Weekly Cyber News Roundup

December 4th to December 8th, 2023

Contents

01. News Bites
  • Microsoft urges Outlook users to install security update and enhance security measures.

  • Global Law Enforcement Agencies Dismantle Major Ransomware Ring in Ukraine, Arrest Five.

  • Ransomware Attack on Cloud IT Provider Disrupts Services for 60 US Credit Unions.

  • EU Set to Adopt Cyber Resilience Act, Bolstering Security Standards for Digital Products.

  • HTC Global Services Confirms Cyberattack Amid ALPHV Ransomware Gang's Data Leak Exposure.


02. Conclusion

Quick News Bites

Microsoft urges Outlook users to install security update and enhance security measures 

Microsoft has issued an urgent advisory to Outlook users to update their software promptly and to implement additional security measures, including password resets and multi-factor authentication (MFA). The warning responds to active exploitation of a known vulnerability by a nation-state threat actor, specifically targeting Exchange users. 

Separately, Outlook services were recently disrupted by Anonymous Sudan, a hacking group with possible ties to Russia.  

The vulnerability in question, along with a subsequent bypass, was identified months ago and patches were made available. Its continued exploitation underscores the critical importance of installing security updates promptly. 

Microsoft's security blog revealed that a Russia-based group, "Forest Blizzard," has been exploiting the CVE-2023-23397 vulnerability to gain unauthorised access to email accounts on Exchange servers. Forest Blizzard, also known as "Fancy Bear" or "APT28," is believed to be linked to the Russian Federation's military intelligence agency, the GRU. Its primary targets are government, energy and transportation entities across the US, Europe and the Middle East, as well as companies and organisations with no state affiliation. 

The original flaw (CVE-2023-23397) was patched in March 2023, having been actively exploited since April 2022. A bypass discovered in May 2023 (CVE-2023-29324) required a further patch to prevent zero-click attacks. Because patch installation has been uneven across organisations, these vulnerabilities remain a live threat. 

To counter this, Microsoft emphasises applying the latest Outlook security updates regardless of hosting platform. The company also provides a script to check whether Exchange servers have been targeted, and advises resetting the passwords of affected accounts and implementing MFA.  
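The check below illustrates what a "have we been targeted" sweep for CVE-2023-23397 looks like in practice. It is an added example written for this roundup, not Microsoft's own checking script, and it rests on one assumption drawn from the public analysis of the bug rather than from the text above: the crafted message sets the extended MAPI property PidLidReminderFileParameter to a UNC path, so Outlook opens an SMB/WebDAV connection to that host when the reminder fires and leaks NTLM credentials, which is why the guidance pairs patching with password resets. The MailItem type, the trusted_suffixes parameter and the sample mailbox are constructed for the example.

```python
"""Triage sweep for the CVE-2023-23397 indicator: a reminder sound path that
names a remote UNC host.

Added example, not Microsoft's CVE-2023-23397.ps1 script. Assumption from the
public analysis of the bug: the malicious item carries the extended MAPI
property PidLidReminderFileParameter set to a UNC path. MailItem, the sample
items and the trusted_suffixes parameter are constructed for this example.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# \\host\share, //host/share (either separator is worth matching) and the
# extended form \\?\UNC\host\share. The host is capture group 1.
_UNC_RE = re.compile(r"^(?:[\\/]{2}\?[\\/]UNC[\\/]|[\\/]{2})([^\\/]+)(?:[\\/]|$)")


@dataclass
class MailItem:
    subject: str
    sender: str
    # Value of PidLidReminderFileParameter if the item has one; None otherwise.
    reminder_file_parameter: Optional[str]


def unc_host(value: Optional[str]) -> Optional[str]:
    """Return the lower-cased host named by a UNC path, or None if not UNC."""
    if not value:
        return None
    match = _UNC_RE.match(value.strip())
    if not match:
        return None
    # WebDAV-style "host@SSL" / "host@port" suffixes still name the same host.
    return match.group(1).split("@", 1)[0].lower()


def is_internal(host: str, trusted_suffixes: Iterable[str]) -> bool:
    """True for loopback/link-local/private IPs, localhost, or a trusted DNS suffix."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
        return ip.is_loopback or ip.is_link_local or ip.is_private
    except ValueError:
        pass  # not an IP literal; fall through to the name checks
    if host == "localhost":
        return True
    suffixes = [s.lower() for s in trusted_suffixes]
    return any(host == s or host.endswith("." + s) for s in suffixes)


def scan(items: Iterable[MailItem], trusted_suffixes: Iterable[str] = ()) -> List[dict]:
    """Report every item whose reminder sound points at a UNC host.

    Severity is "high" for hosts outside the organisation and "review" for
    internal ones: a reminder never needs a network share, and a compromised
    internal host can harvest the same NTLM material, so nothing is dropped.
    """
    findings = []
    for item in items:
        host = unc_host(item.reminder_file_parameter)
        if host is None:
            continue
        severity = "review" if is_internal(host, trusted_suffixes) else "high"
        findings.append({"subject": item.subject, "sender": item.sender,
                         "host": host, "severity": severity})
    return findings


# Constructed sample mailbox; none of these are real messages or hosts.
SAMPLE_ITEMS = [
    MailItem("Team lunch", "hr@corp.example.com", None),
    MailItem("Dentist", "me@corp.example.com", r"C:\Windows\Media\Alarm01.wav"),
    MailItem("Invoice overdue", "billing@example-lookalike.net",
             r"\\files.example.net\share\alert.wav"),
    MailItem("Standup", "pm@corp.example.com",
             r"\\fileserver.corp.example.com\sounds\chime.wav"),
    MailItem("Reminder", "ops@corp.example.com", "//192.168.10.20/s/x.wav"),
    MailItem("Contract", "legal@example-lookalike.net",
             r"\\webdav.example.org@SSL\DavWWWRoot\x.wav"),
    MailItem("Update", "it@example-lookalike.net",
             r"\\?\UNC\drop.example.net\c$\x.wav"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_ITEMS, trusted_suffixes=("corp.example.com",)):
        print(f"{f['severity']:6} {f['host']:30} {f['sender']:32} {f['subject']}")
```

Run against the constructed mailbox, the sweep reports five of the seven items: the three pointing at hosts outside corp.example.com as "high", and the two pointing at an internal file server or a private address as "review". In a real sweep the property would be read from each mailbox item via Exchange or Graph rather than from a list; the classification logic is the part worth keeping.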

Global Law Enforcement Agencies Dismantle Major Ransomware Ring in Ukraine, Arrest Five 

In a coordinated international operation involving Europol and agencies from the U.S. and other countries, law enforcement dismantled a major Ukraine-based ransomware operation. The group, linked to a series of attacks using the HIVE, LockerGoga, Dharma and MegaCortex ransomware strains, targeted over 250 servers in 71 countries and caused losses in the hundreds of millions of euros. 

The operation, executed at the end of November, involved raids at 30 locations across Kyiv, Cherkasy, Rivne and Vinnytsia, leading to the arrest of the group's alleged leader and four associates.  

The arrests are a blow to the ransomware ecosystem: the group worked with multiple ransomware operations and contributed to substantial financial losses worldwide. The operation also reflects the increasing effectiveness of international collaboration against organised cybercrime gangs. 

Ransomware Attack on Cloud IT Provider Disrupts Services for 60 US Credit Unions 

A ransomware attack on cloud IT provider Ongoing Operations, which serves about 60 credit unions across the U.S., has caused significant disruption. The National Credit Union Administration (NCUA), which regulates and insures these financial institutions, confirmed the widespread outages triggered by the attack. Members of affected credit unions are insured up to $250,000 each by the National Credit Union Share Insurance Fund. 

Ongoing Operations, owned by Trellance, was compromised on November 26, 2023, likely via the Citrix Bleed vulnerability. The company, which provides disaster recovery and other IT services, responded by engaging third-party specialists and notifying federal law enforcement, and told its clients there was no immediate evidence of data misuse. 

The disruption reached credit unions in New York as well, indicating a nationwide impact. Trellance's client FedComp Inc also experienced disruptions, confirming a "countrywide outage" and limited technical support availability. The incident highlights the growing cyber security risk that financial organisations carry through their third-party service providers. 

EU Set to Adopt Cyber Resilience Act, Bolstering Security Standards for Digital Products 

The European Union is on the verge of formally adopting the Cyber Resilience Act (CRA), a pivotal piece of legislation aimed at enhancing the security of digital products. Following extensive negotiations, the European Parliament and the EU Council reached a political agreement on the act on December 3. 

First proposed by the European Commission in September 2022, the CRA establishes security requirements for manufacturers of connected devices within the EU. A provisional agreement reached on November 30 indicated alignment on the law's technical aspects. A notable feature of the CRA is the obligation for manufacturers of Internet of Things (IoT) devices and other connected products to report significant cyber incidents and actively exploited, unpatched vulnerabilities. 

The legislation is the first of its kind and applies across sectors. It requires manufacturers to perform risk assessments to determine which security measures apply, and mandates at least five years of product support, with security updates remaining available for 10 years or for the duration of the support period, whichever is longer. 

Manufacturers can self-assess their compliance with these requirements. Products deemed "important" or "critical", however, must undergo a security audit by a certified body to demonstrate adherence to the CRA's stricter requirements. 

HTC Global Services Confirms Cyberattack Amid ALPHV Ransomware Gang's Data Leak Exposure 

HTC Global Services has confirmed it was the victim of a cyberattack after the ALPHV ransomware gang released screenshots of stolen data.  

The company, which serves the healthcare, automotive, manufacturing and financial sectors, confirmed the incident in a tweet earlier this week. 

The confirmation followed the ALPHV (BlackCat) ransomware gang listing HTC on its data leak site, with screenshots showing sensitive material such as passports, emails and confidential documents. Cyber security researchers suggest the breach may have been carried out through the Citrix Bleed vulnerability, with HTC's CareTech unit particularly affected. 

ALPHV/BlackCat, a rebrand of the DarkSide and BlackMatter ransomware operations, is known for sophisticated attacks on global enterprises. Under the DarkSide name the operation gained infamy with the Colonial Pipeline attack, and it has since evolved, bringing English-speaking affiliates into its operations. Recent attacks have hit a wide range of targets, including critical infrastructure such as electricity providers and hospital networks, which could draw increased scrutiny from law enforcement agencies. 

Closing Summary

If you are worried about any of the threats outlined in this bulletin or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager, or alternatively Get in touch to find out how you can protect your organisation. 

Disclaimer

The Threat Intel Roundup was prepared by Integrity360 summarising threat news as we observe it, current at the date of publishing. It should not be considered to be legal, consulting or any other professional advice. Any recommendations should be considered in the context of your own organisation. Integrity360 does not take any political stance in the information that we share. Moreover, the opinions expressed may not necessarily be the views of Integrity360.

Need advice?

If you are worried about any of the threats outlined in this roundup or need help in determining what steps you should take to protect yourself from the most material threats facing your organisation, please contact your account manager or fill in the form for a complimentary no-commitment consultation.

More detailed threat intelligence news?

If you’d like more detailed threat intelligence news, Integrity360 offers this as part of our security monitoring managed services.

We also offer a tailored threat intelligence monitoring service for your organisation that actively monitors for threat actors and campaigns of direct relevance to your organisation, brand damage, copycat & spoofed domains, credential leakage and dark web monitoring.
