Calendar Week 04 – WafdogBlog (feed built Tue, 28 May 2024 08:57:16 +0000)

Intrusion Alert: Suspected Kremlin-Linked Hackers Breach HPE’s Cloud Email Environment (published Tue, 12 Mar 2024 15:49:45 +0000)

Suspected hackers linked to the Kremlin are believed to have breached the cloud email infrastructure of technology giant Hewlett Packard Enterprise (HPE) to extract mailbox data.

According to a regulatory filing with the U.S. Securities and Exchange Commission (SEC), HPE stated, “The threat actor accessed and extracted data starting from May 2023 from a small subset of HPE mailboxes belonging to individuals in our cybersecurity, go-to-market, business segments, and other functions.”

The intrusion has been attributed to APT29, a Russian state-sponsored group also known by aliases such as BlueBravo, Cloaked Ursa, Cozy Bear, Midnight Blizzard (formerly Nobelium), and The Dukes.

This disclosure follows Microsoft’s recent revelation implicating the same threat actor in breaching its corporate systems in late November 2023, targeting senior executives and personnel in the cybersecurity and legal departments to pilfer emails and attachments.

HPE was made aware of the incident on December 12, 2023, indicating that the hackers operated within its network without detection for over six months.

The company also noted a likely connection to a prior security event, also attributed to APT29, involving unauthorized access and extraction of a limited number of SharePoint files as early as May 2023, with HPE being alerted to the malicious activity in June 2023.

While emphasizing that the incident has not materially impacted its operations to date, HPE did not disclose the full extent of the attack or the specific email data compromised.

APT29, believed to be affiliated with Russia’s Foreign Intelligence Service (SVR), has been responsible for several notable cyber intrusions in recent years, including the 2016 breach of the U.S. Democratic National Committee (DNC) and the 2020 SolarWinds supply chain compromise.


Jenkins Security Update: Patching Critical Vulnerabilities and Preventing Remote Code Execution (published Tue, 12 Mar 2024 15:48:31 +0000)

The maintainers of Jenkins, an open-source continuous integration/continuous delivery and deployment (CI/CD) automation software, have rectified nine security vulnerabilities, one of which was critical and could potentially lead to remote code execution (RCE) if exploited successfully.

Identified as CVE-2024-23897, the critical flaw allows arbitrary files to be read via the built-in command line interface (CLI). Jenkins uses the args4j library to parse command arguments and options on its controller, and the library’s “expandAtFiles” feature, which replaces a specific character sequence followed by a file path with the contents of that file, was left enabled. This feature is active by default in Jenkins versions 2.441 and earlier and in LTS 2.426.2 and earlier, leaving those installations exposed.

Malicious actors with appropriate permissions could exploit this vulnerability to read arbitrary files on the Jenkins controller’s file system. While attackers with “Overall/Read” permission could access entire files, those without it might only retrieve the first three lines, depending on the CLI commands used. Furthermore, the vulnerability could potentially allow access to binary files containing cryptographic keys, albeit with limitations.

Yaniv Nizry, a security researcher at SonarSource, discovered and reported the flaw on November 13, 2023. It has since been addressed in Jenkins versions 2.442 and LTS 2.426.3 by disabling the problematic command parser feature.

As a temporary measure until the patch can be applied, it is advised to disable access to the CLI.

This security issue comes approximately a year after Jenkins resolved two severe vulnerabilities known as CorePlague (CVE-2023-27898 and CVE-2023-27905), which also posed risks of code execution on targeted systems.


Cisco Addresses Critical Security Vulnerability in Unified Communications and Contact Center Solutions (published Tue, 12 Mar 2024 15:47:00 +0000)

Cisco has issued patches to remedy a severe security vulnerability affecting its Unified Communications and Contact Center Solutions products. This flaw, identified as CVE-2024-20253 with a CVSS score of 9.9, arises from mishandling user-provided data, enabling a potential attacker to execute arbitrary code on a vulnerable device without authentication.

The vulnerability originates from the improper processing of user-input data, allowing malicious actors to send specially crafted messages to a listening port of an exposed appliance. If successfully exploited, the attacker could execute arbitrary commands on the device’s underlying operating system with the privileges of the web services user. Additionally, gaining access to the operating system could lead to establishing root access on the compromised device.

Security researcher Julien Egloff from Synacktiv is credited with discovering and reporting CVE-2024-20253. The impacted products include Unified Communications Manager (versions 11.5, 12.5(1), and 14), Unified Communications Manager IM & Presence Service (versions 11.5(1), 12.5(1), and 14), Unified Communications Manager Session Management Edition (versions 11.5, 12.5(1), and 14), Unified Contact Center Express (versions 12.0 and earlier, and 12.5(1)), Unity Connection (versions 11.5(1), 12.5(1), and 14), and Virtualized Voice Browser (versions 12.0 and earlier, 12.5(1), and 12.5(2)).

While there are no immediate workarounds available, Cisco advises users to implement access control lists (ACLs) on intermediary devices to restrict access to ports of deployed services, particularly in scenarios where applying the updates may take time.

This disclosure follows recent efforts by Cisco to address another critical security flaw affecting Unity Connection (CVE-2024-20272, CVSS score: 7.3), which could also enable attackers to execute arbitrary commands on the underlying system.


Outlook Vulnerability Exposes Passwords: Cybersecurity Threats and Protective Measures (published Tue, 12 Mar 2024 15:45:47 +0000)

Microsoft’s email client Outlook apparently contains a vulnerability that cybercriminals can exploit to capture other users’ passwords. The target only needs to open a calendar invitation attached to a specially crafted email. Outlook then transmits the NTLMv2 hash of the user’s password to a system controlled by the attacker, as security researchers from Varonis explained in a recent blog post.

