Hackers target Veeam backup servers exposed online
There has been a rash of activity using tools that resemble FIN7 attacks, less than a week after an exploit emerged for a high-severity vulnerability in Veeam Backup and Replication (VBR) software. The flaw, tracked as CVE-2023-27532, “exposes encrypted credentials stored in the VBR configuration to unauthenticated users in the backup infrastructure.” Such access could be exploited to gain access to the backup infrastructure hosts. Veeam fixed the issue on March 7 and provided workaround instructions. Threat researchers at Finnish cybersecurity and privacy company WithSecure noted in a report this week that the tactics, techniques, and procedures were similar to activity previously attributed to FIN7.
SolarWinds hack detected 6 months earlier than first disclosed
Kim Zetter, writing in Wired, states that the US Department of Justice, Mandiant, and Microsoft “stumbled upon the SolarWinds breach six months earlier than previously reported,” but were unaware of its significance. According to sources familiar with the incident, the department detected unusual traffic coming from one of its servers that was running a trial version of the SolarWinds Orion software suite, which raised suspicions. Investigators reached out to SolarWinds for assistance with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In August 2020, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite.
Network breach freezes out Americold
Representatives from the cold storage and logistics company say they have been facing IT issues since their network was breached on Tuesday night. They confirmed that the attack has been contained and that they are now investigating the incident, which also affected operations, but said their systems will be down until at least next week. This is according to a memo seen by BleepingComputer and sent to customers. The company has asked customers to cancel all “inbound” deliveries past next week and to reschedule all but the most critical outbounds reaching expiration dates.
NSA sees “significant” Russian intel gathering on European, U.S. supply chain
Russian hackers are using ransomware to damage supply chains both in Ukraine and in European countries that are providing weapons and humanitarian aid to the Ukrainian war effort. NSA director of cybersecurity Rob Joyce, speaking at a briefing at the RSA Conference, said, “as the war drags on, they could be looking to attack logistics targets more broadly, including in the United States.” He added that the NSA is seeing “a significant amount of intelligence gathering into the Western countries, to include the U.S., in that logistics supply chain,” although there are no indications yet that any U.S. companies have been attacked with ransomware in connection with logistics related to Ukraine.
Thanks to this week’s episode sponsor, Trend Micro
Zyxel firewall devices vulnerable to remote code execution attacks and need immediate patching
Zyxel, the manufacturer of networking equipment, has released patches for a critical security flaw in its firewall devices. Tracked as CVE-2023-28771 and with a CVSS score of 9.8, it could be exploited to achieve remote code execution on affected systems. Researchers from TRAPA Security have been credited with reporting the flaw. In an advisory on April 25, 2023, Zyxel said, “Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device.” Products impacted are versions of ATP, USG FLEX, VPN, and ZyWALL/USG.
First draft of controversial UN Cybercrime treaty slated for June
After years of debate over its content and direction, the first draft of the UN Cybercrime Treaty will be released in June. Back in December 2019, the UN General Assembly voted to start negotiating a treaty centered on cybercrime after Russia took issue with its predecessor, the Budapest Convention. Jane Lee, senior counsel for computer crime and intellectual property at the U.S. Justice Department, said at the RSA Conference on Thursday that she had just returned from the fifth negotiating session in Vienna, explaining that progress was made on an initial draft and that it will be released on June 28.
South Carolina county government hit with ransomware attack
Spartanburg, a county in South Carolina, has been hit by a ransomware attack that has limited its IT and phone systems. In a statement to Recorded Future News, Spartanburg County spokesperson Kay Blackwell said “officials recently discovered the ransomware and are in the process of responding to the incident.” Blackwell confirmed that all essential services continue to operate, including 9-1-1 operations and emergency communications.
Last week in ransomware
This past week saw Microsoft attributing the recent PaperCut server attacks to the Clop and LockBit ransomware operations; we also saw an exposé on the initial-access broker and ransomware affiliate known as BassterLord, a VMware ESXi encryptor for RTM Locker, and a BlackBasta ransomware attack on Yellow Pages Canada.