In this week's digest we look at the latest victim of the Accellion attacks, the most recent forum targeted in a series of attacks on Russian-speaking hacker forums and Malaysia Airlines' nine-year-long data breach. Keep reading to get all the information you need.
In December 2020, there has been a wave of attacks targeting the Accellion FTA file-sharing application using a zero-day vulnerability that allowed attackers to steal files stored on the server. The latest victim being Qualys after the Clop ransomware gang posted screenshots of files allegedly belonging to the cybersecurity firm. The leaked data includes purchase orders, invoices, tax documents, and scan reports. Qualys confirmed this week that their Accellion FTA server was breached in December 2020 and affected a limited number of customers.
At least four state-sponsored hacking groups are exploiting the Microsoft Exchange Server vulnerability as part of ongoing attacks to achieve remote code execution without authentication on unpatched on-premises Exchange servers. Microsoft addressed the four zero-days Tuesday via emergency out-of-band security updates. Microsoft identified one of the threat actors as APT group Hafnium who operates out of China. The Cybersecurity and Infrastructure Security Agency (CISA) has issued an emergency directive and mandates patching for the issues.
According to Malaysia Airlines, the breach occurred at a third-party IT service provider who notified the airline that member data was exposed between March 2010 and June 2019. The member information exposed during the data breach includes member names, contact information, date of birth, gender, frequent flyer number, status. and rewards tier level. It is unknown how many Enrich members were affected by this breach. Malaysia Air is just the latest organization to fall prey to a supply chain attack of a third-party IT service provider.
Researchers have uncovered more custom malware that the threat group behind the SolarWinds attack is using. The malware families include: two backdoors called GoldMax and the other called Sunshuttle, discovered by Microsoft and FireEye; a dual-purpose malware called Sibot discovered by Microsoft; and a malware called GoldFinder also found by Microsoft. Microsoft said that it found these latest custom attacker tools lurking in some networks of customer compromised by the SolarWinds attackers.
Over the past few weeks, three of the longest-running Russian-language online forums serving thousands of experienced cybercriminals have been hacked. Maza is one of the oldest and elite crime communities, with one of the highest entry barriers for hackers. This week attackers dumped thousands of usernames, email addresses and obfuscated passwords on the dark web apparently belonging to Maza. The leaked data consists of approximately 2,982 user records. The compromise of these hacking forums has many community members concerned that their real-life identities could be exposed and believing it is the work of a government agency.