Newsletters

Ransomware groups are exploiting recently disclosed vulnerabilities in TeamCity and WS_FTP servers to breach corporate networks and ransom organizations.

The attacks are exploiting CVE-2023-42793 and CVE-2023-40044.

The first is an authentication bypass and RCE vulnerability that can allow threat actors to take full control of JetBrains TeamCity CI/CD servers. Once on the development pipeline, threat actors can pivot to other resources on a company's internal or cloud network, from where ransomware gangs can do extensive damage.

A critical vulnerability impacting more than 3.5 million Exim email servers has remained unpatched for more than 15 months in one of the most egregious instances of vulnerability disclosure snafus in recent history.

Tracked as CVE-2023-42115, the vulnerability is a no-authentication remote code execution with a severity rating of 9.8/10.

It is one of six vulnerabilities that were disclosed by Trend Micro's Zero-Day Initiative (ZDI) to the Exim project in June 2022.

Cybersecurity agencies from Japan and the US have issued a joint security  advisory about a Chinese APT group that is hacking the overseas subsidiaries of US and Japanese companies and then pivoting to their corporate headquarters.

Known as BlackTech (Palmerworm, Temp.Overboard, Circuit Panda, and Radio Panda), the group targets internet-facing routers as their entry point into victim networks.

To maintain access, the group hot-patches the router firmware with a modified version that bypasses security features and contains a built-in SSH backdoor to maintain future access.

Teenage hackers have breached systems at Caesars Entertainment and MGM Resorts International, two large US resort, entertainment and gaming companies. These incidents showcase how hacking groups comprising young people using Lapsus$-style techniques are becoming one of the greatest cyber security threats to organisations.

Both hacks had significant impact.

Caesars Entertainment reportedly paid a ransom of USD$15m after the group stole personal information from its loyalty program database, including driver licence and social security numbers. The organisation’s SEC filing uses a form of words that we suspect will become standard when paying a data extortion ransom:

The US Cybersecurity and Infrastructure Security Agency released on Monday the first version of the Hardware Bill of Materials (HBOM), a framework meant to mitigate supply chain risks for hardware/physical products.

The framework is inspired and is meant to be a complement to SBOM, a similar framework that CISA has been pushing to software vendors since the Log4Shell incident in late 2021.

Under the new HBOM framework, hardware vendors are expected to produce an HBOM file that will contain information on all physical components used in a product.

China's Ministry of State Security (MSS) published an extremely rare official statement on its WeChat account last week formally accusing the US National Security Agency of hacking and maintaining access to servers at Huawei's headquarters since 2009.

The statement is the first time the Chinese government has confirmed the NSA's Huawei hack—first reported by the New York Times and Der Spiegel back in 2014.

Based on documents from the Snowden leaks, the two reports cover Shotgiant, an NSA operation to compromise Huawei's network.

North Korean hackers known as the Lazarus Group have stolen $54 million from the CoinEx cryptocurrency exchange.

The hack took place on Tuesday, September 12. In a statement, CoinEx said the hackers identified a leak of some of its private keys and used them to steal Ether, Tron, and Matic assets from some of the company's hot wallets.

The company didn't formally link the hack to North Korea, but a blockchain investigator named ZachXBT found that some of CoinEx's stolen funds were sent to the same address that is storing funds stolen from the recent hack of the Stake.com crypto-gambling site.

Last week, Microsoft released its latest report into how its services were compromised by a China-based actor it called Storm-0558. It's an eye opening document that raises some red flags about Microsoft's security culture.

To summarise the incident briefly, Storm-0558 used a Microsoft Account (MSA) signing key to gain access to the email accounts of individuals in businesses and in government departments including the US Department of State and the US Department of Commerce. For several reasons this hack should not have worked, yet Storm-0558 was able to take advantage of multiple flaws in Microsoft processes to achieve its objectives.

From the perspective of someone who has worked in high-security environments, some of these flaws are absolutely bewildering.

The Cybersecurity and Infrastructure Security Agency (CISA) has announced it is providing free access to its official Vulnerability Scanning (VS) service to the operators of public US water and wastewater utilities.

The VS service has been running for years but has been previously available to federal civilian agencies only.

The service will help water utilities identify internet-exposed systems and see if they are vulnerable to known security bugs.

Microsoft will phase out the use of third-party printer drivers in Windows in favor of a new and more secure interface.

"In the near future, Windows will default to a new print mode that disables 3rd party drivers for printing," said Microsoft security engineer Johnathan Norman.

"That new system will have quite a few big security improvements, which we plan to detail in a future blog post."