Microsoft says the state-backed Russian hackers accessed senior Microsoft leaders’ emails
Microsoft’s Observations on the State-Backed Russian Actor Behind the SolarWinds Attack and the Intrusion into Microsoft’s Email System
Intelligence-gathering is the main focus of the SVR. It mainly targets governments in the U.S. and Europe.
Microsoft described the SolarWinds hacking campaign as the most sophisticated nation-state attack in history. In addition to U.S. government agencies, including the departments of Justice and Treasury, more than 100 private companies and think tanks were compromised, including software and telecommunications providers.
Microsoft calls it a hacking unit. Last year, it changed the threat-actor name for the group Nobelium. The cybersecurity firm Mandiant, owned by Google, calls the group Cozy Bear.
The Russian state-backed actor known as Midnight Blizzard has been identified by Microsoft as the source of a system intrusion detected on January 12. The company says it has fully remediated the breach, which began in November 2023 and used “password spraying” attacks to compromise a legacy, non-production test account that, in turn, allowed the attacker to access “a very small percentage of Microsoft corporate email accounts, including members of our senior leadership team and employees in our cybersecurity, legal, and other functions.” With this access, the hackers were able to exfiltrate some emails and attached documents. Microsoft reports that the attackers appeared to be looking for information about Microsoft’s investigations into them. “The attack was not the result of a vulnerability in Microsoft products or services,” the company wrote. “To date, there is no evidence that the threat actor had any access to customer environments, production systems, source code, or AI systems. We will notify customers if any action is required.”
BOSTON — State-backed Russian hackers broke into Microsoft’s corporate email system and accessed the accounts of members of the company’s leadership team, as well as those of employees on its cybersecurity and legal teams, the company said Friday.
The Microsoft disclosure comes a month after a new U.S. Securities and Exchange Commission rule took effect that compels publicly traded companies to disclose breaches that could negatively impact their business. Unless they obtain a national-security waiver, they need to do it within four days.
Facebook’s Data Brokers, and Human Trafficking, Scam Centers and Forced Labor in Southeast Asia’s Conflicts
In a password-spraying attack, the threat actor tries to log into many accounts with a single password rather than many passwords against one account. In an August blog post, Microsoft described how its threat-intelligence team discovered that the same Russian hacking team had used the technique to try to steal credentials from at least 40 global organizations through Microsoft Teams chats.
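The defender-side view of the technique described above: because a spray touches many accounts with few attempts each, the signal is a single source failing against many distinct usernames inside a short window, not repeated failures on one account. The detector below is an added illustration, not code from Microsoft or the article, and runs over a constructed sign-in log in a made-up `timestamp user ip result` format.

```python
"""Password-spray detection over constructed sign-in log lines: a spray tries one
password against many accounts, so each account sees few failures (below lockout
thresholds) while the source IP accumulates failures across many distinct users."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article): "timestamp user ip result".
SAMPLE_LOG = """\
2023-11-20T02:00:01 test-acct-01 203.0.113.7 FAIL
2023-11-20T02:00:03 test-acct-02 203.0.113.7 FAIL
2023-11-20T02:00:05 test-acct-03 203.0.113.7 FAIL
2023-11-20T02:00:07 test-acct-04 203.0.113.7 FAIL
2023-11-20T02:00:09 test-acct-05 203.0.113.7 FAIL
2023-11-20T02:00:11 test-acct-06 203.0.113.7 SUCCESS
2023-11-20T02:01:00 alice 198.51.100.4 FAIL
2023-11-20T02:01:05 alice 198.51.100.4 FAIL
2023-11-20T02:01:09 alice 198.51.100.4 SUCCESS
2023-11-20T03:30:00 bob 192.0.2.9 FAIL
"""

def parse(log_text):
    """Yield (timestamp, user, ip, result) tuples from the sample format."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        yield datetime.fromisoformat(ts), user, ip, result

def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {ip: sorted distinct users} for every source that failed against
    at least `min_users` distinct accounts inside some sliding `window`.
    """
    fails = defaultdict(list)  # ip -> [(timestamp, user)] for FAIL events only
    for ts, user, ip, result in parse(log_text):
        if result == "FAIL":
            fails[ip].append((ts, user))
    alerts = {}
    for ip, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale failures
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts
```

A single user retrying a wrong password (alice above) never trips the rule, while the spraying source is flagged even though no account saw more than one failure.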
In a new investigation, Consumer Reports and The Markup crowdsourced three years of archived Facebook data from 709 users of the social network to assess which data brokers and other organizations are tracking and monitoring them. The reporters found that 186,892 companies sent data about those 709 people to Facebook. On average, each of those users had information about them sent to Facebook by 2,230 companies. The numbers varied widely, however: many users had fewer than the average, some had far more, and thousands of companies were supplying information to the social network.
The UN estimates that there may be as many as 100,000 people held in scam centers in Cambodia and 120,000 in Myanmar. “I’ve worked in this space for over 20 years and to be honest, we’ve never seen anything like what we’re seeing now in Southeast Asia in terms of the sheer numbers of people,” Rebecca Miller, regional program director for human trafficking at the UN Office on Drugs and Crime told Vox.
As rebel groups in Myanmar violently oppose the country’s military government, the human trafficking and abuse fueling pig butchering scams is exacerbating the conflict. Forced laborers, often kidnapped and held against their will, are at the root of the scam, which has exploded in recent years. In one instance this fall, a coalition of rebel groups crossed the border to take control of 100 military outposts in the country’s north and vowed to “eradicate telecom fraud, scam dens and their patrons.”
Source: Security News This Week: US Agencies Urged to Patch Ivanti VPNs That Are Actively Being Hacked
Walmart, Ivanti, and the X-Mode Case: What Do U.S. Governments Really Want to Know About Computer Security and Privacy?
“They were worried about the bucks. That’s all,” Nick Alicea, a former fraud team leader for the US Postal Inspection Service, told ProPublica. Walmart says it has stopped $700 million of suspicious money transfers and $4 million of gift card fraud. Walmart offers financial services and works to keep customers safe from third-party fraudsters, according to a statement: “We have a robust anti-fraud program and other controls to help stop scammers and other criminals who may use the financial services we offer to harm our customers.”
More than one actor has been exploiting vulnerable Ivanti devices to gain access to organizations’ networks around the world. The activity began in December 2023, but it has ramped up in recent days as word of the vulnerabilities and a proof of concept have emerged. Researchers from the security firm Volexity say that at least 1,700 Connect Secure devices have been compromised overall. Mandiant and Volexity both have evidence that the exploitation activity may be motivated by espionage. The United States government has yet to attribute the exploitation to specific actors, but it is consistent with what has been seen from PRC actors in the past.
On Friday, the US Cybersecurity and Infrastructure Security Agency issued an emergency directive requiring federal agencies to patch two vulnerabilities that are being actively exploited in the popular VPN appliances Ivanti Connect Secure and Policy Secure. The agency’s executive assistant director, Goldstein, said that around 15 agencies have applied the mitigations and that every federal agency running a version of the products has been notified. “We are not assessing a significant risk to the federal enterprise, but we know that risk is not zero,” Goldstein said. He said investigations are under way into whether any federal agencies were compromised in the mass exploitation spree.
There’s more. Each week, we round up the security and privacy news we didn’t break or cover in depth ourselves. Stay safe and click the headlines to read the full stories.
Earlier this month the Federal Trade Commission reached a settlement with X-Mode over its selling of location data from phone apps to US government and other clients. While the action was hailed by some as a historic privacy win, it also illustrates the limitations of the FTC and the US government’s data privacy enforcement power and the ways in which many companies can avoid scrutiny and consequences for failing to protect consumers’ data.
A major coordinated disclosure this week called attention to the importance of prioritizing security in the design of graphics processing units (GPUs). Researchers published details about the “LeftoverLocals” vulnerability in multiple brands and models of mainstream GPUs—including Apple, Qualcomm, and AMD chips—that could be exploited to steal sensitive data, such as responses from AI systems. Meanwhile, new findings from the cryptocurrency tracing firm Chainalysis show how stablecoins that are tied to the value of the US dollar were instrumental in cryptocurrency-based scams and sanctions evasion last year.