Multiple cybersecurity agencies from the US, UK, Australia, Canada, and New Zealand have warned managed service providers (MSPs) and their customers of an increased risk of supply chain attacks by malicious actors, including state-sponsored hackers (advanced persistent threat groups, APTs).

In a joint security advisory the agencies said they expect threat actors to step up their targeting of MSPs in order to exploit provider-customer network trust relationships to conduct ransomware attacks or cyber-espionage.

The advisory offers specific guidance for both MSPs and customers on securing sensitive data and recommendations on how to strengthen their defenses against malicious cyber activity.

Microsoft May 2022 Patch Tuesday fixes an actively exploited Windows zero-day flaw

Microsoft has released security updates for its software products designed to address over 70 vulnerabilities, including an actively exploited zero-day flaw, which affects all versions of Windows.

Tracked as CVE-2022-26925 (CVSS8.1), the issue in question is a Windows LSA (Local Security Authority) spoofing vulnerability, which allows an unauthenticated attacker to remotely force domain controllers to authenticate them via the Windows NT LAN Manager (NTLM) security protocol. Microsoft warns that the CVSS score could increase to 9.8 (out of 10) if an attacker chains CVE-2022-26925 to an NTLM relay attack (man-in-the-middle attack) on Active Directory Certificate Services servers.

This month’s Patch Tuesday also includes fixes for two publicly disclosed vulnerabilities: CVE-2022-22713 (a denial of service vulnerability in Windows Hyper V), and CVE-2022-29972 (a vulnerability in the Magnitude Simba Amazon Redshift ODBC Driver). So far, there has been no evidence that these two bugs have been exploited in real-world attacks.

Agricultural machinery maker AGCO, defense contractor Top Aces hit with ransomware

AGCO, the US-based manufacturer of agricultural equipment, said it experienced a ransomware attack on May 5, which affected operations at some of its production facilities.

In a short statement on its website the company said that investigation into the incident is underway, without providing any details on how the breach occurred, the type of systems targeted, or if any data was stolen during the attack.

In a separate incident, Canadian defense contractor Top Aces, which operates a fleet of fighter jets and offers contracted airborne training services, has been reportedly hit with a LockBit ransomware attack.

The company has launched an investigation after the LockBit ransomware gang posted an announcement on its data leak site claiming to have stolen 44GB of data from Top Aces. The group gave the company a deadline of May 15 to pay the ransom.

Costa Rica declares state of emergency after a Conti ransomware attack

Newly elected Costa Rican president Rodrigo Chaves has declared a state of national cybersecurity emergency following a Conti ransomware attack on multiple government agencies, including the Ministry of Finance, Administrative Board of the Electrical Service of the province of Cartago (Jasec), the Ministry of Science, Innovation, Technology and Telecommunications, the Ministry of Labor and Social Security, and others.

The Conti hackers demanded a $10 million ransom from Costa Rica threatening to leak data stolen from the Ministry of Finance, however, the government refused to pay. On its data leak website the group said it had leaked 97% of the 672GB data dump allegedly containing information stolen from government bodies.

Following the Conti ransomware attack on Costa Rica the US State Department announced a reward of up to $10 million for information that would allow to identify or locate the Conti leaders. In addition, the authorities offered a reward of up to $5 million for information leading to the arrest of individuals involved in Conti ransomware attacks.

The US, UK, EU and allies say Russia was behind a massive Viasat cyberattack

Western officials formally accused Russia for a large-scale cyberattack that disrupted Viasat's KA-SAT satellite internet service across Ukraine and Europe roughly an hour before the Russian troops crossed Ukraine’s borders on February 24.

The UK's Foreign Office said in a statement that although the primary target of the attack was likely the Ukrainian military, it caused outages for several thousand Ukrainian commercial customers and disrupted wind farms and internet users in central Europe.

According to Viasat, tens of thousands of satellite terminals were damaged due to the attack.

In addition, the US State Department accused Russia of a series of disruptive cyber operations that targeted Ukrainian government and private entities. These operations include website defacements, distributed denial-of-service (DDoS) attacks, and destructive data-wiping attacks that used multiple families of wiper malware such as WhisperGate.

What’s next:

Follow ImmuniWeb on Twitter and LinkedIn
Subscribe to newsletter to get the next post automatically
Explore 18 use cases how ImmuniWeb can help
See the benefits of our partner program
Request a demo, quote or special price
Subscribe to our newsletter

Application Security Weekly

Application Security Weekly is a weekly review of the most important news and events in cybersecurity, privacy and compliance. We cover innovative cyber defense technologies, new hacking techniques, data breaches and evolving cyber law.

Recent Blog Posts:

Chinese Hackers Silently Siphoned Trade Secrets For Years

Lapsus$ Hackers Breached Systems of Telecom Giant T-Mobile

GitHub: Hackers Breached Multiple Orgs Using Stolen OAuth User Tokens