A botnet expands, threats to unpatched TeamCity servers, and more.
Welcome to Cyber Security Today. It’s Friday, December 15th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
 |
 |
 |
A botnet of compromised small and home office firewalls and routers continues to expand. Researchers at Lumen say those behind what it calls the KV-botnet most recently added internet-connected video cameras made by Axis and Netgear ProSafe firewalls. Lumen suspect the botnet is growing so it can be used for phishing campaigns during the holiday season. The researchers aren’t sure how devices are being infected. But they believe it’s run by a threat group dubbed Volt Typhoon or Bronze Silhouette by other researchers. It’s a state-sponsored group based in China that has been infiltrating critical infrastructure providers in the U.S. Often this botnet takes over out-of-date devices that can’t receive security patches anymore so they are ripe for picking. The report is a warning to IT and network leaders — as well as homeowners — to get rid of internet-connected equipment that isn’t supported anymore. At the very least make sure devices are regularly rebooted because that will flush some types of malware.
Unpatched servers hosting JetBrains’ TeamCity software are being exploited by Russian government hackers. That’s according to cyber authorities in the U.S., the U.K. and Poland. The Russian group, known as CozyBear, Nobelium or APT29 by security researchers, has been exploiting a vulnerability since September. Because TeamCity is used by software developers, a successful hacker gets access to source code and signing certificates that can be used to authenticate malware — everything needed for a supply chain attack. Companies using compromised and internet availableTeamCity servers have been found in the United States, Europe, Asia, and Australia. They include an energy trade association, internet hosting providers and more. Administrators of TeamCity who haven’t applied recent patches or workarounds should assume their servers have been compromised and take action.
Here’s another example of someone not configuring a database properly and leaving it open in the internet. It was discovered by security researcher Jeremiah Fowler and appears to belong to an American company that makes a cloud-based management suite for nonprofits. It has subscribing organizations around the world. Had someone found this particular database they would have been able to download over 460GB of data. Fowler saw a document from a hospital charity that named a child, their medical conditions and their doctor. This is another reminder that organizations have to make sure all employees handling the personal data of customers and employees know how to protect data from exposure. In addition IT leaders have to constantly watch data stores created by employees for security breaches.
On a November podcast I told you that personal information of staff working at the Idaho National Laboratory, a federal nuclear energy research facility, had been stolen. The number of victims has now been released: It’s just over 45,000 current and former employees, their spouses and dependents. The notice to victims says the data was stolen from an off-site data centre and not the lab’s IT system.
Finally, users of the Discord voice, video and chat app can now use security key-based multifactor authentication to protect their accounts from being hacked. That means they can use Windows Hello, Apple Face ID, Touch ID or physical security keys for logging in to Discord.
That’s it for this podcast. However, later today the Week in Review edition will be available. Guest Terry Cutler of Cyology Labs will join me to discuss a report on the readiness of the U.K. to face malware, why applications with old versions Log4j is still being compromised and more.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.
