Cybersecurity


All about cybersecurity. Be nice, no spam!

founded 1 year ago

A new policy directive from Maine Information Technology (MaineIT) has put a six-month moratorium on the adoption and use of Generative Artificial Intelligence (AI) technology within all State of Maine agencies due to “significant” cybersecurity risks.

The prohibition on AI will include large language models that generate text such as ChatGPT, as well as software that generates images, music, computer code, voice simulation, and art.

It’s unclear whether and to what extent state employees have been relying on emerging AI tools as part of their jobs. Maine may be the first state in the U.S. to impose such a moratorium.

According to an email sent on Wednesday to all Executive Branch agencies and employees from Maine’s Acting Chief Information Officer Nick Marquis, MaineIT issued a “cybersecurity directive” prohibiting the use of AI for all state business and on all devices connected to the state’s network for six months, effective immediately.


The BBC CISO says she is a “consummate cynic” about cybersecurity certifications. Helen Rabe believes schemes like the widely recognised ISO 27001 standard are “time consuming” and “cumbersome” to maintain for tech teams, and could be ripe for reform.

Rabe was speaking as part of a panel at the Infosec Europe conference in London, where she joined Munawar Vallji, CISO at rail ticketing platform Trainline, and Dr Emma Philpott, of advisory group the IASME Consortium, for a panel on the future of cybersecurity certifications.

BBC CISO ‘cynical’ about cybersecurity certifications

Cybersecurity certifications are designed to ensure organisations have an appropriate level of security across their teams. The most common certification is the ISO 27001 from the International Organisation of Standards, which was updated last year and is held by more than 30,000 companies.

While these certifications are not a legal requirement, they can be a contractual stipulation for IT buyers, particularly in public sector organisations. Speaking to Tech Monitor last year, Alan Calder, founder and executive chairman of cyber risk and privacy management company IT Governance, said: “The Department of Work and Pensions, for instance, requires organisations it is contracting to have ISO specification.


Every cybersecurity vendor has a different vision of how generative AI will serve its customers, yet they all share a common direction. Generative AI brings a new focus on data accuracy, precision and real-time insights. DevOps, product engineering and product management are delivering new generative AI-based products in record time, looking to capitalize on the technology’s strengths.

The five areas listed in the article:

  1. Real-time risk assessment and quantification
  2. Generative AI will revolutionize extended detection and response (XDR)
  3. Improving endpoint resilience, self-healing capability and contextual intelligence
  4. Improving existing AI-based automated patch management techniques
  5. Managing the use of generative AI tools, including AI-based chatbot services

cross-posted from: https://kbin.social/m/tech/t/67505

Over 100,000 OpenAI ChatGPT account credentials have been compromised and sold on the dark web. Cybercriminals are targeting the valuable information.


Complex, well-resourced, and well-organized, Anonymous Sudan looks like a front group for an intelligence service.

Anonymous Sudan's questionable provenance.

Researchers are moved to conclude that Anonymous Sudan is a Russian-run operation, and not the Islamist patriotic hacktivist collective it claims to be.

Is Anonymous Sudan a Russian front group, or a grassroots religious hacktivist group? Researchers at CyberCX have released an intelligence update on Anonymous Sudan after that threat group attacked Australian government organizations. The researchers point out that they assess, with high confidence, that Anonymous Sudan is unlikely to be the simple religious hacktivist group it purports to be, “and that Anonymous Sudan is unlikely to be geographically linked to Sudan.” CyberCX also assesses that the threat group uses a substantial paid proxy infrastructure across various countries to conduct its attacks. “Traffic was highly dispersed, with the common infrastructure across attacks spanning 1720 Autonomous Systems (AS) over 132 countries. Indonesia was the most represented country of origin, followed by Malaysia and the United States,” the researchers explained. That infrastructure probably costs about $2,700 per month. This is an estimate. As CyberCX points out, given the inherently closed nature of the proxy services, “it is difficult to estimate Anonymous Sudan’s likely expenditure on infrastructure.” It’s clear in any case that this supposed backwater organization has suspiciously significant funding and a complex operational style.

The group’s well-organized attacks are not typical of a grassroots organization of religiously motivated hacktivists. “Most authentic grassroots hacktivist organizations observed by CyberCX plan activities in an at least semi-public way, discussing targeting and coordinating operations in forums and group chats. Anonymous Sudan declares specific targets as it attacks, implying it is a closely held operation.” While it’s difficult to determine the group’s geographical location, the timezone during which they’re most active is the UTC-3 region, and that includes both Sudan and Eastern Europe. Anonymous Sudan is actively working with the Russian cyber auxiliary KillNet and its group of Russia-aligned accounts.

