US govt email servers hacked in Barracuda zero-day attacks

Chinese hackers targeted government and government-linked organizations worldwide, exploiting a zero-day vulnerability in Barracuda Email Security Gateway (ESG), with a particular focus on entities in the Americas, according to a report by Mandiant. Almost one-third of the hacked appliances belonged to government agencies, and the attacks were motivated by espionage, with a threat actor known as UNC4841 exfiltrating data from high-profile users in government and high-tech industries. Despite patches, the FBI warns that compromised devices are still being targeted, and advises customers to replace hacked appliances and investigate potential breaches.

bleepingcomputer.com

Relevant topic timeline:

8/2/2023

US, Norway say hackers have been exploiting Ivanti zero-day since April

Main topic: Hackers exploiting a zero-day flaw in Ivanti's mobile endpoint management software to breach government agencies. Key points: 1. Hackers exploited a zero-day flaw in Ivanti's mobile endpoint management software for at least three months. 2. Multiple Norwegian government agencies were compromised by the hackers. 3. The flaw allows unauthenticated access to users' personal information and the ability to make changes to the vulnerable server. 4. Hackers used compromised routers as proxies to conceal the source of their attacks. 5. A second vulnerability was also exploited, reducing the complexity of executing attacks. 6. Ivanti released patches for both vulnerabilities. 7. CISA and NCSC-NO urged agencies to search their systems for potential compromise and report any issues. 8. Previous MobileIron vulnerabilities have been exploited by government-backed actors, potentially linked to Chinese state-sponsored hackers. 9. Ivanti has not yet responded to inquiries. 10. There are still over 2,200 exposed MobileIron portals, mostly in the United States.

8/3/2023

Russia-backed hackers used Microsoft Teams to breach government agencies

Main topic: Russian state-sponsored hackers posing as technical support staff on Microsoft Teams to compromise global organizations, including government agencies. Key points: 1. The hacking campaign was carried out by a Russian state-sponsored group known as APT29 or Cozy Bear. 2. The group is linked to the SolarWinds attack in 2020 and is part of Russia's Foreign Intelligence Service. 3. The hackers used previously compromised Microsoft 365 accounts to create new technical support-themed domains. 4. They sent Microsoft Teams messages to manipulate users into granting approval for multi-factor authentication prompts. 5. By gaining access to user accounts, the hackers aimed to exfiltrate sensitive information. 6. Less than 40 unique global organizations were targeted or breached, including government agencies, non-government organizations, and various sectors. 7. Microsoft has mitigated the use of the domains and continues to investigate the activity. 8. The campaign follows a recent incident where Chinese hackers exploited a flaw in Microsoft's cloud email service.

8/7/2023

China reportedly had ‘deep, persistent access’ to Japanese networks for months

Main topic: Cybersecurity breach in Japan's defense networks by hackers from China. Key points: 1. Hackers from China had "deep, persistent access" to Japanese defense networks. 2. The breach was discovered by the National Security Agency in late 2020 and persisted through the end of the Trump administration and early 2021. 3. Japan initially declined assistance from US Cyber Command and opted for domestic commercial security firms, but later adopted a more active national security strategy, including the establishment of a new cyber command and the addition of 4,000 cybersecurity personnel.

9/6/2023

Hackers stole Microsoft signing key from Windows crash dump

Chinese hackers stole a signing key from a Windows crash dump and used it to breach government email accounts, including those of the U.S. State and Commerce Departments, by exploiting a zero-day validation issue in Microsoft's Exchange Online and Azure Active Directory.

Topics

Posted 8/29/2023, 12:00:00 PM