USB-based attacks rising, attacks on AWS increasing and more.
Welcome to Cyber Security Today. It’s Monday, July 17th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
On a podcast last month I told listeners about a European hospital that was infected after an employee plugged a compromised USB memory stick into a computer after returning from a conference. The memory stick was his own; he’d loaned it to someone so they could copy his presentation. But when he got it back it was infected. Well, spreading infections by USB drives isn’t that uncommon, according to a new report from Mandiant. Researchers say that in the first half of this year they’ve seen a threefold increase in attacks using compromised USB drives. One of the biggest campaigns is from a group trying to steal industrial, corporate and government secrets from organizations around the world for China. Its weapon is the SOGU (SO-GU) malware. Another group is targeting energy companies in Asia. Its weapon is the Snowydrive malware, which creates a backdoor into a computer. Both pieces of malware can copy themselves onto removable drives plugged into an infected machine by an innocent employee, and those drives then spread the infection to other computers. In both cases the victim clicks on a file on a USB drive believing it to be something worthwhile. It’s not always the case that someone is handing out infected USB drives to victims. Mandiant believes hotels and print shops may be where infections start: an innocent person plugs their own USB memory stick into someone else’s computer and their device gets infected. Regardless of the cause, IT leaders should either restrict the ability of employees to plug USB sticks into corporately-owned PCs and servers, or set up antivirus solutions that scan USB devices when they are plugged in.
IT administrators who oversee Adobe’s ColdFusion web application development server are urged to upgrade to the latest versions. There’s a critical vulnerability that needs to be patched. If it isn’t, an attacker could exploit the hole and run malicious code. Although the vulnerability was only recently discovered, a proof-of-concept exploit is already circulating. Adobe also released patches for 12 security vulnerabilities in InDesign.
A threat actor attacking AWS cloud environments is refining its tactics for stealing data. Called Scarleteel by researchers at Sysdig, it starts by compromising AWS accounts by exploiting vulnerabilities in compute services. Then the attacker installs cryptominers or steals important data. One of the latest attacks took advantage of an organization’s mistake in an AWS policy, which allowed the hacker to get administrator privileges. From there they may also try to get into Kubernetes containers. The lesson from this report: security in the cloud is just like an on-prem environment. You’ll pay dearly for mistakes by staff who choose poor passwords, don’t protect those passwords with multifactor authentication, or make configuration mistakes.
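As an added example (not part of the podcast or of Sysdig’s report), here is a small static check a defender could run over IAM policy documents to catch the kind of over-broad grant described above, before an attacker finds it. The three policies and the list of self-escalation actions are constructed for illustration.

```python
import fnmatch

# Added example, not Sysdig's analysis. Actions that let a principal widen its own
# rights (constructed starting list, not exhaustive).
ESCALATION_ACTIONS = {
    "iam:CreatePolicyVersion", "iam:SetDefaultPolicyVersion", "iam:AttachUserPolicy",
    "iam:AttachRolePolicy", "iam:PutUserPolicy", "iam:PutRolePolicy",
    "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
}

def _as_list(value) -> list:
    """IAM allows Action/Resource as a string or a list; normalise to a list."""
    return [] if value is None else (value if isinstance(value, list) else [value])

def _matches(action_pattern: str, action: str) -> bool:
    """IAM action names are case-insensitive and may use '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), action_pattern.lower())

def find_risky_statements(policy: dict) -> list[str]:
    """Return one finding per Allow statement that is administrator-equivalent."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append(f"statement {i}: Allow with NotAction permits everything not listed")
            continue
        actions = _as_list(stmt.get("Action"))
        all_resources = "*" in _as_list(stmt.get("Resource"))
        if any(a.lower() in ("*", "iam:*") for a in actions):
            scope = "full administrator access" if all_resources else "every action on a limited resource"
            findings.append(f"statement {i}: wildcard action {actions} gives {scope}")
        elif all_resources:
            hits = sorted(e for e in ESCALATION_ACTIONS if any(_matches(a, e) for a in actions))
            if hits:
                findings.append(f"statement {i}: {hits} on Resource '*' allows self-escalation")
    return findings

# Constructed policies: the kind of mistake the story describes, and a scoped alternative.
WEAK_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}
SUBTLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "iam:Put*"], "Resource": "*"}]}
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*"}]}

if __name__ == "__main__":
    for name, pol in [("weak", WEAK_POLICY), ("subtle", SUBTLE_POLICY), ("scoped", SCOPED_POLICY)]:
        print(name, find_risky_statements(pol) or "ok")
```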
More on cloud attacks: Researchers at SentinelLabs and Permiso have discovered that a threat actor going after AWS login credentials is now also targeting passwords for Microsoft Azure and Google Cloud Platform environments. One source: Unpatched web application vulnerabilities. So, in addition to enabling multifactor authentication for users of your cloud apps, make sure the apps are patched.
Still more on cloud security: Some developers who create and put container images into the Docker Hub repository are pretty clumsy, according to German university researchers. In a published paper they found that 8.5 per cent of the over 337,000 images they analyzed included secrets, such as private keys and digital certificates. That puts identity and access management for those containers at risk. IT administrators have to create security policies for employees creating cloud assets and then make sure they are monitored and enforced.
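An added example, not the researchers’ tooling: a scanner that walks the layer tarballs inside a `docker save` image archive and flags private keys and AWS access key ids, run here against a constructed image. It assumes the older `docker save` layout in which each layer is a `<id>/layer.tar` member, and its signature list is a constructed starting point.

```python
import io
import re
import tarfile
# Added example, not the researchers' tooling. Signatures are constructed, not exhaustive.
SECRET_PATTERNS = {
    "private key": re.compile(rb"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws access key id": re.compile(rb"\bAKIA[0-9A-Z]{16}\b"),
}

def scan_bytes(data: bytes) -> list[str]:
    """Return the secret types matched in one file's contents."""
    return [kind for kind, pat in SECRET_PATTERNS.items() if pat.search(data)]

def scan_layer(layer: tarfile.TarFile) -> list[tuple[str, str]]:
    """Return (path, kind) for every regular file in a layer tar that matches."""
    hits = []
    for member in layer.getmembers():
        if not member.isfile() or member.size > 5_000_000:
            continue  # skip directories, symlinks and very large blobs
        hits += [(member.name, kind) for kind in scan_bytes(layer.extractfile(member).read())]
    return hits

def scan_image(image_bytes: bytes) -> list[tuple[str, str, str]]:
    """Return (layer, path, kind) for every hit in a `docker save` tarball."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(image_bytes)) as image:
        for member in image.getmembers():
            if not member.isfile() or not member.name.endswith(".tar"):
                continue  # manifest.json and config blobs are not layers
            with tarfile.open(fileobj=io.BytesIO(image.extractfile(member).read())) as layer:
                findings += [(member.name, p, k) for p, k in scan_layer(layer)]
    return findings

def _tar_with(files: dict[str, bytes]) -> bytes:
    """Build an uncompressed tar in memory (only used to construct sample data)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as t:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def build_sample_image() -> bytes:
    """Constructed image: one layer whose files leak an SSH key and an AWS key id."""
    key = b"-----BEGIN OPENSSH PRIVATE KEY-----\nEXAMPLE-ONLY\n-----END OPENSSH PRIVATE KEY-----\n"
    layer = _tar_with({"app/main.py": b"print('hi')\n", "root/.ssh/id_rsa": key,
                       "app/.env": b"AWS_ACCESS_KEY_ID=AKIAEXAMPLEEXAMPLE01\n"})
    return _tar_with({"manifest.json": b"[]", "abc123/layer.tar": layer})
```

Newer OCI-layout archives store layers under `blobs/` without a `.tar` suffix, so the member filter in `scan_image` needs widening for those.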
Members of Canada’s Parliament continue fighting over the shape of a public inquiry into China’s attempts to interfere with the election process here. Meanwhile, last week the U.K.’s Intelligence and Security Committee of Parliament released a report into the national security threat posed by China. That includes stealing intellectual property and targeting members of the U.K. Parliament. The 207-page report found the U.K. government isn’t dedicating enough resources to combat the threat.
The monitoring interfaces of over 130,000 green energy devices like solar panels are exposed to the internet. That’s according to researchers at Cyble. These include web servers and controllers which may or may not be properly secured. Two points from this research: If your company has solar panels or wind turbines, make sure their management software is always fully patched and can’t be seen on the public internet. If they have to be visible, make sure access is tightly controlled.
Finally, how interconnected is the world? Two weeks ago Russia tried to disconnect its internet infrastructure from the world. The goal was to create a sovereign internet. According to an expert interviewed by Scientific American, the test was a failure. The IT systems of a railway and a shipping company were knocked out. One conclusion: So far countries can’t unplug from the internet without serious disruption. That probably won’t stop some of them from trying.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.