An FBI warning on misconfigured MFA, Asus routers targeted by a botnet, a tool for detecting infected MikroTik routers and more
Welcome to Cyber Security Today. It’s Friday March 18th. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
I regularly quote cybersecurity experts saying multi-factor authentication is one of the best tools for preventing hacking. It can stop attackers who have somehow obtained employees’ passwords from getting into IT systems. However, MFA has to be implemented properly or it’s just as big a hole as a poor password. The latest evidence comes from the U.S. Cybersecurity and Infrastructure Security Agency and the FBI. They warned IT administrators this week that Russian state-sponsored attackers have exploited misconfigured multifactor authentication systems. In one case a mistake by a non-governmental organization allowed the attacker to enroll a new device in its MFA system under an employee account. That allowed entry to the IT network. Then the hacker exploited a Windows Print Spooler vulnerability called PrintNightmare to get deeper into the network. Another hacker did the same thing on a system running Cisco Systems’ Duo multifactor authentication system. That led to the compromise of the victim organization’s email system. The alert warns IT departments to enforce MFA security procedures. Administrators also have to make sure inactive accounts of employees are disabled not only in MFA systems but also in Active Directory.
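The last point in that item, that a dormant account has to be disabled in both the directory and the MFA service, is the kind of thing that drifts out of sync over time. The following is an added example (not code from the CISA/FBI alert or from any MFA vendor) of a reconciliation check an administrator could run: it takes an export of Active Directory accounts and an export of MFA enrolments, both represented here as constructed, hypothetical sample data, and flags accounts that are disabled in AD but still active in MFA, accounts that are still enabled but have not logged on in a long time, and MFA enrolments with no matching directory account at all.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Minimal shapes for the two exports. In practice these would be filled from
# an AD query (e.g. Get-ADUser output) and the MFA provider's user report.
@dataclass
class AdAccount:
    sam: str           # sAMAccountName
    enabled: bool      # account enabled in AD
    last_logon: date   # last logon timestamp


@dataclass
class MfaEnrolment:
    user: str          # username as known to the MFA service
    status: str        # "active" or "disabled" in the MFA service
    devices: int       # number of enrolled devices


# Constructed sample data (hypothetical accounts, not from any real directory).
TODAY = date(2022, 3, 18)
AD_ACCOUNTS = [
    AdAccount("alice", True, TODAY - timedelta(days=3)),     # healthy
    AdAccount("bob", False, TODAY - timedelta(days=200)),    # disabled in AD only
    AdAccount("carol", True, TODAY - timedelta(days=120)),   # enabled but dormant
    AdAccount("dave", False, TODAY - timedelta(days=300)),   # disabled everywhere
]
MFA_ENROLMENTS = [
    MfaEnrolment("alice", "active", 1),
    MfaEnrolment("Bob", "active", 2),        # note: case differs from AD export
    MfaEnrolment("carol", "active", 1),
    MfaEnrolment("dave", "disabled", 0),
    MfaEnrolment("erin", "active", 1),       # no AD account at all
]


def find_mfa_gaps(ad_accounts, mfa_enrolments, today, stale_days=90):
    """Return a list of (username, reason) pairs describing accounts whose AD
    state and MFA state disagree, or that look dormant and should be disabled
    in both places. Usernames are matched case-insensitively."""
    mfa_by_user = {m.user.lower(): m for m in mfa_enrolments}
    findings = []

    for acct in ad_accounts:
        enrolment = mfa_by_user.get(acct.sam.lower())
        stale = (today - acct.last_logon) > timedelta(days=stale_days)

        if not acct.enabled and enrolment and enrolment.status == "active":
            # The exact gap the alert describes: AD says gone, MFA still accepts
            # the user and would let a new device be enrolled.
            findings.append((acct.sam, "disabled in AD but still active in MFA"))
        elif acct.enabled and stale:
            findings.append((acct.sam,
                             f"enabled but no logon in {stale_days} days; "
                             "disable in AD and MFA"))

    # Enrolments the directory knows nothing about are orphaned identities.
    ad_names = {a.sam.lower() for a in ad_accounts}
    for m in mfa_enrolments:
        if m.status == "active" and m.user.lower() not in ad_names:
            findings.append((m.user, "active MFA enrolment with no matching AD account"))

    return findings


if __name__ == "__main__":
    for user, reason in find_mfa_gaps(AD_ACCOUNTS, MFA_ENROLMENTS, TODAY):
        print(f"{user}: {reason}")
```

Run against the sample data it reports bob (disabled in AD, active in MFA), carol (dormant but enabled) and erin (orphaned MFA enrolment), and stays quiet about alice and dave. The stale-account threshold is a policy choice; 90 days is only the example's default.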
Small businesses and homeowners using certain models of Asus RT and GT routers are being urged to install the latest firmware. And, if they haven’t done so already, stop using the default administrative password. That’s because these devices are vulnerable to malware distributed by a botnet called Cyclops Blink. According to researchers at Trend Micro, this botnet has been going after WatchGuard Firebox network devices. Now it’s finding Asus routers. It is believed the Russian-based Sandworm group is behind this botnet.
Speaking of routers, Microsoft has published a tool for IT departments to detect if their MikroTik manufactured routers have been infected with the Trickbot malware. Those behind Trickbot are using infected MikroTik devices as command and control servers to redirect the spread of malware through non-standard ports. Attackers are getting into MikroTik routers by knowing their passwords. This happens because administrators haven’t changed the default password or reuse passwords that were also used on other hacked MikroTik routers at the same firm, or because attackers exploit a vulnerability in an older version of the router operating system.
If you had any doubt that European regulators are serious about privacy, listen to this: Meta, the parent company of Facebook, was fined the equivalent of about $18 million this week for breaking provisions of the EU General Data Protection Regulation, known as GDPR. That’s for failing to have measures in place to demonstrate the security measures it uses to protect users’ data. Meta said the fine is about old record-keeping practices.
Cybercrooks have found new ways to get around defences in Apple devices to install malware. According to researchers at Sophos, they’re doing it by tricking victims into downloading an Apple testing application called TestFlight. TestFlight is used by developers to test apps before uploading finished versions for approval to the Apple App Store. But if a victim has TestFlight on their Apple device, crooks can push unapproved and malicious apps to them that wouldn’t pass the security checks needed for apps in the App Store. The other strategy is to bypass the App Store by sending a link to a website that uses what are called iOS WebClips. These links go to malicious sites that encourage users to download bad apps. In both cases the apps can support romance scams or lead to fake cryptocurrency trading platforms. Here’s the lesson: If you use an Apple device, only download apps from the App Store. Don’t download apps from links that anyone sends you.
If you use the Google Chrome browser, make sure it’s running the latest version. This week Google released an update with 11 security fixes, including one rated critical. The latest version starts with 99 and ends with .74.
Finally, don’t forget later today the Week in Review podcast will be out. Terry Cutler and I will discuss cyber events in the Russia-Ukraine war, a possible requirement in the U.S. for critical infrastructure firms to report serious cyberattacks to the government and more.
Remember links to details about podcast stories are in the text version at ITWorldCanada.com.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.