Anonymous Sudan primarily writes in English and Russian. Researchers at Trustwave write “There are numerous clues left behind by Anonymous Sudan pointing toward the group being associated in some manner with Killnet. The primary indicator is that Anonymous Sudan’s preferred attack vector is DDoS attacks, the attack type that Killnet has conducted. Other circumstantial evidence pointing toward a Russian connection is that the Anonymous Sudan Telegram posts are mostly in Russian (with some in English), and the targets are all nations that support Ukraine in its fight against Russia.”


Cybersecurity provider Trend Micro Incorporated has been integrating artificial intelligence (AI) into its technologies for a decade, but it hasn’t had the power of generative AI, until now.

Today Trend Micro announced its new Vision One platform, bringing together a series of different cybersecurity capabilities including extended detection and response (XDR), attack surface risk management (ASRM) and zero trust. In many respects, the platform is an evolution of the Trend Micro One platform announced in 2022, with the big new addition being gen AI.

The Trend Vision One Companion is a gen AI-powered assistant for security operations center (SOC) analysts. The technology enables security teams to use natural language queries to answer questions, assist with threat hunting and accelerate remediation.

“We’ve really tried to think about how we can bring the power of gen AI to the security operation center,” Trend Micro COO Kevin Simzer told VentureBeat. “When you’re in an SOC, it tends to be a bit of a stressful job as they’re inundated with lots of telemetry from all different sources.”


Tesla CEO Elon Musk might have his very own super-secret driver mode that enables hands-free driving in Tesla vehicles.

The hidden feature, aptly named “Elon Mode,” was discovered by a Tesla software hacker known online as @greentheonly. The anonymous hacker has dug deep into the vehicle code for years and uncovered things like how Tesla can lock you out of using your power seats or the center camera in the Model 3 before it was officially activated.

After finding and enabling Elon Mode, greentheonly ventured out to test the system and posted some rough footage of the endeavor. They did not share the literal “Elon Mode” setting on the screen but maintain that it’s real.

The hacker found that the car didn’t require any attention from them while using Tesla’s Full Self-Driving (FSD) software. FSD is Tesla’s vision-based advanced driver-assist system that’s in beta but is currently available to anyone who paid as much as $15,000 for the option. The software was the subject of an internally leaked report last month that indicated FSD has had thousands of customer complaints of sudden braking and abrupt acceleration.


From the moment I began my freelance web design business back in 2014, I was collecting payments via Stripe and happily paying their processing fees for the ability to grow my business from just a desire for more freedom to running a company that employs women and supports them to create their own freedom and financial independence.

It never occurred to me that using Stripe to process payments would become one of the biggest risks to my small business.

My Stripe account was hacked due to Stripe’s lax security, over $70,000 of fraudulent charges were processed by the hacker through a fake connected account, paid out instantly to that person via Stripe’s Instant Payments to the hacker’s pre-paid debit card, and Stripe started pulling the money out of my business bank account to pay back the victims of the theft.

And Stripe says it’s my fault that my account was hacked and that I’m liable to pay back the victims of the fraud.

Listen to the full podcast episode or read on to find out exactly what happened and how to protect your business.


On a quiet Monday morning after the Easter holiday, I was sipping coffee on my couch in Columbus, Ohio like I normally do, snuggling with my dog and going through my normal morning entrepreneurial routine of checking emails and DMs on my business account when I see an email from Stripe with the subject line:

“Subject: [Action required] Closure of your Stripe account”

We recently identified payments on your Stripe account that don’t appear to have been authorized by the customer, meaning that the owner of the card or bank account didn’t consent to these payments.

As a precautionary measure, we will no longer accept payments for [your company].

We will also begin issuing refunds on card payments on April 15, 2023, although they may take longer to appear on the cardholder’s statement.

Please refer to your dashboard for a list of the charges that will be refunded. If there are insufficient funds on your account to cover any refunds, those refunds won’t be processed and any outstanding funds will remain in your account.

If you believe that we’ve misunderstood or miscategorized your business and would like us to conduct another review of your account, please complete the form on your Stripe Dashboard to provide more information about your business.

Request further review

If you have any questions, you can contact us any time from our support site.”

