CyberSecurity News Byte

Hosted ByJim Guckin

Welcome to CyberSecurity News Byte with Jim Guckin, your one-stop resource for the latest cybersecurity news, updates, and discussions. Our podcast is a vital tool for CyberSecurity and IT professionals, as well as technology leaders, who need to stay on top of the ever-evolving digital landscape.

Episode 77: January 22 2023


Russian hackers stole Microsoft corporate emails

  • Microsoft
    • some of its corporate email accounts were breached
    • data was compromised.
    • Detected on January 12th
      • Happened in November
    • Password spay
      • No MFA?
    • Test Account compromised
      • Pivoted to other accounts
      • No indication on how
      • Microsoft’s leadership team accessed
        • And legal and cyber security
    • Data
      • Looks like initially after information about them
  • Midnight Blizzard
    • AKA Nobelium, APT29, and Cozy Bear
    • Russian state-sponsored group
      • Might be part of Russia’s Foreign Intelligence Service (SVR)
    • Previously: SolarWinds attack, Microsoft Account breach (2021)

Critical vCenter flaw now exploited in attacks

  • VMware
    • critical vCenter Server vulnerability
    • Patched in October
      • Actively exploited.
  • CVE-2023-34048
    • out-of-bounds write.
    • low-complexity attacks
      • don’t require authentication or user interaction.
    • Needs patch
      • no workaround
      • can’t patch, limit access.
        • 2012/tcp, 2014/tcp, and 2020/tcp.
  • Valuable
    • Network access brokers
      • Sell on darkweb for easy access
        • Big groups like this
        • Royal, Black Basta, LockBit, RTM Locker, Qilin, ESXiArgs, Monti, and Akira to name a few.
    • Shodan
      • 2,000 VMware exposed online
  • Patching
    • VMware released fixed for end of life systems

TeamViewer abused to breach networks

  • TeamViewer
    • a legitimate remote access tool
    • valued for its simplicity and capabilities.
  • Huntress
    • CyberSecurity company
    • analyzed log files (connections_incoming.txt)
      • connections from same host
      • saw multiple employees logging in (actively used)
  • Attack
    • deploy the ransomware payload using a DOS batch file (PP.bat)
      • on the desktop
      • executed a DLL file (payload) via a rundll32.exe
        • LB_Rundll32_pass.dll
    • does not use the standard LockBit 3.0 ransomware note
      • another ransomware gang using the leaked builder.
  • TeamViewer Response
    • “Our analysis shows that most instances of unauthorized access involve a weakening of TeamViewer’s default security settings”
    • “use of easily guessable passwords which is only possible by using an outdated version of our product.”

TA866 Returns with a Large Email Campaign

  • January 11, 2024
    • Proofpoint identified a malicious email campaign
  • Attack
    • Invoice-themed emails
    • attached PDFs
      • “Document_[10 digits].pdf”
      • contained OneDrive URLs
        • lead to malware
    • various subjects
      • “Project achievements”.
    • Chain
      • Served a JavaScript file hosted on OneDrive.
      • The JavaScript, if run by the user, downloaded and ran an MSI file. 
      • The MSI file executed an embedded WasabiSeed VBS script.
      • The WasabiSeed VBS script then downloaded and executed a second MSI file as well as continued polling for additional payloads in a loop. The additional payloads are currently unknown. 
      • Finally, the second MSI file contained components of the Screenshotter screenshot utility which took a screenshot of the desktop and sent it the C2.
  • TA866
    • First seen in October 2022
    • Financially motovated
    • 9 month absence

WasabiSeed and Screenshotter