Microsoft Warns on Zero-Day Spike as Nation-State Groups Shift Tactics
The software giant also recorded an increase in attacks on IT services companies as state-backed threat actors have adapted to better enterprise defenses and cast a wider net, Microsoft says.
Enterprise security executives that perceive nation-state-backed cyber groups as a distant threat might want to revisit that assumption, and in a hurry.
Several recent geopolitical events around the world over the past year have spurred a sharp increase in nation-state activity against critical targets, such as port authorities, IT companies, government agencies, news organizations, cryptocurrency firms, and religious groups.
A Microsoft analysis of the global threat landscape over the last year, released Nov. 4, showed that cyberattacks targeting critical infrastructure doubled, from accounting for 20% of all nation-state attacks to 40% of all attacks that the company’s researchers detected.
Furthermore, their tactics are shifting — most notably, Microsoft recorded an uptick in the use of zero-day exploits.
Multiple Factors Drove Increased Nation-State Threat Activity
Unsurprisingly, Microsoft attributed much of the spike to attacks by Russia-backed threat groups related to and in support of the country’s war in Ukraine. Some of the attacks were focused on damaging Ukrainian infrastructure, while others were more espionage-related and included targets in the US and other NATO member countries. Ninety percent of Russia-backed cyberattacks that Microsoft detected over the past year targeted NATO countries; 48% of them were directed at IT service providers in these countries.
While the war in Ukraine drove most of the activity by Russian threat groups, other factors fueled an increase in attacks by groups sponsored by China, North Korea, and Iran. Attacks by Iranian groups, for instance, escalated following a presidential change in the country.
Microsoft said it observed Iranian groups launching destructive, disk-wiping attacks in Israel as well as what it described as hack-and-leak operations against targets in the US and EU. One attack in Israel set off emergency rocket signals in the country while another sought to erase data from a victim’s systems.
The increase in attacks by North Korean groups coincided with a surge in missile testing in the country. Many of the attacks were focused on stealing technology from aerospace companies and researchers.
Groups in China, meanwhile, increased espionage and data-stealing attacks to support the country’s efforts to exert more influence in the region, Microsoft said. Many of their targets included organizations that were privy to information that China considered to be of strategic importance to achieving its goals.
From Software Supply Chain to IT Service Provider Chain
Nation-state actors targeted IT companies more heavily than other sectors in the period. IT companies, such as cloud services providers and managed services providers, accounted for 22% of the organizations that these groups targeted this year. Other heavily targeted sectors included the more traditional think tank and nongovernmental organization victims (17%), education (14%), and government agencies (10%).
The attacks on IT service providers were designed to compromise hundreds of organizations at once by breaching a single trusted vendor, Microsoft said. The attack last year on Kaseya, which resulted in ransomware ultimately being distributed to thousands of downstream customers, was an early example.
There were several others this year, including one in January in which an Iran-backed actor compromised an Israeli cloud services provider to try to infiltrate that company’s downstream customers. In another, a Lebanon-based group called Polonium gained access to several Israeli defense and legal organizations via their cloud services providers.
The growing attacks on the IT services supply chain represented a shift away from the usual focus that nation-state groups have had on the software supply chain, Microsoft noted.
Microsoft’s recommended measures for mitigating exposure to these threats include reviewing and auditing upstream and downstream service provider relationships, delegating privileged access management responsibly, and enforcing least-privilege access as needed. The company also recommends that organizations review access for partner relationships that are unfamiliar or have not been audited, enable logging, review all authentication activity for VPN and remote access infrastructure, and enable MFA for all accounts.
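Two of those recommendations, reviewing authentication activity for remote access infrastructure and reviewing access granted to unaudited partners, lend themselves to a simple log review. The script below is an added example and is not Microsoft's code or part of the report; it parses a handful of constructed VPN and remote-desktop-gateway authentication events in a hypothetical key=value layout (not any vendor's real schema), then flags successful logins that completed without MFA and successful logins by partner identities whose provider domain is not on an audited-partner list. The domain names, IP addresses and the audited-partner set are all constructed for the example.

```python
"""Review remote-access authentication events for two gaps named in the
mitigation list: successful logins without MFA, and access by service-provider
(partner) identities whose relationship has not been reviewed or audited.

Log lines and the audited-partner list are constructed for this example; the
key=value layout is hypothetical, not a real vendor log format.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events (hypothetical key=value format).
SAMPLE_LOG = """\
ts=2022-11-01T08:02:11Z src=vpn user=alice@corp.example result=success mfa=yes ip=203.0.113.10
ts=2022-11-01T08:05:40Z src=vpn user=svc-backup@msp-one.example result=success mfa=no ip=198.51.100.7
ts=2022-11-01T08:07:02Z src=rdgw user=bob@corp.example result=failure mfa=no ip=203.0.113.11
ts=2022-11-01T08:09:55Z src=vpn user=carol@corp.example result=success mfa=no ip=203.0.113.12
ts=2022-11-01T08:12:30Z src=rdgw user=ops@cloud-two.example result=success mfa=yes ip=198.51.100.20
ts=2022-11-01T08:15:00Z src=vpn user=svc-backup@msp-one.example result=success mfa=no ip=198.51.100.7
"""

# Partner domains whose access has already been reviewed and audited (constructed).
AUDITED_PARTNERS = {"cloud-two.example"}
INTERNAL_DOMAIN = "corp.example"


@dataclass(frozen=True)
class AuthEvent:
    ts: str
    src: str      # vpn, rdgw, ... (the remote access entry point)
    user: str
    result: str   # success / failure
    mfa: bool
    ip: str


def parse_auth_log(text: str) -> list[AuthEvent]:
    """Turn key=value lines into AuthEvent records; malformed lines are skipped."""
    events: list[AuthEvent] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
        try:
            events.append(AuthEvent(
                ts=fields["ts"], src=fields["src"], user=fields["user"],
                result=fields["result"], mfa=fields["mfa"] == "yes", ip=fields["ip"]))
        except KeyError:
            continue  # a required field is missing: drop the line rather than guess
    return events


def domain_of(user: str) -> str:
    """Domain part of a user principal, lower-cased for comparison."""
    return user.rsplit("@", 1)[-1].lower()


def successful_logins_without_mfa(events: list[AuthEvent]) -> dict[str, int]:
    """Accounts that reached remote access successfully without MFA, counted per
    account and ordered so the noisiest gap comes first."""
    counts: dict[str, int] = defaultdict(int)
    for e in events:
        if e.result == "success" and not e.mfa:
            counts[e.user] += 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


def unaudited_partner_access(events: list[AuthEvent],
                             audited: set[str] = AUDITED_PARTNERS,
                             internal: str = INTERNAL_DOMAIN) -> dict[str, set[str]]:
    """Partner identities (non-internal domain) with successful access whose
    provider domain is not in the audited list, with the source IPs seen."""
    findings: dict[str, set[str]] = {}
    for e in events:
        d = domain_of(e.user)
        if e.result == "success" and d != internal and d not in audited:
            findings.setdefault(e.user, set()).add(e.ip)
    return findings


def review(text: str) -> dict:
    """Run both checks over a log and return the findings together."""
    events = parse_auth_log(text)
    return {
        "events": len(events),
        "no_mfa": successful_logins_without_mfa(events),
        "unaudited_partners": unaudited_partner_access(events),
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print(f"parsed {report['events']} events")
    for user, n in report["no_mfa"].items():
        print(f"NO-MFA  {user}: {n} successful login(s) without MFA")
    for user, ips in report["unaudited_partners"].items():
        print(f"PARTNER {user}: provider domain not audited, seen from {sorted(ips)}")
```

Run against the sample, the review surfaces one internal account and one service-provider account that logged in without MFA, and the same provider account as coming from a domain that has never been audited; in practice the audited-partner list would be the output of the relationship review the report recommends, and the parser would be swapped for whatever the VPN or gateway actually emits.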
An Uptick in Zero-Days
One notable trend that Microsoft observed is that nation-state groups are spending significant resources to evade the security protections that organizations have implemented to defend against sophisticated threats.
“Much like enterprise organizations, adversaries began using advancements in automation, cloud infrastructure, and remote access technologies to extend their attacks against a wider set of targets,” Microsoft said.
The adjustments included new ways to rapidly exploit unpatched vulnerabilities, expanded techniques for breaching corporations, and increased use of legitimate tools and open source software to obfuscate malicious activity.
One of the most troubling manifestations of the trend is the increasing use among nation-state actors of zero-day vulnerability exploits in their attack chain. Microsoft’s research showed that patches were released for 41 zero-day vulnerabilities between July 2021 and June 2022.
According to Microsoft, China-backed threat actors have been especially proficient at discovering zero-day vulnerabilities recently. The company attributed the trend to a new China regulation that went into effect in September 2021; it requires organizations in the country to report any vulnerabilities they discover to a Chinese government authority for review before disclosing the information to anyone else.
Examples of zero-day threats that fall into this category include CVE-2021-35211, a remote code execution flaw in SolarWinds Serv-U software that was widely exploited before being patched in July 2021; CVE-2021-40539, a critical authentication bypass vulnerability in Zoho ManageEngine ADSelfService Plus, patched last September; and CVE-2022-26134, a vulnerability in Atlassian Confluence Workspaces that a Chinese threat actor was actively exploiting before a patch became available in June.
“This new regulation might enable elements in the Chinese government to stockpile reported vulnerabilities toward weaponizing them,” Microsoft warned, adding that this should be viewed as a major step in the use of zero-day exploits as a state priority.