A fake Emsisoft code-signing certificate found, increasing VMware ransomware detected and more.
Welcome to Cyber Security Today. It’s Friday, February 17th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
An attacker created and tried to use a fake code-signing certificate carrying security company Emsisoft's name to install a tool for hacking into a customer's computer. The idea was that if the Emsisoft application detected the tool, the detection would be dismissed as a false positive because of the vendor name on the certificate. Emsisoft said this week the attempt was blocked by its product. However, application developers should treat this incident as a warning to watch for someone trying to impersonate or compromise their digital certificate infrastructure. IT and security administrators need to limit the number of approved applications that can be downloaded by staff and run in their environments. And they need to ensure that applications flagged for being signed with suspicious digital certificates are quarantined. The tool the attacker tried to leverage with the phony-named certificate was MeshCentral, an open-source remote access application. That can be OK if approved, but in the hands of an attacker it will be used for network compromise. Emsisoft also notes that if an attacker gains a foothold on the network, one of the first things they want to do is disable antivirus, antimalware and other defensive applications. That's why it's important that all endpoint products should only be disabled by an administrator whose access is protected with multifactor authentication.
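The defensive lesson in the Emsisoft item is that a certificate's subject name proves nothing on its own: an allow-listing control has to check that the signer chains to a trusted root and is valid for code signing. The following Go program is an added illustration, not code from Emsisoft or from the podcast. It builds a constructed trusted root, issues one genuine code-signing certificate from it, mints a self-signed impostor with the identical publisher name, and runs both through the same verification routine; the root and vendor names are placeholders.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newKey generates a P-256 key; certificate material here is constructed for the demo.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// makeCert signs tmpl with parentKey; when parent == tmpl the result is self-signed.
func makeCert(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewRootCA creates a self-signed CA standing in for a trusted code-signing root.
func NewRootCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	cert, err := makeCert(tmpl, tmpl, &key.PublicKey, key)
	return cert, key, err
}

// NewCodeSigningCert issues a leaf with the code-signing EKU. With parent == nil it is
// self-signed, which is exactly what an attacker can mint with any subject name they like.
func NewCodeSigningCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	return makeCert(tmpl, parent, &key.PublicKey, parentKey)
}

// VerifyCodeSigner is the check an allow-listing control should perform: the expected
// publisher name must be present AND the leaf must chain to a trusted root with a
// code-signing usage. Matching the name alone would accept the impostor.
func VerifyCodeSigner(leaf *x509.Certificate, roots *x509.CertPool, expectedCN string) error {
	if leaf.Subject.CommonName != expectedCN {
		return fmt.Errorf("unexpected publisher %q", leaf.Subject.CommonName)
	}
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	})
	if err != nil {
		return fmt.Errorf("publisher %q does not chain to a trusted root: %w", expectedCN, err)
	}
	return nil
}

// DemoResult holds the verdict for the genuine and impostor certificates.
type DemoResult struct {
	GenuineErr  error // expected nil
	ImpostorErr error // expected non-nil: same name, untrusted issuer
}

// RunDemo reproduces the scenario with constructed names (placeholders, not a real CA or vendor).
func RunDemo() (DemoResult, error) {
	root, rootKey, err := NewRootCA("Example Trusted Code Signing Root")
	if err != nil {
		return DemoResult{}, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	genuine, err := NewCodeSigningCert("Example Vendor Ltd", 2, root, rootKey)
	if err != nil {
		return DemoResult{}, err
	}
	impostor, err := NewCodeSigningCert("Example Vendor Ltd", 3, nil, nil)
	if err != nil {
		return DemoResult{}, err
	}
	return DemoResult{
		GenuineErr:  VerifyCodeSigner(genuine, roots, "Example Vendor Ltd"),
		ImpostorErr: VerifyCodeSigner(impostor, roots, "Example Vendor Ltd"),
	}, nil
}

func main() {
	res, err := RunDemo()
	if err != nil {
		panic(err)
	}
	fmt.Println("genuine cert:", res.GenuineErr)
	fmt.Println("impostor cert:", res.ImpostorErr)
}
```

In a real deployment the root pool would be the platform's trusted publisher store and the leaf would be extracted from the signed binary; the point of the demo is that the two certificates are indistinguishable by name and are separated only by the chain check.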
There's evidence that the ransomware exploitation of unpatched VMware hypervisor servers continues. Researchers at Censys said this week they have seen 500 more servers on the internet that appear to have been infected with what is called the ESXiArgs ransomware. Most of these recent infections are on hosts in France, Germany, the Netherlands and the U.K. Hundreds of others were seen earlier in Canada and the U.S. IT departments running out-of-date and unsupported versions of ESXi are at the greatest risk.
Splunk has issued a number of patches for the Enterprise version of its security event management platform as part of its quarterly updates. Administrators should review these updates and install them as soon as possible. Also this week, Citrix issued a number of patches for severe vulnerabilities in several products. These include Citrix Virtual Apps and Desktops, and Workspace for Windows and Linux. Because of the sensitivity of these Citrix products, the patches should be installed as soon as possible.
Tile, which makes a little Bluetooth tracker for finding lost keys, wallets, purses, luggage and other things, has added an anti-theft mode to its devices. That way, the company says, crooks or stalkers can’t use a scan mode to find nearby Tile-enabled devices. Anti-theft mode makes it easier to recover stolen valuables by making it harder for thieves to know an item is being tracked by the owner.
I regularly report on business email compromise scams. These are attempts by email, text or voice to impersonate an executive to trick an employee into sending money in some way to a crook. A common tactic is claiming funds have to be sent to a new customer to nail down a partnership. The scams I report on are perpetrated in English-speaking countries. But a new report from Abnormal Intelligence is a reminder that these scams have been found in 13 languages, including French, German, Italian, Spanish and others. So if you're listening outside Canada, the U.S. and the U.K., your company is just as likely to get one of these messages. In whatever country you are in, be careful with messages from executives who ask you to do something involving money transfers or buying gift cards, especially if they say it has to be done fast.
Truck manufacturing and transportation companies need people with cybersecurity experience to protect the GPS and wireless diagnostic devices in heavy vehicles. One way the industry finds people interested in cybersecurity is through the annual CyberTruck challenge. It’s a five-day event for Canadian and American university students interested in heavy vehicle cybersecurity issues. Registration is now open for this year’s event during the week of June 12th in Warren, Michigan. All student expenses are covered including travel, accommodation and meals. There’s a link to the application here.
That’s it for now. But later today the Week in Review will be available. Guest commentator David Shipley and I will discuss cybersecurity and hospitals, as well as why executives and IT security don’t communicate well.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.