Tag Archive for: breach

Chinese Hackers Exploited FortiGate Flaw to Breach Dutch Military Network


Feb 07, 2024 | Newsroom | Cyber Espionage / Network Security


Chinese state-backed hackers broke into a computer network that’s used by the Dutch armed forces by targeting Fortinet FortiGate devices.

“This [computer network] was used for unclassified research and development (R&D),” the Dutch Military Intelligence and Security Service (MIVD) said in a statement. “Because this system was self-contained, it did not lead to any damage to the defense network.” The network had fewer than 50 users.

The intrusion, which took place in 2023, leveraged a known critical security flaw in FortiOS SSL-VPN (CVE-2022-42475, CVSS score: 9.3), a heap-based buffer overflow that allows an unauthenticated attacker to execute arbitrary code via specially crafted requests. The flaw was already public and patched by the time of the intrusion, so unpatched, internet-exposed appliances were the entry point.


After exploiting the flaw, the attackers fetched a backdoor dubbed COATHANGER from an actor-controlled server and installed it on the compromised appliances; the implant is designed to give them persistent remote access to the devices.

“The COATHANGER malware is stealthy and persistent,” the Dutch National Cyber Security Centre (NCSC) said. “It hides itself by hooking system calls that could reveal its presence. It survives reboots and firmware upgrades.”

COATHANGER is distinct from BOLDMOVE, another backdoor linked to a suspected China-based threat actor that’s known to have exploited CVE-2022-42475 as a zero-day in attacks targeting a European government entity and a managed service provider (MSP) located in Africa as early as October 2022.

The development marks the first time the Netherlands has publicly attributed a cyber espionage campaign to China. Reuters, which broke the story, said the malware is named after a code snippet that contained a line from Lamb to the Slaughter, a short story by British author Roald Dahl.


It also arrives days after U.S. authorities took steps to dismantle a botnet comprising out-of-date Cisco and NETGEAR routers that were used by Chinese threat actors like Volt Typhoon to conceal the origins of malicious traffic.

Last year, Google-owned Mandiant revealed that a China-nexus cyber espionage group tracked as UNC3886 exploited zero-days in Fortinet appliances to deploy THINCRUST and CASTLETAP implants for executing arbitrary commands received from a…


Blackbaud settles FTC charges on ransomware data breach



Major U.S. cloud software provider Blackbaud has agreed to bolster its security defenses and remove unneeded customer data from its systems to settle charges by the Federal Trade Commission alleging …


Cloudflare Okta Breach Doesn’t Have A Big Impact, Company Says


According to the company, the recent Cloudflare Okta breach caused no harm to its customers or users. The incident nonetheless raised further questions about the Okta breach itself, which affects many different services and companies.

In today’s digital world, online data security is constantly under threat, making news of cyberattacks almost routine. However, when a company like Cloudflare—a leader in internet security—reports a breach, it grabs everyone’s attention, particularly when a nation-state is believed to be behind the attack. The Cloudflare Okta breach serves as a vivid reminder of the cyber dangers that loom in the shadows.

Cloudflare Okta breach explained

On November 14, Cloudflare found itself under attack. The intruders, suspected to be supported by a nation-state, targeted Cloudflare’s internal Atlassian server, aiming for critical systems, including the Confluence wiki, Jira bug database, and Bitbucket source code management.

This initial intrusion set the stage for a more aggressive attack on November 22, when the attackers established persistent access on Cloudflare’s Atlassian server, accessed source code, and attempted to reach a console server tied to a data center in São Paulo, Brazil, that Cloudflare had not yet put into production.

[Image: Cloudflare executives’ explanation of the Cloudflare Okta breach incident on the company’s official blog]

The method of entry was particularly concerning. The attackers used credentials that had been stolen in the Okta breach of October 2023; Cloudflare had rotated thousands of credentials after that incident but missed a small number, and it was those unrotated credentials that gave the attackers their way in, Bleeping Computer reports.

Cloudflare CEO Matthew Prince, CTO John Graham-Cumming, and CISO Grant Bourzikas, said: “They then returned on November 22 and established persistent access to our Atlassian server using ScriptRunner for Jira, gained access to our source code management system (which uses Atlassian Bitbucket), and tried, unsuccessfully, to access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.” You can take a look at the full statement here.
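The entry point described above is a credential that survived a post-incident rotation. The check a practitioner wants after a third-party compromise is simple but easy to get subtly wrong: a credential is still exposed unless it was rotated after the exposure window closed, so anything rotated before the third party disclosed and contained its incident, or never rotated at all, must be flagged. The script below is an added example, not Cloudflare’s tooling or data; the inventory, credential names and the exposure cut-off date are constructed for illustration.

```python
"""Audit a credential inventory after a third-party (IdP / support-portal) compromise.

Added example. The inventory, identifiers and dates below are constructed for
illustration and are not Cloudflare's data or tooling.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json

# Constructed cut-off: the end of the window during which the third party's
# compromise could have exposed secrets. A credential is safe only if it was
# rotated AFTER this point; rotating during the window does not help.
EXPOSURE_END = datetime(2023, 10, 21, tzinfo=timezone.utc)

# Constructed inventory of service tokens / service accounts. "last_rotated" is
# RFC 3339 UTC; null means the secret has never been rotated since creation.
INVENTORY_JSON = """
[
  {"id": "svc-token-bitbucket-ci",  "kind": "service_token",   "last_rotated": "2023-10-20T09:00:00Z"},
  {"id": "svc-account-jira-runner", "kind": "service_account", "last_rotated": "2023-08-02T12:30:00Z"},
  {"id": "svc-account-wiki-sync",   "kind": "service_account", "last_rotated": null},
  {"id": "svc-token-build-bot",     "kind": "service_token",   "last_rotated": "2023-11-01T18:45:00Z"},
  {"id": "svc-account-dc-console",  "kind": "service_account", "last_rotated": "2023-09-28T07:15:00Z"}
]
"""


@dataclass(frozen=True)
class Finding:
    id: str
    kind: str
    reason: str


def _parse_ts(value):
    """Parse an RFC 3339 timestamp; accept the 'Z' suffix on Python < 3.11."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_unrotated(inventory_json: str, exposure_end: datetime) -> list:
    """Return every credential that was not rotated after the exposure window closed.

    Two failure modes are flagged: a secret that was never rotated, and a secret
    whose last rotation predates the end of the exposure window (including one
    rotated while the window was still open, which is still compromised).
    """
    findings = []
    for entry in json.loads(inventory_json):
        rotated = _parse_ts(entry.get("last_rotated"))
        if rotated is None:
            findings.append(Finding(entry["id"], entry["kind"], "never rotated"))
        elif rotated < exposure_end:
            findings.append(Finding(
                entry["id"], entry["kind"],
                f"last rotated {rotated.date()} is not after exposure end {exposure_end.date()}",
            ))
    return sorted(findings, key=lambda f: f.id)


if __name__ == "__main__":
    for f in find_unrotated(INVENTORY_JSON, EXPOSURE_END):
        print(f"{f.kind:16} {f.id:28} {f.reason}")
```

Run stand-alone it lists four of the five constructed entries: the token rotated on October 20 is flagged even though it was rotated after the incident began, because the rotation happened before the exposure window closed. Only the credential rotated in November passes. The same logic applies to any secret an IdP or support-portal compromise could have exposed: API tokens, service-account passwords, session cookies and SSH keys.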




Zero-day, supply-chain attacks drove data breach high for 2023


“The complexity of modern software supply chains adds to this challenge, as it can hide potential security flaws and make comprehensive vetting difficult,” Neal adds.

Number of data breaches rises, but fewer victims

While the number of data breaches was up, the ITRC found a decline in the number of victims affected by the compromises, to 353,027,892, a 16% decline from 425,212,090 in 2022. That decline is part of a longer trend. “If you go back to 2018, which was the high point for victim count, we’re down 84%,” Lee says. “Identity thieves have changed their tactics. They’re more targeted, both in what they’re attacking and the information that they’re seeking.”

“Attackers today who want personal identifying information are more able to target the right systems,” Bach says. “If you’re more precise about the systems that you target, there’s going to be less collateral damage. That’s how we can see the number of attacks go up while the number of affected individuals goes down.”

“The breaches we’re seeing affect organizations more directly than individuals,” adds Luciano Allegro, co-founder and CMO of BforeAi, a threat intelligence company. “Many companies have stepped up their data privacy efforts due to GDPR and CCPA, but they are so focused on this aspect of data protection that they overlook the rest of their infrastructure.”

Supply-chain and zero-day attacks will continue to rise

The ITRC also reported that nearly 11% of all publicly traded companies were compromised in 2023 and that while most industries saw modest increases, healthcare, financial services, and transportation reported more than double the number of compromises compared to 2022.

For the coming year, Lee expects breach numbers to continue to trend upwards. “I don’t see any reason for it to go down,” he says. “With the increase in supply-chain and zero-day attacks, I believe we’re going to see another year of increases.”
