Stay updated on the latest cybersecurity news, featuring crucial insights into emerging threats and email protection measures with our weekly cybersecurity bulletin. Let’s take a look!

France Reports Breach by Russian State Hackers Across Multiple Vital Networks

The Russian APT28 hacking group, known as ‘Strontium’ or ‘Fancy Bear,’ has been relentlessly targeting a wide range of entities in France since the latter half of 2021.

Considered an integral part of Russia’s military intelligence service GRU, APT28 was recently implicated in exploiting CVE-2023-38831, a Remote Code Execution (RCE) vulnerability in WinRAR, and CVE-2023-23397, a zero-day privilege elevation flaw in Microsoft Outlook.

ANSSI’s investigations unveiled APT28’s sophisticated techniques. Between March 2022 and June 2023, APT28 exploited the then zero-day vulnerability, now identified as CVE-2023-23397, by sending emails to Outlook users. The core objective of these zero day attacks lies in data access and exfiltration. ANSSI observed these threat actors retrieving authentication details using native utilities and pilfering emails containing sensitive information and correspondence.

 

 

Microsoft Issues Warning as Scattered Spider Broadens Tactics from SIM Swaps to Ransomware Attacks

The threat actor, Scattered Spider (Octo Tempest), has been observed adopting a cunning strategy in targeted organizations. They impersonate newly hired employees, seamlessly blending into standard on-hire procedures. This facade enables them to take over accounts and breach organizations worldwide.

Microsoft, shedding light on the activities of this financially motivated hacking crew, labeled them as “one of the most formidable financial criminal groups.” Microsoft emphasized its operational flexibility, integrating SMS phishing, SIM swapping, and help desk fraud into its attack model seamlessly. Their ransomware attack campaigns feature Adversary-in-The-Middle (AiTM) techniques, social engineering, and SIM-swapping capabilities.

One of their signature techniques involves social engineering attacks on support and help desk personnel. Their methods range from purchasing employee credentials on the criminal underground market to direct social engineering. They convince users to install Remote Monitoring and Management (RMM) utilities, visit fake login portals using AiTM phishing toolkits, or even remove their FIDO2 tokens.

In a sinister evolution, Octo Tempest widened their targets to include email and tech service providers, gaming, hospitality, retail, Managed Service Providers (MSPs), manufacturing, technology, and financial sectors. Their end goals vary, ranging from cryptocurrency theft to data exfiltration for extortion and ransomware deployment.

 

Cybersecurity Threats

 

Tortoiseshell, an Iranian Cyber Group, Unleashes Fresh Wave of IMAPLoader Malware Attacks

The Iranian threat actor, Tortoiseshell, has recently been linked to multiple watering hole malware attacks where a strain named IMAPLoader is deployed to target systems.

IMAPLoader, described as a .NET malware, possesses the capability to identify victim systems using native Windows utilities. It acts as a downloader for subsequent payloads, leveraging email as a Command-and-Control (C2) channel. Notably, it can execute payloads extracted from email attachments and is activated through new service deployments. Operating since at least 2018, Tortoiseshell has a well-documented history of employing strategic website compromises to distribute malware.

IMAPLoader, in fact, has replaced a Python-based IMAP implant previously utilized by Tortoiseshell in late 2021 and early 2022. The change highlights the group’s adaptability, as the new malware exhibits similar functionality to its predecessor. The mechanism involves querying specific hard-coded IMAP email accounts. Additionally, PwC’s investigation unveiled several phishing sites created by Tortoiseshell.

High-stakes sectors like nuclear, aerospace, and defense industries in the U.S. and Europe, along with IT MSPs in the Middle East, are under imminent threat from this sophisticated threat actor.

 

European Government Email Servers Breached Utilizing Roundcube Zero-Day Exploit

The Winter Vivern Russian hacking group has been exploiting a recently discovered Roundcube Webmail zero-day vulnerability, posing a significant threat to email servers for various European government entities and think tanks since at least October 11.

The Roundcube development team swiftly released crucial security updates, addressing the Stored Cross-Site Scripting (XSS) vulnerability (CVE-2023-5631) identified by diligent ESET researchers on October 16. These security patches arrived just in time, five days after ESET uncovered Russian threat actors employing the zero-day attack in real-world attacks.

They utilized HTML email messages containing meticulously crafted SVG documents to remotely inject arbitrary JavaScript code. In their deceptive phishing attempts, these hackers impersonated the Outlook Team. Tricking unsuspecting victims into opening malicious emails, which automatically triggered a first-stage payload exploiting the Roundcube email server vulnerability.

 

Email Servers

 

Recent attacks between August and September 2023 exploited the Roundcube XSS vulnerability (CVE-2020-35730), as per ESET telemetry data. It’s worth noting that this same vulnerability was exploited by Russian APT28 military intelligence hackers.

Winter Vivern has shifted from known vulnerabilities in Roundcube and Zimbra, for which proofs of concept are available online, to using a zero-day vulnerability in Roundcube.

It would be highly beneficial to implement essential phishing protection solutions, such as advanced email filtering and security patches, and also prioritize phishing awareness training for employees to safeguard against such threats effectively.

Pin It on Pinterest

Share This