Chinese UNC4841 Group Exploits Zero-Day Flaw in Barracuda Email Security Gateway
A suspected China-nexus threat actor dubbed UNC4841 has been linked to the exploitation of a recently patched zero-day flaw in Barracuda Email Security Gateway (ESG) appliances since October 2022.
"UNC4841 is an espionage actor behind this wide-ranging campaign in support of the People’s Republic of China," Google-owned Mandiant said in a new report published today, describing the group as "
DDoS Attack Leads to Microsoft Azure Global Outage
On July 30, 2024, Microsoft experienced a significant global outage affecting its Azure cloud services and Microsoft 365 products. The incident, which lasted nearly 10 hours, was triggered by a Distributed Denial-of-Service (DDoS) attack and impacted users worldwide.
The outage began at approximately 11:45 UTC and was resolved by 19:43 UTC. During this period, users reported difficulties accessing various Microsoft services, including Azure App Services, Application Insights, Azure IoT Central, Azure Log Search Alerts, Azure Policy, the Azure portal, and several Microsoft 365 and Microsoft Purview services.
Microsoft confirmed that the initial trigger was a DDoS attack, which caused an unexpected usage spike. This surge overwhelmed Azure Front Door (AFD) components and Azure Content Delivery Network (CDN), leading to intermittent errors, timeouts, and latency spikes.
A flaw in Microsoft’s defense made the situation even worse than expected. The company stated, “While the initial trigger event was a Distributed Denial-of-Service (DDoS) attack, initial investigations suggest that an error in the implementation of our defenses amplified the impact of the attack rather than mitigating it.”
Microsoft’s response included implementing networking configuration changes and performing failovers to alternate networking paths. The initial mitigation efforts successfully addressed the majority of the impact by 14:10 UTC. However, some customers continued to experience less than 100% availability until around 18:00 UTC.
The tech giant then proceeded with an updated mitigation approach, rolling it out first across regions in Asia Pacific and Europe, followed by the Americas. Failure rates returned to pre-incident levels by 19:43 UTC, with full mitigation declared at 20:48 UTC.
This incident follows a series of recent outages affecting Microsoft’s services. Just two weeks prior, a problematic update to CrowdStrike’s Falcon agent caused Windows virtual machines to crash with Blue Screen of Death (BSOD) errors. These recurring issues have raised concerns about cloud infrastructure resilience and the potential risks associated with centralized services.
The outage had widespread effects, impacting various businesses globally. For instance, Starbucks in the US had to disable its mobile ordering system for several hours due to the Azure issues.
Microsoft has committed to conducting an internal retrospective to understand the incident better. The company plans to publish a Preliminary Post-Incident Review within 72 hours, followed by a Final Post-Incident Review within 14 days, providing additional details and lessons learned from the event.
A supply chain attack targets Python developers. Russia targets German political parties. Romanian and Spanish police dismantle a cyber-fraud gang. Pwn2Own prompts quick patches from Mozilla. President Biden nominates the first assistant secretary of defense for cyber policy at the Pentagon. An influential think tank calls for a dedicated cyber service in the US. Unit42 tracks a StrelaStealer surge. GM reverses its data sharing practice. Our guest is Anna Belak, Director of the Office of Cybersecurity Strategy at Sysdig, who shares trends in cloud-native security. And a Fordham Law School professor suggests AI creators take a page from medical doctors.
Hackers Hijacked Notepad++ Plugin To Inject Malicious Code
Hackers have manipulated a popular Notepad++ plugin, injecting malicious code that compromises users’ systems upon execution.
The AhnLab Security Intelligence Center (ASEC) researchers have revealed that the “mimeTools.dll” plugin, which is widely used, was modified to carry out the attack.
Notepad++, a text and source code editor favored by programmers and writers for its versatility and plugin support, became an unwitting vehicle for cybercriminals.
Malicious vs Legitimate Package
The altered “mimeTools.dll” plugin, a default component of Notepad++, was discovered to be masquerading as a legitimate package, deceiving users into downloading and installing the compromised version.
The mimeTools plugin, known for its encoding functionalities such as Base64, is automatically loaded when Notepad++ is launched. Attackers exploited this behavior using a technique known as DLL Hijacking.
When Notepad++.exe is launched, the “mimeTools.dll” file is automatically loaded, triggering the activation of the embedded malicious code, without any further user action.
Infection Flow
The attackers ingeniously added encrypted malicious shellcode, together with the code to decrypt and execute it, within the “mimeTools.dll” file.
ASEC’s investigation highlighted a file named “certificate.pem” within the altered package as the container of the malicious shell code.
Despite the manipulation, the plugin’s original functionalities remained intact, with only the DllEntryPoint code being altered. This stealthy approach ensures that the malicious activities commence the moment the DLL is loaded, unbeknownst to the user.
The execution flow of the malicious code begins with the launching of Notepad++ and the subsequent loading of the “mimeTools.dll.”
The DLL then decrypts and executes the shellcode contained in the “certificate.pem” file, initiating the attack.
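The infection flow above hinges on two artifacts a defender can check for: a mimeTools.dll whose bytes no longer match the shipped plugin, and an extra "certificate.pem" sitting in the plugin folder. The following Python script is an added example (not code from ASEC or the Notepad++ project) of a plugin-directory integrity audit: it hashes every DLL under a Notepad++ plugins directory against an allowlist of known-good SHA-256 values and flags any non-DLL file found beside a plugin. The allowlist hashes, the plugin bytes and the directory layout are all constructed inside the script so it runs offline; a real deployment would populate the allowlist from a clean installer.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def audit_plugin_dir(plugins_root: Path, allowlist: dict) -> list:
    """Return findings for a Notepad++ 'plugins' directory.

    allowlist maps DLL file name -> expected SHA-256 of the genuine file.
    Findings:
      HASH_MISMATCH   a listed DLL whose bytes differ from the allowlist
      UNKNOWN_DLL     a DLL with no allowlist entry at all
      UNEXPECTED_FILE any non-DLL file next to a plugin (e.g. certificate.pem),
                      which the allowlist cannot vouch for and should be reviewed
    """
    findings = []
    for plugin_dir in sorted(p for p in plugins_root.iterdir() if p.is_dir()):
        for f in sorted(plugin_dir.iterdir()):
            rel = f"{plugin_dir.name}/{f.name}"
            if f.suffix.lower() == ".dll":
                expected = allowlist.get(f.name)
                if expected is None:
                    findings.append(f"UNKNOWN_DLL {rel}")
                elif sha256_of(f) != expected:
                    findings.append(f"HASH_MISMATCH {rel}")
            else:
                findings.append(f"UNEXPECTED_FILE {rel}")
    return findings


def demo() -> tuple:
    """Build a CONSTRUCTED clean install and a constructed tampered install
    mirroring the ASEC description, then audit both. Returns (clean, tampered)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Stand-in bytes; NOT the real mimeTools.dll, and NOT its real hash.
        good_bytes = b"MZ constructed stand-in for the genuine mimeTools.dll"
        bad_bytes = good_bytes + b" with a modified DllEntryPoint"
        allowlist = {"mimeTools.dll": hashlib.sha256(good_bytes).hexdigest()}

        clean = root / "clean" / "plugins"
        (clean / "mimeTools").mkdir(parents=True)
        (clean / "mimeTools" / "mimeTools.dll").write_bytes(good_bytes)

        tampered = root / "tampered" / "plugins"
        (tampered / "mimeTools").mkdir(parents=True)
        (tampered / "mimeTools" / "mimeTools.dll").write_bytes(bad_bytes)
        # Opaque payload container as described in the report (constructed).
        (tampered / "mimeTools" / "certificate.pem").write_bytes(b"constructed opaque blob")

        return audit_plugin_dir(clean, allowlist), audit_plugin_dir(tampered, allowlist)


if __name__ == "__main__":
    clean_findings, tampered_findings = demo()
    print("clean install   :", clean_findings or "no findings")
    print("tampered install:", tampered_findings)
```

Because mimeTools.dll is loaded on every Notepad++ start, the useful moment to run such a check is at install or update time and periodically afterwards, with the allowlist taken from the official installer rather than from whatever is currently on disk.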
As cybercriminals continue to evolve their tactics, the cybersecurity community remains committed to uncovering and mitigating such threats, safeguarding users’ digital experiences.