Unpatched VMware applications are still being exploited, ransomware used as a decoy, and a COVID text scam.
Welcome to Cyber Security Today. It’s Friday, June 24th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
It’s hard to believe with all of the news stories earlier this year, but threat actors continue to exploit an unpatched Log4Shell vulnerability in VMware Horizon and Unified Access Gateway servers. That’s according to the U.S. Cybersecurity and Infrastructure Security Agency. Alerts about this vulnerability started circulating last December. But some IT administrators still aren’t getting the message. If your organization hasn’t paid attention to this yet, assume your Horizon or UAG installation has been compromised. Start threat hunting. The CISA report includes recommendations on what to look for. There’s a link to the report in the text version of this podcast. Log4Shell is a remote code execution vulnerability that affects products using Apache’s Log4j2 logging library. After exploiting a hole in Horizon or UAG an attacker will upload malware to spread across the IT environment.
Threat actors often use denial of service attacks to distract IT from a data theft going on elsewhere in the organization. According to researchers at Secureworks, one Chinese-based attacker may be using ransomware the same way. The ransomware used by the gang dubbed Bronze Starlight only has a short lifespan, the report stays. That suggests the gang’s goal is data theft or espionage. If so the deployment of ransomware may be to distract incident responders from what’s really going on. One clue of this gang’s presence is the use of a custom DLL loader called HUI Loader for uploading remote access trojans and Cobalt Strike beacons to compromised computers and servers. That leads to the uploading of ransomware. Note that this gang initially compromises networks by exploiting known vulnerabilities in devices. Patches are usually available that could have prevented the attack from starting.
Crooks continue to use fears about COVID-19 to spread scams. One of the latest tricks is happening in the United Kingdom, where people are getting text messages that pretend to come from the National Health Service, or NHS. The message says they’ve been in close contact with someone who has the virus. They are told to order a free testing kit by clicking on the included link. Victims who click go to a website that looks like an NHS site, where all they have to spend is a small amount for postage for the kit — plus fill in personal information and a credit card number. A variant on the scheme asks victims to click on a link to book a free COVID test, again with the goal of getting victims’ personal information. This type of scam can be tried in any country. One reason crooks like text message scams is it’s hard for victims to check website addresses on a smartphone’s small screen. That’s why people have to think carefully before clicking on links in text messages.
Finally, Google has released security updates for Chrome. If you use this browser make sure it’s the latest version.
Remember later today the Week in Review edition will be out, with guest commentator Terry Cutler of Montreal’s Cyology Labs. We’ll talk about Cloudflare’s outage this week and a U.S. bank’s failure to detect a data breach after discovering a separate ransomware attack.
Links to details about podcast stories are in the text version at ITWorldCanada.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.