Wednesday, October 13, 2021

Microsoft Warns Of Iran-Linked Hackers Targeting US And Israeli Defense Firms.

 


An emerging threat actor likely supporting Iranian national interests has been behind a password spraying campaign targeting US, EU, and Israeli defense technology companies, with additional activity observed against regional ports of entry in the Persian Gulf as well as maritime and cargo transportation companies focused in the Middle East.

Microsoft is tracking the hacking crew under the moniker DEV-0343.

The intrusions, first observed in late July 2021, are believed to have targeted more than 250 Office 365 tenants, fewer than 20 of which were successfully compromised by password spraying — a brute-force technique in which one password is tried against many usernames before moving on to the next, so that each account sees only a handful of attempts and lockout thresholds are never tripped.

Indications so far suggest that the activity is part of an intellectual property theft campaign aimed at government partners producing military-grade radars, drone technology, satellite systems, and emergency response communication systems, with the likely goal of stealing commercial satellite images and proprietary information.

DEV-0343's Iranian connection is based on evidence of "extensive crossover in geographic and sectoral targeting with Iranian actors, and alignment of techniques and targets with another actor originating in Iran," researchers from Microsoft Threat Intelligence Center (MSTIC) and Digital Security Unit (DSU) said.

The password sprays emulate the Firefox and Google Chrome browsers and are sent through a pool of Tor proxy IP addresses used specifically to hide the operators' own infrastructure. Microsoft noted that the attacks peaked between Sunday and Thursday from 7:30 AM to 8:30 PM Iran Time (4:00 AM to 5:00 PM UTC), and that dozens to hundreds of accounts within an organization were targeted depending on its size.

The Redmond-based tech giant also pointed out that the password spraying tool resembles "o365spray," an actively maintained open-source utility that targets Microsoft Office 365, and is urging customers to enable multi-factor authentication to limit the impact of compromised credentials and to block all incoming traffic from anonymizing services wherever possible.
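The pattern described above (many accounts, few attempts each, a fixed daily window, traffic from anonymizing exits) is what a detection rule should key on. The following is an added example, not Microsoft's tooling or anything from the DEV-0343 report: it runs a spray detector over constructed sign-in records. The record format, the anonymizer IP list, the `corp.example` accounts and the thresholds are all assumptions.

```python
"""Password-spray detection over sign-in records (added example, not
Microsoft's tooling). The log format, the anonymizer IP list and the
thresholds are assumptions; the sample records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical feed of anonymizing-service exit IPs (constructed). A real
# deployment would load a current Tor exit-node list here.
ANONYMIZER_IPS = {"198.51.100.7"}

# Reported DEV-0343 activity window: 04:00-17:00 UTC, Sunday to Thursday.
# datetime.weekday(): Monday=0 ... Sunday=6.
ACTIVE_HOURS_UTC = range(4, 17)
ACTIVE_WEEKDAYS = {6, 0, 1, 2, 3}

SPRAY_USERS = ["alice", "bob", "carol", "dave", "erin", "frank",
               "grace", "heidi", "ivan", "judy", "mallory", "oscar"]


def build_sample_log():
    """Constructed records: '<UTC timestamp> <user> <source IP> <result>'."""
    t0 = datetime(2021, 8, 2, 4, 31, 0)          # a Monday, inside the window
    lines = [f"{t0 + timedelta(seconds=5 * i):%Y-%m-%dT%H:%M:%SZ} "
             f"{u}@corp.example 198.51.100.7 Failure"
             for i, u in enumerate(SPRAY_USERS)]
    # A second pass with another password lands on one account.
    lines.append("2021-08-02T04:33:10Z dave@corp.example 198.51.100.7 Success")
    # Benign noise: one user mistypes a password, then signs in.
    lines.append("2021-08-02T09:00:00Z erin@corp.example 203.0.113.20 Failure")
    lines.append("2021-08-02T09:00:10Z erin@corp.example 203.0.113.20 Success")
    return lines


def parse_line(line):
    ts, user, ip, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, result


def detect_spray(lines, window=timedelta(minutes=30), min_users=8, max_per_user=3):
    """Return {source_ip: finding} for IPs that fail against at least
    `min_users` distinct accounts inside `window` with at most
    `max_per_user` failures per account: the lockout-avoiding shape of a
    spray, as opposed to a brute force against a single account."""
    by_ip = defaultdict(list)
    for ev in sorted(map(parse_line, lines)):
        by_ip[ev[2]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        for i, (start, _, _, _) in enumerate(events):
            in_window = [e for e in events[i:] if e[0] - start <= window]
            per_user = defaultdict(int)
            for _, user, _, result in in_window:
                if result == "Failure":
                    per_user[user] += 1
            if len(per_user) < min_users or max(per_user.values()) > max_per_user:
                continue
            findings[ip] = {
                "window_start": start,
                "distinct_users": len(per_user),
                "failures": sum(per_user.values()),
                # Accounts that then authenticated from the spraying IP:
                # these are the compromises to triage first.
                "successes": sorted({u for _, u, _, r in in_window if r == "Success"}),
                "anonymizer": ip in ANONYMIZER_IPS,
                "in_activity_window": start.hour in ACTIVE_HOURS_UTC
                                      and start.weekday() in ACTIVE_WEEKDAYS,
            }
            break  # report the earliest qualifying window per IP
    return findings


def run_sample():
    return detect_spray(build_sample_log())


if __name__ == "__main__":
    for ip, finding in run_sample().items():
        print(ip, finding)
```

The per-account cap is the important knob: a threshold on total failures alone would miss a spray that stays one or two attempts per user, while this rule flags the source IP rather than any single account. Any success from a flagged IP is the first thing to check, since that is the "fewer than 20 tenants compromised" case in practice.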

"Gaining access to commercial satellite imagery and proprietary shipping plans and logs could help Iran compensate for its developing satellite program," the researchers said. "Given Iran's past cyber and military attacks against shipping and maritime targets, Microsoft believes this activity increases the risk to companies in these sectors."

 

 

Microsoft Fended Off A Record 2.4 Tbps DDoS Attack Targeting Azure Customers.

 


Microsoft on Monday revealed that its Azure cloud platform mitigated a 2.4 Tbps distributed denial-of-service (DDoS) attack in the last week of August targeting an unnamed customer in Europe, surpassing a 2.3 Tbps attack stopped by Amazon Web Services in February 2020.

"This is 140 percent higher than 2020's 1 Tbps attack and higher than any network volumetric event previously detected on Azure," Amir Dahan, senior program manager for Azure Networking, said in a post, describing it as a "UDP reflection" attack lasting about 10 minutes.

A reflected amplification attack is a denial-of-service technique in which the attacker sends requests over UDP, which is connectionless and never verifies the sender, with the source address forged to be the victim's. Each reflector answers the victim instead of the attacker, and because the reply is larger than the request the attacker's own bandwidth is multiplied, flooding the target server or network with enough packets to disrupt it or to take it and its surrounding infrastructure offline.
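To make the mechanism and its detection concrete, here is an added example that is not part of the Azure write-up: a small model of one reflection step, the arithmetic for how much spoofed traffic a botnet needs to send, and a flow-record detector that picks out reflected floods. The amplification factors are approximate published figures and are assumptions here; the flow records and IP addresses are constructed.

```python
"""Model of a UDP reflection/amplification attack and a flow-record
detector (added example, not from the Azure write-up). The amplification
factors are approximate published figures and are assumptions here; the
flow records are constructed."""
from collections import defaultdict

# UDP services commonly abused as reflectors, with an approximate bandwidth
# amplification factor (BAF = response bytes / request bytes). Assumed values.
REFLECTOR_PORTS = {
    53: ("DNS", 28),
    123: ("NTP monlist", 556),
    1900: ("SSDP", 30),
    11211: ("memcached", 10000),
}


def spoofed_request(victim_ip, reflector_ip, port, request_bytes):
    """One reflection step: the attacker sends `request_bytes` to the
    reflector with the victim's address forged as source, so the (larger)
    reply goes to the victim. Returns the reply as the victim sees it."""
    name, baf = REFLECTOR_PORTS[port]
    return {"src": reflector_ip, "sport": port, "dst": victim_ip,
            "service": name, "bytes": request_bytes * baf}


def required_request_rate_bps(victim_bps, baf, bots):
    """Spoofed-request bandwidth each bot must emit for the reflected
    flood to reach `victim_bps` (ignores packet loss and rate limits)."""
    return victim_bps / baf / bots


# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, proto, packets, bytes)
SAMPLE_FLOWS = [
    # NTP replies from three reflectors hitting the victim, ~480 bytes each
    ("198.51.100.1", 123, "203.0.113.10", 4444, "udp", 50_000, 24_000_000),
    ("198.51.100.2", 123, "203.0.113.10", 4444, "udp", 50_000, 24_000_000),
    ("198.51.100.3", 123, "203.0.113.10", 4444, "udp", 50_000, 24_000_000),
    # memcached replies, 1400-byte packets
    ("198.51.100.4", 11211, "203.0.113.10", 4444, "udp", 1_000, 1_400_000),
    # benign: a DNS answer to a query the victim actually sent
    ("198.51.100.53", 53, "203.0.113.10", 51234, "udp", 1, 120),
    # benign: another host syncing its clock
    ("198.51.100.1", 123, "203.0.113.11", 123, "udp", 1, 48),
    # benign: TCP web traffic
    ("192.0.2.5", 50000, "203.0.113.10", 443, "tcp", 100, 80_000),
]


def find_reflection_victims(flows, min_sources=3, min_bytes=1_000_000, min_avg_pkt=200):
    """Aggregate inbound UDP flows whose *source* port is a reflector
    service. A large average packet size separates reflected payloads from
    the small replies a host receives to its own queries."""
    per_victim = defaultdict(lambda: {"sources": set(), "services": set(),
                                      "packets": 0, "bytes": 0})
    for src, sport, dst, _dport, proto, pkts, nbytes in flows:
        if proto != "udp" or sport not in REFLECTOR_PORTS:
            continue
        if nbytes / pkts < min_avg_pkt:
            continue
        v = per_victim[dst]
        v["sources"].add(src)
        v["services"].add(REFLECTOR_PORTS[sport][0])
        v["packets"] += pkts
        v["bytes"] += nbytes
    return {dst: v for dst, v in per_victim.items()
            if len(v["sources"]) >= min_sources and v["bytes"] >= min_bytes}


def run_sample():
    return find_reflection_victims(SAMPLE_FLOWS)


if __name__ == "__main__":
    print(spoofed_request("203.0.113.10", "198.51.100.1", 123, 234))
    print(required_request_rate_bps(2.4e12, 556, 70_000))
    print(run_sample())
```

Plugging in the figures from this story (2.4 Tbps, roughly 70,000 bots) with the assumed NTP factor of 556 gives each bot about 62 kbps of spoofed requests, which is why a botnet of home routers and cameras can produce terabit floods; the defence that removes the problem at its root is source-address validation (BCP 38) at the networks the bots sit in, since a reflector cannot be abused if forged packets never leave the originating network.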

The attack is said to have originated from a botnet of approximately 70,000 compromised devices primarily located across the Asia-Pacific region, such as Malaysia, Vietnam, Taiwan, Japan, and China, as well as the U.S.

Microsoft said it observed three short-lived bursts, each ramping up in seconds to terabit volumes — the first at 2.4 Tbps, the second at 0.55 Tbps, and the third at 1.7 Tbps.

News of the DDoS attack comes a month after Russian internet giant Yandex became the target of a record-breaking distributed denial-of-service (DDoS) attack by a new botnet called Meris, which battered the company's web infrastructure with millions of HTTP requests, before hitting a peak of 21.8 million requests per second (RPS).

"Bad actors, now more than ever, continuously look for ways to take applications offline," Dahan said. "Attacks of this size demonstrate the ability of bad actors to wreak havoc by flooding targets with gigantic traffic volumes trying to choke network capacity."

 

 

Update Your Windows PCs Immediately To Patch New 0-Day Under Active Attack.

 


Microsoft on Tuesday rolled out security patches for a total of 71 vulnerabilities in Microsoft Windows and other software, including a fix for an actively exploited privilege escalation flaw that can be chained with remote code execution bugs to take full control of vulnerable systems.

Two of the addressed security flaws are rated Critical, 68 are rated Important, and one is rated Low in severity. One of them was under active exploitation and three more were publicly known at the time of release, making four zero-days in total —

  • CVE-2021-40449 (CVSS score: 7.8) - Win32k Elevation of Privilege Vulnerability
  • CVE-2021-41335 (CVSS score: 7.8) - Windows Kernel Elevation of Privilege Vulnerability
  • CVE-2021-40469 (CVSS score: 7.2) - Windows DNS Server Remote Code Execution Vulnerability
  • CVE-2021-41338 (CVSS score: 5.5) - Windows AppContainer Firewall Rules Security Feature Bypass Vulnerability

At the top of the list is CVE-2021-40449, a use-after-free vulnerability in the Win32k kernel driver discovered by Kaspersky as being exploited in the wild in late August and early September 2021 as part of a widespread espionage campaign targeting IT companies, defense contractors, and diplomatic entities. The Russian cybersecurity firm dubbed the threat cluster "MysterySnail."

"Code similarity and re-use of C2 [command-and-control] infrastructure we discovered allowed us to connect these attacks with the actor known as IronHusky and Chinese-speaking APT activity dating back to 2012," Kaspersky researchers Boris Larin and Costin Raiu said in a technical write-up, with the infection chains leading to the deployment of a remote access trojan capable of collecting and exfiltrating system information from compromised hosts before reaching out to its C2 server for further instructions.

Other bugs of note include remote code execution vulnerabilities affecting Microsoft Exchange Server (CVE-2021-26427), Windows Hyper-V (CVE-2021-38672 and CVE-2021-40461), SharePoint Server (CVE-2021-40487 and CVE-2021-41344), and Microsoft Word (CVE-2021-40486), as well as an information disclosure flaw in the Rich Text Edit Control (CVE-2021-40454).

CVE-2021-26427, which has a CVSS score of 9.0 and was identified by the U.S. National Security Agency, underscores that "Exchange servers are high-value targets for hackers looking to penetrate business networks," Bharat Jogi, senior manager of vulnerability and threat research at Qualys, said.

The October Patch Tuesday is rounded out by fixes for two newly discovered shortcomings in the Print Spooler component: CVE-2021-41332, an information disclosure bug, and CVE-2021-36970, a spoofing vulnerability that Microsoft has tagged "Exploitation More Likely" on its exploitability index.

"A spoofing vulnerability usually indicates that an attacker can impersonate or identify as another user," security researcher ollypwn noted in a Twitter thread. "In this case, it looks like an attacker can abuse the Spooler service to upload arbitrary files to other servers."

Software Patches From Other Vendors.

In addition to Microsoft, patches have also been released by a number of other vendors to address several vulnerabilities, including —

  • Adobe
  • Android
  • Apple
  • Cisco
  • Citrix
  • Intel
  • Linux distributions Oracle Linux, Red Hat, and SUSE.
  • SAP
  • Schneider Electric
  • Siemens, and
  • VMware

 

 

Tuesday, October 5, 2021

Text Message Giant Reveals Five-Year Breach.

 


A major telecoms service provider has revealed it was the victim of a five-year breach impacting hundreds of customers.

Syniverse routes text messages for hundreds of global telco customers — allowing it to boast of reaching “more people and devices than anyone on Earth.”

However, in a filing with the SEC last week, ahead of going public through a merger with a special purpose acquisition company (SPAC), the firm admitted discovering a major incident in May 2021.

The unauthorized access to its operational and IT systems was subsequently found to have been ongoing since May 2016.

“Syniverse’s investigation revealed that the individual or organization gained unauthorized access to databases within its network on several occasions, and that login information allowing access to or from its Electronic Data Transfer (EDT) environment was compromised for approximately 235 of its customers,” the filing said.

“All EDT customers have been notified and have had their credentials reset or inactivated, even if their credentials were not impacted by the incident. All customers whose credentials were impacted have been notified of that circumstance.”

Although the firm claimed it has seen no efforts to disrupt operations or monetize the attack, it could not rule out further discoveries.

“While Syniverse believes it has identified and adequately remediated the vulnerabilities that led to the incidents described above, there can be no guarantee that Syniverse will not uncover evidence of exfiltration or misuse of its data or IT systems from the May 2021 Incident, or that it will not experience a future cyber-attack leading to such consequences,” it said.

“Any such exfiltration could lead to the public disclosure or misappropriation of customer data, Syniverse’s trade secrets or other intellectual property, personal information of its employees, sensitive information of its customers, suppliers and vendors, or material financial and other information related to its business.”

It's unclear exactly what information the attackers would have gained access to with the EDT compromise, but it could theoretically include metadata or even the content of text messages, including one-time passcodes, which could unlock two-factor authentication-protected accounts.

The firm claims to process over 740 billion messages every year for 300+ global mobile operators.

An audacious supply chain raid like this bears the hallmarks of nation-state intelligence gathering or a highly organized cybercrime group.

Squid Game Scenes Cut Over Data Exposure.


 

Netflix has axed some scenes from its hit show Squid Game because the phone numbers it featured turned out to be genuine and in use by people in the real world. 

The deletions were made after the owners of the phone numbers received thousands of text messages and phone calls from curious Squid Game fans located around the globe.

Since premiering on the streaming platform on September 17, Squid Game looks set to become one of the most popular Netflix shows in history. The South Korean fictional drama depicts contestants who are deeply in debt playing children's games to win a life-altering amount of cash. In a disturbing twist, players who lose are executed. 

A Korean man from Gyeonggi province, who claims his digits were exposed in a subway scene featured in the first episode of the show, said that his phone has been overwhelmed with thousands of nuisance calls. 

Speaking to Korean publication Money Today, he said: "It has come to the point where people are reaching out day and night due to their curiosity."

The constant contact from Squid Game fans has prevented the man from receiving calls and messages that are actually intended for him.

"It drains my phone's battery, and it turns off," he said. 

He added: “At first, I didn’t know why, then my friend told me that my number came out in Squid Game.”

The man's phone number allegedly appeared on a business card passed to Lee Jung-Jae’s character, Seong Gi-Hun, by a mysterious man in a black suit.

Changing his number to avoid nuisance calls is not something the man said he wanted to do, since he has used it for business calls for the past decade. 

The man said that his wife, whose phone number is identical to his with the exception of one digit, has also been receiving nuisance calls from Squid Game fans with careless fingers. 

A spokesperson for Netflix and the show's maker Siren Pictures said: "Together with the production company, we are working to resolve this matter, including editing scenes with phone numbers where necessary."

Facebook Blames Global Outage On Configuration Error.

 


Facebook has apologized for a major global outage that left users unable to access the social network and other platforms for hours, blaming the incident on a configuration error.

The outage began at around 11.40 Eastern Time on Monday morning and lasted well into the evening of the same day — affecting not just Facebook and Messenger but Instagram and WhatsApp.

The recovery effort was also impacted as Facebook engineers found it difficult to access internal tooling which used the same internet infrastructure. Global staff were left high-and-dry for similar reasons.

The issue appears to have stemmed from a change to the firm's Border Gateway Protocol (BGP) announcements. BGP is critical to the seamless functioning of the internet: it is how a network such as Facebook's tells other networks which address ranges it can deliver traffic to, and if those announcements are withdrawn, other routers are left with no path to those addresses.

“It's a mechanism to exchange routing information between autonomous systems (AS) on the internet,” explained Cloudflare about the incident.

“The big routers that make the internet work have huge, constantly updated lists of the possible routes that can be used to deliver every network packet to their final destinations. Without BGP, the internet routers wouldn't know what to do, and the internet wouldn't work.”
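To show what "the routers wouldn't know what to do" means in practice, here is an added example, not Facebook's or Cloudflare's code: a minimal routing table with longest-prefix match and simplified best-path selection, into which a constructed network announces its prefixes and then goes silent. The prefixes are RFC 5737 documentation ranges and the ASNs are documentation ASNs; the scenario is constructed and stands in for, rather than reproduces, the Facebook event.

```python
"""Minimal model of a BGP routing table with longest-prefix match, used to
show what a withdrawn announcement does to reachability (added example,
not Facebook's or Cloudflare's code). Prefixes are RFC 5737 documentation
ranges, ASNs are documentation ASNs, and the scenario is constructed."""
import ipaddress


class Rib:
    """Routing table: prefix -> set of AS paths (nearest AS first,
    originating AS last)."""

    def __init__(self):
        self._routes = {}

    def announce(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        self._routes.setdefault(net, set()).add(tuple(as_path))

    def withdraw_origin(self, origin_asn):
        """Drop every path originated by `origin_asn`, which is what other
        routers see when that network stops announcing its prefixes."""
        for net, paths in list(self._routes.items()):
            remaining = {p for p in paths if p[-1] != origin_asn}
            if remaining:
                self._routes[net] = remaining
            else:
                del self._routes[net]

    def lookup(self, address):
        """Longest-prefix match, then shortest AS path (a simplified
        best-path selection). None means the router has no route at all."""
        addr = ipaddress.ip_address(address)
        matching = [net for net in self._routes if addr in net]
        if not matching:
            return None
        best = max(matching, key=lambda n: n.prefixlen)
        return str(best), min(self._routes[best], key=len)


PROBES = ["203.0.113.53", "203.0.113.200", "192.0.2.1"]


def simulate_outage():
    rib = Rib()
    # AS64496 stands in for a large content network: a /24 holding its
    # authoritative DNS servers, reachable through two transit providers,
    # plus a more specific /25 that must win by longest-prefix match.
    rib.announce("203.0.113.0/24", (64497, 64496))
    rib.announce("203.0.113.0/24", (64498, 64499, 64496))
    rib.announce("203.0.113.128/25", (64497, 64496))
    # An unrelated network that keeps announcing throughout.
    rib.announce("192.0.2.0/24", (64497, 64498))

    before = {a: rib.lookup(a) for a in PROBES}
    rib.withdraw_origin(64496)   # the faulty change: AS64496 goes silent
    after = {a: rib.lookup(a) for a in PROBES}
    return before, after


if __name__ == "__main__":
    before, after = simulate_outage()
    for addr in PROBES:
        print(addr, "before:", before[addr], "after:", after[addr])
```

Two things the run makes visible: the rest of the table (192.0.2.0/24 here) is untouched, so the outage is confined to the network that withdrew its routes, and once the DNS prefix has no entry at all, every resolver on the internet loses the ability to even ask where the service lives, which is why the recovery was so hard when internal tooling depended on the same infrastructure.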

Although some commentators had speculated about foul play, the cause of the outage appears to have been human error.

Vice president of infrastructure, Santosh Janardhan, said no user data was compromised and that the root cause of the issue was a “faulty configuration change.”

“Our engineering teams have learned that configuration changes on the backbone routers that coordinate network traffic between our datacenters caused issues that interrupted this communication. This disruption to network traffic had a cascading effect on the way our datacenters communicate, bringing our services to a halt,” he explained.

“People and businesses around the world rely on us every day to stay connected. We understand the impact outages like these have on people’s lives, and our responsibility to keep people informed about disruptions to our services. We apologize to all those affected, and we’re working to understand more about what happened today so we can continue to make our infrastructure more resilient.”

 

The Benefits Of Blockchain In The Travel Industry.

  Blockchain technology advocates say it’s poised to disrupt numerous industries, ranging from finance to supply chain tracking and real e...