Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 19 submissions in the queue.
posted by janrinok on Friday November 12 2021, @01:05AM   Printer-friendly

Arthur T Knackerbracket has processed the following story:

Cybersecurity firm Palo Alto Networks warned over the weekend of an ongoing hacking campaign that has already resulted in the compromise of at least nine organizations worldwide from critical sectors, including defense, healthcare, energy, technology, and education.

To breach the orgs networks, the threat actors behind this cyberespionage campaign exploited a critical vulnerability (CVE-2021-40539) in Zoho's enterprise password management solution known as ManageEngine ADSelfService Plus which allows remotely executing code on unpatched systems without authentication.

The attacks observed by Palo Alto Networks researchers started on September 17 with scans for vulnerable servers, nine days after the US Cybersecurity and Infrastructure Security Agency (CISA) warned it detected exploits used in the wild and one day after a joint advisory was published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER).

Exploitation attempts began on September 22 after five days of harvesting info on potential targets who hadn't yet patched their systems.

"While we lack insight into the totality of organizations that were exploited during this campaign, we believe that, globally, at least nine entities across the technology, defense, healthcare, energy and education industries were compromised," the researchers said.

"Through global telemetry, we believe that the actor targeted at least 370 Zoho ManageEngine servers in the United States alone. Given the scale, we assess that these scans were largely indiscriminate in nature as targets ranged from education to Department of Defense entities."

Even though the researchers are working on attributing these attacks to a specific hacking group, they suspect that this is the work of a Chinese-sponsored threat group known as APT27 (also tracked as TG-3390, Emissary Panda, BRONZE UNION, Iron Tiger, and LuckyMouse).

From https://www.microsoft.com/security/blog/2021/11/08/threat-actor-dev-0322-exploiting-zoho-manageengine-adselfservice-plus/ we read:

Microsoft Threat Intelligence Center (MSTIC) attributes this campaign with high confidence to DEV-0322, a group operating out of China, based on observed infrastructure, victimology, tactics, and procedures. MSTIC uses DEV-#### designations as a temporary name given to an unknown, emerging, or developing cluster of threat activity, allowing MSTIC to track it as a unique set of information until we can reach high confidence about the origin or identity of the actor behind the activity. Once it meets defined criteria, a DEV group is converted to a named actor.

[...] MSTIC first observed the latest DEV-0322 campaign on September 22, 2021, with activity against targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors. Following initial exploitation of CVE-2021-40539 on a targeted system, DEV-0322 performed several activities including credential dumping, installing custom binaries, and dropping malware to maintain persistence and move laterally within the network.

[...] In addition to a custom IIS module, DEV-0322 also deployed a Trojan that we are calling Trojan:Win64/Zebracon. This Trojan uses hardcoded credentials to make connections to suspected DEV-0322-compromised Zimbra email servers.

[Editor's Note: DEV-0322 is the Microsoft designation of a specific hacking group operating within the more widely known Chinese threat group identity APT27, hence the confusing attributions to different identities.]


Original Submission

Related Stories

Hospitals are at a High Risk of Cyberattacks, but Patients Don’t Realize It 28 comments

Hospitals are at a high risk of cyberattacks, but patients don't realize it:

Information technology experts are worried about increasing rates of ransomware attacks on healthcare organizations. Most patients, though, don't know they're happening, according to a new survey.

Southern Ohio Medical Center, a not-for-profit hospital in Portsmouth, Ohio, canceled appointments for today and is diverting ambulances after it was hit by a cyberattack on Thursday. It's part of a series of escalating attacks on healthcare organizations in the past two years — a trend that could have serious consequences for patient care.

But while information technology experts are well aware that the risk of cyberattacks that compromise patient data and shut down computer systems is on the rise, patients don't seem to be, according to a new report by cybersecurity company Armis. In fact, over 60 percent of people in the general public surveyed in the new report said they hadn't heard of any cyberattacks in healthcare in the past two years.

That's despite a doubling of cyberattacks on healthcare institutions in 2020, high-profile incidents like the attack on hospital chain Universal Health Services, and a major threat from groups using the ransomware Ryuk. The magnitude of attacks during the COVID-19 pandemic shocked experts, who said that ransomware gangs were targeting hospitals more aggressively than they had before. Unlike attacks on banks or schools, which are also common, these attacks have the potential to directly injure people.


Original Submission

Zimbra 0-Day Used to Target International Government Organizations 2 comments

Google's Threat Analysis Group announced a zero-day against the Zimbra Collaboration email server that has been used against governments around the world:

In June 2023, Google's Threat Analysis Group (TAG) discovered an in-the-wild 0-day exploit targeting Zimbra Collaboration, an email server many organizations use to host their email. Since discovering the 0-day, now patched as CVE-2023-37580, TAG has observed four different groups exploiting the same bug to steal email data, user credentials, and authentication tokens. Most of this activity occurred after the initial fix became public on Github. To ensure protection against these types of exploits, TAG urges users and organizations to keep software fully up-to-date and apply security updates as soon as they become available.

