A new ransomware strain with a trick, a warning for Azure Cosmos administrators and more on the T-Mobile hack
Welcome to Cyber Security Today. It’s Monday August 30th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
A new strain of ransomware uses a trick to evade detection. According to cybersecurity company Sophos, instead of encrypting all the bytes of a file, the LockFile strain scrambles only alternating 16-byte blocks. That way the partly encrypted file still looks statistically similar to the uncompromised original, so it evades the statistical file analysis some ransomware protection applications perform when comparing files. It’s not the only ransomware strain that does partial encryption, but what sets LockFile apart is that it encrypts every other 16 bytes of a file. Sophos calls this intermittent encryption. IT security teams need to make sure their defensive software can meet this challenge.
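To show why whole-file statistics miss this pattern and what a block-aware check looks like, here is an added example (not code from Sophos or from the podcast). It fakes intermittent encryption on a constructed text sample by overwriting every other 16-byte block with random bytes, then compares the entropy of the even-numbered blocks against the odd-numbered ones; the block size, the 2-bit gap threshold and the sample document are assumptions.

```python
import math
import random
from collections import Counter

BLOCK = 16  # LockFile alternates at this granularity, per the Sophos report

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def simulate_intermittent_encryption(data: bytes, seed: int = 7) -> bytes:
    """Constructed test fixture, not LockFile's code: overwrite every other
    16-byte block with pseudo-random bytes so half the file stays plaintext."""
    rng = random.Random(seed)
    out = bytearray(data)
    for off in range(0, len(out), 2 * BLOCK):
        n = min(BLOCK, len(out) - off)
        out[off:off + n] = rng.randbytes(n)
    return bytes(out)

def phase_entropies(data: bytes, block: int = BLOCK) -> tuple[float, float]:
    """Entropy of all even-numbered blocks concatenated, and of the odd ones."""
    blocks = [data[i:i + block] for i in range(0, len(data), block)]
    return shannon_entropy(b"".join(blocks[0::2])), shannon_entropy(b"".join(blocks[1::2]))

def looks_intermittently_encrypted(data: bytes, block: int = BLOCK, gap: float = 2.0) -> bool:
    """Flag a file whose two block phases differ sharply in entropy. A fully
    encrypted or fully plain file has nearly equal phases; an alternating
    pattern leaves one phase random-looking and the other structured."""
    if len(data) < 4 * block:
        return False  # too little data to judge
    e0, e1 = phase_entropies(data, block)
    return abs(e0 - e1) >= gap

# Constructed sample document: repeated English text, about 1.6 KB.
SAMPLE = (b"Quarterly report: revenue grew in every region while operating costs "
          b"fell. The board approved the budget for the next fiscal year and "
          b"thanked staff for their continued effort during the transition.\n") * 8

if __name__ == "__main__":
    enc = simulate_intermittent_encryption(SAMPLE)
    # Whole-file entropy only rises moderately; the per-phase split is what exposes the pattern.
    print("whole-file entropy: plain=%.2f encrypted=%.2f" % (shannon_entropy(SAMPLE), shannon_entropy(enc)))
    print("phase entropies: plain=%s encrypted=%s" % (phase_entropies(SAMPLE), phase_entropies(enc)))
    print("flagged: plain=%s encrypted=%s" % (looks_intermittently_encrypted(SAMPLE),
                                              looks_intermittently_encrypted(enc)))
```

The same phase split can be repeated for other block sizes if a strain alternates at a different granularity.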
Meanwhile the news site The Record reports the gang behind the Ragnarok ransomware has shut operations and released a free decryption utility that victims can use to get their data back.
Networks of attacker-controlled computing devices, called botnets, help attackers distribute malware. According to a news report, one of them has suddenly shut down. Those behind the botnet distributing the Phorpiex malware are selling its source code. The bad news is that if another threat actor buys the code, the botnet can be reactivated.
Organizations with employees using Microsoft’s Azure Cosmos database with the Jupyter Notebook feature enabled need to take certain security precautions. This comes after researchers reported a vulnerability that could allow an attacker to get into accounts. Microsoft says it has fixed the vulnerability. But it also says IT departments have to regenerate the primary security keys for the application. According to the company that discovered the problem, every organization that uses Azure Cosmos DB should assume their data has been exposed. It estimates there are thousands of organizations affected, including some in the Fortune 500. There’s a link to the Microsoft report here.
Has sportswear maker Puma been hacked? That’s the question after an ad on the criminal data marketplace called Marketo claimed to be selling about 1 GB of data from the company. According to the news site Security Affairs, some of the files have source code from company applications.
Many IT departments have test environments that duplicate their organization’s IT network and systems. They’re used to evaluate patches, new software and hardware for incompatibilities. However, that test system can be a way hackers get into the operational network if it’s connected to the internet and if security isn’t perfect. And apparently it wasn’t on American wireless carrier T-Mobile’s test network. According to the chief executive, that’s how a hacker recently got into its systems to steal personal data on over 50 million current and former customers. In a blog post he said a hacker was able to use their knowledge of technical systems, along with specialized tools and capabilities, to access the carrier’s testing environments. Then they used brute force attacks and other methods to make their way into other IT servers that included customer data. According to the Wall Street Journal, the hacker says he found an unprotected router after using a publicly available tool to search for weak spots in T-Mobile’s known internet addresses.
Finally, Atlassian has released security patches for its Confluence collaboration suite. IT departments with Confluence Server or Data Center should install the patches immediately to block a critical vulnerability.
That’s it for now. Remember, links to details about podcast stories are in the text version at ITWorldCanada.com. That’s where you’ll also find other stories of mine.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker. Thanks for listening. I’m Howard Solomon.