Cyber Security Today, June 14, 2023 – A warning for users of Microsoft’s digital signature tool, an alert to VMware administrators, and more


Welcome to Cyber Security Today. It’s Wednesday, June 14th, 2023. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com and TechNewsday.com in the U.S.


Microsoft provides users with a way to digitally sign Office documents so recipients can verify their authenticity. But German university researchers say the Office Open XML Signatures standard that the suite uses can be hacked. In fact, in a paper to be presented at the upcoming Usenix Security Symposium, they say there are five ways it can be compromised on Windows or macOS versions of Microsoft Office. They also work on the open-source OnlyOffice suite. One worry: If the digital signatures can be broken, so can the content of signed documents. Those using Office Open XML Signatures need to take care with how it is used, or choose a different digital signing solution.

VMware is warning administrators using its ESXi hypervisor to install updates to the VMware Tools utility. It will block an authentication bypass vulnerability. This comes after researchers at Mandiant discovered the hole is being used by what it believes to be a China-based espionage group. After harvesting login credentials from a vCenter Server, an attacker can exploit the vulnerability to execute privileged commands across Windows, Linux and vCenter guest virtual machines. Administrators need to install the patch and harden their vCenter and ESXi installations.

A Catholic hospital in rural Illinois will close on Friday, with the administration partly blaming a two-year-old ransomware attack. Other factors in the closing of St. Margaret’s Health were the COVID-19 pandemic and a shortage of staff. The combined financial problems led to a bank last week reportedly cutting off access to funds.

A U.S. court has sentenced a Romanian man to three years in prison for running a bulletproof hosting service that distributed malware. That included the Gozi Virus, the Zeus Trojan, the SpyEye Trojan and the BlackEnergy malware, all for stealing corporate financial information. Victims included the American NASA space agency as well as organizations in Great Britain, Germany, France, Italy and other countries. Prosecutors said the Gozi Virus alone caused tens of millions of dollars in losses to individuals and organizations. The three-year sentence credited the 14 months the man already spent in jail in Romania and Colombia before being extradited to the U.S. He’ll also have to forfeit US$3.5 million. According to one news site, he is the last of three gang members to be sentenced.

In a May 29th podcast I reported that researchers at Mandiant had discovered a new piece of malware aimed at industrial control systems. They call the malware CosmicEnergy. This week researchers at Dragos took a deep look and concluded it isn’t an immediate threat. However, administrators of operational technology networks should still shore up their defences against this malware.

Crooks are distributing a free version of Windows 10, or perhaps what looks like an update. The catch? It has malware that steals cryptocurrency from digital wallets. Researchers at Doctor Web say so far the crooks behind this have captured the equivalent of almost US$19,000 from victims.

Are you looking online for bargains on clothes, footwear and watches? This is another warning to shoppers to be careful. Researchers at Bolster have discovered a widespread fake website campaign targeting brands like Nike, Puma, Adidas, Casio, Fila, Tommy Hilfiger and others. The goal is to steal shoppers’ credit and debit card numbers. This campaign uses website names that are similar to the real brand names to sucker victims. So if you search for Nike shoes, for example, you may come across one of these fake websites. One tip: Be suspicious when you see a price that’s too good to be true.

Microsoft has agreed to pay US$20 million for collecting and retaining personal information of children who used its Xbox Live service. This is to settle allegations the practice violated the U.S. Children’s Privacy Protection Act.

Meanwhile, music streaming service Spotify has been fined the equivalent of US$5.4 million by regulators in Sweden for violating the EU’s General Data Protection Regulation. The penalty is for not adequately explaining to subscribers how personal data is used by the company.

Finally, yesterday was Microsoft Patch Tuesday. The security updates released fix over 70 vulnerabilities, including six that are critical. Make sure the updates are installed as soon as possible. Adobe also released patches for vulnerabilities in Adobe Commerce (what used to be called Magento), Experience Manager and other products.

Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.

Howard Solomon
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@] soloreporter.com
