New activity of the threat actor Nobelium
Microsoft has issued an update on the activities of the Russian threat actor known as Nobelium (aka APT29), which is credited with compromising the SolarWinds supply chain in late 2020. This time, researchers warn of targeted brute-force and password spraying attacks against entities in 36 different countries, almost half of which are focused on the United States. In terms of sectors, the attacks are mainly affecting technology companies (57%) and government (20%), as well as, to a lesser extent, financial institutions and think tanks. So far, there are three known compromises as a result of this activity. Additionally, as part of this investigation, Microsoft identified a credential-stealing trojan installed on the device of one of its customer support employees. With this intrusion, Nobelium gained access to basic account information of a limited number of Microsoft customers, data that has been used to launch targeted phishing campaigns.
More information: https://msrc-blog.microsoft.com/2021/06/25/new-nobelium-activity/
Microsoft releases technical details of critical vulnerabilities in NETGEAR routers
Security researchers at Microsoft 365 Defender Research have published details of three critical vulnerabilities with CVSS scores between 7.1 and 9.4 in NETGEAR DGN-2200v1 routers with versions prior to v220.127.116.11. These were reported in a security advisory by Netgear in December 2020, along with details for patching the vulnerabilities. The three vulnerabilities lie in the HTTPd component and allow an unauthenticated remote attacker to bypass authentication and perform the backup function to obtain access credentials, as well as recover these through side-channel attacks by measuring the response time upon authentication. These vulnerabilities could provide an entry vector into the internal networks of companies that have the exposed administration port of the vulnerable router.
Brute-force attack campaign by members of the Russian GRU
Several American and British agencies, NSA, CISA, FBI and NCSC, have published an alert about a campaign of brute force attacks carried out from the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). According to the researchers, this campaign has been running from mid-2019 to the beginning of this year and is reportedly being directed against entities from different sectors that mainly use Microsoft Office 365 cloud services, among others. This brute-force attack methodology allows the actors to obtain the credentials of their victims, to subsequently use these accesses to carry out lateral movements. In addition, the researchers indicate that they have also managed to exploit the CVE 2020-0688 and CVE 2020-17144 vulnerabilities in Microsoft Exchange servers, in order to allow remote code execution and further access to victims’ networks. It is recommended to apply the mitigation and blocking measures for IOCs attached to the briefing note.
New Mirai botnet variants exploit a zero-day in KGUARD DVRs
Netlab researchers have identified two new botnets based on Mirai code that use a 0-day vulnerability in KGUARD digital video recording devices as a method of propagation. The vulnerability allows remote code execution without authentication and is found in those KGUARD DVR devices with firmware prior to 2017, including up to 3,000 devices currently exposed online. Analysis of the botnets, named mirai_ptea and mirai_aurora, reveals that they use Tor proxies to communicate with the C2 and the TEA algorithm to hide sensitive data, with their ultimate goal being DDoS attacks. Researchers have observed a steady activity of 2,000 infection attempts per day, with peaks of up to 15,000 attempts. Territorially, most of the infections are located in the United States, South Korea and Brazil, although their reach is global.