TAG first discovered the 0-day, a reflected cross-site scripting (XSS) vulnerability, in June when it was actively exploited in targeted attacks against Zimbra's email server. Zimbra pushed a hotfix to their public Github on July 5, 2023 and published an initial advisory with remediation guidance on July 13, 2023. They patched the vulnerability as CVE-2023-37580 on July 25, 2023.

Originally spotted on Schneier on Security.

Related: State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide


Original Submission

Chinese Malware Removed From SOHO Routers After FBI Issues Covert Commands 15 comments

https://arstechnica.com/security/2024/01/chinese-malware-removed-from-soho-routers-after-fbi-issues-covert-commands/

The US Justice Department said Wednesday that the FBI surreptitiously sent commands to hundreds of infected small office and home office routers to remove malware China state-sponsored hackers were using to wage attacks on critical infrastructure.

The routers—mainly Cisco and Netgear devices that had reached their end of life—were infected with what's known as KV Botnet malware, Justice Department officials said.

[...] "To effect these seizures, the FBI will issue a command to each Target Device to stop it from running the KV Botnet VPN process," an agency special agent wrote in an affidavit dated January 9. "This command will also stop the Target Device from operating as a VPN node, thereby preventing the hackers from further accessing Target Devices through any established VPN tunnel.

[...] The takedown disclosed Wednesday isn't the first time the FBI has issued commands to infected devices without the owners' knowledge ahead of time. In 2021, authorities executed a similar action to disinfect Microsoft Exchange servers that had been compromised by a different China-state group tracked as Hafnium.

[...] In 2018, researchers reported that more than 500,000 SOHO routers had been compromised by sophisticated malware dubbed VPNFilter. The mass hack was later revealed to be an operation by a Russian-state group tracked as Sofacy. In that event, the FBI issued an advisory urging people to restart their routers to remove any possible infections. The agency also seized a domain used to control VPNFilter.

[...] This month's takedown comes as the Chinese government has stepped up attacks in recent years to compromise routers, cameras, and other network-connected devices to target critical infrastructure. warned of the trend in May last year. Researchers in the private sector have issued similar warnings.

Previously on SoylentNews:
Backdoored Firmware Lets China State Hackers Control Routers With "Magic Packets" - 20230930
Microsoft Comes Under Blistering Criticism for "Grossly Irresponsible" Security - 20230805
Malware Turns Home Routers Into Proxies for Chinese State-Sponsored Hackers - 20230518
US Warns of Govt Hackers Targeting Industrial Control Systems - 20220415
State Hackers Breach Defense, Energy, Healthcare Orgs Worldwide - 20211111
Microsoft Exchange Server Zero Day Hack Roundup - 20210316
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
Iranian Spies Accidentally Leaked Videos of Themselves Hacking - 20200716
Hackers Can Seize Control of Ballots Cast Using the Voatz Voting App, Researchers Say - 20200215
Microsoft Takes Court Action Against Fourth Nation-State Cybercrime Group - 20191231

"state actors" search on SoylentNews for even more: https://soylentnews.org/search.pl?threshold=0&query=state+actors


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 2, Redundant) by Mockingbird on Friday November 12 2021, @01:58AM

    by Mockingbird (15239) on Friday November 12 2021, @01:58AM (#1195547) Journal

    targets that appear to be in the Defense Industrial Base, higher education, consulting services, and information technology sectors.

    And they are running Windows? It's Zoho wonder they have vulnerabilities!

  • (Score: 5, Insightful) by Runaway1956 on Friday November 12 2021, @06:37AM

    by Runaway1956 (2926) Subscriber Badge on Friday November 12 2021, @06:37AM (#1195575) Journal

    If outsiders can touch your network remotely, they will find a way to exploit it. Defense, Energy, Healthcare, and all the rest of our infrastructure is built like a house of cards on a windswept sandy beach.

    Security is a concept that upper management types will never understand, until the house of cards is blown into the sea.

  • (Score: 2) by Username on Friday November 12 2021, @10:37AM

    by Username (4557) on Friday November 12 2021, @10:37AM (#1195603)

    published by CISA, the FBI, and the United States Coast Guard Cyber Command (CGCYBER).

    Why are three different agencies doing the same thing?

  • (Score: 0) by Anonymous Coward on Friday November 12 2021, @01:22PM

    by Anonymous Coward on Friday November 12 2021, @01:22PM (#1195615)

    and they all didn't run woway or zte gear ...

(1)