CISA Says Russian Hackers Compromised Agencies Using Stolen Microsoft Emails

Sisense hackers have access to all customer credentials, Biden eyes wider Kaspersky Lab ban, Threat actors targeted LastPass with deepfake audio, Palo Alto says hackers are exploiting high severity vulnerability, Vulnerability in server hardware due to supply chain software will never be fixed, Ukraine hackers shut off sensors in Moscow sewage network, D-Link NAS exploits escalate, French cities hit by large-scale attack, much more

The Cybersecurity and Infrastructure Security Agency (CISA) issued a rare binding directive to an undisclosed number of government agencies requiring them to change any log-ins that were taken and investigate what else might be at risk following the January disclosure by Microsoft that the Russian state hacking group Midnight Blizzard exfiltrated email correspondence between Federal Civilian Executive Branch (FCEB) agencies and Microsoft through a successful compromise of Microsoft corporate email accounts.

CISA said the “successful compromise of Microsoft corporate email accounts and the exfiltration of correspondence between agencies and Microsoft presents a grave and unacceptable risk to agencies. This Emergency Directive requires agencies to analyze the content of exfiltrated emails, reset compromised credentials, and take additional steps to ensure authentication tools for privileged Microsoft Azure accounts are secure.”

The warning expands the possible fallout from a breach that Microsoft disclosed in January to the government and major corporate customers, including some who resell Microsoft products to others. The software giant said a month ago that the hackers might be targeting those it emailed with.

During a briefing with reporters, CISA said it is unclear whether the hackers, associated with Russia's foreign intelligence service, the SVR, had obtained anything from the exposed agencies. Microsoft tracks the group as Midnight Blizzard, while other security vendors call it Cozy Bear or APT29.

The officials declined to say how many agencies received the warning, noting that the company was still determining what had happened and could find more government targets.

CISA did not spell out the extent of any risks to national interests. However, Eric Goldstein, executive assistant director for cybersecurity, said, “The potential for exposure of federal authentication credentials to the Midnight Blizzard actor does pose an exigent risk to the federal enterprise, hence the need for this directive and the actions therein.”

Agencies must report the status to CISA across all required actions by 11:59 PM April 8, 2024, provide a status update to CISA by 11:59 PM May 1, 2024, and, as applicable, provide weekly updates on remediation actions for authentication compromises until completion. CISA will provide agencies with a reporting template and reporting instructions. (Joseph Menn / Washington Post)

Following an announcement by business intelligence company Sisense that “certain Sisense company information may have been made available on what we have been advised is a restricted access server” and an alert by CISA that it is taking an active role in investigating that incident, sources said the breach appears to have started when the attackers somehow gained access to the company’s GitLab code repository, which contained a token or credential that gave the threat actors access to Sisense’s Amazon S3 buckets in the cloud.

Sisense was using the self-managed version of GitLab. The sources said the attackers used the S3 access to copy and exfiltrate several terabytes of Sisense customer data, which included millions of access tokens, email account passwords, and even SSL certificates. This means the unknown attackers have all of the credentials Sisense customers use in their dashboards.

Sisense’s CISO, Sangram Dash, directly updated customers. The company's latest advice is far more detailed than earlier guidance and involves resetting a potentially large number of access tokens across multiple technologies, including Microsoft Active Directory credentials, Git credentials, web access tokens, and any single sign-on (SSO) secrets or tokens. (Brian Krebs / Krebs on Security)
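The chain the sources describe (a cloud credential sitting in a code repository, then used to drain S3) is exactly what a pre-commit or scheduled secret scan is meant to catch. The following is an added example, not Sisense's or GitLab's code: a small scanner that walks an in-memory snapshot of repository files and reports credential-shaped strings by file and line, redacting the value in its output. The AWS key formats and the `glpat-` GitLab token prefix are publicly documented; the secret-key rule is a looser heuristic keyed on the variable name, and the sample files are constructed (the AWS values are Amazon's own documentation placeholders).

```python
import re

# Credential shapes an intruder would grep for once inside a repo. The AWS
# access-key-ID prefixes (AKIA/ASIA + 16 uppercase alphanumerics) and the
# GitLab personal-access-token prefix (glpat-) are publicly documented formats;
# the secret-key rule is a looser heuristic keyed on the variable name.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['\"]?([A-Za-z0-9/+=]{40})"
    ),
    "gitlab_pat": re.compile(r"\bglpat-[A-Za-z0-9_-]{20,}\b"),
}


def redact(secret: str) -> str:
    """Keep just enough of a match to locate it without re-leaking it in a report."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "..." + secret[-4:]


def scan_text(path: str, text: str) -> list:
    """Return one finding per credential-looking match, with file and line number."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                # Rules with a capture group report the captured secret, not the
                # surrounding variable name.
                secret = m.group(1) if m.lastindex else m.group(0)
                findings.append(
                    {"file": path, "line": lineno, "type": name, "match": redact(secret)}
                )
    return findings


def scan_repo(files: dict) -> list:
    """Scan an in-memory {path: contents} snapshot; swap in os.walk/open for a real checkout."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repo. The AWS values are Amazon's documentation placeholders
# and the GitLab token is a made-up string of the right shape; none is a live secret.
SAMPLE_FILES = {
    ".gitlab-ci.yml": (
        "variables:\n"
        "  AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE\n"
        "  AWS_SECRET_ACCESS_KEY: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        "export GITLAB_TOKEN=glpat-xxxxxxxxxxxxxxxxxxxx\n"
        "aws s3 sync ./build s3://example-bucket/\n"
    ),
    "README.md": "No secrets here.\n",
}

if __name__ == "__main__":
    for f in scan_repo(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']}  {f['type']}  {f['match']}")
```

A scanner like this only tells you a token is present; the remediation the Sisense advice describes (revoke and reissue, rather than just delete the line) still has to follow, because the value lives on in repository history and in whoever already cloned it.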

According to officials familiar with the matter, the Biden administration is preparing to take the unusual step of issuing an order that would prevent US companies and citizens from using software made by major Russian cybersecurity firm Kaspersky Lab because of national security concerns.

US officials have for years alleged that the Russian government could force Kaspersky Lab to hand over data or use its anti-virus software to attempt to carry out hacking or surveillance of Americans, accusations that Kaspersky Lab strenuously denies.

The move to ban Kaspersky Lab, which is being finalized and could happen as soon as this month, would use relatively new Commerce Department authorities built on executive orders signed by Presidents Joe Biden and Donald Trump to prohibit Kaspersky Lab from providing certain products and services in the US, the sources said.

US government agencies are already banned from using Kaspersky Lab software, but action to prevent private companies from using the software would be unprecedented. The sources cautioned that nothing is final until it is announced, but the Commerce Department has made an “initial determination” to prohibit certain transactions between the Russian company and US persons.

The sources familiar with the policy process said that one goal of the order would be to mitigate any risk to critical US infrastructure. A draft of the initial determination to prohibit specific Kaspersky software that circulated last year applied to US persons but could have been amended, according to a source who viewed the draft. (Sean Lyngaas / CNN)

Password management company LastPass revealed that threat actors targeted one of its employees in a voice phishing attack, using deepfake audio to impersonate Karim Toubba, the company's Chief Executive Officer.

However, while some researchers indicate that 25% of people fall for deepfake audio, the LastPass employee didn't, in part because the attacker reached out over WhatsApp, an uncommon channel for business communication.

"In our case, an employee received a series of calls, texts, and at least one voicemail featuring an audio deepfake from a threat actor impersonating our CEO via WhatsApp," LastPass intelligence analyst Mike Kosak said.

"As the attempted communication was outside of normal business communication channels and due to the employee’s suspicion regarding the presence of many of the hallmarks of a social engineering attempt (such as forced urgency), our employee rightly ignored the messages and reported the incident to our internal security team so that we could take steps to both mitigate the threat and raise awareness of the tactic both internally and externally."

LastPass' warning follows a US Department of Health and Human Services (HHS) alert issued last week regarding cybercriminals targeting IT help desks using social engineering tactics and AI voice cloning tools to deceive their targets. (Sergiu Gatlan / Bleeping Computer)

Cybersecurity giant Palo Alto Networks warned that threat actors are exploiting a critical OS command injection vulnerability to execute arbitrary code on Palo Alto Networks firewalls in a limited number of attacks.

The security defect, tracked as CVE-2024-3400 and assigned a severity score of 10 out of 10, was identified in the GlobalProtect feature of PAN-OS, the operating system running on Palo Alto Networks appliances.

“A command injection vulnerability in the GlobalProtect feature of Palo Alto Networks PAN-OS software for specific PAN-OS versions and distinct feature configurations may enable an unauthenticated attacker to execute arbitrary code with root privileges on the firewall,” the company notes.

The vulnerability was identified in PAN-OS versions 10.2, 11.0, and 11.1. The company’s Panorama appliances, Cloud NGFW, and Prisma Access solutions are not impacted. The issue, Palo Alto Networks says, exists only if both the GlobalProtect gateway and the device telemetry configurations are enabled.

The company says it is currently working on patches for the flaw, which will be included in PAN-OS versions 10.2.9-h1, 11.0.4-h1, and 11.1.2-h3. The security updates are expected to be released by the end of this week.

In the meantime, Palo Alto Networks customers can go to Network > GlobalProtect > Gateways from the firewall’s web interface to check whether a GlobalProtect gateway has been configured. Customers should go to Device > Setup > Telemetry to verify whether device telemetry has been enabled.

Mitigations are available for customers with a Threat Prevention subscription. Exploitation can also be prevented by applying vulnerability protection on the GlobalProtect interface and disabling device telemetry until fixes are applied.
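For anyone with more than a handful of firewalls, the two manual console checks above and the three fixed builds translate naturally into an inventory script. The following is an added example, not Palo Alto Networks' tooling: it parses PAN-OS version strings including the `-hN` hotfix suffix, compares each firewall against the fixed build for its release train, and applies the advisory's stated precondition (GlobalProtect gateway configured and device telemetry enabled). It assumes that later maintenance releases on the same train also carry the fix, and the inventory at the bottom is constructed; the gateway and telemetry flags would come from the checks described above.

```python
import re

# Fixed builds as stated in the advisory summary above; anything lower on the
# same release train is treated as vulnerable. Assumption: later maintenance
# releases on a train (e.g. 10.2.10) also carry the fix.
FIXED_BUILDS = {"10.2": "10.2.9-h1", "11.0": "11.0.4-h1", "11.1": "11.1.2-h3"}

VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-h(\d+))?$")


def parse_version(version: str) -> tuple:
    """Turn '10.2.9-h1' into (10, 2, 9, 1); a missing hotfix counts as 0."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version string: {version!r}")
    major, minor, maint, hotfix = m.groups()
    return (int(major), int(minor), int(maint), int(hotfix or 0))


def assess(version: str, gp_gateway_configured: bool, telemetry_enabled: bool) -> tuple:
    """Classify a firewall against CVE-2024-3400 using the advisory's own conditions.

    Returns (status, reason), where status is one of
    'not_listed', 'fixed', 'precondition_unmet', 'vulnerable'.
    """
    parsed = parse_version(version)
    train = f"{parsed[0]}.{parsed[1]}"
    if train not in FIXED_BUILDS:
        return ("not_listed", f"PAN-OS {train} is not one of the trains named in the advisory")
    fixed = FIXED_BUILDS[train]
    if parsed >= parse_version(fixed):
        return ("fixed", f"{version} is at or above {fixed}")
    if not (gp_gateway_configured and telemetry_enabled):
        missing = "GlobalProtect gateway" if not gp_gateway_configured else "device telemetry"
        return ("precondition_unmet", f"vulnerable build, but {missing} is not enabled; patch anyway")
    return ("vulnerable", f"{version} is below {fixed} with gateway and telemetry enabled")


if __name__ == "__main__":
    # Constructed inventory: (hostname, version, gateway configured, telemetry enabled).
    inventory = [
        ("fw-edge-01", "10.2.8", True, True),
        ("fw-edge-02", "11.1.2-h3", True, True),
        ("fw-dc-01", "11.0.4", True, False),
        ("fw-lab", "10.1.11", True, True),
    ]
    for host, ver, gw, tel in inventory:
        status, reason = assess(ver, gw, tel)
        print(f"{host:12} {ver:12} {status:18} {reason}")
```

Treat `precondition_unmet` as a scheduling hint, not a pass: the build is still vulnerable, and a later configuration change would expose it.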

Threat intelligence and incident response firm Volexity has been credited for reporting CVE-2024-3400, but the company has yet to release any information on the attacks exploiting the vulnerability. (Ionut Arghire / Security Week)

Researchers at Binarly report that hardware sold for years by Intel, Lenovo, and Supermicro contains a remotely exploitable vulnerability that will never be fixed due to a supply chain snafu involving open-source software package Lighttpd and hardware from multiple manufacturers that directly or indirectly incorporated it into their products.

The lapse has resulted in Intel, Lenovo, and Supermicro shipping server hardware that contains a vulnerability that can be exploited to reveal security-critical information. However, the researchers warned that any hardware that incorporates certain generations of baseboard management controllers made by Duluth, Georgia-based AMI, or Taiwan-based ATEN is also affected.

BMCs are tiny computers soldered into the motherboard of servers that allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of servers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control every other aspect of the system, even when it's turned off. BMCs provide what’s known in the industry as “lights-out” system management. AMI and ATEN are two of several makers of BMCs.

For years, BMCs from multiple manufacturers have incorporated vulnerable versions of open-source software known as lighttpd. Lighttpd is a fast, lightweight web server compatible with various hardware and software platforms. It’s used in various wares, including embedded devices like BMCs, to allow remote administrators to control servers remotely with HTTP requests.

In 2018, lighttpd developers released a new version that fixed “various use-after-free scenarios,” an oblique reference to a class of memory-safety bugs that can often be exploited remotely to corrupt or disclose the affected software's memory. The release notes didn’t use the word “vulnerability” and didn’t assign a CVE identifier, as is customary for a security fix, so downstream consumers had no signal that they needed to update.

BMC makers, including AMI and ATEN, were using affected versions of lighttpd when the vulnerability was fixed and continued doing so for years, Binarly researchers said. Server manufacturers, in turn, continued putting the vulnerable BMCs into their hardware over the same multi-year period. Binarly has identified three server makers: Intel, Lenovo, and Supermicro. Hardware sold by Intel as recently as last year is affected. Binarly said that neither Intel nor Lenovo plans to release fixes because they no longer support the affected hardware. Affected products from Supermicro are still supported. (Dan Goodin / Ars Technica)

Blackjack, a Ukrainian hacker group affiliated with the Security Service of Ukraine (SBU), said it had launched a cyberattack on Moskollector, which operates the communication system for Moscow’s sewage network.

Unnamed government sources told Ukrainian news outlet LIGA.net that Blackjack managed to shut off 87,000 alarm sensors throughout Moscow and the surrounding suburbs, preventing the company from responding to emergency events. The source also claimed that Blackjack destroyed 70 servers and at least 90 terabytes of company data, including emails, backup copies, and contracts.

“Now the operation of the object of critical infrastructure of Moscow is completely blocked, the company cannot respond to accidents and emergency events. It will take 15 to 30 days to restore its functioning,” the source told LIGA.net.

“We wish Moscow various man-made disasters these days,” the source added.

While initial reports attached a screenshot of the hacked main page, Moskollector’s website is now up and running. (Kyiv Post)

Screenshot of hacked main page. Liga.net.

Researchers at GreyNoise and ShadowServer report that hackers are actively exploiting a pair of recently discovered vulnerabilities to commandeer network-attached storage devices manufactured by D-Link remotely.

The vulnerability pair, found in the devices' nas_sharing.cgi programming interface, provides an ideal recipe for remote takeover. The first, tracked as CVE-2024-3272 and carrying a severity rating of 9.8 out of 10, is a backdoor account enabled by credentials hardcoded into the firmware. The second is a command-injection flaw tracked as CVE-2024-3273, with a severity rating of 7.3. It can be remotely triggered with a simple HTTP GET request.

Greynoise researchers say that the activity began around 02:17 UTC on Sunday. The attacks attempted to download and install one of several pieces of malware on vulnerable devices depending on their specific hardware profile. One such piece of malware is flagged under various names by 40 endpoint protection services.

Shadowserver reported seeing scanning or exploits from multiple IP addresses but didn’t provide additional details.

The best defense against these attacks and others like them is to replace hardware once it reaches end of life. Barring that, users of EoL devices should at least ensure they’re running the most recent firmware. D-Link provides a dedicated support page for legacy devices so owners can locate the latest firmware. Another effective protection is to disable UPnP and connections from remote Internet addresses unless they’re absolutely necessary and configured correctly. (Dan Goodin / Ars Technica)
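Because both D-Link flaws are reached through a single CGI script over plain HTTP GET, any web log in front of the device gives a cheap detection signal. The following is an added example, not D-Link's, GreyNoise's, or Shadowserver's code: it parses combined-format access log lines, flags requests to nas_sharing.cgi, optionally tolerates RFC 1918 sources (legitimate LAN sharing traffic) while reporting anything Internet-sourced, and tallies hits per client IP. The `/cgi-bin/` prefix and all sample lines are constructed, with query strings redacted so the example shows detection rather than exploitation.

```python
import ipaddress
import re
from collections import Counter
from typing import Optional

# Combined log format, as written by Apache/nginx or a reverse proxy in front of the NAS.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The CGI script named in the write-up. The /cgi-bin/ prefix in the sample lines is
# an assumption; matching on the script name alone avoids depending on it.
SUSPECT_SCRIPT = "nas_sharing.cgi"

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 addresses. Deliberately not ipaddress.is_private, which also
    flags documentation ranges such as 203.0.113.0/24 used in the sample below."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_line(line: str) -> Optional[dict]:
    """Split one access-log line into fields; None if it is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["script"], _, rec["query"] = rec["path"].partition("?")
    return rec


def detect(lines, internal_ok: bool = True) -> list:
    """Flag requests that reach nas_sharing.cgi. With internal_ok=True, LAN clients are
    tolerated (legitimate sharing traffic); any Internet-sourced hit is reported."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["script"].endswith("/" + SUSPECT_SCRIPT):
            continue
        if internal_ok and is_internal(rec["ip"]):
            continue
        hits.append(rec)
    return hits


def summarize(hits) -> dict:
    """Hit count per source IP, ready for a block list or a SIEM alert."""
    return dict(Counter(h["ip"] for h in hits))


# Constructed log lines (documentation IP ranges; query strings redacted so this
# demonstrates detection, not an exploit).
SAMPLE_LOG = [
    '203.0.113.5 - - [07/Apr/2024:02:17:41 +0000] "GET /cgi-bin/nas_sharing.cgi?redacted=1 HTTP/1.1" 200 512 "-" "curl/7.88.1"',
    '198.51.100.9 - - [07/Apr/2024:02:18:03 +0000] "GET /cgi-bin/nas_sharing.cgi?redacted=1 HTTP/1.1" 200 120 "-" "python-requests/2.31"',
    '192.168.1.20 - - [07/Apr/2024:02:19:10 +0000] "GET /cgi-bin/nas_sharing.cgi?redacted=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [07/Apr/2024:02:19:30 +0000] "GET /web/login.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [07/Apr/2024:02:20:00 +0000] "GET /cgi-bin/nas_sharing.cgi?redacted=1 HTTP/1.1" 200 512 "-" "curl/7.88.1"',
]

if __name__ == "__main__":
    hits = detect(SAMPLE_LOG)
    for ip, n in summarize(hits).items():
        print(f"{ip}: {n} request(s) to {SUSPECT_SCRIPT} from outside RFC 1918 space")
```

Any Internet-sourced hit on this script is worth an alert regardless of the response code, since the backdoor account means a 200 is exactly what a successful attack looks like; on an end-of-life device the only durable fix is still the one the paragraph above gives.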

Five municipalities near the river Loire on the west coast of France were hit by a “large-scale cyberattack” on their shared computer servers, leaving staff unable to access documents or continue with their work.

According to a statement on the Saint-Nazaire website, services are currently down across Saint-Nazaire, Montoir-de-Bretagne, Donges, La Chapelle-des-Marais, and Pornichet. Clustered around a seaport, they have a combined population of around 100,000.

Officials have warned local media that recovery may take months. The mayor of Saint-Nazaire is chairing crisis meetings, which are currently held twice a day, at 11 AM and 5 PM. France’s cybersecurity agency, ANSSI, is providing support.

According to the Saint-Nazaire announcement, the attack took place on Tuesday night. Officials at the affected local authorities cannot access their workspaces, files, or business software. Local media reported that when staff arrived on Wednesday morning, they were instructed not to turn on their computers or use their mobile phones to check their inboxes.

Mayor David Samzun warned that the attack would have “significant consequences.” The municipalities' email and phone systems are currently down. It is unclear what has been taken down as a security precaution and what services are down due to the attack.

The nature of the incident has not been confirmed, nor whether the attackers were able to steal residents’ data. “At this stage, the origin of the cyber attack is unknown, as is the duration of the blockage,” the local authority stated. (Alexander Martin / The Record)

Crypto payment platform Ripple Labs has issued another warning to its community, reminding them to remain cautious of phishing links and deepfakes.

Ripple shared a demonstration video on X to show how certain scammers have been impersonating key members of the firm, like Brad Garlinghouse, its CEO. According to the illustrations in the demo, bad actors clone the image, voice, and even gestures of their target individual to gain the trust of unsuspecting victims.

Next, they promise Ripple users an XRP giveaway or even an XRP-doubling program. These fake giveaways promise as much as 500-1,000 XRP tokens, with 1 XRP worth $0.6114, according to the coin's market price at the time of this writing.

Ripple Labs has called the attention of its community to the fact that the company will never make such requests from its users. In addition to this statement, the crypto firm also clarified that neither its CEO Garlinghouse nor any individuals associated with Ripple will ask users to transfer their XRP to be doubled. (Godfrey Benjamin / CoinGape)

Related: Forbes

A 36-year-old Japanese man was arrested for selling hacked Pokémon data for Pokémon Scarlet and Violet.

Modifying save files and distributing edited save data is illegal in Japan and constitutes a violation of the Unfair Competition Prevention Act. (A save file stores a player's game progress and data, such as their Pokémon, so that it can be restored later.)

Police have established that the suspect had been using a special tool to illegally modify the abilities of Pokémon from Pokémon Violet and sell them. The hacked Pokémon were sold between December 2022 and March 2023 for up to 13,000 yen (about $90) each via a website for buying and selling video game items and characters.

According to the report, police cyber patrol caught the man taking custom orders for rare and difficult-to-train Pokémon from buyers and offering deals such as “6 Pokémon for only $30.” The man has reportedly admitted to the charges, explaining that he did it to earn a living.

The investigation is ongoing, as police suspect the total profit from illegal sales may amount to millions of yen. (Amber V / Automaton)

Knostic, a company providing need-to-know-based access control for LLMs, has announced that it has raised $3.3 million in pre-seed funding.

Backers included Shield Capital, Pitango First, DNX Ventures, and Seedcamp, as well as angel investors Kevin Mahaffey (Lookout), David Cross (Rain Capital), Bryson Bort (SCYTHE), Travis McPeak (Resourcely), Matthew Honea (Forward Networks), and others. (James Spiro / Calcalist)

Cloud cybersecurity vendor Zscaler announced plans to acquire Airgap Networks, a venture-backed startup selling network segmentation and secure access technologies.

Zscaler said the plan is to combine its Zero Trust SD-WAN suite with Airgap’s technology to protect so-called east-west traffic in branch offices, campuses, factories, and plants with critical IT infrastructure. (Ryan Naraine / Security Week)

Best Thing of the Day: Let’s Hope They Have Enough Analysts to Handle the Flood of Submissions.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new version of "Malware Next-Gen” and is now allowing the public to submit malware samples for analysis by CISA.

Worst Thing of the Day: You Think It’s a Badge of Shame? Too Bad.

X will no longer allow users to hide their blue checks, regardless of whether they paid for premium or not.

Closing Thought