I remember thinking… yeah, this is probably some phishing scam…

So I check out the “From” address, and actually click into it to see the actual address and it’s saying it’s FROM [email protected]

And I log into my Stripe account from a separate browser, you know, just in case… and after using my Authenticator app because I have 2-factor authentication set up on my account, I see the request at the top of my account asking me to provide proof that I am the owner of my business.

I look at my recent authorized transactions and nothing is out of the ordinary… all of the successful payments listed are from students inside my Web Designer Academy who have been making their monthly membership payments like clockwork.

And I think, “This must just be a mistake. I’ve been a customer of Stripe for 8 years now. I’ll submit all the documentation Stripe requested and I’m sure that will take care of it.”

So I grab my laptop, submit all the documentation right away, and get back to snuggling and scrolling.

Then I log into my bank account and see a withdrawal from my business checking account from Stripe for over $600. And another pending transaction for a withdrawal over $2000. And no credits for the payments that were made by students over the weekend.

And I’m feeling very confused thinking, “What is happening?”

I’m starting to feel the anxiety bubbling up, but I tell myself to be patient. Once they review all the documents I submitted to prove that I am who I say I am, this will all get resolved.

A few hours later, I receive another email:

“Subject: Additional review completed for Stripe Shop”

Whew, I think. I’m glad they took care of this so quickly.

I click into the email, and my heart starts pounding in my chest as I read it:

“Thank you for providing additional information about your business.

After reviewing your account again, we’ve confirmed that your business represents a higher risk than we can currently support.

We are unable to accept payments for [your company] moving forward.

Payouts to your bank account have been paused, and we will issue refunds on any card payments by May 10, 2023, although they may take longer to appear on the cardholder’s statement.

If there are insufficient funds on your account to cover any refunds, these refunds will not be processed and any outstanding funds will remain on your account.

Please refer to your Dashboard for a list of the charges to be refunded.

If you’d like to further appeal our decision, please contact us.”

I can feel the panic rising in my body. I tap on the Stripe app on my phone and I see that there’s a negative payout balance… but all the transactions listed in the app are legit.

I logged back into my Stripe account via my computer trying to figure out what in the world they are talking about, what are all these charges that they are saying are fraudulent? I’m looking for a phone number I can call to talk to someone.

I start clicking through every link in my Stripe dashboard, and when I get to the “Connect” menu item, that’s when I see it.

Two accounts with the business name of “Netflix.com” under the name “Albert Dawkins” which between the two accounts had racked up over $70,000 in credit card charges in the 3 days over the Easter holiday weekend.

Looking more closely, the ill-gotten gains were paid out instantly to a pre-paid debit card via Stripe’s Instant Payouts feature the moment the transactions were successful.

I realized my Stripe account was hacked. ...


The United Kingdom on Sunday announced a “major expansion” to its Ukraine Cyber Program, which has seen British experts provide remote incident response support to the Ukrainian government following Russian cyberattacks on critical infrastructure.

It follows the British government last year announcing that personnel from cyber and signals intelligence agency GCHQ had been contributing to Ukraine’s defense, including by providing protection against the Industroyer2 malware, alongside delivering hardware and software and limiting “attacker access to vital networks.”

The new funding will also support the provision of “forensic capabilities to enable Ukrainian cyber experts to analyze system compromises, attribute attackers and build better evidence to prosecute these indiscriminate attacks,” said Number 10.


A hacking group that has carried out attacks targeting organizations in Europe, Latin America and Central Asia has been linked to Russia’s military intelligence agency, according to new research.

Microsoft said Wednesday that the group, which it calls Cadet Blizzard, played a significant role at the beginning of Russia’s cyberwar against Ukraine. About a month prior to the invasion, the group deployed WhisperGate malware, which targeted numerous Ukrainian government computers and websites, while Russian tanks and troops were massed on the Ukrainian borders waiting to start the offensive.

Last year, Ukrainian cybersecurity officials along with their allies from the U.K. and the U.S. attributed the WhisperGate attack to units operating under the Russian military intelligence agency known as the GRU, but they did not disclose additional details.

According to Microsoft’s report, Cadet Blizzard operates independently from other GRU-affiliated hacking groups, such as Sandworm. The group is responsible for destructive attacks, cyber espionage, hack-and-leak operations, and defacement attacks — incidents where hackers modify the visual appearance of a website.

Microsoft considers the emergence of a novel GRU-affiliated actor “a notable development in the Russian cyber threat landscape.” According to the researchers, Cadet Blizzard’s cyber operations align with Russia's wider military goals in Ukraine but also pose a danger to NATO countries that provide military aid to Ukraine.


