Widespread Infiltration of HP Enterprise: Hackers with connections to the Kremlin infiltrated Hewlett Packard Enterprise's (HPE) cloud email environment, exfiltrating mailbox data. The incident, first detected in December 2023, persisted undetected for over six months, starting in May 2023. The attack targeted HPE's cybersecurity, go-to-market, business segments, and other functional areas, but the company reported no significant impact on operations.
APT29's Sophisticated Espionage Tactics: The attacks were orchestrated by APT29, a Russian state-sponsored group also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard, and The Dukes. APT29 is known for high-profile intrusions, including the 2016 U.S. Democratic National Committee breach and the 2020 SolarWinds supply chain compromise. Its strategy relies on legitimate but compromised accounts to maintain an extended, undetected presence in target environments.
Expanding Targets and Advanced Techniques: Microsoft revealed that APT29, responsible for a cyberattack on its own systems in late November 2023, is targeting additional organizations globally. The group primarily aims at governmental, diplomatic, NGO, and IT service provider organizations in the U.S. and Europe. Its tactics include diverse initial access methods, exploitation of on-premises environments to move laterally into cloud environments, and abuse of service providers' trust relationships to reach their downstream customers.
Rogue OAuth Applications and Evasion Methods: APT29 uses breached accounts to create and manipulate OAuth applications, granting them high privileges for covert activity. This lets the group keep access even after losing control of the initially compromised account. It also ran password spray attacks from a distributed residential proxy infrastructure, which makes traditional IoC-based detection difficult because the source IP addresses turn over so quickly.
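Because the IPs behind a residential proxy pool churn too fast for blocklists, a defender looks for the behaviour instead: many distinct accounts each failing once or twice inside a short window, from many different sources. The following detection logic is an added example, not code from the brief or from Microsoft; the sign-in log format and the sample events are constructed for illustration.

```python
"""Behavioural password-spray detection over sign-in failures.

Added example (not from the original brief or from Microsoft). A spray from
a residential proxy pool shows up as many distinct accounts each failing a
few times, from many source IPs, in a short window; blocking individual IPs
misses it. The log line format below is constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a low-and-slow spray across nine accounts from
# rotating IPs, plus one user who mistyped a password twice then succeeded.
SAMPLE_LOG = """\
2024-01-25T10:00:05Z FAIL user=alice@corp.example src=203.0.113.10
2024-01-25T10:00:41Z FAIL user=bob@corp.example src=198.51.100.7
2024-01-25T10:01:12Z FAIL user=carol@corp.example src=203.0.113.44
2024-01-25T10:01:50Z FAIL user=dave@corp.example src=192.0.2.91
2024-01-25T10:02:30Z FAIL user=erin@corp.example src=198.51.100.120
2024-01-25T10:03:02Z FAIL user=frank@corp.example src=203.0.113.200
2024-01-25T10:03:40Z FAIL user=grace@corp.example src=192.0.2.17
2024-01-25T10:04:15Z FAIL user=heidi@corp.example src=198.51.100.66
2024-01-25T10:04:20Z FAIL user=ivan@corp.example src=192.0.2.3
2024-01-25T10:04:21Z FAIL user=ivan@corp.example src=192.0.2.3
2024-01-25T10:04:55Z OK   user=ivan@corp.example src=192.0.2.3
"""

def parse(log):
    # Each line: "<timestamp> <FAIL|OK> user=<account> src=<ip>"
    events = []
    for line in log.splitlines():
        ts, result, user, src = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       result, user.split("=", 1)[1], src.split("=", 1)[1]))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=8, max_per_user=2):
    """Return (window start, distinct accounts, distinct IPs) for the first
    window that looks like a spray: many accounts, few failures each. A brute
    force on one account or a single fumbling user never reaches min_users."""
    fails = sorted(e for e in events if e[1] == "FAIL")
    for i, (start, _, _, _) in enumerate(fails):
        per_user, ips = defaultdict(int), set()
        for ts, _, user, src in fails[i:]:
            if ts - start > window:
                break
            per_user[user] += 1
            ips.add(src)
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            return (start, len(per_user), len(ips))
    return None
```

The thresholds are starting points; tune min_users and the window to the size of the tenant so that a help-desk password reset campaign does not trip the rule.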
Sophisticated Cyberespionage Tool: The NSPX30 backdoor, an advanced implant employed by the Blackwood APT, is used for cyberespionage. Originally discovered in 2005, it has evolved into a more sophisticated threat, capable of hijacking update requests from legitimate software using adversary-in-the-middle (AiTM) techniques.
Global Target Scope: Blackwood targets individuals and companies in China, Japan, and the UK. Victims include unidentified individuals in China and Japan, a Chinese-speaking individual at a UK university, a large Chinese manufacturing company, and China-based offices of a Japanese corporation.
Multistage Implant Capabilities: NSPX30, a multistage implant, is designed to steal sensitive data, monitor user activity, and potentially disrupt system operations. It can re-compromise systems even after losing initial access, making it a persistent threat.
Evasion and Data Exfiltration Techniques: The backdoor utilizes legitimate software such as Tencent QQ, Sogou Pinyin, and WPS Office to establish communication channels and capture screenshots. Attackers employ interception techniques to anonymize their infrastructure and seamlessly forward malicious traffic to their own systems.
Severe CLI Flaw in Jenkins: A critical vulnerability in Jenkins' built-in command-line interface (CLI), identified as CVE-2024-23897, allows remote attackers to obtain cryptographic keys and execute arbitrary code. This affects Jenkins versions 2.441 and earlier, including LTS 2.426.2 and earlier.
Exploitation and Impact: Attackers can exploit this flaw to read arbitrary files on the Jenkins controller file system. Unauthenticated attackers can read the first few lines of a file, while authenticated ones, even with read-only permissions, can view entire file contents.
Remote Code Execution Risks: The vulnerability can be leveraged to access cryptographic keys, enabling several remote code execution (RCE) scenarios. These include decrypting stored secrets, deleting Jenkins items, and downloading Java heap dumps of the Jenkins controller process.
Remediation and Unpatched Vulnerabilities: Jenkins 2.442 and LTS 2.426.3 resolve the vulnerability by disabling the affected command-parser feature. Administrators who cannot update should disable Jenkins CLI access as a temporary workaround. A similar vulnerability in the Log Command Plugin, CVE-2024-23904, remains unpatched.
MOVEit Vulnerability Exploited: Cyber criminals targeted CCleaner using a flaw in the MOVEit file transfer tool. They stole names, contact information, and product details. The attack affected fewer than 2% of users, but given CCleaner's large user base, the absolute number affected is significant.
Delayed Disclosure: CCleaner took several months to inform its users about the breach. This delay raises questions about the company's transparency and incident response strategy, potentially eroding trust among its user base.
Community Confusion: Users on CCleaner's community forum were initially unsure if the warning emails were genuine. Even moderators were not informed, leading to misinformation and increased risk for users who might have ignored genuine alerts.
Data Protection Advice: Users are advised to check their email and passwords on "Have I Been Pwned" for any breaches. The company is also offering dark web monitoring services to affected individuals, although this is seen as a reactive measure rather than a proactive solution.
Widespread Misconfiguration Risks: Cybersecurity researchers discovered a critical security loophole in Google Kubernetes Engine (GKE), named "Sys:All". The issue could allow any Google account holder to gain control over a Kubernetes cluster because of a widespread misunderstanding of the system:authenticated group's scope. An estimated 250,000 active GKE clusters are exposed to this misconfiguration.
Technical Details and Exploitation: The misconfiguration stems from the system:authenticated group in GKE, which includes every Google-authenticated account, including those outside the organization. Administrators therefore unwittingly assign over-permissive roles to it. Exploitation could lead to lateral movement, cryptomining, and sensitive data theft without leaving a traceable link to the Gmail or Google Workspace account that obtained the OAuth bearer token.
Real-World Consequences and Examples: Orca Security's investigation into this issue revealed over a thousand vulnerable clusters. The misconfiguration was used to penetrate a NASDAQ-listed company's GKE clusters, exposing sensitive information such as AWS keys and private keys, which could have led to system-wide breaches. This emphasizes the need for stringent security controls in cloud environments to prevent similar incidents.
Recommendations and Remediation by Google: In response, Google has blocked the binding of the system:authenticated group to the cluster-admin role in GKE versions 1.28 and later. Google also recommends not binding the system:authenticated group to any RBAC role and has emailed all GKE users with bindings to these groups, advising them to review their configurations. Despite these improvements, other roles and permissions can still be assigned to the system:authenticated group, so vigilance remains necessary.
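Since Google's block only covers cluster-admin on newer versions, administrators still need to audit every other binding themselves. The following auditor is an added example (not from the brief, Orca Security or Google): it walks the binding list that `kubectl get clusterrolebindings,rolebindings -A -o json` returns and flags any grant to system:authenticated or system:unauthenticated; the embedded sample bindings are constructed for illustration.

```python
"""Audit Kubernetes RBAC bindings for grants to system:authenticated.

Added example, not code from the original brief or from Orca Security or
Google. It scans the items that `kubectl get clusterrolebindings,rolebindings
-A -o json` returns (in practice json.load() that output; a constructed
sample is embedded below) and reports every binding that gives a role to
system:authenticated, which on GKE covers every Google account, not just
the organization's own users.
"""

# Groups that should never be a binding subject on GKE (both are broader
# than administrators usually assume).
RISKY_GROUPS = {"system:authenticated", "system:unauthenticated"}

def risky_bindings(items, ignore=frozenset()):
    """Return (scope, binding name, role, group) for every binding whose
    subjects include a risky group. Roles listed in `ignore` (for example
    the Kubernetes defaults system:basic-user and system:discovery, which
    ship bound to system:authenticated) are skipped after review."""
    findings = []
    for b in items:
        meta = b.get("metadata", {})
        scope = meta.get("namespace") or "cluster"
        role = b.get("roleRef", {}).get("name", "?")
        if role in ignore:
            continue
        for s in b.get("subjects") or []:
            if s.get("kind") == "Group" and s.get("name") in RISKY_GROUPS:
                findings.append((scope, meta.get("name", "?"), role, s["name"]))
    return findings

# Constructed sample: one dangerous cluster-admin grant, one expected
# Kubernetes default, and one safe namespaced binding to a named user.
SAMPLE = {"items": [
    {"kind": "ClusterRoleBinding", "metadata": {"name": "anyone-is-admin"},
     "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "ClusterRoleBinding", "metadata": {"name": "system:basic-user"},
     "roleRef": {"kind": "ClusterRole", "name": "system:basic-user"},
     "subjects": [{"kind": "Group", "name": "system:authenticated"}]},
    {"kind": "RoleBinding", "metadata": {"name": "dev-view", "namespace": "dev"},
     "roleRef": {"kind": "ClusterRole", "name": "view"},
     "subjects": [{"kind": "User", "name": "alice@example.com"}]},
]}

if __name__ == "__main__":
    for scope, name, role, group in risky_bindings(SAMPLE["items"]):
        print(f"[{scope}] {name}: grants {role} to {group}")
```

Run it against the live output of kubectl on every cluster, and treat any hit outside the reviewed defaults as a finding to remove, not an exception to document.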