Monthly IntSum - July 2023

Each month we bring you a roundup of the top threat intelligence news. Our monthly IntSum report compiles the most important and relevant stories from our weekly newsletter. Our team of cybersecurity experts constantly monitors the latest threats and vulnerabilities from around the world to provide you with the most up-to-date information.

3rd July - 7th July: Anonymous Sudan claims to have stolen Microsoft customer data during recent disruptive operations

Anonymous Sudan, a pro-Russian hacktivist group, claimed to have stolen 30 million customer accounts from Microsoft. The group disrupted Microsoft's OneDrive service through Distributed Denial-of-Service (DDoS) attacks on June 9, 2023. Microsoft confirmed the DDoS attacks but denied any evidence of a data breach. However, on July 2, 2023, Anonymous Sudan announced that they had breached Microsoft's servers, allegedly obtaining credentials for the customer accounts. They offered to sell this data for USD 50,000 on their Telegram channel.

The low asking price for such valuable credentials raises doubts about the credibility of Anonymous Sudan's claims. It's likely an attempt by the group to capitalize on their recent successful DDoS attacks to make money. While they have conducted data breach operations before, their primary focus remains on DDoS attacks and disruptive actions.

The recent announcement of a joint operation with other groups targeting the Western financial system may indicate a shift in Anonymous Sudan's activities. Collaboration with more sophisticated non-hacktivist groups might lead to enhanced capabilities in the future.

10th July - 14th July: Microsoft services exploited in nation-state campaigns targeting North American and European institutions

Microsoft released two reports revealing the exploitation of its services in nation-state campaigns targeting North American and European institutions. In the first campaign, a Russian threat actor known as Storm-0978 targeted defense and government entities using an unpatched zero-day vulnerability (CVE-2023-36884). The vulnerability allowed remote code execution and was delivered through phishing emails related to the Ukraine World Congress. Once access was gained, the group installed the MagicSpell loader and the RomCom backdoor to collect credentials.

The second campaign was linked to a Chinese espionage unit called Storm-0558, which accessed Exchange Online and Outlook accounts belonging to around 25 organizations, including the US State and Commerce Departments. The actor exploited a token validation issue to impersonate Azure AD users, leading to credential theft and access to sensitive data.

These incidents underscore the continued exploitation of widely used software such as Microsoft's for malicious purposes by nation-state actors. Given the legitimacy and widespread use of such applications, threat actors find them attractive tools for successful infiltration in both financially motivated and espionage campaigns.

It is likely that such software, especially Microsoft's, will continue to be targeted, so individuals and companies are advised to monitor for security releases regularly and follow cybersecurity best practices.

17th July - 21st July: North Korean threat actors linked to attempted supply-chain compromise on JumpCloud customers

This week, Identity and Access Management (IAM) software provider JumpCloud disclosed a breach of its systems, linked to a highly targeted campaign attributed to North Korea's Labyrinth Chollima, operating as a subgroup of Lazarus. The breach occurred through spear-phishing on June 22, 2023, and was discovered by JumpCloud on June 27, 2023. Although the breach was initially believed not to impact customers, on July 5, 2023 JumpCloud found unusual commands related to a small set of customers.

JumpCloud's directory software is used by approximately 180,000 organizations worldwide for user and device management, making it a potential target for supply chain compromises similar to the 3CX compromise attributed to Lazarus in April 2023. The threat actor injected data into JumpCloud's commands framework, focusing on specific customers involved in cryptocurrency and blockchain platforms.

This is the second instance of widely used software being targeted for supply chain compromise attributed to the Lazarus group, showing the capability of sophisticated North Korean threat actors to exploit software supply chains creatively and effectively. Following this incident and the success of the 3CX compromise, it is likely that other North Korean threat actors will adopt similar techniques to target organizations downstream from software vendors.

24th July - 28th July: Data breach victims double-posted to multiple groups' leak sites

Multinational conglomerate Yamaha and cosmetics giant Estee Lauder both experienced separate data breaches. These incidents are significant because both companies were listed on data leak sites of multiple ransomware groups.

Estee Lauder confirmed the breach in a Securities and Exchange Commission filing, acknowledging that threat actors gained access to some of its systems, potentially resulting in data exfiltration. The company was listed on the data leak sites of both the ALPHV (also known as BlackCat) and Clop ransomware groups. Clop claimed to have exploited a recently disclosed zero-day vulnerability in the MOVEit Transfer platform to gain access to Estee Lauder.

In a separate incident, the Yamaha Corporation also suffered a data breach, with two ransomware groups, BlackByte and Akira, listing the organization on their respective data leak sites. Yamaha acknowledged the security incident but did not comment on the groups' claims.

The significance of these breaches lies in the uncommon occurrence of data breach victims being listed on multiple ransomware groups' leak sites, indicating potential overlap or cooperation among the different groups. The motive behind this overlap remains unclear, but it is hypothesized that ransomware affiliates may be operating under multiple brands or collaborating to expand their reach. This tactic benefits both the affiliates and the Ransomware-as-a-Service (RaaS) groups by increasing ransom payments and enhancing their reputation.

The tactic of listing victims on multiple sites was previously seen with the City of Oakland in early 2023. If successful in coercing larger ransom payments, it is likely that more victims will be listed on multiple sites in the future.

We are committed to keeping you informed and helping you stay ahead of the ever-evolving cybersecurity landscape.

By subscribing to our newsletter, you will receive monthly updates on the latest trends and threats, in-depth analysis and expert commentary. With this information at your fingertips, you can better protect yourself and your organisation from potential cyber-attacks.
