Veeam backup targeted, DOJ SolarWinds discovery, Americold frozen out

Hackers target vulnerable Veeam backup servers exposed online

Malicious activity and tools echoing FIN7 attacks have been observed in intrusions since March 28, less than a week after an exploit became available for a high-severity vulnerability in Veeam Backup and Replication (VBR) software. Tracked as CVE-2023-27532, the security issue exposes encrypted credentials stored in the VBR configuration to unauthenticated users on the backup infrastructure, which could then be used to access the backup infrastructure hosts. The software vendor fixed the issue on March 7 and provided workaround instructions. Threat researchers at Finnish cybersecurity and privacy company WithSecure noted in a report this week that the tactics, techniques, and procedures were similar to activity previously attributed to FIN7.

(Bleeping Computer)

The DOJ detected the SolarWinds hack 6 months earlier than first disclosed

Kim Zetter, writing in Wired, states that the US Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, but were unaware of its significance. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. Investigators reached out to SolarWinds to assist with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In August 2020, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite.

(Wired)
Cold storage giant Americold outage caused by network breach

Representatives from the cold storage and logistics company say they have been facing IT issues since their network was breached on Tuesday night. They confirmed that the attack has been contained and that they are now investigating the incident, which also affected operations, but said their systems will be down until at least next week. This is according to a memo seen by BleepingComputer and sent to customers. The company has asked customers to cancel all “inbound” deliveries past next week and to reschedule all but the most critical outbound shipments that are approaching expiration dates.

(Bleeping Computer)

NSA sees “significant” Russian intel gathering on European, U.S. supply chain entities

Russian hackers are focused on using ransomware to attack supply chains both within Ukraine and in European countries that are being used to provide weapons and humanitarian aid in support of the Ukrainian war effort, said Rob Joyce, the NSA’s director of cybersecurity, during a briefing at the RSA Conference. As the war drags on, he said, they could look to attack logistics targets more broadly, including in the United States. The NSA is seeing “a significant amount of intelligence gathering into the Western countries, to include the U.S., in that logistics supply chain,” he said, adding that there are no indications yet that any U.S. companies have been attacked with ransomware in connection with logistics related to Ukraine.

Thanks to this week’s episode sponsor, Trend Micro

Cybersecurity is not just about protection, it’s about foresight, agility, and resilience. Navigating a new era of cyber risk demands evolved strategies, new frameworks, and integrated tools to equip security teams to anticipate and defend against even the most advanced attacks. Trend Micro, the global leader in cybersecurity, is bringing the cyber risk conversation to more than 120 cities around the world in their latest “Risk to Resilience World Tour” — the largest cybersecurity roadshow of its kind. Find the closest city to you and register today to take a leap towards a more resilient future. Head to

Zyxel firewall devices vulnerable to remote code execution attacks — patch now

Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. “Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel said in an advisory on April 25, 2023. Products impacted by the flaw are versions of ATP, USG FLEX, VPN, and ZyWALL/USG.

(The Hacker News)

First draft of controversial UN Cybercrime treaty slated for June

The first draft of the UN Cybercrime Treaty will be released in June after years of debate and concern over what the document might cover. The UN General Assembly voted in December 2019 to begin negotiating a treaty centered around cybercrime after Russia took issue with a previous agreement – the Budapest Convention – and demanded something new to address the issue. Jane Lee, senior counsel for computer crime and intellectual property at the U.S. Justice Department, said at the RSA Conference Thursday that she had just returned from the fifth negotiating session in Vienna, explaining that progress was made on an initial draft that will be released on June 28.

(The Record)

South Carolina county government hit with ransomware attack

The South Carolina county of Spartanburg is dealing with a ransomware attack that has limited its IT and phone systems. In a statement to Recorded Future News, Spartanburg County spokesperson Kay Blackwell said officials recently discovered the ransomware and are in the process of responding to the incident. Blackwell confirmed that all essential services continue to operate, including 9-1-1 operations and emergency communications.

(The Record)

Last week in ransomware

It has been a quiet week for ransomware news, with few reports and little new information about cyberattacks released. What we did see was Microsoft linking the recent PaperCut server attacks to the Clop and LockBit ransomware operations, an exposé on the initial-access broker and ransomware affiliate known as BassterLord, a VMware ESXi encryptor for RTM Locker, and Yellow Pages Canada suffering a BlackBasta ransomware attack.

(Bleeping Computer and Cyber Security Headlines)