Cybercrime , Fraud Management & Cybercrime , Incident & Breach Response
Also: Hackers Target Apple Password Reset Flaw
Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Russian organizations are losing Microsoft Cloud, hackers targeted an Apple flaw, Germany warned of critical flaws in Microsoft Exchange, an info stealer targeted Indian government agencies and the energy sector, and Finland confirmed APT31’s role in a 2020 breach of Parliament.
See Also: Ransomware Response Essential: Fixing Initial Access Vector
Microsoft Restricting Cloud Products for Russian Organizations
Russian resellers of Western cloud products from providers including Microsoft and Amazon told customers their service will terminate this month as the companies start complying with enhanced European sanctions. Europe imposed a new round of sanctions on Russia in December – the twelfth round since Russia invaded Ukraine in February 2022. The sanctions cover enterprise and design-related software, including business intelligence and computer-assisted design. Russian It provider Softline advised customers earlier this month to backup all their data stored in Microsoft, Amazon and Google clouds.
Russian state-controlled media outlet Tass published a list of the 50 affected Microsoft products, which it says includes the Office suite, SharePoint and Power BI. The Russian government has touted Linux-based alternatives to Microsoft. Redmond in March 2022 suspended new sales in Russia and Belarus. A company representative did not return a request for comment. In Russia, cloud service really is on demand.
Hackers Targeting Apple Password Reset Flaw
Hackers are exploiting a potential bug in Apple’s password reset feature, said startup founder Parth Patel on X. The attack, reminiscent of “push bombing” or “MFA fatigue” tactics, inundates targeted Apple devices with numerous system-level prompts, rendering them unusable until the user responds to each prompt with either “Allow” or “Don’t Allow.”
Patel said he was bombarded with notifications demanding approval for a password reset. Despite his efforts to decline the prompts, he said, he received a call from a purported Apple support representative, further complicating the situation.
Cybersecurity reporter Brian Krebs reported cryptocurrency hedge fund owner “Chris” experienced a similar phishing attempt, in which he received multiple reset notifications and an unsolicited call claiming to be from Apple support. Sensing a potential security breach, Chris – who asked he be identified only by his first name – changed his passwords and acquired a new iPhone, but the prompts persisted.
Germany Warns of Critical Flaws in Microsoft Exchange Servers
The German Federal Office for Information Security, or BSI, warned that approximately 17,000 Microsoft Exchange servers in Germany contain unpatched flaws or outdated software.
Among the 45,000 servers on which Outlook Web Access is enabled, around 12% operate on outdated Exchange versions that have not received security updates since October 2020 or April 2023. Also, 28% of Exchange 2016 or 2019 servers have been unpatched for at least four months, making them susceptible to remote code execution exploits.
BSI said that 37% of Exchange servers used by sectors such as education, healthcare, legal and local government are at severe risk. It advised Exchange administrators to implement patches and restrict web-based services to trusted IPs or use VPNs for access.
Info Stealer Targeting Indian Government
Dutch cybersecurity company EclecticIQ warned Wednesday that “an uncategorized threat actor” is targeting Indian government agencies and energy sector firms with a modified version of the open-source information stealer HackBrowserData.
The threat actor uses a phishing email containing a putative invitation letter from the Indian Air Force as bait. It uses Slack channels as exfiltration points and captures data such as internal documents, emails and cached web browser data. Because each of the attacker-operated Slack channels is named “FlightNight,” researchers have dubbed the campaign “Operation FlightNight.”
EclecticIQ estimates the hackers stole 8.8 gigabytes worth of data, “leading analysts to assess with medium confidence that the data could aid further intrusions into the Indian government’s infrastructure.”
The tactics used by the hackers appear similar to those from an earlier round of info stealers targeting the Indian military that was spotted in January. EclecticIQ said it has high confidence that the motive behind the campaign is cyberespionage.
Finland Confirms APT31’s Role in 2020 Parliament Breach
Finnish law enforcement on Tuesday linked Chinese nation-state threat actor APT31 to the 2020 hack of email inboxes belonging to members of the country’s Parliament. The disclosure by the Police of Finland came on the heels of U.S. federal prosecutors indicting seven Chinese nationals they accuse of hacking for hire for APT 31 (US Indicts Accused APT31 Chinese Hackers for Hire).
The Finnish Security and Intelligence Service, known better as Supo, in 2021 linked APT 31 with the hack. “These connections have now been confirmed by the investigation, and the police have also identified one suspect,” the Police of Finland said Tuesday.
Other Coverage From Last Week
With reporting from Information Security Media Group’s Mihir Bagwe in Mumbai, India, and David Perera in Washington, D.C.
