New reports on ransomware and cyber attacks, new tools used by attackers, and more.
Welcome to Cyber Security Today. It’s Wednesday, April 26th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
The number of reported ransomware attacks is going up. A new report from researchers at Black Kite notes that three new ransomware groups have sprung up so far this year, with the number of victims in March nearly double that of last April. In analyzing victim organizations over the last 12 months, the researchers found these things in common: poor email configuration, recent leaks of usernames and passwords, publicly-available remote access ports, out-of-date systems, and IP addresses with botnet activity. Does your IT system have any of these conditions? If so, you’re very vulnerable to any cyber attack.
Sophos released its Active Adversary Report for Business Leaders. It’s an examination of 150 attacks Sophos was called to investigate. Among the findings: Unpatched vulnerabilities were the most common way attackers got behind defences. The second most common way attackers got in: Using compromised usernames and passwords. The report has more bad news: Attackers are spending less time in systems before launching attacks. You may only have between nine and 11 days to detect an intruder before they launch their malware or copy data.
Attention IT administrators who use the PaperCut print management software: Hackers are taking advantage of unpatched servers to compromise systems. If you haven’t already done so, upgrade your PaperCut Application Servers immediately.
Attackers working for ransomware gangs have a new tool. According to researchers at Sophos, the tool is built around an old tactic — using an outdated Windows driver — to disable endpoint detection and response, or EDR, clients. In this case the new tool uses an outdated Microsoft driver that’s part of the Process Explorer utility. This tool, which Sophos calls AuKill, was seen in at least three ransomware incidents since the beginning of the year. However, to use AuKill the attackers first have to get administrative privileges somehow. Then they can run the AuKill tool against an EDR client. IT and security pros must remember that the tool only works if the attacker has already escalated privileges, either by compromising the user directory or some other way. So locking down the directory and making sure as few employees as possible have admin privileges can stop this type of attack. And, as always, make sure Windows systems have the latest patches and security updates.
There’s another new hacker toolkit quietly circulating. Security researchers at Infoblox call it Decoy Dog, and it deploys the Pupy remote access trojan. It is believed to have become active 12 months ago and is linked to several suspicious internet domains that may be used in the future as command and control servers. Exactly what those behind Decoy Dog are doing isn’t clear. Infoblox says infosec leaders should watch for signs their IT infrastructure may be hosting or connecting to these domains.
Finally, almost everyone in the world believes using ChatGPT can solve any problem. But researchers at the University of Quebec warn that so far it’s not reliable for generating secure programming code. They asked version 3.5 of ChatGPT to create 21 programs in five programming languages. The results, they say, were “worrisome.” In several cases the initial code generated was well below minimum application security standards, with factual errors and biases. But when asked to tighten things up, ChatGPT was able in many cases to do so. The conclusion: Today software developers can’t rely on ChatGPT for automated code creation without human oversight. Two things to note: First, ChatGPT is now on version 4, which wasn’t tested. Second, the goal of the chatbot’s creators is to make it better.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.