Moscow ISP revenge hack and Microsoft Sharepoint bug warning
Ukrainian cyber group takes down Moscow ISP in revenge hack, CISA warns about exploitation of critical SharePoint vulnerability and fake 401K statements decoy. Catch all this and more in this week’s edition of Cybersecurity Weekly.
See Infosec IQ in action
1. Ukraine claims responsibility for Moscow internet service provider hack
Ukrainian hackers linked to the country's spy agency breached Moscow-based M9 Telecom in retaliation for a Russian cyber attack on Kyivstar, Ukraine's largest telecom operator. The group, known as "Blackjack" and connected to Ukraine's Security Service, deleted 20 terabytes of data, causing internet outages in Moscow. The CEO of M9 Telecom declined to comment on the attack, and its full extent remains unverified.
2. CISA warns of critical SharePoint privilege escalation vulnerability
CISA warns that hackers are exploiting a critical SharePoint vulnerability that allows admin privilege escalation. Identified as CVE-2023-29357, attackers can combine it with another vulnerability to execute arbitrary code. STAR Labs' Jang demonstrated this exploit chain at Pwn2Own 2023, following which a proof-of-concept was released on GitHub.
3. Threat actors use fake 401k year-end statements to spoof corporate credentials
Cofense reports that hackers are using fake 401(k) updates, salary changes, and performance reports to steal employee credentials. They send phishing emails posing as HR, with QR codes leading to fraudulent sites. This tactic fools even employees at companies with strong email security. Cofense advises HR departments to clearly schedule real communications to help employees spot these scams.
4. Medusa ransomware gang ramp up activities with new attacks identified
Palo Alto Networks' Unit 42 reports that the Medusa ransomware group is intensifying its activities. Using a blog and a Telegram channel, Medusa posts stolen data and pressures victims with ransom demands, including double extortion for decryption and preventing data leaks. Their transparent extortion methods have affected 74 organizations, underscoring the growing threat of ransomware and the need for robust cybersecurity measures.
5. Hackers exploit Ivanti VPN zero-days to deploy custom malware
Mandiant reports that hackers have been exploiting two zero-day vulnerabilities in Ivanti Connect Secure for espionage since December 2023. Tracked as CVE-2023-46805 and CVE-2024-21887, these flaws allow attackers to bypass authentication and inject arbitrary commands. UNC5221, the threat group behind these exploits, used the opportunity to deploy multiple families of custom malware.
Phishing simulations & training