More damage from the Nvidia hack, real customer data exposed, the unexplained closing of a criminal forum and more.
Welcome to Cyber Security Today. It’s Monday, March 7th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
The problems arising from the recent hack of graphics card maker Nvidia continue. According to the Bleeping Computer news site, threat actors are using stolen Nvidia code signing certificates to sign malware they try to install on victims’ computers, including backdoors, the Cobalt Strike post-exploitation framework and the Mimikatz credential-stealing tool. A signature from a trusted vendor is what lets these tools load without Windows objecting. The certificates have expired, but Windows still accepts code signed with them. Windows administrators should configure systems to deny these specific certificates, for example with a Windows Defender Application Control policy, until Microsoft blocks them from loading.
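The first step an administrator would take is to find out whether anything on a machine already carries one of these signatures. The following is an added example, not code from the podcast, Bleeping Computer or Nvidia. It lists PE files whose Authenticode signer is an NVIDIA certificate that has already expired; the thumbprints of the leaked certificates are not hard-coded because the episode does not list them, so the `-Thumbprints` parameter is an assumed input you fill in from the published reporting. A hit is a candidate for review, not proof of malware, because Nvidia’s own legitimate drivers were signed with the same certificates.

```powershell
# Added example (not from the podcast, Bleeping Computer or Nvidia).
# Flags files signed by an expired NVIDIA certificate, or by any thumbprint
# the caller supplies (assumed input: the leaked certificates' thumbprints).
param(
    [string[]]$Paths = @("$env:SystemRoot\System32\drivers", "$env:ProgramData", "$env:TEMP"),
    [string[]]$Thumbprints = @()   # assumed input; empty means "subject match only"
)

$now = Get-Date

Get-ChildItem -Path $Paths -Recurse -File -Include *.sys, *.dll, *.exe -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
    $cert = $sig.SignerCertificate
    if (-not $cert) { return }   # unsigned file: nothing to compare against

    $matchesLeaked = ($Thumbprints.Count -gt 0) -and ($Thumbprints -contains $cert.Thumbprint)
    $expiredNvidia = ($cert.Subject -like '*NVIDIA*') -and ($cert.NotAfter -lt $now)

    if ($matchesLeaked -or $expiredNvidia) {
        [pscustomobject]@{
            Path       = $_.FullName
            Subject    = $cert.Subject
            NotAfter   = $cert.NotAfter          # already in the past for these certs
            Thumbprint = $cert.Thumbprint
            Status     = $sig.Status             # "Valid" means Windows still accepts the signature
            SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
}
```

Anything the script surfaces that is not a known Nvidia driver (compare the SHA256 against the vendor’s package or a reputation service) deserves a closer look. To actually block the certificates rather than just find them, one of the flagged files can be fed to `New-CIPolicyRule -Level LeafCertificate -DriverFilePath <file> -Deny` and the rule merged into the machine’s Application Control policy; test that first, since a leaf-certificate deny also blocks Nvidia’s legitimate drivers signed with the same certificate.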
By the way, the Lapsus$ hacking group claiming responsibility for the Nvidia theft has just leaked what it says is confidential source code and other corporate data from Samsung.
There are dangers in letting software developers test their applications with real customer data: make a mistake and that data can be stolen or publicly exposed. The latest example comes from a New York City company called Adafruit, which makes electronic components. On Friday it admitted that a training dataset containing real customer data could have been seen by anyone who could access a former employee’s GitHub account. GitHub is a cloud platform with tools used by application developers. The dataset held names, email addresses, and shipping and billing addresses of some customers. It did not have passwords or credit card information. Still, names and email addresses are enough for crooks to run targeted phishing. Synthetic test data is readily available commercially, and companies can also generate it themselves.
Some IT departments still don’t grasp the importance of inventorying every computer system and every application in an organization so they can be securely patched. The latest evidence comes in a report from researchers at F-Secure. Among the organizations it examined in 2020, 61 per cent of those with unpatched vulnerabilities had bugs that were at least five years old. Some dated back to 1997. All of those vulnerabilities had security updates issued by their vendors. It’s vital that IT departments have rigorous patch management processes.
One of Russia’s worries about Ukraine is that it will join NATO. However, Russia’s current invasion has pushed the country closer to NATO. Last week the NATO Co-operative Cyber Defence Centre of Excellence announced that Ukraine is now a contributing participant. That means both sides can now share cyber expertise. The centre is headquartered in Estonia.
Cybersecurity experts are puzzled by the disappearance last month of a criminal website called Raid Forums. According to researchers at Flashpoint, something happened on February 25th: either the site was seized or it was closed. This may or may not have had something to do with the Russia-Ukraine war, which started the day before. On that day, the 24th, an administrator announced that the site would ban all users connecting from Russia. The next day a threat actor leaked a database belonging to a Russian express delivery and logistics company that allegedly provides services for the Russian federal government. The threat actor said the leak was a consequence of Russia’s invasion of Ukraine. Also that day a user asked for help in creating fake identification documents, allegedly to help a friend escape Ukraine. Another user encouraged members to begin collecting attackable ranges of Russian IP addresses. After that an administrator claimed the site had been seized by an unnamed person. Users were told to change their passwords and log into a new Raid Forums site. But when users try to log in, a message says they’ve been banned. Flashpoint suggests the login credentials entered there are now being captured by someone. It’s unclear when or if Raid Forums will return. One thing is certain: the crooks who used it will move to other forums.
Finally, Linux administrators running containers without best-practice hardenings, or with additional privileges, are warned to upgrade to a fixed kernel version. This follows the discovery by researchers at Palo Alto Networks of a new privilege escalation vulnerability in the Linux kernel that affects container workloads. The default hardenings in most container environments should block this attack, but containers running without those controls, or with extra privileges, may be at risk. There’s a link to full details of the report and mitigations in the text version of this podcast, along with links to other reports mentioned, at ITWorldCanada.com.
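Since the report says the default hardenings are what protect against this bug, the practical question for an administrator is which running containers were started without them or with extra privileges. The following is an added example, not code from the Palo Alto Networks report or the podcast. It assumes the `docker` CLI is on the PATH and the caller can talk to the daemon, and runs under PowerShell (pwsh on the Linux host, or against a remote daemon). It reads each container’s `docker inspect` output and reports the settings that weaken the default isolation: privileged mode, added capabilities, a disabled seccomp or AppArmor profile, a shared host PID namespace, and a process running as root.

```powershell
# Added example (not from Palo Alto Networks or the podcast).
# Triages running Docker containers by the hardenings they lack.
# Assumes: docker CLI on PATH; run under pwsh on the Linux host.

function Get-ContainerRisk {
    param([Parameter(Mandatory)][string]$Id)

    # --format '{{json .}}' emits a single JSON object, so no array
    # handling is needed after ConvertFrom-Json.
    $c  = docker inspect --format '{{json .}}' $Id | ConvertFrom-Json
    $hc = $c.HostConfig
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($hc.Privileged) { $findings.Add('--privileged: all capabilities, no seccomp/AppArmor') }
    if ($hc.CapAdd)     { $findings.Add("extra capabilities: $($hc.CapAdd -join ',')") }

    # SecurityOpt is null unless the operator passed --security-opt explicitly.
    $secopt = @($hc.SecurityOpt)
    if ($secopt -contains 'seccomp=unconfined')  { $findings.Add('seccomp profile disabled') }
    if ($secopt -contains 'apparmor=unconfined') { $findings.Add('AppArmor profile disabled') }

    if ($hc.PidMode -eq 'host') { $findings.Add('shares the host PID namespace') }

    # An empty Config.User means no USER in the image: the process runs as uid 0.
    if (-not $c.Config.User) { $findings.Add('runs as root inside the container') }

    [pscustomobject]@{
        Name     = $c.Name.TrimStart('/')
        Image    = $c.Config.Image
        Findings = $findings
    }
}

# Report only containers with at least one finding.
docker ps -q |
    ForEach-Object { Get-ContainerRisk -Id $_ } |
    Where-Object { $_.Findings.Count -gt 0 } |
    Format-List
```

The output is a prioritization list, not a fix: the fix is the kernel upgrade the advisory calls for. Containers that appear here, especially ones combining root with added capabilities or a disabled seccomp profile, are the ones to patch or restart with the defaults first.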
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your Flash Briefing on your smart speaker.