🐻 Kremlin-backed ‘Forest Blizzard’ exploits MS Outlook flaw 📧

Dec 06 2023

Gone Phishing Banner

Welcome to Gone Phishing, your daily cybersecurity newsletter that saw #Cyberpunk trending on the site formerly known as Twitter 🙄 and got nervous 💀

Today’s hottest cybersecurity news stories: 

  • 🐻 Kremlin-backed ‘Forest Blizzard’ exploits MS Outlook flaw 📧

  • ✈️ Enter AeroBlade, the espionage actor gunning for US airspace 📡

  • 🌐 15,000 Go Module repositories on GitHub open to ‘repojacking’ 🤏  

Batten down the h̶a̶t̶c̶h̶e̶s̶ patches 😏, Forest Blizzard is coming 👀

🔒 Microsoft Detects Kremlin-Backed Cyber Intrusion! 🔒

Microsoft announced the detection of Kremlin-backed nation-state activity exploiting a patched security flaw in Outlook, affecting Exchange servers.

😱 The Vulnerability: CVE-2023-23397, a critical bug with a CVSS score of 9.8, allowed unauthorised access, posing a serious threat to user accounts.

🕵️‍♂️ Threat Actor: Attributed to Forest Blizzard (formerly Strontium), also known as APT28, BlueDelta, Fancy Bear, and others.

💻 Intrusion Tactics: The goal was to gain unauthorised access to mailboxes, with adversaries modifying folder permissions for persistent access.

🛡️ Previous Exploits: Russia-based threat actors weaponized this flaw in zero-day attacks across government, transportation, energy, and military sectors in Europe since April 2022.

🌐 International Impact: APT28's activities expanded globally, with spear-phishing campaigns, webmail exploits, and WinRAR flaw abuse affecting organisations in France and Ukraine.

🚨 Ongoing Threat: Cybersecurity firm Proofpoint observed high-volume phishing campaigns leveraging vulnerabilities, emphasising the group's reliance on exploiting flaws for initial access.

🤖 Changing Tactics: Forest Blizzard continuously refines techniques, shifting from compiled malware to lighter-weight, credential-oriented access.

🎯 Outlook's Role: Microsoft Outlook's popularity in enterprise environments makes it a critical attack vector, introducing various cyber threats into organisations.

🌐 Global Concerns: Recent reports suggest breaches at the Sellafield nuclear waste site in the U.K. by hacking crews associated with Russia and China, deploying "sleeper malware" since 2015.

🔍 Government Response: The U.K. government denies evidence of successful state actor attacks on its networks.

🛑 Stay Vigilant: Ensure your systems are up to date and stay vigilant against evolving cyber threats! 🚨🛡️

Cybersecurity is more important than ever, and your Mac or PC are no exception. Over time, your Mac or PC can accumulate junk files, malware, and other threats that can slow it down and make it vulnerable to attack.

That's where MacPaw comes in. MacPaw offers a suite of easy-to-use apps that can help you clean, optimize, and secure your Mac. With MacPaw, you can:

  • Remove junk files and malware to free up space and improve performance

  • Protect your privacy by erasing sensitive data

  • Optimize your startup settings to speed up boot times

  • Manage your extensions and apps to keep your Mac or PC running smoothly

Since 2008 MacPaw is trusted by over 30 million users worldwide, and it's the perfect solution for keeping your Mac or PC safe and secure.

Move over Dyson Airblade, this is AeroBlade. Nope, not the badminton racket either… 🙈

🚨 New Cyber Espionage Threat Uncovered! 🚨

The BlackBerry Threat Research and Intelligence team has identified a new threat actor, AeroBlade, suspected to be involved in a cyber attack targeting a U.S. aerospace organisation. The origin remains unknown, and the success of the attack is uncertain.

📩 Spear-Phishing Tactics: AeroBlade utilised spear-phishing, delivering a weaponized document via email with an embedded remote template injection technique and a malicious VBA macro code. The final payload execution is dependent on victim interaction.

⚙️ Intricate Attack Timeline: The network infrastructure went live in September 2022, and the offensive phase occurred nearly a year later in July 2023. The adversary enhanced their toolset for stealthiness during this time.

🛑 Phishing Email Insight: The initial attack in September 2022 began with a phishing email containing a Microsoft Word attachment. Victim interaction triggered remote template injection, leading to a next-stage payload execution.

💻 Reverse Shell Deployment: The attack chain culminated in deploying a DLL functioning as a reverse shell, connecting to a command-and-control server. The attackers gathered system information, potentially for reconnaissance.

🛡️ Security Threat Warning: Dmitry Bestuzhev, senior director of cyber threat intelligence at BlackBerry, emphasised the severity of the threat posed by reverse shells, enabling attackers to take complete control of devices.