For the attack to succeed, the email delivered to the target’s mailbox must carry two specific headers: one tells Outlook that the message contains shared content, and the other references a file on the attacker’s system in ICS format, the iCalendar data format used for exchanging calendar information.

When the target opens the calendar invitation in Outlook, the software attempts to authenticate itself to the attacker’s system to access the ICS file. In doing so, the NTLMv2 hash of the password is transmitted.

Passwords can be obtained through brute force

Subsequently, the actual password can be recovered, for example through a brute-force attack, the researchers explain. This can happen locally on an attacker’s system, leaving no traces in the network. There are also web tools with databases containing billions of NTLM hashes of known passwords; if the intercepted hash appears in one of these databases, the associated password can be determined even faster.

Moreover, the security researchers warn that an Authentication Relay Attack is possible using the NTLMv2 hash. This means the attacker could intercept the authentication request from the victim and use it to log in to a targeted system without needing to know the password in plaintext.

Outlook vulnerability patched, others not

Microsoft released a patch for the security flaw, registered as CVE-2023-35636, on December 12, 2023, and classified it as “important” with a CVSS score of 6.5. Varonis had reported the vulnerability to the company in July 2023, the researchers explain, along with two other security flaws in Windows File Explorer and the Windows Performance Analyzer (WPA), which could also lead to the exposure of NTLMv2 hashes.

However, Microsoft closed the tickets for the latter two vulnerabilities due to their “moderate severity.” “These were not patched; according to Microsoft, this behavior was not considered a vulnerability,” said one of the Varonis security researchers to SC Media.

Towards the end of their report, the researchers share some possible protective measures to prevent the inadvertent leakage of NTLMv2 hashes. This includes, for example, blocking outbound NTLM authentications, which is now possible under Windows 11, as well as enforcing Kerberos authentication.


Microsoft Targeted by Cyberattack: Midnight Blizzard Strikes Again (published Tue, 12 Mar 2024 15:44:14 +0000)

The software giant Microsoft has apparently once again fallen victim to a cyberattack. According to a new blog post by the company, a hacker group supported by the Russian state called Midnight Blizzard, also known as Nobelium, Cozy Bear, or APT29, gained access to an “old, non-productive test tenant account” through a password spraying attack as early as the end of November 2023.

Using the permissions of this account, the attackers were subsequently able to access “a very small percentage” of Microsoft’s corporate email accounts, including those of executives and employees in the cybersecurity and legal departments. Some emails and attached documents were exfiltrated during the breach.

Attackers spent weeks in Microsoft’s systems before being detected, likely operating within the mentioned email accounts for approximately one and a half months. Microsoft emphasizes that the cyberattack was not due to a vulnerability in any of its products. Furthermore, there is no evidence thus far of unauthorized access to customer environments, source code, production, or AI systems.

“We are currently in the process of notifying the employees whose emails were accessed,” the company stated. Initial investigations revealed that the hacker group was seeking information about itself. Details of the attack have not yet been shared by the company as investigations are ongoing.

In a report to the US Securities and Exchange Commission (SEC), Microsoft stated that the incident has not had any significant impact on the company’s operations thus far. Whether there will be consequences for the financial position or operating results of the company remains undetermined.

Questionable security practices seem to have been at play within Microsoft. The company’s description suggests that the test account was protected by a weak password that attackers could guess using a list of commonly used passwords. It also appears that two-factor authentication (2FA) was not active, since 2FA would have blocked access to the account even with the guessed password.

Lastly, the test account seemingly had extensive access rights, enabling Midnight Blizzard to gain access to real employee accounts within the company. The fact that access was effectively limited to “a very small percentage” of them likely aligns with the attackers’ objectives.

Midnight Blizzard is no stranger to cyberattacks. They were responsible for the prominent Sunburst attack at the end of 2020, where the Trojan was distributed through updates for SolarWinds’ monitoring and management software, Orion. Allegedly, Midnight Blizzard is connected to the Russian Foreign Intelligence Service (SVR).


SEC Reveals Further Details on X-Account Breach and SIM-Swapping Incident (published Tue, 12 Mar 2024 15:42:57 +0000)

After a malicious actor took over the X account of the US Securities and Exchange Commission (SEC) two weeks ago to prematurely announce the expected Bitcoin ETF approval, the agency has now shared further information regarding the incident. According to a new statement from the regulatory body, the attackers managed to take control of the phone number associated with the SEC’s X account through SIM swapping and used it to reset the account’s password.

SIM swapping is an attack technique where attackers take over the phone number of their target to, for example, make calls or receive SMS messages on their behalf. The takeover typically occurs by attackers impersonating the target to the mobile service provider, using personal data obtained beforehand through social engineering methods.

If malicious actors can convincingly persuade the provider that they are the rightful owners of the targeted phone number, they can have it transferred to a new SIM card, thereby gaining control.

The investigations continue, and it remains unclear how the attackers who took over the SEC’s X account learned the associated phone number. The agency also stated that it is currently investigating how unauthorized individuals managed to persuade the SEC’s telecommunications provider to transfer the number to a different SIM card.

The SEC also addressed the fact that multi-factor authentication (MFA) for its X account was not activated. Several US senators had recently criticized this oversight. The SEC said that MFA had been active until July 2023 but was then deactivated due to issues accessing the account. The SEC then apparently failed to reactivate the security feature until January 9, 2024, the day the X account was compromised.

“The MFA is currently enabled for all SEC social media accounts that support it,” the agency emphasized. Furthermore, there is no evidence so far that the attackers gained access to other systems, data, devices, or social media accounts of the SEC. The agency continues to collaborate with various law enforcement and federal regulatory agencies to investigate the case.
