Microsoft vulnerability exploited by sophisticated Russian hacking tool

Security researchers have uncovered evidence of a sophisticated cyberattack campaign targeting Microsoft systems by a Russian-backed hacking group known as APT29, exploiting a critical vulnerability. This attack has raised concerns over the group's advanced capabilities and the potential impact on affected organizations.

Exploiting the Vulnerability:

APT29 exploited a critical vulnerability in Microsoft Exchange, identified as CVE-2023-21529, which allows attackers to gain elevated privileges, steal credentials, and exfiltrate sensitive data from compromised systems. This vulnerability, if not addressed promptly, could lead to significant security breaches.

Microsoft released security updates in October 2022 to patch this vulnerability. However, it was not initially known that the vulnerability was being actively exploited in the wild. The discovery of APT29's exploitation highlights the importance of timely vulnerability management and the need for organizations to apply security patches promptly.

APT29's Modus Operandi:

APT29, also known by various aliases such as Cozy Bear, CozyDuke, and Strontium, has been linked to the Russian military intelligence service, known as the GRU, by both the U.S. and U.K. governments. This group has conducted numerous high-profile cyberattacks since the mid-2000s, carrying out intelligence-gathering operations by hacking into various organizations, primarily in the U.S., Europe, and the Middle East.

APT29's technical sophistication is evident in the use of a previously unknown tool called Cloaked Ursa, which enables attackers to gain SYSTEM privileges, the highest level of access available in Microsoft Windows. Despite being a simple launcher application, Cloaked Ursa can spawn other applications specified on the command line with elevated permissions.

This capability allows APT29 to pursue secondary objectives, such as remote code execution, backdoor installation, and lateral movement across compromised networks. Cloaked Ursa, deployed using a simple batch script, has shown persistence on infected systems, re-executing with every reboot of the compromised machine.

The attackers have been observed using Cloaked Ursa to deploy a dropper, in some cases referred to as "wayzgoose23.dll," within the context of the "NT SERVICE" service with SYSTEM privileges. This dropper functions as an application launcher capable of executing additional payloads with SYSTEM-level permissions.

Targeting and Impact:

Microsoft has observed APT29 using Cloaked Ursa in post-compromise activities against targets including government and non-governmental organizations, educational institutions, and entities in the transportation sector. The group's activities have been detected in the U.S. and the U.K.

Some of APT29's notable attacks include the exploitation of a zero-day in Cisco routers to deploy the VPNFilter malware in 2018; compromising router devices from multiple vendors to evade detection in attacks earlier this year; and being linked to the hack of the Democratic National Committee and intrusions into the Clinton campaign and the Democratic Congressional Campaign Committee ahead of the 2016 U.S. presidential election.

Members of APT29 were indicted by the U.S. Department of Justice two years later for their involvement in the DNC and DCCC hacks, while the U.S. Treasury sanctioned members of the group in October 2020 for their role in the SolarWinds hack.

Mitigation Measures:

To mitigate the risk of being targeted by APT29 and similar groups, organizations should prioritize the following measures:

  • Apply security patches and updates promptly, especially for critical vulnerabilities like CVE-2023-21529.
  • Implement multi-factor authentication to enhance account security.
  • Use network segmentation and firewalls to limit lateral movement and isolate compromised systems.
  • Monitor network traffic for suspicious activity and investigate any anomalies promptly.
  • Educate users about cybersecurity best practices, including phishing and social engineering awareness.
  • Consider implementing intrusion detection and prevention systems (IDS/IPS) to detect and block malicious activity.
  • Conduct regular security audits and penetration testing to identify and address vulnerabilities.

Source: https://www.infobae.com/tag/microsoft/
