AboutDFIR.com – The Definitive Compendium Project
Digital Forensics & Incident Response

InfoSec News Nuggets 3/11/2024

Microsoft says Russian hackers stole source code after spying on its executives

Microsoft revealed earlier this year that Russian state-sponsored hackers had been spying on the email accounts of some members of its senior leadership team. Now, Microsoft is disclosing that the attack, from the same group behind the SolarWinds attack, has also led to some source code being stolen in what Microsoft describes as an ongoing attack. “In recent weeks, we have seen evidence that Midnight Blizzard [Nobelium] is using information initially exfiltrated from our corporate email systems to gain, or attempt to gain, unauthorized access,” explains Microsoft in a blog post. “This has included access to some of the company’s source code repositories and internal systems. To date we have found no evidence that Microsoft-hosted customer-facing systems have been compromised.”

Swiss cheese security? Play ransomware gang milks government of 65,000 files

Around 65,000 files relating to the Swiss government were stolen by the Play ransomware gang during an attack on an IT supplier, its National Cyber Security Center (NCSC) says. A total of 1.3 million files were stolen during the incident at software biz Xplain in May 2023, meaning 5 percent of the entire trove related to the Swiss Federal Administration – a collection of seven federal agencies that, alongside the Federal Council, comprise the main government departments. Among them were classified files and sensitive personally identifiable information (PII), all of which are believed to have been published on the dark web.

Florida teens arrested for creating ‘deepfake’ AI nude images of classmates

Two Florida middle schoolers were arrested in December and charged with third-degree felonies for allegedly creating deepfake nudes of their classmates. A report by Wired cites police reports saying two boys, aged 13 and 14, are accused of using an unnamed “artificial intelligence application” to generate the explicit images of other students “between the ages of 12 and 13.” The incident may be the first US instance of criminal charges related to AI-generated nude images.

Magnet Goblin hackers use 1-day flaws to drop custom Linux malware

A financially motivated hacking group named Magnet Goblin uses various 1-day vulnerabilities to breach public-facing servers and deploy custom malware on Windows and Linux systems. 1-day flaws are publicly disclosed vulnerabilities for which a patch has already been released. Threat actors looking to exploit these flaws must do so quickly, before a target can apply the security updates. Though exploits are usually not made available immediately upon a flaw’s disclosure, for some vulnerabilities it is trivial to work out how they can be leveraged. Additionally, reverse-engineering the patch may reveal the underlying problem and how to exploit it.

Hackers exploit WordPress plugin flaw to infect 3,300 sites with malware

Hackers are breaching WordPress sites by exploiting a vulnerability in outdated versions of the Popup Builder plugin, infecting over 3,300 websites with malicious code. The flaw leveraged in the attacks is tracked as CVE-2023-6000, a cross-site scripting (XSS) vulnerability impacting Popup Builder versions 4.2.3 and older, which was initially disclosed in November 2023. A Balada Injector campaign uncovered at the start of the year exploited the particular vulnerability to infect over 6,700 websites, indicating that many site admins hadn’t patched quickly enough.

CISA forced to take two systems offline last month after Ivanti compromise

Hackers breached the systems of the Cybersecurity and Infrastructure Security Agency (CISA) in February through vulnerabilities in Ivanti products, officials said. A CISA spokesperson confirmed to Recorded Future News that the agency “identified activity indicating the exploitation of vulnerabilities in Ivanti products the agency uses” about a month ago. “The impact was limited to two systems, which we immediately took offline. We continue to upgrade and modernize our systems, and there is no operational impact at this time,” the spokesperson said.
