A new data wiper is discovered, patches for Lexmark printers and BIND are issued and more.
Welcome to Cyber Security Today. It’s Monday, January 30th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.
Attention Windows administrators: If you aren’t already doing so, make sure your Active Directory is completely locked down. Hackers believed to be from Russia’s Sandworm group have a new data-wiping malware that gets distributed through Active Directory’s Group Policy. Researchers at ESET discovered this new strain after a cyber attack last week against a target in Ukraine. ESET calls this destructive malware SwiftSlicer. Among the ways to protect Active Directory are to limit the number of people who can access it, and to make sure those who do have access use strong passwords, multifactor authentication and, if possible, hardware keys. Make sure these people are reminded not to fall for phishing scams claiming to be from the IT or support staff checking their credentials. Domain controllers also need to be secured the same way. For more advice from Microsoft on securing AD, click here.
Attention network administrators using the open-source BIND 9 suite for domain controllers. The Internet Systems Consortium has issued advisories for four high severity vulnerabilities. They need to be addressed by installing the latest versions of the suite.
More on patches: Lexmark has warned a server-side request forgery vulnerability has been discovered in over 100 newer models of its printers. Patches are available for certain models of CX, XC, MX, MB and other printers.
Attention VMware administrators: Make sure the four fixes issued last week for the vRealize log analysis tool are installed fast. That’s because security researchers at Horizon3 are about to release an exploit showing how three of the vulnerabilities can be chained together to get into vRealize. Once hackers see a possible exploit, they are quick to create a working one.
Last week’s dismantling of the IT infrastructure supporting the Hive ransomware gang was cheered by infosec pros. It shows the effective work of law enforcement around the world. Here’s another possible sign: The number of exchanges threat actors use to cash out ransomed or stolen cryptocurrency is dropping. Reporters at Wired noticed this fact in the annual crime report by researchers at Chainalysis. It counted only 915 cash-out services last year. That sounds huge. But 68 per cent of all black market cash-outs are going through just five cryptocurrency exchanges. Chainalysis thinks this shows the international crackdown on money laundering is having an effect.
Here’s another reminder that hackers don’t necessarily strike fast if they get past your initial security controls. The Los Angeles Unified School District has revised the timeline for the ransomware attack it suffered last September. Initially the district said the attack took place over the Labor Day weekend. Now it says the intrusion started as early as July 31st and ended on September 3rd. This is another example of why constant monitoring and scanning for suspicious network activity is vital.
Finally, cybersecurity companies periodically issue warnings about vulnerabilities in internet-connected industrial control systems, or ICS. But the head of one vendor that sells ICS solutions warns that patching vulnerabilities in this gear should be prioritized the same way fixes for IT equipment are: Ask if the vulnerability is currently being used in an attack, and if the vulnerability could cause the company damage. If the answer to both questions is yes, address those vulnerabilities first. “There have been zero known ICS vulnerabilities leveraged in any ICS cyberattack,” says Robert Lee, chief executive of Dragos. There’s too much pressure on companies to patch everything fast, he said. Then there’s this memorable quote: “I have responded to more IT people taking down plants through patching than Russia, China and Iran combined.” Think about it.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com. U.S. listeners can also find my stories on TechNewsDay.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.