🤐 Obfuscated DLL Tactics: The heavily obfuscated DLL incorporates anti-analysis and anti-disassembly techniques, making detection challenging. It avoids execution in sandboxed environments, ensuring persistence via Task Scheduler.

🔍 Threat Actor Evolution: AeroBlade demonstrated significant effort between campaigns to develop resources, securing access to sought-after information and ensuring successful exfiltration.

Stay vigilant against evolving cyber threats! 🛡️👀

🎣 Catch of the Day!! 🌊🐟🦞

🃏 The Motley Fool: “Fool me once, shame on — shame on you. Fool me — you can't get fooled again.” Good ol’ George Dubya 😂 Let us tell who’s not fooling around though; that’s the Crüe 👀 at Motley Fool. You’d be a fool (alright, enough already! 🙈) not to check out their Share Tips from time to time so your savings can one day emerge from their cocoon as a beautiful butterfly! 🐛 Kidding aside, if you check out their website they’ve actually got a ton of great content with a wide variety of different investment ideas to suit most budgets 🤑 (LINK)


🚵 Wander: Find your happy place. Cue Happy Gilmore flashback 🏌️⛳🌈🕊️ Mmmm Happy Place… 😇 So, we’ve noticed a lot of you guys are interested in travel. As are we! We stumbled upon this cool company that offers a range of breath-taking spots around the United States and, honestly, the website alone is worth a gander. When all you see about the Land of the free and the home of the brave is news of rioting, looting and school shootings, it’s easy to forget how beautiful some parts of it are. The awe-inspiring locations along with the innovative architecture of the hotels sets Wander apart from your run of the mill American getaway 🏞️😍 (LINK)


🌊 Digital Ocean: If you build it they will come. Nope, we’re not talking about a baseball field for ghosts 👻🍿 (Great movie, to be fair 🙈). This is the Digital Ocean who’ve got a really cool platform for building and hosting pretty much anything you can think of. If you check out their website you’ll find yourself catching the buzz even if you can’t code (guilty 😑). But if you can and you’re looking for somewhere to test things out or launch something new or simply enhance what you’ve got, we’d recommend checking out their services fo’ sho 😉 And how can you not love their slogan: Dream it. Build it. Grow it. Right on, brother! 🌿 (LINK)

Repojacking?! Git to Hub 💀

🔐 GitHub Repositories at Risk: 15,000+ Vulnerable to Repojacking! 🔐

New research reveals that over 15,000 Go module repositories on GitHub are susceptible to repojacking, a technique exploiting account changes for open-source software supply chain attacks.

🚨 Vulnerability Origins: Chief Technology Officer at VulnCheck, Jacob Baines, highlights that 9,000 repositories are vulnerable due to GitHub username changes, and 6,000 are at risk from account deletions, collectively accounting for 800,000 Go module-versions.

👾 Understanding Repojacking: Repojacking, a blend of "repository" and "hijacking," allows bad actors to create a repository with the same name after account changes, staging supply chain attacks.

🔄 Go Modules Vulnerability: Go programming language modules face heightened vulnerability as they are decentralised, getting published to GitHub or Bitbucket. Anyone can register an unused username, duplicate a module repository, and publish a new module.

🛡️ GitHub Countermeasures:

GitHub's countermeasure, popular repository namespace retirement, blocks attempts to create repositories with retired names. However, this protection is less effective for Go modules, as they are cached, potentially leading to bypass scenarios.

💻 Mitigation Challenges: Mitigating repojackings involving 15,000 GitHub accounts requires action from either Go or GitHub. Awareness is crucial for Go developers to understand the modules they use and their repository status.

🚨 Additional Security Concerns: In parallel, Lasso Security discovered 1,681 exposed API tokens on Hugging Face and GitHub, including Google, Meta, Microsoft, and VMware tokens. These could be exploited for supply chain, data poisoning, and model theft attacks.

🔍 Stay Informed and Vigilant: Developers must remain vigilant, understand their module sources, and be aware of evolving security threats! 🛡️👀

🗞️ Extra, Extra! Read all about it!

Every few weeks, we carefully select three hot newsletters to show you. Reputation is everything, so any links we share come from personal recommendation or carefully researched businesses at the time of posting. Enjoy!

  • The GeekAI: A daily 3 min newsletter on what matters in AI, with all the new AI things coming to market its good to stay ahead of the curve.

  • Libby Copa: The Rebel Newsletter helps writers strengthen their writing and creative practice, navigate the publishing world, and turn their art into an act of rebellion.

  • Techspresso: Receive a daily summary of the most important AI and Tech news, selected from 50+ media outlets (The Verge, Wired, Tech Crunch etc)

Let us know what you think!

So long and thanks for reading all the phish!

Recent articles