Business email compromises, which supplanted ransomware last year to become the top financially motivated attack vector threatening organizations, are likely to become harder to track. New investigations by Abnormal Security suggest attackers are using generative AI to create phishing emails, including vendor impersonation attacks of the kind Abnormal flagged earlier this year by the actor dubbed Firebrick Ostrich.

According to Abnormal, by using ChatGPT and other large language models, attackers are able to craft social engineering missives that aren’t festooned with such red flags as formatting issues, atypical syntax, incorrect grammar, punctuation, spelling and email addresses.

The firm used its own AI models to determine that certain emails sent to its customers later identified as phishing attacks were probably AI-generated, according to Dan Shiebler, head of machine learning at Abnormal. “While we are still doing a complete analysis to understand the extent of AI-generated email attacks, Abnormal has seen a definite increase in the number of attacks with AI indicators as a percentage of all attacks, particularly over the past few weeks,” he said.


Pro-Russian hackers are continuing to hit targets in Ukraine amid a counteroffensive aimed at reclaiming territory held by Russian forces in what Ukrainian officials and researchers describe as an intense period of network operations as the conflict heats up.

“The activity is still very high,” Victor Zhora, a top Ukrainian cybersecurity official, told CyberScoop via online chat Thursday.

Zhora, the deputy chairman of the State Service of Special Communications and Information Protection of Ukraine, which is responsible for the defense of Ukrainian government systems, said that pro-Russian hackers are focused on Ukrainian service providers, media and critical infrastructure, as well as collecting data from government networks. Zhora said his team is expecting the pace of pro-Russian operations to pick up.


The story of how I could steal credentials on Infosec Mastodon with an HTML injection vulnerability, without needing to bypass CSP.

Everybody on our Twitter feed seemed to be jumping ship to the infosec.exchange Mastodon server, so I decided to see what the fuss was all about. After figuring out why exactly you had to have loads of @ symbols in your username, I began to have a look at how secure it was. If you've followed me on Twitter you'll know I like to post vectors and test the limits of the app I'm using, and today was no exception.

First, I began testing to see if HTML or Markdown was supported. I did a couple of "tweets" to see if you could have code blocks (how cool would that be?) but nothing seemed to work. That is, until @ret2bed pointed out that you could change your preferences to enable HTML! That's right people, a social network that enables you to post HTML - what could possibly go wrong?

I enabled this handy preference and redid my tests. Markdown seemed pretty limited. I was mainly hoping for code blocks but they didn't materialise. I switched to testing HTML and tested for basic stuff like bold tags, which seemed to work on the web but not on mobile. Whilst I was testing, @securitymb gave me a link to their HTML filter source code and he showed me a very interesting vector where they were decoding entities.


In an operation coordinated by Europol and involving nine countries, law enforcement have seized the illegal dark web marketplace “Monopoly Market” and arrested 288 suspects involved in buying or selling drugs on the dark web.

More than EUR 50.8 million (USD 53.4 million) in cash and virtual currencies, 850 kg of drugs, and 117 firearms were seized. The seized drugs include over 258 kg of amphetamines, 43 kg of cocaine, 43 kg of MDMA and over 10 kg of LSD and ecstasy pills.

from 02 May 2023


The newly coined term "Darknet Parliament” has become the latest catchphrase among cybercriminals trying to prove their clout – and security insiders are loving it.

If you’ve never heard of the term before, don’t fret; neither had the rest of the world until Friday, when the notorious pro-Russian hacker group Killnet introduced the phrase in one of its Telegram threat posts.

Soon after, the Twitterverse seemed to come alive with security folk who couldn’t help but wonder about the ‘never-before-heard-of’ moniker for a ‘never-before-heard-of’ hacker government organization.


In roughly two months, five teams of DEF CON hackers will do their best to remotely infiltrate and hijack the satellite while it's in space. The idea is to try out offensive and defensive techniques and methods on actual in-orbit hardware and software, which we imagine could help improve our space systems.

Moonlighter, dubbed "the world's first and only hacking sandbox in space," is a mid-size 3U cubesat with a mass of about 5 kg. Stowed, it is 34 cm x 11 cm x 11 cm in size, and when fully deployed with its solar panels out, it measures 50 cm x 34 cm x 11 cm.

It was built by The Aerospace Corporation, a federally funded research and development center in southern California, in partnership with the US Space Systems Command and the Air Force Research Laboratory. It will run software developed by infosec and aerospace engineers to support in-orbit cybersecurity training and exercises.

