Veeam backup targeted, DOJ SolarWinds discovery, Americold frozen out

Hackers target Veeam backup servers exposed online

There has been a rash of activity using tools that resemble FIN7 attacks less than a week after an exploit emerged for a high-severity vulnerability in Veeam Backup and Replication (VBR) software. The flaw, tracked as CVE-2023-27532, “exposes encrypted credentials stored in the VBR configuration to unauthenticated users in the backup infrastructure.” Such access could be used to gain access to the backup infrastructure hosts. Veeam fixed the issue on March 7 and provided workaround instructions. Threat researchers at the Finnish cybersecurity and privacy company WithSecure reported this week that the tactics, techniques, and procedures observed were similar to activity previously attributed to FIN7.

(Bleeping Computer)

SolarWinds hack detected six months earlier than first disclosed

Kim Zetter, writing in Wired, reports that the US Department of Justice, Mandiant, and Microsoft “stumbled upon the SolarWinds breach six months earlier than previously reported,” but were unaware of its significance. According to sources familiar with the incident, the department detected unusual traffic coming from one of its servers that was running a trial version of the SolarWinds Orion software suite, which raised suspicions. Investigators reached out to SolarWinds for assistance with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In August 2020, the DOJ purchased the Orion system, suggesting that the department was satisfied that the Orion suite posed no further threat.

(Wired)

Network breach freezes out Americold

Representatives from the cold storage and logistics company say they have been facing IT issues since their network was breached on Tuesday night. They confirmed that the attack has been contained and that they are now investigating the incident, which also affected operations, but said their systems will be down until at least next week. This is according to a memo sent to customers and seen by BleepingComputer. The company has asked customers to cancel all “inbound” deliveries until next week and to reschedule all but the most critical outbound shipments approaching expiration dates.

(Bleeping Computer)

NSA sees “significant” Russian intel gathering on European, U.S. supply chain

Russian hackers are using ransomware to damage supply chains both in Ukraine and in European countries that are providing weapons and humanitarian aid to the Ukrainian war effort. NSA director of cybersecurity Rob Joyce, speaking at a briefing at the RSA Conference, said, “as the war drags on, they could be looking to attack logistics targets more broadly, including in the United States.” He added that the NSA is seeing “a significant amount of intelligence gathering into the Western countries, to include the U.S., in that logistics supply chain,” although there are no indications yet that any U.S. companies have been attacked with ransomware in connection with logistics related to Ukraine.

(Cyberscoop)

Thanks to this week’s episode sponsor, Trend Micro

Cybersecurity is not just about protection; it’s about foresight, agility, and resilience. Navigating a new era of cyber risk demands evolved strategies, new frameworks, and integrated tools to equip security teams to anticipate and defend against even the most advanced attacks. Trend Micro, the global leader in cybersecurity, is bringing the cyber risk conversation to more than 120 cities around the world in its latest “Risk to Resilience World Tour” — the largest cybersecurity roadshow of its kind. Find the closest city to you and register today to take a leap towards a more resilient future. Head to TrendMicro.com/cisoseries.

Zyxel firewall devices vulnerable to remote code execution attacks, and need immediate patching

Zyxel, the networking equipment manufacturer, has released patches for a critical security flaw in its firewall devices. Tracked as CVE-2023-28771 and carrying a CVSS score of 9.8, it could be exploited to achieve remote code execution on affected systems. Researchers from TRAPA Security have been credited with reporting the flaw. In an advisory on April 25, 2023, Zyxel said, “Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.” Affected products are versions of ATP, USG FLEX, VPN, and ZyWALL/USG.

(The Hacker News)

First draft of controversial UN Cybercrime treaty slated for June

After years of debate over its content and direction, the first draft of the UN Cybercrime Treaty will be released in June. Back in December 2019, the UN General Assembly voted to start negotiating a treaty centered on cybercrime after Russia took issue with its predecessor, the Budapest Convention. Jane Lee, senior counsel for computer crime and intellectual property at the U.S. Justice Department, said at the RSA Conference on Thursday that she had just returned from the fifth negotiating session in Vienna, explaining that progress was made on an initial draft and that it will be released on June 28.

(The Record)

South Carolina county government hit with ransomware attack

Spartanburg County, South Carolina, has been hit by a ransomware attack that has limited its IT and phone systems. In a statement to Recorded Future News, county spokesperson Kay Blackwell said “officials recently discovered the ransomware and are in the process of responding to the incident.” Blackwell confirmed that all essential services continue to operate, including 9-1-1 operations and emergency communications.

(The Record)

Last week in ransomware

This past week saw Microsoft link the recent PaperCut server attacks to the Clop and LockBit ransomware operations; we also saw an exposé on the initial-access broker and ransomware affiliate known as BassterLord, a VMware ESXi encryptor for RTM Locker, and a BlackBasta ransomware attack on Yellow Pages Canada.

(Bleeping Computer and Cyber Security Headlines)

Steve Prentice
Author, speaker, expert in the area where people and technology crash into each other, viewed from the organizational psychology perspective. Host of many podcasts, voice actor and narrator for corporate media and audiobooks. Ghost-writer for busy executives.