Microsoft, in partnership with the US and Polish governments, has taken steps to disrupt and mitigate a widespread campaign by the Russian nation-state threat actor Midnight Blizzard targeting TeamCity servers using the publicly available exploit for CVE-2023-42793. Microsoft's October analysis of North Korean actors' exploitation of TeamCity CVE-2023-42793 is linked below. Additional related details from the US and Polish governments are also linked below.

Following exploitation, Midnight Blizzard uses scheduled tasks to keep a variant of VaporRage malware persistent. The VaporRage variant, which is similar to malware deployed by the threat actor in recent phishing campaigns, abuses Microsoft OneDrive and Dropbox for C2. Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of the tunneling tool rsockstun, and turning off antivirus and EDR capabilities. In addition to disrupting the abuse of Microsoft OneDrive for command and control, Microsoft Defender Antivirus and Microsoft Defender for Endpoint protect customers against this and other Midnight Blizzard malware.

Although many of the compromises appear to be opportunistic, affecting unpatched Internet-facing TeamCity servers, Microsoft continues to work with the international cybersecurity community to mitigate the potential risk to software supply chain ecosystems. We are especially grateful to our partners in the international cybersecurity community for their collaboration on this investigation.

[edited/updated links]
https://lnkd.in/eejCCtcH
https://lnkd.in/eB5ptTsY
https://lnkd.in/eG3s2n42

Midnight Blizzard is the latest nation-state threat actor observed exploiting the TeamCity CVE-2023-42793 vulnerability. In October, the North Korean threat actors Diamond Sleet and Onyx Sleet exploited the same vulnerability in separate attacks: https://lnkd.in/gUv4SU24
Jeremy Dallman’s Post
More Relevant Posts
🌐 DarkGate Surge: BattleRoyal Cluster Raises Cybersecurity Alarms! 🚨🛑 Security researchers issue a stark warning about DarkGate's resurgence through the BattleRoyal cluster, orchestrating at least 20 email campaigns with sophisticated tactics. The actor demonstrates a keen focus on exploiting CVE-2023-36025, a Windows SmartScreen vulnerability, even before its public disclosure by Microsoft. 🔍 Evolving from DarkGate to NetSupport, the BattleRoyal cluster showcases a unique trend in cybercriminal tactics, utilizing multiple attack chains and social engineering techniques. 🔐 Defend your digital fortress with MAD Security! Act now for robust cybersecurity. 🛡️ #DarkGateThreat #BattleRoyalCluster #CybersecurityAlert #ThreatLandscape #ProtectYourNetwork
Be Aware! Cozy Bear Hackers Roaming Cyberspace 🌐
Microsoft has issued a crucial alert: the notorious Cozy Bear hackers, responsible for cyberattacks on their systems in late 2023, are expanding their targets! They're currently prowling for vulnerabilities in other organizations, and you could be next ⏭️.
Who are Cozy Bear? 🐻 These state-sponsored Russian threat actors are well-known for their stealthy tactics. They infiltrate systems, gather sensitive information, and remain hidden for extended periods. Their primary targets include governments, diplomatic entities, and IT service providers, mainly in the U.S. and Europe.
How do they attack? 🎯 Cozy Bear employs a diverse arsenal, including:
• Stolen credentials 🪪: Sneaking in disguised as authorized users.
• Supply chain attacks ⛓️: Infecting software updates and trusted vendors.
• On-premises exploitation 💻: Gaining footholds in internal networks.
• Cloud migration ☁️: Following victims to cloud platforms.
• Service provider trust abuse 💥: Exploiting connections between companies.
Stay vigilant, stay safe! 🛡️⚔️ Don't become a statistic! Here's how to protect yourself:
1. Be smart online: Avoid suspicious links and unknown websites. Remember, if it seems too good to be true, it probably is! ❌
2. Patch up your defenses: Don't neglect security updates! Install the latest patches for your operating system and software on time. This closes vulnerability gaps hackers exploit 💥.
3. Deploy your digital shield 🛡️: Invest in a reliable endpoint security solution with a strict prevention policy. Think of it as a watchful knight guarding your devices! ⚔️
Learn more & Stay informed 🛡️⚔️: Read the full article about Cozy Bear and their tactics 📰: https://lnkd.in/geQPDVUJ
Share this post to raise awareness and help protect others! Remember, cybersecurity is a team effort. Together, we can stay ahead of cyber threats and keep our digital world safe 🌐. #cybersecurity #staysafe #cozybear #hackers #beware
Microsoft Warns of Widening APT29 Espionage Attacks Targeting Global Orgs
thehackernews.com
Cyber Security Student | Seeking Co-op opportunities | Microsoft Azure, Wireshark, Splunk, ReactJS, Typescript | Google Cybersecurity Certified
🚨 Critical Security Alert: Google OAuth Exploit Uncovered 🚨
🔒 CloudSEK's threat intelligence researcher, Pavan Karthick M, recently exposed a significant security threat that demands immediate attention.
🌐 Exploit Overview: Attackers are leveraging an undisclosed Google OAuth endpoint to compromise user sessions, allowing persistent access to Google services even post-password reset. Prisma, a threat actor, discovered and unveiled this exploit, enabling the generation of persistent Google cookies through token manipulation.
🕵️ Discovery and Rapid Spread: CloudSEK researchers detected the zero-day exploit in October after Prisma's announcement on Telegram. Lumma and Rhadamanthys, among other infostealers, incorporated this capability into their malware, creating a ripple effect across various malicious groups.
🔐 OAuth Cyber Risk vs. Reward: The exploit targets an undocumented Google OAuth endpoint named "MultiLogin." While OAuth is a crucial standard for cross-platform access, its improper implementation poses significant risks. In this case, the exploit manipulates the token:GAIA ID pair, ensuring persistent access and complicating detection.
🔍 Abuse of MultiLogin: Lumma's approach involves nuanced manipulation of the token:GAIA ID pair, effectively "blackboxing" the exploitation process to enhance stealth. This abuse persists even after password resets, allowing prolonged unauthorized access to user accounts and data.
💡 Security Implications and Recommendations: CloudSEK emphasizes the evolving sophistication of cyber threats, demanding enhanced security measures. The encryption of the exploit's key component by threat actors underscores the need for continuous monitoring of vulnerabilities and collaboration between technical and human intelligence sources.
🛡️ Defense Strategies:
• Regularly update security protocols to address evolving threats.
• Implement continuous monitoring to detect and respond to sophisticated exploits.
• Collaborate with threat intelligence sources to stay ahead of emerging cyber threats.
🚀 Stay Informed, Stay Secure: Everyone must adapt to the changing landscape of malware development. Collaboration and continuous monitoring are paramount to uncovering and understanding sophisticated exploits. Let's collectively enhance our cybersecurity posture to thwart evolving threats!
Link to full article: https://lnkd.in/gjZgyZxr
#CyberSecurity #GoogleOAuth #ThreatIntelligence #SecurityAlert
Attackers Abuse Google OAuth Endpoint to Hijack User Sessions
darkreading.com
Explore this insightful article on the vulnerabilities associated with weak passwords and the potential for hackers to gain unauthorized access, compromising your security without detection until later stages.
Russian Hackers Who Hacked Microsoft Also Targeted Other Organizations Cyber Security News 📌 Microsoft corporate systems hacked by Midnight Blizzard Read more: https://lnkd.in/g6vXr5zs #cybersecurity #informationsecurity
Russian Hackers Who Hacked Microsoft Also Targeted Other Organizations
https://cybersecuritynews.com
Cyber security is critical for any business, and relying solely on the makers of your business applications is not enough. Layering security-specific tools is essential to keep your business Cyber Ready! At Logically, we combine our traditional IT offerings with security-specific offerings to maximize your security posture at every step of the way. Don't compromise on your business's security and take the necessary steps to protect yourself. #cyberdefense #microsoft #mssp #msp Interesting article on Microsoft: https://lnkd.in/ejUBwuBt
Midnight Blizzard attack seen as another sign of Microsoft falling short on security
ciodive.com
Hackers Exploit Google Ads to Spread IP Scanner with Concealed Backdoor: Malicious actors are distributing a new backdoor, MadMxShell, through a Google Ads campaign that impersonates an IP scanner. This Windows backdoor leverages DNS MX queries for communication with its command-and-control server. The technique involves encoding data within subdomains of DNS MX queries to send information to the attacker and receiving commands encoded within the response […] The post Hackers Exploit Google Ads to Spread IP Scanner with Concealed Backdoor appeared first on Cyber Security News. #CyberSecurity #InfoSec
Hackers Exploit Google Ads to Spread IP Scanner with Concealed Backdoor
https://cybersecuritynews.com
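The post above describes a backdoor that carries data in the subdomains of DNS MX queries. From the defender's side, the resolver log is where that shows up: a client issuing MX lookups for names whose leftmost label is long, high-entropy and constantly changing under one parent domain, which ordinary mail-routing lookups do not produce. The following detector is an added example written for this page, not code from the article or from any analysis of MadMxShell; the log lines, domain names, thresholds and function names are all constructed for illustration and would need tuning against real traffic.

```python
"""Added example: flag DNS MX lookups whose leftmost label looks like
encoded data, using only a resolver's query log.

Everything below (log lines, domains, thresholds, function names) is
constructed for illustration; nothing is taken from the article.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

MIN_LABEL_LEN = 16        # mail-routing MX names rarely have labels this long
MIN_ENTROPY = 3.0         # bits per character; encoded payloads score higher
MIN_DISTINCT_LABELS = 3   # rotating labels under one parent suggest a channel

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = [
    "2024-04-18T10:00:01Z 10.0.0.5 MX 4e6f74206d7563682e.data.mx-relay.example",
    "2024-04-18T10:00:31Z 10.0.0.5 MX a1b2c3d4e5f6071829.data.mx-relay.example",
    "2024-04-18T10:01:02Z 10.0.0.5 MX 9f8e7d6c5b4a392817.data.mx-relay.example",
    "2024-04-18T10:01:05Z 10.0.0.7 MX example.org",
    "2024-04-18T10:01:09Z 10.0.0.7 A www.example.org",
    "2024-04-18T10:01:20Z 10.0.0.9 MX mail.partner.example",
]


def shannon_entropy(text: str) -> float:
    """Shannon entropy of a string in bits per character."""
    if not text:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> Tuple[str, str, str, str]:
    """Split one constructed log line; DNS names are case-insensitive."""
    ts, client, qtype, qname = line.split()
    return ts, client, qtype.upper(), qname.rstrip(".").lower()


def split_name(qname: str) -> Tuple[str, str]:
    """Return (leftmost label, remainder of the name)."""
    head, _, rest = qname.partition(".")
    return head, rest or qname


def is_suspicious_mx(qtype: str, qname: str) -> bool:
    """An MX query whose leading label is long and high-entropy."""
    if qtype != "MX":
        return False
    label, _ = split_name(qname)
    return len(label) >= MIN_LABEL_LEN and shannon_entropy(label) >= MIN_ENTROPY


def find_mx_channels(lines: List[str]):
    """Return (flagged queries, alerts).

    Single odd-looking queries are only flagged; an alert is raised for a
    (client, parent domain) pair once enough distinct suspicious leading
    labels have been seen, which is the rotating pattern of a data channel.
    """
    labels_seen: Dict[Tuple[str, str], set] = defaultdict(set)
    flagged: List[Tuple[str, str]] = []
    for line in lines:
        _, client, qtype, qname = parse_line(line)
        if not is_suspicious_mx(qtype, qname):
            continue
        label, parent = split_name(qname)
        flagged.append((client, qname))
        labels_seen[(client, parent)].add(label)
    alerts = [
        {"client": client, "parent_domain": parent, "distinct_labels": len(labels)}
        for (client, parent), labels in labels_seen.items()
        if len(labels) >= MIN_DISTINCT_LABELS
    ]
    return flagged, alerts


if __name__ == "__main__":
    flagged, alerts = find_mx_channels(SAMPLE_LOG)
    for client, qname in flagged:
        print(f"suspicious MX query from {client}: {qname}")
    for alert in alerts:
        print("ALERT:", alert)
```

The entropy and label-length thresholds are deliberately coarse; in practice the per-pair count of distinct labels over a time window is the more reliable signal, because legitimate MX lookups for a given mail domain repeat the same name rather than a fresh label every request.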
Can Cyber Sinkholes Be Avoided?
What Lurks Beneath Botnets? How Denial-of-Service (DoS) Attacks Could Create a Cyber Sinkhole. Exploiting Cyber's Sinkhole: What's at Risk? What Can We Learn from the 'Cyber Sinkhole'?
Sinkhole is an acronym that refers to two strategies used to protect against malware attacks by intercepting and monitoring all of the traffic that passes between compromised devices. DNS sinkholes work by intercepting any attempts to connect to known botnet command and control (C2) servers with fake IP addresses controlled by administrators; this redirects attacks back into an administrator-managed server instead. ISPs and domain registrars often employ this technique on an infrastructure level, while system administrators or those with administrative privileges can modify their hosts file to achieve similar effects.
To read more, go to: https://lnkd.in/eNJzm8mg
Can Cyber Sinkholes Be Avoided? - BestCyberSecurityNews
https://bestcybersecuritynews.com
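The sinkhole post above describes the mechanism in two sentences: answer lookups for known C2 domains with an address the defender controls, either at the resolver (ISP or enterprise) or through a hosts-file entry on a single machine. The following is an added example written for this page, not code from the article or from any resolver product. It models the resolver-side decision, counts sinkhole hits per source so infected machines can be spotted from the resolver's own logs, and emits the hosts-file equivalent. The blocklist domains, the sinkhole address (an RFC 5737 documentation range) and the sample queries are all constructed placeholders, not real indicators.

```python
"""Added example: DNS sinkhole decision logic for a resolver, plus the
hosts-file equivalent for a single host. Not code from the article.

Domain names, addresses and query lines below are constructed placeholders.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Constructed blocklist of C2 domains (placeholders, not real IoCs).
KNOWN_C2_DOMAINS = {
    "c2-beacon.example",
    "updates.bad-cdn.example",
}

# Defender-controlled sinkhole server (RFC 5737 documentation address).
SINKHOLE_IP = "192.0.2.10"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.strip().rstrip(".").lower()


def sinkhole_match(qname: str, blocklist=KNOWN_C2_DOMAINS) -> Optional[str]:
    """Return the blocklist entry that covers qname, or None.

    A listed domain also covers every name beneath it, so a bot that
    rotates host labels (a1.c2-beacon.example, a2.c2-beacon.example, ...)
    still lands in the sinkhole. Look-alike names such as
    notc2-beacon.example do not match, because matching is by label.
    """
    labels = normalize(qname).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in blocklist:
            return candidate
    return None


def answer_query(src_ip: str, qname: str, hits: Counter) -> Tuple[str, Optional[str]]:
    """Model the resolver's decision for one query.

    Returns (verdict, answer). A sinkholed query is answered with the
    sinkhole IP and counted against the source; a normal query would be
    forwarded upstream, which this toy does not perform (answer is None).
    """
    if sinkhole_match(qname) is None:
        return "FORWARD", None
    hits[src_ip] += 1
    return "SINKHOLE", SINKHOLE_IP


def hosts_file_lines(blocklist=KNOWN_C2_DOMAINS, sinkhole_ip=SINKHOLE_IP) -> List[str]:
    """Host-level equivalent: hosts-file entries pointing C2 names at the sinkhole.

    Note the limitation: a hosts file matches exact names only, so unlike
    the resolver logic above it cannot cover arbitrary subdomains.
    """
    return [f"{sinkhole_ip} {name}" for name in sorted(blocklist)]


def process_query_log(lines: List[str]) -> Dict[str, object]:
    """Run constructed '<source IP> <queried name>' lines through the sinkhole."""
    hits: Counter = Counter()
    verdicts = []
    for line in lines:
        src, qname = line.split()
        verdict, answer = answer_query(src, qname, hits)
        verdicts.append((src, normalize(qname), verdict, answer))
    return {"verdicts": verdicts, "hits_by_source": dict(hits)}


# Constructed sample of resolver queries.
SAMPLE_QUERIES = [
    "10.0.0.5 c2-beacon.example.",
    "10.0.0.5 A7F3.C2-Beacon.example",
    "10.0.0.9 www.example.org",
    "10.0.0.12 updates.bad-cdn.example",
    "10.0.0.9 notc2-beacon.example",   # look-alike, not a subdomain
]

if __name__ == "__main__":
    result = process_query_log(SAMPLE_QUERIES)
    for row in result["verdicts"]:
        print(row)
    print("sinkhole hits by source:", result["hits_by_source"])
    print("\n".join(hosts_file_lines()))
```

The per-source hit counter is the part worth keeping from this model: once C2 lookups are answered with the sinkhole address, the resolver log (or the sinkhole server's connection log) becomes a list of hosts that need remediation, which is the monitoring benefit the post refers to.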