- 1. Microsoft tool provides automated Exchange threat mitigation
Microsoft has released a PowerShell script to help customers running its Exchange Server on-premises software quickly and easily mitigate an attack. The "Exchange On-Premises Mitigation Tool" (EOMT) addresses a server-side request forgery authentication bypass vulnerability (CVE-2021-26855) via a uniform URL rewrite configuration.
- 2. Hackers hide credit card data from compromised stores in JPG file
Hackers are now exfiltrating credit card data stolen from compromised online stores by hiding it inside JPG image files hosted on the same compromised web site, which reduces their traffic footprint and helps them evade detection.
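A defender-side check for the technique described above, written as an added example that is not part of the original story or of any vendor tool. It assumes (my assumption; the article does not say how the data was embedded) that the stolen records are simply appended after the JPEG End-Of-Image marker, which keeps the picture viewable while carrying extra bytes. The script walks the JPEG segment headers to find the real EOI marker rather than trusting the last FF D9 in the file, reports how many bytes trail it, and counts Luhn-valid card numbers in that tail. The sample images and the card-shaped payload are constructed inline using standard test numbers.

```python
# Added example (not from the article): flag JPEG files on a web server that carry
# data appended after the true End-Of-Image marker, and count card-number-shaped,
# Luhn-valid strings in that tail. Assumption: the hidden data sits after EOI.
import re
from typing import Optional

SOI = b"\xff\xd8"  # JPEG Start-Of-Image
EOI = b"\xff\xd9"  # JPEG End-Of-Image

# 13-19 digits, optionally separated by single spaces or dashes, not glued to other digits
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn checksum; filters out random digit runs such as order IDs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_eoi(data: bytes) -> int:
    """Offset of the real EOI marker, found by walking segment headers up to SOS.
    Returns -1 for a malformed or truncated file."""
    pos = 2  # skip SOI
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:            # fill byte
            pos += 1
            continue
        if marker == 0xD9:            # EOI before any scan data
            return pos
        if marker == 0x01 or 0xD0 <= marker <= 0xD8:  # standalone markers
            pos += 2
            continue
        if marker == 0xDA:            # SOS: FF D9 cannot occur inside entropy-coded data
            return data.find(EOI, pos)
        if pos + 4 > len(data):
            return -1
        length = int.from_bytes(data[pos + 2:pos + 4], "big")
        pos += 2 + length
    return -1


def scan_image(data: bytes) -> dict:
    """Report bytes after the true EOI and how many Luhn-valid PANs they contain."""
    if not data.startswith(SOI):
        return {"jpeg": False, "malformed": False, "trailing": 0, "pans": 0}
    eoi = find_eoi(data)
    if eoi < 0:
        return {"jpeg": True, "malformed": True, "trailing": 0, "pans": 0}
    tail = data[eoi + 2:]
    candidates = [m.group() for m in PAN_RE.finditer(tail)]
    valid = sum(1 for c in candidates if luhn_ok(re.sub(rb"[^0-9]", b"", c).decode()))
    return {"jpeg": True, "malformed": False, "trailing": len(tail), "pans": valid}


# --- constructed sample data (not real files) -------------------------------
_APP0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
_SOS = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
_ENTROPY = b"\x12\x34\x56\xff\x00\x78"  # FF is byte-stuffed as FF 00 inside scan data
CLEAN = SOI + _APP0 + _SOS + _ENTROPY + EOI
# Two Luhn-valid test numbers plus one 13-digit run that fails Luhn (an order id lookalike)
PAYLOAD = (b"4111111111111111|12/25|123\r\n"
           b"378282246310005|01/26|4321\r\n"
           b"1234567890123|x\r\n")
TAMPERED = CLEAN + PAYLOAD

if __name__ == "__main__":
    for name, blob in (("clean.jpg", CLEAN), ("tampered.jpg", TAMPERED)):
        print(name, scan_image(blob))
```

In practice you would run `scan_image` over every image under the web root and alert on any file whose `trailing` count is non-zero and whose tail is not a known benign trailer (some cameras and editors do append metadata), escalating when `pans` is greater than zero; the Luhn filter keeps ordinary numeric junk from producing noise.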
- 3. Ex-contractor accessed Vic govt IT system 260 times a year after leaving
The Office of the Victorian Information Commissioner (OVIC) has disclosed that between September 2017 and October 2018, a former contractor who had worked for an unnamed contracted service provider (CSP) accessed Victorian government IT systems 260 times and stole personally identifiable information (PII) from its client relationship information system for service providers (CRISSP), continuing for 12 months after leaving the CSP.
- 4. Azure Active Directory issue takes down Teams, Office, Dynamics and more for some users
An Azure Active Directory issue causing authentication problems is affecting a subset of Microsoft customers worldwide across many Microsoft services, including Azure Portal, Dynamics, Office, Teams, and Xbox Live. Microsoft says the issue has been mitigated as of March 16.
- 5. New Mirai Variant and ZHtrap Botnet Malware Emerge in the Wild
A new wave of attacks is exploiting multiple vulnerabilities to deploy ZHtrap (a Mirai variant) on compromised systems. Attackers exploited vulnerabilities in various firewalls, VPNs, and Ethernet switches to infect targeted systems.
- 6. Hackers are targeting telecom companies to steal 5G secrets
Chinese APT group "Mustang Panda" (RedDelta) has been spotted targeting telecommunications firms in Europe, Southeast Asia, and the U.S. in ongoing attacks designed to infect targeted systems with malware and steal sensitive data, including detailed information related to 5G technology. Once victims visit a malicious page, it delivers a bogus Flash app that is then used to drop the "Cobalt Strike" backdoor.
- 7. FBI Warns of PYSA Ransomware Attacks on Education Institutions in US, UK
An alert issued on Tuesday by the FBI warns about an increase in PYSA ransomware (aka Mespinoza) attacks on education institutions in the United States and the United Kingdom. PYSA operators post information about their victims on their dark web blog and threaten to publish stolen data if the ransom is not paid.
- 8. Hacker leaks payment data from defunct WeLeakInfo breach site
A threat actor reportedly breached the now-defunct "WeLeakInfo" data breach site and leaked customers' personally identifiable information (PII) as well as the service's payment information. Information compromised includes victims' full names, email addresses, phone numbers, physical addresses, and, in many cases, passwords.
- 9. SolarWinds and Active Directory/M365 Compromise: Detecting Advanced Persistent Threat Activity from Known Tactics, Techniques, and Procedures
CISA has released a table of TTPs used by the APT actor involved with the recent SolarWinds and Active Directory/M365 compromise. The table uses the MITRE ATT&CK framework to identify APT TTPs and includes detection recommendations. This information will assist network defenders in detecting and responding to this activity.
- 10. Google: This Spectre proof-of-concept shows how dangerous these attacks can be
- 11. CRA locks out taxpayer accounts after discovering unauthorized use of credentials
CRA reportedly revoked some 800,000 taxpayers' CRA account credentials after discovering that an unidentified individual or group breached its systems in February 2021 and stole users' account credentials. Canadians remain an attractive target due to their high standard of living and technology adoption rate.
- 12. Breach Exposes Data of 200K Health System Staff, Patients
A medical practice management firm that provides support to Tacoma-based MultiCare Health System has alerted over 200,000 patients, providers and staff that their PII may have been compromised after its technology vendor, Netgain Technology, was hit by a ransomware attack.
- 13. DearCry ransomware attacks Microsoft Exchange with ProxyLogon exploits
Researchers say they have spotted attackers installing a new piece of ransomware dubbed "DEARCRY" after hacking into Microsoft Exchange servers vulnerable to the recently uncovered "ProxyLogon" vulnerabilities.
- 14. Molson Coors Suffers Suspected Ransomware Attack
Molson Coors disclosed it suffered what appears to be a ransomware attack after experiencing a "system outage caused by a cybersecurity incident" that resulted in disruptions to its operations. They have "[E]ngaged leading forensic information technology firms and legal counsel to assist the company's investigation into the incident and the company is working around the clock to get its systems back up as quickly as possible."
- 15. Russia and Iran tried to interfere with 2020 election, U.S. intelligence agencies say
Russia and Iran both carried out operations to interfere with the 2020 election, designed to undermine confidence in the election process.
- 16. GitLab Critical Security Release: 13.9.4, 13.8.6, and 13.7.9
These versions contain important security fixes, and we strongly recommend that all GitLab installations be upgraded to one of these versions immediately.
Remote code execution via unsafe user-controlled markdown rendering options - Critical
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.2 allowing unauthorised authenticated users to execute arbitrary code on the server. This is a critical severity issue (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H, 9.9).
- 17. AA21-077A: Detecting Post-Compromise Threat Activity Using the CHIRP IOC Detection Tool
This Alert announces the CISA Hunt and Incident Response Program (CHIRP) tool. CHIRP is a forensics collection tool that CISA developed to help network defenders find indicators of compromise (IOCs) associated with activity detailed in the following CISA Alerts:
AA20-352A: Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations, which primarily focuses on an advanced persistent threat (APT) actor’s compromise of SolarWinds Orion products affecting U.S. government agencies, critical infrastructure entities, and private network organizations.
AA21-008A: Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments, which addresses APT activity within Microsoft 365/Azure environments and offers an overview of—and guidance on—available open-source tools. The Alert includes the CISA-developed Sparrow tool that helps network defenders detect possible compromised accounts and applications in the Azure/M365 environment.
Similar to Sparrow—which scans for signs of APT compromise within an M365 or Azure environment—CHIRP scans for signs of APT compromise within an on-premises environment.