Threat actors affiliated with the Russian Foreign Intelligence Service (SVR) have targeted unpatched JetBrains TeamCity servers in widespread attacks since September 2023.

The activity has been tied to a nation-state group known as APT29, which is also tracked as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes. It's notable for the supply chain attack targeting SolarWinds and its customers in 2020.

"The SVR has, however, been observed using the initial access gleaned by exploiting the TeamCity CVE to escalate its privileges, move laterally, deploy additional backdoors, and take other steps to ensure persistent and long-term access to the compromised network environments," cybersecurity agencies from Poland, the U.K., and the U.S. said.

The vulnerability in question is CVE-2023-42793 (CVSS score: 9.8), a critical security flaw that could be weaponized by unauthenticated attackers to achieve remote code execution on affected systems. It has since come under active exploitation by hacking crews, including those associated with North Korea, for malware delivery.

"The TeamCity exploitation usually resulted in code execution with high privileges granting the SVR an advantageous foothold in the network environment," the agencies noted. "If compromised, access to a TeamCity server would provide malicious actors with access to that software developer's source code, signing certificates, and the ability to subvert software compilation and deployment processes - access a malicious actor could further use to conduct supply chain operations."

Successful initial access is typically followed by reconnaissance, privilege escalation, lateral movement, and data exfiltration, while the intruders simultaneously take steps to evade detection using an open-source tool called EDRSandBlast.

The end goal of the attacks is to deploy a backdoor codenamed GraphicalProton that functions as a loader to deliver additional payloads. GraphicalProton, which is also known as VaporRage, leverages OneDrive as a primary command-and-control (C2) communication channel, with Dropbox treated as a fallback mechanism. It has been put to use by the threat actor as part of an ongoing campaign dubbed Diplomatic Orbiter that singles out diplomatic agencies across the world.

As many as 100 devices located across the U.S., Europe, Asia, and Australia are said to have been compromised as a result of what's suspected to be opportunistic attacks.

"Post-compromise activity includes credential theft using Mimikatz, Active Directory enumeration using DSinternals, deployment of tunneling tool rsockstun, and turning off antivirus and EDR capabilities," Microsoft said, adding it took steps to disrupt what it described as a "widespread campaign" targeting TeamCity servers by exploiting the flaw.

Targets of the campaign include an energy trade association; firms that provide software for billing, medical devices, customer care, employee monitoring, financial management, marketing, sales, and video games; as well as hosting companies, tools manufacturers, and small and large IT enterprises.

"Midnight Blizzard took a kitchen sink approach, using password spray, credentials acquired from third-parties, believable social engineering campaigns via Teams, and abuse of cloud services to infiltrate cloud environments," the tech giant said.
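The first check a defender wants after reading about CVE-2023-42793 is whether a given TeamCity server is still on a pre-fix release. The helper below is an added example, not code from the article, from JetBrains, or from the cited agencies. It assumes that the fix shipped in TeamCity 2023.05.4, so every earlier on-premises release is treated as unpatched, and that the server reports its version in the familiar "Version 2023.05.3 (build 129390)" form seen in the web UI footer and REST responses; both assumptions are marked in the code. A pre-fix version number is a lead to confirm on the host rather than proof of exposure, because JetBrains also published a security patch plugin for older versions.

```python
"""
Offline triage helper: decide whether a JetBrains TeamCity server's reported
version predates the release that fixed CVE-2023-42793.

Added example, not from the article or from JetBrains. Assumptions (labelled):
  - The fix shipped in TeamCity 2023.05.4; every earlier on-premises release is
    treated as unpatched (FIXED_VERSION below).
  - Version strings look like "2023.05.3 (build 129390)" or "2022.10.2", as
    TeamCity prints them in the page footer and REST API.
"""
import re
from typing import Optional, Tuple

# Assumption: first release containing the fix for CVE-2023-42793.
FIXED_VERSION: Tuple[int, int, int] = (2023, 5, 4)

# Matches "2023.05.3", "2023.05", "2022.10.2"; the trailing "(build NNNNNN)"
# is ignored because it has no dot after a four-digit group.
_VERSION_RE = re.compile(r"\b(\d{4})\.(\d{1,2})(?:\.(\d{1,3}))?\b")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first TeamCity-style version out of arbitrary text (an HTML
    footer, a banner line, a REST response). Returns (year, minor, patch),
    with a missing patch component treated as 0, or None if nothing matches."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    year, minor, patch = m.groups()
    return (int(year), int(minor), int(patch or 0))


def is_unpatched(version: Tuple[int, int, int]) -> bool:
    """True when the version tuple sorts before FIXED_VERSION.
    Tuple comparison handles 2022.10.x < 2023.05.4 < 2023.11 correctly."""
    return version < FIXED_VERSION


def _fmt(version: Tuple[int, int, int]) -> str:
    # TeamCity zero-pads the minor component ("2023.05"), so mirror that.
    return "%d.%02d.%d" % version


def triage(text: str) -> str:
    """One-line verdict for a version string or a page fragment containing one."""
    v = parse_version(text)
    if v is None:
        return "unknown: no version string found"
    if is_unpatched(v):
        return (f"UNPATCHED: {_fmt(v)} predates {_fmt(FIXED_VERSION)}; "
                "treat as exposed to CVE-2023-42793 unless the security patch "
                "plugin is confirmed installed")
    return f"ok: {_fmt(v)} is at or after {_fmt(FIXED_VERSION)}"


if __name__ == "__main__":
    # Constructed sample inputs, in the shape of a TeamCity login-page footer.
    samples = [
        'Version 2023.05.3 (build 129390)',
        'Version 2023.05.4 (build 129421)',
        '<span class="version">2022.10.2</span>',
        'TeamCity 2023.11',
        'no version here',
    ]
    for s in samples:
        print(f"{s!r:45} -> {triage(s)}")
```

The regex is deliberately loose so the same function works on a scraped footer, a banner from a scanner, or a line copied from a change log; what matters is the ordered tuple comparison, which avoids the string-comparison mistake of treating "2023.11" as older than "2023.05.4".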