokens with an acquired Microsoft account signing key. Microsoft has since mitigated the effects of the attack for all affected customers. The US Government is currently investigating the scope and potential damage caused by the Chinese operation.

In a new proof-of-concept (PoC) attack discovered on GitHub, code presented as a training PoC was found to be malicious. Uptycs, a cybersecurity firm, found that the PoC contained a hidden backdoor that could steal data from the infected system. PoCs are typically used by researchers to explore vulnerabilities and are generally considered safe. However, this incident serves as a reminder to always analyze files downloaded from the internet with caution. Although the PoC has been removed from GitHub, users who installed it are at high risk of compromise. The malicious code was concealed within the program, acting as a downloader that executed a Linux bash script disguised as a kernel-level process.

Multichain, a crypto platform, has reported that over $100 million was stolen in a recent crypto heist. The platform has suspended its services while it investigates the claims of the theft. The stolen assets included WBTC, USDC, DAI, wETH, and LINK, with a total value of $126 million. Cross-blockchain bridges, like Multichain, have become a popular target for hackers. This incident highlights the need for enhanced security measures within the crypto industry to protect against such attacks.

USB attacks have seen a significant increase in the first half of 2023, according to a report by Mandiant. The report identifies two new USB attack campaigns: SOGU and SNOWYDRIVE. These campaigns use a USB drive for initial infection and propagation, installing malware that steals sensitive information from the host system. SOGU, in particular, has targeted various sectors globally, including pharmaceutical, IT, energy, communications, and healthcare organizations. USB campaigns pose a particular threat as they can target air-gapped systems that have no connection to the internet. The most well-known example of a USB-based attack is the Stuxnet worm, which targeted Iranian nuclear facilities.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have released a joint Cybersecurity Advisory regarding a Chinese cyberespionage campaign targeting government officials. The advisory calls for increased monitoring and logging of activity in Microsoft Exchange Online environments, especially for organizations operating critical infrastructure. This comes after Microsoft announced in a blog post that approximately 25 organizations had their email accounts compromised by forged authentication tokens. The US Commerce and State Departments were among the targeted agencies, with the email account of US Commerce Secretary Gina Raimondo being compromised.
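As an added illustration of the kind of Exchange Online monitoring the advisory calls for (example code written for this page, not from Microsoft, CISA or the advisory), the following scans exported mailbox-access audit records and flags access from client app IDs that are not on an allowlist, or a single app/IP pair reading several mailboxes. The records and app IDs are constructed placeholders; the `MailItemsAccessed` operation and field names follow the Microsoft 365 Unified Audit Log export format as assumed here.

```python
import json
from collections import defaultdict

# Constructed sample audit records (not real data). Field names follow the
# Unified Audit Log export as assumed here; the app IDs are placeholders.
SAMPLE_LOG = """
{"CreationTime":"2023-06-16T08:01:10","Operation":"MailItemsAccessed","UserId":"alice@example.gov","ClientAppId":"APP-OUTLOOK-PLACEHOLDER","ClientIPAddress":"203.0.113.10"}
{"CreationTime":"2023-06-16T08:02:30","Operation":"MailItemsAccessed","UserId":"bob@example.gov","ClientAppId":"APP-UNKNOWN-PLACEHOLDER","ClientIPAddress":"198.51.100.7"}
{"CreationTime":"2023-06-16T08:02:45","Operation":"MailItemsAccessed","UserId":"carol@example.gov","ClientAppId":"APP-UNKNOWN-PLACEHOLDER","ClientIPAddress":"198.51.100.7"}
{"CreationTime":"2023-06-16T08:03:00","Operation":"Set-Mailbox","UserId":"admin@example.gov","ClientAppId":"APP-OUTLOOK-PLACEHOLDER","ClientIPAddress":"203.0.113.10"}
"""

# Allowlist of client app IDs the organization expects to read mail (placeholder).
KNOWN_APP_IDS = {"APP-OUTLOOK-PLACEHOLDER"}


def parse_records(text):
    """Parse newline-delimited JSON audit records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def find_suspicious_access(records, known_app_ids, mailbox_threshold=2):
    """Return findings for MailItemsAccessed events that look anomalous.

    Two checks: (1) the accessing client app ID is not on the allowlist,
    (2) one (app, source IP) pair read at least `mailbox_threshold` distinct
    mailboxes, which is how a forged-token actor reading many accounts shows up.
    """
    findings = []
    mailboxes_by_source = defaultdict(set)
    for rec in records:
        if rec.get("Operation") != "MailItemsAccessed":
            continue  # other operations are out of scope for this check
        app = rec.get("ClientAppId", "")
        if app not in known_app_ids:
            findings.append(("unknown_app", rec["UserId"], app))
        mailboxes_by_source[(app, rec.get("ClientIPAddress"))].add(rec["UserId"])
    for (app, ip), users in mailboxes_by_source.items():
        if len(users) >= mailbox_threshold:
            findings.append(("multi_mailbox", f"{app}@{ip}", len(users)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_access(parse_records(SAMPLE_LOG), KNOWN_APP_IDS):
        print(finding)
```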

In the ongoing Russia-Ukraine hybrid war, Russia is pursuing a “sovereign Internet” as it seeks to establish a protected and controllable cyberspace. However, the program has faced difficulties, with a recent test resulting in widespread outages among Russian websites. The sovereign Internet project aims to give the Russian government greater control over external connections, monitor domestic traffic, and provide domestic alternatives to foreign hardware and software. Russia has responded to Ukraine’s counteroffensive in the cyber domain with a surge in cyberattacks. The GRU, Russia’s military intelligence service, has been actively involved in these operations using a well-thought-out and repeatable process.

In terms of software security, Progress Software has issued patches for three security flaws affecting MOVEit Transfer. The vulnerabilities could potentially allow an attacker to execute arbitrary code and gain unauthorized access to the system. It is recommended that users update their software to the latest version to mitigate the risks associated with these vulnerabilities.

Overall, these recent incidents highlight the ongoing cybersecurity threats faced by organizations globally, emphasizing the need for robust security measures and constant vigilance in the face of evolving cyber threats.
