Hackers target vulnerable Veeam backup servers exposed online
Malicious activity and tools echoing FIN7 attacks have been observed in intrusions since March 28, less than a week after an exploit became available for a high-severity vulnerability in Veeam Backup and Replication (VBR) software. Tracked as CVE-2023-27532, the security issue exposes encrypted credentials stored in the VBR configuration to unauthenticated users in the backup infrastructure. This could be used to access the backup infrastructure hosts. The software vendor fixed the issue on March 7 and provided workaround instructions. Threat researchers at Finnish cybersecurity and privacy company WithSecure noted in a report this week that the tactics, techniques, and procedures were similar to activity previously attributed to FIN7.
The DOJ detected the SolarWinds hack 6 months earlier than first disclosed
Kim Zetter, writing in Wired, states that the US Department of Justice, Mandiant, and Microsoft stumbled upon the SolarWinds breach six months earlier than previously reported, but were unaware of its significance. Suspicions were triggered when the department detected unusual traffic emanating from one of its servers that was running a trial version of the Orion software suite made by SolarWinds, according to sources familiar with the incident. Investigators reached out to SolarWinds to assist with the inquiry, but the company’s engineers were unable to find a vulnerability in their code. In August 2020, the DOJ purchased the Orion system, suggesting that the department was satisfied that there was no further threat posed by the Orion suite.
Cold storage giant Americold outage caused by network breach
Representatives from the cold storage and logistics company say they have been facing IT issues since their network was breached on Tuesday night. They confirmed that the attack has been contained and that they are now investigating the incident, which also affected operations, but said their systems will be down until at least next week. This is according to a memo seen by BleepingComputer and sent to customers. The company has asked customers to cancel all “inbound” deliveries past next week and to reschedule all but the most critical outbounds reaching expiration dates.
NSA sees “significant” Russian intel gathering on European, U.S. supply chain entities
Russian hackers are focused on using ransomware to attack supply chains both within Ukraine and in European countries being used to provide weapons and humanitarian aid in support of the Ukrainian war effort, said Rob Joyce, the NSA’s director of cybersecurity, during a briefing at the RSA Conference. As the war drags on, they could be looking to attack logistics targets more broadly, including in the United States. The NSA is seeing “a significant amount of intelligence gathering into the Western countries, to include the U.S., in that logistics supply chain,” he said, adding there are no indications yet that any U.S. companies have been attacked with ransomware in connection with logistics related to Ukraine.
Thanks to this week’s episode sponsor, Trend Micro
Zyxel firewall devices vulnerable to remote code execution attacks — patch now
Networking equipment maker Zyxel has released patches for a critical security flaw in its firewall devices that could be exploited to achieve remote code execution on affected systems. The issue, tracked as CVE-2023-28771, is rated 9.8 on the CVSS scoring system. Researchers from TRAPA Security have been credited with reporting the flaw. “Improper error message handling in some firewall versions could allow an unauthenticated attacker to execute some OS commands remotely by sending crafted packets to an affected device,” Zyxel said in an advisory on April 25, 2023. Products impacted by the flaw are versions of ATP, USG FLEX, VPN, and ZyWALL/USG.
First draft of controversial UN Cybercrime treaty slated for June
The first draft of the UN Cybercrime Treaty will be released in June after years of debate and concern over what the document might cover. The UN General Assembly voted in December 2019 to begin negotiating a treaty centered around cybercrime after Russia took issue with a previous agreement – the Budapest Convention – and demanded something new to address the issue. Jane Lee, senior counsel for computer crime and intellectual property at the U.S. Justice Department, said at the RSA Conference Thursday that she had just returned from the fifth negotiating session in Vienna, explaining that progress was made on an initial draft that will be released on June 28.
South Carolina county government hit with ransomware attack
The South Carolina county of Spartanburg is dealing with a ransomware attack that has limited its IT and phone systems. In a statement to Recorded Future News, Spartanburg County spokesperson Kay Blackwell said officials recently discovered the ransomware and are in the process of responding to the incident. Blackwell confirmed that all essential services continue to operate, including 9-1-1 operations and emergency communications.
Last week in ransomware
It has been a quiet week for ransomware news, with few reports and little new information about cyberattacks released. What we did see was Microsoft linking the recent PaperCut server attacks to the Clop and LockBit ransomware operations, an exposé on the initial-access broker and ransomware affiliate known as BassterLord, a VMware ESXi encryptor for RTM Locker, and Yellow Pages Canada suffering a BlackBasta ransomware attack.