Threat Briefing — Jan 26, 2024

Weekly Threat Briefing - Jan 22 - Jan 26

TLP: CLEAR - This information may be shared publicly

eSentire’s Threat Response Unit (TRU) compiles the following weekly intelligence overview, providing cybersecurity leaders with expert analysis and insights on the most important events of the past week along with important security tips.

Noteworthy News

Critical Confluence Vulnerability Actively Exploited

Bottom Line: The active exploitation of CVE-2023-22527 in Confluence represents a critical security threat, where attackers can execute arbitrary commands on the server. Organizations using Confluence must immediately patch this vulnerability and monitor for signs of exploitation.

On January 16th, Atlassian disclosed a critical vulnerability impacting multiple versions of Confluence Data Center and Servers. Tracked as CVE-2023-22527 (CVSS: 10), the vulnerability would allow a remote and unauthenticated threat actor to execute arbitrary code on impacted systems. CVE-2023-22527 does not impact Atlassian Cloud sites. Confluence sites, accessible via the Atlassian.net domain, are not vulnerable to exploitation.

On January 17th, the eSentire Threat Intelligence team released a public security advisory to raise awareness of this vulnerability and to encourage organizations to apply the latest security patches before real-world exploitation inevitably began. As noted in the advisory, the eSentire Threat Intelligence team assessed with high confidence that real-world exploitation would occur in the near future, which it did on January 21st, giving our customers a five-day head start in pushing an emergency patch.

On January 21st, exploitation attempts in the wild were identified. Initially, successful exploitation resulted in reconnaissance activity as threat actors tried to determine information about the compromised networks. Shortly afterwards, multiple threat actors started using the exploit to deploy cryptocurrency miners on vulnerable hosts in an attempt to monetize their access.

If patching is not immediately possible, Atlassian recommends taking impacted systems offline and backing up data to a secure location outside of Confluence.

eSentire Threat Intelligence Analysis:

The rapid targeting of the critical CVE-2023-22527 vulnerability in Atlassian Confluence underscores the urgency for organizations to patch outdated versions immediately. These attacks highlight the speed at which threat actors can weaponize newly disclosed vulnerabilities, posing significant risks to unpatched systems.

Unauthenticated Remote Code Execution (RCE) vulnerabilities in Internet-facing applications are highly concerning, as they may allow direct access to protected networks. When possible, these systems should be made internal-only to reduce the risk of exploitation. Historically, Confluence vulnerabilities have been heavily targeted. In 2023, Confluence was impacted by two separate critical vulnerabilities that were actively exploited in real-world attacks (CVE-2023-22515, CVE-2023-22518).

Implementing a defense-in-depth strategy is crucial for protecting against both zero-day and one-day vulnerabilities, where "one-day" refers to vulnerabilities that are recently disclosed and may not yet have been patched in all environments. The rapid exploitation of CVE-2023-22527 gave organizations little time to update their systems. By employing multiple layers of security, organizations can effectively mitigate the risks posed by these known vulnerabilities, ensuring comprehensive protection and resilience against evolving cyber threats.

Mother Of All Breaches Reveals 26 Billion Records

Bottom Line: Mother of all Breaches is a compilation of multiple past breaches, which includes 26 billion records. This release will facilitate credential and spear-phishing attacks. It is critical that organizations have controls in place to prevent initial compromise, defend against attacks using valid credentials, and identify leaked or stolen credentials on the darkweb.

On January 23rd, security researchers identified a massive compilation of previous breaches being circulated online; this event is being tracked under the name Mother of all Breaches, or MOAB. Despite the implications of the name, the compilation is made up entirely of previously known breaches; no new breach data has been identified at this time.

MOAB includes 12 terabytes of data in total, with approximately 26 billion records spread over 3,800 folders. Past breaches correlated in MOAB have been traced back to Tencent, Weibo, MySpace, Twitter, LinkedIn, Adobe, Dropbox, Telegram, Evite, and various government bodies. Impacted countries are confirmed to include the US, Brazil, Germany, Philippines, and Turkey; due to the scope of the data, it is highly likely that a large number of other countries are also impacted. Breach data includes sensitive information such as personal details, credentials, financial data, social media, and government records.

It is critical that organizations take steps to both protect user credentials and prevent initial breaches through a defense-in-depth approach that includes vulnerability management and endpoint, network, and log monitoring. Users impacted in these breaches are recommended to ensure that passwords have been updated and Multi-Factor Authentication (MFA) is enabled.

eSentire Threat Intelligence Analysis:

While the data from these breaches was already available to threat actors, the centralization of all data into one repository is concerning. The eSentire Threat Intelligence team assesses with high confidence that threat actors will employ breach data in attacks, such as the use of legitimate credentials for account access and targeting email addresses in phishing or malspam campaigns. It is also possible that threat actors will exploit the media attention on MOAB to create malicious documents that impersonate MOAB or perform social engineering attacks with claims related to users being impacted. End-users should be highly suspicious of unprompted emails that claim to have information related to MOAB.

Darkweb monitoring tools are an important aspect of modern security. The ability to identify corporate email addresses and passwords that are shared on darkweb marketplaces allows organizations to take proactive measures, such as password reset, before credentials are abused in attacks. In the event that user credentials are discovered online, it is important to immediately reset the credentials and review the accounts for signs of unauthorized access. Users are strongly recommended to enable MFA, as this reduces the value of compromised credentials. Additionally, end-users are encouraged to avoid password re-use, as organizations may reset credentials to known compromised accounts, but threat actors may pivot to alternative accounts where the password was reused.
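The triage step described above, as an added example that is not eSentire's tooling: a constructed combo-list dump in the common `email:password` form is filtered to corporate addresses, and each leaked password is checked against the directory's current PBKDF2 hashes, so that accounts where the leaked secret still works get an immediate forced reset and access review, while users whose leaked password is stale are still notified about reuse. The domain list, dump lines and directory contents are all constructed for the example.

```python
"""Leaked-credential triage (added example, not eSentire's tooling).

Given a combo-list dump, keep only corporate addresses and decide per
account whether the leaked password is still valid against the current
credential store (forced reset + access review) or already rotated
(notify the user about reuse elsewhere).
"""
import hashlib
import hmac
import os

# Constructed: the organization's own mail domains.
CORPORATE_DOMAINS = {"example.com"}

# Constructed dump lines in the simplest common form; real dumps vary widely.
LEAK_DUMP = """\
alice@example.com:Winter2023!
bob@example.com:hunter2
carol@gmail.com:password123
bob@example.com:hunter2
dave@example.com:correct horse
"""


def hash_password(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, standing in for the directory's hash scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_directory(plaintexts: dict) -> dict:
    """Constructed stand-in for the identity store: user -> (salt, hash)."""
    store = {}
    for user, pw in plaintexts.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


# Constructed current passwords: alice and dave have rotated, bob has not.
DIRECTORY = make_directory({
    "alice@example.com": "Spring2024!",
    "bob@example.com": "hunter2",
    "dave@example.com": "different-secret",
})


def parse_dump(text: str) -> list:
    """Split 'email:password' lines; the password may itself contain ':'."""
    creds = []
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, _, pw = line.partition(":")
        creds.append((email.strip().lower(), pw))
    return creds


def triage(dump_text: str, directory: dict, domains=CORPORATE_DOMAINS) -> dict:
    """Map each affected corporate account to the action a SOC should take."""
    actions = {}
    for email, leaked_pw in parse_dump(dump_text):
        if email.rsplit("@", 1)[-1] not in domains:
            continue  # not our user; nothing to reset
        entry = directory.get(email)
        if entry is None:
            actions[email] = "unknown_account"  # e.g. former employee: confirm disabled
            continue
        salt, stored = entry
        if hmac.compare_digest(hash_password(leaked_pw, salt), stored):
            # Leaked secret still works: reset now and review sign-in history.
            actions[email] = "force_reset_and_review"
        else:
            # Stale leak: keep any stronger verdict, otherwise warn about reuse.
            actions.setdefault(email, "notify_user")
    return actions


if __name__ == "__main__":
    for account, action in sorted(triage(LEAK_DUMP, DIRECTORY).items()):
        print(f"{account}: {action}")
```

Hash verification happens inside the identity provider in practice (the example builds a throwaway store so it runs offline); the point is the prioritisation: a match means the credential is live and the account needs a reset and a sign-in review today, while a non-match still warrants a reuse warning and an MFA check.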

Midnight Blizzard APT

Bottom Line: The coordinated attacks by the state actor Midnight Blizzard on Microsoft and Hewlett Packard Enterprise highlight the advanced capabilities and strategic focus of state-sponsored cyber actors. APT groups, such as Midnight Blizzard, will attempt to maintain stealthy long-term persistence to monitor victim activity and steal sensitive data.

In separate disclosures this week, both Microsoft and Hewlett Packard Enterprise (HPE) confirmed that they had been impacted by breaches; both breaches are attributed to the APT group Midnight Blizzard (aka Nobelium, APT29, UNC2452, Cozy Bear). The US and UK have directly attributed Midnight Blizzard to the Foreign Intelligence Service of the Russian Federation (SVR).

On January 19th, Microsoft’s Security Response Center confirmed that the company was impacted by an attack attributed to Midnight Blizzard. The attack was detected by Microsoft on January 12th, 2024, but began in late November 2023. Initial access was established via a password spray attack on a legacy non-production test tenant account. This access allowed the attackers to infiltrate a small percentage of Microsoft's corporate email accounts, including those of senior leadership and employees in cybersecurity and legal functions. The attackers exfiltrated emails and attached documents, mainly seeking information related to Midnight Blizzard itself.

On January 24th, Hewlett Packard Enterprise (HPE) disclosed that a breach had occurred in May 2023, and that the threat actors maintained persistence until December 2023. Midnight Blizzard gained access to HPE's Microsoft Office 365 email environment and exfiltrated data from a small percentage of HPE mailboxes belonging to individuals in cybersecurity, go-to-market, business segments, and other functions. HPE is still investigating the incident, but it is believed that the breach is related to a previous case, which occurred in May 2023, where attackers gained access to the company's SharePoint server and stole files.

Microsoft released an updated report on January 25th, with additional details and information on known Midnight Blizzard Tactics, Techniques, and Procedures (TTPs). Based on information gained from the recent breach investigation, Microsoft Threat Intelligence identified multiple breaches across various organizations that are suspected to be related to Midnight Blizzard. Microsoft is in the process of notifying all confirmed impacted organizations.

The eSentire Threat Intelligence team is closely monitoring the situation for additional details and detection opportunities. The eSentire product suite includes a wide variety of detections for known Midnight Blizzard tools and techniques.

eSentire Threat Intelligence Analysis:

Midnight Blizzard is a highly sophisticated and persistent threat actor group that has been active since at least 2018. The group’s goals are believed to be intelligence collection via long-term compromises for the purpose of espionage. Midnight Blizzard has a history of primarily targeting Europe and the United States, with victim organizations across a variety of industries including government, diplomatic entities, non-governmental organizations (NGOs), and IT service providers. While these are the known targeted industries, it is probable that organizations outside of these categories have been targeted based on strategic goals or potential access to secondary targets.

Password spraying, despite its simplicity, remains an effective attack method, especially against targets with weaker password policies or lacking Multi-Factor Authentication (MFA). APTs like Midnight Blizzard leverage such techniques for their efficiency and higher success rates. Using less-complex techniques conserves resources and allows APTs to reserve more sophisticated tools, like zero-days, for targets where simple methods are ineffective.
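The detection side of the technique described above, as an added example that is not part of the briefing or of any eSentire product: a small detector run over constructed authentication log lines. A password spray shows up as one source failing against many distinct accounts with only one or two attempts each, which is what lets it slip under per-account lockout thresholds; the same code separates it from single-account brute force and flags any sprayed account that subsequently succeeds (the legacy test-account pattern from the Microsoft disclosure). The log format, IP addresses, usernames and thresholds are all constructed for the example.

```python
"""Password-spray detector (added example, not eSentire's detection content).

Reads 'timestamp source_ip username outcome' lines, groups attempts per source
in 30-minute windows, and raises:
  - password_spray: many distinct accounts, few attempts per account
  - brute_force:    many attempts against one account
A spray alert also lists sprayed accounts that later succeeded from the
same source, which is the highest-priority follow-up.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log: a spray that lands on a legacy test account,
# a classic brute force, and one ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-01-12T03:00:01Z 203.0.113.7 alice FAIL
2024-01-12T03:00:04Z 203.0.113.7 bob FAIL
2024-01-12T03:00:09Z 203.0.113.7 carol FAIL
2024-01-12T03:00:15Z 203.0.113.7 dave FAIL
2024-01-12T03:00:22Z 203.0.113.7 erin FAIL
2024-01-12T03:00:30Z 203.0.113.7 svc-legacy-test FAIL
2024-01-12T03:00:41Z 203.0.113.7 svc-legacy-test SUCCESS
2024-01-12T03:05:00Z 198.51.100.9 admin FAIL
2024-01-12T03:05:02Z 198.51.100.9 admin FAIL
2024-01-12T03:05:04Z 198.51.100.9 admin FAIL
2024-01-12T03:05:06Z 198.51.100.9 admin FAIL
2024-01-12T03:05:08Z 198.51.100.9 admin FAIL
2024-01-12T03:05:10Z 198.51.100.9 admin FAIL
2024-01-12T08:30:00Z 192.0.2.5 frank FAIL
2024-01-12T08:30:12Z 192.0.2.5 frank SUCCESS
"""


def parse_auth_log(text: str) -> list:
    """Parse the constructed format into time-sorted event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "src": src,
            "user": user,
            "ok": outcome == "SUCCESS",
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_password_spray(events: list, window=timedelta(minutes=30),
                          min_accounts: int = 5, max_per_account: int = 2,
                          brute_threshold: int = 5) -> list:
    """Return alert dicts; thresholds are constructed starting points, tune per environment."""
    alerts = []
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    for src, evs in by_src.items():
        i = 0
        while i < len(evs):  # tumbling windows per source
            start = evs[i]["ts"]
            chunk = [e for e in evs[i:] if e["ts"] - start <= window]
            failures = Counter(e["user"] for e in chunk if not e["ok"])
            # Sprayed accounts that later logged in from the same source.
            landed = sorted({e["user"] for e in chunk if e["ok"] and e["user"] in failures})
            if len(failures) >= min_accounts and max(failures.values()) <= max_per_account:
                alerts.append({"kind": "password_spray", "src": src,
                               "accounts": len(failures), "compromised": landed,
                               "first": chunk[0]["ts"], "last": chunk[-1]["ts"]})
            elif failures and max(failures.values()) >= brute_threshold:
                user, n = failures.most_common(1)[0]
                alerts.append({"kind": "brute_force", "src": src, "user": user,
                               "attempts": n, "first": chunk[0]["ts"], "last": chunk[-1]["ts"]})
            i += len(chunk)
    return alerts


if __name__ == "__main__":
    for alert in detect_password_spray(parse_auth_log(SAMPLE_LOG)):
        print(alert)
```

The spray branch keys on breadth (distinct accounts) rather than volume, which is why a per-account lockout policy alone does not catch it; in production the same logic would run over the identity provider's sign-in log, and any `compromised` entry should trigger an immediate credential reset and review of that account, with legacy and test tenants held to the same MFA requirement as production.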

Midnight Blizzard's ability to maintain persistent access for months in the systems of major corporations like Microsoft and Hewlett Packard Enterprise before detection is a significant aspect of their operational strategy. While technical details of the breaches are minimal, the prolonged presence suggests an understanding and exploitation of potential gaps or weaknesses in the cybersecurity monitoring and response systems of these organizations. Midnight Blizzard likely utilized advanced evasion techniques to blend in with normal network traffic and evade detection by standard security tools. This could include mimicking legitimate user behavior, using encryption to conceal command and control traffic, and regularly altering tactics to avoid signature-based detection. While the publication of recent attacks may prompt the group to alter tactics, similar activity is expected to continue in the future.

About the threat briefings:

The threat briefing is a weekly intelligence overview for non-technical users. The Threat Intelligence team at eSentire investigates, analyzes, and organizes the most important events of the past week along with important security tips and redistributes the findings for quick reading. The main goal of this briefing is to improve the overall awareness of readers regarding cyber security.

eSentire Threat Response Unit (TRU)

Our industry-renowned Threat Response Unit (TRU) is an elite team of threat hunters and researchers, that supports our 24/7 Security Operations Centers (SOCs), builds detection models across our XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. TRU has been recognized for its threat hunting, original research and content development capabilities. TRU is strategically organized into cross-functional groups to protect you against advanced and emerging threats, allowing your organization to gain leading threat intelligence and incredible cybersecurity acumen.
