Malware aimed at the Spring Java framework and AWS Lambda, and in Android apps.
Welcome to Cyber Security Today. It’s Monday, April 11th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
There’s a new reason why Java application developers using the Spring Framework have to patch it as soon as possible. According to researchers at Trend Micro, unpatched versions of the framework are being exploited to force servers to join the Mirai botnet. That botnet is used to spread denial of service attacks. The two vulnerabilities, dubbed SpringShell or Spring4Shell by some, allow an attacker to get remote access to a Spring local or cloud server. Developers are urged to install upgrades to Spring Framework and Spring Boot. They should also look for signs that their Spring environment has been compromised.
Amazon introduced its serverless AWS Lambda computing platform in 2014 for doing things like uploading images to S3 instances. Until now no one has publicly reported seeing malware aimed at Lambda. However, researchers at Britain’s Cado Security have spotted malware that can run crypto-mining software in Lambda. It isn’t clear how the example they found got into the victim’s environment. But remember, while AWS secures the underlying Lambda execution environment, it is up to users to secure functions themselves. If you use Lambda, keep that in mind.
Seven internet domains allegedly being used by the Russian army hacking group dubbed Strontium have been put out of business by Microsoft. The sites were being used for attacks against targets in Ukraine, the United States and the European Union. Microsoft’s weapon was a court order, which allowed it to take control of the sites. Microsoft says this was part of actions it’s been taking since 2016 to seize IT infrastructure used by Strontium. So far it has taken over more than 100 Strontium-controlled domains.
Industrial toolmaker Snap-on Inc. last week began notifying customers and employees that some of their personal data was stolen from an associate firm or a franchisee. According to the Bleeping Computer news site, this came after the Conti ransomware gang began posting data in March that was allegedly taken from Snap-on. The company said it saw suspicious network activity early in March. Stolen data could have included names, Social Security Numbers, dates of birth, and employee identification numbers.
Facebook’s parent Meta says it has taken unspecified action against a previously unreported hacking group from Iran that targeted energy companies in Canada, Saudi Arabia, Italy and Russia. Also targeted were the semiconductor industry in the U.S., Israel and Germany, as well as other corporations around the world. Among the tactics were creating fictitious accounts of people on LinkedIn, Instagram, Facebook and Twitter who posed as recruiters for real and fake companies. The gang also created fake and spoofed corporate recruiting websites. And it embedded tools like an interview app with a chat function that worked when the victim entered a password for an interview. Doing that activated the delivery of malware. It would seem that espionage is this group’s goal. Looking for a job on the internet? Be warned.
In January I reported that a former Chinese employee of agriculture giant Monsanto in the U.S. pleaded guilty to conspiracy to commit economic espionage. He admitted copying a predictive algorithm used by the company in its software onto a memory card, then trying to fly to China the day after leaving the company in 2017. Last week he was sentenced by a U.S. judge to 29 months in prison followed by three years of supervised release.
Also last week a Ukrainian man was sentenced to five years by a U.S. judge for working for the hacking group called FIN7. It’s also called the Carbanak Group or the Navigator Group by threat researchers. Prosecutors said the convict designed emails with malware for stealing data, including credit and debit card information. He also probed and mapped organizations’ IT networks for data to steal. It is believed the group caused over a billion dollars in losses to American firms alone. The man was arrested in Bangkok in 2019 and extradited to the U.S. He’s the third member of the gang to be convicted in the U.S. in the last 12 months.
Finally, more malware-infected Android apps have been found in the Google Play store. This time they are six supposed anti-virus apps. They’ve been deleted from the Play store, but may still exist on other app stores. According to researchers at Check Point Software, these apps have been downloaded at least 15,000 times. As researchers have said before, you have to carefully check with other users and with reviews from reputable websites before downloading mobile apps.
Remember, links to details about podcast stories are in the text version at ITWorldCanada.com.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.