Notable Cozy Bear Breaches

Microsoft

In a recent security incident, Microsoft faced an unauthorised access breach that exposed senior leadership emails between late November 2023 and January 13th, 2024. The breach, linked to the group Midnight Blizzard, exploited a non-production test account using a password spray technique, raising concerns about potential undisclosed compromised assets. Microsoft officially disclosed the breach on Friday, January 19th, shortly after the introduction of the Secure Future Initiative, prompting questions from the industry about the effectiveness of the new security program's measures.
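The password spray technique mentioned above has a recognisable shape in sign-in logs: many accounts, each tried only a few times, from one source. The following added example (not from the newsletter or from Microsoft) runs a detection over constructed sample sign-in lines and also reports which accounts later signed in successfully from a flagged source, since a forgotten test account that accepts a sprayed password is exactly the asset a defender needs to find.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events (not real logs): time, source IP, account, result.
SAMPLE_LOG = """\
2024-01-05T02:00:01Z 203.0.113.7 test-acct-01 FAIL
2024-01-05T02:00:09Z 203.0.113.7 test-acct-02 FAIL
2024-01-05T02:00:17Z 203.0.113.7 test-acct-03 FAIL
2024-01-05T02:00:25Z 203.0.113.7 test-acct-04 FAIL
2024-01-05T02:00:33Z 203.0.113.7 test-acct-05 FAIL
2024-01-05T02:00:41Z 203.0.113.7 test-acct-06 SUCCESS
2024-01-05T02:01:00Z 198.51.100.9 alice FAIL
2024-01-05T02:01:02Z 198.51.100.9 alice FAIL
2024-01-05T02:01:04Z 198.51.100.9 alice FAIL
2024-01-05T02:01:06Z 198.51.100.9 alice FAIL
2024-01-05T02:01:08Z 198.51.100.9 alice FAIL
2024-01-05T02:01:10Z 198.51.100.9 alice FAIL
2024-01-05T09:15:00Z 192.0.2.5 bob FAIL
2024-01-05T09:15:20Z 192.0.2.5 bob SUCCESS
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, account, result)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result


def detect_spray(log_text, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Flag sources whose failures inside any `window` touch >= min_accounts distinct
    accounts with <= max_per_account failures each (many users, few tries). A brute
    force against one account is deliberately NOT flagged by this rule."""
    events = sorted(parse_line(l) for l in log_text.strip().splitlines())
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        fails = [(ts, user) for ts, _, user, res in evs if res == "FAIL"]
        sprayed, start = set(), 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                sprayed.update(counts)
        if sprayed:  # any success from a spraying source is the real alert
            succeeded = sorted({u for _, _, u, r in evs if r == "SUCCESS"})
            findings[ip] = {"sprayed": sorted(sprayed), "succeeded": succeeded}
    return findings
```

Thresholds are assumptions for the sample; tune the window and account counts to your tenant's sign-in volume.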

HP Enterprise

HP Enterprise confirmed a cyberattack by the Russian-linked hacking group Midnight Blizzard, also known as Cozy Bear, in a January 12th, 2024, Securities and Exchange Commission filing. The attack, discovered on December 12, 2023, targeted HPE's cloud-based email system, with data accessed and stolen from specific email accounts, including those of cybersecurity personnel. The incident is believed to be connected to a May 2023 breach involving a limited number of SharePoint files. While the nature of the stolen data remains unspecified, HPE is actively investigating and collaborating with authorities, reporting no immediate operational impact as yet. Midnight Blizzard is not only responsible for the latest Microsoft intrusion; the group is also believed to be behind the SolarWinds attacks and attempts to steal COVID-19 vaccine research in 2020.

Hacks, Cybercrime & Threat Intel

Legal & General

The Anonymous collective targeted Legal & General due to the company's perceived involvement in UK activity in Yemen and support for Israel.

Lockbit

The ransomware group Lockbit has hit two big companies, Swift Air and Subway. However, the part we find bizarre is that Swift Air had formally declared bankruptcy, meaning they might not be able to pay up. It makes you wonder which credit reference agency they used to check their targets' finances!

VF Corp

VF Corporation revealed in an SEC filing that a ransomware attack in December 2023 resulted in the theft of personal data from over 35.5 million customers. The company, which oversees more than 13 retail brands like The North Face, Dickies, Vans, Timberland, and Supreme on a global scale, was targeted by the AlphV ransomware group. Interestingly, the group claimed responsibility for the attack shortly before its infrastructure was seized by US law enforcement.

AerCap

AerCap, a major global aviation leasing firm, disclosed a ransomware attack, becoming the fourth aviation company targeted in six months. The Dublin-based company reported the incident to the SEC, emphasising that it retains control of its IT systems and has suffered no financial losses. Investigations are ongoing, with the extent of the data impact unknown. Notably, Air Canada and Kenya Airways, previously hit by ransomware, are leasing customers of AerCap. The aviation sector has faced multiple ransomware incidents, involving Boeing, Air Canada, and Kenya Airways in 2023.

TeamViewer

Researchers from Huntress report multiple instances of threat actors infiltrating corporate networks through TeamViewer connections and subsequently launching ransomware attacks.

Infosec Research and Vulnerabilities

Ivanti

On January 10, 2024, Ivanti disclosed two vulnerabilities in their Ivanti Connect Secure (ICS) and Ivanti Policy Secure gateways: CVE-2023-46805 and CVE-2024-21887. The first is a high-severity authentication bypass vulnerability, and the second is a critical-severity command injection flaw, impacting all supported gateway versions. When chained together, these vulnerabilities enable attackers to execute commands on compromised systems without authentication. Proof-of-concept code for both has been publicly released, elevating the risk of exploitation by threat actors. The products are widely used, with 30,089 instances of Connect Secure exposed in 141 countries. Ivanti has initiated patch deployment, with the final patch expected by the week of February 19. In the meantime, a workaround has been provided.

Salesforce

Salesforce's Bug Bounty Program, involving skilled ethical hackers, has awarded over $18.9 million since 2015 for discovering nearly 30,600 potential vulnerabilities. In 2023, $3 million went to 650 ethical hackers uncovering 4,200 potential vulnerabilities. The program enhances security measures, providing insights to stay ahead of threats. The Bug Bounty initiative, exemplifying hacking for good, continues to evolve for effective collaboration.

Legal & Compliance

Legal

German law is creating hurdles for security research, evident in a recent court verdict that found a developer guilty of hacking. Tasked with investigating software issues, the developer uncovered a MySQL connection to the vendor's database server, housing data from all customers. Despite the vulnerability being swiftly addressed after the developer notified the vendor, charges were still filed. The crux of the debate revolved around whether encoding plain-text database credentials is adequate protection to sustain hacking charges. The court ruled that it was, highlighting the password's presence as a protective measure. This decision raises concerns about discouraging security efforts, potentially allowing companies to evade responsibility for weak security, thereby jeopardising researcher reputations and user safety.

Regulatory

The Cybersecurity Regulation of the European Union, which outlines provisions for maintaining a uniformly high level of cybersecurity across EU institutions, bodies, offices, and agencies, became effective on January 7. This regulation establishes an internal framework for managing, governing, and controlling cybersecurity risks within each EU entity. Additionally, it establishes the Interinstitutional Cybersecurity Board to oversee and assist in the implementation of these measures. Furthermore, the regulation extends the responsibilities of CERT-EU (Computer Emergency Response Team for EU institutions, bodies, offices, and agencies).

Conclusions

In the ever-changing threat and regulatory landscape, the recent exploits of the Cozy Bear group have sent shockwaves through businesses and nations, putting more emphasis on the tech giants to increase their cybersecurity efforts. From breaching Microsoft to alleged ties with the SolarWinds attacks, it's a wake-up call to the increasing threats and sophisticated attacks we all face.

But it's not just about breaches: legal frameworks in Germany are creating a stir. Imagine a developer uncovering a vulnerability, trying to do good, only to face hacking charges. And as the EU tightens its cybersecurity regulations, the question arises: how does the UK navigate this new EU cybersecurity landscape post-Brexit?

The world of cybersecurity is at a crossroads, and it's not just for the cyber industry and techies to ponder. Researchers should be able to safely identify vulnerabilities without fear of criminal repercussions. This freedom is crucial if we are to improve the global collaborative effort in defending against these malicious actors.
