
MITRE Links Recent Attack to China-Associated UNC5221


MITRE recently provided further insight into the recent cyber intrusion, shedding light on the new malicious software employed and a timeline detailing the attacker's actions.

In April 2024, MITRE announced a breach of one of its research and prototyping networks. Following the discovery, MITRE's security team promptly opened an investigation, evicted the threat actor, and brought in third-party forensic incident response teams to conduct independent analysis alongside its internal experts. The investigation revealed that a nation-state actor had infiltrated MITRE's systems in January 2024 by exploiting two Ivanti Connect Secure zero-day vulnerabilities (CVE-2023-46805 and CVE-2024-21887).

The intrusion was detected when MITRE noticed suspicious activity from a foreign nation-state threat actor targeting its Networked Experimentation, Research, and Virtualization Environment (NERVE), which is utilized for research and prototyping purposes. MITRE promptly took NERVE offline and commenced mitigation procedures. Although investigations are ongoing to ascertain the extent of compromised information, MITRE has informed relevant authorities and affected parties while endeavoring to restore alternative collaboration platforms.

Despite MITRE's adherence to industry best practices, vendor recommendations, and government directives to harden its Ivanti systems, an oversight allowed the attackers to move into its VMware infrastructure. MITRE emphasized, however, that neither its core enterprise network nor its partners' systems were affected by the breach.

MITRE researchers identified indicators of compromise associated with UNC5221, a China-linked APT group, in connection with the breach. The attackers gained initial access to NERVE on December 31 by deploying the ROOTROT web shell on Internet-facing Ivanti appliances.

On January 4, 2024, the threat actors conducted reconnaissance within the NERVE environment, using the compromised Ivanti appliances to reach vCenter and communicate with multiple ESXi hosts. They then used hijacked credentials to log into accounts over RDP, accessing user bookmarks and file shares to map the network and manipulate VMs, compromising the infrastructure.

Further malicious activity followed, including the deployment of the BRICKSTORM backdoor and the BEEFLUSH web shell on January 7, 2024, which gave the attackers persistent access and arbitrary command execution. They maintained control through SSH manipulation and script execution, abused default VMware accounts, and established communication with their C2 domains.

Additional payloads, such as the WIREFIRE (aka GIFTEDVISITOR) web shell and the BUSHWALK web shell for data exfiltration, were deployed on the target infrastructure. Despite attempts at lateral movement between mid-February and mid-March, the threat actors failed to compromise other resources beyond NERVE.

MITRE concluded its update with malware analysis and Indicators of Compromise for the involved payloads, highlighting the adversary's persistent attempts to infiltrate and maintain control within the network.

Microsoft Claims Russian Hackers are Attempting to Break into Company Networks


Microsoft warned on Friday that hackers affiliated with Russia's foreign intelligence service were attempting to break into its systems again, using data collected from corporate emails in January to seek new access to the software giant, whose products are used widely throughout the US national security infrastructure.

Some experts were alarmed by the news, citing concerns about the security of systems and services at Microsoft, one of the world's largest software companies and a provider of digital services and infrastructure to the United States government.

The tech giant revealed that the intrusions were carried out by a Russian state-sponsored outfit known as Midnight Blizzard, or Nobelium.

The Russian embassy in Washington did not immediately respond to a request for comment on Microsoft's statement, nor on Microsoft's earlier statements regarding Midnight Blizzard activity.

Microsoft reported the incident in January, stating that hackers attempted to break into company email accounts, including those of senior company executives, as well as cybersecurity, legal, and other services. 

Given Microsoft's vast customer base, it is unsurprising that the company is being attacked, according to Jerome Segura, lead threat researcher at Malwarebytes' Threatdown Labs. He said it was concerning that the attack was still ongoing despite Microsoft's efforts to cut off access.

Persistent Threat

Several experts who follow Midnight Blizzard say the group has a history of targeting political bodies, diplomatic missions, and non-governmental organisations. Microsoft said in a January statement that Midnight Blizzard was probably targeting it because the company had conducted extensive research into the hacking group's activities.

Microsoft's threat intelligence team has been investigating and publishing research on Nobelium since at least 2021, when the group was identified as responsible for the SolarWinds supply-chain attack that compromised a number of U.S. federal agencies.

The company stated on Friday that the ongoing attempts to compromise Microsoft are indicative of a "sustained, significant commitment of the threat actor's resources, coordination, and focus."

"It is apparent that Midnight Blizzard is attempting to use secrets of different types it has found," the company added. "Some of these secrets were shared between customers and Microsoft in email, and as we discover them in our exfiltrated email, we have been and are reaching out to these customers to assist them in taking mitigating measures."

Cyber Intruders Disrupt Operations at Beirut International Airport


Over the weekend, the flight information display screens at Beirut's international airport were hijacked in a hacking incident that displayed politically motivated messages and temporarily disrupted baggage inspection, according to local media reports.

The hackers seized control of the screens at Beirut-Rafic Al Hariri International Airport, replacing the usual flight departure and arrival information with a statement accusing Hezbollah, the Iran-backed militant group based in Lebanon, of leading the country into conflict with Israel. Part of the message addressed Hezbollah directly, stating, "You bear your responsibility and its consequences, Hezbollah."

Airport authorities disclosed that the cyber attack briefly interfered with the passenger baggage inspection system, but emphasized that the flight schedule was unaffected. Hackers also reportedly sent fake messages to some passengers purporting to come from Middle East Airlines, a claim the airline promptly denied.

Recent heightened tensions between Lebanon and Israel, marked by frequent exchanges of fire, further amplify the significance of the cyber incident. In a recent Israeli strike on Lebanon, a senior commander in Hezbollah's elite forces was reportedly killed. Israeli officials had previously expressed a preference for restoring security without engaging in a full-scale war with Hezbollah, though readiness for such action was affirmed if necessary.

Attribution for the airport hack points to two domestic hacker groups: The One Who Spoke, a relatively unknown entity, and Soldiers of God, a Christian group previously associated with campaigns against the LGBTQ+ community in Lebanon. The latter group denied involvement. Some reports suggest that "external parties" could be behind the attack, using the names of Lebanese hacker groups either to conceal their identity or to incite tension, and some observers believe local hackers lack the technology and capabilities required for such an attack.

An anonymous security source, speaking to a Lebanese TV channel, raised the possibility that Israel was behind the cyber attack. Lebanon's Minister of Public Works and Transportation, Ali Hamieh, said at a press conference on Monday that approximately 70% of the compromised airport screens had resumed normal operation. As a precaution, the airport was disconnected from the internet to limit further damage. The country's security services are actively investigating the hack, and Hamieh expects a conclusive determination in the coming days on whether the breach originated internally or externally.