Security News
Microsoft Azure customers' virtual machines running Ubuntu 18.04 have been taken offline by an ongoing outage caused by a faulty systemd update. Microsoft says in an incident report published on the Azure status page that these DNS issues only affect VMs running Ubuntu 18.04.
Hackers continue to exploit the Log4j vulnerability in vulnerable applications, as shown by the Iranian 'MuddyWater' threat actor who was found targeting Israeli organizations using the SysAid software. The latest MuddyWater hacking campaign outlined in a Microsoft report yesterday constitutes the first example of leveraging vulnerable SysAid applications to breach corporate networks.
To protect the victim's account, the organization had implemented Microsoft MFA through the Microsoft Authenticator app, which should have stopped any use of stolen credentials. Microsoft MFA doesn't always require a second form of authentication.
Microsoft has discovered a new malware used by the Russian hacker group APT29 that enables authentication as anyone in a compromised network. Dubbed 'MagicWeb', the new malicious tool is an evolution of 'FoggyWeb', which allowed hackers to exfiltrate the configuration database of compromised Active Directory Federation Services servers, decrypt token-signing and token-decryption certificates, and fetch additional payloads from the command and control server.
The threat actor behind the SolarWinds supply chain attack has been linked to yet another "Highly targeted" post-exploitation malware that could be used to maintain persistent access to compromised environments. "Nobelium remains highly active, executing multiple campaigns in parallel targeting government organizations, non-governmental organizations, intergovernmental organizations, and think tanks across the US, Europe, and Central Asia," Microsoft said.
A new business email compromise campaign has been discovered combining sophisticated spear-phishing with Adversary-in-The-Middle tactics to hack corporate executives' Microsoft 365 accounts, even those protected by MFA. By accessing accounts of high-ranking employees like CEOs or CFOs of large organizations, the threat actors can monitor communications and respond to emails at the right moment to divert a large transaction to their bank accounts. The phishing emails sent in these attacks tell the target that the corporate bank account they usually send payments to has been frozen due to a financial audit, enclosing new payment instructions that switch to the account of an alleged subsidiary.
More recently, Mandiant and Mitiga researchers have documented different approaches that allow attackers touse Microsoft MFA to their advantage. Attackers take over dormant Microsoft accounts and set up MFA. Douglas Bienstock, an IR manager at Mandiant, shared last week a new tactic by APT29 and other threat actors that involves taking advantage of the self-enrollment process for MFA in Azure Active Directory and other platforms.
Microsoft has described a severe ChromeOS security vulnerability that one of its researchers reported to Google in late April. Microsoft's write-up is noteworthy both for the severity of the bug and for flipping of the script - it has tended to be Google, particularly its Project Zero group, that calls attention to bugs in Microsoft software.
Resecurity, a Los Angeles-based cybersecurity company protecting Fortune 500 worldwide, identified a new RAT advertised in Dark Web and Telegram called Escanor. The threat actors offer Android-based and PC-based versions of RAT, along with HVNC module and exploit builder to weaponize Microsoft Office and Adobe PDF documents to deliver malicious code.
The state-backed Russian cyberespionage group Cozy Bear has been particularly prolific in 2022, targeting Microsoft 365 accounts in NATO countries and attempting to access foreign policy information. Mandiant, who has been tracking the activities of Cozy Bear, reports that the Russian hackers have been vigorously targeting Microsoft 365 accounts in espionage campaigns.