This effort was inspired by the Hack-A-Sat contest co-hosted by the US Air Force and Space Force, now in its fourth year at the annual DEF CON computer security conference.


Killnet claims to be working in concert with a resurgent form of the notorious REvil ransomware gang. The goal? To mount an attack on the Western financial system.

The group is warning that attacks are imminent, as in the next day or so; but it's unclear whether the threats amount to anything more than bluster and saber-rattling, particularly given Killnet's past track record of, at most, carrying out mildly disruptive distributed denial of service (DDoS) attacks.

Even so, in a video posted on a Russian Telegram channel on June 16, Killnet made ominous threats against the SWIFT banking system (famously targeted by Lazarus in 2018); the Wise international wire transfer system; the SEPA intra-Europe payments service; central banks in Europe and the US (i.e., the Federal Reserve); and other institutions.

"The post claims that threat actors from Killnet, REvil, and Anonymous Sudan will unite for the campaign," according to ZeroFox researchers, writing in a flash alert on the threat. "Killnet indicates that the attack is motivated by the US providing weapons to aid Ukraine, stating: 'repel the maniacs according to the formula, no money — no weapons — no Kiev regime.'"


British Airways, Boots and the BBC are investigating the potential theft of personal details of staff after the companies were hit by a cyber-attack attributed to a Russia-linked criminal gang.

BA confirmed it was one of the companies affected by the hack, which targeted software called MOVEit used by Zellis, a payroll provider.

“We have been informed that we are one of the companies impacted by Zellis’s cybersecurity incident, which occurred via one of their third-party suppliers called MOVEit,” said a spokesperson for the airline.

An email sent to BA staff told employees that compromised information included names, addresses, national insurance numbers and banking details, according to the Daily Telegraph, which first reported the breach. BA said the hack had affected staff paid through BA payroll in the UK and Ireland.


The size and scope of the government effort to accumulate data revealing the minute details of Americans' lives are described soberly and at length by the director's own panel of experts in a newly declassified report. Haines had first tasked her advisers in late 2021 with untangling a web of secretive business arrangements between commercial data brokers and US intelligence community members.

What that report ended up saying constitutes a nightmare scenario for privacy defenders.

“This report reveals what we feared most,” says Sean Vitka, a policy attorney at the nonprofit Demand Progress. “Intelligence agencies are flouting the law and buying information about Americans that Congress and the Supreme Court have made clear the government should not have.”


By analyzing the usage of ChatGPT and other generative AI apps among 10,000 employees, the report has identified key areas of concern. One alarming finding reveals that 6% of employees have pasted sensitive data into GenAI, with 4% engaging in this risky behavior on a weekly basis. This recurring action poses a severe threat of data exfiltration for organizations.

The report addresses vital risk assessment questions, including the actual scope of GenAI usage across enterprise workforces, the relative share of "paste" actions within this usage, the number of employees pasting sensitive data into GenAI and their frequency, the departments utilizing GenAI the most, and the types of sensitive data most likely to be exposed through pasting.

The research also highlights the prevalence of sensitive data exposure. Of the employees using GenAI, 15% have engaged in pasting data, with 4% doing so weekly and 0.7% multiple times a week. This recurring behavior underscores the urgent need for robust data protection measures to prevent data leakage.

Source code, internal business information, and Personally Identifiable Information (PII) are the leading types of pasted sensitive data. This data was mostly pasted by users from the R&D, Sales & Marketing, and Finance departments.


The EU's Digital Operational Resilience Act (DORA) marks a shift in cybersecurity regulation, from a focus on preventing cyber-attacks to also ensuring the ability to recover quickly and effectively from them – a concept that is commonly called cyber resilience.

DORA was adopted in November 2022 as part of the EU’s 2020 Digital Finance strategy, which laid out the ambition for Europe to become a digital single market for financial services.

It aims to improve the resilience of the financial sector to operational disruptions, such as cyber-attacks.

Wide Scope

According to Jean-Philippe Gaulier, co-founder of Cyberzen, DORA was adopted in response to the EU regulators' concerns that the financial sector was not doing enough to mitigate cyber threats.

“Specifically, EU regulators were probably not thinking of big banks and insurance companies when drafting this bill, as they are among the best-prepared companies in the world to prevent and recover from cyber-attacks, but rather of other, perhaps less regulated institutions that play a role in modern financial services,” he told Infosecurity.

Therefore, DORA applies to a wide range of financial institutions, including banks, insurance companies, investment firms, cryptocurrency exchanges and trading platforms, as well as their critical third parties.


