Newsletters

The infamous Clop ransomware gang is exploiting a zero-day vulnerability in on-prem SysAid IT automation servers.

The attacks were discovered last week by SysAid's security team, and the company released a software update to patch the exploited bug.

Tracked as CVE-2023-47246, SysAid's team described the zero-day as a "path traversal vulnerability leading to code execution."

Last week, Microsoft announced a “Secure Future Initiative" to improve its ability to cope with increasingly sophisticated cyber security threats.

This reminds us of Microsoft's last security epiphany, the Trustworthy Computing initiative, launched in 2002. Unfortunately, compared to the clarity, focus and commitment of the Trustworthy Computing initiative, this announcement is disappointing.

In a post describing the Secure Future Initiative, Microsoft President and Vice Chair Brad Smith wrote that the new initiative was required because of the "increasing speed, scale and sophistication of cyberattacks".

Chinese state-sponsored hacking operations have undergone a major shift in recent years, with groups growing in sophistication and abandoning noisy and high-volume campaigns for stealthy and extremely targeted attacks.

If you read APT reports for a living—like this newsletter's author—then nothing in the above sentence is new to you.

Over the past two or three years, there have been numerous reports across the infosec industry about how Chinese APT group "XX" or how Chinese APT group "YY" has changed their modus operandi.

The US Treasury has sanctioned a Russian businesswoman named Ekaterina Zhdanova for helping Russian oligarchs and cybercrime gangs evade sanctions and launder stolen cryptocurrency.

Officials say Zhdanova worked as an intermediary in order to obfuscate the real nature of various illegal transactions.

She disguised operations using traditional businesses operating overseas but also used accounts at cryptocurrency platforms that did not enforce anti-money laundering (AML/CFT) controls.

The Forum of Incident Response and Security Teams (FIRST) has officially released a new version of the Common Vulnerability Scoring System (CVSS), the most widely used standard for rating the severity of software vulnerabilities using a score from 1 to 10.

With this week's release, the standard has now reached version 4.0—also more commonly known as CVSSv4.

Work on this new version began years ago and comes after a period of public comments and feedback and after a first CVSSv4 draft was presented in June at the FIRSTcon 2023 security conference.

Groups of young Lapsus$-style hackers are rapidly evolving their tradecraft and aggressively exploiting organisations in ways their victims don't expect.

A new Microsoft report describes the evolution of a group it calls Octo Tempest and charts its increasingly aggressive tactics and the rapid change in its targets. In early 2022, Octo Tempest focused on social engineering and targeting mobile providers to enable SIM-swapping crimes such as cryptocurrency theft, and selling the access gained to other criminals.

However, by early 2023, the group was targeting telecommunications, email and tech service providers, and collaborating with the ALPHV/BlackCat ransomware-as-a-service operation to extort organisations by threatening to leak stolen sensitive data.

The US Securities and Exchange Commission has filed fraud charges against software company SolarWinds and its chief information security officer, Timothy Brown.

The agency says it reviewed internal communications and security assessments and found that SolarWinds lied about its cybersecurity posture to investors for years before it was hacked in 2020.

The SEC says that for at least two years before the hack, the company—through its CISO—had learned and discussed its cybersecurity deficiencies but misrepresented the risks to investors.

A Citrix vulnerability has entered the dangerous stage of mass exploitation as multiple threat actors are compromising unpatched devices all over the internet in a race with each other to steal their session tokens.

Known as CitrixBleed and tracked as CVE-2023-4966, the vulnerability impacts Citrix ADC and Citrix NetScaler, which are extremely complex networking devices used in large enterprise and government networks in multiple roles, such as gateways, proxies, caching, VPN servers, and a bunch of other stuff.

The vulnerability allows threat actors to send junk data to the Citrix OpenID component that will crash and leak a part of the device's memory. The bad part is that, in some cases, this memory may contain session tokens that attackers can collect and then bypass authentication and access the device. For a more technical explanation, check this write-up from Assetnote researchers.

In a blog post this week, researchers with Cisco Talos have formally linked a cyber-espionage group named YoroTrooper to Kazakhstan, making it the first official APT group operating out of the country.

First spotted in the wild in June 2022, the group has followed the pattern of most nascent cyber espionage programs, starting with run-of-the-mill commodity malware and slowly moving to custom capabilities in recent attacks.

Throughout the past year, the group has primarily targeted former Soviet states in what appears to be a classic intelligence collection operation meant to support Kazakhstan's state objectives.

A purported group of pro-Ukrainian cyber activists, the Ukrainian Cyber Alliance, has disrupted an active ransomware gang, known as Trigona, by hacking and deleting the group's servers.

If a group of hacktivists can compromise a ransomware gang, these gangs are certainly susceptible to operations run by better organised and resourced state cyber outfits.

While the hacktivists’ actions will hurt, this is probably a speed hump for Trigona rather than an enduring disruption. The group claims that it will return quickly.