A warning to firms using VoIP systems, malicious files in an open-source Python registry, and more.
Welcome to Cyber Security Today. It’s Monday, June 27th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
Organizations turn to voice-over-IP phone systems as a way of saving money. However, if these systems aren’t properly protected they could be an entry point into internet-connected systems. The latest example is a report by researchers at Crowdstrike into their discovery earlier this year of an undocumented vulnerability in a VoIP system made by Ottawa’s Mitel Networks. A suspected ransomware threat actor gained initial access to an organization’s network through the Mitel MiVoice Connect appliance using a zero-day vulnerability. Fortunately, the attack was detected and stopped. After being notified, Mitel issued a critical security advisory in March urging administrators to install a patch to close this hole. Crowdstrike waited until now to issue its report on the incident. Two lessons to IT staff: First, security updates on any internet-connected device on your networks — not just servers and desktops — have to be patched as soon as possible. Second any internet-connected device — including VoIP phone systems — must have anti-virus, anti-malware or firewall protection.
Here’s another example of why application developers shouldn’t automatically trust code posted to open source libraries. Researchers at Sonatype recently discovered five suspicious if not malicious Python packages in the open source PyPi registry. If included in an application some of them could steal Amazon AWS credentials and other information included in software. Sonatype reported its findings to PyPi and the packages have been removed. If you’re worried about whether these libraries are in your application there’s a link to the Sonatype report in the text version of this podcast at ITWorldCanada.com. Developers who use open source packages should research and scan any code they download.
A hacker claims they have already broken into and are selling access to 50 IT networks of organizations that have unpatched versions of Atlassian’s Confluence collaboration suite. According to the security news site called The Record, researchers at Rapid7 found an access broker on a Russian-language criminal forum selling access to the organizations. All of them are allegedly in the U.S. I reported earlier about this particular vulnerability and that a patch has been issued. If your organization uses Confluence and hasn’t installed the patch, do it now — and scan your entire IT environment for possible compromise.
Finally, there are many ways of tricking victims into clicking on email attachments that hide malware. One of the latest was discovered by researchers at a South Korean firm called ASEC. A victim received an email alleging their firm has violated another company’s copyright. The evidence was supposedly in an attached PDF. What that attachment really does is install the LockBit ransomware. While this scam is being tried in Korean, it could easily be used in any language. In fact the report notes this isn’t the first attempt at spreading malware through copyright infringement threats. IT leaders should ensure employees are trained to send any legal threat to the legal department. Staff in the legal department need be trained to consult with IT security staff before clicking on attachments.
That’s it for now Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
Follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.