In July of 2021, the Commerce Department's Bureau of Industry and Security added the Hangzhou, China-based encryption chip manufacturer Hualan Microelectronics, also known as Sage Microelectronics, to its so-called “Entity List,” a vaguely named trade restrictions list that highlights companies “acting contrary to the foreign policy interests of the United States.” Specifically, the bureau noted that Hualan had been added to the list for “acquiring and ... attempting to acquire US-origin items in support of military modernization for [China's] People's Liberation Army.”

Yet nearly two years later, Hualan—and in particular its subsidiary known as Initio, a company originally headquartered in Taiwan that it acquired in 2016—still supplies encryption microcontroller chips to Western manufacturers of encrypted hard drives, including several that list as customers on their websites Western governments' aerospace, military, and intelligence agencies: NASA, NATO, and the US and UK militaries. Federal procurement records show that US government agencies from the Federal Aviation Administration to the Drug Enforcement Administration to the US Navy have bought encrypted hard drives that use the chips, too.


The IT Army of Ukraine was born in the opening days of the Russian invasion of Ukraine. It started with a simple tweet on Feb. 26, 2022 from Mykhailo Fedorov, vice prime minister and minister of digital transformation, who wrote, “We are creating an IT army. We need digital talents” and included a link to a Telegram channel where visitors could find a list of targets to attack. The concept behind the group is simple: The operators of the channel provide tools to conduct distributed denial of service (DDoS) attacks against Russian websites and put out a list of targets two or three times per week for volunteers to attack. These volunteers then use the tools from the channel and, in some cases, their own hacking skills, to take down services on the Russian internet, including banking websites, tax processors, and military hardware stores. The group has attacked prominent Russian websites and even managed to delay Vladimir Putin’s speech at the St. Petersburg Economic Forum for over an hour.


Above from the very recent Lawfare Blog article


More info - doing a bit of study on the IT Army of Ukraine today as I hadn't heard of much activity from them in recent months.

IT Army of Ukraine website: https://itarmy.com.ua/?lang=en

Their Telegram channel: https://t.me/itarmyofukraine2022

English version: https://t.me/itarmyofukraine2022eng

Wikipedia: https://en.wikipedia.org/wiki/IT_Army_of_Ukraine


People on the Discord for the r/ChatGPT subreddit are advertising stolen OpenAI API tokens that have been scraped from other peoples’ code, according to chat logs, screenshots and interviews. People using the stolen API keys can then implement GPT-4 while racking up usage charges to the stolen OpenAI account.

In one case, someone has stolen access to a valuable OpenAI account with an upper limit of $150,000 worth of usage, and is now offering that access for free to other members, including via a website and a second dedicated Discord server. That server has more than 500 members.

People who want to use OpenAI's large language models like GPT-4 need to make an account with the company and associate a credit card with the account. OpenAI then gives them a unique API key which allows them to access OpenAI's tools. For example, an app developer can use code to implement ChatGPT or other language models in their app. The API key gives them access to those tools, and OpenAI charges a fee based on usage: “Remember that your API key is a secret! Do not share it with others or expose it in any client-side code (browsers, apps),” OpenAI warns users. If the key is stolen or exposed, anyone can start racking up charges on that person's account.


"Mandiant assesses with high confidence that UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People's Republic of China," the Google-owned threat intel team said today.

Intrusions started with overly spammy emails

Mandiant, which described UNC4841 as an "aggressive and skilled" crew, said the intrusion started with emails sent to victim organizations. However, the spies didn't want the victims to open the email. Instead they used generic subject and message content, poor grammar and placeholder values to make the email look like spam, get flagged by filters and sent straight to the junk folder, and then — hopefully — avoid a full investigation by security analysts.

-- Barracuda discovered a critical bug, tracked as CVE-2023-2868, in these appliances on May 19, we're told, and pushed a patch to all affected products the following day.

At the time, it said miscreants had been abusing the flaw to run remote commands on targeted equipment, hijack them, and deploy data-stealing spyware on the boxes for at least seven months.

Last week, the vendor told customers to "immediately" replace infected kits, even if they received a patch to fix the remote command injection vulnerability. And don't worry about cost: Barracuda will give all compromised customers a new ESG device for free.

Meanwhile, Mandiant, which has been working with Barracuda to investigate the exploit used and the malware subsequently deployed, today identified a China-based threat group it tracks as UNC4841, and said the snoops targeted a "subset" of Barracuda ESG appliances across several regions and sectors.
