Midnight Blizzard, Polyfill.io and cyber workforce, June 23rd – 29th - This Week In Security

Going over the security news is sometimes an overwhelming experience, with security incidents everywhere. This edition covers news from June 23rd to 29th. This week alone there are 50 different security items across the various news sources, and those are only the ones that made it to the news. Out of those 50, around 20 items relate to actual incident response. Looking at CVE Details, the past week had 615 vulnerabilities, 41 of them critical. As security personnel, if only one of those hits you per quarter, you are busy, very busy.

One interesting point, and a reason for hope, is that incident response is being done properly and damage-control evaluations are making progress. Under the general security assumption that it is only a matter of time until you get hacked, the next important thing is to manage the incident properly and get back online as fast as you can to prevent financial loss. Finally, research shows that the cyber security workforce is growing at large organizations as they prioritize security, which is good news.

Until next time, stay safe. Lior


Microsoft Alerts More Customers to Email Theft in Expanding Midnight Blizzard Hack

Proper IR: being proactive, embracing transparency and collecting the data on the incident response at the level I would expect MS to demonstrate. Well done.

“Earlier this year, Microsoft described the incident as an “ongoing attack”

According to published reports, Redmond’s incident response team is providing a secure portal for customers to view specifics of emails stolen by the Midnight Blizzard threat actor.

“You are receiving this notification because emails were exchanged between Microsoft and accounts in your organization, and those emails were accessed by the threat actor Midnight Blizzard as part of their cyber-attack on Microsoft,” the company said.

“As part of our commitment to transparency, we are proactively sharing these emails. We have custom built a secure system to enable the approved members of your organization to review the exfiltrated emails between Microsoft and your company,” according to the notifications.”



Multiple WordPress Plugins Compromised: Hackers Create Rogue Admin Accounts

Sometimes security products themselves are the point of compromise. While this shouldn’t happen, things do happen. I also learned a new term: “rogue administrator accounts”.

“Multiple WordPress plugins have been backdoored to inject malicious code that makes it possible to create rogue administrator accounts with the aim of performing arbitrary actions.

“The injected malware attempts to create a new administrative user account and then sends those details back to the attacker-controlled server,” Wordfence security researcher Chloe Chamberland said in a Monday alert.

“In addition, it appears the threat actor also injected malicious JavaScript into the footer of websites that appears to add SEO spam throughout the website.”

It’s currently not known how the unknown attackers behind the campaign managed to compromise the plugins, but the earliest signs of the software supply chain attack date back to June 21, 2024.”
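The behaviour described above, a new administrative user created by backdoored plugin code, leaves a trace in the database that a site owner can hunt for. The following is an added example, not code from the original post or from Wordfence: it recreates the two WordPress tables involved (`wp_users` and `wp_usermeta`) in an in-memory SQLite database with constructed rows, then lists every account holding the `administrator` capability that is either missing from a constructed allowlist or was registered on or after the earliest compromise date the article gives (June 21, 2024). The table and column names and the `wp_capabilities` meta key are real WordPress conventions (default `wp_` prefix); the rows, the allowlist and the `example.test` addresses are constructed.

```python
"""Hunt for rogue WordPress administrator accounts.

Added example, not from the original post or from Wordfence. Table and column
names are WordPress defaults; all rows, the allowlist and the e-mail addresses
are constructed for this demonstration.
"""
import re
import sqlite3

EARLIEST_COMPROMISE = "2024-06-21 00:00:00"  # earliest sign of the attack, per the article
KNOWN_ADMINS = {"site_owner"}                # constructed allowlist of expected administrators

# WordPress stores roles as a PHP-serialized array in wp_usermeta
# (meta_key = 'wp_capabilities'), e.g. a:1:{s:13:"administrator";b:1;}
ADMIN_RE = re.compile(r's:13:"administrator";b:1;')


def build_sample_db():
    """Create an in-memory database with constructed sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    db.executemany("INSERT INTO wp_users VALUES (?,?,?,?)", [
        (1, "site_owner", "owner@example.test", "2021-03-02 10:00:00"),
        (2, "editor_jane", "jane@example.test", "2022-07-14 09:30:00"),
        # constructed: an administrator nobody remembers creating, registered inside the window
        (3, "wpadmin_sys", "x@mail.example.test", "2024-06-24 03:12:45"),
    ])
    db.executemany("INSERT INTO wp_usermeta VALUES (?,?,?,?)", [
        (1, 1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, 2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (3, 3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return db


def find_rogue_admins(db, known_admins=KNOWN_ADMINS, since=EARLIEST_COMPROMISE):
    """Return (login, registered, reason) for every suspicious administrator account."""
    rows = db.execute("""
        SELECT u.user_login, u.user_registered, m.meta_value
        FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID
        WHERE m.meta_key = 'wp_capabilities'
    """).fetchall()
    suspicious = []
    for login, registered, caps in rows:
        if not ADMIN_RE.search(caps):
            continue  # not an administrator, out of scope
        if login not in known_admins:
            suspicious.append((login, registered, "administrator not on allowlist"))
        elif registered >= since:
            # Known name, but (re)created after the attack window opened: verify it.
            suspicious.append((login, registered, "administrator registered after compromise window opened"))
    return suspicious


if __name__ == "__main__":
    for login, registered, reason in find_rogue_admins(build_sample_db()):
        print(f"{login:15} {registered}  {reason}")
```

Against a real site, point `sqlite3` at an export or swap in the MySQL driver; the query is plain SQL. An account that is flagged should be compared with the plugin files' modification times and the web server access log for the same window before it is deleted, so the evidence for the incident report is preserved.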



Google Introduces Project Naptime for AI-Powered Vulnerability Research

The defensive side keeps producing new tools and research, this time using AI.

“Google has developed a new framework called Project Naptime that it says enables a large language model (LLM) to carry out vulnerability research with an aim to improve automated discovery approaches.

The approach, at its core, seeks to take advantage of advances in code comprehension and the general reasoning ability of LLMs, thus allowing them to replicate human behavior when it comes to identifying and demonstrating security vulnerabilities.

It encompasses several components, such as a Code Browser tool that enables the AI agent to navigate through the target codebase; a Python tool to run Python scripts in a sandboxed environment for fuzzing; a Debugger tool to observe program behavior with different inputs; and a Reporter tool to monitor the progress of a task.”



Polyfill.io Supply Chain Attack Smacks Down 100K+ Websites

Supply chain attacks always have a big impact: hit the source and it spreads to everyone downstream.

A domain that more than 100,000 websites use to deliver JavaScript code is now being used as a conduit for a Web supply chain attack that uses dynamically generated payloads, redirects users to pornographic and sports-betting sites, and can potentially lead to data theft, clickjacking, or other attacks. The malicious activity follows the sale of the domain polyfill.io to a Chinese organization earlier this year.

Security researchers are warning that the cdn.polyfill.io domain has been compromised to serve malicious code in scripts to end users in a widespread attack. The site allows websites to use modern JavaScript features in older browsers by including only the necessary polyfills based on the user’s browser.

"This attack places an estimated +100k websites at immediate risk," he wrote. "When a once-safe domain is embedded in thousands of websites and concealed like JavaScript threats are, it becomes a tempting path for malicious actors."
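The structural weakness behind this incident is that a polyfill service tailors the script bytes to each visitor's browser, so Subresource Integrity cannot pin them and the page runs whatever the domain serves that day. The following is an added example, not code from the original post or from the researchers quoted: a small audit that parses HTML with Python's standard-library `html.parser`, flags any `<script src>` pointing at the polyfill.io domain named in the article, and also flags every other cross-origin script that carries no `integrity` attribute. The sample HTML, the hostnames ending in `.test` and the `sha384-PLACEHOLDERHASH` value are constructed.

```python
"""Audit HTML for third-party <script src> tags that carry supply-chain risk.

Added example, not from the original post. It flags scripts loaded from the
polyfill.io domain named in the article and any other cross-origin script
without a Subresource Integrity (SRI) attribute. Sample markup is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

COMPROMISED_DOMAIN = "polyfill.io"  # the domain named in the article


class ScriptCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}  # valueless attrs (async) become ""
        if "src" in attr:
            self.scripts.append(attr)


def audit_scripts(html, own_host):
    """Return a list of (src, reason) findings for risky external scripts."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for attr in parser.scripts:
        src = attr["src"]
        # Protocol-relative URLs (//host/path) need a scheme before urlparse sees a host.
        url = urlparse("https:" + src if src.startswith("//") else src)
        host = (url.hostname or "").lower()
        if not host or host == own_host:
            continue  # same-origin script: not a third-party dependency
        if host == COMPROMISED_DOMAIN or host.endswith("." + COMPROMISED_DOMAIN):
            findings.append((src, "loads from the compromised polyfill.io domain"))
        elif "integrity" not in attr:
            # Without SRI the browser executes whatever the CDN serves today.
            findings.append((src, "cross-origin script without Subresource Integrity"))
    return findings


# Constructed sample page: one local script, one polyfill.io include, one pinned
# third-party script (placeholder hash) and one unpinned protocol-relative script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.polyfill.io/v3/polyfill.min.js?features=es6"></script>
<script src="https://cdn.example-cdn.test/lib.js"
        integrity="sha384-PLACEHOLDERHASH" crossorigin="anonymous"></script>
<script src="//cdn.other-cdn.test/widget.js" async></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for src, reason in audit_scripts(SAMPLE_HTML, "www.example.test"):
        print(f"{reason}: {src}")
```

Run it over the rendered HTML of each page template rather than the source files, since tag managers and plugins often inject script tags at render time. A finding for the polyfill.io domain has only one remediation: remove the tag or self-host a fixed copy of the polyfill bundle, because a script whose content varies per User-Agent can never be pinned with an `integrity` hash.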



Cyber Workforce Grows 15% at Large Organizations as Security is Prioritized

Two areas made progress this year: cloud security and data security.

Large organizations will significantly strengthen their cyber workforce in 2024, according to cyber consultancy Wavestone.

In its Cyber Benchmark 2024 report, Wavestone found that, on average, companies with over $1bn in revenues have one expert dedicated to cybersecurity for 1086 employees.

In 2023, the same organizations had one cyber professional for 1285 employees — a 15% increase.

The best in class are financial businesses, which boast an average of one cyber expert per 267 employees, while industrial groups have an average of one cyber expert for 1390 employees.



TeamViewer Credits Network Segmentation for Rebuffing APT29 Attack

The hacking group APT29, aka Midnight Blizzard, is busy.

“This week, TeamViewer said that while the Russian group APT29, aka Midnight Blizzard, managed to access its corporate network, the threat actors were limited to the company's internal IT network because of "strong segmentation" between its environments. Thus, no customers were affected.

In public statements on June 27 (reiterated today), the German maker of remote desktop software said, "[W]e keep all servers, networks, and accounts strictly separate to help prevent unauthorized access and lateral movement between the different environments. This segregation is one of multiple layers of protection in our 'defense in-depth' approach."

…because of the potential mischief a bad actor with desktop access can wreak, TeamViewer users should up their security game, according to industry groups. The NCC Group, which originally issued a warning under an amber/limited classification but then changed it to green/public, advised its customers that, while awaiting final confirmation of the extent of compromise, they remove TeamViewer from their systems if possible and closely monitor hosts that had the application installed if not.”


Updated Jul 15, 2024
Version 3.0
